
Commit f7f9357

committed
Ajax calls: escape fields
1 parent 93be016 commit f7f9357


3 files changed

+15
-4
lines changed


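--- a/main/inc/ajax/model.ajax.php
+++ b/main/inc/ajax/model.ajax.php
@@ -109,6 +109,8 @@ function getWhereClause($col, $oper, $val)
 'nc' => 'NOT LIKE', //doesn't contain
 ];
 
+$col = Database::escapeField($col);
+
 if (empty($col)) {
 return '';
 }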
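--- a/main/inc/lib/database.lib.php
+++ b/main/inc/lib/database.lib.php
@@ -833,4 +833,9 @@ public static function listTableColumns($table)
 {
 return self::getManager()->getConnection()->getSchemaManager()->listTableColumns($table);
 }
+
+public static function escapeField($field)
+{
+return self::escape_string(preg_replace("/[^a-zA-Z0-9_]/", '', $field));
+}
 }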
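Review bot: `escapeField` has no docblock and no types, and its contract (strip, rather than reject, every character outside `[A-Za-z0-9_]`) is not stated, even though the callers in this commit depend on the resulting '' to bail out. Suggest `/** Reduces $field to the identifier-safe characters [A-Za-z0-9_]; dots, spaces and quotes are removed, not rejected, so a table-qualified name such as t.col becomes tcol. Returns '' when nothing remains. */` above it and `public static function escapeField(string $field): string`. After the regex there is nothing left for `escape_string` to escape, so the wrapping call is redundant unless it does more than quoting (its body is not on the page). Also note that `preg_replace` returns null on a PCRE error, which the untyped signature would pass through as a non-string; `?? ''` on the result would close that gap.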

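--- a/main/inc/lib/extra_field.lib.php
+++ b/main/inc/lib/extra_field.lib.php
@@ -2620,6 +2620,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
 }
 } else {
 // Extra fields
+$ruleField = Database::escapeField($rule->field);
 if (false === strpos($rule->field, '_second')) {
 // No _second
 $original_field = str_replace($stringToSearch, '', $rule->field);
@@ -2642,7 +2643,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
 $conditionArray[] = ' ('
 .$this->get_where_clause($rule->field, $rule->op, $rule->data)
 .') ';
-$extraFields[] = ['field' => $rule->field, 'id' => $field_option['id']];
+$extraFields[] = ['field' => $ruleField, 'id' => $field_option['id']];
 }
 break;
 case self::FIELD_TYPE_TAG:
@@ -2654,7 +2655,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
 //$where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
 //$conditionArray[] = " ( $where ) ";
 $extraFields[] = [
-'field' => $rule->field,
+'field' => $ruleField,
 'id' => $field_option['id'],
 'data' => $rule->data,
 ];
@@ -2668,7 +2669,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
 $where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
 $conditionArray[] = " ( $where ) ";
 $extraFields[] = [
-'field' => $rule->field,
+'field' => $ruleField,
 'id' => $field_option['id'],
 'data' => $rule->data,
 ];
@@ -2680,7 +2681,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
 $original_field = str_replace($stringToSearch, '', $my_field);
 $field_option = $this->get_handler_field_info_by_field_variable($original_field);
 $extraFields[] = [
-'field' => $rule->field,
+'field' => $ruleField,
 'id' => $field_option['id'],
 ];
 }
@@ -2701,9 +2702,12 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
 */
 public function get_where_clause($col, $oper, $val, $conditionBetweenOptions = 'OR')
 {
+$col = Database::escapeField($col);
+
 if (empty($col)) {
 return '';
 }
+
 $conditionBetweenOptions = in_array($conditionBetweenOptions, ['OR', 'AND']) ? $conditionBetweenOptions : 'OR';
 if ('bw' === $oper || 'bn' === $oper) {
 $val .= '%';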
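Review bot: In the hunk at 2620, `$original_field` on the following lines (2626, and via `$my_field` at 2681) is still derived from the raw `$rule->field`, while the recorded `'field' => $ruleField` entries use the escaped value, so a field name containing stripped characters looks up one variable and records another. Derive both from the same value, e.g. `$original_field = str_replace($stringToSearch, '', $ruleField);`, or skip the rule when `$ruleField !== $rule->field`, since a name that needed rewriting was not a known field anyway. The `get_where_clause` calls at 2644 and 2670 still pass `$rule->field`; that is harmless now that the method escapes internally, but passing `$ruleField` would make the intent visible and avoid escaping twice. The `else` branch at 2621 and the body of `get_where_clause` both extend beyond their hunks.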
