From 143317cc864636f46ff95d4a210a0b464efb7b27 Mon Sep 17 00:00:00 2001
From: Stephen Shkardoon <ss23@ss23.geek.nz>
Date: Wed, 20 Mar 2013 00:45:05 +1300
Subject: [PATCH] BUG SQL Injection in CsvBulkLoader (fixes #6227)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Diff should speak for itself, looks like this will have to be implemented in all supported branches. 
---
 dev/CsvBulkLoader.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev/CsvBulkLoader.php b/dev/CsvBulkLoader.php
index 7a223df17..365e1bd22 100644
--- a/dev/CsvBulkLoader.php
+++ b/dev/CsvBulkLoader.php
@@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
 					return false;
 					//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR);
 				}
-				$SQL_fieldValue = $record[$fieldName];
+				$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
 				$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
 				if($existingRecord) return $existingRecord;
 			} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
@@ -189,4 +189,4 @@ class CsvBulkLoader extends BulkLoader {
 	}
 	
 }
-?>
\ No newline at end of file
+?>