We should escape the table name as well.

This commit is contained in:
Michael 2017-04-28 04:05:50 +00:00
parent 15355850f7
commit 615197e044

View file

@ -456,7 +456,7 @@ class dba {
if (is_int($args[$param]) OR is_float($args[$param])) {
$replace = intval($args[$param]);
} else {
$replace = "'".dbesc($args[$param])."'";
$replace = "'".self::$dbo->escape($args[$param])."'";
}
$pos = strpos($sql, '?', $offset);
@ -738,7 +738,7 @@ class dba {
* @return boolean was the insert successfull?
*/
static public function insert($table, $param) {
$sql = "INSERT INTO `".$table."` (`".implode("`, `", array_keys($param))."`) VALUES (".
$sql = "INSERT INTO `".self::$dbo->escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
substr(str_repeat("?, ", count($param)), 0, -2).");";
$sql = self::replace_parameters($sql, $param);