Issue #2993511 by mikhailkrainiuk, kala4ek: Fix potential SQL injection

backdrop-contrib · Aug 18, 2018 · bb119f4 · bb119f4
1 parent 32b5b39
commit bb119f4
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/elysia_cron.module b/elysia_cron.module
@@ -240,8 +240,11 @@ $GLOBALS['_ec_variables_allowed'] = array(
  */
 function _ec_variable_init() {
   global $_ec_variables, $_ec_variables_allowed;
+
   $_ec_variables = array();
-  $_ec_variables = array_map('unserialize', db_query("SELECT name, value FROM {variable} where name like '" . implode("' or name like '", $_ec_variables_allowed) . "'")->fetchAllKeyed());
+  foreach ($_ec_variables_allowed as $name) {
+    $_ec_variables[$name] = variable_get($name);
+  }
 }
 
 /**