From 80e71b5ccf77c6a8f2f69b412f54dd7395929c49 Mon Sep 17 00:00:00 2001
From: Sean Harvey
Date: Wed, 9 Jul 2008 06:34:28 +0000
Subject: [PATCH] BUGFIX SQL injection possibility fix on MultiForm->getSessionRecordByID()
---
 code/MultiForm.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/code/MultiForm.php b/code/MultiForm.php
index 2a3c4b9..2ba1e0a 100644
--- a/code/MultiForm.php
+++ b/code/MultiForm.php
@@ -257,8 +257,9 @@ abstract class MultiForm extends Form {
 * @param int|string $id The ID of the record to retrieve
 * @return MultiFormSession
 */
- function getSessionRecordByID($id) {
- return DataObject::get_one('MultiFormSession', "MultiFormSession.ID = $id AND IsComplete = 0");
+ function getSessionRecordByID($id) {
+ $SQL_id = (int)$id;
+ return DataObject::get_one('MultiFormSession', "MultiFormSession.ID = {$SQL_id} AND IsComplete = 0");
 }
 /**
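Review bot: The `(int)$id` cast in getSessionRecordByID() closes the injection, but it coerces malformed input instead of rejecting it: a value such as `12abc` is looked up as 12, and a non-numeric string as 0. Rejecting anything that is not all digits before the cast, e.g. `if(!ctype_digit((string)$id)) return null;` (assuming callers already handle a missing record), would stop a tampered ID from resolving to a real session row and would give a clear point to log the attempt. The docblock, which opens above the hunk, still advertises `int|string` without saying what happens to a string; a line such as `The value is cast to an integer before it is used in the query.` would document the new contract. If $id reaches this method from the request, the lookup is by ID alone, so it is worth confirming outside this hunk that the session found belongs to the current visitor.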