From 288c7c4745c39cab691f55ea5bdb42dfd68f3eda Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Mon, 21 Oct 2013 15:59:04 -0700
Subject: [PATCH] CRM-13550 - API - apiv2 patch from 4.2
---
 api/v2/Contact.php | 6 ++++++
 api/v2/Contribution.php | 3 +++
 api/v2/Event.php | 4 ++--
 api/v2/Participant.php | 4 ++++
 api/v2/Pledge.php | 3 +++
 api/v2/PledgePayment.php | 3 +++
 6 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/api/v2/Contact.php b/api/v2/Contact.php
index 33a8616c29..ebe50b7248 100644
--- a/api/v2/Contact.php
+++ b/api/v2/Contact.php
@@ -419,6 +419,9 @@ function civicrm_contact_get(&$params, $deprecated_behavior = FALSE) {
 require_once 'CRM/Contact/BAO/Query.php';
 $newParams = CRM_Contact_BAO_Query::convertFormValues($inputParams);
+ $sort = CRM_Utils_Type::escape($sort, 'String');
+ $offset = CRM_Utils_Type::escape($offset, 'Int');
+ $rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
 list($contacts, $options) = CRM_Contact_BAO_Query::apiQuery($newParams, $returnProperties, NULL,
@@ -547,6 +550,9 @@ function &civicrm_contact_search(&$params) {
 require_once 'CRM/Contact/BAO/Query.php';
 $newParams = CRM_Contact_BAO_Query::convertFormValues($inputParams);
+ $sort = CRM_Utils_Type::escape($sort, 'String');
+ $offset = CRM_Utils_Type::escape($offset, 'Int');
+ $rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
 list($contacts, $options) = CRM_Contact_BAO_Query::apiQuery($newParams, $returnProperties, NULL,
diff --git a/api/v2/Contribution.php b/api/v2/Contribution.php
index bde6fcdc47..d28a7af41a 100644
--- a/api/v2/Contribution.php
+++ b/api/v2/Contribution.php
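Review bot: In both Contact.php hunks the added `$sort = CRM_Utils_Type::escape($sort, 'String');` does not bound what reaches the ORDER BY clause: if `escape()` with 'String' applies SQL string escaping, as its name suggests, it only neutralises quote and backslash characters, while `$sort` is spliced into the query as an unquoted SQL fragment that needs neither. The same line is added in the Contribution.php, Event.php, Participant.php, Pledge.php and PledgePayment.php hunks. An allow-list check fits the contract better, e.g. `if (!preg_match('/^[A-Za-z0-9_.]+(\s+(asc|desc))?$/i', $sort)) { return civicrm_create_error('Invalid sort parameter'); }` before the apiQuery() call (permit the empty value if callers may omit sort, and extend the pattern if they sort on more than one column); the 'Int' escapes on `$offset` and `$rowCount` are appropriate as written. civicrm_contact_get and civicrm_contact_search both continue outside their hunks.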
@@ -211,6 +211,9 @@ function &civicrm_contribution_search(&$params) {
 }
 $newParams = CRM_Contact_BAO_Query::convertFormValues($inputParams);
+ $sort = CRM_Utils_Type::escape($sort, 'String');
+ $offset = CRM_Utils_Type::escape($offset, 'Int');
+ $rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
 $query = new CRM_Contact_BAO_Query($newParams, $returnProperties, NULL);
 list($select, $from, $where, $having) = $query->query();
diff --git a/api/v2/Event.php b/api/v2/Event.php
index 78f170aa22..47213dc4ec 100644
--- a/api/v2/Event.php
+++ b/api/v2/Event.php
@@ -198,8 +198,8 @@ function civicrm_event_search(&$params) {
 $eventDAO->whereAdd('(start_date >= CURDATE() || end_date >= CURDATE())');
 }
- $eventDAO->orderBy($sort);
- $eventDAO->limit((int)$offset, (int)$rowCount);
+ $eventDAO->orderBy(CRM_Utils_Type::escape($sort, 'String'));
+ $eventDAO->limit(CRM_Utils_Type::escape($offset, 'Int'), CRM_Utils_Type::escape($rowCount, 'Int'));
 $eventDAO->find();
 while ($eventDAO->fetch()) {
 $event[$eventDAO->id] = array();
diff --git a/api/v2/Participant.php b/api/v2/Participant.php
index f734550719..cc36eeee8c 100644
--- a/api/v2/Participant.php
+++ b/api/v2/Participant.php
@@ -190,6 +190,10 @@ function &civicrm_participant_search(&$params) {
 }
 $newParams = CRM_Contact_BAO_Query::convertFormValues($params);
+ $sort = CRM_Utils_Type::escape($sort, 'String');
+ $offset = CRM_Utils_Type::escape($offset, 'Int');
+ $rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
+
 $query = new CRM_Contact_BAO_Query($newParams, $returnProperties, NULL);
 list($select, $from, $where, $having) = $query->query();
diff --git a/api/v2/Pledge.php b/api/v2/Pledge.php
index 4500519af8..343f1e16fe 100644
--- a/api/v2/Pledge.php
+++ b/api/v2/Pledge.php
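Review bot: In the Event.php hunk, the removed `(int)$offset, (int)$rowCount` casts were already a sufficient guard for the `limit()` call, and replacing them with `CRM_Utils_Type::escape(..., 'Int')` changes what a non-numeric value does from silent coercion to 0 to whatever `escape()` does on failure, which, if it keeps an abort-on-failure default, is a fatal error instead of the API's error array. If that is the intended behaviour, a comment on the new `limit()` line such as `// non-integer offset/rowCount are rejected by escape(), not coerced to 0` would record it; otherwise keep the casts and restrict the new code to validating `$sort`. The Contribution.php and Participant.php hunks on this line repeat the `escape($sort, 'String')` pattern from Contact.php and need the same allow-list treatment rather than string escaping. civicrm_event_search continues outside the hunk.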
@@ -199,6 +199,9 @@ function &civicrm_pledge_get(&$params) {
 }
 $newParams = CRM_Contact_BAO_Query::convertFormValues($inputParams);
+ $sort = CRM_Utils_Type::escape($sort, 'String');
+ $offset = CRM_Utils_Type::escape($offset, 'Int');
+ $rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
 $query = new CRM_Contact_BAO_Query($newParams, $returnProperties, NULL);
 list($select, $from, $where) = $query->query();
diff --git a/api/v2/PledgePayment.php b/api/v2/PledgePayment.php
index 54f8ea0edb..7fe755f084 100644
--- a/api/v2/PledgePayment.php
+++ b/api/v2/PledgePayment.php
@@ -208,6 +208,9 @@ function &civicrm_pledge_payment_search(&$params) {
 }
 $newParams = CRM_Contact_BAO_Query::convertFormValues($inputParams);
+ $sort = CRM_Utils_Type::escape($sort, 'String');
+ $offset = CRM_Utils_Type::escape($offset, 'Int');
+ $rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
 $query = new CRM_Contact_BAO_Query($newParams, $returnProperties, NULL);
 list($select, $from, $where) = $query->query();
--
2.25.1
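Review bot: The same three `CRM_Utils_Type::escape` lines now appear verbatim in six search functions (this Pledge.php hunk, the PledgePayment.php hunk below it, and the Contact, Contribution and Participant hunks above), so any other v2 function that reads `sort`, `offset` and `rowCount` from `$params` is one omission away from missing the check. A single shared helper that validates and returns the three values, placed where they are first pulled out of `$params` (outside these hunks), would make the check the default rather than something each function has to remember. The escaping also runs only after `convertFormValues($inputParams)` has been evaluated, which is fine only if the raw `sort`/`offset`/`rowCount` keys were removed from `$inputParams` earlier; that cannot be confirmed from the hunk. civicrm_pledge_get and civicrm_pledge_payment_search continue outside their hunks.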