diff options
author | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-10 22:13:16 +0000 |
---|---|---|
committer | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-10 22:13:16 +0000 |
commit | 6007e71050c4e385367118314d44b36cfc507197 (patch) | |
tree | b429992ea272b4ca7483c2e80572a75f69803f87 /engine/lib | |
parent | 4dcfd46b8b6e3bbe9c12493e744be04d8861684e (diff) | |
download | elgg-6007e71050c4e385367118314d44b36cfc507197.tar.gz elgg-6007e71050c4e385367118314d44b36cfc507197.tar.bz2 |
Fixes #1375: Metadata names and values are properly escaped.
git-svn-id: http://code.elgg.org/elgg/trunk@3792 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r-- | engine/lib/metadata.php | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php index d0ab818b9..d2851275d 100644 --- a/engine/lib/metadata.php +++ b/engine/lib/metadata.php @@ -647,7 +647,7 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL if (!$name) { $name = '0'; } - $sanitised_names[] = "'$name'"; + $sanitised_names[] = '\'' . sanitise_string($name) . '\''; } if ($names_str = implode(',', $sanitised_names)) { @@ -671,7 +671,7 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL if (!$value) { $value = 0; } - $sanitised_values[] = "'$value'"; + $sanitised_values[] = '\'' . sanitise_string($value) . '\''; } if ($values_str = implode(',', $sanitised_values)) { @@ -740,13 +740,15 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL // if the operand is IN don't quote it because quoting should be done already. //$value = trim(strtolower($operand)) == 'in' ? $pair['value'] : "'{$pair['value']}'"; if (trim(strtolower($operand)) == 'in' || sanitise_int($pair['value'])) { - $value = $pair['value']; + $value = sanitise_string($pair['value']); } else { - $value = "'{$pair['value']}'"; + $value = '\'' . sanitise_string($pair['value']) . '\''; } + $name = sanitise_string($pair['name']); + $access = get_access_sql_suffix("md{$i}"); - $pair_wheres[] = "(msn{$i}.string = '{$pair['name']}' AND {$pair_binary}msv{$i}.string $operand $value AND $access)"; + $pair_wheres[] = "(msn{$i}.string = '$name' AND {$pair_binary}msv{$i}.string $operand $value AND $access)"; $i++; } |