- call qstr() for name and comment

2025-03-12 00:45:34 +00:00 · 2011-12-03 16:20:05 +00:00 · 2011-12-03 16:20:05 +00:00 · 6e0df090c6
commit 6e0df090c6
parent d332984803
1 changed files with 2 additions and 2 deletions
--- a/LetoDMS_Core/Core/inc.ClassFolder.php
+++ b/LetoDMS_Core/Core/inc.ClassFolder.php
@ -127,7 +127,7 @@ class LetoDMS_Core_Folder {
 	function setName($newName) { /* {{{ */
 		$db = $this->_dms->getDB();

-		$queryStr = "UPDATE tblFolders SET name = '" . $newName . "' WHERE id = ". $this->_id;
+		$queryStr = "UPDATE tblFolders SET name = " . $db->qstr($newName) . " WHERE id = ". $this->_id;
 		if (!$db->getResult($queryStr))
 			return false;

@ -141,7 +141,7 @@ class LetoDMS_Core_Folder {
 	function setComment($newComment) { /* {{{ */
 		$db = $this->_dms->getDB();

-		$queryStr = "UPDATE tblFolders SET comment = '" . $newComment . "' WHERE id = ". $this->_id;
+		$queryStr = "UPDATE tblFolders SET comment = " . $db->qstr($newComment) . " WHERE id = ". $this->_id;
 		if (!$db->getResult($queryStr))
 			return false;