From ed1b071355aa45955e8859c66177db952f871dcf Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 4 Feb 2008 22:37:33 +0000
Subject: [PATCH] Not escaping strings makes me queasy, even if we're *pretty* sure that database timestamps will always format to a safe value! Wrap an addQuotes around those timestamp calls...

---
 includes/filerepo/LocalFile.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/filerepo/LocalFile.php b/includes/filerepo/LocalFile.php
index 3b936a6926..f992aa3838 100644
--- a/includes/filerepo/LocalFile.php
+++ b/includes/filerepo/LocalFile.php
@@ -583,10 +583,10 @@ class LocalFile extends File
 $conds = $opts = array();
 $conds[] = "oi_name = " . $dbr->addQuotes( $this->title->getDBKey() );
 if( $start !== null ) {
-$conds[] = "oi_timestamp <= '" . $dbr->timestamp( $start ) . "'";
+$conds[] = "oi_timestamp <= " . $dbr->addQuotes( $dbr->timestamp( $start ) );
 }
 if( $end !== null ) {
-$conds[] = "oi_timestamp >= '" . $dbr->timestamp( $end ). "'";
+$conds[] = "oi_timestamp >= " . $dbr->addQuotes( $dbr->timestamp( $end ) );
 }
 if( $limit ) {
 $opts['LIMIT'] = $limit;
-- 
2.20.1
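Review bot: The comparison directions on the two new lines read backwards against the parameter names — `$start` bounds `oi_timestamp <=` and `$end` bounds `oi_timestamp >=` — so a reader may assume the operators were swapped rather than that the history is walked newest-first. If that descending order is intended, a one-line comment above the `if( $start !== null )` line such as `// History is listed newest-first: $start is the upper (newest) bound, $end the lower one` would prevent a well-meaning "fix" that inverts them. The quoting change itself is sound: wrapping `$dbr->timestamp()` in `addQuotes()` routes the literal through the same escaping path already used for `oi_name` two lines above, instead of trusting that the formatted timestamp never contains a quote. The enclosing method starts before and continues past this hunk, so whether the ORDER BY direction actually matches these bounds cannot be confirmed from what is shown.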