properly escape class parameter

The class parameter was used as is, allowing for potential
SQL injection via the API.

Thanks to @bladeswords for finding this.

diff --git a/website/details.php b/website/details.php
index c9e86312c9cc63a8c9da6954db45b214c9adff4e..6b75e73b9aafd4864a60a6ea193e0481eba7070c 100755 (executable)
--- a/website/details.php
+++ b/website/details.php
@@ -37,7 +37,7 @@ if ($sOsmType && $iOsmId > 0) {
     );
     // osm_type and osm_id are not unique enough
     if ($sClass) {
-        $sSQL .= " AND class='".$sClass."'";
+        $sSQL .= " AND class='".pg_escape_string($sClass)."'";
     }
     $sSQL .= ' ORDER BY class ASC';
     $sPlaceId = chksql($oDB->getOne($sSQL));