zencart · zcwilt · Dec 11, 2014 · Dec 10, 2014 · Dec 10, 2014 · Dec 11, 2014
diff --git a/includes/classes/cache.php b/includes/classes/cache.php
@@ -125,9 +125,9 @@ function sql_cache_store($zf_query, $zf_result_array) {
         return true;
       }
       $result_serialize = $db->prepare_input(base64_encode(serialize($zf_result_array)));
-      $sql = "insert into " . TABLE_DB_CACHE . " set cache_entry_name = '" . $zp_cache_name . "',
-                                                 cache_data = '" . $result_serialize . "',
-                   cache_entry_created = '" . time() . "'";
+      $sql = "insert ignore into " . TABLE_DB_CACHE . " (cache_entry_name, cache_data, cache_entry_created) VALUES (:cachename, :cachedata, time() )";
+      $sql = $db->bindVars($sql, ':cachename', $zp_cache_name, 'string');
+      $sql = $db->bindVars($sql, ':cachedata', $result_serialize, 'string');
       $db->Execute($sql);
       return true;
       break;

diff --git a/includes/functions/sessions.php b/includes/functions/sessions.php
@@ -60,22 +60,14 @@ function _sess_write($key, $val) {
     global $SESS_LIFE;
     $expiry = time() + $SESS_LIFE;
 
-    $qid = "select count(*) as total
-            from " . TABLE_SESSIONS . "
-            where sesskey = '" . zen_db_input($key) . "'";
-    $total = $db->Execute($qid);
-
-    if ($total->fields['total'] > 0) {
-      $sql = "update " . TABLE_SESSIONS . "
-              set expiry = '" . zen_db_input($expiry) . "', value = '" . zen_db_input($val) . "'
-              where sesskey = '" . zen_db_input($key) . "'";
-      $result = $db->Execute($sql);
-    } else {
-      $sql = "insert into " . TABLE_SESSIONS . "
-              values ('" . zen_db_input($key) . "', '" . zen_db_input($expiry) . "', '" .
-                       zen_db_input($val) . "')";
-      $result = $db->Execute($sql);
-    }
+    $sql = "insert into " . TABLE_SESSIONS . " (sesskey, expiry, `value`)
+            values (:zkey, :zexpiry, :zvalue)
+            ON DUPLICATE KEY UPDATE `value`=:zvalue, expiry=:zexpiry";
+    $sql = $db->bindVars($sql, ':zkey', $key, 'string');
+    $sql = $db->bindVars($sql, ':zexpiry', $expiry, 'integer');
+    $sql = $db->bindVars($sql, ':zvalue', $val, 'string');
+    $result = $db->Execute($sql);
+
     return (!empty($result) && !empty($result->resource));
   }