I reverted all my changes back to SVN revision 1247, then made the following changes to get this problem fixed. If this doesn't work for you, I can't help; maybe one of the developers who really know the system can. I'm just a user fixing things for myself.
[code] Index: include_functions.php =================================================================== --- include_functions.php (revision 1247) +++ include_functions.php (working copy) @@ -79,6 +79,7 @@ $url_clean = str_replace (' ','%20',$url_clean); $url_clean = str_replace ('+','%2B',$url_clean); $url_clean = str_replace ('&','%26',$url_clean); +$url_clean = str_replace ('\'','%27',$url_clean); $url_clean = str_replace (',','%2C',$url_clean); $url_clean = str_replace ('/','%2F',$url_clean); $url_clean = str_replace (':','%3A',$url_clean); Index: software_add_license_2.php =================================================================== --- software_add_license_2.php (revision 1247) +++ software_add_license_2.php (working copy) @@ -10,10 +10,10 @@ $sql .= "license_purchase_number, license_comments, license_purchase_type, license_order_number) values "; $sql .= "('" . $_POST['id'] . "', '" . $_POST['date_purchased']; -$sql .= "', '" . $_POST['vendor']; +$sql .= "', '" . mysql_real_escape_string($_POST['vendor']); $sql .= "', '" . $_POST['cost'] . "', '" . $_POST['number_purchased']; -$sql .= "', '" . $_POST['comments'] . "', '" . $_POST['type']; -$sql .= "', '" . $_POST['order'] . "')"; +$sql .= "', '" . mysql_real_escape_string($_POST['comments']) . "', '" . $_POST['type']; +$sql .= "', '" . mysql_real_escape_string($_POST['order']) . "')"; $result = mysql_query($sql); Index: software_register.php =================================================================== --- software_register.php (revision 1247) +++ software_register.php (working copy) 
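Review bot: `url_clean()` in include_functions.php is a hand-maintained list of `str_replace()` calls, so any character missing from the list passes through unencoded, as `'` did before this change. The visible lines show no entry for `"`, `\`, `<` or `>`, and the result ends up inside the single-quoted `sendRequest('...')` argument built in software_register.php and software_register_add.php. The rest of the function is outside the hunk, so those characters may be handled further down; that is worth checking. If the intent is plain percent-encoding, `rawurlencode()` covers every reserved character and could replace the whole list.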
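Review bot: In software_add_license_2.php only `vendor`, `comments` and `order` are escaped; `$_POST['id']`, `date_purchased`, `cost`, `number_purchased` and `type` are still concatenated into the INSERT as received, so the statement stays injectable through those fields. Every request value needs the same treatment, e.g. `$sql .= "('" . mysql_real_escape_string($_POST['id']) . "', '" . mysql_real_escape_string($_POST['date_purchased']);`, or a prepared statement if the code moves to mysqli/PDO. The same gap is in the software_register_edit_comments_2.php hunk, where `$comments` is escaped but `$id` still goes into the WHERE clause unchanged. Where `$id` is assigned is outside that hunk, so confirm whether it is validated earlier.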
@@ -71,7 +71,7 @@ echo "<td align=\"center\">" . $font . $number_audit . "</font></td>"; } echo "<td align=\"center\"><div id=\"s" . $myrow['software_reg_id'] . "\">\n"; - echo "<a href=\"#\" onclick=\"sendRequest('" . url_clean($myrow["software_reg_id"]) . "');\"><img border=\"0\" src=\"images/button_fail.png\" width=\"16\" height=\"16\" alt=\"\" /></a>"; + echo "<a href=\"#\" onclick=\"sendRequest('" . url_clean($myrow["software_reg_id"]) . "');return false;\"><img border=\"0\" src=\"images/button_fail.png\" width=\"16\" height=\"16\" alt=\"\" /></a>"; echo "</div></td>\n"; echo "</tr>"; } while ($myrow = mysql_fetch_array($result)); Index: software_register_add.php =================================================================== --- software_register_add.php (revision 1247) +++ software_register_add.php (working copy) @@ -69,7 +69,7 @@ echo " <td> " . $myrow["software_name"] . "</td>\n"; echo "<td align=\"center\">"; echo "<div id=\"s" . div_clean($myrow["software_name"]) . "\">"; - echo "<a href=\"#\" onclick=\"sendRequest('" . url_clean($myrow["software_name"]) . "');\"><img border=\"0\" src=\"images/button_success.png\" width=\"16\" height=\"16\" alt=\"\" /></a>"; + echo "<a href=\"#\" onclick=\"sendRequest('" . url_clean($myrow["software_name"]) . "');return false;\"><img border=\"0\" src=\"images/button_success.png\" width=\"16\" height=\"16\" alt=\"\" /></a>"; echo "</div>\n"; echo "</td>\n"; echo "<td valign=\"top\">\n"; Index: software_register_add_ajax.php =================================================================== --- software_register_add_ajax.php (revision 1247) +++ software_register_add_ajax.php (working copy) 
@@ -36,9 +36,11 @@ } if (isset($_GET['act'])){ $package = $_GET['act']; } else { $package = ''; } -$sql = "SELECT count(*) AS count FROM software_register WHERE software_title = '$package'"; mysql_connect($mysql_server, $mysql_user, $mysql_password) or die("Could not connect"); mysql_select_db($mysql_database) or die("Could not select database"); +$package = mysql_real_escape_string($package); +$sql = "SELECT count(*) AS count FROM software_register WHERE software_title = '$package'"; + $result = mysql_query($sql) or die ('<td>Insert Failed: ' . mysql_error() . '<br />' . $sql . "</td>"); $myrow = mysql_fetch_array($result); if ($myrow["count"] == "0") { Index: software_register_del.php =================================================================== --- software_register_del.php (revision 1247) +++ software_register_del.php (working copy) 
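Review bot: The `or die(...)` on the query line in software_register_add_ajax.php still prints `mysql_error()` and the whole `$sql` string into the response. `$sql` contains the request-supplied `act` value, which is now SQL-escaped but not HTML-escaped, so a failure discloses the query text and reflects request input into the page. Log the detail server-side and return a fixed message instead, e.g. `if (!$result) { error_log(mysql_error()); die('<td>Insert Failed</td>'); }`.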
@@ -25,8 +25,16 @@ $sql3 = "SELECT SUM(license_purchase_number) AS number_purchased FROM software_licenses WHERE license_software_id = '" . $myrow["software_reg_id"] . "'"; $result3 = mysql_query($sql3, $db); $myrow3 = mysql_fetch_array($result3); - $sql4 = "SELECT count(software_name) AS number_used FROM software WHERE software_name = '" . addslashes($myrow["software_title"]) . "'"; - $result4 = mysql_query($sql4, $db); + #$sql4 = "SELECT count(software_name) AS number_used FROM software WHERE software_name = '" . mysql_real_escape_string($myrow["software_title"]) . "'"; + $sql4 = "SELECT software_reg_id, software_title, count(software.software_name) AS number_used FROM "; + $sql4 .= "software_register, software, system WHERE "; + $sql4 .= "software_title = software_name AND "; + $sql4 .= "software_title = '" . mysql_real_escape_string($myrow["software_title"]) . "' AND "; + $sql4 .= "software_uuid = system_uuid AND "; + $sql4 .= "software_timestamp = system_timestamp "; + $sql4 .= "GROUP BY software_title"; + + $result4 = mysql_query($sql4, $db); $myrow4 = mysql_fetch_array($result4); if ($myrow3["number_purchased"] == "") { $number_purchased = 0; } else { $number_purchased = $myrow3["number_purchased"]; } if ($myrow4["number_used"] == "") { $number_used = 0; } else { $number_used = $myrow4["number_used"]; } Index: software_register_del_2.php =================================================================== --- software_register_del_2.php (revision 1247) +++ software_register_del_2.php (working copy) @@ -1,4 +1,3 @@ -<<<<<<< .mine <?php include "include_config.php"; 
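Review bot: In software_register_del.php `mysql_real_escape_string()` is called without a link identifier, while the query is sent with `mysql_query($sql4, $db)`. Without the second argument the function uses the most recently opened connection, so if more than one link is ever open the escaping follows that link's character set rather than `$db`'s. Passing the link makes this explicit: `mysql_real_escape_string($myrow["software_title"], $db)`. The same applies to the software_register_details.php and software_register_edit_comments.php hunks. Separately, the commented-out `#$sql4 = ...` line above the new query should be dropped, since the old query is already in revision history; the enclosing loop starts and ends outside the hunk.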
@@ -25,24 +24,3 @@ } else {} ?> -======= -<?php - -include "include_config.php"; - - if ($_GET['confirm']=1) { - - $link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or die("Could not connect"); - mysql_select_db("$mysql_database") or die("Could not select database"); - - $query = "DELETE FROM software_register WHERE software_reg_id = '" . $_GET['id'] . "'"; - $result = mysql_query($query) or die("Query failed at insert stage. register"); - - $query = "DELETE FROM software_licenses WHERE license_software_id = '" . $_GET['id'] . "'"; - $result = mysql_query($query) or die("Query failed at insert stage. license"); - - header("Location: software_register.php"); - } else {} - -?> ->>>>>>> .r834 Index: software_register_details.php =================================================================== --- software_register_details.php (revision 1247) +++ software_register_details.php (working copy) @@ -36,7 +36,7 @@ $sql2 = "SELECT sum(license_purchase_number) as number_purchased FROM "; $sql2 .= "software_licenses, software_register WHERE "; $sql2 .= "license_software_id = software_reg_id AND "; - $sql2 .= "software_title = '" . $myrow['software_title'] . "'"; + $sql2 .= "software_title = '" . mysql_real_escape_string($myrow['software_title']) . "'"; $result2 = mysql_query($sql2, $db); $myrow2 = mysql_fetch_array($result2); Index: software_register_edit_comments.php =================================================================== --- software_register_edit_comments.php (revision 1247) +++ software_register_edit_comments.php (working copy) 
@@ -25,7 +25,7 @@ $result3 = mysql_query($sql3, $db); $myrow3 = mysql_fetch_array($result3); - $sql4 = "SELECT count(software_name) AS number_used FROM software WHERE software_name = '" . $myrow["software_title"] . "'"; + $sql4 = "SELECT count(software_name) AS number_used FROM software WHERE software_name = '" . mysql_real_escape_string($myrow["software_title"]) . "'"; $result4 = mysql_query($sql4, $db); $myrow4 = mysql_fetch_array($result4); Index: software_register_edit_comments_2.php =================================================================== --- software_register_edit_comments_2.php (revision 1247) +++ software_register_edit_comments_2.php (working copy) @@ -19,6 +19,7 @@ mysql_connect($mysql_server, $mysql_user, $mysql_password) or die("Could not connect"); mysql_select_db($mysql_database) or die("Could not select database"); +$comments = mysql_real_escape_string($comments); $sql = "update software_register set software_comments = '$comments' WHERE software_reg_id='$id'"; $result = mysql_query($sql);
[/code]