[SS-2018-020] Ensure that table names are escaped to prevent possible…

… SQL injection
silverstripe · Dec 11, 2018 · 48bd335 · 48bd335
1 parent 6edcbe9
commit 48bd335
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/ORM/DataObjectSchema.php b/src/ORM/DataObjectSchema.php
@@ -8,6 +8,7 @@
 use SilverStripe\Core\ClassInfo;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Core\Config\Configurable;
+use SilverStripe\Core\Convert;
 use SilverStripe\Core\Injector\Injectable;
 use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Dev\TestOnly;
@@ -125,7 +126,7 @@ public function tableName($class)
         $tables = $this->getTableNames();
         $class = ClassInfo::class_name($class);
         if (isset($tables[$class])) {
-            return $tables[$class];
+            return Convert::raw2sql($tables[$class]);
         }
         return null;
     }