Fix for CRM-16203

diff --git a/CRM/Report/Form.php b/CRM/Report/Form.php
index af72c422ecdb369995e622b2af71460aca0759ee..a77494857ebcc58fe814897fe88fdee259fcc0da 100644 (file)
--- a/CRM/Report/Form.php
+++ b/CRM/Report/Form.php
@@ -1740,6 +1740,7 @@ class CRM_Report_Form extends CRM_Core_Form {
         // mhas == multiple has
         if ($value !== NULL && count($value) > 0) {
           $sqlOP = $this->getSQLOperator($op);
+          $value = CRM_Utils_Type::escapeAll($value, $type);
           $clause
             = "{$field['dbAlias']} REGEXP '[[:cntrl:]]" . implode('|', $value) .
             "[[:cntrl:]]'";
@@ -1750,6 +1751,7 @@ class CRM_Report_Form extends CRM_Core_Form {
         // mnot == multiple is not one of
         if ($value !== NULL && count($value) > 0) {
           $sqlOP = $this->getSQLOperator($op);
+          $value = CRM_Utils_Type::escapeAll($value, $type);
           $clause
             = "( {$field['dbAlias']} NOT REGEXP '[[:cntrl:]]" . implode('|', $value) .
             "[[:cntrl:]]' OR {$field['dbAlias']} IS NULL )";

diff --git a/CRM/Utils/Type.php b/CRM/Utils/Type.php
index 81efac86b067ce651019c6b863e0e1caede604b6..f5d0bc1b9e3715bbbe8d91e66740cc013a4acbdf 100644 (file)
--- a/CRM/Utils/Type.php
+++ b/CRM/Utils/Type.php
@@ -142,6 +142,18 @@ class CRM_Utils_Type {
     return (isset($string)) ? $string : "";
   }
 
+  /**
+   * Helper function to call escape on arrays
+   *
+   * @see escape
+   */
+  public static function escapeAll($data, $type, $abort = TRUE) {
+    foreach ($data as $key => $value) {
+      $data[$key] = CRM_Utils_Type::escape($value, $type, $abort);
+    }
+    return $data;
+  }
+
   /**
    * Verify that a variable is of a given type, and apply a bit of processing.
    *