Diffstat (limited to 'www/functions/func_user.php')
-rwxr-xr-xwww/functions/func_user.php8
1 files changed, 4 insertions, 4 deletions
diff --git a/www/functions/func_user.php b/www/functions/func_user.php
index f044334..394a8f7 100755
--- a/www/functions/func_user.php
+++ b/www/functions/func_user.php
@@ -298,8 +298,8 @@ function user_id($db, $user){
}
function change_username($db, $oldname, $newname){
- $oldname = $db->escapeString($oldname);
- $newname = $db->escapeString($newname);
+ $oldname = $db->escapeString(htmlentities($oldname));
+ $newname = $db->escapeString(htmlentities($newname));
$check_db = $db->query("SELECT 1 FROM user WHERE name='".$newname."'");
$check_ar = $check_db->fetchArray(SQLITE3_NUM);
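Review bot: Wrapping the inputs in `htmlentities()` before `escapeString()` on the `$oldname`/`$newname` lines (and likewise in the two `change_email` hunks below) applies an output-encoding step at the storage/query layer, so the values compared and written in SQL are now entity-encoded (`&` becomes `&amp;`, and with ENT_QUOTES `'` becomes `&#039;`) while rows stored before this change still hold the raw text, so existing lookups such as `SELECT 1 FROM user WHERE name='...'` will stop matching those rows. It also adds no SQL protection: `escapeString()` remains the only guard, and the default `htmlentities()` flags depend on the PHP version (pre-8.1 `ENT_COMPAT` leaves single quotes alone), so the entity step is not a reliable quoting mechanism either. The HTML-context concern belongs at render time with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the SQL concern is better solved by a prepared statement, e.g. `$stmt = $db->prepare('SELECT 1 FROM user WHERE name = :name');`, `$stmt->bindValue(':name', $newname, SQLITE3_TEXT);`, `$check_db = $stmt->execute();`, which also removes the string concatenation in the UPDATE of the third hunk. The body of `change_username` continues past this hunk, so how `$oldname` is used is not visible here.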
@@ -320,7 +320,7 @@ function change_username($db, $oldname, $newname){
}
function change_email($db, $name, $email){
- $res_db = $db->query("SELECT 1, name FROM user WHERE email='".$db->escapeString($email)."'");
+ $res_db = $db->query("SELECT 1, name FROM user WHERE email='".$db->escapeString(htmlentities($email))."'");
$res_ar = $res_db->fetchArray(SQLITE3_NUM);
if($res_ar[0] == 1){
@@ -331,7 +331,7 @@ function change_email($db, $name, $email){
if($db->exec("
BEGIN TRANSACTION;
- UPDATE user SET email='".$db->escapeString($email)."' WHERE name='".$db->escapeString($name)."';
+ UPDATE user SET email='".$db->escapeString(htmlentities($email))."' WHERE name='".$db->escapeString(htmlentities($name))."';
COMMIT;
")){
return CH_EMAIL_SUCCESS;