Escape argument to prevent SQL injection attack in

User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.

diff --git a/classes/User.php b/classes/User.php
index cd99a3dd4fe5d9034b2bb0e0aeb0c185e8265195..e8aaaf6a103c47d1d26a420a59b08b3354b2a67d 100644 (file)
--- a/classes/User.php
+++ b/classes/User.php
@@ -758,7 +758,7 @@ class User extends Managed_DataObject
 
         $profile = new Profile();
 
-        $profile->query(sprintf($qry, $this->id, $tag));
+        $profile->query(sprintf($qry, $this->id, $profile->escape($tag)));
 
         return $profile;
     }