From b5ea2f68feab41f969a2e6f0589dd55015f74098 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Thu, 15 Sep 2011 14:36:47 +0200
Subject: [PATCH] BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping

---
 code/AssetAdmin.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/code/AssetAdmin.php b/code/AssetAdmin.php
index 9939220d..bd5064c9 100755
--- a/code/AssetAdmin.php
+++ b/code/AssetAdmin.php
@@ -378,7 +378,7 @@ HTML;
 public function movemarked($urlParams, $form) {
 if($_REQUEST['DestFolderID'] && (is_numeric($_REQUEST['DestFolderID']) || ($_REQUEST['DestFolderID']) == 'root')) {
 $destFolderID = ($_REQUEST['DestFolderID'] == 'root') ? 0 : $_REQUEST['DestFolderID'];
-$fileList = "'" . ereg_replace(' *, *',"','",trim(addslashes($_REQUEST['FileIDs']))) . "'";
+$fileList = "'" . ereg_replace(' *, *',"','",trim(Convert::raw2sql($_REQUEST['FileIDs']))) . "'";
 $numFiles = 0;
 
 if($fileList != "''") {
@@ -411,7 +411,7 @@ HTML;
 * Called and returns in same way as 'save' function
 */
 public function deletemarked($urlParams, $form) {
-$fileList = "'" . ereg_replace(' *, *',"','",trim(addslashes($_REQUEST['FileIDs']))) . "'";
+$fileList = "'" . ereg_replace(' *, *',"','",trim(Convert::raw2sql($_REQUEST['FileIDs']))) . "'";
 $numFiles = 0;
 $folderID = 0;
 $deleteList = '';
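Review bot: In movemarked, escaping `$_REQUEST['FileIDs']` with Convert::raw2sql() is the right swap for addslashes(), but these are record IDs and the safer shape is to validate them as integers rather than rely on escaping inside a hand-built quoted list; the same goes for `$destFolderID`, which passes an is_numeric() check that also admits forms like `1e3` or leading whitespace and is then carried as a raw string. I would replace the `$fileList` line with `$ids = array_filter(array_map('trim', explode(',', $_REQUEST['FileIDs'])), 'ctype_digit');` followed by `$fileList = $ids ? "'" . implode("','", array_map('intval', $ids)) . "'" : "''";`, which keeps the quoted-list format and the `"''"` empty sentinel the next lines test, and cast the folder ID with `(int) $_REQUEST['DestFolderID']`. The enclosing if block and the rest of movemarked continue past the hunk, so I have not checked how `$fileList` and `$destFolderID` are consumed there.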
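Review bot: The new `$fileList` line in deletemarked still calls ereg_replace(), which has been deprecated since PHP 5.3 and is removed in PHP 7, so a commit whose purpose is to retire deprecated escaping calls leaves a second deprecation in the same expression; `preg_replace('/ *, */', "','", trim(Convert::raw2sql($_REQUEST['FileIDs'])))` is the drop-in equivalent. This line is also byte-identical to the one in movemarked, so the FileIDs parsing and quoting belongs in one private helper (for example `protected function getFileIDList()`) that both actions call, so that any future tightening is applied in one place. deletemarked's body continues beyond the hunk; the later use of `$fileList`, `$folderID` and `$deleteList` is not visible here.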