From f9418f9f1f05ccd57495679b9db5d184721257f4 Mon Sep 17 00:00:00 2001
From: Robert Sesek <rsesek@bluestatic.org>
Date: Fri, 13 Oct 2006 00:53:35 +0000
Subject: [PATCH] r1252: Escape input on install.php master settings

---
 install/install.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/install.php b/install/install.php
index 1439066..16853bd 100644
--- a/install/install.php
+++ b/install/install.php
@@ -170,9 +170,9 @@ if ($bugsys->in['mark'] == 5)
 
 <?php
 	
-	$db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->in['trackertitle'] . "' WHERE varname = 'trackertitle'");
-	$db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->in['trackerurl'] . "' WHERE varname = 'trackerurl'");
-	$db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->in['webmasteremail'] . "' WHERE varname = 'webmasteremail'");
+	$db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->input_escape('trackertitle') . "' WHERE varname = 'trackertitle'");
+	$db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->input_escape('trackerurl') . "' WHERE varname = 'trackerurl'");
+	$db->query("UPDATE " . TABLE_PREFIX . "setting SET value = '" . $bugsys->input_escape('webmasteremail') . "' WHERE varname = 'webmasteremail'");
 	
 	page_end(false);
 }
-- 
2.22.5