BUG SQL Injection in CsvBulkLoader (fixes #6227)
Diff should speak for itself, looks like this will have to be implemented in all supported branches.
This commit is contained in:
parent
f0c893bd60
commit
bfbc7bca1b
@ -154,7 +154,7 @@ class CsvBulkLoader extends BulkLoader {
|
||||
return false;
|
||||
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' in columns", E_USER_ERROR);
|
||||
}
|
||||
$SQL_fieldValue = $record[$fieldName];
|
||||
$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
|
||||
$existingRecord = DataObject::get_one($this->objectClass, "`$SQL_fieldName` = '{$SQL_fieldValue}'");
|
||||
if($existingRecord) return $existingRecord;
|
||||
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
|
||||
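Review bot: The new `$SQL_fieldValue = Convert::raw2sql(...)` line closes the injection for the value, but `$SQL_fieldName`, interpolated into the backticks on the `DataObject::get_one` line, is neither escaped nor validated anywhere in this hunk; if it comes from the loader's duplicate-check configuration rather than from CSV cells that is tolerable, but it deserves a comment such as `// $SQL_fieldName comes from duplicateChecks config, not from CSV data; only the CSV value is untrusted` or a guard like `if (!preg_match('/^[A-Za-z0-9_]+$/', $SQL_fieldName)) return false;`. Also note that escaping alone only works because the value is wrapped in single quotes in the filter string — a later edit that drops the quotes for a numeric column would reintroduce the injection — so on branches whose ORM supports it a parameterised lookup, `DataList::create($this->objectClass)->filter($fieldName, $record[$fieldName])->first()`, is the safer form and does not depend on the backend's escaping rules. The enclosing method starts and ends outside this hunk.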
@ -180,4 +180,4 @@ class CsvBulkLoader extends BulkLoader {
|
||||
}
|
||||
|
||||
}
|
||||
?>
|
||||
?>
|
||||
|