
Disable the ability to call functions in escaped sql strings.

1 parent b9a10da commit 83078591bc4d263e77d2a2ca283100997755290d @tburry tburry committed Apr 5, 2013
Showing with 7 additions and 0 deletions.
  1. +7 −0 library/database/class.sqldriver.php
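--- a/library/database/class.sqldriver.php
+++ b/library/database/class.sqldriver.php
@@ -309,6 +309,13 @@ public function ConditionExpr($Field, $Value, $EscapeFieldSql = TRUE, $EscapeVal
 $Field = '@' . $Field;
 }
 if(is_array($Value)) {
+//$ValueStr = var_export($Value, TRUE);
+$ValueStr = 'ARRAY';
+Deprecated("Gdn_SQL->ConditionExpr(VALUE, {$ValueStr})", 'Gdn_SQL->ConditionExpr(VALUE, VALUE)');
+
+if ($EscapeValueSql)
+throw new Gdn_UserException('Invalid function call.');
+
 $FunctionCall = array_keys($Value);
 $FunctionCall = $FunctionCall[0];
 $FunctionArg = $Value[$FunctionCall];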
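Review bot: The guard `if ($EscapeValueSql) throw new Gdn_UserException('Invalid function call.');` is placed after the `Deprecated(...)` call, so a rejected call still emits the deprecation notice before it is refused; moving the throw above the `Deprecated` line keeps the rejected path side-effect free, and the commented-out `//$ValueStr = var_export($Value, TRUE);` should be deleted rather than left in place, since it documents an abandoned variant that would have copied caller-supplied array contents into the notice text. The exception type reads as a user-facing error (hedged: Gdn_UserException's display semantics are not visible here), whereas passing a function-call array with escaping enabled is a programming error by the caller; a short comment such as `// Function-call arrays are only honoured when the caller explicitly opted out of escaping.` would make the intent of the check clear to the next maintainer. The bare single-statement `if` without braces is also a style point against the project's brace conventions elsewhere in the hunk. ConditionExpr begins before this hunk and continues after it.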
