From 474390311fd646db88acfdbff7dcc7c57ac7249e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sat, 19 May 2007 15:09:16 +0100
Subject: remove db_unescape_string() hack
---
modules/pref-labels.php | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'modules/pref-labels.php')
diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index 3f7b7f806..8d19d0287 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -21,8 +21,8 @@ $line = db_fetch_assoc($result); - $sql_exp = htmlspecialchars(db_unescape_string($line["sql_exp"])); - $description = htmlspecialchars(db_unescape_string($line["description"])); + $sql_exp = htmlspecialchars($line["sql_exp"]); + $description = htmlspecialchars($line["description"]); print "
Label editor
"; print "
";
@@ -78,8 +78,9 @@ if ($subop == "test") { - $expr = db_unescape_string(trim($_GET["expr"])); - $descr = db_unescape_string(trim($_GET["descr"])); + // no escaping here on purpose + $expr = trim($_GET["expr"]); + $descr = db_escape_string(trim($_GET["descr"])); if (!$expr) { print "
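Review bot: The two added `htmlspecialchars()` calls in the first hunk (`$sql_exp` and `$description`) use the default flags, which in the PHP of this era (ENT_COMPAT) leave single quotes unencoded; if either value is placed in a single-quoted attribute of the editor form printed just below, a stored `'` breaks out of the attribute. These are values a user typed into this same form, so passing ENT_QUOTES is cheap insurance: `$sql_exp = htmlspecialchars($line["sql_exp"], ENT_QUOTES);` and `$description = htmlspecialchars($line["description"], ENT_QUOTES);`. The markup that consumes them is stripped in this rendering, so I can't confirm the quoting style from the hunk alone, and the enclosing function begins before the hunk.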
Error: SQL expression is blank.
";
@@ -260,9 +261,8 @@ print ""; - $line["sql_exp"] = htmlspecialchars(db_unescape_string($line["sql_exp"])); - $line["description"] = htmlspecialchars( - db_unescape_string($line["description"])); + $line["sql_exp"] = htmlspecialchars($line["sql_exp"]); + $line["description"] = htmlspecialchars($line["description"]); if (!$line["description"]) $line["description"] = "[No caption]";
-- cgit v1.2.3
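Review bot: The new `$expr = trim($_GET["expr"]);` line in the `subop == "test"` hunk takes a raw SQL fragment from the query string with no validation, and the added `// no escaping here on purpose` comment records neither why that is safe nor who is trusted to reach this handler. Presumably `$expr` is interpolated verbatim into a SELECT later in this block (outside the hunk), which means any authenticated user can execute arbitrary SQL through `subop=test`, and because it is read from `$_GET` the request is also triggerable cross-site via a crafted link or image tag. At minimum the comment should state the assumption, e.g. `// $expr is a user-supplied SQL expression interpolated verbatim below; the query must be scoped to the current owner_uid and this handler must only be reachable by an authenticated session`, and the handler should be limited to POST with a session check before the expression is executed. Note also that `$descr` is `db_escape_string()`-ed here although the hunk does not show it reaching a query; if it is only echoed back in the test output, it needs `htmlspecialchars()` rather than DB escaping. The enclosing `if ($subop == "test")` block extends past the hunk.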
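Review bot: The new `htmlspecialchars($line["sql_exp"])` and `htmlspecialchars($line["description"])` lines in the third hunk drop the read-side unescape, but nothing in this commit touches stored rows, so labels saved while the old double-escaping was in effect will presumably now render with literal backslashes in the list (and in the editor from the first hunk). If the write path was corrected in another commit, a one-line pointer in the description would help; otherwise existing rows need a one-off cleanup. Separately, the new assignment feeds `if (!$line["description"])` on the following line, so a caption that is literally `"0"` is shown as `[No caption]`; `if ($line["description"] === "")` states the intent precisely. The enclosing loop starts before the hunk.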