authorAndrew Dolgov <[email protected]>2008-05-17 04:03:03 +0100
committerAndrew Dolgov <[email protected]>2008-05-17 04:03:03 +0100
commitcaf1f12f043ac5527a4e55f5fefbfe3ad97ee2e0 (patch)
treec40ca85c4bd48d3a9a034af18f8f14acc7a9a1e3 /modules/pref-labels.php
parenta3f4e4d3464c6de4d1610452c56ea9e8fb632aa7 (diff)
disallow ; in labels
Diffstat (limited to 'modules/pref-labels.php')
-rw-r--r--modules/pref-labels.php8
1 files changed, 7 insertions, 1 deletions
diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index e9e6ee860..3582f42eb 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -87,6 +87,8 @@
$expr = trim($_GET["expr"]);
$descr = db_escape_string(trim($_GET["descr"]));
+ $expr = str_replace(";", "", $expr);
+
if (!$expr) {
print "<div>Error: SQL expression is blank.</div>";
return;
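Review bot: Stripping `;` from `$expr` does not make a request-supplied SQL fragment safe to execute: the value is read straight from `$_GET["expr"]`, the error text two lines below calls it a SQL expression, and a single statement can still contain arbitrary subqueries, comment sequences or function calls without any semicolon, so the blocklist only addresses statement stacking. Unlike `$descr` on the line above, `$expr` is not passed through `db_escape_string` anywhere in this hunk; where it is escaped or validated before use is outside the visible lines and should be confirmed. A safer direction is to restrict the expression to the grammar the label feature actually needs (allowlist rather than blocklist), or at least record the limitation at the new line, e.g. `// removing ';' only blocks stacked statements; the expression is still raw SQL from the request and must be validated before execution`. The same one-line filter is repeated in the two following hunks of this file. The enclosing function starts and ends outside the hunk.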
@@ -159,7 +161,9 @@
$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
$descr = db_escape_string(trim($_GET["description"]));
$label_id = db_escape_string($_GET["id"]);
-
+
+ $sql_exp = str_replace(";", "", $sql_exp);
+
$result = db_query($link, "UPDATE ttrss_labels SET
sql_exp = '$sql_exp',
description = '$descr'
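Review bot: The semicolon strip is now duplicated at three sites in this file (the `expr` branch above, here, and the `sql_exp` branch below), so any later tightening of the filter has to be repeated three times and can drift. Factor it into one helper, e.g. `function strip_label_sql_exp($exp) { return str_replace(";", "", $exp); }` (constructed name) and call `$sql_exp = strip_label_sql_exp($sql_exp);` at each site. Here the strip runs after `db_escape_string`, which is only correct because escaping never introduces a `;`; that ordering assumption deserves a one-line comment such as `// safe after escaping: db_escape_string does not emit ';'`. The filtered value is still interpolated into the UPDATE on the next lines, so the escaping must stay in place regardless of the filter. The enclosing function continues past the hunk.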
@@ -189,6 +193,8 @@
$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
$description = db_escape_string($_GET["description"]);
+ $sql_exp = str_replace(";", "", $sql_exp);
+
if (!$sql_exp || !$description) return;
$result = db_query($link,