Also escape when the value starts with a [ and validate the negated operator as well
authorSeamus Lee <seamuslee001@gmail.com>
Sun, 29 Mar 2020 20:55:14 +0000 (07:55 +1100)
committerSeamus Lee <seamuslee001@gmail.com>
Sat, 11 Apr 2020 20:49:43 +0000 (06:49 +1000)
CRM/Contact/BAO/Query.php

index 4ccb455f216f45b12dd9b69e737d91c36307d1f1..5a3d0167e6734a34f316f5e9c27a9fc72a652b4a 100644 (file)
@@ -4057,9 +4057,11 @@ WHERE  $smartGroupClause
       }
     }
     if (strpbrk($value, "[")) {
-      $value = "'{$value}'";
-      $op = "!{$op}";
-      $this->_where[$grouping][] = "contact_a.{$name} $op $value";
+      $value = CRM_Core_DAO::escapeString($value);
+      if (in_array("!{$op}", CRM_Core_DAO::acceptedSQLOperators(), TRUE)) {
+        $op = "!{$op}";
+        $this->_where[$grouping][] = "contact_a.{$name} $op $value";
+      }
     }
     else {
       CRM_Utils_Type::validate($value, 'Integer');
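Review bot: The added line replaces `"'{$value}'"` with the bare result of `CRM_Core_DAO::escapeString($value)`, so the single quotes the removed line put around the value are gone; unless escapeString itself quotes its output (not visible here), the clause pushed into `$this->_where` now embeds an unquoted string fragment, which is at best a SQL syntax error and at worst undoes the escaping, so the line should read `$value = "'" . CRM_Core_DAO::escapeString($value) . "'";`. The new `in_array` guard is the right check for the operator, but when it fails the clause is silently not added, meaning the requested restriction is simply dropped and the query returns more rows than the caller asked for; failing loudly is safer, e.g. an `else { throw new CRM_Core_Exception("Invalid operator {$op}"); }` branch, or at least a comment stating that an unaccepted operator intentionally produces no filter. `$name` is still interpolated unescaped into the same clause, which this change does not touch; it is worth confirming it can only hold a known column name. The enclosing method starts before this hunk and its `else` branch continues after it.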