Merge pull request #1308 from ss23/patch-10

BUG SQL Injection in CsvBulkLoader (fixes #6227)
2024-10-22 14:05:37 +02:00 · 2013-03-19 05:03:56 -07:00 · 2013-03-19 05:03:56 -07:00 · 5cad7fe9e3
commit 5cad7fe9e3
parent a8a10f8a1a 143317cc86
1 changed files with 2 additions and 2 deletions
--- a/dev/CsvBulkLoader.php
+++ b/dev/CsvBulkLoader.php
@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
 					return false;
 					//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR);
 				}
-				$SQL_fieldValue = $record[$fieldName];
+				$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
 				$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
 				if($existingRecord) return $existingRecord;
 			} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {