use parameter passing instead of explicit exscaping

This commit is contained in:
Isaac Connor 2013-11-03 15:40:00 -05:00
parent 93560652f1
commit 59b841958d
1 changed files with 4 additions and 4 deletions


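--- a/unknown
+++ b/unknown
@@ -27,12 +27,12 @@ if ( !canView( 'Stream' ) )
 $groupSql = "";
 if ( !empty($_REQUEST['group']) )
 {
-$sql = "select * from Groups where Id = ".dbEscape($_REQUEST['group']);
-$row = dbFetchOne( $sql );
-$groupSql = " and find_in_set( Id, '".$row['MonitorIds']."' )";
+$row = dbFetchOne( 'select * from Groups where Id = ?', NULL, array($_REQUEST['group']) );
+$sql = "select * from Monitors where Function != 'None' and find_in_set( Id, '".$row['MonitorIds']."' ) order by Sequence";
+} else {
+$sql = "select * from Monitors where Function != 'None' order by Sequence";
 }
-$sql = "select * from Monitors where Function != 'None'$groupSql order by Sequence";
 $maxWidth = 0;
 $maxHeight = 0;
 $showControl = false;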
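Review bot: The parameterized `dbFetchOne( 'select * from Groups where Id = ?', ... )` removes the direct injection through `$_REQUEST['group']`, but the following line still splices `$row['MonitorIds']` into the Monitors query by string concatenation, so a value stored in the Groups table reaches SQL unescaped (second-order risk, low if MonitorIds is only ever written by this application as a comma-separated integer list, which the hunk does not show). A group id that matches no row leaves `$row` false, so `$row['MonitorIds']` is undefined and the query silently degrades to `find_in_set( Id, '' )`; I would guard with `if ( !$row ) { /* unknown group: fall back to the unfiltered Monitors query or fail */ }` before building `$sql`, and cast the request value, `array((int)$_REQUEST['group'])`, so a non-numeric id never reaches the driver. Binding the id list as `find_in_set( Id, ? )` the same way would close the second-order path, but that requires the later fetch that consumes `$sql` outside this hunk to pass parameters too. `$groupSql = "";` at the top of the hunk is no longer read after this change and can be dropped. The `canView( 'Stream' )` check in the hunk header and the code that runs `$sql` lie outside the hunk.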