changeset 296:bbdf1b9c5a07
Check compo_id in compo entry addition.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Mon, 25 Nov 2013 18:43:31 +0200 |
parents | e387d717cf46 |
children | fdcd78675d1c |
files | admajax.php |
diffstat | 1 files changed, 12 insertions(+), 5 deletions(-) [+] |
--- a/admajax.php Mon Nov 25 15:40:21 2013 +0200
+++ b/admajax.php Mon Nov 25 18:43:31 2013 +0200
@@ -554,11 +554,18 @@
 else if ($type == "entry" && stValidateRequestEntryData($fake))
 {
- $sql = stPrepareSQL(
- "INSERT INTO entries (name,author,compo_id,filename,info) VALUES (%S,%S,%D,%S,%S)",
- "name", "author", "compo_id", "filename", "info");
+ if (stFetchSQLColumn(stPrepareSQL("SELECT id FROM compos WHERE id=%D", "compo_id")) === FALSE)
+ {
+ stError("No such compo ID.");
+ }
+ else
+ {
+ $sql = stPrepareSQL(
+ "INSERT INTO entries (name,author,compo_id,filename,info) VALUES (%S,%S,%D,%S,%Q)",
+ "name", "author", "compo_id", "filename", "info");
- stExecSQLCond($sql, "OK, entry added.");
+ stExecSQLCond($sql, "OK, entry added.");
+ }
 }
 break;
@@ -633,7 +640,7 @@
 "name" => "S",
 "author" => "S",
 "filename" => "S",
- "info" => "S",
+ "info" => "Q",
 "compo_id" => "D",
 ));
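Review bot: The compo lookup and the INSERT in the `entry` branch run as two separate statements, so a compo removed between them still leaves an entry that references a missing row. A foreign key on `entries.compo_id` (if the backend enforces them) would guarantee this at the database level, with the lookup kept only for the friendlier message. The `=== FALSE` test presumably cannot tell "no row" from a failed query, so a database error would also be reported as "No such compo ID."; that is worth confirming against stFetchSQLColumn, which is not visible here. A one-line comment above the check, e.g. `// Reject entries that reference a non-existent compo`, would record the intent. The enclosing case starts and ends outside the hunk.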
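Review bot: The change of `info` from `S` to `Q` here, and the matching `%S` to `%Q` in the INSERT of the first hunk, is not mentioned in the commit message, and nothing in the diff says what `Q` accepts that `S` does not. If `Q` is a less restrictive string type (not visible from here), every place that renders `info` has to HTML-escape it on output. A comment next to the entry such as `// "Q": <what this type permits>` would make the choice reviewable. Assuming this array feeds the entry update statement, `compo_id` is still taken as `D` without the existence check that the first hunk adds for insertion. The enclosing call starts outside the hunk.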