02.09.2008, 18:10
|
|
Постоянный
Регистрация: 07.11.2007
Сообщений: 392
Провел на форуме:
1325167
Репутация:
100
|
|
http://man.firstvds.ru/mediaviewer.php?mid=M20'
ERROR:-2 DB Error: syntax error
SQL:SELECT mm_gid FROM media_mapping WHERE mm_media='M20\' AND mm_gedfile='1' [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 1]
Система PhpGedView
Как можно раскрутить иньекцию?
Бажный кусок кода:
$dbq = "SELECT mm_gid FROM ".$TBLPREFIX."media_mapping WHERE mm_media='".$mid."' AND mm_gedfile='".$GEDCOMS[$GEDCOM]['id']."'";
$dbr = dbquery($dbq);
while($row = $dbr->fetchRow()) {
if ($row[0] != $mid){
$media[$row[0]] = id_type($row[0]);
}
}
$medialist[$keyMediaList]['LINKS'] = $media;
return $media;
}
//Basically calls the get_media_relations method but it uses a file name rather than a media id.
function get_media_relations_with_file_name($filename){
global $TBLPREFIX, $BUILDING_INDEX, $DBCONN, $GEDCOMS, $GEDCOM;
$dbq = "select m_media from ".$TBLPREFIX."media where m_file='".$filename."' and m_gedfile='".$GEDCOMS[$GEDCOM]['id']."'";
$dbr = dbquery($dbq);
if (isset($dbr)){
while($result = $dbr->fetchRow()) {
$media_id = $result[0];
$media_array = get_media_relations($media_id);
return $media_array;
}
}
else{
return array();
}
}
|
|
|