$sql = "UPDATE `{?_MYSQL_PREFIX?}_sponsor_data` SET";
foreach ($postData as $key => $value) {
// Mmmmm, too less security here???
- $sql .= " `".secureString($key)."`='%s',";
+ $sql .= " `" . secureString($key) . "`='%s',";
// We will secure this later inside the SQL_QUERY_ESC() function
$DATA[] = secureString($value);
$sql = substr($sql, 0, -1);
// Add SQL tail data
- $sql .= " WHERE `id`=%s AND password='%s' LIMIT 1";
+ $sql .= " WHERE `id`=%s AND `password`='%s' LIMIT 1";
$DATA[] = bigintval(getSession('sponsorid'));
$DATA[] = getSession('sponsorpass');
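Review bot: The new line still places each `$postData` key directly into identifier position inside backticks, and `secureString()` is being used to guard a value context, not an identifier context — if a key can contain a backtick the caller can close the identifier and append arbitrary SQL, which is exactly what the "too less security here???" comment above it admits; the commit only reformats the line. Since the values are already deferred to `%s` placeholders for `SQL_QUERY_ESC()`, the keys should be validated against an explicit allow-list of `sponsor_data` column names before the concatenation, e.g. `if (!in_array($key, $allowedColumns, true)) { continue; }` as the first statement of the loop (where `$allowedColumns` is a fixed array of the updatable columns). Whether `$postData` is raw request input or already filtered is not visible here, so confirm against the caller before relying on the existing escaping. The foreach and the enclosing function continue outside the hunk (the loop's closing brace is not shown between lines 7 and 8).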