SQL injection fix. This is serious I think.

author stekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>

Tue, 27 Apr 2004 19:20:18 +0000 (19:20 +0000)

committer stekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>

Tue, 27 Apr 2004 19:20:18 +0000 (19:20 +0000)
author stekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Tue, 27 Apr 2004 19:20:18 +0000 (19:20 +0000)
committer stekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Tue, 27 Apr 2004 19:20:18 +0000 (19:20 +0000)
diff --git a/functions/abook_database.php b/functions/abook_database.php

index 532ef988b11aa52a1bff8af76dc08b1ed0b1e5a1..5fdd0d60ffe8bc649fe55f37f8c7c36a12f8edb8 100644 (file)
--- a/functions/abook_database.php
+++ b/functions/abook_database.php
@@ -174,7 +174,7 @@ class abook_database extends addressbook_backend {
          }
           
          $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND nickname='%s'",
          }
           
          $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND nickname='%s'",
-                         $this->table, $this->owner, $alias);
+                         $this->table, $this->owner, $this->dbh->quoteString($alias));
  
          $res = $this->dbh->query($query);
  
  
          $res = $this->dbh->query($query);
author	stekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
	Tue, 27 Apr 2004 19:20:18 +0000 (19:20 +0000)
committer	stekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
	Tue, 27 Apr 2004 19:20:18 +0000 (19:20 +0000)