CRM-14118 - Unescaped user input sent to MySQL from geolocation scheduled job
authorDonald A. Lobo <lobo@civicrm.org>
Thu, 23 Jan 2014 22:50:53 +0000 (14:50 -0800)
committerDonald A. Lobo <lobo@civicrm.org>
Thu, 23 Jan 2014 22:50:53 +0000 (14:50 -0800)
http://issues.civicrm.org/jira/browse/CRM-14118

CRM/Utils/Address/BatchUpdate.php

index dcc483d19ea0ba95dcb4379ce9eb2b0312c56ff7..7a00acbf9df547e6318fb47070892777dc6d78ab 100644 (file)
@@ -111,12 +111,15 @@ class CRM_Utils_Address_BatchUpdate {
   function processContacts(&$config, $processGeocode, $parseStreetAddress) {
     // build where clause.
     $clause = array('( c.id = a.contact_id )');
+    $params = array();
     if ($this->start) {
-      $clause[] = "( c.id >= $this->start )";
+      $clause[] = "( c.id >= %1 )";
+      $params[1] = array($this->start, 'Integer');
     }
 
     if ($this->end) {
-      $clause[] = "( c.id <= $this->end )";
+      $clause[] = "( c.id <= %2 )";
+      $params[2] = array($this->end, 'Integer');
     }
 
     if ($processGeocode) {
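Review bot: The typed placeholders in `( c.id >= %1 )` and `( c.id <= %2 )` carry the whole fix, but nothing in the hunk records why they replaced interpolation, and the rest of the WHERE-clause assembly after `if ($processGeocode) {` lies outside the hunk, so any other value spliced into `$clause` there still needs the same treatment. A short comment above `$params = array();` would stop the next maintainer from reverting to string interpolation: `// start/end are job-supplied input; bind them as Integer placeholders so the DAO validates the value rather than interpolating it into SQL.` Binding with type `'Integer'` presumably also means the DAO layer now rejects a non-numeric start/end before it reaches MySQL, which is the intended outcome but is a visible behaviour change for any caller that previously passed such a value. processContacts continues past the end of the hunk.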
@@ -145,8 +148,7 @@ class CRM_Utils_Address_BatchUpdate {
 
     $totalGeocoded = $totalAddresses = $totalAddressParsed = 0;
 
-    $dao = CRM_Core_DAO::executeQuery($query, CRM_Core_DAO::$_nullArray);
-
+    $dao = CRM_Core_DAO::executeQuery($query, $params);
     if ($processGeocode) {
       require_once (str_replace('_', DIRECTORY_SEPARATOR, $config->geocodeMethod) . '.php');
     }