From: Donald A. Lobo Date: Thu, 23 Jan 2014 22:50:53 +0000 (-0800) Subject: CRM-14118 - Unescaped user input sent to MySQL from geolocation scheduled job X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=18b8253b833156cea3a3ecae3b1d30872b7efad5;p=civicrm-core.git CRM-14118 - Unescaped user input sent to MySQL from geolocation scheduled job http://issues.civicrm.org/jira/browse/CRM-14118
---
diff --git a/CRM/Utils/Address/BatchUpdate.php b/CRM/Utils/Address/BatchUpdate.php
index dcc483d19e..7a00acbf9d 100644
--- a/CRM/Utils/Address/BatchUpdate.php
+++ b/CRM/Utils/Address/BatchUpdate.php
@@ -111,12 +111,15 @@ class CRM_Utils_Address_BatchUpdate {
 function processContacts(&$config, $processGeocode, $parseStreetAddress) {
 // build where clause.
 $clause = array('( c.id = a.contact_id )');
+ $params = array();
 if ($this->start) {
- $clause[] = "( c.id >= $this->start )";
+ $clause[] = "( c.id >= %1 )";
+ $params[1] = array($this->start, 'Integer');
 }
 if ($this->end) {
- $clause[] = "( c.id <= $this->end )";
+ $clause[] = "( c.id <= %2 )";
+ $params[2] = array($this->end, 'Integer');
 }
 if ($processGeocode) {
@@ -145,8 +148,7 @@ class CRM_Utils_Address_BatchUpdate {
 $totalGeocoded = $totalAddresses = $totalAddressParsed = 0;
- $dao = CRM_Core_DAO::executeQuery($query, CRM_Core_DAO::$_nullArray);
-
+ $dao = CRM_Core_DAO::executeQuery($query, $params);
 if ($processGeocode) {
 require_once (str_replace('_', DIRECTORY_SEPARATOR, $config->geocodeMethod) . '.php');
 }
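Review bot: The `%1`/`%2` placeholders in the first hunk fix the two interpolations the commit names, but the lines that build the rest of `$clause` and assemble `$query` for the `$processGeocode` and `$parseStreetAddress` cases sit between the two hunks, outside this view, so it cannot be confirmed here that no other job-supplied value is still spliced into the SQL that `executeQuery($query, $params)` runs in the second hunk. Nothing in the hunk records why the bounds are bound as typed placeholders either; I would add, above `$params = array();`, the comment `// start/end come from job parameters: bind them as 'Integer' placeholders so the DAO layer validates them instead of interpolating them into SQL.` (the validation is presumably done by executeQuery's type handling — confirm). Note that `if ($this->start)` still tests truthiness, so a bound of 0 is dropped exactly as before; if that is intentional it belongs in the same comment. processContacts starts in the first hunk and continues past the end of the second.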