We should escape the table name as well.
authorMichael <heluecht@pirati.ca>
Fri, 28 Apr 2017 04:05:50 +0000 (04:05 +0000)
committerMichael <heluecht@pirati.ca>
Fri, 28 Apr 2017 04:05:50 +0000 (04:05 +0000)
include/dba.php

index 7e9979cf9ece0957a80b393cf4711ab2e9e9d2ff..5a93338a1a61040da74fd1a9e428573e388fe71c 100644 (file)
@@ -456,7 +456,7 @@ class dba {
                        if (is_int($args[$param]) OR is_float($args[$param])) {
                                $replace = intval($args[$param]);
                        } else {
-                               $replace = "'".dbesc($args[$param])."'";
+                               $replace = "'".self::$dbo->escape($args[$param])."'";
                        }
 
                        $pos = strpos($sql, '?', $offset);
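Review bot: A float argument is silently truncated on the `$replace = intval($args[$param]);` line, because the branch on the line above treats `is_float` exactly like `is_int`; a value such as 1.5 is bound as 1 without any error. Only integers should take the bare-literal path, and floats need their own representation, e.g. `if (is_int($args[$param])) { $replace = intval($args[$param]); } elseif (is_float($args[$param])) { $replace = sprintf('%F', $args[$param]); }` (locale-independent), with the existing quoted-string branch as the `else`. The swap to `self::$dbo->escape()` on the added line presumably assumes `self::$dbo` is already connected at this point; a null there would fatal rather than fall back. The enclosing function starts and ends outside this hunk.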
@@ -738,7 +738,7 @@ class dba {
         * @return boolean was the insert successfull?
         */
        static public function insert($table, $param) {
-               $sql = "INSERT INTO `".$table."` (`".implode("`, `", array_keys($param))."`) VALUES (".
+               $sql = "INSERT INTO `".self::$dbo->escape($table)."` (`".implode("`, `", array_keys($param))."`) VALUES (".
                        substr(str_repeat("?, ", count($param)), 0, -2).");";
 
                $sql = self::replace_parameters($sql, $param);
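Review bot: The added `self::$dbo->escape($table)` is placed inside backtick identifier quotes, but if `escape()` is the driver's string-literal escaper (mysqli_real_escape_string style) it neutralises quotes and backslashes and leaves backticks untouched, so it does not actually protect the identifier position the commit title targets. MySQL identifiers are escaped by doubling any backtick in the name (str_replace with a single backtick as the search string and two backticks as the replacement), and that needs to apply to the column names from `array_keys($param)` on the same line as well, which the commit leaves unescaped; a small private helper such as `private static function quote_identifier($name)` returning the backtick-wrapped, backtick-doubled name, used for `$table` and via `array_map` for the keys, would make both consistent. Whether callers ever pass untrusted table or column names is not visible here, but the two identifier kinds should at least be treated the same way. `insert()` continues past the end of this hunk.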