Index: left_formatter.php
===================================================================
--- left_formatter.php (revision 14234)
+++ left_formatter.php (working copy)
@@ -33,7 +33,7 @@
 {
 // required option is not defined in config => query for it
 $db =& $this->Application->GetADODBConnection();
- $sql = sprintf($options['left_sql'],$options['left_title_field'],$options['left_key_field'],$value);
+ $sql = sprintf($options['left_sql'],$options['left_title_field'],$options['left_key_field'], $db->escape($value));
 $options['options'][$value] = $db->GetOne($sql);
 if ($options['options'][$value] === false) return $value;
 }
@@ -61,7 +61,7 @@
 // requested option is not found in field options -> query for it
 $db =& $this->Application->GetADODBConnection();
- $sql = sprintf($options['left_sql'], $options['left_key_field'], $options['left_title_field'], $db->escape($value));
 $found = $db->GetOne($sql);
 if ($found !== false) { // option successfully retrieved from db -> cache it
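Review bot: The added `$db->escape($value)` in both hunks (-33 and -61) protects the query only if the `left_sql` template puts the value placeholder inside quotes. Assuming escape() escapes special characters without adding quotes, an unquoted placeholder such as a numeric key comparison would still let `$value` alter the statement. The templates come from the field options and are not visible in this diff, so they should be checked alongside this change. I would state the requirement above each `sprintf` call, for example `// left_sql must quote the value placeholder; escape() does not make an unquoted %s safe`. Both enclosing functions start and end outside the hunks, so any earlier validation of `$value` cannot be confirmed from here.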