bug 1137: mysql_real_escape() fields in user_agreements although they usually are not

user provided, just to be sure Signed-off-by: Michael Tänzer <neo@nhng.de>
author: Michael Tänzer <neo@nhng.de> 2013-08-24 15:30:48 +0200
committer: Michael Tänzer <neo@nhng.de> 2013-08-24 15:30:48 +0200
commit: 35a1e4c80c870b6f956903d61b1999ecf67d6d51 (patch)
tree: ad5ff80954476b66c032d505d9c7c52d620b86dc
parent: 33bd853d0e7034f1ad0755dd717655b650ba541f (diff)
download: cacert-devel-35a1e4c80c870b6f956903d61b1999ecf67d6d51.tar.gz
cacert-devel-35a1e4c80c870b6f956903d61b1999ecf67d6d51.tar.xz
cacert-devel-35a1e4c80c870b6f956903d61b1999ecf67d6d51.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/includes/notary.inc.php b/includes/notary.inc.php
index b8cdb1b..2b7ccb6 100644
--- a/includes/notary.inc.php
+++ b/includes/notary.inc.php
@@ -635,7 +635,7 @@
 	function write_user_agreement($memid, $document, $method, $comment, $active=1, $secmemid=0){
 	// write a new record to the table user_agreement
 		$query="insert into `user_agreements` set `memid`=".intval($memid).", `secmemid`=".intval($secmemid).
-			",`document`='".$document."',`date`=NOW(), `active`=".intval($active).",`method`='".$method."',`comment`='".$comment."'" ;
+			",`document`='".mysql_real_escape_string($document)."',`date`=NOW(), `active`=".intval($active).",`method`='".mysql_real_escape_string($method)."',`comment`='".mysql_real_escape_string($comment)."'" ;
 		$res = mysql_query($query);
 	}
author	Michael Tänzer <neo@nhng.de>	2013-08-24 15:30:48 +0200
committer	Michael Tänzer <neo@nhng.de>	2013-08-24 15:30:48 +0200
commit	35a1e4c80c870b6f956903d61b1999ecf67d6d51 (patch)
tree	ad5ff80954476b66c032d505d9c7c52d620b86dc
parent	33bd853d0e7034f1ad0755dd717655b650ba541f (diff)
download	cacert-devel-35a1e4c80c870b6f956903d61b1999ecf67d6d51.tar.gz cacert-devel-35a1e4c80c870b6f956903d61b1999ecf67d6d51.tar.xz cacert-devel-35a1e4c80c870b6f956903d61b1999ecf67d6d51.zip