]> git.mxchange.org Git - quix0rs-gnu-social.git/blobdiff - classes/Profile_tag.php
projects / quix0rs-gnu-social.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Escape query parameters in Profile_tag::getTagged()
[quix0rs-gnu-social.git] / classes / Profile_tag.php
diff --git a/classes/Profile_tag.php b/classes/Profile_tag.php
index fdac14cd7163e004d03f530d472c95734bae0a67..75cca8c22c364e169967a41d749fb19566036391 100644 (file)
--- a/classes/Profile_tag.php
+++ b/classes/Profile_tag.php
@@ -310,8 +310,8 @@ class Profile_tag extends Managed_DataObject
         $profile->query('SELECT profile.* ' .
                         'FROM profile JOIN profile_tag ' .
                         'ON profile.id = profile_tag.tagged ' .
-                        'WHERE profile_tag.tagger = ' . $tagger . ' ' .
-                        'AND profile_tag.tag = "' . $tag . '" ');
+                        'WHERE profile_tag.tagger = ' . $profile->escape($tagger) . ' ' .
+                        'AND profile_tag.tag = "' . $profile->escape($tag) . '" ');
         $tagged = array();
         while ($profile->fetch()) {
             $tagged[] = clone($profile);
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)