Adding database::escape_string not sure if api_get_course_id() is completly clean

15 years ago · 918f21be6a
parent 917205c514
commit 918f21be6a
1 changed files with 1 additions and 1 deletions
--- a/main/inc/lib/notebook.lib.php
+++ b/main/inc/lib/notebook.lib.php
@ -107,7 +107,7 @@ class NotebookManager

 		$sql = "UPDATE $t_notebook SET
 					user_id = '".api_get_user_id()."',
-					course = '".api_get_course_id()."',
+					course = '".Database::escape_string(api_get_course_id())."',
 					session_id = '".Database::escape_string($_SESSION['id_session'])."',
 					title = '".Database::escape_string($values['note_title'])."',
 					description = '".Database::escape_string($values['note_comment'])."',