From 66f4896153689d7f70c55bb3f4d54cfb94f812bb Mon Sep 17 00:00:00 2001
From: bradymiller
Date: Wed, 27 Feb 2013 16:33:07 -0800
Subject: [PATCH] Security fix - html escape sql error messages
---
 library/sql.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/library/sql.inc b/library/sql.inc
index 05023333c..c7653a22d 100644
--- a/library/sql.inc
+++ b/library/sql.inc
@@ -161,7 +161,7 @@ if (!$GLOBALS['dbh']) {
 if ($host == "localhost") {
 echo "Check that mysqld is running.

";
 } else {
- echo "Check that you can ping the server '$host'.

";
+ echo "Check that you can ping the server '".text($host)."'.

";
 }//if local
 HelpfulDie("Could not connect to server!", getSqlLastError("native_mysql"));
 exit;
@@ -546,9 +546,9 @@ function sqlNumRows($r)
 */
 function HelpfulDie ($statement, $sqlerr='')
 {
- echo "
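Review bot: The new `text($host)` call sits in the connect-failure path, which runs while sql.inc is being included, and nothing in this hunk shows where `text()` is defined. If the escaping helper is loaded after sql.inc on any entry point, a failed connection would end in an undefined-function fatal instead of the escaped message; the same applies to the `text()` calls added to `HelpfulDie` in the second hunk. I would confirm the include order and record it next to the call, e.g. `// text() must already be loaded here: this branch runs at include time`. The enclosing `if (!$GLOBALS['dbh'])` block starts outside the hunk.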

ERROR: $statement

";
+ echo "

ERROR: ".text($statement)."

";
 if ($sqlerr) {
- echo "Error: $sqlerr

";
+ echo "Error: ".text($sqlerr)."

";
 }//if error
 exit;
 }
--
2.11.4.GIT
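Review bot: `HelpfulDie` still sends the full `$statement` and `$sqlerr` to the browser, so escaping closes the markup-injection path but leaves query text and database error details visible to whoever triggers the failure. Those strings can expose table and column names and, for the connection error in the first hunk, server details. I would write the detail to the server log, e.g. `error_log("HelpfulDie: $statement: $sqlerr");`, and echo the escaped detail only when a debug or admin setting allows it, showing a generic message otherwise. Whether `text()` also encodes quotes is not visible here; that matters only if these values are ever moved into an attribute context.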