Properly quote MySQL query

Thanks Johan Smith

Change-Id: I53b8f2c9d7612f6c15da1900abbd219d80dc1f1d

modules/registrars/cozaepp/cozaeppsync.php

@@ -110,19 +110,34 @@ foreach($domains as $domain) {
 
 
 	# This is the template we going to use below for our updates
-	$querytemplate = "UPDATE tbldomains SET status = %s, registrationdate = %s, expirydate = %s, nextduedate = %s WHERE domain = %s";
+	$querytemplate = "UPDATE tbldomains SET status = '%s', registrationdate = '%s', expirydate = '%s', nextduedate = '%s' WHERE domain = '%s'";
 
 	# Check status and update
 	if ($statusres == "ok") {
-		mysql_query(sprintf($querytemplate,"Active",$createdate,$nextduedate,$nextduedate,$domain));
+		mysql_query(sprintf($querytemplate,"Active",
+				mysql_real_escape_string($createdate),
+				mysql_real_escape_string($nextduedate),
+				mysql_real_escape_string($nextduedate),
+				mysql_real_escape_string($domain)
+		));
 		echo "Updated $domain expiry to $nextduedate\n";
 
 	} elseif ($statusres == "serverHold") {
-		mysql_query(sprintf($querytemplate,"Pending",$createdate,$nextduedate,$nextduedate,$domain));
+		mysql_query(sprintf($querytemplate,"Pending",
+				mysql_real_escape_string($createdate),
+				mysql_real_escape_string($nextduedate),
+				mysql_real_escape_string($nextduedate),
+				mysql_real_escape_string($domain)
+		));
 		echo "Domain $domain is PENDING (Registration: $createdate, Expiry: $nextduedate)\n";
 
 	} elseif ($statusres == "expired") {
-		mysql_query(sprintf($querytemplate,"Expired",$createdate,$nextduedate,$nextduedate,$domain));
+		mysql_query(sprintf($querytemplate,"Expired",
+				mysql_real_escape_string($createdate),
+				mysql_real_escape_string($nextduedate),
+				mysql_real_escape_string($nextduedate),
+				mysql_real_escape_string($domain)
+		));
 		echo "Domain $domain is EXPIRED (Registration: $createdate, Expiry: $nextduedate)\n";
 	} else {
 		echo "Domain $domain has unknown status '$statusres' (File a bug report here: http://devlabs.linuxassist.net/projects/whmcs-coza-epp/issues/new)\n";