Hello.
ct_sql.inc is wrong. You are assuming that $id is always going to be 'safe', and basically it isn't.
Function ac_store (and others) that take $id as input should use addslashes, or the Postgres equivalent of addslashes.
Regards,
g0tai
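An added illustration of the point above (example code, not ct_sql.inc or any code from the project): the table, the columns, the $conn handle and the function bodies are assumptions. It shows the interpolated-$id shape the comment objects to, the escaping fix using the Postgres counterpart of addslashes (pg_escape_literal, which, unlike addslashes, quotes according to the connection's encoding and standard_conforming_strings setting), and the parameterised form that keeps $id out of the SQL text altogether.

```php
<?php
// Added example, not ct_sql.inc. Table "accounts", columns "id"/"data"
// and the $conn pg connection resource are assumptions.

// Vulnerable shape: $id is dropped into the query verbatim, so it is only
// "safe" if every caller happens to pass a clean value.
function ac_store_vulnerable($conn, $id, $value)
{
    $sql = "UPDATE accounts SET data = '$value' WHERE id = '$id'";
    // With $id = "1' OR '1'='1" this becomes
    //   ... WHERE id = '1' OR '1'='1'
    // and every row in the table is updated.
    return pg_query($conn, $sql);
}

// Escaping fix: pg_escape_literal returns the value already wrapped in
// single quotes and escaped for this connection's encoding.
function ac_store_escaped($conn, $id, $value)
{
    $sql = "UPDATE accounts SET data = " . pg_escape_literal($conn, $value)
         . " WHERE id = " . pg_escape_literal($conn, $id);
    return pg_query($conn, $sql);
}

// Parameterised fix: the values are sent separately from the statement,
// so no quoting of $id or $value is needed at all.
function ac_store_param($conn, $id, $value)
{
    return pg_query_params(
        $conn,
        'UPDATE accounts SET data = $1 WHERE id = $2',
        array($value, $id)
    );
}

// If id is an integer column, reject anything non-numeric before it gets
// anywhere near the database.
function ac_store_int($conn, $id, $value)
{
    if (!ctype_digit((string) $id)) {
        return false;
    }
    return ac_store_param($conn, (int) $id, $value);
}
```

addslashes only backslash-escapes quotes and NUL bytes; it knows nothing about the server's string-literal rules, which is why the Postgres-aware pg_escape_literal (or pg_escape_string for the unquoted form) is the equivalent to reach for, and pg_query_params removes the quoting question entirely.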