Bad SQL generation in move_image_cat
My PhotoPost installation (v5.3) emailed me a notice the other day that it had received an SQL error when trying to submit the following SQL command:
REPLACE INTO pp_admlog (adminuser,ip,datestamp,description) VALUES ('Mackey's Things','72.166.163.248','1152989903','Moved Image: Cosmo_stickers.jpg from 500 to 580')
Notice that the adminuser value is Mackey's Things, which is not properly escaped for insertion into SQL.
I've looked through the PhotoPost source and discovered that pp-inc.php includes a function, adminlog, that correctly escapes its data and inserts a record into the admlog table.
I further discovered that pp-inc.php has another function, move_image_cat, that also inserts records in the admlog table but does not correctly escape its data.
I further discovered that adm-misc.php includes code in three places (near lines 1441, 1680, 2573) that inserts records into the admlog table and correctly escapes its data but does it nakedly.
To fix the observed SQL error, I have patched move_image_cat to call adminlog instead of trying to perform its own record insertion.
For consistency and future-proofing, I have also patched all three locations in adm-misc.php to call adminlog instead of performing their own record insertion.
Thought you'd be interested in applying these same patches to the PhotoPost mainline code.
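The failure described above, reproduced as an added example (not PhotoPost's own code): an in-memory SQLite table stands in for pp_admlog, the "naked" string-spliced REPLACE that move_image_cat used is run with the adminuser value from the post, and a hypothetical adminlog() helper shows the parameter binding a single shared logging function should perform. Function names and the PDO/SQLite setup are assumptions, not PhotoPost internals.

```php
<?php
// Added example, not PhotoPost code. Uses an in-memory SQLite database so it runs
// offline; the table mirrors the columns from the failing statement in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pp_admlog (adminuser TEXT, ip TEXT, datestamp INTEGER, description TEXT)');

// The pattern move_image_cat used: values spliced straight into the SQL text.
// An apostrophe in $adminuser closes the string literal early, so the statement
// the database sees is malformed and the insert is rejected.
function admlog_naked(PDO $db, string $adminuser, string $ip, int $ts, string $desc): void {
    $db->exec("REPLACE INTO pp_admlog (adminuser,ip,datestamp,description) "
            . "VALUES ('$adminuser','$ip','$ts','$desc')");
}

// What one central adminlog() helper should do (hypothetical stand-in): bind every
// value as a parameter so the driver quotes it and the text never alters the SQL.
function adminlog(PDO $db, string $adminuser, string $ip, int $ts, string $desc): void {
    $stmt = $db->prepare('REPLACE INTO pp_admlog (adminuser,ip,datestamp,description) '
                       . 'VALUES (?,?,?,?)');
    $stmt->execute([$adminuser, $ip, $ts, $desc]);
}

// The exact values from the error notice in the post.
$user = "Mackey's Things";
$ip   = '72.166.163.248';
$ts   = 1152989903;
$desc = 'Moved Image: Cosmo_stickers.jpg from 500 to 580';

try {
    admlog_naked($db, $user, $ip, $ts, $desc);
    echo "naked insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "naked insert failed, as in the bug report: " . $e->getMessage() . "\n";
}

// Routing the same record through adminlog() stores the apostrophe intact.
adminlog($db, $user, $ip, $ts, $desc);
$row = $db->query('SELECT adminuser, description FROM pp_admlog')->fetch(PDO::FETCH_ASSOC);
echo "escaped insert stored adminuser = " . $row['adminuser'] . "\n";
```

The same prepared-statement shape applies to the three naked inserts in adm-misc.php: once every caller goes through adminlog(), there is one place to keep the escaping correct.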