disallow ; in labels

master
Andrew Dolgov 17 years ago
parent a3f4e4d346
commit caf1f12f04

@ -87,6 +87,8 @@
$expr = trim($_GET["expr"]); $expr = trim($_GET["expr"]);
$descr = db_escape_string(trim($_GET["descr"])); $descr = db_escape_string(trim($_GET["descr"]));
$expr = str_replace(";", "", $expr);
if (!$expr) { if (!$expr) {
print "<div>Error: SQL expression is blank.</div>"; print "<div>Error: SQL expression is blank.</div>";
return; return;
@ -160,6 +162,8 @@
$descr = db_escape_string(trim($_GET["description"])); $descr = db_escape_string(trim($_GET["description"]));
$label_id = db_escape_string($_GET["id"]); $label_id = db_escape_string($_GET["id"]);
$sql_exp = str_replace(";", "", $sql_exp);
$result = db_query($link, "UPDATE ttrss_labels SET $result = db_query($link, "UPDATE ttrss_labels SET
sql_exp = '$sql_exp', sql_exp = '$sql_exp',
description = '$descr' description = '$descr'
@ -189,6 +193,8 @@
$sql_exp = db_escape_string(trim($_GET["sql_exp"])); $sql_exp = db_escape_string(trim($_GET["sql_exp"]));
$description = db_escape_string($_GET["description"]); $description = db_escape_string($_GET["description"]);
$sql_exp = str_replace(";", "", $sql_exp);
if (!$sql_exp || !$description) return; if (!$sql_exp || !$description) return;
$result = db_query($link, $result = db_query($link,

Loading…
Cancel
Save