We should escape the table name as well.

This commit is contained in:
Michael 2017-04-28 04:05:50 +00:00
parent 15355850f7
commit 615197e044
1 changed files with 2 additions and 2 deletions


@ -456,7 +456,7 @@ class dba {
if (is_int($args[$param]) OR is_float($args[$param])) {
$replace = intval($args[$param]);
} else {
$replace = "'".dbesc($args[$param])."'";
$replace = "'".self::$dbo->escape($args[$param])."'";
}
$pos = strpos($sql, '?', $offset);
@ -738,7 +738,7 @@ class dba {
* @return boolean was the insert successfull?
*/
static public function insert($table, $param) {
$sql = "INSERT INTO `".$table."` (`".implode("`, `", array_keys($param))."`) VALUES (".
$sql = "INSERT INTO `".self::$dbo->escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
substr(str_repeat("?, ", count($param)), 0, -2).");";
$sql = self::replace_parameters($sql, $param);
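Review bot: Passing `$table` through `self::$dbo->escape()` on the `INSERT INTO` line does not make the identifier safe: that method presumably wraps the driver's string escaper, which handles quote characters, while the table name here is enclosed in backticks, which such escapers leave untouched, so a name containing a backtick still ends the quoted identifier early. The column names taken from `array_keys($param)` on the same line are interpolated with no treatment at all. Since identifiers cannot be bound as parameters, validate them against a strict pattern and honour the documented boolean contract on failure, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) { return false; }`, with the same check applied to every key of `$param` before the SQL string is assembled. The body of `insert` continues past the end of the hunk.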