Index: branches/5.2.x/core/kernel/utility/formatters/left_formatter.php
===================================================================
diff -u -N -r14748 -r15563
--- branches/5.2.x/core/kernel/utility/formatters/left_formatter.php (.../left_formatter.php) (revision 14748)
+++ branches/5.2.x/core/kernel/utility/formatters/left_formatter.php (.../left_formatter.php) (revision 15563)
@@ -1,6 +1,6 @@ query for it
- $sql = sprintf($options['left_sql'], $options['left_title_field'], $options['left_key_field'], $this->Conn->escape($value));
+ $display_field = $this->_escapeField($options['left_title_field']);
+ $match_field = $this->_escapeField($options['left_key_field']);
+
+ $sql = sprintf($options['left_sql'], $display_field, $match_field . ' = ' . $this->Conn->qstr($value));
 $options['options'][$value] = $this->Conn->GetOne($sql);
 if ( $options['options'][$value] === false ) {
@@ -58,6 +61,22 @@
 }
 /**
+ * Escape field names, but not expressions
+ *
+ * @param string $field_name
+ * @return string
+ * @access protected
+ */
+ protected function _escapeField($field_name)
+ {
+ if ( preg_match('/^[a-z_]+$/i', $field_name) ) {
+ return '`' . $field_name . '`';
+ }
+
+ return $field_name;
+ }
+
+ /**
 * Performs basic type validation on form field value
 *
 * @param mixed $value
@@ -81,7 +100,10 @@
 }
 // requested option is not found in field options -> query for it
- $sql = sprintf($options['left_sql'], $options['left_key_field'], $options['left_title_field'], $this->Conn->escape($value));
+ $display_field = $this->_escapeField($options['left_key_field']);
+ $match_field = $this->_escapeField($options['left_title_field']);
+
+ $sql = sprintf($options['left_sql'], $display_field, $match_field . ' = ' . $this->Conn->qstr($value));
 $found = $this->Conn->GetOne($sql);
 if ( $found !== false ) {
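Review bot: The new `sprintf` call hands `left_sql` two arguments (the display field, then a complete `key = 'value'` condition) where the removed line passed three, so any field definition that overrides `left_sql` with the old three-placeholder template now has more `%s` than arguments; before PHP 8 `sprintf` then emits a warning and returns `false`, which goes straight into `GetOne`, and on PHP 8 it throws `ArgumentCountError`. The third hunk (the `$found` lookup) makes the same contract change. A comment above the call would record the new template shape, `// left_sql placeholders: %s = display field, %s = "<key field> = <quoted value>" condition`, and every `left_sql` override in the field configs should be checked against it. Both field options are only backticked when `_escapeField` recognises them as plain identifiers and are otherwise placed in the query verbatim, so they must remain code/config-defined and never be derived from request data. The enclosing method starts and ends outside the hunk.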
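Review bot: The identifier test `/^[a-z_]+$/i` in `_escapeField` does not admit digits, so a column name containing one is classified as an expression and emitted without backticks; `if ( preg_match('/^[a-z_][a-z0-9_]*$/i', $field_name) ) {` covers the usual identifier shape while still letting `table.field` and function expressions fall through. The docblock should also state what that fall-through means, since the one-line summary does not: anything that is not a plain identifier is returned unchanged and lands verbatim in SQL, so only values defined in code or field configuration may reach this method — e.g. `* Non-identifiers (expressions, table.field) are returned as-is and are NOT escaped; never pass request data here.` The `@param string` line could likewise note that the value is expected to be a configured field name or SQL expression rather than arbitrary input.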
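Review bot: The four added lines are a mirror image of the first hunk's (only `left_key_field` and `left_title_field` swap roles), which leaves two copies of the query-building convention to keep in step whenever `left_sql`, `_escapeField` or the quoting changes. A small protected helper that takes the two option keys and the value would reduce both call sites to one line; a sketch follows, with this call site's key order preserved. The enclosing method (the one documented as "Performs basic type validation on form field value") starts before and ends after the hunk, as does the method in the first hunk.
```php
// requested option is not found in field options -> query for it
$sql = $this->_getOptionSql($options, 'left_key_field', 'left_title_field', $value);
// … unchanged: GetOne() lookup and $found handling …

/**
 * Builds the option lookup query shared by both option lookups
 *
 * @param Array $options field options (left_sql, left_*_field)
 * @param string $display_option key in $options of the field to return
 * @param string $match_option key in $options of the field to match against
 * @param mixed $value value to look up
 * @return string
 * @access protected
 */
protected function _getOptionSql($options, $display_option, $match_option, $value)
{
    $display_field = $this->_escapeField($options[$display_option]);
    $match_field = $this->_escapeField($options[$match_option]);

    return sprintf($options['left_sql'], $display_field, $match_field . ' = ' . $this->Conn->qstr($value));
}
```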
@@ -90,7 +112,7 @@
 }
 $skip_errors = array_key_exists('skip_errors', $options) && $options['skip_errors'];
-
+
 if ( $found === false && !$skip_errors ) {
 // option not found at all -> return not formatted value & set error
 $object->SetError($field_name, 'invalid_option', 'la_error_InvalidOption');