From 4208cb3bc67341ef7341f9a55aa70b327dd4c645 Mon Sep 17 00:00:00 2001
From: Faustin
Date: Sun, 22 Jan 2023 13:54:39 +0100
Subject: [PATCH] escape missing in sql request
---
 htdocs/admin/oauth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/htdocs/admin/oauth.php b/htdocs/admin/oauth.php
index 6fadc36a285..8c082d674db 100644
--- a/htdocs/admin/oauth.php
+++ b/htdocs/admin/oauth.php
@@ -123,9 +123,10 @@ if ($action == 'update') {
 $oldlabel = preg_replace('/^.*-/', '', $oldname);
 $newlabel = preg_replace('/^.*-/', '', $newconstvalue);
+ $sql = "UPDATE ".MAIN_DB_PREFIX."oauth_token";
- $sql.= " SET service = '".$oldprovider."-".$newlabel."'";
- $sql.= " WHERE service = '".$oldprovider."-".$oldlabel."'";
+ $sql.= " SET service = '".$db->escape($oldprovider."-".$newlabel)."'";
+ $sql.= " WHERE service = '".$db->escape($oldprovider."-".$oldlabel)."'";
 $resql = $db->query($sql);
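Review bot: The values reaching the `SET` and `WHERE` lines are escaped at the point of use but still not validated: `$newlabel` and `$oldlabel` are cut out of `$newconstvalue` and `$oldname` by `preg_replace('/^.*-/', '', …)`, and nothing in the hunk restricts which characters they may contain. If those names derive from the submitted form (their assignment is outside the hunk, so this is inferred), an allowlist check before the query is built, for example rejecting any label that does not match `/^[A-Za-z0-9_]*$/`, would keep the stored service key well-formed even where a later call site omits `$db->escape()`. The pattern is also greedy, so a label containing `-` is reduced to the part after the last hyphen and the `WHERE` clause may then not match the stored row; a short comment above the two `preg_replace` lines stating the expected `PROVIDER-LABEL` format would make that assumption explicit. The enclosing `if ($action == 'update')` block starts and ends outside the hunk.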