From a659da6919dd2f94bf6ac7f6e74bd8e084b1be5e Mon Sep 17 00:00:00 2001
From: ANKIT AGARWAL
Date: Fri, 25 Mar 2011 17:34:26 +0530
Subject: [PATCH 3/3] patch for MDL-20878
---
 mod/wiki/db/migration/wiki/ewiki/ewiki.php | 12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/mod/wiki/db/migration/wiki/ewiki/ewiki.php b/mod/wiki/db/migration/wiki/ewiki/ewiki.php
index 2223857..aca01d4 100644
--- a/mod/wiki/db/migration/wiki/ewiki/ewiki.php
+++ b/mod/wiki/db/migration/wiki/ewiki/ewiki.php
@@ -3454,7 +3454,7 @@ function ewiki_database_mysql($action, &$args, $sw1, $sw2) {
 the $args array.
 */
 case "GET":
- $id = "'" . mysql_escape_string($args["id"]) . "'";
+ $id = "'" . mysql_real_escape_string($args["id"]) . "'";
 ($version = 0 + @$args["version"]) and ($version = "AND (version=$version)") or ($version="");
 $result = mysql_query("SELECT * FROM " . EWIKI_DB_TABLE_NAME . " WHERE (pagename=$id) $version ORDER BY version DESC LIMIT 1"
@@ -3474,7 +3474,7 @@ function ewiki_database_mysql($action, &$args, $sw1, $sw2) {
 with "id" index key.
 */
 case "HIT":
- mysql_query("UPDATE " . EWIKI_DB_TABLE_NAME . " SET hits=(hits+1) WHERE pagename='" . mysql_escape_string($args["id"]) . "'");
+ mysql_query("UPDATE " . EWIKI_DB_TABLE_NAME . " SET hits=(hits+1) WHERE pagename='" . mysql_real_escape_string($args["id"]) . "'");
 break;
@@ -3501,7 +3501,7 @@ function ewiki_database_mysql($action, &$args, $sw1, $sw2) {
 }
 $a = ($sql1 ? ', ' : '');
 $sql1 .= $a . $index;
- $sql2 .= $a . "'" . mysql_escape_string($value) . "'";
+ $sql2 .= $a . "'" . mysql_real_escape_string($value) . "'";
 }
 strlen(@$COMMAND) || ($COMMAND = "INSERT");
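Review bot: The escaping on the added `$id` line depends on an open default ext/mysql link: with no connection established, mysql_real_escape_string() emits a warning and returns false, so `$id` silently becomes `''` and the SELECT looks up the empty page name instead of failing loudly. If ewiki keeps its connection handle anywhere (not visible in this hunk), pass it explicitly, `mysql_real_escape_string($args["id"], $link)`; otherwise at least record the dependency above the line, `// requires the default mysql link to be open; escaping uses its charset`. `$version` is already coerced with `0 +`, so the page name is the only operand that needs this care here. The GET case body continues past the end of the hunk.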
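Review bot: The return value of mysql_query() on the rewritten UPDATE is discarded, so a failed hit-counter update (lost link, missing table, or escaping returning false because no link is open) passes without any trace. That is defensible for a statistics counter, but it should be stated rather than left implicit, e.g. `// best-effort: a failed hit-counter UPDATE is deliberately ignored` above the call. Note that in the no-link case the statement degrades to `pagename=''`, which is very unlikely to match a real page, so nothing is corrupted, only lost.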
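Review bot: Only the value on the changed `$sql2` line is escaped; the column name on `$sql1 .= $a . $index;` is still interpolated verbatim, and mysql_real_escape_string() offers no protection for identifiers. If any caller can influence the keys of `$args` (the `foreach` and the id-to-pagename remapping start above the hunk, out of view), the INSERT/REPLACE column list remains an injection point regardless of this fix. A cheap syntactic guard before the `$a = ...` line, `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $index)) { continue; }`, closes it without having to know the schema; a whitelist of the real column names would be stricter still.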
@@ -3526,7 +3526,7 @@ function ewiki_database_mysql($action, &$args, $sw1, $sw2) {
 foreach (array_values($args) as $id) if (strlen($id)) {
 $r[$id] = 0;
 $sql .= ($sql ? " OR " : "") .
- "(pagename='" . mysql_escape_string($id) . "')";
+ "(pagename='" . mysql_real_escape_string($id) . "')";
 }
 $result = mysql_query($sql = "SELECT pagename AS id, meta FROM " . EWIKI_DB_TABLE_NAME . " WHERE $sql "
@@ -3574,7 +3574,7 @@ function ewiki_database_mysql($action, &$args, $sw1, $sw2) {
 $result = mysql_query("SELECT pagename AS id, version, flags" . (EWIKI_DBQUERY_BUFFER && ($field!="pagename") ? ", $field" : "") . " FROM " . EWIKI_DB_TABLE_NAME .
- " WHERE LOCATE('" . mysql_escape_string($content) . "', LCASE($field)) " .
+ " WHERE LOCATE('" . mysql_real_escape_string($content) . "', LCASE($field)) " .
 " GROUP BY id, version DESC" );
 $r = new ewiki_dbquery_result(array("id","version",$field));
@@ -3591,7 +3591,7 @@ function ewiki_database_mysql($action, &$args, $sw1, $sw2) {
 case "DELETE":
- $id = mysql_escape_string($args["id"]);
+ $id = mysql_real_escape_string($args["id"]);
 $version = $args["version"];
 mysql_query("DELETE FROM " . EWIKI_DB_TABLE_NAME ." WHERE pagename='$id' AND version=$version");
-- 
1.7.3.1.msysgit.0
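Review bot: When every id in `$args` is an empty string the `if (strlen($id))` guard skips them all, `$sql` stays `""`, and the query built on the last line still runs with an empty `WHERE` clause, which is malformed SQL and a failed mysql_query(). Unless callers guarantee at least one non-empty id (not visible here), return the empty result before issuing the query, e.g. `if ($sql === "") { return($r); }` placed after the closing `}` of the loop, assuming `$r` is initialised as an empty array above the hunk. The rest of the statement and the result handling lie outside the hunk.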
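Review bot: Escaping `$content` on the changed line closes the string-literal breakout, but `$field` is still interpolated unescaped as an identifier both in the SELECT list (`", $field"`) and in `LCASE($field)`; mysql_real_escape_string() cannot be applied to identifiers, so `$field` needs validating against the searchable columns where it is derived (above this hunk, out of view), or the statement stays attacker-shapeable if it originates from a request parameter. A minimal guard near the top of the SEARCH case is `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $field)) { break; }`, with a whitelist being preferable. Separately, the haystack is lower-cased with LCASE() while the needle is not; under a binary collation a `$content` containing upper-case characters can never match, so unless it is lower-cased earlier (not visible), use `strtolower($content)` inside the escape call.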
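Review bot: `$version = $args["version"];` directly after the changed line is still interpolated unquoted and unescaped into `AND version=$version`, so the commit hardens the page name but leaves the version operand of the DELETE as an injection point; an empty value also yields `version=` and a syntax error rather than a no-op. Coerce it to an integer the way the GET case does, `$version = 0 + @$args["version"];` (or `(int)$args["version"]`), so only a number can ever reach the statement. The DELETE case may continue past the end of the hunk.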