From 379486570bf624662f3fb405a451f348f64114bc Mon Sep 17 00:00:00 2001
From: wibyweb <49052850+wibyweb@users.noreply.github.com>
Date: Wed, 10 Aug 2022 02:22:52 -0400
Subject: [PATCH] Add files via upload
---
 html/readf/feedback.php | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/html/readf/feedback.php b/html/readf/feedback.php
index d382848..3aec3a7 100755
--- a/html/readf/feedback.php
+++ b/html/readf/feedback.php
@@ -10,12 +10,7 @@
 include 'index.php';
 exit();
 }
-
- if (isset($_POST['startid']) && $_SESSION["loadfeedback"]==false)
- {
- $startID = $_POST['startid'];
- $endID = $_POST['endid'];
- }
+
 $link = mysqli_connect('localhost', 'approver', 'foobar');
 if (!$link)
@@ -38,12 +33,18 @@
 include 'error.html.php';
 exit();
 }
+
+ if (isset($_POST['startid']) && $_SESSION["loadfeedback"]==false)
+ {
+ $startID = mysqli_real_escape_string($link, $_POST['startid']);
+ $endID = mysqli_real_escape_string($link, $_POST['endid']);
+ }
 $lim = 10000000000;
 if (isset($_POST['startid']) && $_SESSION["loadfeedback"]==false) //this is incase any new submissions are made during the review process, they will be ignored
 {
- $result = mysqli_query($link,"SELECT * FROM feedback WHERE id >= $startID AND id <= $endID");
+ $result = mysqli_query($link,"SELECT * FROM feedback WHERE id >= '".$startID."' AND id <= '".$endID."'");
 if(!$result)
 {
 $error = 'Error fetching index: ' . mysqli_error($link);
@@ -78,7 +79,7 @@
 if($_POST["drop$pageid"] == 'on')
 {
- $result2 = mysqli_query($link,"DELETE FROM feedback WHERE id = $pageid");
+ $result2 = mysqli_query($link,"DELETE FROM feedback WHERE id = '".$pageid."'");
 if(!$result2)
 {
 $error = 'Error deleting from feedback: ' . mysqli_error($link);
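Review bot: In the @@ -38,12 +33,18 @@ hunk, `$endID` is read from `$_POST['endid']` inside a block that only checks `isset($_POST['startid'])`, so a request without endid raises an undefined-key warning and leaves `$endID` empty, turning the range query into `id <= ''`. Escaping and quoting both values is a real improvement over the old interpolation, but `id` is compared numerically, so the robust form is to cast with `(int)` or bind both values as integers in a prepared statement, and to guard both keys with `isset($_POST['startid'], $_POST['endid'])`. The loose `$_SESSION["loadfeedback"]==false` test also treats an unset key as false; if that is intended, `empty($_SESSION['loadfeedback'])` states it explicitly. The rewrite below keeps the same `$result` variable so the existing error branch after it is unchanged.
```php
	if (isset($_POST['startid'], $_POST['endid']) && $_SESSION["loadfeedback"]==false)
	{
		$startID = (int) $_POST['startid'];
		$endID = (int) $_POST['endid'];
	}
	// … unchanged: $lim and the review-window condition …
		$stmt = mysqli_prepare($link, "SELECT * FROM feedback WHERE id >= ? AND id <= ?");
		$result = false;
		if ($stmt && mysqli_stmt_bind_param($stmt, 'ii', $startID, $endID) && mysqli_stmt_execute($stmt))
		{
			$result = mysqli_stmt_get_result($stmt);
		}
		// … unchanged: if(!$result) error handling …
```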
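Review bot: In the @@ -78,7 +79,7 @@ hunk, wrapping `$pageid` in quotes does not escape it; where `$pageid` comes from is outside this hunk, and if it is ever derived from request data the quotes alone do not make the DELETE safe. Since `id` is numeric, `$result2 = mysqli_query($link,"DELETE FROM feedback WHERE id = " . (int) $pageid);` (or a prepared statement with an `i` binding) removes the dependence on the value's origin. The preceding `$_POST["drop$pageid"] == 'on'` context line reads the key without `isset()`, which warns on every iteration where that checkbox was not submitted; `isset($_POST["drop$pageid"]) && $_POST["drop$pageid"] === 'on'` avoids that. The enclosing loop and the definition of `$pageid` begin before this hunk.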