Merge pull request #1308 from ss23/patch-10

BUG SQL Injection in CsvBulkLoader (fixes #6227)
Ingo Schommer 2013-03-19 05:03:56 -07:00
commit 5cad7fe9e3


@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
return false;
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR);
}
$SQL_fieldValue = $record[$fieldName];
$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
if($existingRecord) return $existingRecord;
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
@ -189,4 +189,4 @@ class CsvBulkLoader extends BulkLoader {
}
}
?>
?>
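Review bot: The value is now escaped, but on the `DataObject::get_one(...)` line in the first hunk `$SQL_fieldName` is still interpolated into the filter as a double-quoted identifier, and its assignment lies outside the hunk, so it is worth confirming that it only ever comes from the loader's duplicate-check configuration and never from a CSV header. `Convert::raw2sql()` is meant for string-literal context, so if it is what produces `$SQL_fieldName` it would presumably not neutralise a `"` inside an identifier. I would also add a why-comment above the changed line, `// $record holds raw CSV cell values; escape before building the WHERE clause`, and a regression test that imports a row whose duplicate-check column contains a single quote. The `callback` branch that follows is cut off by the hunk; it probably receives the unescaped `$record` value as well, so any callback that builds SQL needs the same treatment.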