From f9418f9f1f05ccd57495679b9db5d184721257f4 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Fri, 13 Oct 2006 00:53:35 +0000 Subject: [PATCH] r1252: Escape input on install.php master settings --- install/install.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/install.php b/install/install.php index 1439066..16853bd 100644 --- a/install/install.php +++ b/install/install.php @@ -170,9 +170,9 @@ if ($bugsys->in['mark'] == 5) query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->in['trackertitle'] . "' WHERE varname = 'trackertitle'"); - $db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->in['trackerurl'] . "' WHERE varname = 'trackerurl'"); - $db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->in['webmasteremail'] . "' WHERE varname = 'webmasteremail'"); + $db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->input_escape('trackertitle') . "' WHERE varname = 'trackertitle'"); + $db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->input_escape('trackerurl') . "' WHERE varname = 'trackerurl'"); + $db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->input_escape('webmasteremail') . "' WHERE varname = 'webmasteremail'"); page_end(false); } -- 2.43.5
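Review bot: The three `UPDATE` statements on the new side still build SQL by string concatenation, so their safety rests entirely on `input_escape()` escaping for the active database connection and character set; that helper's body is not in this hunk, so it is worth confirming it calls the driver's escaping routine rather than a generic slash-adding one. The values are also written without any format check: `trackerurl` and `webmasteremail` could be validated before the write, for example with `filter_var($value, FILTER_VALIDATE_URL)` and `filter_var($value, FILTER_VALIDATE_EMAIL)`, because they are presumably reused later in links and mail headers, where SQL escaping gives no protection. The enclosing `if ($bugsys->in['mark'] == 5)` block starts outside the hunk, so whether this installer step is restricted once setup has completed cannot be seen from here.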