Escape SQL parameter in Profile_tag::moveTag()

This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
This commit is contained in:
Joshua Wise 2013-07-16 10:27:30 -07:00 committed by Evan Prodromou
parent c5a710e081
commit 5b118b3781

View File

@ -284,8 +284,11 @@ class Profile_tag extends Managed_DataObject
'tag = "%s", tagger = "%s" ' . 'tag = "%s", tagger = "%s" ' .
'WHERE tag = "%s" ' . 'WHERE tag = "%s" ' .
'AND tagger = "%s"'; 'AND tagger = "%s"';
$result = $tags->query(sprintf($qry, $new->tag, $new->tagger, $result = $tags->query(sprintf($qry,
$orig->tag, $orig->tagger)); $tags->escape($new->tag),
$tags->escape($new->tagger),
$tags->escape($orig->tag),
$tags->escape($orig->tagger)));
if (!$result) { if (!$result) {
common_log_db_error($tags, 'UPDATE', __FILE__); common_log_db_error($tags, 'UPDATE', __FILE__);