Commit fcbe0ca6 authored by Oliver Hader's avatar Oliver Hader

Fixed bug #14412: Field value added to foreign_table_where by replacing...

Fixed bug #14412: Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted (thanks to Helmut Hummel and Xavier Perseguers)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-1@8412 709f56b5-9817-0410-a4d7-c38de5d9e867
parent 3726afad
......@@ -17,6 +17,7 @@
* Fixed bug #14389: phtml is also PHP extension and should be denied editing / uploading via fileadmin (thanks to Ernesto Baschny)
* Fixed bug #1985: XSS vulnerability in wizard classes
* Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
* Fixed bug #14412: Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted (thanks to Helmut Hummel and Xavier Perseguers)
2010-05-17 Oliver Hader <oliver@typo3.org>
......
......@@ -2787,7 +2787,11 @@ class t3lib_BEfunc {
while(list($kk,$vv)=each($fTWHERE_parts)) {
if ($kk) {
$fTWHERE_subpart = explode('###',$vv,2);
$fTWHERE_parts[$kk]=$TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]].$fTWHERE_subpart[1];
if (substr($fTWHERE_parts[0], -1) == '\'' && $fTWHERE_subpart[1]{0} == '\'') {
$fTWHERE_parts[$kk] = $GLOBALS['TYPO3_DB']->quoteStr($TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]], $foreign_table) . $fTWHERE_subpart[1];
} else {
$fTWHERE_parts[$kk] = $GLOBALS['TYPO3_DB']->fullQuoteStr($TSconfig['_THIS_ROW'][$fTWHERE_subpart[0]], $foreign_table) . $fTWHERE_subpart[1];
}
}
}
$fTWHERE = implode('',$fTWHERE_parts);
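Review bot: The quote-context test on the new `if` line always inspects `$fTWHERE_parts[0]`, so for a second or later `###REC_FIELD_...###` marker it looks at the text before the first marker rather than the text directly in front of the marker being replaced. If the split above this hunk is on the marker prefix (not visible here), a clause whose first marker is unquoted and whose later marker sits inside quotes would take the `fullQuoteStr()` branch and emit `''value''`, which leaves the escaped value outside a string literal again. Consider testing the preceding fragment instead, e.g. `if (substr($fTWHERE_parts[$kk - 1], -1) == '\'' && $fTWHERE_subpart[1]{0} == '\'') {`, and guarding `$fTWHERE_subpart[1]` for a marker that has no closing `###`. The loop belongs to a method of `t3lib_BEfunc` that starts and ends outside the hunk.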
......