From 18b8253b833156cea3a3ecae3b1d30872b7efad5 Mon Sep 17 00:00:00 2001
From: "Donald A. Lobo"
Date: Thu, 23 Jan 2014 14:50:53 -0800
Subject: [PATCH] CRM-14118 - Unescaped user input sent to MySQL from geolocation scheduled job

http://issues.civicrm.org/jira/browse/CRM-14118
---
 CRM/Utils/Address/BatchUpdate.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/CRM/Utils/Address/BatchUpdate.php b/CRM/Utils/Address/BatchUpdate.php
index dcc483d19e..7a00acbf9d 100644
--- a/CRM/Utils/Address/BatchUpdate.php
+++ b/CRM/Utils/Address/BatchUpdate.php
@@ -111,12 +111,15 @@ class CRM_Utils_Address_BatchUpdate {
   function processContacts(&$config, $processGeocode, $parseStreetAddress) {
     // build where clause.
     $clause = array('( c.id = a.contact_id )');
+    $params = array();
     if ($this->start) {
-      $clause[] = "( c.id >= $this->start )";
+      $clause[] = "( c.id >= %1 )";
+      $params[1] = array($this->start, 'Integer');
     }
     if ($this->end) {
-      $clause[] = "( c.id <= $this->end )";
+      $clause[] = "( c.id <= %2 )";
+      $params[2] = array($this->end, 'Integer');
     }
 
     if ($processGeocode) {
@@ -145,8 +148,7 @@ class CRM_Utils_Address_BatchUpdate {
 
     $totalGeocoded = $totalAddresses = $totalAddressParsed = 0;
 
-    $dao = CRM_Core_DAO::executeQuery($query, CRM_Core_DAO::$_nullArray);
-
+    $dao = CRM_Core_DAO::executeQuery($query, $params);
     if ($processGeocode) {
       require_once (str_replace('_', DIRECTORY_SEPARATOR, $config->geocodeMethod) . '.php');
     }
-- 
2.25.1
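Review bot: The placeholder numbers in the first hunk are deliberately fixed rather than positional — `%2` is bound to the end value even when no start bound is added — and that choice deserves a comment so a later cleanup does not renumber them by array position and leave a placeholder unresolved or bound to the wrong value; suggested line above `$params = array();`: `// placeholder numbers are fixed (1 = start, 2 = end), not positional, so each bound resolves independently`. Binding with the `'Integer'` type also changes failure behaviour: a non-integer start or end value presumably now fails at query time instead of being interpolated into the SQL, which is the intended fix but is worth confirming against wherever the job sets `start`/`end`. The body of processContacts, including the code that assembles `$query` from `$clause`, continues outside both hunks, so whether any other interpolated value remains in that query cannot be verified here.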