Escape SQL parameter in Profile_tag::moveTag()
This change adds additional escapes for arguments to Profile_tag::moveTag(). The arguments are canonicalized in the API and Web UI paths higher up the stack, but this change makes sure that no other paths can introduce SQL injection errors.
This commit is contained in:
parent
c5a710e081
commit
5b118b3781
|
@ -284,8 +284,11 @@ class Profile_tag extends Managed_DataObject
|
||||||
'tag = "%s", tagger = "%s" ' .
|
'tag = "%s", tagger = "%s" ' .
|
||||||
'WHERE tag = "%s" ' .
|
'WHERE tag = "%s" ' .
|
||||||
'AND tagger = "%s"';
|
'AND tagger = "%s"';
|
||||||
$result = $tags->query(sprintf($qry, $new->tag, $new->tagger,
|
$result = $tags->query(sprintf($qry,
|
||||||
$orig->tag, $orig->tagger));
|
$tags->escape($new->tag),
|
||||||
|
$tags->escape($new->tagger),
|
||||||
|
$tags->escape($orig->tag),
|
||||||
|
$tags->escape($orig->tagger)));
|
||||||
|
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
common_log_db_error($tags, 'UPDATE', __FILE__);
|
common_log_db_error($tags, 'UPDATE', __FILE__);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user