From eaadadded0082f5721273272afad540a2c5dd99f Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Fri, 16 Aug 2013 02:08:18 +0200
Subject: [PATCH] Also use PDO parameterization for the row ID in UPDATE queries

---
 class.databaserecord.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/class.databaserecord.php b/class.databaserecord.php
index 4cdcf61..3f7dbd5 100644
--- a/class.databaserecord.php
+++ b/class.databaserecord.php
@@ -523,7 +523,9 @@ abstract class CPHPDatabaseRecordClass extends CPHPBaseClass
 }
 $sQueryKeysIdentifiers = implode(", ", $sKeysIdentifiersList);
-$query = "UPDATE {$this->table_name} SET {$sQueryKeysIdentifiers} WHERE `{$this->id_field}` = '{$this->sId}'";
+/* We use :CPHPID here because it's unlikely to be used in the application itself. */
+$query = "UPDATE {$this->table_name} SET {$sQueryKeysIdentifiers} WHERE `{$this->id_field}` = :CPHPID";
+$uValueList[':CPHPID'] = $this->sId;
 try