Fixes #1375: Metadata names and values are properly escaped.
authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Sun, 10 Jan 2010 22:13:16 +0000 (22:13 +0000)
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Sun, 10 Jan 2010 22:13:16 +0000 (22:13 +0000)
git-svn-id: http://code.elgg.org/elgg/trunk@3792 36083f99-b078-4883-b0ff-0f9b5a30f544

engine/lib/metadata.php

index d0ab818b9992265ab51f0e983dc118c578ed514a..d2851275dff640195b734c8b1c2bc4a13f243abc 100644 (file)
@@ -647,7 +647,7 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
                        if (!$name) {
                                $name = '0';
                        }
-                       $sanitised_names[] = "'$name'";
+                       $sanitised_names[] = '\'' . sanitise_string($name) . '\'';
                }
 
                if ($names_str = implode(',', $sanitised_names)) {
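Review bot: The escape-and-quote expression `'\'' . sanitise_string($name) . '\''` on L17 is repeated verbatim for values on L26 and again on L38; a small helper (e.g. a new `elgg_sql_quote($s)` returning `"'" . sanitise_string($s) . "'"`) would keep the quoting rule in one place and make any remaining raw interpolation in this function stand out. The preceding `if (!$name) { $name = '0'; }` normalises every falsy name (`''`, `'0'`, `null`) to `'0'` before it is escaped, which is pre-existing behaviour but affects which rows the IN list matches and deserves a comment such as `// falsy names are normalised to '0' to match how they are stored`. The enclosing function elgg_get_entity_metadata_where_sql starts before L12 and continues past L20.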
@@ -671,7 +671,7 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
                        if (!$value) {
                                $value = 0;
                        }
-                       $sanitised_values[] = "'$value'";
+                       $sanitised_values[] = '\'' . sanitise_string($value) . '\'';
                }
 
                if ($values_str = implode(',', $sanitised_values)) {
@@ -740,13 +740,15 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
                        // if the operand is IN don't quote it because quoting should be done already.
                        //$value = trim(strtolower($operand)) == 'in' ? $pair['value'] : "'{$pair['value']}'";
                        if (trim(strtolower($operand)) == 'in' || sanitise_int($pair['value'])) {
-                               $value = $pair['value'];
+                               $value = sanitise_string($pair['value']);
                        } else {
-                               $value = "'{$pair['value']}'";
+                               $value = '\'' . sanitise_string($pair['value']) . '\'';
                        }
 
+                       $name = sanitise_string($pair['name']);
+
                        $access = get_access_sql_suffix("md{$i}");
-                       $pair_wheres[] = "(msn{$i}.string = '{$pair['name']}' AND {$pair_binary}msv{$i}.string $operand $value AND $access)";
+                       $pair_wheres[] = "(msn{$i}.string = '$name' AND {$pair_binary}msv{$i}.string $operand $value AND $access)";
                        $i++;
                }
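Review bot: Applying sanitise_string on the unquoted branch (L35) does not make the value safe, because quote-escaping only has an effect inside a quoted literal; when that branch is taken for the integer case the emitted value should be the integer itself, `$value = (int) $pair['value'];`, since a string such as `123abc` passes the `sanitise_int(...)` truthiness test yet would be interpolated unquoted and essentially unchanged. For the IN case the same line is likely harmful rather than neutral: if sanitise_string escapes quote characters, a caller-supplied pre-quoted list like `('a','b')` is mangled into invalid SQL, and if it does not, that path is no safer than before, so the robust design is to accept an array and build the list here from individually escaped and quoted elements, the way `$sanitised_values` is built earlier in this function. `$operand` is still interpolated into the where clause on the new side (L45) with no visible validation; unless it is checked against a fixed set of operators earlier in elgg_get_entity_metadata_where_sql (outside this hunk), that remains an injection point the commit does not address. The enclosing function begins and ends outside the hunk.
```php
if (trim(strtolower($operand)) == 'in') {
    // Caller-supplied, pre-quoted list: escaping the whole fragment would
    // mangle its quotes. Prefer passing an array and quoting each element here.
    $value = $pair['value'];
} elseif (sanitise_int($pair['value'])) {
    // Emitted without quotes, so escaping is no protection: use the integer itself.
    $value = (int) $pair['value'];
} else {
    $value = '\'' . sanitise_string($pair['value']) . '\'';
}
// … unchanged: $name escaping, access suffix, $pair_wheres[] append, $i++ …
```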