gnu-social/classes/Local_group.php
Joshua Wise 783e400d94 Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). A review
of the code paths that call this function shows that they sanitize the
parameter higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:09:16 -07:00


<?php
/**
* Table Definition for local_group
*/
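class Local_group extends Managed_DataObject
{
    ###START_AUTOCODE
    /* the code below is auto generated do not remove the above tag */

    public $__table = 'local_group';                     // table name
    public $group_id;                        // int(4)  primary_key not_null
    public $nickname;                        // varchar(64)  unique_key
    public $created;                         // datetime   not_null default_0000-00-00%2000%3A00%3A00
    public $modified;                        // timestamp   not_null default_CURRENT_TIMESTAMP

    /* Static get */
    function staticGet($k,$v=NULL) { return Memcached_DataObject::staticGet('Local_group',$k,$v); }

    /* the code above is auto generated do not remove the tag below */
    ###END_AUTOCODE

    /**
     * Schema definition for the local_group table.
     *
     * group_id is the primary key and a foreign key onto user_group.id;
     * nickname carries a unique key.
     *
     * @return array table definition in the project's schema array format
     */
    public static function schemaDef()
    {
        return array(
            'description' => 'Record for a user group on the local site, with some additional info not in user_group',
            'fields' => array(
                'group_id' => array('type' => 'int', 'not null' => true, 'description' => 'group represented'),
                'nickname' => array('type' => 'varchar', 'length' => 64, 'description' => 'group represented'),
                'created' => array('type' => 'datetime', 'not null' => true, 'description' => 'date this record was created'),
                'modified' => array('type' => 'timestamp', 'not null' => true, 'description' => 'date this record was modified'),
            ),
            'primary key' => array('group_id'),
            'foreign keys' => array(
                'local_group_group_id_fkey' => array('user_group', array('group_id' => 'id')),
            ),
            'unique keys' => array(
                'local_group_nickname_key' => array('nickname'),
            ),
        );
    }

    /**
     * Change this group's nickname.
     *
     * Issues an UPDATE against local_group for this object's group_id, then
     * updates the in-memory nickname, fixes up the timestamps and re-caches
     * the object. The cached copy is dropped first so a failed or in-flight
     * update never leaves a stale entry behind.
     *
     * The nickname is escaped before it is spliced into the statement even
     * though callers are expected to validate it first (defence in depth);
     * group_id is coerced to an integer for the same reason, since it is
     * interpolated into the same statement.
     *
     * @param string $nickname new nickname for the group
     *
     * @return mixed result of the UPDATE query (truthy on success)
     *
     * @throws ServerException if the UPDATE fails
     */
    public function setNickname($nickname)
    {
        $this->decache();

        $qry = sprintf(
            'UPDATE local_group set nickname = "%s" where group_id = %d',
            $this->escape($nickname),
            (int) $this->group_id
        );
        $result = $this->query($qry);

        if (!$result) {
            // The object whose update failed is $this; the previous code
            // passed an undefined $local here.
            common_log_db_error($this, 'UPDATE', __FILE__);
            // TRANS: Server exception thrown when updating a local group fails.
            throw new ServerException(_('Could not update local group.'));
        }

        $this->nickname = $nickname;
        $this->fixupTimestamps();
        $this->encache();

        return $result;
    }
}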