From d82fa1fc19c054ff8d11ddc7385cc58c1b2822ce Mon Sep 17 00:00:00 2001
From: marcus
Date: Wed, 1 Oct 2008 10:07:09 +0000
Subject: Fixes #395
git-svn-id: https://code.elgg.org/elgg/trunk@2157 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/database.php | 13 +++++++++++++
 engine/lib/install.php | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
(limited to 'engine')
diff --git a/engine/lib/database.php b/engine/lib/database.php
index f1b4a5871..0ac5eba65 100644
--- a/engine/lib/database.php
+++ b/engine/lib/database.php
@@ -480,6 +480,19 @@
 return false;
 return true;
+ }
+
+ /**
+ * Sanitise a string for database use, but with the option of escaping extra characters.
+ */
+ function sanitise_string_special($string, $extra_escapeable = '')
+ {
+ $string = sanitise_string($string);
+
+ for ($n = 0; $n < strlen($extra_escapeable); $n++)
+ $string = str_replace($extra_escapeable[$n], "\\" . $extra_escapeable[$n], $string);
+
+ return $string;
 }
 /**
diff --git a/engine/lib/install.php b/engine/lib/install.php
index be88f473f..d24a8b120 100644
--- a/engine/lib/install.php
+++ b/engine/lib/install.php
@@ -106,7 +106,7 @@
 if (!$file) return false;
 foreach ($vars as $k => $v)
- $file = str_replace("{{".$k."}}", $v, $file);
+ $file = str_replace("{{".$k."}}", sanitise_string_special($v, '$'), $file);
 return $file;
 }
-- 
cgit v1.2.3
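Review bot: In `sanitise_string_special` the loop runs after `sanitise_string()` and prefixes every occurrence of each listed character, so any character that `sanitise_string()` already escapes (if, as its name suggests, it handles quotes and backslashes — its body is outside this hunk) would end up escaped twice, and a `\` in `$extra_escapeable` would also re-escape the backslashes the loop itself inserts. The new docblock does not say which characters may be passed; I would add `@param string $string The value to escape` and `@param string $extra_escapeable Extra characters to backslash-escape; must not overlap with what sanitise_string() already escapes, or they are double-escaped`. Indexing with `$extra_escapeable[$n]` under `strlen()` walks bytes, so only single-byte characters work here, which the docblock should state as well. The `strlen()` call is re-evaluated on every iteration; hoisting it as `$len = strlen($extra_escapeable);` before the loop is clearer.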
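Review bot: Every template value is now passed through `sanitise_string_special()`, whose docblock describes it as sanitising for database use, yet the result is substituted into a file template rather than a query, so database escaping rules are applied in a context that, judging by the `'$'` argument, only needed `$` escaped. A value containing a quote or a backslash will reach the generated file in its database-escaped form; whether that is correct depends on how the template quotes the `{{...}}` placeholder, which this hunk does not show and which I cannot verify. I would record the intent next to the call so the coupling is not lost later: `// values get database escaping plus '$' escaping before substitution into the template`. The enclosing function starts outside this hunk.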