- Always scrub data before passing it to mysql

2009-09-17 05:53:47 +00:00 · 2009-09-17 05:53:47 +00:00 · abd1fda6fe
commit abd1fda6fe
parent 0a9053181c
1 changed files with 4 additions and 2 deletions
--- a/admin/award_awards.php
+++ b/admin/award_awards.php
@ -99,8 +99,9 @@
 	mysql_query("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$id'");

 	foreach($_POST['categories'] AS $key=>$cat) {
+		$c = intval($cat);
 		mysql_query("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) 
-				VALUES ('$id','$cat','{$config['FAIRYEAR']}')");
+				VALUES ('$id','$c','{$config['FAIRYEAR']}')");
 	}

 	//wipe out any old award-divisions links
@ -108,8 +109,9 @@

 	//now add the new ones
 	foreach($_POST['divisions'] AS $key=>$div) {
+		$d = intval($div);
 		mysql_query("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) 
-				VALUES ('$id','$div','{$config['FAIRYEAR']}')");
+				VALUES ('$id','$d','{$config['FAIRYEAR']}')");
 	}
 	happy_("Saved.");
 	exit;