From a8418afdebe92dde495bc5010645779c73939b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Wed, 8 Oct 2014 21:49:25 -0400
Subject: [PATCH] Add Mysql escaping
---
 app/Schema/Mysql.php | 4 ++--
 vendor/PicoDb/Table.php | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/Schema/Mysql.php b/app/Schema/Mysql.php
index ab618635a..c7293a434 100644
--- a/app/Schema/Mysql.php
+++ b/app/Schema/Mysql.php
@@ -22,8 +22,8 @@ function version_29($pdo)
 {
 $pdo->exec("
 CREATE TABLE settings (
- option VARCHAR(100) PRIMARY KEY,
- value VARCHAR(255) DEFAULT ''
+ `option` VARCHAR(100) PRIMARY KEY,
+ `value` VARCHAR(255) DEFAULT ''
 )
 ");
 
diff --git a/vendor/PicoDb/Table.php b/vendor/PicoDb/Table.php
index f13b4e110..9c6bf4f91 100644
--- a/vendor/PicoDb/Table.php
+++ b/vendor/PicoDb/Table.php
@@ -173,6 +173,10 @@ class Table
 
 public function buildSelectQuery()
 {
+ foreach ($this->columns as $key => $value) {
+ $this->columns[$key] = $this->db->escapeIdentifier($value);
+ }
+
 return sprintf(
 'SELECT %s %s FROM %s %s %s %s %s %s %s',
 $this->distinct ? 'DISTINCT' : '',
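Review bot: The backtick-quoted column names in version_29's `CREATE TABLE settings` carry no comment saying why they are quoted, so a later edit could drop the quoting again. I would add `// "option" is a reserved word in MySQL; keep both column names backtick-quoted` above the `$pdo->exec("` call. Any later statement against `settings` that names these columns (none is visible in this hunk) should be checked for the same unquoted identifiers. version_29 starts and ends outside the hunk.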
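Review bot: The added loop in buildSelectQuery() writes the escaped names back into `$this->columns`, so building the query now mutates the Table object; a second call on the same instance escapes names that are already escaped, which, depending on what `escapeIdentifier()` does (not visible here), may produce a broken identifier. Escaping into a local, `$columns = array_map(array($this->db, 'escapeIdentifier'), $this->columns);`, and using `$columns` in the `sprintf()` arguments keeps the call idempotent; those arguments lie past the end of the hunk, as does the rest of the method body. It is also worth confirming that `escapeIdentifier()` leaves `*`, qualified names and expressions such as `COUNT(*)` usable and neutralises the quote character inside a name, since identifier quoting does not replace allow-listing column names that originate from request input. Because the file sits under vendor/, the change should also be sent to upstream PicoDb or it will be lost on the next library update.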