From 39b158e005ef35ca2b134257d2b67d708cb169be Mon Sep 17 00:00:00 2001
From: Jim Myhrberg
Date: Fri, 14 Dec 2007 01:30:16 +0000
Subject: [PATCH] fixed an issue with conditions building which didn't properly escapse special characters, leaving yourself open to remote SQL injection if passing direct user-input into a condition
---
 litemysql.lib.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/litemysql.lib.php b/litemysql.lib.php
index 4dbea93..c49f393 100644
--- a/litemysql.lib.php
+++ b/litemysql.lib.php
@@ -633,7 +633,7 @@ class LiteMySQL {
 } elseif ( preg_match('/^[0-9]+$/', $value) ) {
 $cond[] = "`id` = '".$value."'";
 } else {
- $cond[] = $value;
+ $cond[] = $this->sql_quote($value);
 }
 }
 $operator = ( !empty($options['operator']) ) ? $options['operator'] : 'AND' ;
@@ -694,6 +694,8 @@ class LiteMySQL {
 }
 if ( ($column == 'integer' || $column == 'float') && preg_match('/^[0-9\-\.]+$/', $string) ) {
 return $string;
+ } elseif ( preg_match('/^[0-9\-\.]+$/', $string) ) {
+ return $string;
 } else {
 return "'".addslashes($string)."'";
 }
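Review bot: The else branch in the first hunk now appends `$this->sql_quote($value)` as a whole condition, so a non-numeric value ends up as a bare quoted literal in the WHERE list (`WHERE 'foo'`), which MySQL evaluates as a number rather than as a comparison against any column; the `id` branch just above binds the value to a column, and this branch should do the same if an escaped comparison is the intent, e.g. `$cond[] = "`id` = ".$this->sql_quote($value);`. If this branch was meant to keep accepting caller-built SQL fragments, quoting them breaks that use and the trusted-input expectation should instead be stated in a comment on the branch. The enclosing function starts and ends outside the hunk, and sql_quote's parameter list is not visible here, so confirm the single-argument call matches its signature.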
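Review bot: The added `elseif` in the second hunk applies the same `/^[0-9\-\.]+$/` test as the `if` directly above it, so the `$column == 'integer' || $column == 'float'` check on that line is now dead: any matching string is returned unquoted regardless of column type, and the two branches should be collapsed into one. The pattern also accepts strings that are not numeric literals (`1-1`, `1.2.3`, `-`), which are then spliced into SQL unquoted; `/^-?[0-9]+(\.[0-9]+)?$/` keeps the numeric fast path while rejecting those. The unchanged fallback below relies on `addslashes`, which is not aware of the connection charset; a comment there noting that the driver's own escape function is preferred (if this class uses the mysql extension, `mysql_real_escape_string`) would help the next reader. The enclosing method starts outside the hunk.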