From 89c05838492f0675f5ecbae623248e0e4aafc3fd Mon Sep 17 00:00:00 2001
From: Martin Konecny
Date: Sun, 3 Jun 2012 22:39:42 -0400
Subject: [PATCH] CC-3926: System -> Stream setting: input ' into "Name/Description" will cause PDOException

---
 airtime_mvc/application/models/StreamSetting.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/airtime_mvc/application/models/StreamSetting.php b/airtime_mvc/application/models/StreamSetting.php
index 4cc60127c..d4128ef7b 100644
--- a/airtime_mvc/application/models/StreamSetting.php
+++ b/airtime_mvc/application/models/StreamSetting.php
@@ -172,7 +172,11 @@ class Application_Model_StreamSetting {
                         $v = $d['enable'] == 1 ? 'true' : 'false';
                     }
                     $v = trim($v);
+
+                    #escape double single quotes CC-3926
+                    $v = str_replace("'", "''", $v);
                     $sql = "UPDATE cc_stream_setting SET value='$v' WHERE keyname='$keyname'";
+                    $con->exec($sql);
                 }
             } else {
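Review bot: The added `str_replace("'", "''", $v)` only papers over the quoting problem for `$v`; the `$sql` line still interpolates both `$v` and `$keyname` straight into the statement text, `$keyname` gets no escaping at all, and a backslash in `$v` is still passed through unescaped, so whether the result is safe depends on the database's string-literal rules rather than on this code. The robust fix is to bind both values instead of escaping by hand, which also makes the new `str_replace` line unnecessary: `$sql = "UPDATE cc_stream_setting SET value=:v WHERE keyname=:keyname";`, `$st = $con->prepare($sql);`, `$st->execute(array(':v' => $v, ':keyname' => $keyname));` — this assumes `$con` is a PDO-compatible connection, which the hunk does not show. If the manual escaping is kept, the comment should say what it actually does, e.g. `# double each single quote so the value survives inside a SQL string literal (CC-3926)`. The enclosing `setStreamSetting`-style method and its `foreach`/`if` chain begin and end outside this hunk, and the hunk header's old-line count suggests one trailing context line is not shown here.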