From 783e400d941264ac6c949994e5a28972ccc2754a Mon Sep 17 00:00:00 2001 From: Joshua Wise Date: Tue, 16 Jul 2013 10:09:16 -0700 Subject: [PATCH] Potential SQL injection in Local_group::setNickname() This change escapes a parameter in Local_group::setNickname(). Review of the code paths that call this function sanitize the parameter higher up the stack, but it's escaped here to prevent mistakes later. Note that nickname parameters are normally alphanum strings, so there's not much danger in double-escaping them. --- classes/Local_group.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/Local_group.php b/classes/Local_group.php index 44d8957838..b895103d16 100644 --- a/classes/Local_group.php +++ b/classes/Local_group.php @@ -44,7 +44,7 @@ class Local_group extends Managed_DataObject function setNickname($nickname) { $this->decache(); - $qry = 'UPDATE local_group set nickname = "'.$nickname.'" where group_id = ' . $this->group_id; + $qry = 'UPDATE local_group set nickname = "'.$this->escape($nickname).'" where group_id = ' . $this->group_id; $result = $this->query($qry);