From baf5dda4cc07aa35eb9e41dda90aee0d2cdecf23 Mon Sep 17 00:00:00 2001
From: Sergio Cambra <sergio@programatica.es>
Date: Tue, 08 Jul 2014 09:53:13 -0400
Subject: [PATCH] fix escaping in sql query
---
interface/lib/classes/remoting.inc.php | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php
index cbe693f..f42d22b 100644
--- a/interface/lib/classes/remoting.inc.php
+++ b/interface/lib/classes/remoting.inc.php
@@ -180,8 +180,11 @@
$session_id = $app->db->quote($session_id);
$sql = "DELETE FROM remote_session WHERE remote_session = '$session_id'";
- $app->db->query($sql);
- return $app->db->affectedRows() == 1;
+ if($app->db->query($sql) != false) {
+ return true;
+ } else {
+ return false;
+ }
}
//** protected functions -----------------------------------------------------------------------------------
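Review bot: The new return value in the session-delete path no longer tells the caller whether a session row was actually removed: `query($sql) != false` is true for any DELETE that executes, including one that matches no row, whereas the removed `affectedRows() == 1` check was false for an unknown session id. If callers or audit logs rely on this result to tell a real logout from an invalid session id, keep the row count in the condition; if the change is intended, the if/else can be written as `return $app->db->query($sql) !== false;`, which also stops the loose `!=` from treating a falsy non-false return as failure. The query is still built by interpolating `$session_id` after `$app->db->quote()`, so its safety rests on that helper, whose behaviour is not visible here. The enclosing function starts outside the hunk.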
@@ -337,6 +340,10 @@
//* Load the form definition
$app->remoting_lib->loadFormDef($formdef_file);
+
+ //* get old record and merge with params, so only new values have to be set in $params
+ $old_rec = $app->remoting_lib->getDataRecord($primary_id);
+ $params = $app->functions->array_merge($old_rec,$params);
//* Get the SQL query
$sql = $app->remoting_lib->getSQL($params, 'UPDATE', $primary_id);
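Review bot: The result of `getDataRecord($primary_id)` is passed straight into `array_merge` without checking that a record was found, so an unknown `$primary_id` would presumably merge a non-array value into `$params` and carry on to `getSQL`. A guard before the merge, such as `if(!is_array($old_rec)) return false;` or the file's usual error path, would stop the update there. The merge also feeds every stored column back into the UPDATE, including ones the remote caller did not send; if the form definition re-encodes fields such as passwords on save, the stored value may be encoded a second time, so it is worth confirming that `getSQL` leaves unchanged fields alone. The enclosing function starts and ends outside the hunk.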
--
Gitblit v1.9.1