Fix operator escaping in lib/sql/change_attrs.php3

diff --git a/Changelog b/Changelog
index acc2762dfde1eb2d809097c448336c246b6c0476..710ce52110fcadf307569e47a0e7eba58e76b4f3 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -16,6 +16,7 @@ Ver 1.75:
 * Make show_groups and the drop down menu in group_new work
 * Use lower cased row names in badusers page
 * Wrong foreach in show_groups and group_new.
+* Fix operator escaping in lib/sql/change_attrs.php3
 Ver 1.72:
 * Move the xlat function to a separate file in lib/xlat.php3
 * Add a lib/sql/nas_list.php3 to also get the nas list from sql (naslist.conf still works)

diff --git a/lib/sql/change_attrs.php3 b/lib/sql/change_attrs.php3
index a9013159093249559e46db40fc8dd70373f2ddb3..a71e7062dd0b716ff4a8650f2d91ce264ea61721 100644 (file)
--- a/lib/sql/change_attrs.php3
+++ b/lib/sql/change_attrs.php3
@@ -46,6 +46,7 @@ if ($link){
                        if ($use_ops){
                                $op_val = $$op_name;
                                if ($op_val != ''){
+                                       $op_val = da_sql_escape_string($op_val);
                                        if (check_operator($op_val,$type) == -1){
                                                echo "<b>Invalid operator ($op_val) for attribute $key</b><br>\n";
                                                continue;
@@ -53,10 +54,8 @@ if ($link){
                                        $op_val2 = ",'$op_val'";
                                }
                        }
-                       $op_val = da_sql_escape_string($op_val);
                        $sql_attr = da_sql_escape_string($sql_attr);
                        $val = da_sql_escape_string($val);
-                       $op_val2 = da_sql_escape_string($op_val2);
        // if we have operators, the operator has changed and the corresponding value exists then update
                        if ($use_ops && isset($item_vals["$key"][operator][$j]) &&
                                $op_val != $item_vals["$key"][operator][$j] ){