GNUsocial
/
gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

Escape query parameters in Profile_tag::getTagged() 

This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
This commit is contained in:
Joshua Wise 2013-07-16 10:35:44 -07:00 committed by Evan Prodromou
parent 5b118b3781
commit e54cb6958a
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
classes/Profile_tag.php
View File

@ -310,8 +310,8 @@ class Profile_tag extends Managed_DataObject
$profile->query('SELECT profile.* ' .
'FROM profile JOIN profile_tag ' .
'ON profile.id = profile_tag.tagged ' .
'WHERE profile_tag.tagger = ' . $tagger . ' ' .
'AND profile_tag.tag = "' . $tag . '" ');
'WHERE profile_tag.tagger = ' . $profile->escape($tagger) . ' ' .
'AND profile_tag.tag = "' . $profile->escape($tag) . '" ');
$tagged = array();
while ($profile->fetch()) {
$tagged[] = clone($profile);