From c5a710e081079ae79ac84aa3628314bb803c0aed Mon Sep 17 00:00:00 2001
From: Joshua Wise
Date: Tue, 16 Jul 2013 10:14:38 -0700
Subject: [PATCH] Escape $tag passed to Profile::getTaggedSubscribers()

This patch escapes the $tag parameter in Profile::getTaggedSubscribers(). The parameter is not escaped either in actions/subscriptions.php or in actions/apiuserfollowers.php. So there is a potential for SQL injection here.
---
 classes/Profile.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/Profile.php b/classes/Profile.php
index cefcaf90b5..540699eb3a 100644
--- a/classes/Profile.php
+++ b/classes/Profile.php
@@ -682,7 +682,7 @@ class Profile extends Managed_DataObject
 $profile = new Profile();
 $tagged = array();
- $cnt = $profile->query(sprintf($qry, $this->id, $this->id, $tag));
+ $cnt = $profile->query(sprintf($qry, $this->id, $this->id, $profile->escape($tag)));
 while ($profile->fetch()) {
 $tagged[] = clone($profile);
-- 
2.39.2
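Review bot: `$profile->escape($tag)` on the added line only neutralises the value if the `%s` it fills in `$qry` is enclosed in single quotes in the SQL text; `$qry` is assembled before line 682 and is outside this hunk, so that quoting should be confirmed and pinned with a comment next to the query, e.g. `// $tag is interpolated via escape(); its %s placeholder must stay single-quoted`. The enclosing method getTaggedSubscribers() starts and ends outside the hunk. Since the commit message states that both callers pass the raw parameter through, escaping at the query sink is the right layer; a bound parameter would remove the dependence on the placeholder's quoting altogether, but that is a larger change than this one-line fix. The two `$this->id` arguments come from the object itself rather than the request, so they are not part of this concern.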