BUG SQL Injection in CsvBulkLoader (fixes #6227)

The diff should speak for itself; it looks like this will have to be applied to all supported branches.
This commit is contained in:
Stephen Shkardoon 2013-03-20 00:45:05 +13:00 committed by Ingo Schommer
parent f0c893bd60
commit bfbc7bca1b


@ -154,7 +154,7 @@ class CsvBulkLoader extends BulkLoader {
return false;
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR);
}
$SQL_fieldValue = $record[$fieldName];
$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
$existingRecord = DataObject::get_one($this->objectClass, "`$SQL_fieldName` = '{$SQL_fieldValue}'");
if($existingRecord) return $existingRecord;
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
@ -180,4 +180,4 @@ class CsvBulkLoader extends BulkLoader {
}
}
?>
?>
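Review bot: The column identifier `$SQL_fieldName` on the `DataObject::get_one` line of the first hunk is still interpolated into the backtick-quoted filter with no escaping visible in the hunk, so the new `Convert::raw2sql` on the value only closes the value half of the filter string; its assignment is above the hunk, so it is presumably already sanitised, but that is worth confirming. Since `raw2sql` escapes for a quoted string literal rather than for an identifier, a column name that appears to come from the `$duplicateCheck` configuration is better validated against the object class's declared fields (rejecting unknown names) than escaped. A short comment on the new line, `// escape the CSV-supplied value: get_one() receives a raw SQL filter string`, would record why the escape is required at this call site. The second hunk (closing `?>` tag) changes only whitespace and needs nothing.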