@@ -47,8 +47,7 @@ public static function getHtmlForListingUsersofAGroup(
4747 $ usersTable = Util::backquote ($ configurableMenusFeature ->database )
4848 . '. ' . Util::backquote ($ configurableMenusFeature ->users );
4949 $ sql_query = 'SELECT `username` FROM ' . $ usersTable
50- . " WHERE `usergroup`=' " . $ GLOBALS ['dbi ' ]->escapeString ($ userGroup )
51- . "' " ;
50+ . ' WHERE `usergroup`= ' . $ GLOBALS ['dbi ' ]->quoteString ($ userGroup , Connection::TYPE_CONTROL );
5251 $ result = $ GLOBALS ['dbi ' ]->tryQueryAsControlUser ($ sql_query );
5352 if ($ result ) {
5453 $ i = 0 ;
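Review bot: `Connection::TYPE_CONTROL` is introduced on the added line of this hunk, but no `use` import for `Connection` is visible in this chunk; if the file did not already import that class, a `use` statement at the top of the file is needed, and the same applies to the added lines in the three later hunks. The quoting now goes through `quoteString()` with the same control connection type that `tryQueryAsControlUser()` on the next line runs on, which is the pairing the escaping depends on. `getHtmlForListingUsersofAGroup()` starts and ends outside this hunk.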
@@ -220,8 +219,7 @@ public static function getHtmlToEditUserGroup(
220219 $ groupTable = Util::backquote ($ configurableMenusFeature ->database )
221220 . '. ' . Util::backquote ($ configurableMenusFeature ->userGroups );
222221 $ sql_query = 'SELECT * FROM ' . $ groupTable
223- . " WHERE `usergroup`=' " . $ GLOBALS ['dbi ' ]->escapeString ($ userGroup )
224- . "' " ;
222+ . ' WHERE `usergroup`= ' . $ GLOBALS ['dbi ' ]->quoteString ($ userGroup , Connection::TYPE_CONTROL );
225223 $ result = $ GLOBALS ['dbi ' ]->tryQueryAsControlUser ($ sql_query );
226224 if ($ result ) {
227225 foreach ($ result as $ row ) {
@@ -315,8 +313,7 @@ public static function edit(
315313
316314 if (! $ new ) {
317315 $ sql_query = 'DELETE FROM ' . $ groupTable
318- . " WHERE `usergroup`=' " . $ GLOBALS ['dbi ' ]->escapeString ($ userGroup )
319- . "'; " ;
316+ . ' WHERE `usergroup`= ' . $ GLOBALS ['dbi ' ]->quoteString ($ userGroup , Connection::TYPE_CONTROL ) . '; ' ;
320317 $ GLOBALS ['dbi ' ]->queryAsControlUser ($ sql_query );
321318 }
322319
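Review bot: The rewritten DELETE keeps a trailing `. ';'` on the added line even though the statement is sent on its own through `queryAsControlUser()`, while the SELECTs rewritten in the earlier hunks of this change carry no terminator; dropping the final `. ';'` makes the four rewritten queries consistent. Nothing else in the query depends on it, so the change is purely cosmetic. `edit()` starts and ends outside this hunk.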
@@ -333,7 +330,8 @@ public static function edit(
333330
334331 $ tabName = $ tabGroupName . '_ ' . $ tab ;
335332 $ allowed = isset ($ _POST [$ tabName ]) && $ _POST [$ tabName ] === 'Y ' ;
336- $ sql_query .= "(' " . $ GLOBALS ['dbi ' ]->escapeString ($ userGroup ) . "', ' " . $ tabName . "', ' "
333+ $ sql_query .= '( ' . $ GLOBALS ['dbi ' ]->quoteString ($ userGroup , Connection::TYPE_CONTROL )
334+ . ', ' . $ GLOBALS ['dbi ' ]->quoteString ($ tabName , Connection::TYPE_CONTROL ) . ", ' "
337335 . ($ allowed ? 'Y ' : 'N ' ) . "') " ;
338336 $ first = false ;
339337 }
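Review bot: The VALUES tuple on the two added lines quotes `$userGroup` and `$tabName` through `quoteString()` but still hand-builds the quotes around the Y/N flag with `", '"` and `"')"` on the following context line, so one tuple mixes two quoting styles. The flag is a fixed literal and not an injection concern, but routing it through the same helper — `. ', ' . $GLOBALS['dbi']->quoteString($allowed ? 'Y' : 'N', Connection::TYPE_CONTROL) . ')'` — leaves every value in the statement quoted by the DBI and removes the last hand-written quote in this method. `edit()` starts and ends outside this hunk, so the head of the INSERT that `$sql_query` accumulates into is not visible here.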