Fixes #2698 not sanitizing strings to prevent double encoding

git-svn-id: http://code.elgg.org/elgg/trunk@7798 36083f99-b078-4883-b0ff-0f9b5a30f544

diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index f2b1fd6423169a442a2a82b41e5e6c463d5e0c2c..c15a163b7117b9c72a812e8b025780bdd0284cfa 100644 (file)
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -58,20 +58,18 @@ function get_metadata($id) {
 function remove_metadata($entity_guid, $name, $value = "") {
        global $CONFIG;
        $entity_guid = (int) $entity_guid;
-       $name = sanitise_string($name);
-       $value = sanitise_string($value);
        
-       $name = get_metastring_id($name);
-       if ($name === FALSE) {
+       $name_id = get_metastring_id($name);
+       if ($name_id === FALSE) {
                // name doesn't exist
                return FALSE;
        }
 
-       $query = "SELECT * from {$CONFIG->dbprefix}metadata WHERE entity_guid = '$entity_guid' and name_id = '$name'";
+       $query = "SELECT * from {$CONFIG->dbprefix}metadata WHERE entity_guid = '$entity_guid' and name_id = '$name_id'";
        if ($value != "") {
-               $value = get_metastring_id($value);
-               if ($value !== FALSE) {
-                       $query .= " AND value_id = '$value'";
+               $value_id = get_metastring_id($value);
+               if ($value_id !== FALSE) {
+                       $query .= " AND value_id = '$value_id'";
                }
        }