[Security] Fix sql injection in modifyLimitQuery() for PgSQL and DB2

lib/Doctrine/Connection/Db2.php

@@ -46,7 +46,7 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
             return $query;
 
         if ($offset == 0) {
-            return $query . ' FETCH FIRST '. $limit .' ROWS ONLY';
+            return $query . ' FETCH FIRST '. (int)$limit .' ROWS ONLY';
         } else {
             $sqlPieces = explode('from', $query);
             $select = $sqlPieces[0];
@@ -56,8 +56,8 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
 
             $sql = 'WITH OFFSET AS(' . $select . ', ROW_NUMBER() ' .
                'OVER(ORDER BY ' . $col[1] . ') AS doctrine_rownum FROM ' . $table . ')' .
-               $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . $offset .
-                   'AND ' . ($offset + $limit - 1);
+               $select . 'FROM OFFSET WHERE doctrine_rownum BETWEEN ' . (int)$offset .
+                   'AND ' . ((int)$offset + (int)$limit - 1);
             return $sql;
         }
     }

lib/Doctrine/Connection/Pgsql.php

@@ -142,14 +142,14 @@ public function modifyLimitQuery($query, $limit = false, $offset = false, $isMan
                 $from  = $match[2];
                 $where = $match[3];
                 $query = $manip . ' ' . $from . ' WHERE ctid=(SELECT ctid FROM '
-                       . $from . ' ' . $where . ' LIMIT ' . $limit . ')';
+                       . $from . ' ' . $where . ' LIMIT ' . (int)$limit . ')';
 
             } else {
                 if ( ! empty($limit)) {
-                  $query .= ' LIMIT ' . $limit;
+                  $query .= ' LIMIT ' . (int)$limit;
                 }
                 if ( ! empty($offset)) {
-                  $query .= ' OFFSET ' . $offset;
+                  $query .= ' OFFSET ' . (int)$offset;
                 }
             }
         }