From 2cea1ced316ba96d78b2e1cbe06ab7cfe0fe152c Mon Sep 17 00:00:00 2001
From: Frank Mullenger
Date: Mon, 21 Sep 2015 08:37:12 +1200
Subject: [PATCH] Update UserDefinedForm.php

Casting to integer to prevent potential SQL injection.
---
 code/model/UserDefinedForm.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/code/model/UserDefinedForm.php b/code/model/UserDefinedForm.php
index f92e734..fbbb0c4 100755
--- a/code/model/UserDefinedForm.php
+++ b/code/model/UserDefinedForm.php
@@ -152,7 +152,7 @@ class UserDefinedForm extends Page {
 );
 // make sure a numeric not a empty string is checked against this int column for SQL server
-$parentID = (!empty($self->ID)) ? $self->ID : 0;
+$parentID = (!empty($self->ID)) ? (int)$self->ID : 0;
 // get a list of all field names and values used for print and export CSV views of the GridField below.
 $columnSQL = <<