# HG changeset patch
# User Sushi-k
# Date 1247630540 -32400
# Node ID cf19005e65d19116e6135cba3bcb4bd0276ca0ee
# Parent cbbddf99d1cde2ef9c186500e414f0fe069598d6
added: mysql_real_escape_string
diff -r cbbddf99d1cd -r cf19005e65d1 mediatomb.php
--- a/mediatomb.php Wed Jul 15 12:52:29 2009 +0900
+++ b/mediatomb.php Wed Jul 15 13:02:20 2009 +0900
@@ -18,8 +18,8 @@
 mysql_query( $sqlstr );
 foreach( $recs as $rec ) {
- $title = $rec->title."(".date("Y/m/d", toTimestamp($rec->starttime)).")";
- $sqlstr = "update mt_cds_object set metadata='dc:description=".$rec->description."' where dc_title='".$rec->path."'";
+ $title = mysql_real_escape_string($rec->title)."(".date("Y/m/d", toTimestamp($rec->starttime)).")";
+ $sqlstr = "update mt_cds_object set metadata='dc:description=".mysql_real_escape_string($rec->description)."' where dc_title='".$rec->path."'";
 mysql_query( $sqlstr );
 $sqlstr = "update mt_cds_object set dc_title='".$title."' where dc_title='".$rec->path."'";
 mysql_query( $sqlstr );
diff -r cbbddf99d1cd -r cf19005e65d1 recomplete.php
--- a/recomplete.php Wed Jul 15 12:52:29 2009 +0900
+++ b/recomplete.php Wed Jul 15 13:02:20 2009 +0900
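Review bot: In mediatomb.php, `$rec->path` is still concatenated unescaped into the `where dc_title='...'` clause of both UPDATE statements, so a recording path containing a quote still breaks or alters the query even though title and description are now escaped. The same applies to `$rrec->path` in both UPDATE statements of the recomplete.php hunk. Escape it once per record, e.g. `$path = mysql_real_escape_string($rec->path);`, and use `$path` in both WHERE clauses; moving these queries to prepared statements (mysqli or PDO) would remove the need for per-field escaping. The `foreach` body ends outside the hunk.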
@@ -11,20 +11,22 @@
 if( file_exists( INSTALL_PATH . SPOOL . "/". $rrec->path ) ) { // 予約完了
 $rrec->complete = '1';
- if( MEDIATOMB_UPDATE) {
- $dbh = mysql_connect( DB_HOST, DB_USER, DB_PASS );
- if( $dbh !== false ) {
- $sqlstr = "use ".DB_NAME;
- mysql_query( $sqlstr );
- // 別にやらなくてもいいが
- $sqlstr = "set NAME utf8";
- mysql_query( $sqlstr );
- $sqlstr = "update mt_cds_object set metadata='dc:description=".$rrec->description."' where dc_title='".$rrec->path."'";
- mysql_query( $sqlstr );
- $sqlstr = "update mt_cds_object set dc_title='".$rrec->title."(".date("Y/m/d").")' where dc_title='".$rrec->path."'";
- mysql_query( $sqlstr );
+ if( defined(MEDIATOMB_UPDATE) ) {
+ if( MEDIATOMB_UPDATE ) {
+ $dbh = mysql_connect( DB_HOST, DB_USER, DB_PASS );
+ if( $dbh !== false ) {
+ $sqlstr = "use ".DB_NAME;
+ mysql_query( $sqlstr );
+ // 別にやらなくてもいいが
+ $sqlstr = "set NAME utf8";
+ mysql_query( $sqlstr );
+ $sqlstr = "update mt_cds_object set metadata='dc:description=".mysql_real_escape_string($rrec->description)."' where dc_title='".$rrec->path."'";
+ mysql_query( $sqlstr );
+ $sqlstr = "update mt_cds_object set dc_title='".mysql_real_escape_string($rrec->title)."(".date("Y/m/d").")' where dc_title='".$rrec->path."'";
+ mysql_query( $sqlstr );
+ }
 }
- }
+ }
 } else { // 予約失敗
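Review bot: `defined(MEDIATOMB_UPDATE)` passes the constant's value rather than its name, so if the constant is defined as `true` the call becomes `defined(true)`, looks for a constant named "1", and the whole update block is skipped. The guard should be `if( defined('MEDIATOMB_UPDATE') && MEDIATOMB_UPDATE ) {`, which also removes the extra nesting level. Separately, `set NAME utf8` is not valid MySQL (the statement is `SET NAMES`), and the failure goes unnoticed because the `mysql_query` result is never checked. Since `mysql_real_escape_string` escapes according to the connection character set, `mysql_set_charset('utf8', $dbh);` is the call to use before building these queries. The `else` branch of the enclosing `if( file_exists(...) )` continues beyond the hunk.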