added escaping to get_entities_from_private_setting_multi()

git-svn-id: http://code.elgg.org/elgg/trunk@6872 36083f99-b078-4883-b0ff-0f9b5a30f544

diff --git a/engine/lib/entities.php b/engine/lib/entities.php
index 95807aab58c5a0ed6f42a8519fb203db6ef65bb0..813759c8b0a2f885e6ee6494d991a7f8aaae8a99 100644 (file)
--- a/engine/lib/entities.php
+++ b/engine/lib/entities.php
@@ -3546,6 +3546,7 @@ function get_entities_from_private_setting_multi(array $name, $type = "", $subty
                $i = 1;
                foreach ($name as $k => $n) {
                        $k = sanitise_string($k);
+                       $n = sanitise_string($n);
                        $s_join .= " JOIN {$CONFIG->dbprefix}private_settings s$i ON e.guid=s$i.entity_guid";
                        $where[] = "s$i.name = '$k'";
                        $where[] = "s$i.value = '$n'";