BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()…
…->addslashes() or PHP's deprecated addslashes() for database escaping
chillu committed Sep 15, 2011
1 parent 5cd1b52 commit b5ea2f6
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions code/AssetAdmin.php
Expand Up @@ -378,7 +378,7 @@ function getEditForm($id) {
public function movemarked($urlParams, $form) {
if($_REQUEST['DestFolderID'] && (is_numeric($_REQUEST['DestFolderID']) || ($_REQUEST['DestFolderID']) == 'root')) {
$destFolderID = ($_REQUEST['DestFolderID'] == 'root') ? 0 : $_REQUEST['DestFolderID'];
$fileList = "'" . ereg_replace(' *, *',"','",trim(addslashes($_REQUEST['FileIDs']))) . "'";
$fileList = "'" . ereg_replace(' *, *',"','",trim(Convert::raw2sql($_REQUEST['FileIDs']))) . "'";
$numFiles = 0;

if($fileList != "''") {
Expand Down Expand Up @@ -411,7 +411,7 @@ public function movemarked($urlParams, $form) {
* Called and returns in same way as 'save' function
*/
public function deletemarked($urlParams, $form) {
$fileList = "'" . ereg_replace(' *, *',"','",trim(addslashes($_REQUEST['FileIDs']))) . "'";
$fileList = "'" . ereg_replace(' *, *',"','",trim(Convert::raw2sql($_REQUEST['FileIDs']))) . "'";
$numFiles = 0;
$folderID = 0;
$deleteList = '';
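Review bot: Convert::raw2sql() on the new `$fileList = "'" . ereg_replace(...)` line in movemarked, and on the identical line in the deletemarked hunk, only escapes quote characters; FileIDs is still interpolated as free-form text rather than validated as a list of integer IDs, so the stronger fix is to enforce the shape, e.g. `$ids = array_filter(array_map('intval', explode(',', $_REQUEST['FileIDs'])));` followed by `$fileList = $ids ? "'" . implode("','", $ids) . "'" : "''";`, which keeps the later `$fileList != "''"` check working. The same lines still use ereg_replace(), deprecated since PHP 5.3 (preg_replace('/ *, */', ...) is the drop-in), and read $_REQUEST['FileIDs'] without an isset() guard. Both method bodies continue outside the hunks, so where $fileList is consumed, presumably a SQL IN list, cannot be confirmed here.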
