forked from GNUsocial/gnu-social
Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This is an extra security step; since these parameters come out of the database, it's unlikely that they would have dangerous data in them.
This commit is contained in:
parent
5b118b3781
commit
e54cb6958a
@ -310,8 +310,8 @@ class Profile_tag extends Managed_DataObject
|
||||
$profile->query('SELECT profile.* ' .
|
||||
'FROM profile JOIN profile_tag ' .
|
||||
'ON profile.id = profile_tag.tagged ' .
|
||||
'WHERE profile_tag.tagger = ' . $tagger . ' ' .
|
||||
'AND profile_tag.tag = "' . $tag . '" ');
|
||||
'WHERE profile_tag.tagger = ' . $profile->escape($tagger) . ' ' .
|
||||
'AND profile_tag.tag = "' . $profile->escape($tag) . '" ');
|
||||
$tagged = array();
|
||||
while ($profile->fetch()) {
|
||||
$tagged[] = clone($profile);
|
||||
|
Loading…
Reference in New Issue
Block a user