Ejemplo n.º 1
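/**
 * Quote/escape a value for concatenation into a SQL statement string.
 *
 * The "escaping" is limited to doubling single quotes and entity-encoding (or
 * stripping) a handful of characters: backslashes are left untouched, so a value
 * ending in a backslash can still terminate the quoted literal under MySQL's
 * default backslash-escaping. Prepared statements with bound parameters are the
 * robust replacement for callers that build SQL from request data.
 *
 * @param mixed $value  Raw value; leading/trailing whitespace is trimmed first.
 * @param int   $is_str 0 = number: returned unquoted if is_numeric(), otherwise 0;
 *                      1 = HTML-friendly string: ' doubled, & < > entity-encoded, then quoted (default);
 *                      2 = "clean" string: ' & < > $ and , removed, then quoted.
 * @return string|int|null Quoted literal, the numeric text, 0, the SQL keyword
 *                         'NULL' for a value that is empty after trimming, or null
 *                         for an unrecognised mode.
 */
function sql_escape_string($value, $is_str = 1)
{
    // Trim the whitespace
    $value = trim($value);
    // An empty value becomes the unquoted SQL keyword NULL, whatever the mode.
    if (strlen($value) === 0) {
        return 'NULL';
    }
    // get_magic_quotes_gpc() was removed in PHP 8.0, where calling it unconditionally
    // is a fatal error. Consult it only where it still exists, and strip the slashes
    // magic quotes added so the value is not escaped twice.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Kept as a switch (loose comparison) so callers passing '1'/'2' keep working.
    switch ($is_str) {
        case 0:
            // Number: pass through only if it parses as numeric.
            return is_numeric($value) ? $value : 0;
        case 1:
            // html-friendly string -- DEFAULT. The '>' replacement was '&gt' (missing ';').
            $search = ["'", '&', '<', '>'];
            $replace = ["''", '&amp;', '&lt;', '&gt;'];
            return "'" . dbstr_replace($search, $replace, $value) . "'";
        case 2:
            // clean string: the characters are dropped rather than encoded.
            $search = ["'", '&', '<', '>', '$', ','];
            $replace = ['', '', '', '', '', ''];
            return "'" . dbstr_replace($search, $replace, $value) . "'";
        default:
            // Unknown mode: nothing is returned, as before.
            return null;
    }
}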
Ejemplo n.º 2
<?php

require_once "include/config.inc.php";
require_once 'include/mysqli.inc.php';
require_once "include/utils.inc.php";
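// Redirect anonymous visitors and stop. Without exit the rest of the page keeps
// running after the Location header is sent, including the database calls below.
if (!isset($_SESSION['user_key']) || strlen($_SESSION['user_key']) < 1) {
    header('Location: /login');
    exit;
}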
// Table Name
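// Client key from the URL route argument. The page cannot proceed without it, so
// redirect and stop; without exit, $client_key would be undefined further down.
if (isset($args[1])) {
    $value = trim($args[1]);
    $search = ["'", '&', '<', '>'];
    $replace = ["''", '&amp;', '&lt;', '&gt;']; // was '&gt' (missing ';')
    $client_key = dbstr_replace($search, $replace, $value);
} else {
    header('Location: /reports');
    exit;
}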
require_once 'include/header.php';
require_once 'include/footer.php';
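// The statement is assembled by concatenating the quoted key. sql_escape_string()
// doubles single quotes but does not escape backslashes, so this is weaker than a
// prepared `CALL rptBaselinebyUser(?)` with a bound parameter; execute_query()'s
// contract is defined in include/mysqli.inc.php, which is not shown here.
$sql = 'CALL rptBaselinebyUser(' . sql_escape_string($client_key, 1) . ');';
// Defaults so later code does not read undefined variables when no row comes back.
$client_age = null;
$client_gender = null;
$Result = execute_query($mysqli, $sql);
if ($Result) {
    // execute_query() appears to return an array whose first element is a
    // mysqli_result (the procedure's first result set) — confirm in the include.
    // Every iteration overwrites the previous values, so the last row wins.
    while ($row = $Result[0]->fetch_assoc()) {
        $client_age = $row['client_age'];
        $client_gender = strtoupper($row['client_gender']);
    }
}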
// Second stored-procedure call for the same client key, assembled by string
// concatenation exactly like the first one above.
$sql = sprintf('CALL rptCSEbyUser(%s);', sql_escape_string($client_key, 1));
Ejemplo n.º 3
<?php

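// Redirect anonymous visitors and stop. Without exit the rest of the page keeps
// running after the Location header is sent.
// NOTE(review): this check runs before include/config.inc.php is loaded; if
// session_start() lives in that include, $_SESSION is not populated yet here —
// confirm against the include.
if (!isset($_SESSION['user_key']) || strlen($_SESSION['user_key']) < 1) {
    header('Location: /login');
    exit;
}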
require_once "include/config.inc.php";
require_once 'include/mysqli.inc.php';
require_once "include/utils.inc.php";
require_once 'include/header.php';
require_once 'include/footer.php';
// Table Name
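// Table Name — taken from the URL route argument, defaulting to the activity log.
// NOTE(review): if $tablename is later interpolated into SQL as an identifier,
// quote-doubling and entity-encoding do not protect it; an identifier should be
// checked against a fixed list of permitted table names — confirm against the
// query that consumes it.
if (isset($args[1])) {
    $value = trim($args[1]);
    $search = ["'", '&', '<', '>'];
    $replace = ["''", '&amp;', '&lt;', '&gt;']; // was '&gt' (missing ';')
    $tablename = dbstr_replace($search, $replace, $value);
} else {
    $tablename = "activity_log";
}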
// Rows
if (isset($args[2])) {
    if ($args[2] == "all") {
        $sqlrowlimit = $args[2];
        $sqllimitstatement = "";
    } else {
        $sqlrowlimit = $args[2];
        $sqllimitstatement = " limit " . $sqlrowlimit;
    }
} else {
    $sqlrowlimit = '200';
    $sqllimitstatement = " limit " . $sqlrowlimit;