From caf1f12f043ac5527a4e55f5fefbfe3ad97ee2e0 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sat, 17 May 2008 04:03:03 +0100
Subject: [PATCH] disallow ; in labels

---
 modules/pref-labels.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index e9e6ee860..3582f42eb 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -87,6 +87,8 @@
 $expr = trim($_GET["expr"]);
 $descr = db_escape_string(trim($_GET["descr"]));
+ $expr = str_replace(";", "", $expr);
+
 if (!$expr) {
 print "
Error: SQL expression is blank.
 ";
 return;
@@ -159,7 +161,9 @@
 $sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 $descr = db_escape_string(trim($_GET["description"]));
 $label_id = db_escape_string($_GET["id"]);
-
+
+ $sql_exp = str_replace(";", "", $sql_exp);
+
 $result = db_query($link, "UPDATE ttrss_labels SET sql_exp = '$sql_exp', description = '$descr'
@@ -189,6 +193,8 @@
 $sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 $description = db_escape_string($_GET["description"]);
+ $sql_exp = str_replace(";", "", $sql_exp);
+
 if (!$sql_exp || !$description) return;
 $result = db_query($link,
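Review bot: Stripping `;` from `$expr` in the first hunk does not make a user-supplied SQL expression safe: it only blocks stacked statements, while subqueries, `UNION`, comment sequences (`--`, `/* */`) and functions such as `pg_sleep()` still pass, and unlike `$descr` on the line above, `$expr` is never run through `db_escape_string()`. How `$expr` is used after the hunk is not visible, but if it is interpolated into a test query it should be constrained to a whitelist of column names, operators and literals rather than blacklisted, and malformed input should be rejected with an error rather than silently rewritten. At minimum the new line deserves a comment stating its limits, e.g. `// Drops ';' to block stacked statements only; $expr is still raw SQL and must be validated before use`. The enclosing function starts before the hunk and ends after it.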
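Review bot: The `UPDATE ttrss_labels` in the second hunk is driven entirely by `$_GET`, so a label's stored SQL expression can be rewritten by a forged cross-site request (an `img src` pointing at this URL is enough), and no CSRF token check is visible; a state-changing action should read `$_POST` and verify a per-session token before issuing the query. Applying `str_replace` after `db_escape_string()` is fine for the quoted `'$sql_exp'` in this statement, but the `;` removal is a blacklist and still lets `UNION`, subqueries and `--` comments into whatever later evaluates the stored expression, which is where the real exposure presumably lies. The `WHERE` clause of the update is outside the hunk, so whether `$label_id` is scoped to the current owner cannot be confirmed from here.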
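Review bot: The third hunk adds the same `str_replace(";", "", $sql_exp)` for the third time in one file; the filter belongs in a single helper so the three entry points cannot drift and any stronger validation lands in one place, e.g. `$sql_exp = sanitize_label_sql_exp($_GET["sql_exp"]);` wrapping the trim, escape and `;` removal. The blank-input check on the following line returns silently, whereas the equivalent branch in the first hunk prints an error, so a user creating a label with an empty expression gets no feedback. `$description` is also not trimmed here while `$descr` is in the other two hunks, which is likely unintentional. The enclosing function continues past the end of the hunk.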