From 445b59b99a1bad06041dadfd4aeeb452da155c1e Mon Sep 17 00:00:00 2001
From: Koen Reefman
Date: Thu, 17 Aug 2017 07:33:07 +0000
Subject: [PATCH] PNBR#41284 SQL-injection voorkomen
svn path=/Website/trunk/; revision=34970
---
 APPL/FAC/fac_edit_faq.asp | 12 ++++++------
 APPL/FAC/fac_show_faq.asp | 6 +++---
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/APPL/FAC/fac_edit_faq.asp b/APPL/FAC/fac_edit_faq.asp
index 96fae4c996..141f93357c 100644
--- a/APPL/FAC/fac_edit_faq.asp
+++ b/APPL/FAC/fac_edit_faq.asp
@@ -115,17 +115,17 @@ else
 BLOCK_END();
 BLOCK_START("mldInfo", L("lcl_faq_itemadm"));
- var sql= " SELECT 1, " + safe.quoted_sql(L("lcl_faq_level1")) + " FROM DUAL"
- + " UNION ALL SELECT 2, " + safe.quoted_sql(L("lcl_faq_level2")) + " FROM DUAL"
- + " UNION ALL SELECT 3, " + safe.quoted_sql(L("lcl_faq_level3")) + " FROM DUAL"
+ var sql = " SELECT 1, " + safe.qL("lcl_faq_level1") + " FROM DUAL"
+ + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_level2") + " FROM DUAL"
+ + " UNION ALL SELECT 3, " + safe.qL("lcl_faq_level3") + " FROM DUAL"
 FCLTselector("fac_faq_level", sql, { initKey: level, label: L("lcl_faq_level") });
- var displaySql = " SELECT 0, '" + L("lcl_faq_display_popup") + "' FROM DUAL UNION ALL "
- + " SELECT 1, '" + L("lcl_faq_display_screen") + "' FROM DUAL UNION ALL "
- + " SELECT 2, '" + L("lcl_faq_display_both_edit")+ "' FROM DUAL";
+ var displaySql = " SELECT 0, " + safe.qL("lcl_faq_display_popup") + " FROM DUAL"
+ + " UNION ALL SELECT 1, " + safe.qL("lcl_faq_display_screen") + " FROM DUAL"
+ + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_display_both_edit") + " FROM DUAL";
 FCLTselector("fac_faq_displaymode", displaySql,
diff --git a/APPL/FAC/fac_show_faq.asp b/APPL/FAC/fac_show_faq.asp
index 43a20ac628..e3d785b2ad 100644
--- a/APPL/FAC/fac_show_faq.asp
+++ b/APPL/FAC/fac_show_faq.asp
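Review bot: The rewritten `var sql` statement in the first added block still has no terminating semicolon after its last `" FROM DUAL"`, while the `displaySql` statement right below it ends with one; change the third added line to `+ " UNION ALL SELECT 3, " + safe.qL("lcl_faq_level3") + " FROM DUAL";` so the statement does not depend on automatic semicolon insertion before the following `FCLTselector(` call. A one-line comment stating what the new helper guarantees would also help readers of these query builders, e.g. `// safe.qL(key): localised text for key, returned as a quoted SQL literal with embedded quotes escaped` — its implementation is not in this diff, so confirm that is what it does before wording the comment. Because the only interpolated values are localisation texts, the practical risk here is a translation containing an apostrophe breaking or altering the query; the helper removes that as long as it escapes, and `level` is passed to the selector as `initKey` rather than concatenated into the SQL, so nothing else in the hunk is string-built. The same point applies to the `displaySql` hunk in fac_show_faq.asp below. The enclosing block starts and ends outside the hunk.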
@@ -141,9 +141,9 @@ var canChange = canWriteFAQBOF || (canWriteFAQFOF && datum == null)
 BLOCK_START("mldInfo", L("lcl_faq_itemadm"));
 ROFIELDTR("fld", L("lcl_faq_level"), fac.getfaqleveltext(level));
- var displaySql = " SELECT 0, '" + L("lcl_faq_display_popup") + "' FROM DUAL UNION ALL "
- + " SELECT 1, '" + L("lcl_faq_display_screen") + "' FROM DUAL UNION ALL "
- + " SELECT 2, '" + L("lcl_faq_display_both_show")+ "' FROM DUAL";
+ var displaySql = " SELECT 0, " + safe.qL("lcl_faq_display_popup") + " FROM DUAL"
+ + " UNION ALL SELECT 1, " + safe.qL("lcl_faq_display_screen") + " FROM DUAL"
+ + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_display_both_show") + " FROM DUAL";
 FCLTselector("fld", displaySql,