\r
foreach($columns as $columnName => $columnValue)\r
{\r
- $query .= sprintf('%s="%s" AND ', $columnName, str_replace('"', '\"', $columnValue));\r
+ $columnValue = $db->quote($columnValue);\r
+ $query .= sprintf('%s=%s AND ', $columnName, str_replace('"', '\"', $columnValue));\r
}\r
\r
$query = substr($query, 0, -4);\r
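Review bot: The added `sprintf` line still wraps the value in `str_replace('"', '\"', $columnValue)` after `$db->quote()` has already produced a complete, escaped literal. That second pass inserts backslashes in front of any double quote in the data, so the value compared is no longer the one supplied; on a connection where backslash is not an escape character it may also interfere with the driver's own quoting. The line should be `$query .= sprintf('%s=%s AND ', $columnName, $db->quote($columnValue));`. Separately, `$columnName` is still interpolated unquoted, so if the keys of `$columns` can be influenced by a request, the injection path remains open through the identifier. It should be checked against an allow-list of known columns or passed through the driver's identifier quoting. The code that builds `$columns` and starts `$query` lies outside this hunk, so where the keys come from cannot be confirmed here.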