Fix a potential SQL injection issue with Thingy.

This commit is contained in:
Colin Kuskie 2010-10-11 13:12:20 -07:00
parent 106fcaedf7
commit a41ae977fe
2 changed files with 2 additions and 1 deletions


@ -3,6 +3,7 @@
- fixed #11908: Inbox messages linger after deleting a user
- fixed #11909: Wrong message count in the inbox
- fixed #11773: Form injection in the EMS event ordering code.
- fixed #11773: SQL injection vulnerability in Edit Thing form processing code.
7.10.2
- fixed #11884: Editing Templates impossible / Code editor not loaded


@ -2203,7 +2203,7 @@ sub www_editThingSave {
my $displayInSearch = $self->session->form->process("displayInSearch_".$field->{fieldId}) || 0;
my $searchIn = $self->session->form->process("searchIn_".$field->{fieldId}) || 0;
$self->session->db->write("update Thingy_fields set display = ".$display.", viewScreenTitle = ".$viewScreenTitle.", displayinSearch = ".$displayInSearch.", searchIn = ".$searchIn." where fieldId = ".$self->session->db->quote($field->{fieldId})." and thingId = ".$self->session->db->quote($thingId));
$self->session->db->write("update Thingy_fields set display = ?, viewScreenTitle = ?, displayinSearch = ?, searchIn = ? where fieldId = ? and thingId = ?",[$display, $viewScreenTitle, $displayInSearch, $searchIn, $field->{fieldId}, $thingId]);
}
return $self->www_manage;
}
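Review bot: The bound placeholders on the new write() line remove the interpolation, but `$displayInSearch` and `$searchIn` are still taken directly from `->form->process(...) || 0` and stored without normalization, so any non-flag value the client submits is written as-is wherever the column type tolerates it. If these are meant to be boolean columns, consider `my $displayInSearch = $self->session->form->process("displayInSearch_".$field->{fieldId}) ? 1 : 0;` and the same for `$searchIn`, so the stored value is always 0 or 1. `$display` and `$viewScreenTitle` are assigned above the hunk, so their provenance cannot be checked here; it is worth confirming they come through the same form processing and are not interpolated into any other query in this sub. www_editThingSave begins before this hunk, and the loop around the write closes at the `}` above the `return`.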