From f143f356a9ac864b360e19bc981b9b600c971b60 Mon Sep 17 00:00:00 2001 From: Janusz Dobrowolski Date: Thu, 22 Oct 2009 11:32:33 +0000 Subject: [PATCH] Fixed double db_escape in add/update. --- dimensions/includes/dimensions_db.inc | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/dimensions/includes/dimensions_db.inc b/dimensions/includes/dimensions_db.inc index 5e027516..8d7b0c10 100644 --- a/dimensions/includes/dimensions_db.inc +++ b/dimensions/includes/dimensions_db.inc @@ -15,9 +15,12 @@ function add_dimension($reference, $name, $type_, $date_, $due_date, $memo_) begin_transaction(); + $date = date2sql($date_); + $duedate = date2sql($due_date); + $sql = "INSERT INTO ".TB_PREF."dimensions (reference, name, type_, date_, due_date) VALUES (".db_escape($reference).", ".db_escape($name).", ".db_escape($type_) - .", ".db_escape($date_).", ".db_escape($due_date).")"; + .", '$date_', '$due_date')"; db_query($sql, "could not add dimension"); $id = db_insert_id(); @@ -35,10 +38,13 @@ function update_dimension($id, $name, $type_, $date_, $due_date, $memo_) { begin_transaction(); + $date = date2sql($date_); + $duedate = date2sql($due_date); + $sql = "UPDATE ".TB_PREF."dimensions SET name=".db_escape($name).", type_ = ".db_escape($type_).", - date_=".db_escape($date_).", - due_date=".db_escape($due_date)." + date_='$date_', + due_date='$due_date' WHERE id = ".db_escape($id); db_query($sql, "could not update dimension"); -- 2.30.2
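Review bot: In add_dimension the new VALUES line interpolates the raw parameters `'$date_'` and `'$due_date'`, so the `$date`/`$duedate` values computed by date2sql() just above are never used and the two date fields now reach the query with no escaping at all; update_dimension's `date_='$date_'` and `due_date='$due_date'` have the same problem. If either parameter can carry user-supplied text, a quote in it ends the SQL string literal early, and the date is presumably also stored in its display format rather than the SQL format. Use the converted values and keep them escaped, assuming db_escape() adds its own quotes as the neighbouring columns suggest: `.", ".db_escape($date).", ".db_escape($duedate).")";` in the INSERT and `date_=".db_escape($date).",` / `due_date=".db_escape($duedate)."` in the UPDATE. Both function bodies continue outside the hunks shown.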