
Disable the ability to call functions in escaped sql strings.

commit 83078591bc4d263e77d2a2ca283100997755290d 1 parent b9a10da
Todd Burry authored

Showing 1 changed file with 7 additions and 0 deletions.

7  library/database/class.sqldriver.php
@@ -309,6 +309,13 @@ public function ConditionExpr($Field, $Value, $EscapeFieldSql = TRUE, $EscapeVal
309 309
          $Field = '@' . $Field;
310 310
       }
311 311
       if(is_array($Value)) {
  312
+         //$ValueStr = var_export($Value, TRUE);
  313
+         $ValueStr = 'ARRAY';
  314
+         Deprecated("Gdn_SQL->ConditionExpr(VALUE, {$ValueStr})", 'Gdn_SQL->ConditionExpr(VALUE, VALUE)');
  315
+         
  316
+         if ($EscapeValueSql)
  317
+            throw new Gdn_UserException('Invalid function call.');
  318
+         
312 319
          $FunctionCall = array_keys($Value);
313 320
          $FunctionCall = $FunctionCall[0];
314 321
          $FunctionArg = $Value[$FunctionCall];
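Review bot: the new guard at line 316 only covers the escaped path; when `$EscapeValueSql` is FALSE the first array key is still taken verbatim as the SQL function name at lines 319-320 (`$FunctionCall = array_keys($Value); $FunctionCall = $FunctionCall[0];`) with no validation, so consider checking it against an identifier pattern or an allow-list of permitted functions before it reaches the query text. Two smaller points in the same hunk: the `Deprecated(...)` notice at line 314 fires before the throw, so calls that are rejected still emit a deprecation message, and the commented-out `var_export` line at 312 is dead code that could be dropped; the braceless `if` at 316 also differs from the braced style of the surrounding code.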
