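/**
 * Escape a value for interpolation into a SQL statement.
 *
 * The value is trimmed first; an empty (or whitespace-only) value yields the
 * bare SQL keyword NULL regardless of $is_str.
 *
 * Security note for maintainers: modes 1 and 2 rely on quote-doubling only.
 * Under MySQL's default sql_mode (NO_BASKSLASH_ESCAPES off) a backslash is an
 * escape character inside string literals, so quote-doubling on its own does
 * not make an arbitrary value safe to inline. Callers building SQL for mysqli
 * should prefer prepared statements, or mysqli_real_escape_string() on the open
 * connection, over this helper.
 *
 * @param mixed $value  Raw value, typically user input.
 * @param int   $is_str Escaping mode (compared loosely, so "1" also selects mode 1):
 *                      0 - "Integer": returned unquoted when is_numeric(), else int 0.
 *                          is_numeric() also accepts floats and exponent notation
 *                          such as "1e3", so this mode does not guarantee an integer.
 *                      1 - html-friendly string (default): single-quoted, with the
 *                          $search/$replace pairs applied via dbstr_replace().
 *                      2 - clean string: single-quoted, with quotes, &, <, >, $ and
 *                          commas removed via dbstr_replace().
 * @return string|int SQL fragment: a quoted string, the numeric string itself,
 *                    the keyword 'NULL', or int 0.
 * @throws \InvalidArgumentException if $is_str is not 0, 1 or 2.
 */
function sql_escape_string($value, $is_str = 1)
{
    //Trim the whitespace
    $value = trim($value);

    // NOTE(review): as rendered here the &, <, > entries in $replace map to
    // themselves, so those pairs are no-ops. They were very likely HTML-entity
    // targets (&amp; etc.) lost in rendering -- confirm against the original
    // source before relying on mode 1 for any output escaping.
    $search  = array("'", '&', '<', '>');
    $replace = array("''", '&', '<', '>');

    $curr_search  = array("'", '&', '<', '>', '$', ',');
    $curr_replace = array('', '', '', '', '', '');

    // Empty after trimming: emit SQL NULL, whatever the requested mode.
    if (strlen($value) === 0) {
        return 'NULL';
    }

    // Magic quotes were deprecated in PHP 7.4 and removed in 8.0; guarding the
    // call keeps this function usable on current runtimes. Where the feature
    // still exists and is on, strip the slashes it added so they are not
    // escaped a second time below.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // Strip any slashes that already exist within the string
        $value = stripslashes($value);
    }

    // Return the escaped string
    switch ($is_str) {
        case 0: // Integer
            return is_numeric($value) ? $value : 0;

        case 1: // html-friendly string -- DEFAULT
            return "'" . dbstr_replace($search, $replace, $value) . "'";

        case 2: // clean string
            return "'" . dbstr_replace($curr_search, $curr_replace, $value) . "'";

        default:
            // Previously this fell off the end of the switch and returned null,
            // which callers concatenated into SQL as an empty fragment.
            throw new \InvalidArgumentException(
                'sql_escape_string(): unknown escape mode ' . var_export($is_str, true)
            );
    }
}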
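<?php
// Per-client report page: runs the baseline and CSE stored procedures for the
// client key supplied by the router.
//
// $args is expected to be populated by the routing layer (outside this file);
// $mysqli, execute_query(), dbstr_replace() and sql_escape_string() come from
// the includes below.
require_once "include/config.inc.php";
require_once 'include/mysqli.inc.php';
require_once "include/utils.inc.php";

// Require a logged-in session. header() only queues a response header and does
// not stop the script: without exit, the rest of this page -- including the
// stored-procedure calls below -- still ran for unauthenticated requests.
if (!isset($_SESSION['user_key']) || strlen($_SESSION['user_key']) < 1) {
    header('Location: /login');
    exit;
}

// Client key from the route arguments.
if (isset($args[1])) {
    $value = trim($args[1]);
    // NOTE(review): as rendered here the &, <, > entries in $replace map to
    // themselves and are no-ops; they were probably HTML-entity targets lost in
    // rendering -- confirm against the original source.
    $search  = array("'", '&', '<', '>');
    $replace = array("''", '&', '<', '>');
    $client_key = dbstr_replace($search, $replace, $value);
} else {
    // No client key: back to the report list. Without exit the page continued
    // with $client_key undefined and still called the procedures with NULL.
    header('Location: /reports');
    exit;
}

require_once 'include/header.php';
require_once 'include/footer.php';

// Defaults so these exist even when the procedure returns no rows.
$client_age = null;
$client_gender = null;

// sql_escape_string(..., 1) applies the same quote-doubling as the block above
// (assuming dbstr_replace() replaces like str_replace), so escaping the already
// escaped $client_key doubled every quote twice. Pass the raw trimmed value so
// each quote is doubled exactly once; $client_key keeps the pre-escaped form
// for any later, non-SQL use.
$sql = "CALL rptBaselinebyUser(" . sql_escape_string($value, 1) . ");";
$Result = execute_query($mysqli, $sql);
if ($Result) {
    // Last row wins if the procedure returns more than one.
    while ($row = $Result[0]->fetch_assoc()) {
        $client_age = $row['client_age'];
        $client_gender = strtoupper($row['client_gender']);
    }
}

//Validate the user
$sql = "CALL rptCSEbyUser(" . sql_escape_string($value, 1) . ");";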
<?php if (isset($_SESSION['user_key']) == false || strlen($_SESSION['user_key']) < 1) { header('Location: /login'); } require_once "include/config.inc.php"; require_once 'include/mysqli.inc.php'; require_once "include/utils.inc.php"; require_once 'include/header.php'; require_once 'include/footer.php'; // Table Name if (isset($args[1])) { $value = trim($args[1]); $search = array("'", '&', '<', '>'); $replace = array("''", '&', '<', '>'); $tablename = dbstr_replace($search, $replace, $value); } else { $tablename = "activity_log"; } // Rows if (isset($args[2])) { if ($args[2] == "all") { $sqlrowlimit = $args[2]; $sqllimitstatement = ""; } else { $sqlrowlimit = $args[2]; $sqllimitstatement = " limit " . $sqlrowlimit; } } else { $sqlrowlimit = '200'; $sqllimitstatement = " limit " . $sqlrowlimit;