diff --git a/modules/reports/models/scheduled_reports.php b/modules/reports/models/scheduled_reports.php
index f1df5d7b8..6fb2f158c 100644
--- a/modules/reports/models/scheduled_reports.php
+++ b/modules/reports/models/scheduled_reports.php
@@ -37,7 +37,7 @@ static function delete_all_scheduled_reports($type='avail',$id=false)
 $row = $res->current();
 $report_type_id = $row->id;
- $sql = "DELETE FROM scheduled_reports WHERE report_type_id=".$report_type_id." AND report_id=".$id;
+ $sql = "DELETE FROM scheduled_reports WHERE report_type_id=".$db->escape($report_type_id)." AND report_id=".$db->escape($id);
 try {
 $db->query($sql);
 } catch (Kohana_Database_Exception $e) {
@@ -74,7 +74,7 @@ public static function get_scheduled_reports($type)
 scheduled_report_periods rp,
 saved_reports r
 WHERE
- rt.identifier='".$type."' AND
+ rt.identifier=".$db->escape($type)." AND
 sr.report_type_id=rt.id AND
 rp.id=sr.period_id AND
 sr.report_id=r.id".$sql_xtra." 
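Review bot: `$id` still reaches the DELETE as whatever the caller passed (its signature default is `false`) and only goes through `$db->escape()`, so a missing or non-numeric id is quoted into the statement rather than rejected; for an integer key I would coerce and validate before the query is built, `$id = (int)$id; if ($id <= 0) { return false; }` (adapt the return to what this function's callers expect, its return path is outside the hunk), and keep `escape()` for `$report_type_id`, which comes from the row fetched two lines above. As far as I recall Kohana's `escape()` quotes strings but emits ints and booleans bare, so a cast is the clearer contract for id columns — verify against the driver this install uses. The enclosing function starts and ends outside the hunk.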
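Review bot: `$type` is now escaped, but the same statement still ends with `".$sql_xtra."` on the last context line, concatenated unescaped and assembled somewhere outside the hunk; whatever builds `$sql_xtra` needs the same treatment or this fix covers only one of the statement's two variable parts. Since `rt.identifier` is matched against a fixed set of report types (`'avail'` is the default used by delete_all_scheduled_reports above), I would also reject unknown values before querying, `if (!in_array($type, $known_report_types, true)) { return array(); }` with `$known_report_types` being the project's list of type identifiers and the return matched to the function's normal shape. The enclosing function starts and ends outside the hunk.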
@@ -205,9 +205,9 @@ static public function edit_report($id=false, $rep_type=false, $saved_report_id=
 if ($id) {
 // UPDATE
- $sql = "UPDATE scheduled_reports SET ".self::USERFIELD."=".$db->escape($user).", report_type_id=".$rep_type.", report_id=".$saved_report_id.", recipients=".$db->escape($recipients).", period_id=".$period.", filename=".$db->escape($filename).", description=".$db->escape($description).", local_persistent_filepath = ".$db->escape($local_persistent_filepath).", attach_description = ".$db->escape($attach_description)." WHERE id=".$id;
+ $sql = "UPDATE scheduled_reports SET ".self::USERFIELD."=".$db->escape($user).", report_type_id=".$db->escape($rep_type).", report_id=".$db->escape($saved_report_id).", recipients=".$db->escape($recipients).", period_id=".$db->escape($period).", filename=".$db->escape($filename).", description=".$db->escape($description).", local_persistent_filepath = ".$db->escape($local_persistent_filepath).", attach_description = ".$db->escape($attach_description)." 
WHERE id=".$db->escape($id);
 } else {
- $sql = "INSERT INTO scheduled_reports (".self::USERFIELD.", report_type_id, report_id, recipients, period_id, filename, description, local_persistent_filepath, attach_description, report_time, report_on, report_period)VALUES(".$db->escape($user).", ".$rep_type.", ".$saved_report_id.", ".$db->escape($recipients).", ".$period.", ".$db->escape($filename).", ".$db->escape($description).", ".$db->escape($local_persistent_filepath).", ".$db->escape($attach_description).", '".$report_time."', '".$report_on."', '".$report_period."' )";
+ $sql = "INSERT INTO scheduled_reports (".self::USERFIELD.", report_type_id, report_id, recipients, period_id, filename, description, local_persistent_filepath, attach_description, report_time, report_on, report_period)VALUES(".$db->escape($user).", ".$db->escape($rep_type).", ".$db->escape($saved_report_id).", ".$db->escape($recipients).", ".$db->escape($period).", ".$db->escape($filename).", ".$db->escape($description).", ".$db->escape($local_persistent_filepath).", ".$db->escape($attach_description).", ".$db->escape($report_time).", ".$db->escape($report_on).", ".$db->escape($report_period).")";
 }
@@ -234,11 +234,11 @@ static public function edit_report($id=false, $rep_type=false, $saved_report_id=
 */
 static function update_report_field($id=false, $field=false, $value=false)
 {
- $id = (int)$id;
- $field = trim($field);
- $value = trim($value);
 $db = Database::instance();
- $sql = "UPDATE scheduled_reports SET ".$field."= ".$db->escape($value)." WHERE id=".$id;
+ $id = (int)$id;
+ $field = $db->escape_column(trim($field));
+ $value = $db->escape(trim($value));
+ $sql = "UPDATE scheduled_reports SET {$field}={$value} WHERE id={$id}";
 try {
 $res = $db->query($sql);
 } catch (Kohana_Database_Exception $e) {
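Review bot: `$rep_type`, `$saved_report_id`, `$period` and `$id` are key columns (each defaults to `false` in the signature) but the new UPDATE and INSERT pass them through `$db->escape()` exactly like the free-text fields, so a non-numeric value is quoted into the statement instead of being rejected; cast them once above the `if ($id)` branch, `$rep_type = (int)$rep_type; $saved_report_id = (int)$saved_report_id;` and `$period = (int)$period; $id = (int)$id;`, which also matches the `(int)$id` the next hunk adds to update_report_field. With those casts a caller that omits any of them would insert zeros silently, so an early return when a required key is 0 is worth adding at the same spot. The `report_time`/`report_on`/`report_period` values lost their literal quotes and now depend on `escape()` quoting strings — fine as long as every caller passes strings, which I cannot confirm from here. The enclosing method starts before the hunk.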
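Review bot: `$db->escape_column(trim($field))` quotes the column name as an identifier but does not restrict which column of scheduled_reports may be written, so if `$field` originates from a request this method can update columns the UI never intends to expose (the owner column `self::USERFIELD` used in edit_report, for instance); add an allow-list before the escaping on the third added line, `if (!in_array($field, array('recipients', 'filename', 'description', 'attach_description'), true)) { return false; }`, taking the exact set from the fields this endpoint is meant to edit and the return from what callers expect. The `trim($value)` on a `false` default yields an empty string that is then written as `''`, so a missing `$value` is also worth rejecting here. The method's error handling continues past the hunk.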