From 80aa44565b3933443e6b192970b6f321c15c1a69 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sat, 22 Sep 2012 10:51:03 +0200
Subject: [PATCH] Sanitize user input

---
 lib/db.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/db.php b/lib/db.php
index 1f0593b080..42bd04e988 100644
--- a/lib/db.php
+++ b/lib/db.php
@@ -299,7 +299,7 @@ class OC_DB {
 			// Die if we have an error (error means: bad query, not 0 results!)
 			if( PEAR::isError($result)) {
 				$entry = 'DB Error: "'.$result->getMessage().'"<br />';
-				$entry .= 'Offending command was: '.$query.'<br />';
+				$entry .= 'Offending command was: '.htmlentities($query).'<br />';
 				OC_Log::write('core', $entry,OC_Log::FATAL);
 				error_log('DB error: '.$entry);
 				die( $entry );
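Review bot: The escaping on the `+` line covers `$query` but leaves `$result->getMessage()` on the preceding line unescaped inside the same HTML-bound `$entry`, and a driver error message commonly echoes the offending value back, so the `die( $entry )` output is still only partially escaped; the second hunk has the same gap with `$e->getMessage()`. `htmlentities($query)` with no flags or charset also relies on the interpreter defaults, which historically left single quotes unencoded and assumed a non-UTF-8 charset; `htmlspecialchars($query, ENT_QUOTES, 'UTF-8')` applied to both the message and the query is the more predictable form. Note that the entity-encoded `$entry` is also what reaches `OC_Log::write` and `error_log`, so the log entries now carry encoded SQL rather than the raw statement; if raw SQL is wanted in the logs, escape only the copy handed to `die()`. The enclosing method of `OC_DB` starts and ends outside both hunks.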
@@ -309,7 +309,7 @@ class OC_DB {
 				$result=self::$connection->prepare($query);
 			}catch(PDOException $e) {
 				$entry = 'DB Error: "'.$e->getMessage().'"<br />';
-				$entry .= 'Offending command was: '.$query.'<br />';
+				$entry .= 'Offending command was: '.htmlentities($query).'<br />';
 				OC_Log::write('core', $entry,OC_Log::FATAL);
 				error_log('DB error: '.$entry);
 				die( $entry );
-- 
GitLab