fix: added missing escaping of strings

thorsten · Nov 4, 2022 · e8451b1 · e8451b1
1 parent eff4fce
commit e8451b1
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/phpmyfaq/src/phpMyFAQ/Attachment/AttachmentAbstract.php b/phpmyfaq/src/phpMyFAQ/Attachment/AttachmentAbstract.php
@@ -284,14 +284,14 @@ public function saveMeta(): int
                 $attachmentTableName,
                 $this->id,
                 $this->recordId,
-                $this->recordLang,
-                $this->realHash,
-                $this->virtualHash,
-                $this->passwordHash,
-                $this->filename,
+                $this->db->escape($this->recordLang),
+                $this->db->escape($this->realHash),
+                $this->db->escape($this->virtualHash),
+                $this->db->escape($this->passwordHash),
+                $this->db->escape($this->filename),
                 $this->filesize,
                 $this->encrypted ? 1 : 0,
-                $this->mimeType
+                $this->db->escape($this->mimeType)
             );
 
             $this->db->query($sql);
@@ -332,7 +332,7 @@ protected function postUpdateMeta(): void
                 mime_type = '%s'
             WHERE id = %d",
             Database::getTablePrefix(),
-            $this->virtualHash,
+            $this->db->escape($this->virtualHash),
             $this->readMimeType(),
             $this->id
         );
@@ -404,7 +404,7 @@ protected function linkedRecords(): bool
         $sql = sprintf(
             "SELECT COUNT(1) AS count FROM  %sfaqattachment WHERE virtual_hash = '%s'",
             Database::getTablePrefix(),
-            $this->virtualHash
+            $this->db->escape($this->virtualHash),
         );
 
         $result = $this->db->query($sql);