Corrected a possible SQL insertion bug in elgg_get_entity_metadata_where_sql().

git-svn-id: http://code.elgg.org/elgg/trunk@3825 36083f99-b078-4883-b0ff-0f9b5a30f544
author: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> 2010-01-21 17:42:34 +0000
committer: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> 2010-01-21 17:42:34 +0000
commit: 60d154f92f35b3314f5ea63d375587663640d9be (patch)
tree: 01e877dd8e86a4ff9ed5aa7cd14b50ecee7a876a /engine/lib/metadata.php
parent: 8b586a622e78017c86c824b443f60d0b14437033 (diff)
download: elgg-60d154f92f35b3314f5ea63d375587663640d9be.tar.gz
elgg-60d154f92f35b3314f5ea63d375587663640d9be.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index 955939e42..d4652cf7f 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -739,9 +739,11 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
 			// if the value is an int, don't quote it because str '15' < str '5'
 			// if the operand is IN don't quote it because quoting should be done already.
 			//$value = trim(strtolower($operand)) == 'in' ? $pair['value'] : "'{$pair['value']}'";
-			if (trim(strtolower($operand)) == 'in' || sanitise_int($pair['value'])) {
+			if (trim(strtolower($operand)) == 'in' || is_numeric($pair['value'])) {
+				var_dump(sanitise_int($pair['value']));
 				$value = sanitise_string($pair['value']);
 			} else {
+				var_dump("Not clenaing {$pair['value']}");
 				$value = '\'' . sanitise_string($pair['value']) . '\'';
 			}
author	brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>	2010-01-21 17:42:34 +0000
committer	brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>	2010-01-21 17:42:34 +0000
commit	60d154f92f35b3314f5ea63d375587663640d9be (patch)
tree	01e877dd8e86a4ff9ed5aa7cd14b50ecee7a876a /engine/lib/metadata.php
parent	8b586a622e78017c86c824b443f60d0b14437033 (diff)
download	elgg-60d154f92f35b3314f5ea63d375587663640d9be.tar.gz elgg-60d154f92f35b3314f5ea63d375587663640d9be.tar.bz2