Fix (bf2sclone): Fix Search page to work correctly

startersclan · Mar 10, 2024 · 7d1443f · 7d1443f
1 parent d9d6b37
commit 7d1443f
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/bf2sclone/search.inc.php b/src/bf2sclone/search.inc.php
@@ -2,6 +2,7 @@
 
 function getSearchResults($SEARCHVALUE)
 {
+	$SEARCHVALUE = mysqli_real_escape_string($GLOBALS['link'], $SEARCHVALUE);
 	include(ROOT . DS . 'queries'. DS .'getPIDList.php'); // imports the correct sql statement
 	$result = mysqli_query($GLOBALS['link'], $query) or die('Query failed: ' . mysqli_error($GLOBALS['link']));
 	$data = array();

diff --git a/src/bf2sclone/template/search.php b/src/bf2sclone/template/search.php
@@ -50,7 +50,7 @@
 					<label>Search Player by ID\'s or Nick: <br>
 						<input name="searchvalue" size="80" value="';
 							if ($SEARCHVALUE)
-								$template .= $SEARCHVALUE;
+								$template .= esc_attr($SEARCHVALUE);
 							$template .= '" type="text">
 					</label> 
 					<input name="search" value="Search" type="submit">
@@ -78,7 +78,7 @@
 					$template .= '
 						<td>
 							<img src="'.$ROOT.'game-images/ranks/icon/rank_'.$searchresults[$i]['rank'].'.gif" alt="" style="border: 0pt none ;"> 
-							<a href="'.$ROOT.'?pid='.$searchresults[$i]['id'].'"> ' . (RANKING_PIDS_AS_NAMES ? $searchresults[$i]['id'] : esc_attr($searchresults[$i]['name'])) . '</a>&nbsp;
+							<a href="'.$ROOT.'?pid='.$searchresults[$i]['id'].'"> ' . esc_attr(RANKING_PIDS_AS_NAMES ? $searchresults[$i]['id'] : $searchresults[$i]['name']) . '</a>&nbsp;
 							<img src="'.$ROOT.'game-images/flags/' . esc_attr(RANKING_HIDE_COUNTRY ? 'xx' : strtoupper($searchresults[$i]['country'])) .'.png" height="12" width = "16">
 						</td>
 						<td>'.$searchresults[$i]['score'].'</td>