From 512c5a11f58acf87d3784176a69cdfea1c75ac19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Chapeaux?= Date: Fri, 6 Jul 2001 22:20:22 +0000 Subject: [PATCH] fixed bug #438895 (No mixed " and ' possible) --- sql.php3 | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sql.php3 b/sql.php3 index 6f868791f..b9feaf417 100755 --- a/sql.php3 +++ b/sql.php3 @@ -23,8 +23,8 @@ if(isset($btnDrop) && $btnDrop == $strNo) { exit; } -// Check if table should be dropped -$is_drop_sql_query = eregi("DROP +(TABLE|DATABASE)|ALTER TABLE +[[:alnum:]_]* +DROP|DELETE FROM", $sql_query); // Get word "drop" +// Check if table should be dropped or if a record should be deleted +$is_drop_sql_query = eregi("DROP +(TABLE|DATABASE)|ALTER TABLE +[[:alnum:]_]* +DROP|DELETE FROM", $sql_query); if(!$cfgConfirm) $btnDrop = $strYes; @@ -35,6 +35,11 @@ if($is_drop_sql_query && !isset($btnDrop)) { } else { $stripped_sql_query = $sql_query; } + // loic1: fix bugs when the query contains js instructions and html tags + $stripped_sql_query = str_replace('\\"', '"', $stripped_sql_query); + $stripped_sql_query = str_replace('<', '<', $stripped_sql_query); + $stripped_sql_query = str_replace('>', '>', $stripped_sql_query); + include("./header.inc.php3"); echo $strDoYouReally.$stripped_sql_query."?
"; ?>
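Review bot: The added `str_replace` lines ahead of `echo $strDoYouReally.$stripped_sql_query` are a partial, hand-rolled HTML escape: they handle only `\"`, `<` and `>`, so `&` and quote characters in the query reach the confirmation page unescaped. The replacement strings display here as `'<'` and `'>'`, presumably `&lt;` and `&gt;` that this page has entity-decoded. Because the query text appears to come from the request, I would replace the two angle-bracket lines with `$stripped_sql_query = htmlspecialchars($stripped_sql_query);`, which also encodes `&` and `"`. The enclosing `if($is_drop_sql_query && !isset($btnDrop))` block starts before this hunk, so it is worth checking whether the same value is written into a form field or link elsewhere, where attribute-context quoting would matter. The `loic1` comment could also state that this is output escaping for the confirmation page, not a change to the query that gets executed.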