sql injection fix - ported back to trunk from branches/2.3 ...

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1326 a1433add-5e2c-0410-b055-b7f2511e0802
13 years ago · 1a9104cab4
parent 51ddbd2f2e
commit 1a9104cab4
1 changed files with 3 additions and 5 deletions
--- a/backup.php
+++ b/backup.php
@ -123,11 +123,9 @@ if ($_SERVER['REQUEST_METHOD'] == "GET")
         {
            while ($row = db_assoc ($result['result']))
            {
-               foreach ($row as $key=>$val)
-               {
-                  $fields[] = $key;
-                  $values[] = $val;
-               }
+                $fields = array_keys($row);
+                $values = array_values($row);
+                $values = array_map('escape_string', $values);

               fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES ('" . implode ('\',\'',$values) . "');\n");
               $fields = "";