Revision 2118

Added by darkviper almost 10 years ago

28 Dec-2014 Build 2118 Manuela v.d.Decken(DarkViper)
  1. admin/preferences/save fixed invalid SQL composing


save.php
35 35
        $display_name = $admin->add_slashes(strip_tags($admin->StripCodeFromText($admin->get_post('display_name'),true)));
36 36
    	$display_name = ( $display_name == '' ? $admin->get_display_name() : $display_name );
37 37
// check that display_name is unique in whoole system (prevents from User-faking)
38
    	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
38
    	$sql  = 'SELECT COUNT(*) FROM `'.$oDb->TablePrefix.'users` ';
39 39
    	$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
40
    	if( $oDb->get_one($sql) > 0 ){ $err_msg[] = $oTrans->MESSAGE_USERS_USERNAME_TAKEN.' ('.$oTrans->TEXT_DISPLAY_NAME.')'; }
40
    	if( $oDb->getOne($sql) > 0 ){ $err_msg[] = $oTrans->MESSAGE_USERS_USERNAME_TAKEN.' ('.$oTrans->TEXT_DISPLAY_NAME.')'; }
41 41
// language must be 2 upercase letters only
42 42
    	$language         = strtoupper($admin->get_post('language'));
43 43
    	$language         = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
......
134 134
				     .     '`language`=\''.$language.'\', '
135 135
				     .     '`timezone`=\''.$timezone.'\', '
136 136
				     .     '`date_format`=\''.$date_format.'\', '
137
				     .     '`time_format`=\''.$time_format.'\' ';
138
				if($sPwHashNew) {
139
					$sql .=     '`password`=\''.$sPwHashNew.'\', ';
137
				     .     '`time_format`=\''.$time_format.'\'';
138
				if ($sPwHashNew) {
139
					$sql .=     ', `password`=\''.$sPwHashNew.'\'';
140 140
				}
141
				if($email != '') {
142
					$sql .=     '`email`=\''.$email.'\', ';
141
				if ($email != '') {
142
					$sql .=     ', `email`=\''.$email.'\'';
143 143
				}
144
				$sql .= 'WHERE `user_id`='.(int)$admin->get_user_id();
145
				if( $oDb->doQuery($sql) )
146
				{
144
				$sql .= ' WHERE `user_id`='.(int)$admin->get_user_id();
145
				if ($oDb->doQuery($sql)) {
147 146
					// update successfull, takeover values into the session
148 147
					$_SESSION['DISPLAY_NAME'] = $display_name;
149 148
					$_SESSION['LANGUAGE'] = $language;
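Review bot: The uniqueness check at line 39 compares with `LIKE "'.$display_name.'"`, and `add_slashes` does not escape the LIKE wildcards `%` and `_`, so a submitted display name of `%` matches every other user's name and is always rejected as taken, while `a_c` collides with any `abc`/`axc`; since the intent is "no other user has this exact name", the comparison should be `AND \`display_name\` = "'.$display_name.'"'`, or better a bound parameter if `$oDb` offers one. The surrounding `$sql` string building relies entirely on `add_slashes` for `$display_name`, and `$timezone`, `$date_format`, `$time_format` and `$email` at lines 134–142 are interpolated with no escaping visible in this section — their sanitisation presumably happens earlier in the function, which starts outside this view, so that should be confirmed rather than assumed. The double-quoted string literal at line 39 also breaks under MySQL `ANSI_QUOTES`, where `"…"` is an identifier; the single-quoted form used in the UPDATE at lines 134–142 would be consistent. The comment at line 37 could be reworded as `// display_name must be unique system-wide (prevents impersonation of another user)`.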
