From 615197e044163defe1bf5d7e577c76915eb14ca7 Mon Sep 17 00:00:00 2001
From: Michael
Date: Fri, 28 Apr 2017 04:05:50 +0000
Subject: [PATCH] We should escape the table name as well.
---
 include/dba.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/dba.php b/include/dba.php
index 7e9979cf9e..5a93338a1a 100644
--- a/include/dba.php
+++ b/include/dba.php
@@ -456,7 +456,7 @@ class dba {
 if (is_int($args[$param]) OR is_float($args[$param])) {
 $replace = intval($args[$param]);
 } else {
- $replace = "'".dbesc($args[$param])."'";
+ $replace = "'".self::$dbo->escape($args[$param])."'";
 }
 
 $pos = strpos($sql, '?', $offset);
@@ -738,7 +738,7 @@ class dba {
 * @return boolean was the insert successfull?
 */
 static public function insert($table, $param) {
- $sql = "INSERT INTO `".$table."` (`".implode("`, `", array_keys($param))."`) VALUES (".
+ $sql = "INSERT INTO `".self::$dbo->escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
 substr(str_repeat("?, ", count($param)), 0, -2).");";
 $sql = self::replace_parameters($sql, $param);
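Review bot: The `self::$dbo->escape()` call on the added `$replace = "'".self::$dbo->escape(...)."'"` line is a string-value escaper used in a single-quoted context, and nothing on the line says so; a comment such as `// value escaping for the '...' wrapper only; this does not escape the backtick delimiter used around identifiers` would stop it being read as a general-purpose sanitiser. The distinction matters because the same method is reused on the table name in `insert()` later in this patch, where the value is delimited by backticks that a string escaper presumably leaves untouched, and where the column names taken from `array_keys($param)` are interpolated with no escaping at all, so table and column names still need to be validated against a known set by the caller rather than escaped here. The enclosing `replace_parameters` method starts before this hunk, and the `insert()` hunk runs past the end of the visible patch.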