security: fix unescaped parameter leading to sqli
righel committed Aug 19, 2021
1 parent f91fd30 commit 20d9020
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion app/Model/Log.php
Expand Up @@ -174,7 +174,7 @@ public function returnDates($org = 'all')
// cakephp ORM would escape "DATE" datatype in CAST expression
$condnotinaction = "'" . implode("', '", $conditions['AND']['NOT']['action']) . "'";
if (!empty($conditions['org'])) {
$condOrg = ' AND org = "' . $conditions['org'] . '"';
$condOrg = sprintf('AND org = %s', $this->getDataSource()->value($conditions['org']));
} else {
$condOrg = '';
}
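Review bot: the leading space is lost in this hunk: the removed line started with `' AND org = "'`, while the replacement format string is `'AND org = %s'`, so at whatever point `$condOrg` is concatenated into the raw query the preceding token must already end in whitespace or the resulting SQL reads `...AND org = '...'` and fails to parse; keep the space (`' AND org = %s'`) or confirm the concatenation site. Quoting through `$this->getDataSource()->value()` is the right fix for `org`, but the sibling `$condnotinaction` two lines above still interpolates `$conditions['AND']['NOT']['action']` with a bare `implode("', '", ...)`; if those values can ever come from a caller rather than a hardcoded list, quote them the same way, e.g. `implode(', ', array_map([$this->getDataSource(), 'value'], $conditions['AND']['NOT']['action']))`.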