dealy14 / LearningFox-LMS


Improper database calls #30

Closed jstuckle closed 12 years ago

jstuckle commented 12 years ago

\LMS\admin\create_user.php at lines 140-142 has the following code:

```php
$rsltSet = mysql_query($qry);
if ($rsltSet === false)
  echo mysql_error();
$cnt = mysql_affected_rows();
```

The query should be a call to $obj1->query() ($obj1 was instantiated on line 114 as a database object) instead.

Additionally, the data being inserted is not being properly escaped. This will cause problems with names like O'Casey, and can lead to database damage should a hacker enter bad information into the fields.

Finally, the code is not checking to see if the query succeeded or not. When it fails, no message is produced.
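As an added illustration (not code from LearningFox-LMS or from the issue author), here is the insert from create_user.php rewritten with a mysqli prepared statement, so that a name such as O'Casey or any user-controlled value cannot alter the SQL, and so that a failed query is reported rather than ignored. The connection variable, table and column names are assumptions for the example.

```php
<?php
// Added example, not code from LearningFox-LMS. It shows the user insert
// from create_user.php rewritten so the value O'Casey (or any attacker-controlled
// input) can never change the meaning of the SQL, and so a failed query is
// surfaced instead of silently ignored.
// Assumptions: a mysqli connection $db and a table `users` with the
// columns `username`, `fullname` and `email` (hypothetical names).

function create_user(mysqli $db, string $username, string $fullname, string $email): int
{
    // Placeholders keep the data out of the SQL text entirely; the server
    // receives the statement and the values separately, so quoting is never
    // an issue and no escaping step can be forgotten.
    $sql = 'INSERT INTO users (username, fullname, email) VALUES (?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sss', $username, $fullname, $email);

    // Unlike the original, the outcome of the query is checked: on failure the
    // caller gets an exception instead of an unexplained row count of 0.
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('insert failed: ' . $err);
    }
    $cnt = $stmt->affected_rows;  // 1 on success
    $stmt->close();
    return $cnt;
}

// Usage with constructed sample input; connection details are placeholders.
// $db = new mysqli('localhost', 'lms_user', 'secret', 'lms');
// try {
//     $cnt = create_user($db, 'ocasey', "Sean O'Casey", 'ocasey@example.com');
//     echo "$cnt row(s) inserted\n";
// } catch (RuntimeException $e) {
//     // Log the database error server-side instead of echoing it to the browser.
//     error_log($e->getMessage());
//     echo "Could not create the user.\n";
// }
```

If the application enables mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT), prepare() and execute() throw mysqli_sql_exception on their own and the explicit false checks become redundant.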

jstuckle commented 12 years ago

This issue was resolved when the fix for issue #42 was applied.