From: Andrew Dolgov
Date: Sun, 16 Oct 2005 08:52:44 +0000 (+0100)
Subject: escape html characters in db_query() error output
X-Git-Tag: 1.0.7~55
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=8823cd590f1c72c211ac3a1f58590ef60fa82240;p=tt-rss.git
escape html characters in db_query() error output
---
diff --git a/db.php b/db.php
index 35985815..c72bbd9d 100644
--- a/db.php
+++ b/db.php
@@ -55,12 +55,14 @@ function db_query($link, $query) {
 if (DB_TYPE == "pgsql") {
 $result = pg_query($link, $query);
 if (!$result) {
+ $query = htmlspecialchars($query); // just in case
 die("Query $query failed: " . pg_last_error($link));
 }
 return $result;
 } else if (DB_TYPE == "mysql") {
 $result = mysql_query($query, $link);
 if (!$result) {
+ $query = htmlspecialchars($query);
 die("Query $query failed: " . mysql_error($link));
 }
 return $result;
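Review bot: The driver error string appended in both `die()` calls is still written to the page unescaped, and PostgreSQL and MySQL error messages commonly quote the offending fragment of the statement, so markup carried in the query can still reach the browser through `pg_last_error($link)` or `mysql_error($link)`. Escape the whole message rather than only `$query`, e.g. `die("Query " . htmlspecialchars($query) . " failed: " . htmlspecialchars(pg_last_error($link)));`, and the same with `mysql_error($link)` in the mysql branch; this also avoids overwriting `$query` with its escaped form. If this output can be seen by untrusted users, it would be safer to log the statement and driver error server-side and show a generic message, since both disclose schema details. db_query's signature appears only in the hunk header and its body continues past the end of the hunk.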