From ad88e289070f73c1f2164933544ee5f17467a09d Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Thu, 15 Sep 2011 14:16:28 +0200
Subject: [PATCH] BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping
---
 code/search/AdvancedSearchForm.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/search/AdvancedSearchForm.php b/code/search/AdvancedSearchForm.php
index aa10b047..30577f2c 100755
--- a/code/search/AdvancedSearchForm.php
+++ b/code/search/AdvancedSearchForm.php
@@ -82,7 +82,7 @@ class AdvancedSearchForm extends SearchForm {
 foreach($_REQUEST['OnlyShow'] as $section => $checked) {
 $items = explode(",", $section);
 foreach($items as $item) {
- $page = DataObject::get_one('SiteTree', "\"URLSegment\" = '" . DB::getConn()->addslashes($item) . "'");
+ $page = DataObject::get_one('SiteTree', "\"URLSegment\" = '" . Convert::raw2sql($item) . "'");
 $pageList[] = $page->ID;
 if(!$page) user_error("Can't find a page called '$item'", E_USER_WARNING);
 $page->loadDescendantIDListInto($pageList);
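Review bot: The escaping fix is right, but the lines just below the changed one still dereference `$page` before checking it: `$pageList[] = $page->ID;` runs first, then `if(!$page)` only raises an E_USER_WARNING and falls through to `$page->loadDescendantIDListInto($pageList);`, so a `URLSegment` that matches nothing (and `$item` is taken from a user-supplied `$_REQUEST['OnlyShow']` key, so an attacker can trigger it at will) appends a null ID and then calls a method on a non-object. Move the guard ahead of the use and skip the item: `if(!$page) { user_error("Can't find a page called '$item'", E_USER_WARNING); continue; }` followed by `$pageList[] = $page->ID;` and `$page->loadDescendantIDListInto($pageList);`. The enclosing method starts before this hunk, so I cannot see whether `$_REQUEST['OnlyShow']` is checked to be an array before the outer `foreach`; if it is not, a scalar query value will also emit a warning here.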