From f986a3c5d914c5cfd62b61366202026331f75d0a Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Mon, 25 Aug 2014 17:16:27 +0200
Subject: [PATCH] - another regexp fix for sql injection detection

---
 interface/lib/classes/db_mysql.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
index 6609ec94e..bcf1b008a 100644
--- a/interface/lib/classes/db_mysql.inc.php
+++ b/interface/lib/classes/db_mysql.inc.php
@@ -138,7 +138,8 @@ class db extends mysqli
 				$chars = array(';', '#', '/*', '*/', '--', ' UNION ', '\\\'', '\\"');
 		
 				$string = str_replace('\\\\', '', $string);
-				$string = preg_replace('/(^|[^\\\])([\'"])(.*?[^\\\]?)\\2/is', '$1', $string);
+				$string = preg_replace('/(^|[^\\\])([\'"])\\2/is', '$1', $string);
+				$string = preg_replace('/(^|[^\\\])([\'"])(.*?[^\\\])\\2/is', '$1', $string);
 				$ok = true;
 
 				if(substr_count($string, "`") % 2 != 0 || substr_count($string, "'") % 2 != 0 || substr_count($string, '"') % 2 != 0) {
-- 
GitLab