From 8556f141acab45bdfc03f6cc48796653402f4b33 Mon Sep 17 00:00:00 2001
From: garvinhicking <garvinhicking>
Date: Tue, 25 Mar 2008 14:04:06 +0000
Subject: [PATCH] update

---
 include/db/mysql.inc.php    | 4 ++--
 include/db/sqlrelay.inc.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/db/mysql.inc.php b/include/db/mysql.inc.php
index ec0b8e6..8d4d592 100644
--- a/include/db/mysql.inc.php
+++ b/include/db/mysql.inc.php
@@ -96,13 +96,13 @@ function &serendipity_db_query($sql, $single = false, $result_type = "both", $re
     }
 
     if (!$expectError && mysql_error($serendipity['dbConn']) != '') {
-        $msg = '<pre>' . $sql . '</pre> / ' . htmlspecialchars(mysql_error($serendipity['dbConn']));
+        $msg = '<pre>' . htmlspecialchars($sql) . '</pre> / ' . htmlspecialchars(mysql_error($serendipity['dbConn']));
         return $msg;
     }
 
     if (!$c) {
         if (!$expectError && !$serendipity['production']) {
-            print '<pre>' . $sql . '</pre> / ' . htmlspecialchars(mysql_error($serendipity['dbConn']));
+            print '<pre>' . htmlspecialchars($sql) . '</pre> / ' . htmlspecialchars(mysql_error($serendipity['dbConn']));
             if (function_exists('debug_backtrace') && $reportErr == true) {
                 highlight_string(var_export(debug_backtrace(), 1));
             }
diff --git a/include/db/sqlrelay.inc.php b/include/db/sqlrelay.inc.php
index 36ad19d..c57da0e 100644
--- a/include/db/sqlrelay.inc.php
+++ b/include/db/sqlrelay.inc.php
@@ -161,13 +161,13 @@ function &serendipity_db_query($sql, $single = false, $result_type = "both", $re
     }
 
     if (!$expectError && sqlrcur_errorMessage($cur) != '') {
-        $msg = '<pre>' . $sql . '</pre> / ' . sqlrcur_errorMessage($cur);
+        $msg = '<pre>' . htmlspecialchars($sql) . '</pre> / ' . htmlspecialchars(sqlrcur_errorMessage($cur));
         return $msg;
     }
 
     if (!$c) {
         if (!$expectError && !$serendipity['production']) {
-            print '<pre>' . $sql . '</pre> / ' . sqlrcur_errorMessage($cur);
+            print '<pre>' . htmlspecialchars($sql) . '</pre> / ' . htmlspecialchars(sqlrcur_errorMessage($cur));
             if (function_exists('debug_backtrace') && $reportErr == true) {
                 highlight_string(var_export(debug_backtrace(), 1));
             }
-- 
2.39.5