From: reine
Date: Tue, 24 Apr 2012 16:16:41 +0000 (+0900)
Subject: FIX:ブログ追加作成処理でDB向けエスケープ処理した文字列が画面表示に使用されていた不具合を修正
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=2d3e3b8e3bc275bedcd5dc7a72fc3fc8e7f3afd6;p=nucleus-jp%2Fnucleus-next.git
FIX:ブログ追加作成処理でDB向けエスケープ処理した文字列が画面表示に使用されていた不具合を修正
---
diff --git a/nucleus/libs/ADMIN.php b/nucleus/libs/ADMIN.php
index d113217..401a766 100644
--- a/nucleus/libs/ADMIN.php
+++ b/nucleus/libs/ADMIN.php
@@ -3614,15 +3614,15 @@ class Admin
 );
- // add slashes for sql queries
- $bname = DB::quoteValue($bname);
- $bshortname = DB::quoteValue($bshortname);
- $btimeoffset = DB::quoteValue($btimeoffset);
- $bdesc = DB::quoteValue($bdesc);
- $bdefskin = DB::quoteValue($bdefskin);
- // create blog
- $query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ($bname, $bshortname, $bdesc, $btimeoffset, $bdefskin)";
+ $query = sprintf('INSERT INTO %s (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES (%s, %s, %s, %s, %s)',
+ sql_table('blog'),
+ DB::quoteValue($bname),
+ DB::quoteValue($bshortname),
+ DB::quoteValue($bdesc),
+ DB::quoteValue($btimeoffset),
+ DB::quoteValue($bdefskin)
+ );
 DB::execute($query);
 $blogid = DB::getInsertId();
 $blog =& $manager->getBlog($blogid);
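Review bot: With the quoting moved inline, `$bname`, `$bshortname`, `$bdesc`, `$btimeoffset` and `$bdefskin` now keep their raw submitted values after the INSERT, so whatever renders them later in this method (the rest of the function lies outside the hunk) has to HTML-escape them itself; the escaping that previously leaked into the display was `DB::quoteValue`'s SQL escaping, which was never an HTML defence, so confirm that the output path applies `htmlspecialchars` with ENT_QUOTES. The new sprintf also relies on `DB::quoteValue` returning a fully quoted literal for every `%s`, which is worth stating where the query is built, e.g. `// DB::quoteValue() returns a quoted, escaped literal, so the %s placeholders are deliberately unquoted`. The removed `// create blog` comment could be kept above the sprintf for symmetry with the `// create new category` and `// create team member` comments in the later hunks.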
@@ -3630,8 +3630,13 @@ class Admin
 // create new category
 $catdefname = (defined('_EBLOGDEFAULTCATEGORY_NAME') ? _EBLOGDEFAULTCATEGORY_NAME : 'General');
 $catdefdesc = (defined('_EBLOGDEFAULTCATEGORY_DESC') ? _EBLOGDEFAULTCATEGORY_DESC : 'Items that do not fit in other categories');
- $sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, %s, %s)';
- DB::execute(sprintf($sql, sql_table('category'), $blogid, DB::quoteValue($catdefname), DB::quoteValue($catdefdesc)));
+ $query = sprintf('INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, %s, %s)',
+ sql_table('category'),
+ $blogid,
+ DB::quoteValue($catdefname),
+ DB::quoteValue($catdefdesc)
+ );
+ DB::execute($query);
 $catid = DB::getInsertId();
 // set as default category
@@ -3640,7 +3645,7 @@ class Admin
 // create team member
 $memberid = $member->getID();
- $query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";
+ $query = sprintf('INSERT INTO %s (tmember, tblog, tadmin) VALUES (%d, %d, 1)', sql_table('team'), $memberid, $blogid);
 DB::execute($query);
 $itemdeftitle = (defined('_EBLOG_FIRSTITEM_TITLE') ? _EBLOG_FIRSTITEM_TITLE : 'First Item');
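Review bot: The `%d` placeholder in the new category INSERT silently turns a false or non-numeric `$blogid` into 0, so if the blog INSERT in the previous hunk failed and `DB::getInsertId()` returned no real id, this hunk (and the team INSERT in the next hunk, which formats `$memberid` and `$blogid` the same way) would still create rows with cblog/tblog = 0 instead of stopping. A guard before the query is built, such as `if ((int) $blogid <= 0) { /* report the failed blog insert and stop here */ }`, would prevent the orphaned rows, and the same consideration applies to `$catid` once it is used as the default category below. I cannot tell from the hunk what `DB::execute` or `DB::getInsertId` return on failure, so the exact check needs confirming against the DB class.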
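Review bot: The team INSERT is built on a single line while the blog and category INSERTs in the previous hunks put each sprintf argument on its own line; using the same layout here keeps the three queries visually consistent: `$query = sprintf('INSERT INTO %s (tmember, tblog, tadmin) VALUES (%d, %d, 1)',` / `    sql_table('team'), $memberid, $blogid` / `);`. Formatting `$memberid` through `%d` rather than interpolating it into the string is a clear improvement over the removed line. The enclosing method continues past the end of this hunk.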