From c4af0e33dfd7501c7ec0b25c4361623b3a7c24a9 Mon Sep 17 00:00:00 2001
From: Graham Knop
Date: Tue, 5 Jul 2011 08:35:26 -0500
Subject: [PATCH] safer asset reading sql and better parameter validation

---
 lib/WebGUI/Asset.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/WebGUI/Asset.pm b/lib/WebGUI/Asset.pm
index 4f0dda7da..0cc72bf27 100644
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@@ -343,6 +343,9 @@ around BUILDARGS => sub {
 WebGUI::Error::InvalidParam->throw(error => "Cannot find revision date for assetId", param => $assetId);
 }
 }
+ elsif ( $revisionDate =~ /[^0-9]/) {
+ WebGUI::Error::InvalidParam->throw(error => "Invalid revision date given", param => $revisionDate);
+ }
 my $properties = $session->cache->get("asset".$assetId.$revisionDate);
 unless (exists $properties->{assetId}) { # can we get it from cache?
@@ -353,7 +356,8 @@ around BUILDARGS => sub {
 # join all the tables
 foreach my $table ($className->meta->get_tables) {
 $sql .= ",".$table;
- $where .= " and (asset.assetId=".$table.".assetId and ".$table.".revisionDate=".$revisionDate.")";
+ $where .= " and (asset.assetId=".$table.".assetId and ".$table.".revisionDate=?)";
+ push @$placeHolders, $revisionDate;
 }
 # fetch properties
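Review bot: The added `elsif` rejects non-digit characters but still accepts an empty string, because `/[^0-9]/` has nothing to match in `""`, so an empty `$revisionDate` would pass through to the cache key `"asset".$assetId.$revisionDate` and the SQL below as a blank value. An anchored positive match closes that gap with one line: `elsif ( $revisionDate !~ /\A[0-9]+\z/ ) {`. Whether `$revisionDate` can actually arrive undefined or empty depends on the preceding `if` condition, which lies outside the hunk, as does the rest of the `BUILDARGS` modifier. A comment such as `# must be a plain non-negative integer: it is interpolated into the cache key and bound into SQL below` would also record why the check sits before the cache lookup rather than after it.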
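Review bot: `$table` is still concatenated directly into both `$sql` and `$where` on the new side while only `$revisionDate` moved to a `?` placeholder; that is unavoidable, since DBI cannot bind identifiers, and presumably safe because the names come from `$className->meta->get_tables` rather than from the request, but the distinction deserves a comment so a later reader does not assume the whole clause is parameterized: `# $table comes from class metadata, not user input; identifiers cannot be bound, only revisionDate needs a placeholder`. The `push @$placeHolders, $revisionDate` must stay in the same order as the `?` markers appended to `$where`; inside the loop that holds, but `$placeHolders` and any earlier placeholders are set up outside this hunk, so the overall pairing cannot be confirmed from here. Both the enclosing `foreach` and the `BUILDARGS` modifier extend beyond the hunk.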