escape missing in sql request

2023-01-22 13:54:39 +01:00 · 2023-01-22 13:54:39 +01:00 · 4208cb3bc6
commit 4208cb3bc6
parent 9806941217
1 changed files with 3 additions and 2 deletions
--- a/htdocs/admin/oauth.php
+++ b/htdocs/admin/oauth.php
@ -123,9 +123,10 @@ if ($action == 'update') {
 				$oldlabel = preg_replace('/^.*-/', '', $oldname);
 				$newlabel = preg_replace('/^.*-/', '', $newconstvalue);

+
 				$sql = "UPDATE ".MAIN_DB_PREFIX."oauth_token";
-				$sql.= " SET service = '".$oldprovider."-".$newlabel."'";
-				$sql.= " WHERE  service = '".$oldprovider."-".$oldlabel."'";
+				$sql.= " SET service = '".$db->escape($oldprovider."-".$newlabel)."'";
+				$sql.= " WHERE  service = '".$db->escape($oldprovider."-".$oldlabel)."'";


 				$resql = $db->query($sql);