From 5b118b3781d888a97f713b32e76a8604e1e4c0f5 Mon Sep 17 00:00:00 2001
From: Joshua Wise
Date: Tue, 16 Jul 2013 10:27:30 -0700
Subject: [PATCH] Escape SQL parameter in Profile_tag::moveTag()

This change adds additional escapes for arguments to Profile_tag::moveTag(). The arguments are canonicalized in the API and Web UI paths higher up the stack, but this change makes sure that no other paths can introduce SQL injection errors.
---
 classes/Profile_tag.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/classes/Profile_tag.php b/classes/Profile_tag.php
index de91857eb8..fdac14cd71 100644
--- a/classes/Profile_tag.php
+++ b/classes/Profile_tag.php
@@ -284,8 +284,11 @@ class Profile_tag extends Managed_DataObject
 'tag = "%s", tagger = "%s" ' .
 'WHERE tag = "%s" ' .
 'AND tagger = "%s"';
- $result = $tags->query(sprintf($qry, $new->tag, $new->tagger,
- $orig->tag, $orig->tagger));
+ $result = $tags->query(sprintf($qry,
+ $tags->escape($new->tag),
+ $tags->escape($new->tagger),
+ $tags->escape($orig->tag),
+ $tags->escape($orig->tagger)));
 if (!$result) {
 common_log_db_error($tags, 'UPDATE', __FILE__);
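Review bot: The new `$tags->query(sprintf($qry, $tags->escape($new->tag), ...))` call still assembles the UPDATE by string interpolation, so its safety now rests on `escape()` producing output that is valid inside the hand-written `"%s"` literals of `$qry`; a prepared statement with bound parameters would remove the interpolation rather than escape around it. The double-quoted string literals in `$qry` are also MySQL-specific (under ANSI_QUOTES they are read as identifiers), which is a second reason to move the four values into bound parameters if the DataObject layer supports them — confirm, since that layer is not visible here. Because the description says callers already canonicalize tag and tagger, a comment above the call such as `// Escape here as well: callers canonicalize, but this method must not depend on it` would keep the defence-in-depth from being removed later as redundant. moveTag()'s body starts and ends outside the hunk.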