Corrected a possible SQL injection bug in elgg_get_entity_metadata_where_sql().
authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Thu, 21 Jan 2010 17:42:34 +0000 (17:42 +0000)
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Thu, 21 Jan 2010 17:42:34 +0000 (17:42 +0000)
git-svn-id: http://code.elgg.org/elgg/trunk@3825 36083f99-b078-4883-b0ff-0f9b5a30f544

engine/lib/metadata.php

index 955939e42f395da7ca99cbbc863832a29bbb5f2f..d4652cf7fe98415675c405bf1df81346e1659e12 100644 (file)
@@ -739,9 +739,11 @@ function elgg_get_entity_metadata_where_sql($table, $names = NULL, $values = NUL
                        // if the value is an int, don't quote it because str '15' < str '5'
                        // if the operand is IN don't quote it because quoting should be done already.
                        //$value = trim(strtolower($operand)) == 'in' ? $pair['value'] : "'{$pair['value']}'";
-                       if (trim(strtolower($operand)) == 'in' || sanitise_int($pair['value'])) {
+                       if (trim(strtolower($operand)) == 'in' || is_numeric($pair['value'])) {
+                               var_dump(sanitise_int($pair['value']));
                                $value = sanitise_string($pair['value']);
                        } else {
+                               var_dump("Not clenaing {$pair['value']}");
                                $value = '\'' . sanitise_string($pair['value']) . '\'';
                        }
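Review bot: The two added `var_dump()` calls (one in the `is_numeric` branch, one in the `else` branch) are debugging output left inside a SQL-building helper, so every call prints the raw `$pair['value']` into the response unescaped; both lines should be deleted. Separately, the first branch still emits the value without quotes, and string escaping does not constrain a value placed outside quotes, so the `in` case depends entirely on the caller having quoted and escaped each list item, as the comment above it says. I would state that contract at the branch with `// IN: caller must pass a pre-quoted, pre-escaped list; sanitise_string() cannot protect an unquoted value`, or validate the list items here. `is_numeric()` also accepts forms such as `'1e5'` or `' 5'`, which then reach the query unquoted; that is presumably harmless as a numeric literal, but worth a test. The enclosing function starts and ends outside this hunk.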