diff --git a/infolog/csv_import.php b/infolog/csv_import.php
index d4b9cb2b9d..11aacc87d8 100644
--- a/infolog/csv_import.php
+++ b/infolog/csv_import.php
@@ -322,7 +322,8 @@ function cat_id($cats)
 $val = str_replace($CPre.$vars[1].$CPos,$val[0] == '@' ? "'".addslashes($fields[index($vars[1],$csv_fields)])."'" : $fields[index($vars[1],$csv_fields)],$val);
 }
 if ($val[0] == '@') {
- $val = 'return '.substr($val,1).';';
+ // removing the $ to close security hole of showing vars, which contain eg. passwords
+ $val = 'return '.substr(str_replace('$','',$val),1).';';
 // echo "

eval('$val')="; $val = eval($val); // echo "'$val'

";
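Review bot: Stripping `$` from the expression does not close the hole in the `eval($val)` that follows: the string handed to `eval()` is still assembled from the import template and substituted CSV fields, so any expression other than a variable read (function calls, constants, operators) is still executed with the importer's privileges, and an attacker-controlled template or field remains a code-execution path rather than only an information-disclosure one. The replacement also runs after the CSV fields have been substituted into `$val`, so legitimate field values containing `$` (amounts such as `$10`) are silently altered; if the `$` removal is kept, it should be applied to the template before the `str_replace($CPre.$vars[1].$CPos, ...)` substitution loop, and the `addslashes()` quoting of fields relied on for the data. Longer term the `@` expressions need a restricted evaluator or an allow-list of operations instead of `eval()`; until then the comment above the assignment should say so, e.g. `// NOTE: eval() below still executes arbitrary PHP from the import template; dropping '$' only hides variables, it does not make the expression safe`. The enclosing function starts outside this hunk.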