
Commit 8307859

committed
Disable the ability to call functions in escaped sql strings.
1 parent b9a10da commit 8307859


1 file changed

+7
-0
lines changed

1 file changed

+7
-0
lines changed

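--- a/library/database/class.sqldriver.php
+++ b/library/database/class.sqldriver.php
@@ -309,6 +309,13 @@ public function ConditionExpr($Field, $Value, $EscapeFieldSql = TRUE, $EscapeVal
 $Field = '@' . $Field;
 }
 if(is_array($Value)) {
+//$ValueStr = var_export($Value, TRUE);
+$ValueStr = 'ARRAY';
+Deprecated("Gdn_SQL->ConditionExpr(VALUE, {$ValueStr})", 'Gdn_SQL->ConditionExpr(VALUE, VALUE)');
+
+if ($EscapeValueSql)
+throw new Gdn_UserException('Invalid function call.');
+
 $FunctionCall = array_keys($Value);
 $FunctionCall = $FunctionCall[0];
 $FunctionArg = $Value[$FunctionCall];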
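Review bot: The new guard only rejects the array form when `$EscapeValueSql` is true; when a caller passes FALSE the function-call array still flows into `array_keys($Value)` and `$FunctionCall[0]` on the lines below, so every such call site must guarantee `$Value` is never built from request data — worth stating in the method's docblock, which lies outside the hunk along with the rest of ConditionExpr's body. Calling `Deprecated(...)` immediately before the `throw` sends two signals for one condition; if the array form is now an error in the escaped case, consider placing the `Deprecated()` call after the throw (or guarding it with `!$EscapeValueSql`) so only the still-supported unescaped path is reported as deprecated. The commented-out `//$ValueStr = var_export($Value, TRUE);` line should be dropped rather than committed, and the brace-less pair should read `if ($EscapeValueSql) { throw new Gdn_UserException('Invalid function call.'); }`. `Gdn_UserException` looks like a user-facing exception type; since an array `$Value` here is a caller bug rather than end-user input, a developer-facing exception, or at least a message that names `$Field`, would make the failure easier to trace in logs.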
