Also escape the value when it starts with a `[`, and validate the negated operator as well
authorSeamus Lee <seamuslee001@gmail.com>
Sun, 29 Mar 2020 20:55:14 +0000 (07:55 +1100)
committerSeamus Lee <seamuslee001@gmail.com>
Thu, 16 Apr 2020 01:03:21 +0000 (11:03 +1000)
CRM/Contact/BAO/Query.php

index fa4068402172232c0d37b6ca5e10a17d8a830da1..5cf62c9d94780343230490e0994bc6a8339afa03 100644 (file)
@@ -4058,9 +4058,11 @@ WHERE  $smartGroupClause
       }
     }
     if (strpbrk($value, "[")) {
-      $value = "'{$value}'";
-      $op = "!{$op}";
-      $this->_where[$grouping][] = "contact_a.{$name} $op $value";
+      $value = CRM_Core_DAO::escapeString($value);
+      if (in_array("!{$op}", CRM_Core_DAO::acceptedSQLOperators(), TRUE)) {
+        $op = "!{$op}";
+        $this->_where[$grouping][] = "contact_a.{$name} $op $value";
+      }
     }
     else {
       CRM_Utils_Type::validate($value, 'Integer');
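Review bot: The replacement line `$value = CRM_Core_DAO::escapeString($value);` drops the single quotes that the removed line `$value = "'{$value}'";` used to add, so unless escapeString() itself returns a quoted literal (its name suggests it only escapes), the clause on the next line now interpolates an unquoted string into SQL — `contact_a.{$name} !LIKE [foo` — which is at best a syntax error and in any case not the quoted comparison the old code produced. The escaping is the right change; it should be combined with the quoting, e.g. `$value = "'" . CRM_Core_DAO::escapeString($value) . "'";`. Separately, when `"!{$op}"` is not in acceptedSQLOperators() the new code silently adds no WHERE clause, which fails open (the search returns unfiltered rows rather than rejecting the request); an `else` branch that throws an exception for the rejected operator would be the safer shape, or at least a comment stating that skipping the clause is intended. The enclosing method starts before this hunk, so how `$op` and `$name` reach this point cannot be seen here.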