scape the login

classes/functions.php

@@ -327,4 +327,16 @@
 		$dirs = array_unique($dirs);
  		return $dirs;
  	}
+	
+	function sql_escape($value) {
+	    if(get_magic_quotes_gpc()) {
+	          $value = stripslashes($value);
+	    }
+	    if( function_exists("mysql_real_escape_string")) {
+	          $value = mysql_real_escape_string($value);
+	    } else {
+	          $value = addslashes($value);
+	    }
+	    return $value;
+	}
 ?>

classes/user.class.php

@@ -41,7 +41,7 @@ class user extends Conexion_Mysql {
 	}
 
 	function validateUser($user="", $password="") {
-		if ($this->ejecutarConsulta("SELECT id_user, login, password  FROM ".$this->conf->tablePrefix."users WHERE login='".$user."' AND password='".$password."'")) {
+		if ($this->ejecutarConsulta("SELECT id_user, login, password  FROM ".$this->conf->tablePrefix."users WHERE login='".sql_escape($user)."' AND password='".$password."'")) {
 			if ($this->contarRegistros()>0) {
 				$register=$this->obtenerRegistro();
 				$_SESSION['user_id']=$register["id_user"];