diff --git a/etemplate/inc/class.soetemplate.inc.php b/etemplate/inc/class.soetemplate.inc.php
index e950deae50..e5b38ffbdd 100644
--- a/etemplate/inc/class.soetemplate.inc.php
+++ b/etemplate/inc/class.soetemplate.inc.php
@@ -201,18 +201,18 @@
 $pref_lang = $GLOBALS['phpgw_info']['user']['preferences']['common']['lang'];
 $pref_templ = $GLOBALS['phpgw_info']['server']['template_set'];
- $sql = "SELECT * FROM $this->db_name WHERE et_name='$this->name' AND ";
+ $sql = "SELECT * FROM $this->db_name WHERE et_name='".$this->db->db_addslashes($this->name)."' AND ";
 if (is_array($name))
 {
 $template = $name['template'];
 }
 if ($template == 'default')
 {
- $sql .= "(et_template='$pref_templ' OR et_template='')";
+ $sql .= "(et_template='".$this->db->db_addslashes($pref_templ)."' OR et_template='')";
 }
 else
 {
- $sql .= "et_template='$this->template'";
+ $sql .= "et_template='".$this->db->db_addslashes($this->template)."'";
 }
 $sql .= ' AND ';
 if (is_array($name))
@@ -221,15 +221,15 @@
 }
 if ($lang == 'default' || $name['lang'] == 'default')
 {
- $sql .= "(et_lang='$pref_lang' OR et_lang='')";
+ $sql .= "(et_lang='".$this->db->db_addslashes($pref_lang)."' OR et_lang='')";
 }
 else
 {
- $sql .= "et_lang='$this->lang'";
+ $sql .= "et_lang='".$this->db->db_addslashes($this->lang)."'";
 }
 if ($this->version != '')
 {
- $sql .= "AND et_version='$this->version'";
+ $sql .= "AND et_version='".$this->db->db_addslashes($this->version)."'";
 }
 $sql .= " ORDER BY et_lang DESC,et_template DESC,et_version DESC";
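Review bot: The quote-plus-escape idiom `"'".$this->db->db_addslashes($x)."'"` is now repeated at every value in this hunk and again in the hunks at lines 221 and 352, and each occurrence is a place where a quote or the escape call can be dropped unnoticed. A small private helper in this class that returns the escaped value already wrapped in quotes, used at all nine sites, would shorten the SELECT strings and make any remaining raw interpolation stand out in review. `$this->db_name` is still interpolated raw; that is fine if it is a fixed table name set by the class, which is not visible here. The enclosing method starts before and ends after this hunk.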
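Review bot: The rewritten line `$sql .= "AND et_version='"...` still has no space before `AND`, so after either preceding branch the statement reads `et_lang='xx'AND et_version=...`; most engines happen to tolerate this, but it is fragile and hard to read. Use `$sql .= " AND et_version='".$this->db->db_addslashes($this->version)."'";` so it matches the other fragments assembled in this hunk. The enclosing method starts before and ends after this hunk.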
@@ -352,19 +352,19 @@
 $version = $name['version'];
 $name = $name['name'];
 }
- $sql = "SELECT et_name,et_template,et_lang,et_group,et_version FROM $this->db_name WHERE et_name LIKE '$name%'";
+ $sql = "SELECT et_name,et_template,et_lang,et_group,et_version FROM $this->db_name WHERE et_name LIKE '".$this->db->db_addslashes($name)."%'";
 if ($template != '' && $template != 'default')
 {
- $sql .= " AND et_template LIKE '$template%'";
+ $sql .= " AND et_template LIKE '".$this->db->db_addslashes($template)."%'";
 }
 if ($lang != '' && $lang != 'default')
 {
- $sql .= " AND et_lang LIKE '$lang%'";
+ $sql .= " AND et_lang LIKE '".$this->db->db_addslashes($lang)."%'";
 }
 if ($this->version != '')
 {
- $sql .= " AND et_version LIKE '$version%'";
+ $sql .= " AND et_version LIKE '".$this->db->db_addslashes($version)."%'";
 }
 $sql .= " ORDER BY et_name DESC,et_lang DESC,et_template DESC,et_version DESC";
@@ -557,10 +557,10 @@
 $data['data'] = serialize($this->compress_array($data['data']));
 $sql = "INSERT INTO $this->db_name (";
- for (reset($this->db_cols); list($db_col,$col) = each($this->db_cols); )
+ foreach ($this->db_cols as $db_col => $col)
 {
 $sql .= $db_col . ',';
- $vals .= "'" . addslashes($data[$col]) . "',";
+ $vals .= $db_col == 'et_group' ? intval($data[$col]).',' : "'" . addslashes($data[$col]) . "',";
 }
 $sql[strlen($sql)-1] = ')';
 $sql .= " VALUES ($vals";
@@ -579,9 +579,9 @@
 */
 function delete()
 {
- for (reset($this->db_key_cols); list($db_col,$col) = each($this->db_key_cols); )
+ foreach ($this->db_key_cols as $db_col => $col)
 {
- $vals .= ($vals ? ' AND ' : '') . $db_col . "='" . $this->$col . "'";
+ $vals .= ($vals ? ' AND ' : '') . $db_col . '=' . ($db_col == 'et_group' ? intval($this->$col) : "'".$this->$col."'");
 }
 $this->db->query("DELETE FROM $this->db_name WHERE $vals",__LINE__,__FILE__);
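Review bot: db_addslashes() escapes quotes but not LIKE metacharacters, so a `_` or `%` inside `$name`, `$template`, `$lang` or `$version` still acts as a wildcard in the four LIKE patterns rewritten here; if these are meant to be literal prefix matches, the value also needs its `%` and `_` escaped (for example `addcslashes($v, '%_')` applied after db_addslashes, using whatever escape character the backend's LIKE expects). Separately, the guard `if ($this->version != '')` tests the property while the rewritten line interpolates the local `$version`; unless the two are guaranteed to agree, the guard should test the value that is actually used. The enclosing method starts before and ends after this hunk.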
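Review bot: The rewritten value line of the INSERT still uses plain `addslashes()` while every read path in this commit switched to `$this->db->db_addslashes()`; backslash escaping is not correct for every backend the db layer can sit on, so use `$vals .= $db_col == 'et_group' ? intval($data[$col]).',' : "'" . $this->db->db_addslashes($data[$col]) . "',";`. `$vals` is also appended to without a visible initialisation; unless it is set earlier in the method, which lies outside this hunk, add `$vals = '';` before the foreach. The enclosing method starts before and ends after this hunk.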
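Review bot: The rebuilt WHERE clause in delete() interpolates the string key values `$this->$col` with no escaping at all, unlike the SELECTs earlier in this commit, so a quote in a template name, language or version goes into the DELETE statement unescaped. Escape them the same way: `$vals .= ($vals ? ' AND ' : '') . $db_col . '=' . ($db_col == 'et_group' ? intval($this->$col) : "'".$this->db->db_addslashes($this->$col)."'");`, and add `$vals = '';` before the foreach so the first `($vals ? ...)` test does not read an undefined variable. The body of delete() continues past the end of this hunk.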