From f549379e318d300e1d7188acdcc16d731b245bf7 Mon Sep 17 00:00:00 2001
From: Sarah Hoffmann
Date: Sat, 2 May 2020 23:01:27 +0200
Subject: [PATCH] properly escape class parameter

The class parameter was used as is, allowing for potential SQL injection via the API. Thanks to @bladeswords for finding this.
---
 website/details.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/details.php b/website/details.php
index c9e86312..6b75e73b 100755
--- a/website/details.php
+++ b/website/details.php
@@ -37,7 +37,7 @@ if ($sOsmType && $iOsmId > 0) {
 );
 // osm_type and osm_id are not unique enough
 if ($sClass) {
- $sSQL .= " AND class='".$sClass."'";
+ $sSQL .= " AND class='".pg_escape_string($sClass)."'";
 }
 $sSQL .= ' ORDER BY class ASC';
 $sPlaceId = chksql($oDB->getOne($sSQL));
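Review bot: The added line calls `pg_escape_string($sClass)` without a connection handle, so the escaping follows whichever pgsql connection was opened last, and if `$oDB` does not open its connection through `pg_connect` the call falls back to a connection-less escape (with a notice) that cannot account for the client encoding in use. Passing the wrapper's connection resource, or using the wrapper's own quoting helper if it has one, keeps the escaping tied to the real connection; binding the value as a query parameter instead of interpolating it into `$sSQL` would remove the quoting question entirely, if `$oDB->getOne()` supports bound parameters. Since `class` holds OSM tag keys, an additional syntactic check on `$sClass` before it reaches the query (rejecting anything outside the expected key character set) would be cheap defence in depth. The enclosing `if ($sOsmType && $iOsmId > 0)` block and the statement that builds the first part of `$sSQL` begin before the hunk, so it is worth confirming those earlier fragments do not interpolate their inputs the same way.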