$duedate = date2sql($due_date);
$sql = "INSERT INTO ".TB_PREF."dimensions (reference, name, type_, date_, due_date)
- VALUES ('$reference', '$name', $type_, '$date', '$duedate')";
+ VALUES (".db_escape($reference).", ".db_escape($name).", $type_, '$date', '$duedate')";
db_query($sql, "could not add dimension");
$id = db_insert_id();
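Review bot: `$type_` is still interpolated into the INSERT unquoted and unescaped, so the statement stays injectable through that parameter if a caller can pass non-numeric text; the same applies to `type_ = $type_` in the UPDATE hunk that follows. Treat it like the neighbouring fields with `db_escape($type_)`, or, if the column is numeric (not visible here), cast it with `(int)$type_` before building the string. `$date` and `$duedate` are quoted but depend on `date2sql()` returning a safe string, which this page does not show, so confirm that or escape them as well. Both enclosing functions begin and end outside the visible hunks, so any validation done earlier on these arguments cannot be seen from here.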
$date = date2sql($date_);
$duedate = date2sql($due_date);
- $sql = "UPDATE ".TB_PREF."dimensions SET name='$name',
+ $sql = "UPDATE ".TB_PREF."dimensions SET name=".db_escape($name).",
type_ = $type_,
date_='$date',
due_date='$duedate'