From 5b10ad15e7ba4a350dc03f56fdb71f2cb3b248be Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@bah.spb.su>
Date: Sat, 19 May 2007 14:51:14 +0100
Subject: labels editor: fix quote-escaping

---
 modules/pref-labels.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'modules/pref-labels.php')

diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index 565342700..3f7b7f806 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -150,7 +150,7 @@
 
 		if ($subop == "editSave") {
 
-			$sql_exp = trim($_GET["sql_exp"]);
+			$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 			$descr = db_escape_string(trim($_GET["description"]));
 			$label_id = db_escape_string($_GET["id"]);
 			
@@ -180,8 +180,7 @@
 
 		if ($subop == "add") {
 
-			// no escaping is done here on purpose
-			$sql_exp = trim($_GET["sql_exp"]);
+			$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 			$description = db_escape_string($_GET["description"]);
 
 			if (!$sql_exp || !$description) return;
-- 
cgit v1.2.3