apply magic quotes before using var in sql query in fetch_all_using_this()

diff --git a/lib/grade/grade_object.php b/lib/grade/grade_object.php
index 42a3cf99fc6d0d8fe6fa440265a920afcaa9bf13..17b1630e9d0c068e922b489bd652b33d2a4270a9 100644 (file)
--- a/lib/grade/grade_object.php
+++ b/lib/grade/grade_object.php
@@ -162,6 +162,7 @@ class grade_object {
         
         foreach ($variables as $var => $value) {
             if (!empty($value) && !in_array($var, $this->nonfields)) {
+                $value = addslashes($value);
                 $wheresql .= " $var = '$value' AND ";
             }
         }