From: Brion Vibber
Date: Fri, 6 Aug 2004 19:17:49 +0000 (+0000)
Subject: Protect against SQL insertion attacks in page move category update.
X-Git-Tag: 1.5.0alpha1~2500
X-Git-Url: http://git.cyclocoop.org/%24self?a=commitdiff_plain;h=b902a2bdf37c5f50ba54873c092e29ef1f8b4567;p=lhc%2Fweb%2Fwiklou.git
Protect against SQL insertion attacks in page move category update.
---
diff --git a/includes/Title.php b/includes/Title.php
index b224ad0a6f..74c11c5676 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -902,7 +902,9 @@ class Title {
 # Fixing category links (those without piped 'alternate' names) to be sorted under the new title
 $dbw =& wfGetDB( DB_MASTER );
- $sql = "UPDATE categorylinks SET cl_sortkey=\"" . $nt->getPrefixedText() . "\" WHERE cl_from=\"" .$this->getArticleID() . "\" AND cl_sortkey=\"" . $this->getPrefixedText() . "\"" ;
+ $sql = "UPDATE categorylinks SET cl_sortkey=" . $dbw->addQuotes( $nt->getPrefixedText() ) .
+ " WHERE cl_from=" . $dbw->addQuotes( $this->getArticleID() ) .
+ " AND cl_sortkey=" . $dbw->addQuotes( $this->getPrefixedText() );
 $dbw->query( $sql, "SpecialMovepage::doSubmit" );
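Review bot: The `cl_from` comparison on the second added line passes `$this->getArticleID()` through `addQuotes()`, so what looks like a numeric page id is sent as a quoted string. That is safe, but an integer cast states the type and does not depend on the escaper: `" WHERE cl_from=" . intval( $this->getArticleID() ) .`. The two title values are the ones that carry user-controlled text, so a comment above the statement such as `# Title text is user-supplied and may contain quotes; escape every value interpolated below` would help keep a later edit from reverting to plain concatenation. The label passed to `$dbw->query()` on the last context line still reads `"SpecialMovepage::doSubmit"` although this code is in `Title`, which presumably misattributes the query in logs or profiling. The enclosing method starts and ends outside the hunk.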