Changeset 770202

Timestamp:

09/11/2013 01:22:09 PM (12 years ago)

Author:

laki_patel

Message:

Fix Sql Injection

File:

• indianic-testimonial/trunk/testimonial.php (modified) (3 diffs)

indianic-testimonial/trunk/testimonial.php

@@ -276 +276 @@
 
     if ($_POST['action'] == "iNIC_testimonial_delete_listing_template" && $_POST['id']) {
-      $this->wpdb->query("DELETE FROM {$this->wpdb->prefix}inic_testimonial_template WHERE id='{$_POST['id']}'");
+      $this->wpdb->delete("{$this->wpdb->prefix}inic_testimonial_template", array('id' => $_POST['id']));
       if (mysql_error()) {
         $data['error'] = mysql_error();
@@ -290 +290 @@
     if (isset($_POST['id']) && $_POST['id']) {
 
-      $this->wpdb->query("DELETE FROM {$this->wpdb->prefix}inic_testimonial_widget WHERE id='{$_POST['id']}'");
+      $this->wpdb->delete("{$this->wpdb->prefix}inic_testimonial_widget", array('id' => $_POST['id']));
       if (mysql_error()) {
         $data['error'] = mysql_error();
@@ -310 +310 @@
         $_POST['list_only_featured_testimonials'] = isset($_POST['list_only_featured_testimonials']) && $_POST['list_only_featured_testimonials'] ? $_POST['list_only_featured_testimonials'] : "0";
 
+        $_data = array(
+            "title" => $_POST['widget_title'],
+            "no_of_testimonial" => $_POST['no_of_testimonials'],
+            "only_featured" => $_POST['list_only_featured_testimonials'],
+            "filter_by_country" => $_POST['filter_by_country'],
+            "filter_by_tags" => $_POST['filter_by_tags'],
+            "display_randomly" => $_POST['display_randomly'],
+            "html_template" => $_POST['widget_template'],
+        );
+        
         if (isset($_POST['id']) && $_POST['id']) {
-          $this->wpdb->query("UPDATE {$this->wpdb->prefix}inic_testimonial_widget SET title='{$_POST['widget_title']}', no_of_testimonial='{$_POST['no_of_testimonials']}', only_featured='{$_POST['list_only_featured_testimonials']}', filter_by_country='{$_POST['filter_by_country']}', filter_by_tags='{$_POST['filter_by_tags']}', display_randomly='{$_POST['display_randomly']}', html_template='{$_POST['widget_template']}' WHERE id='{$_POST['id']}'");
+          $this->wpdb->update("{$this->wpdb->prefix}inic_testimonial_widget", $_data, array('id' => $_POST['id']));
           $_success_msg = "The testimonial widget template has been updated successfully.";
         } else {
-          $this->wpdb->query("INSERT INTO {$this->wpdb->prefix}inic_testimonial_widget (title, no_of_testimonial, only_featured, filter_by_country, filter_by_tags, display_randomly, html_template) VALUES('{$_POST['widget_title']}', '{$_POST['no_of_testimonials']}', '{$_POST['list_only_featured_testimonials']}', '{$_POST['filter_by_country']}', '{$_POST['filter_by_tags']}', '{$_POST['display_randomly']}', '{$_POST['widget_template']}')");
+          $this->wpdb->insert("{$this->wpdb->prefix}inic_testimonial_widget", $_data);
           $_success_msg = "The testimonial widget template has been added successfully.";
         }