PNBR#41284 SQL-injection voorkomen

svn path=/Website/trunk/; revision=34970
2017-08-17 07:33:07 +00:00
parent bcbcf30991
commit 445b59b99a
2 changed files with 9 additions and 9 deletions
--- a/APPL/FAC/fac_edit_faq.asp
+++ b/APPL/FAC/fac_edit_faq.asp
@@ -115,17 +115,17 @@ else
        BLOCK_END();

        BLOCK_START("mldInfo", L("lcl_faq_itemadm"));
-        var sql= "           SELECT 1,  " + safe.quoted_sql(L("lcl_faq_level1")) + " FROM DUAL"
-               + " UNION ALL SELECT 2,  " + safe.quoted_sql(L("lcl_faq_level2")) + " FROM DUAL"
-               + " UNION ALL SELECT 3,  " + safe.quoted_sql(L("lcl_faq_level3")) + " FROM DUAL"
+        var sql = "           SELECT 1, " + safe.qL("lcl_faq_level1") + " FROM DUAL"
+                + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_level2") + " FROM DUAL"
+                + " UNION ALL SELECT 3, " + safe.qL("lcl_faq_level3") + " FROM DUAL"
        FCLTselector("fac_faq_level", sql,
          { initKey: level,
            label: L("lcl_faq_level")
          });

-        var displaySql = " SELECT 0, '" + L("lcl_faq_display_popup")    + "' FROM DUAL UNION ALL "
-                       + " SELECT 1, '" + L("lcl_faq_display_screen")   + "' FROM DUAL UNION ALL "
-                       + " SELECT 2, '" + L("lcl_faq_display_both_edit")+ "' FROM DUAL";
+        var displaySql = "           SELECT 0, " + safe.qL("lcl_faq_display_popup")     + " FROM DUAL"
+                       + " UNION ALL SELECT 1, " + safe.qL("lcl_faq_display_screen")    + " FROM DUAL"
+                       + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_display_both_edit") + " FROM DUAL";

        FCLTselector("fac_faq_displaymode",
                     displaySql,
--- a/APPL/FAC/fac_show_faq.asp
+++ b/APPL/FAC/fac_show_faq.asp
@@ -141,9 +141,9 @@ var canChange = canWriteFAQBOF || (canWriteFAQFOF && datum == null)
            BLOCK_START("mldInfo", L("lcl_faq_itemadm"));
            ROFIELDTR("fld",          L("lcl_faq_level"),       fac.getfaqleveltext(level));

-            var displaySql = " SELECT 0, '" + L("lcl_faq_display_popup")    + "' FROM DUAL UNION ALL "
-                           + " SELECT 1, '" + L("lcl_faq_display_screen")   + "' FROM DUAL UNION ALL "
-                           + " SELECT 2, '" + L("lcl_faq_display_both_show")+ "' FROM DUAL";
+            var displaySql = "           SELECT 0, " + safe.qL("lcl_faq_display_popup")     + " FROM DUAL"
+                           + " UNION ALL SELECT 1, " + safe.qL("lcl_faq_display_screen")    + " FROM DUAL"
+                           + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_display_both_show") + " FROM DUAL";

            FCLTselector("fld",
                         displaySql,