From: Andrew Dolgov
Date: Sat, 17 May 2008 03:03:03 +0000 (+0100)
Subject: disallow ; in labels
X-Git-Tag: 1.2.23-final~105
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=caf1f12f043ac5527a4e55f5fefbfe3ad97ee2e0;p=tt-rss.git

disallow ; in labels
---
diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index e9e6ee86..3582f42e 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -87,6 +87,8 @@ $expr = trim($_GET["expr"]); $descr = db_escape_string(trim($_GET["descr"])); + $expr = str_replace(";", "", $expr); + if (!$expr) { print "
Error: SQL expression is blank.
"; return;
@@ -159,7 +161,9 @@ $sql_exp = db_escape_string(trim($_GET["sql_exp"])); $descr = db_escape_string(trim($_GET["description"])); $label_id = db_escape_string($_GET["id"]); - + + $sql_exp = str_replace(";", "", $sql_exp); + $result = db_query($link, "UPDATE ttrss_labels SET sql_exp = '$sql_exp', description = '$descr'
@@ -189,6 +193,8 @@ $sql_exp = db_escape_string(trim($_GET["sql_exp"])); $description = db_escape_string($_GET["description"]); + $sql_exp = str_replace(";", "", $sql_exp); + if (!$sql_exp || !$description) return; $result = db_query($link,
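Review bot: Removing `;` from `$expr` in this hunk (and from `$sql_exp` in the two hunks below) is a denylist on a single character; the remaining text is still saved as a free-form SQL expression and, judging by the `UPDATE ttrss_labels SET sql_exp = '$sql_exp'` statement in the second hunk, spliced into query strings rather than bound as a parameter, so whatever evaluates it later (outside this diff) runs it with the application's database privileges. If the feature must accept raw SQL, validating the expression against an allowlist of permitted columns, operators and literals — or at least restricting who may save labels — is the control that actually bounds the risk; until then a comment such as `// stripping ';' only prevents statement stacking; the expression itself is still executed as SQL` keeps the limitation visible to the next maintainer. Separately, `if (!$expr)` treats the string `"0"` as blank, so `if ($expr === '')` expresses the intended check. The enclosing function starts and ends outside the hunk.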
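Review bot: Unlike the first and third hunks, this hunk strips `;` from `$sql_exp` but never re-checks the result before the `UPDATE ttrss_labels SET sql_exp = '$sql_exp'` runs, so an input made only of semicolons is stored as an empty expression. Adding `if ($sql_exp === '') return;` after the `str_replace` line — or better, the same blank-expression error path the first hunk prints — keeps the three handlers consistent. The order here, escaping with `db_escape_string` first and editing the string afterwards, happens to be harmless for `;`, but filtering before escaping is the safer habit so an escaped value is never modified. The enclosing function starts and ends outside the hunk.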