From d6d8037f5d76e0a8d2d92eb4fe3254ddac330667 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rytis=20Slatkevi=C4=8Dius?= <rytis.s@gmail.com>
Date: Mon, 18 Jan 2010 15:19:23 +0000
Subject: [PATCH] user web: do SQL escaping before storing prefs in the
 database as some projects store user-editable strings in the preferences.

svn path=/trunk/boinc/; revision=20188
---
 checkin_notes      | 7 +++++++
 html/inc/prefs.inc | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/checkin_notes b/checkin_notes
index dbf8052e7d..cb8667b654 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -470,3 +470,10 @@ David  17 Jan 2010
         sched_send.cpp
         sched_shmem.cpp
         handle_request.cpp
+
+Rytis  18 Jan 2010
+    - user web: do SQL escaping before storing prefs in the database as some
+        projects store user-editable strings in the preferences.
+
+    html/inc/
+        prefs.inc
diff --git a/html/inc/prefs.inc b/html/inc/prefs.inc
index 525e021aa0..dab3ea6314 100644
--- a/html/inc/prefs.inc
+++ b/html/inc/prefs.inc
@@ -1584,7 +1584,7 @@ function project_prefs_make_xml($prefs, $primary=true) {
 // Update user's prefs in database, from a given structure
 //
 function global_prefs_update(&$user, $prefs) {
-    $prefs_xml = global_prefs_make_xml($prefs);
+    $prefs_xml = mysql_real_escape_string(global_prefs_make_xml($prefs));
     $query = "update user set global_prefs='$prefs_xml' where id=$user->id";
     $retval = mysql_query($query);
     if (!$retval) {
@@ -1597,7 +1597,7 @@ function global_prefs_update(&$user, $prefs) {
 }
 
 function project_prefs_update(&$user, $prefs) {
-    $prefs_xml = project_prefs_make_xml($prefs);
+    $prefs_xml = mysql_real_escape_string(project_prefs_make_xml($prefs));
     $retval = mysql_query("update user set project_prefs='$prefs_xml', send_email=$user->send_email, show_hosts=$user->show_hosts where id=$user->id");
     $user->project_prefs = $prefs_xml;
     return $retval;