sub save_report {
my ( $sql, $name, $type, $notes ) = @_;
my $dbh = C4::Context->dbh();
+ $sql =~ s/(\W*)$//;
my $query =
"INSERT INTO saved_sql (borrowernumber,date_created,last_modified,savedsql,report_name,type,notes) VALUES (?,now(),now(),?,?,?,?)";
my $sth = $dbh->prepare($query);
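Review bot: The added `$sql =~ s/(\W*)$//;` strips every trailing non-word character, not just a terminating semicolon, so a query that ends in a quoted literal or a closing parenthesis (`... WHERE surname = 'smith'` or `... WHERE (x = 1)`) loses its final `'` or `)` and is stored as broken SQL. If the intent is to drop a trailing `;` plus whitespace, presumably so text can be appended later, restrict the class: `$sql =~ s/[\s;]+\z//;` — the capture group is unused, and `\z` avoids the `$`-before-final-newline subtlety. This is a shape fix, not authorization: whatever survives the substitution is still stored verbatim and presumably executed later, so the caller's permission check is what actually gates this path. save_report's body continues past the hunk; the execute of the prepared statement is not shown.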
<option value="csv">Comma Separated Text</option>
<option value="tab">Tab Separated Text</option>
</select>
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR ESCAPE="HTML" NAME="sql" -->" />
<input type="hidden" name="phase" value="Export" />
<input type="submit" name="submit" value="Download" /></fieldset>
</form>
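Review bot: The `ESCAPE="HTML"` on the hidden `sql` field closes the attribute-injection hole, but the form still round-trips the raw SQL text from the browser back to the server for `phase=Export`, so the Export handler must not treat that field as trusted merely because it originated from this page — anyone able to reach the endpoint can POST arbitrary SQL in it. Nothing in this hunk shows how the Export phase consumes the value; if it is executed, the same permission check and any validation applied at save time should be applied there too, or the form should carry the saved report's stored identifier instead of the SQL text, if one is available. If the same `sql` variable is rendered elsewhere in this template, those occurrences need the same `ESCAPE="HTML"` (or `ESCAPE="URL"` in a URL context).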