diff options
| author | Andrew Dolgov <[email protected]> | 2007-05-19 14:51:14 +0100 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2007-05-19 14:51:14 +0100 |
| commit | 5b10ad15e7ba4a350dc03f56fdb71f2cb3b248be (patch) | |
| tree | c2c10364efc29dfe2427ff2716ba1eb57af581a1 /modules | |
| parent | 14b6c54b03f2164f568d25d6d54327117b149fa8 (diff) | |
labels editor: fix quote-escaping
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/pref-labels.php | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/modules/pref-labels.php b/modules/pref-labels.php index 565342700..3f7b7f806 100644 --- a/modules/pref-labels.php +++ b/modules/pref-labels.php @@ -150,7 +150,7 @@ if ($subop == "editSave") { - $sql_exp = trim($_GET["sql_exp"]); + $sql_exp = db_escape_string(trim($_GET["sql_exp"])); $descr = db_escape_string(trim($_GET["description"])); $label_id = db_escape_string($_GET["id"]); @@ -180,8 +180,7 @@ if ($subop == "add") { - // no escaping is done here on purpose - $sql_exp = trim($_GET["sql_exp"]); + $sql_exp = db_escape_string(trim($_GET["sql_exp"])); $description = db_escape_string($_GET["description"]); if (!$sql_exp || !$description) return; |