BUG SQL Injection in CsvBulkLoader (fixes #6227)

Diff should speak for itself, looks like this will have to be implemented in all supported branches.
This commit is contained in:
Stephen Shkardoon 2013-03-20 00:45:05 +13:00
parent a8a10f8a1a
commit 143317cc86

View File

@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
return false; return false;
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR); //user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR);
} }
$SQL_fieldValue = $record[$fieldName]; $SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'"); $existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
if($existingRecord) return $existingRecord; if($existingRecord) return $existingRecord;
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) { } elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
@ -189,4 +189,4 @@ class CsvBulkLoader extends BulkLoader {
} }
} }
?> ?>