From 6007e71050c4e385367118314d44b36cfc507197 Mon Sep 17 00:00:00 2001
From: brettp
Date: Sun, 10 Jan 2010 22:13:16 +0000
Subject: Fixes #1375: Metadata names and values are properly escaped.
git-svn-id: http://code.elgg.org/elgg/trunk@3792 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/metadata.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'engine/lib/metadata.php')
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index d0ab818b9..d2851275d 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -647,7 +647,7 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
 if (!$name) {
 $name = '0';
 }
- $sanitised_names[] = "'$name'";
+ $sanitised_names[] = '\'' . sanitise_string($name) . '\'';
 }
 if ($names_str = implode(',', $sanitised_names)) {
@@ -671,7 +671,7 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
 if (!$value) {
 $value = 0;
 }
- $sanitised_values[] = "'$value'";
+ $sanitised_values[] = '\'' . sanitise_string($value) . '\'';
 }
 if ($values_str = implode(',', $sanitised_values)) {
@@ -740,13 +740,15 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
 // if the operand is IN don't quote it because quoting should be done already.
 //$value = trim(strtolower($operand)) == 'in' ? $pair['value'] : "'{$pair['value']}'";
 if (trim(strtolower($operand)) == 'in' || sanitise_int($pair['value'])) {
- $value = $pair['value'];
+ $value = sanitise_string($pair['value']);
 } else {
- $value = "'{$pair['value']}'";
+ $value = '\'' . sanitise_string($pair['value']) . '\'';
 }
+ $name = sanitise_string($pair['name']);
+
 $access = get_access_sql_suffix("md{$i}");
- $pair_wheres[] = "(msn{$i}.string = '{$pair['name']}' AND {$pair_binary}msv{$i}.string $operand $value AND $access)";
+ $pair_wheres[] = "(msn{$i}.string = '$name' AND {$pair_binary}msv{$i}.string $operand $value AND $access)";
 $i++;
 }
--
cgit v1.2.3
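Review bot: The new `$sanitised_names[]` line escapes each name inside the loop, so any caller that already escaped its `$names` before passing them in will now have them escaped twice; a comment above the loop such as `// names and values are escaped here - pass raw strings, never pre-escaped ones` would make that contract explicit, and the same applies to the `$sanitised_values[]` line in the second hunk. The `'\'' . sanitise_string($name) . '\''` concatenation is harder to read than `"'" . sanitise_string($name) . "'"`, which avoids the backslash-escaped quotes; the second hunk has the same shape. Both loops and the enclosing function start and end outside the hunk.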
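Review bot: Passing `$pair['value']` through `sanitise_string()` in the IN branch conflicts with the comment two lines above it, which says an IN value is expected to arrive already quoted: if `sanitise_string()` backslash-escapes quotes (it looks like a wrapper over the driver's escaping, though that is not visible here), a pre-quoted list such as `('a','b')` comes out as `(\'a\',\'b\')` and the query breaks, and if it does not, escaping gives no protection at all for a fragment that is interpolated without surrounding quotes. Building the IN list inside this function from an array of raw values (escape and quote each element, then implode) would keep escaping in one place and remove the need for callers to pre-quote. The numeric branch takes the same unquoted path when `sanitise_int($pair['value'])` is truthy, so `$value = (int) $pair['value'];` for that case would constrain the token to digits in a way that string escaping cannot. `$operand` and `$pair_binary` are still interpolated unescaped into the `$pair_wheres[]` string; if the operand comes from the pair rather than a fixed list, checking it against the set of supported operators before this point would close the remaining gap. The enclosing loop and function start and end outside the hunk.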