BUGFIX Fixed possible SQL injection in file name part for File::find()

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@73437 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Sean Harvey 2009-03-20 01:39:57 +00:00 committed by Sam Minnee
parent 3973a6a47e
commit 4513631a54


@ -70,7 +70,8 @@ class File extends DataObject {
foreach($parts as $part) {
if($part == "assets" && !$parentID) continue;
$item = DataObject::get_one('File', "Name = '$part' AND ParentID = $parentID");
$SQL_part = Convert::raw2sql($part);
$item = DataObject::get_one('File', "Name = '$SQL_part' AND ParentID = $parentID");
if(!$item) break;
$parentID = $item->ID;
}
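Review bot: `$parentID` is still interpolated unescaped into the `ParentID = $parentID` clause of the new query line, so the fix only covers the file-name half of the WHERE condition; inside the loop the variable is reassigned from `$item->ID`, but its initial value is set outside this hunk and cannot be confirmed here. Casting at the point of use, `$item = DataObject::get_one('File', "Name = '$SQL_part' AND ParentID = " . (int)$parentID);`, keeps the query safe regardless of how the caller seeds it. The loose comparison `$part == "assets"` two lines above could also become `===`. The enclosing File::find() method begins outside the hunk.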