tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

[SS-2018-020] Ensure that table names are escaped to prevent possible SQL injection

Browse Source
This commit is contained in:
Robbie Averill 2018-11-07 12:12:44 +02:00 committed by Aaron Carlino
parent 3f532466d1
commit fecedc2d98
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/ORM/DataObjectSchema.php
View File

@ -8,6 +8,7 @@ use LogicException;
use SilverStripe\Core\ClassInfo; use SilverStripe\Core\ClassInfo;
use SilverStripe\Core\Config\Config; use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Config\Configurable; use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Convert;
use SilverStripe\Core\Injector\Injectable; use SilverStripe\Core\Injector\Injectable;
use SilverStripe\Core\Injector\Injector; use SilverStripe\Core\Injector\Injector;
use SilverStripe\Dev\TestOnly; use SilverStripe\Dev\TestOnly;
@ -125,7 +126,7 @@ class DataObjectSchema
$tables = $this->getTableNames(); $tables = $this->getTableNames();
$class = ClassInfo::class_name($class); $class = ClassInfo::class_name($class);
if (isset($tables[$class])) { if (isset($tables[$class])) {
return $tables[$class]; return Convert::raw2sql($tables[$class]);
} }
return null; return null;
} }