Merge pull request #6 from jecknig/master

Correctly escape strings for use in executed code
Corveda · May 20, 2016 · d82fe60 · d82fe60
2 parents 3535a44 + f5e86ce
commit d82fe60
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/PHPSandbox.php b/src/PHPSandbox.php
@@ -6484,7 +6484,7 @@ protected function prepareVars(){
                     } else if(is_float($value)){
                         $output[] = '$' . $name . ' = ' . ($value ? $value : '0.0');
                     } else if(is_string($value)){
-                        $output[] = '$' . $name . " = '" . addcslashes($value, "'") . "'";
+                        $output[] = '$' . $name . " = '" . addcslashes($value, "'\\") . "'";
                     } else {
                         $output[] = '$' . $name . " = null";
                     }
@@ -6508,7 +6508,7 @@ protected function prepareConsts(){
                     } else if(is_float($value)){
                         $output[] = '\define(' . "'" . $name . "', " . ($value ? $value : '0.0') . ');';
                     } else if(is_string($value)){
-                        $output[] = '\define(' . "'" . $name . "', '" . addcslashes($value, "'") . "');";
+                        $output[] = '\define(' . "'" . $name . "', '" . addcslashes($value, "'\\") . "');";
                     } else {
                         $output[] = '\define(' . "'" . $name . "', null);";
                     }
@@ -7123,4 +7123,4 @@ public function __call($method, $arguments){
             trigger_error('Fatal error: Call to undefined method PHPSandbox::' . $method, E_ERROR);
             return null;
         }
-    }
+    }