From db2d2d1f41ba372b825fd51ed65ed8c6f6fa4305 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Thu, 3 Dec 2015 17:33:05 +0100
Subject: add missing escape, thanks P.Allaert

---
 class/CommonTable.php | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

(limited to 'class')

diff --git a/class/CommonTable.php b/class/CommonTable.php
index ab06cfd..d8852c7 100644
--- a/class/CommonTable.php
+++ b/class/CommonTable.php
@@ -56,6 +56,18 @@ abstract class CommonTable
 }
 }
+ /**
+ * Escape a string
+ *
+ * @param string $val Value to be escaped
+ *
+ * @return string
+ */
+ function escape($val)
+ {
+ return $this->db->quote($val);
+ }
+
 /**
 * Check if the table already exists
 *
 *
@@ -109,7 +121,7 @@ abstract class CommonTable
 } else if (is_numeric($value)) {
 $val[] = $value;
 } else {
- $val[] = "'".addslashes($value)."'";
+ $val[] = "'".$this->escape($value)."'";
 }
 }
 $sql = "INSERT INTO `".$this->table."` (".implode(',', $col).")
@@ -173,7 +185,7 @@ abstract class CommonTable
 } else if (is_numeric($value)) {
 $sql .= '='.$value;
 } else {
- $sql .= "='".addslashes($value)."'";
+ $sql .= "='".$this->escape($value)."'";
 }
 $link = "AND";
@@ -208,7 +220,7 @@ abstract class CommonTable
 } else if (is_numeric($value)) {
 $sql .= $value;
 } else {
- $sql .= "'".addslashes($value)."'";
+ $sql .= "'".$this->escape($value)."'";
 }
 $link = ',';
 }
--
cgit
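Review bot: The new `escape()` returns `$this->db->quote($val)` as-is, yet every caller this commit rewrites (the hunks at new lines 121, 185 and 220) still wraps the result in its own `'...'`; if `$this->db` is a PDO handle, `quote()` already adds the surrounding single quotes, so the emitted SQL would be doubly quoted (`''abc''`) — either the three call sites should stop adding quotes or this method should be documented as returning an unquoted string and implemented that way, which depends on the type of the `db` property, not visible in the hunk. `PDO::quote()` also returns `false` when the driver cannot quote, and `"'".false."'"` silently becomes `''` in the statement; a guard such as `$quoted = $this->db->quote($val); if ($quoted === false) { throw new \RuntimeException('database driver cannot quote values'); } return $quoted;` would surface that instead of sending a corrupted query. The method additionally lacks a visibility keyword and native types even though its docblock promises `string` in and out — `public function escape(string $val): string`. The enclosing class continues outside the hunk.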