Revision 1868
Added by Dietmar almost 12 years ago
| save.php | ||
|---|---|---|
| 272 | 272 |
|
| 273 | 273 |
if ( !in_array($value, $disallow_in_fields) && (isset($_POST[$setting_name]) || $passed == true) ) |
| 274 | 274 |
{
|
| 275 |
$value = trim($admin->add_slashes($value));
|
|
| 275 |
$value = trim($database->escapeString($value));
|
|
| 276 | 276 |
$sql = 'UPDATE `'.TABLE_PREFIX.'settings` '; |
| 277 |
$sql .= 'SET `value` = \''.($value).'\' '; // mysql_escape_string
|
|
| 277 |
$sql .= 'SET `value` = \''.($value).'\' '; |
|
| 278 | 278 |
$sql .= 'WHERE `name` != \'wb_version\' '; |
| 279 | 279 |
$sql .= 'AND `name` = \''.$setting_name.'\' '; |
| 280 | 280 |
if (!$database->query($sql)) |
Also available in: Unified diff
! change mysql_esc_string to WbDatabase::getInstance()->escapeStrinng()