From 2793148742ffb02a4358e1b4ddc493082426a055 Mon Sep 17 00:00:00 2001
From: kkalev
Date: Sat, 31 Jul 2004 07:30:57 +0000
Subject: [PATCH] Fix operator escaping in lib/sql/change_attrs.php3
---
 Changelog | 1 +
 lib/sql/change_attrs.php3 | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index acc2762..710ce52 100644
--- a/Changelog
+++ b/Changelog
@@ -16,6 +16,7 @@ Ver 1.75:
 * Make show_groups and the drop down menu in group_new work
 * Use lower cased row names in badusers page
 * Wrong foreach in show_groups and group_new.
+* Fix operator escaping in lib/sql/change_attrs.php3
 Ver 1.72:
 * Move the xlat function to a separate file in lib/xlat.php3
 * Add a lib/sql/nas_list.php3 to also get the nas list from sql (naslist.conf still works)
diff --git a/lib/sql/change_attrs.php3 b/lib/sql/change_attrs.php3
index a901315..a71e706 100644
--- a/lib/sql/change_attrs.php3
+++ b/lib/sql/change_attrs.php3
@@ -46,6 +46,7 @@ if ($link){
 if ($use_ops){
 $op_val = $$op_name;
 if ($op_val != ''){
+ $op_val = da_sql_escape_string($op_val);
 if (check_operator($op_val,$type) == -1){
 echo "Invalid operator ($op_val) for attribute $key
\n"; continue; @@ -53,10 +54,8 @@ if ($link){ $op_val2 = ",'$op_val'"; } } - $op_val = da_sql_escape_string($op_val); $sql_attr = da_sql_escape_string($sql_attr); $val = da_sql_escape_string($val); - $op_val2 = da_sql_escape_string($op_val2); // if we have operators, the operator has changed and the corresponding value exists then update if ($use_ops && isset($item_vals["$key"][operator][$j]) && $op_val != $item_vals["$key"][operator][$j] ){ -- 2.39.5
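Review bot: The error branch echoes `$op_val` and `$key` straight into the page, and the `da_sql_escape_string()` call added above it only covers the SQL context, so an operator value containing markup would be rendered as HTML in the "Invalid operator" message; wrap both in `htmlspecialchars()` at that echo. The added escape also runs before `check_operator($op_val,$type)`, so the validator sees the escaped form rather than what was submitted. Validating the raw value first and escaping just before `$op_val2 = ",'$op_val'";` would keep each step in its own context. `check_operator()` and the origin of `$$op_name` are not visible here, so whether the check is a strict allowlist over request input is an assumption to confirm. The enclosing `if ($link){` block starts and ends outside this hunk.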
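Review bot: Nothing at `$op_val2 = ",'$op_val'";` records that the fragment is only safe to place in a query because `$op_val` was escaped earlier, which is the ordering this commit had to repair. A comment there such as `// $op_val is already SQL-escaped; do not escape $op_val2 again, that would escape its enclosing quotes` would keep the double escaping from coming back. With the unconditional `da_sql_escape_string($op_val)` removed, `$op_val` is escaped only inside the `$use_ops` branch. The queries themselves are outside this hunk, so any use of `$op_val` in SQL outside that guard should be checked.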