From d38fe0e5cab4a7efaba8a79a22a85b0e67817441 Mon Sep 17 00:00:00 2001
From: "terry%mozilla.org" <>
Date: Wed, 8 Mar 2000 02:22:41 +0000
Subject: Patch by Brian Duggan <bduggan@oven.com> -- security improvements.

---
 reports.cgi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'reports.cgi')

diff --git a/reports.cgi b/reports.cgi
index 6c8ededcf..805de8da9 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -206,7 +206,7 @@ and    bugs.reporter = report.userid
 FIN
 
 	if( $::FORM{'product'} ne "-All-" ) {
-		$query .= "and    bugs.product='$::FORM{'product'}'";
+		$query .= "and    bugs.product=".SqlQuote($::FORM{'product'});
 	}
 
 	$query .= <<FIN;
@@ -572,7 +572,7 @@ sub most_doomed_for_milestone
 	my $query;
 	$query = "select distinct assigned_to from bugs where target_milestone=\"$ms\"";
 	if( $::FORM{'product'} ne "-All-" ) {
-		$query .= "and    bugs.product='$::FORM{'product'}'";
+		$query .= "and    bugs.product=".SqlQuote($::FORM{'product'});
 	}
 	$query .= <<FIN;
 and 	 
@@ -600,7 +600,7 @@ FIN
                 {
                 my $query = "select count(bug_id) from bugs,profiles where target_milestone=\"$ms\" and userid=assigned_to and userid=\"$person\"";
 	        if( $::FORM{'product'} ne "-All-" ) {
-                    $query .= "and    bugs.product='$::FORM{'product'}'";
+                    $query .= "and    bugs.product=".SqlQuote($::FORM{'product'})";
                     }
 	        $query .= <<FIN;
 and 	 
@@ -696,7 +696,7 @@ sub most_recently_doomed
 	my $query;
         $query = "select distinct assigned_to from bugs where bugs.bug_status='NEW' and target_milestone='' and bug_severity!='enhancement' and status_whiteboard='' and (product='Browser' or product='MailNews')";
 	if( $::FORM{'product'} ne "-All-" ) {
-		$query .= "and    bugs.product='$::FORM{'product'}'";
+		$query .= "and    bugs.product=".SqlQuote($::FORM{'product'});
 	}
 
 # End build up $query string
-- 
cgit v1.2.3-24-g4f1b