jakob/friendica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

We should escape the table name as well.

Browse source
This commit is contained in:
Michael 2017-04-28 04:05:50 +00:00
parent 15355850f7
commit 615197e044
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
include/dba.php
View file

@ -456,7 +456,7 @@ class dba {
if (is_int($args[$param]) OR is_float($args[$param])) { if (is_int($args[$param]) OR is_float($args[$param])) {
$replace = intval($args[$param]); $replace = intval($args[$param]);
} else { } else {
$replace = "'".dbesc($args[$param])."'"; $replace = "'".self::$dbo->escape($args[$param])."'";
} }
$pos = strpos($sql, '?', $offset); $pos = strpos($sql, '?', $offset);
@ -738,7 +738,7 @@ class dba {
* @return boolean was the insert successfull? * @return boolean was the insert successfull?
*/ */
static public function insert($table, $param) { static public function insert($table, $param) {
$sql = "INSERT INTO `".$table."` (`".implode("`, `", array_keys($param))."`) VALUES (". $sql = "INSERT INTO `".self::$dbo->escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
substr(str_repeat("?, ", count($param)), 0, -2).");"; substr(str_repeat("?, ", count($param)), 0, -2).");";
$sql = self::replace_parameters($sql, $param); $sql = self::replace_parameters($sql, $param);