Revision 1868
Added by Dietmar almost 12 years ago
save.php | ||
---|---|---|
272 | 272 |
|
273 | 273 |
if ( !in_array($value, $disallow_in_fields) && (isset($_POST[$setting_name]) || $passed == true) ) |
274 | 274 |
{ |
275 |
$value = trim($admin->add_slashes($value));
|
|
275 |
$value = trim($database->escapeString($value));
|
|
276 | 276 |
$sql = 'UPDATE `'.TABLE_PREFIX.'settings` '; |
277 |
$sql .= 'SET `value` = \''.($value).'\' '; // mysql_escape_string
|
|
277 |
$sql .= 'SET `value` = \''.($value).'\' '; |
|
278 | 278 |
$sql .= 'WHERE `name` != \'wb_version\' '; |
279 | 279 |
$sql .= 'AND `name` = \''.$setting_name.'\' '; |
280 | 280 |
if (!$database->query($sql)) |
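Review bot: Trimming after escaping on new line 275 changes what gets stored: if escapeString() wraps mysql_real_escape_string (the commit message and the dropped `// mysql_escape_string` comment suggest it does), a trailing newline or carriage return becomes the two characters `\n`/`\r`, which trim() then no longer removes, whereas the old add_slashes()+trim order did strip it. Escape as the last step before interpolation: `$value = $database->escapeString(trim($value));`. The escaped value is then spliced directly into the UPDATE on line 277, and `$setting_name` on line 279 is spliced in unescaped; if it can originate from the request rather than a fixed list (line 273 only uses it as a `$_POST` key, so this is not visible here), it needs the same escaping or the statement should be prepared with placeholders. The enclosing if block opened on line 274 continues past the end of this section.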
! change mysql_esc_string to WbDatabase::getInstance()->escapeString()