$expr = trim($_GET["expr"]);
$descr = db_escape_string(trim($_GET["descr"]));
+ $expr = str_replace(";", "", $expr);
+
if (!$expr) {
print "<div>Error: SQL expression is blank.</div>";
return;
$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
$descr = db_escape_string(trim($_GET["description"]));
$label_id = db_escape_string($_GET["id"]);
-
+
+ $sql_exp = str_replace(";", "", $sql_exp);
+
$result = db_query($link, "UPDATE ttrss_labels SET
sql_exp = '$sql_exp',
description = '$descr'
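Review bot: Removing `;` from `$sql_exp` before the `UPDATE ttrss_labels` only stops statement stacking; the value is still a request-supplied SQL fragment that gets stored, and the same holds for `$expr` in the hunk above and `$sql_exp` in the hunk below. If the stored expression is later spliced into a query (that code is outside this diff, and the `UPDATE` statement itself runs past the end of the hunk), subqueries and extra conditions pass this filter unchanged, while a legitimate expression with a semicolon inside a quoted literal is silently altered. I would record the limit next to the call, `// strips ';' to block stacked statements only; sql_exp is still caller-supplied SQL`, and longer term build the condition from an allowlist of columns and operators with bound values instead of accepting raw SQL. In the first hunk `$expr` is only trimmed before the strip while `$descr` goes through `db_escape_string()`, so how `$expr` is used after the blank check deserves a look.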
$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
$description = db_escape_string($_GET["description"]);
+ $sql_exp = str_replace(";", "", $sql_exp);
+
if (!$sql_exp || !$description) return;
$result = db_query($link,