
Security: Remove double-escaping of SQL in previous paranoid commit

ywarnier committed Dec 21, 2018
1 parent bec1fd1 commit 5700b37beae20e13fca144f389e2054b77c90140
Showing with 9 additions and 9 deletions.
  1. +6 −6 main/inc/lib/TicketManager.php
  2. +2 −2 main/ticket/categories.php
  3. +1 −1 main/ticket/ticket_details.php
@@ -360,8 +360,8 @@ public static function add(
'sys_lastedit_datetime' => $now,
'source' => $source,
'assigned_last_user' => $assignedUserId,
'subject' => Database::escape_string($subject),
'message' => Database::escape_string($content),
'subject' => $subject,
'message' => $content,
];
if (!empty($course_id)) {
@@ -653,14 +653,14 @@ public static function insertMessage(
$params = [
'ticket_id' => $ticketId,
'subject' => Database::escape_string($subject),
'message' => Database::escape_string($content),
'ip_address' => Database::escape_string(api_get_real_ip()),
'subject' => $subject,
'message' => $content,
'ip_address' => api_get_real_ip(),
'sys_insert_user_id' => $userId,
'sys_insert_datetime' => $now,
'sys_lastedit_user_id' => $userId,
'sys_lastedit_datetime' => $now,
'status' => Database::escape_string($status),
'status' => $status,
];
$messageId = Database::insert($table_support_messages, $params);
if ($messageId) {
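Review bot: In the `insertMessage` hunk, `ip_address` and `status` are now stored exactly as received, and nothing in the visible lines validates them. `api_get_real_ip()` is not shown here and may take its value from request headers, so I would check it before building `$params`, e.g. `$ip = filter_var(api_get_real_ip(), FILTER_VALIDATE_IP) ?: '';`, and compare `$status` against the known status codes instead of accepting any string. Dropping `Database::escape_string()` is correct only if `Database::insert()` binds each value as a parameter, which this page does not show; a comment above `$params` such as `// Values are bound by Database::insert(); do not escape them here` would record that and keep the escaping from being re-added. The same assumption underlies the `add` hunk and the changes in categories.php and ticket_details.php, and both functions here begin and end outside their hunks.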
@@ -129,8 +129,8 @@
$values = $form->getSubmitValues();
$params = [
'name' => Database::escape_string($values['name']),
'description' => Database::escape_string($values['description']),
'name' => $values['name'],
'description' => $values['description'],
'sys_lastedit_datetime' => api_get_utc_datetime(),
'sys_lastedit_user_id' => api_get_user_id(),
];
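Review bot: `name` and `description` come straight from `$form->getSubmitValues()` and are now stored as entered, so any markup a user types into them reaches the database intact. The code that later prints category names and descriptions is not on this page; it should encode them at output, for example `htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (variable name illustrative), or run `description` through the project's HTML sanitizer if it is meant to hold rich text. The hunk also ends before `$params` is used, so the call that stores it is not visible; a comment above `$params`, such as `// Raw form values: bound as parameters on write, encoded on output`, would make the contract explicit.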
@@ -318,7 +318,7 @@ class: "controls"
$file_attachments,
$user_id,
'NOL',
Database::escape_string($message)
$message
);
TicketManager::sendNotification(
