From e1ceb050e19c7574bca146a8da7047ee4ff456b5 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Sun, 10 Jul 2016 05:02:35 -0400
Subject: [PATCH] Merge branch 'stable-3.1'

---
 interface/lib/classes/remoting_lib.inc.php | 12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/interface/lib/classes/remoting_lib.inc.php b/interface/lib/classes/remoting_lib.inc.php
index a2e3988..e697810 100644
--- a/interface/lib/classes/remoting_lib.inc.php
+++ b/interface/lib/classes/remoting_lib.inc.php
@@ -98,6 +98,7 @@
 unset($form);
 $this->dateformat = $app->lng('conf_format_dateshort');
+$this->datetimeformat = $app->lng('conf_format_datetime');
 return true;
 }
@@ -238,22 +239,23 @@
 $sql_offset = 0;
 $sql_limit = 0;
 $sql_where = '';
+$params = array($this->formDef['db_table']);
 foreach($primary_id as $key => $val) {
-$key = $app->db->quote($key);
-$val = $app->db->quote($val);
 if($key == '#OFFSET#') $sql_offset = $app->functions->intval($val);
 elseif($key == '#LIMIT#') $sql_limit = $app->functions->intval($val);
 elseif(stristr($val, '%')) {
-$sql_where .= "$key like '$val' AND ";
+$sql_where .= "?? like ? AND ";
 } else {
-$sql_where .= "$key = '$val' AND ";
+$sql_where .= "?? = ? AND ";
 }
+$params[] = $key;
+$params[] = $val;
 }
 $sql_where = substr($sql_where, 0, -5);
 if($sql_where == '') $sql_where = '1';
 $sql = "SELECT * FROM ?? WHERE ".$sql_where. " AND " . $this->getAuthSQL('r', $this->formDef['db_table']);
 if($sql_offset >= 0 && $sql_limit > 0) $sql .= ' LIMIT ' . $sql_offset . ',' . $sql_limit;
-return $app->db->queryAllRecords($sql, $this->formDef['db_table']);
+return $app->db->queryAllRecords($sql, true, $params);
 } else {
 $this->errorMessage = 'The ID must be either an integer or an array.';
 return array();
-- 
Gitblit v1.9.1
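Review bot: In the second hunk the added `$params[] = $key; $params[] = $val;` run on every iteration of the foreach, but the `#OFFSET#` and `#LIMIT#` branches append no `?? = ?` fragment to `$sql_where`, so a `$primary_id` that carries either key produces more bound values than placeholders; how `queryAllRecords` pairs a surplus is not visible here, but at best the offset/limit values are silently bound to the wrong columns and at worst the query is rejected. Either move the two appends into the `like` and `=` branches, or let the first two branches skip the rest of the iteration, e.g. `if($key == '#OFFSET#') { $sql_offset = $app->functions->intval($val); continue; }` and the same for `#LIMIT#`. Replacing the interpolated `$key`/`$val` with the `??` identifier and `?` value placeholders is the right fix for caller-controlled filter input, since quoting is now delegated to the db layer rather than done by string concatenation. Note that the `$this->getAuthSQL('r', ...)` fragment is still concatenated into `$sql` as a plain string, so the query's safety also rests on that helper, which is outside this hunk. The enclosing method starts and ends outside the hunk.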