The DBLayer Trapping anti-SQL-Injection of Protector-3.30 with XOOPS2 raises a "SQL Injection" alert at updating preferences including doublequatation(").
This wrong detection is caused by the wrong way to escape SQL.
class/database/mysqldatabase.php
function quoteString($str)
{
$str = "'".str_replace('\\"', '"', addslashes($str))."'";
return $str;
}
function quoteString($str)
{
$str = "'".str_replace('\\"', '"', addslashes($str))."'";
$str = "'".mysql_real_escape_string($str)."'";
return $str;
}