Quote:
|
Originally Posted by kisazeky
I included this
PHP Code:
$id = $_POST["id"];
$id = preg_replace("/[^a-zA-Z0-9s]/", "", $id);
$newname = $_POST["newname"];
$newname = preg_replace("/[^a-zA-Z0-9\\040.]/", "", $newname);
What do I need to include to filter these injections, Rsmiley?
Edit: Maybe this will protect it?
Adding this to functions.php:
PHP Code:
function cleanQuery($string)
{
if(get_magic_quotes_gpc()) // prevents duplicate backslashes
{
$string = stripslashes($string);
}
if (phpversion() >= '4.3.0')
{
$string = mysql_real_escape_string($string);
}
else
{
$string = mysql_escape_string($string);
}
return $string;
}
Then adding this line in rename2.php:
PHP Code:
if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']);
What do you think Rsmiley?
It certainly does not hurt anything. |
EDIT: I'm assuming that
PHP Code:
if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']);
goes here:
Code:
$newname = $_POST["newname"];
but I get this error: "
PHP Error Message
Parse error: syntax error, unexpected T_IF in /home/---------/public_html/rename2.php on line 78
Free Web Hosting"