From f93a6eba039d8abeb4367c941c9c6fccf51640f0 Mon Sep 17 00:00:00 2001
From: Klaus-Uwe Mitterer
Date: Tue, 9 Aug 2016 20:22:52 +0200
Subject: [PATCH] Escape the string in order to prevent injections...
---
 access.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/access.php b/access.php
index 1883ffa..ef8dc64 100644
--- a/access.php
+++ b/access.php
@@ -12,7 +12,7 @@ if ($conn->connect_error) {
 die("Connection failed: " . $conn->connect_error);
 }
-$sql = "SELECT ts, lat, lon FROM tracker WHERE device='" . $_GET["device"] . "' ORDER BY ts ASC;";
+$sql = "SELECT ts, lat, lon FROM tracker WHERE device='" . mysqli_real_escape_string($conn, $_GET["device"]) . "' ORDER BY ts ASC;";
 $result = $conn->query($sql);
 if ($result->num_rows > 0) {
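Review bot: The added `$sql` line still assembles the query by string concatenation, so its safety rests entirely on `mysqli_real_escape_string` agreeing with the connection's character set, and nothing in the hunk shows that being set; a prepared statement with a bound parameter removes the quoting question altogether. The line also reads `$_GET["device"]` unguarded, which raises a notice and feeds null into the query when the parameter is absent. Replacing the `$sql`/`$result` pair with the prepare/bind/execute sequence below addresses both points; `get_result()` requires mysqlnd, so `bind_result()` is the fallback if that driver is not available. If the escaping approach is kept instead, `$conn->set_charset('utf8mb4')` should be called right after connecting so the escaping rules match the connection encoding. The enclosing script continues on both sides of the hunk.
```php
// … unchanged: connection setup and connect_error check …
$device = isset($_GET["device"]) ? $_GET["device"] : '';
$stmt = $conn->prepare("SELECT ts, lat, lon FROM tracker WHERE device=? ORDER BY ts ASC");
$stmt->bind_param("s", $device);
$stmt->execute();
$result = $stmt->get_result();
// … unchanged: num_rows check and result loop …
```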