From: Andrew Dolgov
Date: Sat, 19 May 2007 13:51:14 +0000 (+0100)
Subject: labels editor: fix quote-escaping
X-Git-Tag: 1.2.11~7
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=5b10ad15e7ba4a350dc03f56fdb71f2cb3b248be;p=tt-rss.git
labels editor: fix quote-escaping
---
diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index 56534270..3f7b7f80 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -150,7 +150,7 @@ if ($subop == "editSave") {
- $sql_exp = trim($_GET["sql_exp"]);
+ $sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 $descr = db_escape_string(trim($_GET["description"]));
 $label_id = db_escape_string($_GET["id"]);
@@ -180,8 +180,7 @@ if ($subop == "add") {
- // no escaping is done here on purpose
- $sql_exp = trim($_GET["sql_exp"]);
+ $sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 $description = db_escape_string($_GET["description"]);
 if (!$sql_exp || !$description) return;
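Review bot: In both hunks (`editSave` and `add`) the new `db_escape_string()` call only makes `$sql_exp` safe to embed as a quoted literal in the statement that stores it; the value is still a user-authored SQL expression, and the removed comment `// no escaping is done here on purpose` was the only line that said so. The queries that store and later evaluate the expression are outside these hunks, so this is inferred, but if the stored text is later spliced into a WHERE clause, the escaping added here does not limit what that expression can do. I would replace the dropped comment with something like `// escaped for storage only; sql_exp is still raw SQL when the label is evaluated`, and have the code that consumes it validate or restrict the expression. Separately, `$label_id = db_escape_string($_GET["id"]);` in the first hunk would be safer as `$label_id = (int) $_GET["id"];`, since string escaping gives no protection if the id is used unquoted. The `add` branch also does not `trim()` the description the way `editSave` does, so a whitespace-only description passes the `!$description` check.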