escape alphanumeric/checkbox custom data
authorJamie McClelland <jm@mayfirst.org>
Wed, 20 Feb 2019 17:59:34 +0000 (12:59 -0500)
committerSeamus Lee <seamuslee001@gmail.com>
Wed, 15 May 2019 20:25:18 +0000 (06:25 +1000)
CRM/Core/BAO/CustomQuery.php

index 790487e43891b62c2bad6ab03afddb2d63310603..24b829e5f5b427660de3f00e12a02a73f3b8fd72 100644 (file)
@@ -351,6 +351,12 @@ SELECT f.id, f.label, f.data_type,
                 foreach ($value as $key => $val) {
                   $value[$key] = str_replace(['[', ']', ','], ['\[', '\]', '[:comma:]'], $val);
                   $value[$key] = str_replace('|', '[:separator:]', $value[$key]);
+                  if ($field['data_type'] == 'String') {
+                    $value[$key] = CRM_Utils_Type::escape($value[$key], 'String');
+                  }
+                  elseif ($value) {
+                    $value[$key] = CRM_Utils_Type::escape($value[$key], 'Integer');
+                  }
                 }
                 $value = implode(',', $value);
               }
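Review bot: The `elseif ($value)` guard tests the whole array being iterated rather than the current element, so inside the `foreach` it is always true and every field whose data type is not `String` goes to the `Integer` escape. If the intent was to skip empty entries, the condition should look at the element, e.g. `elseif ($value[$key] !== '') {`. As written, any other data type reaching this branch would be validated as an integer, and a failed validation in `CRM_Utils_Type::escape` aborts by default as far as I know. Which types reach it is not visible, because the enclosing block starts outside the hunk, so it is worth confirming that only `String` and `Int` fields get here, or dispatching on `$field['data_type']` explicitly. The comparison on the first added line could also be strict: `$field['data_type'] === 'String'`.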