Fix security/core#51 by paramatising the Event Type part of the wuere clause

author Seamus Lee <seamuslee001@gmail.com>

Mon, 22 Apr 2019 07:45:52 +0000 (17:45 +1000)

committer Seamus Lee <seamuslee001@gmail.com>

Wed, 15 May 2019 20:25:18 +0000 (06:25 +1000)
author Seamus Lee <seamuslee001@gmail.com>
Mon, 22 Apr 2019 07:45:52 +0000 (17:45 +1000)
committer Seamus Lee <seamuslee001@gmail.com>
Wed, 15 May 2019 20:25:18 +0000 (06:25 +1000)
diff --git a/CRM/Event/Page/ManageEvent.php b/CRM/Event/Page/ManageEvent.php

index afc523e0347e41242ce1d240ae740f5f52f7a6f5..ae0f92942855302c7bf18c2a2a1800291ec929ba 100644 (file)
--- a/CRM/Event/Page/ManageEvent.php
+++ b/CRM/Event/Page/ManageEvent.php
@@ -517,7 +517,8 @@ ORDER BY start_date desc
        if (is_array($value)) {
          $type = implode(',', $value);
        }
-      $clauses[] = "event_type_id IN ({$type})";
+      $clauses[] = "event_type_id IN (%2)";
+      $params[2] = [$type, 'String'];
      }
  
      $eventsByDates = $this->get('eventsByDates');
author	Seamus Lee <seamuslee001@gmail.com>
	Mon, 22 Apr 2019 07:45:52 +0000 (17:45 +1000)
committer	Seamus Lee <seamuslee001@gmail.com>
	Wed, 15 May 2019 20:25:18 +0000 (06:25 +1000)