authorRemi Collet <fedora@famillecollet.com>2015-12-03 17:33:05 +0100
committerRemi Collet <fedora@famillecollet.com>2015-12-03 17:33:05 +0100
commitdb2d2d1f41ba372b825fd51ed65ed8c6f6fa4305 (patch)
tree13321c9395369e3baa5657c26376fcb5de580521 /class
parent46bc8623ddd543d750922df97c7c6428d5ce15a9 (diff)
add missing escape, thanks P.Allaert
Diffstat (limited to 'class')
-rw-r--r--class/CommonTable.php18
1 files changed, 15 insertions, 3 deletions
diff --git a/class/CommonTable.php b/class/CommonTable.php
index ab06cfd..d8852c7 100644
--- a/class/CommonTable.php
+++ b/class/CommonTable.php
@@ -57,6 +57,18 @@ abstract class CommonTable
}
/**
+ * Escape a string
+ *
+ * @param string $val Value to be escaped
+ *
+ * @return string
+ */
+ function escape($val)
+ {
+ return $this->db->quote($val);
+ }
+
+ /**
* Check if the table already exists
*
* @param string $table with table name
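Review bot: `escape()` at line 29 returns the raw result of `$this->db->quote()`, and the three call sites in the later hunks (lines 43, 52 and 60) wrap that result in another pair of single quotes; if `$this->db` is a PDO instance (not visible in this hunk), `PDO::quote()` already returns the value enclosed in quotes and returns `false` when the driver does not support quoting, so the generated SQL would carry a doubly-quoted literal and a `false` would silently concatenate as an empty string. Either document that the return value includes the delimiters and drop the surrounding `'` at the callers (`$val[] = $this->escape($value);`), or keep the callers as they are and have `escape()` strip them; in both cases a `false` from `quote()` should raise an exception rather than be embedded. The docblock should state which convention holds, e.g. `@return string Quoted and escaped literal ready to embed in SQL (includes the surrounding quotes)`. The method also carries no visibility keyword; `public function escape($val)` keeps it explicit. The enclosing class `CommonTable` starts and ends outside the hunk.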
@@ -109,7 +121,7 @@ abstract class CommonTable
} else if (is_numeric($value)) {
$val[] = $value;
} else {
- $val[] = "'".addslashes($value)."'";
+ $val[] = "'".$this->escape($value)."'";
}
}
$sql = "INSERT INTO `".$this->table."` (".implode(',', $col).")
@@ -173,7 +185,7 @@ abstract class CommonTable
} else if (is_numeric($value)) {
$sql .= '='.$value;
} else {
- $sql .= "='".addslashes($value)."'";
+ $sql .= "='".$this->escape($value)."'";
}
$link = "AND";
@@ -208,7 +220,7 @@ abstract class CommonTable
} else if (is_numeric($value)) {
$sql .= $value;
} else {
- $sql .= "'".addslashes($value)."'";
+ $sql .= "'".$this->escape($value)."'";
}
$link = ',';
}