BUG SQL Injection in CsvBulkLoader (fixes #6227)

The diff should speak for itself; it looks like this will have to be implemented in all supported branches.
Stephen Shkardoon 2013-03-20 00:45:05 +13:00
parent a8a10f8a1a
commit 143317cc86


@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
return false;
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR);
}
$SQL_fieldValue = $record[$fieldName];
$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
if($existingRecord) return $existingRecord;
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
@ -189,4 +189,4 @@ class CsvBulkLoader extends BulkLoader {
}
}
?>
?>
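Review bot: The new `Convert::raw2sql` line escapes the value side of the WHERE clause, but the `DataObject::get_one` call on the next line also interpolates `$SQL_fieldName` as the quoted identifier, and that variable is assigned above the hunk, so the hunk alone does not show whether it is validated or escaped; confirm that it comes from the loader's configured duplicate check rather than from the CSV row, and record that in a comment such as `// $SQL_fieldName is the configured duplicate-check column, not CSV data; only the value needs escaping here`. Because the clause is still assembled by string interpolation, it remains one missed `raw2sql` away from the same bug, so if this framework branch offers a parameterised filter form that would be the more durable fix. The enclosing method (apparently `processRecord`, per the commented-out `user_error` on the context line) starts and ends outside the hunk. The second hunk appears to touch only the closing `?>` tag; since this file declares a class, dropping the closing tag entirely avoids the trailing-whitespace output problems that tag invites.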