if ($subop == "editSave") {
- $sql_exp = trim($_GET["sql_exp"]);
+ $sql_exp = db_escape_string(trim($_GET["sql_exp"]));
$descr = db_escape_string(trim($_GET["description"]));
$label_id = db_escape_string($_GET["id"]);
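Review bot: `db_escape_string()` on `$sql_exp` (here, and again in the `add` hunk below) only protects the UPDATE/INSERT that stores the value; the field is handled as a free-form SQL expression, which the removed comment `// no escaping is done here on purpose` acknowledged, so once the stored text is interpolated into a later query the quote-escaping applied here no longer bounds what it can express. The commit should either validate the expression against the grammar the label feature actually needs, or document at this line why escaping is now sufficient, e.g. `// escaped for the storage query only; the stored expression is still evaluated as SQL`. The editSave and add paths also mutate state from `$_GET`, so unless a CSRF check precedes this block a crafted link can drive them. The `if ($subop == "editSave")` block continues outside the hunk.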
if ($subop == "add") {
- // no escaping is done here on purpose
- $sql_exp = trim($_GET["sql_exp"]);
+ $sql_exp = db_escape_string(trim($_GET["sql_exp"]));
$description = db_escape_string($_GET["description"]);
if (!$sql_exp || !$description) return;