
Make sure we quote that sucker

1 parent e36ea05 commit 1850a83f6934d2896a15455490b6f94a8bbcd156 @pudge pudge committed Sep 16, 2003
Showing with 8 additions and 7 deletions.
  1. +8 −7 Slash/DB/MySQL/MySQL.pm
@@ -7319,6 +7319,7 @@ sub getUsersNicknamesByUID {
sub getUser {
my($self, $id, $val) = @_;
my $answer;
+ my $id_q = $self->sqlQuote($id);
my $constants = getCurrentStatic();
my $start_time = Time::HiRes::time;
@@ -7376,25 +7377,25 @@ sub getUser {
chop($values);
for (sort keys %tables) {
- $where .= "$_.uid=$id AND ";
+ $where .= "$_.uid=$id_q AND ";
}
$where =~ s/ AND $//;
$table = join ',', keys %tables;
$answer = $self->sqlSelectHashref($values, $table, $where)
if $values;
for (@param) {
- $answer->{$_} = $self->sqlSelect('value', 'users_param', "uid=$id AND name='$_'");
+ $answer->{$_} = $self->sqlSelect('value', 'users_param', "uid=$id_q AND name='$_'");
}
} elsif ($val) {
(my $clean_val = $val) =~ s/^-//;
my $table = $self->{$cache}{$clean_val};
if ($table) {
- $answer = $self->sqlSelect($val, $table, "uid=$id");
+ $answer = $self->sqlSelect($val, $table, "uid=$id_q");
} else {
# First we try it as an acl param -acs
- $answer = $self->sqlSelect('value', 'users_param', "uid=$id AND name='$val'");
+ $answer = $self->sqlSelect('value', 'users_param', "uid=$id_q AND name='$val'");
}
} else {
@@ -7424,7 +7425,7 @@ sub getUser {
@tables_thispass = @tables_ordered;
}
my $table = join(",", @tables_thispass);
- my $where = join(" AND ", map { "$_.uid=$id" } @tables_thispass);
+ my $where = join(" AND ", map { "$_.uid=$id_q" } @tables_thispass);
if (!$answer) {
$answer = $self->sqlSelectHashref('*', $table, $where);
} else {
@@ -7438,11 +7439,11 @@ sub getUser {
}
my($append_acl, $append);
- $append_acl = $self->sqlSelectColArrayref('acl', 'users_acl', "uid=$id");
+ $append_acl = $self->sqlSelectColArrayref('acl', 'users_acl', "uid=$id_q");
for (@$append_acl) {
$answer->{acl}{$_} = 1;
}
- $append = $self->sqlSelectAll('name,value', 'users_param', "uid=$id");
+ $append = $self->sqlSelectAll('name,value', 'users_param', "uid=$id_q");
for (@$append) {
$answer->{$_->[0]} = $_->[1];
}
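Review bot: The commit quotes `$id` everywhere it is interpolated into SQL, but the `name=` predicates on the new lines `"uid=$id_q AND name='$_'"` (users_param lookup in the `@param` loop) and `"uid=$id_q AND name='$val'"` (the acl-param fallback) still splice `$_` and `$val` into the string as bare single-quoted literals, so a value containing a quote breaks or alters the statement. For consistency with the rest of this change, build those clauses with the same helper, e.g. `"uid=$id_q AND name=" . $self->sqlQuote($_)` and `"uid=$id_q AND name=" . $self->sqlQuote($val)`. Whether `$val` can carry caller-supplied text cannot be told from these hunks, and the column-name use of `$val` in `$self->sqlSelect($val, $table, ...)` is separately gated by the `$self->{$cache}{$clean_val}` lookup, so the quoting fix is limited to the two `name=` comparisons. Note that `sub getUser` opens in the first hunk but its body continues past the last hunk shown here.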
