authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-21 17:42:34 +0000
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-21 17:42:34 +0000
commit60d154f92f35b3314f5ea63d375587663640d9be (patch)
tree01e877dd8e86a4ff9ed5aa7cd14b50ecee7a876a /engine/lib
parent8b586a622e78017c86c824b443f60d0b14437033 (diff)
Corrected a possible SQL insertion bug in elgg_get_entity_metadata_where_sql().
git-svn-id: http://code.elgg.org/elgg/trunk@3825 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/metadata.php4
1 files changed, 3 insertions, 1 deletions
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index 955939e42..d4652cf7f 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -739,9 +739,11 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
// if the value is an int, don't quote it because str '15' < str '5'
// if the operand is IN don't quote it because quoting should be done already.
//$value = trim(strtolower($operand)) == 'in' ? $pair['value'] : "'{$pair['value']}'";
- if (trim(strtolower($operand)) == 'in' || sanitise_int($pair['value'])) {
+ if (trim(strtolower($operand)) == 'in' || is_numeric($pair['value'])) {
+ var_dump(sanitise_int($pair['value']));
$value = sanitise_string($pair['value']);
} else {
+ var_dump("Not clenaing {$pair['value']}");
$value = '\'' . sanitise_string($pair['value']) . '\'';
}