Not escaping strings makes me queasy, even if we're *pretty* sure that database times...
authorBrion Vibber <brion@users.mediawiki.org>
Mon, 4 Feb 2008 22:37:33 +0000 (22:37 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Mon, 4 Feb 2008 22:37:33 +0000 (22:37 +0000)
Wrap an addQuotes around those timestamp calls...

includes/filerepo/LocalFile.php

index 3b936a6..f992aa3 100644 (file)
@@ -583,10 +583,10 @@ class LocalFile extends File
                $conds = $opts = array();
                $conds[] = "oi_name = " . $dbr->addQuotes( $this->title->getDBKey() );
                if( $start !== null ) {
-                       $conds[] = "oi_timestamp <= '" . $dbr->timestamp( $start ) . "'";
+                       $conds[] = "oi_timestamp <= " . $dbr->addQuotes( $dbr->timestamp( $start ) );
                }
                if( $end !== null ) {
-                       $conds[] = "oi_timestamp >= '" . $dbr->timestamp( $end ). "'";
+                       $conds[] = "oi_timestamp >= " . $dbr->addQuotes( $dbr->timestamp( $end ) );
                }
                if( $limit ) {
                        $opts['LIMIT'] = $limit;
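Review bot: The two rewritten `oi_timestamp` conditions quote the value, but nothing in the hunk checks what `$dbr->timestamp()` returned for `$start` or `$end`. If that helper can return an empty or false value for unparseable input (not visible here, so worth confirming), the condition would silently compare against `''` instead of being rejected. A short comment above the first condition would record the intent, for example `// timestamp() only normalizes the format; addQuotes() is what makes the value safe to embed`. In the same defensive spirit, `$opts['LIMIT'] = $limit;` passes the caller's value through uncast; unless the database layer is known to cast it, `$opts['LIMIT'] = intval( $limit );` would close that path too. The enclosing method starts and ends outside this hunk, so the origin of `$start`, `$end` and `$limit` cannot be judged from here.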