From 804f8b8ed6d04fcdc1902c6eb13db833bfaff690 Mon Sep 17 00:00:00 2001
From: Jamie McClelland
Date: Wed, 20 Feb 2019 12:59:34 -0500
Subject: [PATCH] escape alphanumeric/checkbox custom data
---
 CRM/Core/BAO/CustomQuery.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CRM/Core/BAO/CustomQuery.php b/CRM/Core/BAO/CustomQuery.php
index 790487e438..24b829e5f5 100644
--- a/CRM/Core/BAO/CustomQuery.php
+++ b/CRM/Core/BAO/CustomQuery.php
@@ -351,6 +351,12 @@ SELECT f.id, f.label, f.data_type,
 foreach ($value as $key => $val) {
 $value[$key] = str_replace(['[', ']', ','], ['\[', '\]', '[:comma:]'], $val);
 $value[$key] = str_replace('|', '[:separator:]', $value[$key]);
+ if ($field['data_type'] == 'String') {
+ $value[$key] = CRM_Utils_Type::escape($value[$key], 'String');
+ }
+ elseif ($value) {
+ $value[$key] = CRM_Utils_Type::escape($value[$key], 'Integer');
+ }
 }
 $value = implode(',', $value);
 }
--
2.25.1
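Review bot: The `elseif ($value)` guard in the added block tests the whole `$value` array rather than the element being escaped, and inside this `foreach` the array is never empty, so the branch always runs and behaves as a plain `else`. If validating every non-String element is the intent, write `else {` so the fail-closed behaviour is explicit; if empty elements were meant to be skipped, test the element strictly, e.g. `elseif ($value[$key] !== '')`, because a truthiness test on the element would also skip `'0'`. Routing every other data type through `CRM_Utils_Type::escape($value[$key], 'Integer')` will presumably reject legitimate non-integer option values (Float or Money fields, for example), so an explicit mapping from `$field['data_type']` to the validation type would be safer than a catch-all. The enclosing method and the point where `$value` is placed into the SQL string lie outside this hunk, so it is worth confirming there that no other path uses the unescaped values.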