Potential SQL injection in Local_group::setNickname()

This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.

diff --git a/classes/Local_group.php b/classes/Local_group.php
index 44d8957838f0823772bc59abb4ce5875b2fe6ec4..b895103d1675452a7c59da35635dcb6c71523d83 100644 (file)
--- a/classes/Local_group.php
+++ b/classes/Local_group.php
@@ -44,7 +44,7 @@ class Local_group extends Managed_DataObject
     function setNickname($nickname)
     {
         $this->decache();
-        $qry = 'UPDATE local_group set nickname = "'.$nickname.'" where group_id = ' . $this->group_id;
+        $qry = 'UPDATE local_group set nickname = "'.$this->escape($nickname).'" where group_id = ' . $this->group_id;
 
         $result = $this->query($qry);