fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HOR-281 No longer assumes mysql for escaping.

Browse Source
This commit is contained in:
Chloe Deguzman
2016-03-21 22:25:04 +00:00
parent f9ca5867e4
commit 58b80f54a1
1 changed files with 4 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
gulliver/methods/genericAjax.php
View File

@@ -178,15 +178,10 @@ if( isset($request) ){
try { try {
$con = Propel::getConnection($_GET['cnn']); $con = Propel::getConnection($_GET['cnn']);
if($_GET['pkt'] == 'int'){ if($_GET['pkt'] == 'int'){
// I know this isn't perfect
// but this is the sanitization $primaryKeyField = Propel::getDB($_GET['cnn'])->quoteIdentifier($_GET['pk']);
// that's used by Creole. $tableName = Propel::getDB($_GET['cnn'])->quoteIdentifier($_GET['table']);
$rs = $con->executeQuery("SELECT MAX($primaryKeyField) as lastId FROM $tableName");
$primaryKeyField = mysql_real_escape_string($_GET['pk']);
$tableName = mysql_real_escape_string($_GET['table']);
$primaryKeyField = str_replace("`", "", $primaryKeyField);
$tableName = str_replace("`", "", $tableName);
$rs = $con->executeQuery("SELECT MAX(`$primaryKeyField`) as lastId FROM `$tableName`");
$rs->next(); $rs->next();
$row = $rs->getRow(); $row = $rs->getRow();
$gKey = (int)$row['lastId'] + 1; $gKey = (int)$row['lastId'] + 1;