Commit 4d66b5fb authored by Seblu's avatar Seblu

securting sql function by escaping

fix: the year "avant" video link used year 2000; now it uses an identifier
parent c7af56cd
......@@ -4,177 +4,184 @@
########## SQL NEWS ########
################################
function getOneNews($news_id){
function getOneNews($news_id) {
$news_id = mysql_real_escape_string($news_id);
$query = "select * from $DB.news_db WHERE news_id = '$news_id'";
return $result = mysql_query($query);
}
return mysql_query($query);
}
function getLastNews($tendu){
function getLastNews($tendu) {
$tendu = mysql_real_escape_string($tendu);
$query = "SELECT * FROM $DB.news_db WHERE news_tendu<='$tendu' ORDER BY news_date desc, news_time desc";
return $result = mysql_query($query);
return mysql_query($query);
}
################################
########## SQL EDITO ########
################################
function getOneEdito($edito_id){
function getOneEdito($edito_id) {
$edito_id = mysql_real_escape_string($edito_id);
$query = "select * from $DB.editos_db WHERE edito_id = '$edito_id'";
return $result = mysql_query($query);
return mysql_query($query);
}
function getLastEdito(){
function getLastEdito() {
$query = "select * from $DB.editos_db ORDER BY edito_date DESC";
return $result = mysql_query($query);
return mysql_query($query);
}
function getAllEdito(){
function getAllEdito() {
$query = "select * from $DB.editos_db ORDER BY edito_date DESC";
return $result = mysql_query($query);
return mysql_query($query);
}
################################
########## SQL VIDEOS ########
################################
function getOneVideo($vid_id){
$vid_id = mysql_real_escape_string($vid_id);
$query = "select * from $DB.videos_db WHERE video_id = '$vid_id'";
return mysql_query($query);
}
function getAllVideos() {
$query = "select * from $DB.videos_db ORDER BY video_date desc, video_time desc";
return $result = mysql_query($query);
return mysql_query($query);
}
function getLastVideos(){
function getLastVideos() {
$query = "select * from $DB.videos_db ORDER BY video_id desc";
return $result = mysql_query($query);
return mysql_query($query);
}
function getVideosByType( $type){
function getVideosByType($type) {
$type = mysql_real_escape_string($type);
$query = "select * from $DB.videos_db WHERE video_type='$type' ORDER BY video_date desc";
return $result = mysql_query($query);
return mysql_query($query);
}
function getVideosByYearAndTypeAndTendu($year, $type, $tendu){
if ($year == 2000)
function getVideosByYearAndTypeAndTendu($year, $type, $tendu) {
$year = mysql_real_escape_string($year);
$type = mysql_real_escape_string($type);
$tendu = mysql_real_escape_string($tendu);
if ($year == 0)
$query = "select * from $DB.videos_db
WHERE video_type='$type' AND video_tendu<='$tendu' AND YEAR(video_date)<='$year'
WHERE video_type='$type' AND video_tendu<='$tendu' AND YEAR(video_date)<='2000'
ORDER BY video_date desc";
else
$query = "select * from $DB.videos_db
WHERE video_type='$type' AND video_tendu<='$tendu' AND YEAR(video_date)='$year'
ORDER BY video_date desc";
return $result = mysql_query($query);
return mysql_query($query);
}
function getLastVideosByTendu($tendu){
function getLastVideosByTendu($tendu) {
$tendu = mysql_real_escape_string($tendu);
$query = "select * from $DB.videos_db WHERE video_tendu<='$tendu' ORDER BY video_id desc";
return $result = mysql_query($query);
return mysql_query($query);
}
##################################
########## SQL CONTACTS ########
##################################
function getAssoInfos(){
function getAssoInfos() {
$query = "select * from $DB.asso_db";
return $result = mysql_query($query);
return mysql_query($query);
}
function getOneLinkById($ID){
$query = "select * from $DB.links_db WHERE link_id='$ID'";
return $result = mysql_query($query);
function getOneLinkById($id) {
$id = mysql_real_escape_string($id);
$query = "select * from $DB.links_db WHERE link_id='$id'";
return mysql_query($query);
}
function getAllLinks(){
function getAllLinks() {
$query = "select * from $DB.links_db";
return $result = mysql_query($query);
return mysql_query($query);
}
###############################
########## SQL USERS ########
###############################
function getOneUserByName($login){
function getOneUserByName($login) {
$login = mysql_real_escape_string($login);
$query = "select * from $DB.users_db WHERE user_login='$login'";
return $result = mysql_query($query);
return mysql_query($query);
}
function getOneUserByPseudo($pseudo){
function getOneUserByPseudo($pseudo) {
$pseudo = mysql_real_escape_string($pseudo);
$query = "select * from $DB.users_db WHERE user_pseudo='$pseudo'";
return $result = mysql_query($query);
return mysql_query($query);
}
function getOneUserById($ID){
$query = "select * from $DB.users_db WHERE user_id='$ID'";
return $result = mysql_query($query);
function getOneUserById($id) {
$id = mysql_real_escape_string($id);
$query = "select * from $DB.users_db WHERE user_id='$id'";
return mysql_query($query);
}
function getAllUsers(){
function getAllUsers() {
$query = "select * from $DB.users_db WHERE user_right < 7 ORDER BY user_right desc";
return $result = mysql_query($query);
return mysql_query($query);
}
function getUsersByStatut($statut){
function getUsersByStatut($statut) {
$statut = mysql_real_escape_string($statut);
$query = "SELECT * FROM $DB.users_db WHERE user_statut='$statut' ORDER BY user_right desc";
return $result = mysql_query($query);
return mysql_query($query);
}
################################
########## SQL MEMBERS ########
################################
function getAllMembers(){
function getAllMembers() {
$query = "select * from $DB.users_db WHERE user_right >= 7";
return $result = mysql_query($query);
return mysql_query($query);
}
function getAnExistingStatut($statut){
function getAnExistingStatut($statut) {
$statut = mysql_real_escape_string($statut);
$query = "select * from $DB.users_db WHERE user_statut = '$statut'";
return $result = mysql_query($query);
return mysql_query($query);
}
####################################
########## SQL Blacklist ########
####################################
function getOneBlacklistById($id){
function getOneBlacklistById($id) {
$id = mysql_real_escape_string($id);
$query = "select * from $DB.blacklist_db WHERE blacklist_id='$id'";
return $result = mysql_query($query);
return mysql_query($query);
}
function getOneBlacklistByLogin($login){
function getOneBlacklistByLogin($login) {
$login = mysql_real_escape_string($login);
$query = "select * from $DB.blacklist_db WHERE blacklist_login='$login'";
return $result = mysql_query($query);
return mysql_query($query);
}
function getAllBlacklist(){
function getAllBlacklist() {
$query = "select * from $DB.blacklist_db";
return $result = mysql_query($query);
return mysql_query($query);
}
function getAllBlacksite(){
function getAllBlacksite() {
$query = "select * from $DB.blacksites_db";
return $result = mysql_query($query);
return mysql_query($query);
}
function getOneBlacksiteById($id){
function getOneBlacksiteById($id) {
$id = mysql_real_escape_string($id);
$query = "select * from $DB.blacksites_db WHERE blacksite_id='$id'";
return $result = mysql_query($query);
return mysql_query($query);
}
?>
\ No newline at end of file
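Review bot: In getVideosByYearAndTypeAndTendu the branch `if ($year == 0)` still loosely compares the escaped string with an integer, so a non-numeric year_page value falls into the `YEAR(video_date)<='2000'` branch on PHP versions before 8, and `$year`/`$tendu` are then compared as quoted strings in SQL although the columns are numeric. Casting is both simpler and stricter than escaping for these two: `$year = (int) $year; $tendu = (int) $tendu;` followed by `if ($year === 0)`. Every function in this hunk also interpolates `$DB` from function scope; unless it is brought in with `global $DB;` by something not visible here, it resolves to an empty string and the table reference degrades to `.news_db`. Note too that `mysql_real_escape_string` needs an open connection (before `mysql_connect` it returns false and the quoted value collapses to `''`), so the durable fix is mysqli/PDO prepared statements, which also drop the dependency on the removed mysql extension.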
......@@ -4,19 +4,23 @@ define('DEFAULT_YEAR', '2010');
function dispVideos() {
(isset($_GET['year_page'])) ? ($curyear = " ".$_GET['year_page']) : ($curyear = " ".DEFAULT_YEAR);
if (!isset($_GET['year_page']))
$yeartitle = DEFAULT_YEAR;
elseif ($_GET['year_page'] == 0)
$yeartitle = "2000 et avant";
else
$yeartitle = $_GET['year_page'];
$str = '
<!-- main body -->
<div id="main_body">
$str = '
<div id="main_body">
<div id="left_side">
<div id="newsbox">
<h1><img alt="" src="images/puce.png" /> <strong>Videos'. $curyear .'</strong></h1>
<h1><img alt="" src="images/puce.png" /> <strong>Videos de '. $yeartitle .'</strong></h1>
<ul>';
$str .= dispVideosYear();
$str .= dispVideosYear();
$str .= '
$str .= '
</ul></div>
</div>
......@@ -25,17 +29,15 @@ $str = '
<h1><img alt="" src="images/puce.png" /> <strong>Ann&eacute;es</strong></h1>
';
$str .= dispVideosMenu();
$str .= dispVideosMenu();
$str .= '
$str .= '
</div>
</div>
<div class="clr">&nbsp;</div>
</div>
';
</div>';
echo $str;
echo $str;
}
function dispVideosMenu(){
......@@ -50,19 +52,19 @@ function dispVideosMenu(){
$str .= '<li><a href="index.php?section=Videos&year_page=2003" class="texte_link">2003</a></li>';
$str .= '<li><a href="index.php?section=Videos&year_page=2002" class="texte_link">2002</a></li>';
$str .= '<li><a href="index.php?section=Videos&year_page=2001" class="texte_link">2001</a></li>';
$str .= '<li><a href="index.php?section=Videos&year_page=2000" class="texte_link">avant</a></li>';
$str .= '<li><a href="index.php?section=Videos&year_page=0" class="texte_link">2000 et avant</a></li>';
$str .= '</ul>';
return $str;
}
function dispVideosYear(){
if ($_GET['year_page'])
if (isset($_GET['year_page']))
$year_page = $_GET['year_page'];
else
$year_page = DEFAULT_YEAR;
$str = '';//'<B>'.$year_page.'</B>';
$str = '';
if ($_SESSION["user_right"] >= $GLOBALS["PRIV_GUEST"] ) {
$result_prod = getVideosByYearAndTypeAndTendu($year_page, "eptvprod", 2);
......@@ -87,7 +89,7 @@ function dispVideosYear(){
if (mysql_num_rows($result_adm))
$str .= dispVideosByType($result_adm, "&nbsp;e p t v . a d m");
return ($str);
return $str;
}
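Review bot: In dispVideos the new title line `<strong>Videos de '. $yeartitle .'</strong>` still echoes `$_GET['year_page']` into HTML unescaped, because the `else` branch assigns it verbatim; the rename from `$curyear` changes nothing about that reflected output. Since year_page is only ever a year or 0, cast it once: `$yeartitle = (int) $_GET['year_page'];` (or `htmlspecialchars($_GET['year_page'], ENT_QUOTES, 'UTF-8')` if non-numeric values must be displayed). The `elseif ($_GET['year_page'] == 0)` is the same loose comparison as in the SQL layer and becomes a strict `=== 0` once the value is an int. dispVideosYear has the same shape, `$year_page = $_GET['year_page']`, and would benefit from the same cast before the value is passed on. dispVideos starts in the first hunk but its body continues into the next one.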