From 8823cd590f1c72c211ac3a1f58590ef60fa82240 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sun, 16 Oct 2005 09:52:44 +0100 Subject: [PATCH] escape html characters in db_query() error output --- db.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/db.php b/db.php index 35985815b..c72bbd9df 100644 --- a/db.php +++ b/db.php @@ -55,12 +55,14 @@ function db_query($link, $query) { if (DB_TYPE == "pgsql") { $result = pg_query($link, $query); if (!$result) { + $query = htmlspecialchars($query); // just in case die("Query $query failed: " . pg_last_error($link)); } return $result; } else if (DB_TYPE == "mysql") { $result = mysql_query($query, $link); if (!$result) { + $query = htmlspecialchars($query); die("Query $query failed: " . mysql_error($link)); } return $result;