- disallow ` in table names when using ?? placeholder in query

Marius Cramer · Marius Cramer · commit 0e41dea8cc54 · 2014-08-13T16:42:46.000+02:00
diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
@@ -126,7 +126,8 @@ public function _build_query_string($sQuery = '') {
 
 				if($iPos2 !== false && ($iPos === false || $iPos2 <= $iPos)) {
 					$sTxt = $this->escape($sValue);
-
+					
+					$sTxt = str_replace('`', '', $sTxt);
 					if(strpos($sTxt, '.') !== false) $sTxt = preg_replace('/^(.+)\.(.+)$/', '`$1`.`$2`', $sTxt);
 					else $sTxt = '`' . $sTxt . '`';
 
