From 615197e044163defe1bf5d7e577c76915eb14ca7 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Fri, 28 Apr 2017 04:05:50 +0000
Subject: [PATCH] We should escape the table name as well.

---
 include/dba.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/dba.php b/include/dba.php
index 7e9979cf9e..5a93338a1a 100644
--- a/include/dba.php
+++ b/include/dba.php
@@ -456,7 +456,7 @@ class dba {
 			if (is_int($args[$param]) OR is_float($args[$param])) {
 				$replace = intval($args[$param]);
 			} else {
-				$replace = "'".dbesc($args[$param])."'";
+				$replace = "'".self::$dbo->escape($args[$param])."'";
 			}
 
 			$pos = strpos($sql, '?', $offset);
@@ -738,7 +738,7 @@ class dba {
 	 * @return boolean was the insert successfull?
 	 */
 	static public function insert($table, $param) {
-		$sql = "INSERT INTO `".$table."` (`".implode("`, `", array_keys($param))."`) VALUES (".
+		$sql = "INSERT INTO `".self::$dbo->escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
 			substr(str_repeat("?, ", count($param)), 0, -2).");";
 
 		$sql = self::replace_parameters($sql, $param);