
BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()…

…->addslashes() or PHP's deprecated addslashes() for database escaping
commit b5ea2f68feab41f969a2e6f0589dd55015f74098 1 parent 5cd1b52
Ingo Schommer authored

Showing 1 changed file with 2 additions and 2 deletions. Show diff stats Hide diff stats

  1. 4  code/AssetAdmin.php
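--- a/code/AssetAdmin.php
+++ b/code/AssetAdmin.php
@@ -378,7 +378,7 @@ function getEditForm($id) {
 	public function movemarked($urlParams, $form) {
 		if($_REQUEST['DestFolderID'] && (is_numeric($_REQUEST['DestFolderID']) || ($_REQUEST['DestFolderID']) == 'root')) {
 			$destFolderID = ($_REQUEST['DestFolderID'] == 'root') ? 0 : $_REQUEST['DestFolderID'];
-			$fileList = "'" . ereg_replace(' *, *',"','",trim(addslashes($_REQUEST['FileIDs']))) . "'";
+			$fileList = "'" . ereg_replace(' *, *',"','",trim(Convert::raw2sql($_REQUEST['FileIDs']))) . "'";
 			$numFiles = 0;
 	
 			if($fileList != "''") {
@@ -411,7 +411,7 @@ public function movemarked($urlParams, $form) {
 	 * Called and returns in same way as 'save' function
 	 */
 	public function deletemarked($urlParams, $form) {
-		$fileList = "'" . ereg_replace(' *, *',"','",trim(addslashes($_REQUEST['FileIDs']))) . "'";
+		$fileList = "'" . ereg_replace(' *, *',"','",trim(Convert::raw2sql($_REQUEST['FileIDs']))) . "'";
 		$numFiles = 0;
 		$folderID = 0;
 		$deleteList = '';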
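Review bot: Both hunks (movemarked and deletemarked) still build `$fileList` by escaping the whole request string and then splitting it on commas, although FileIDs is presumably a comma-separated list of integer record ids; the SQL that consumes `$fileList` lies below the hunk, as does the rest of both method bodies. Switching to Convert::raw2sql() is the right fix for the escaper, but since only integers are meaningful here a numeric whitelist is the tighter contract and removes the reliance on escaping altogether: `$ids = array_filter(array_map('intval', preg_split('/\s*,\s*/', trim($_REQUEST['FileIDs']))));` followed by `$fileList = "'" . implode("','", $ids) . "'";` drops any non-numeric entry (and 0) while keeping the `"''"` shape that the later `if($fileList != "''")` check relies on. This also retires ereg_replace(), which is deprecated as of PHP 5.3, in favour of preg_split(). Note that `$_REQUEST['FileIDs']` is read without an isset() guard in both hunks, so a request lacking that parameter raises a notice before anything is escaped.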
