From 34a0902089a410d1f7dda78d1f8b0771333c09df Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 12 Sep 2014 08:37:51 -0400
Subject: [PATCH] Use consistent column/table quoting in sql queries

---
 plugins/squirrelmail_usercopy/squirrelmail_usercopy.php |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/plugins/squirrelmail_usercopy/squirrelmail_usercopy.php b/plugins/squirrelmail_usercopy/squirrelmail_usercopy.php
index e882a2f..7f37867 100644
--- a/plugins/squirrelmail_usercopy/squirrelmail_usercopy.php
+++ b/plugins/squirrelmail_usercopy/squirrelmail_usercopy.php
@@ -164,14 +164,16 @@
 			if ($db_charset)
 				$db->query('SET NAMES '.$db_charset);
 
-			$sql_result = $db->query('SELECT * FROM '.$userprefs_table.' WHERE user=?', $uname); // ? is replaced with emailaddress
+			$sql_result = $db->query('SELECT * FROM ' . $db->quote_identifier($userprefs_table)
+			    .' WHERE `user` = ?', $uname); // ? is replaced with emailaddress
 
 			while ($sql_array = $db->fetch_assoc($sql_result) ) { // fetch one row from result
 				$this->prefs[$sql_array['prefkey']] = rcube_charset::convert(rtrim($sql_array['prefval']), $db_charset);
 			}
 
 			/* retrieve address table data */
-			$sql_result = $db->query('SELECT * FROM '.$address_table.' WHERE owner=?', $uname); // ? is replaced with emailaddress
+			$sql_result = $db->query('SELECT * FROM ' . $db->quote_identifier($address_table)
+			    .' WHERE `owner` = ?', $uname); // ? is replaced with emailaddress
 
 			// parse addres book
 			while ($sql_array = $db->fetch_assoc($sql_result) ) { // fetch one row from result
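Review bot: The `SET NAMES` statement at the top of this hunk still concatenates `$db_charset` into the query text without quoting or validation, so the quoting cleanup leaves one raw interpolation in place. Where `$db_charset` is assigned is outside the hunk; if it comes from plugin configuration, a guard such as `if ($db_charset && preg_match('/^[A-Za-z0-9_]+$/', $db_charset))` would keep a malformed value out of the SQL. Separately, the table names go through `$db->quote_identifier()` while the `user` and `owner` columns use hard-coded backticks, which is portable only if the database layer rewrites backticks per driver (not visible here). Calling `quote_identifier()` for the columns as well would make that explicit. The enclosing method begins before the hunk and the address-book loop continues past it.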
@@ -186,5 +188,4 @@
 			}
 		} // end if 'sql'-driver
 	}
-
 }

--
Gitblit v1.9.1