From 731ecac5306f6463cc98006091dd95fad2b81cc5 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sun, 3 Dec 2017 09:06:43 +0300
Subject: [PATCH] completeLabels: use prepare() not query()
---
 classes/rpc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/rpc.php b/classes/rpc.php
index dd592b4d..cc036736 100755
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -334,7 +334,7 @@ class RPC extends Handler_Protected {
 function completeLabels() {
 $search = $_REQUEST["search"];
- $sth = $this->pdo->query("SELECT DISTINCT caption FROM
+ $sth = $this->pdo->prepare("SELECT DISTINCT caption FROM
 ttrss_labels2 WHERE owner_uid = ? AND LOWER(caption) LIKE LOWER(?) ORDER BY caption
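Review bot: `$search` is read straight from `$_REQUEST["search"]` two lines above the changed statement with no presence or type check, so a missing parameter raises an undefined-index notice and an array value (`search[]=x`) would presumably be stringified into the LIKE pattern; consider `$search = isset($_REQUEST["search"]) && is_string($_REQUEST["search"]) ? $_REQUEST["search"] : "";`. The `execute()` call that binds the two `?` placeholders falls outside this hunk, so it cannot be confirmed from here that both `owner_uid` and the pattern are passed as bound values rather than concatenated. If the pattern is built by wrapping `$search` in `%`, any `%` or `_` typed by the user still acts as a LIKE wildcard; that is not injection, but it is worth escaping or noting in a comment above the query. completeLabels() continues past the end of the hunk.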