Fixed potential sql injection points
UndefinedOffset committed Oct 13, 2015
1 parent d02049f commit 2e14b0f
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions code/control/KapostService.php
Expand Up @@ -121,11 +121,11 @@ public function index() {
*/
public function preview() {
$auth=$this->request->getVar('auth');
$token=KapostPreviewToken::get()->filter('Code', Convert::raw2xml($auth))->first();
$token=KapostPreviewToken::get()->filter('Code', Convert::raw2sql($auth))->first();

//Verify the token exists and hasn't expired yet
if(!empty($token) && $token!==false && $token->exists() && time()-strtotime($token->Created)<self::config()->preview_expiry*60 && $token->KapostRefID==$this->urlParams['ID']) {
$kapostObj=KapostObject::get()->filter('KapostRefID', Convert::raw2xml($this->urlParams['ID']))->sort('"Created" DESC')->first();
$kapostObj=KapostObject::get()->filter('KapostRefID', Convert::raw2sql($this->urlParams['ID']))->sort('"Created" DESC')->first();
if(!empty($kapostObj) && $kapostObj!==false && $kapostObj->exists()) {
$previewController=$kapostObj->renderPreview();

Expand Down Expand Up @@ -734,7 +734,7 @@ protected function getPreview($blog_id, $content, $content_id) {


//Detect if the record already exists or not so we can decide whether to create a new record or edit an existing
$existing=KapostObject::get()->filter('KapostRefID', Convert::raw2xml($content_id))->first();
$existing=KapostObject::get()->filter('KapostRefID', Convert::raw2sql($content_id))->first();
if(!empty($existing) && $existing!==false && $existing->exists()) {
$resultID=$content_id;

Expand All @@ -743,7 +743,7 @@ protected function getPreview($blog_id, $content, $content_id) {
$resultID=$this->newPost($blog_id, $content, false, true);

//Find the object
$existing=KapostObject::get()->filter('KapostRefID', Convert::raw2xml($resultID))->first();
$existing=KapostObject::get()->filter('KapostRefID', Convert::raw2sql($resultID))->first();
}

//Make sure we got the kapost hash back or an id if we got an object back we assume that it's a response
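Review bot: Wrapping the value in `Convert::raw2sql()` before passing it to `->filter(...)` looks redundant and may double-escape: SilverStripe's `DataList::filter()` quotes or parameterises its values through its own search filters, so a `Code` or `KapostRefID` containing a quote or backslash would be escaped twice and silently fail to match, while a value without such characters gains nothing from the wrapper. Unless this project's ORM version is known to pass filter values through unescaped (worth confirming before merging), the safer change is to rely on the ORM's binding and pass the raw value, e.g. `->filter('Code', $auth)` — `raw2xml` was the wrong escaper for a SQL context, but the fix should be the ORM's own quoting rather than a second layer on top of it. Separately, on the unchanged line in the first hunk, `$token->KapostRefID==$this->urlParams['ID']` is a loose comparison that treats numeric-looking strings such as `"1e3"` and `"1000"` as equal; `(string)$token->KapostRefID === (string)$this->urlParams['ID']` keeps the intent without that behaviour. `preview()` continues past the end of the first hunk, and the second and third hunks sit inside a method whose start is outside this view.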
