SECURITY: Fix unescaped SQL in paths.php rebuild_page_index()
authorDan
Wed, 19 Sep 2007 13:26:42 -0400
changeset 138 13561bde2e2c
parent 137 3bce0c320e80
child 139 070ff1509cc2
SECURITY: Fix unescaped SQL in paths.php rebuild_page_index()
includes/paths.php
--- a/includes/paths.php	Tue Sep 18 17:27:55 2007 -0400
+++ b/includes/paths.php	Wed Sep 19 13:26:42 2007 -0400
@@ -745,8 +745,13 @@
     {
       return false;
     }
+    foreach ( $cache as $key => $_unused )
+    {
+      $cache[$key] = $db->escape( $cache[$key] );
+    }
     $cache = "query LIKE '%" . implode ( "%' OR query LIKE '%", $cache ) . "%'";
-    $db->sql_query('DELETE FROM '.table_prefix.'search_cache WHERE '.$cache);
+    $sql = 'DELETE FROM '.table_prefix.'search_cache WHERE '.$cache;
+    $db->sql_query($sql);
     
     $query = $db->sql_query('SELECT word,page_names FROM '.table_prefix.'search_index WHERE '.$keys.';');
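Review bot: The escaping added in the `foreach` protects the SQL string literal but leaves the LIKE metacharacters `%` and `_` in each `$cache` entry active, so an entry containing them makes the `DELETE` on `search_cache` match more rows than the literal text would. If `$db->escape()` is a plain string-literal escaper (its body is not shown here), escape the pattern characters first, e.g. `$cache[$key] = $db->escape( addcslashes( $cache[$key], '\\%_' ) );`, assuming MySQL's default backslash LIKE escape. The `SELECT` on the last context line still concatenates `$keys`, which is built outside the hunk; confirm it is escaped the same way, since the commit title covers all of rebuild_page_index(). The function body starts and ends outside the hunk.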