
Commit 5b118b37 authored by Joshua Wise, committed by Evan Prodromou

Escape SQL parameter in Profile_tag::moveTag()

This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
parent c5a710e0
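To make the fix concrete, here is an added example (not GNU social's code and not part of this commit) that rebuilds the same `sprintf()` pattern from the hunk, once without and once with per-argument escaping, and feeds both a tag name carrying a double quote. The table name `profile_tag`, the `UPDATE profile_tag SET` prefix (the hunk shows only the tail of the template) and the `mysqlStyleEscape()` stand-in for DB_DataObject's `escape()` are assumptions; the hostile tag value is constructed for the demonstration.

```php
<?php
// Added example, not GNU social code. Demonstrates why Profile_tag::moveTag()
// needed $tags->escape() around each sprintf() argument.

// Hypothetical stand-in for DB_DataObject's escape(): backslash-escapes the
// characters MySQL string literals treat specially. Assumes the default
// sql_mode (backslash escapes on); NO_BACKSLASH_ESCAPES would need another
// strategy, which is one reason placeholders beat hand escaping.
function mysqlStyleEscape(string $value): string
{
    return strtr($value, [
        "\\" => "\\\\",
        "\"" => "\\\"",
        "'"  => "\\'",
        "\0" => "\\0",
        "\n" => "\\n",
        "\r" => "\\r",
    ]);
}

// Same template shape as the hunk; table name and UPDATE prefix are assumed.
const MOVE_TAG_QUERY =
    'UPDATE profile_tag SET tag = "%s", tagger = "%s" ' .
    'WHERE tag = "%s" AND tagger = "%s"';

// The pre-fix form: raw values interpolated straight into the SQL.
function buildMoveTagQueryUnsafe(string $newTag, string $newTagger,
                                 string $origTag, string $origTagger): string
{
    return sprintf(MOVE_TAG_QUERY, $newTag, $newTagger, $origTag, $origTagger);
}

// The post-fix form: every argument escaped before interpolation.
function buildMoveTagQueryEscaped(string $newTag, string $newTagger,
                                  string $origTag, string $origTagger): string
{
    return sprintf(MOVE_TAG_QUERY,
        mysqlStyleEscape($newTag),
        mysqlStyleEscape($newTagger),
        mysqlStyleEscape($origTag),
        mysqlStyleEscape($origTagger));
}

// Count double-quoted string literals, honouring backslash escapes inside
// them. The template has four placeholders, so a correctly built statement
// must contain exactly four literals; any other count means an injected
// quote changed the statement's structure.
function countStringLiterals(string $sql): int
{
    $count = 0;
    $inLiteral = false;
    for ($i = 0, $n = strlen($sql); $i < $n; $i++) {
        $c = $sql[$i];
        if ($inLiteral && $c === '\\') {
            $i++; // skip the escaped character
            continue;
        }
        if ($c === '"') {
            if ($inLiteral) {
                $count++;
            }
            $inLiteral = !$inLiteral;
        }
    }
    return $count;
}

// Constructed hostile input: closes the tag literal and widens the WHERE
// clause. Because AND binds tighter than OR, the unescaped statement becomes
// tag = "news" OR ("1"="1" AND tagger = "alice"), i.e. every one of alice's
// tags is renamed, not just "news".
$hostile = 'news" OR "1"="1';

$unsafe  = buildMoveTagQueryUnsafe('news', 'alice', $hostile, 'alice');
$escaped = buildMoveTagQueryEscaped('news', 'alice', $hostile, 'alice');

printf("unsafe:  %s\n  string literals: %d\n", $unsafe, countStringLiterals($unsafe));
printf("escaped: %s\n  string literals: %d\n", $escaped, countStringLiterals($escaped));
```

Run with `php moveTag_example.php`: the unsafe statement reports six literals (the injected `"1"="1"` adds two), the escaped one reports four, because the quotes now live inside the `tag` literal as `\"`. The commit takes exactly this approach, escaping at the call site; the alternative that removes the dependency on callers remembering to escape is to let the data-object layer quote values, or to use a parameterised query, so the structure of the statement is fixed before any user data reaches it.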
......@@ -284,8 +284,11 @@ class Profile_tag extends Managed_DataObject
'tag = "%s", tagger = "%s" ' .
'WHERE tag = "%s" ' .
'AND tagger = "%s"';
$result = $tags->query(sprintf($qry, $new->tag, $new->tagger,
$orig->tag, $orig->tagger));
$result = $tags->query(sprintf($qry,
$tags->escape($new->tag),
$tags->escape($new->tagger),
$tags->escape($orig->tag),
$tags->escape($orig->tagger)));
if (!$result) {
common_log_db_error($tags, 'UPDATE', __FILE__);
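Review bot: the hardened call still assembles the statement with sprintf() into `"%s"` literals, so safety rests on every present and future caller of this pattern remembering `$tags->escape()` for each argument; routing the update through DB_DataObject's own `whereAdd()` / `update()` path, or through one helper that both quotes and escapes, would stop the quoting being repeated by hand at each site. Note also that the rendered diff dropped its +/- markers, so both the original `$result = $tags->query(sprintf($qry, $new->tag, $new->tagger,` call and its escaped replacement appear in the hunk; the first is the removed line. The failure branch visible here only logs via `common_log_db_error($tags, 'UPDATE', __FILE__)`; it is worth confirming that the caller receives a return value or exception rather than a silently unmoved tag.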