fix sql injection hole where value fields were not being escaped in the stored file - (thanks to Filippo Cavallarin)

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1320 a1433add-5e2c-0410-b055-b7f2511e0802

backup.php

@@ -49,7 +49,7 @@ $cmd = "pg_dump -c -D -f /tix/miner/miner.sql -F p -N -U postgres $db";
 $res = `$cmd`;
 // Alternate: $res = shell_exec($cmd);
 echo $res; 
-*/
+ */
 
 if ($_SERVER['REQUEST_METHOD'] == "GET")
 {
@@ -107,12 +107,9 @@ if ($_SERVER['REQUEST_METHOD'] == "GET")
             {
                 while ($row = db_assoc ($result['result']))
                 {
-               foreach ($row as $key=>$val)
-               {
-                  $fields[] = $key;
-                  $values[] = $val;
-               }
-
+                    $fields = array_keys($row);
+                    $values = array_values($row);
+                    $values = array_map('escape_string', $values);
                     fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES ('" . implode ('\',\'',$values) . "');\n");
                     $fields = "";
                     $values = "";