From 88f1cc76140369b58cb99efb5e8a04f83ad71e8a Mon Sep 17 00:00:00 2001
From: james
Date: Mon, 22 Oct 2012 18:40:16 +0000
Subject: [PATCH] A few more missed escapes
---
 admin/reports.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/admin/reports.inc.php b/admin/reports.inc.php
index cbb4dd6..553ea00 100644
--- a/admin/reports.inc.php
+++ b/admin/reports.inc.php
@@ -354,12 +354,12 @@ foreach($report_stock as $n=>$v) {
 foreach($report[$type] as $k=>$v) {
 if($type == 'option') {
 /* field, value, x, y, w, h, lines, face, align, valign, fn, fs, fsize, overflow */
- $vals = "'$k','$v','0','0','0','0','0','','','','','','0','truncate'";
+ $vals = "'".mysql_real_escape_string($k)."','".mysql_real_escape_string($v)."','0','0','0','0','0','','','','','','0','truncate'";
 } else {
 if($v['lines'] == 0) $v['lines'] =1;
 $fs = is_array($v['fontstyle']) ? implode(',',$v['fontstyle']) : '';
 $opts = "{$v['align']} {$v['valign']}";
- $vals = "'{$v['field']}','{$v['value']}',
+ $vals = "'{$v['field']}','".mysql_real_escape_string($v['value'])."',
 '{$v['x']}','{$v['y']}','{$v['w']}',
 '{$v['h']}','{$v['lines']}','{$v['face']}',
 '$opts','{$v['valign']}',
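Review bot: The second added line escapes only `$v['value']`, while `$v['field']`, `$v['x']`, `$v['y']`, `$v['w']`, `$v['h']`, `$v['lines']`, `$v['face']`, `$v['valign']` and `$opts` (built from `$v['align']` and `$v['valign']` two lines above) are still interpolated into the SQL literal string unescaped, so if these come from the same `$report` data as `value` the quoting gap this commit is closing remains open on the same statement. Every interpolated element of `$vals` should go through `mysql_real_escape_string()` the same way, e.g. `$vals = "'".mysql_real_escape_string($v['field'])."','".mysql_real_escape_string($v['value'])."',` and likewise for the three continuation lines; the `lines` default of 1 set above does not make that field safe, since the non-zero path still uses the incoming value. A more durable fix is to build the INSERT with a prepared statement (mysqli or PDO) so no per-field escaping is needed, which also removes the dependency on the `mysql_*` API. The surrounding `foreach` and the SQL string that `$vals` feeds into continue outside the hunk, so the statement that consumes `$vals` cannot be checked from here.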