From 2cea1ced316ba96d78b2e1cbe06ab7cfe0fe152c Mon Sep 17 00:00:00 2001
From: Frank Mullenger <frankmullenger@gmail.com>
Date: Mon, 21 Sep 2015 08:37:12 +1200
Subject: [PATCH] Update UserDefinedForm.php

Casting to integer to prevent potential SQL injection.
---
 code/model/UserDefinedForm.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/code/model/UserDefinedForm.php b/code/model/UserDefinedForm.php
index f92e734..fbbb0c4 100755
--- a/code/model/UserDefinedForm.php
+++ b/code/model/UserDefinedForm.php
@@ -152,7 +152,7 @@ class UserDefinedForm extends Page {
 			);
 
 			// make sure a numeric not a empty string is checked against this int column for SQL server
-			$parentID = (!empty($self->ID)) ? $self->ID : 0;
+			$parentID = (!empty($self->ID)) ? (int)$self->ID : 0;
 
 			// get a list of all field names and values used for print and export CSV views of the GridField below.
 			$columnSQL = <<<SQL