$query = "
SELECT label, value
FROM civicrm_option_value
- WHERE option_group_id = {$dao->optionGroupID}
+ WHERE option_group_id = %1
";
- $option = CRM_Core_DAO::executeQuery($query);
+ $option = CRM_Core_DAO::executeQuery($query, array(1 => array($dao->optionGroupID, 'Positive')));
while ($option->fetch()) {
$dataType = $dao->dataType;
if ($dataType == 'Int' || $dataType == 'Float') {
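Review bot: The parameter bound on the new `executeQuery` line is validated as `'Positive'`, so an empty or zero `$dao->optionGroupID` now fails type validation instead of reaching MySQL, and nothing visible in the hunk guarantees the property is set here. If custom fields without an option group can reach this code, skip the lookup for them, for example by wrapping it in `if (!empty($dao->optionGroupID)) {`. A short comment above the query would also help, such as `// optionGroupID is bound as %1 and type-checked; never interpolate it into the SQL`. The enclosing function begins and ends outside the hunk, so an earlier guard may already exist.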
foreach ($sql as $tableName => $values) {
$columnNames = implode(',', $values);
+ $tableName = CRM_Utils_Type::escape($tableName, 'MysqlColumnNameOrAlias');
$sql[$tableName] = "
-SELECT '{$groupTitle[$tableName]}' as groupTitle, $columnNames
+SELECT '" . CRM_Core_DAO::escapeString($groupTitle[$tableName]) . "' as groupTitle, $columnNames
FROM $tableName
WHERE entity_id = %1
";
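Review bot: `$columnNames` is still built with `implode(',', $values)` and interpolated into the SELECT unvalidated; the hunk escapes the table name and the group title but leaves this third interpolated piece alone. If `$values` can hold anything other than trusted schema metadata, and provided its entries are bare column names, validate each one the same way, e.g. `$columnNames = implode(',', array_map(function ($c) { return CRM_Utils_Type::escape($c, 'MysqlColumnNameOrAlias'); }, $values));`. Separately, the added line overwrites the loop key `$tableName` before it is used in `$groupTitle[$tableName]` and `$sql[$tableName]`; if `escape()` returns a quoted or otherwise altered form, those lookups hit a different key, so keeping the escaped value in its own variable (say `$safeTable`) and using it only in the `FROM` clause would be safer. The `foreach` body and the enclosing function continue outside the hunk.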