From 856b548fac57e2aeecff8d514a6bcb9e95b7eca3 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Wed, 16 Nov 2016 06:37:04 +1100
Subject: [PATCH] CRM-19641

---
 CRM/Case/XMLProcessor/Report.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/CRM/Case/XMLProcessor/Report.php b/CRM/Case/XMLProcessor/Report.php
index 45356fde6d..1e3abee48e 100644
--- a/CRM/Case/XMLProcessor/Report.php
+++ b/CRM/Case/XMLProcessor/Report.php
@@ -669,10 +669,10 @@ AND " . CRM_Core_Permission::customGroupClause(CRM_Core_Permission::VIEW, 'cg.')
 $query = "
 SELECT label, value
 FROM civicrm_option_value
-WHERE option_group_id = {$dao->optionGroupID}
+WHERE option_group_id = %1
 ";
-$option = CRM_Core_DAO::executeQuery($query);
+$option = CRM_Core_DAO::executeQuery($query, array(1 => array($dao->optionGroupID, 'Positive')));
 while ($option->fetch()) {
 $dataType = $dao->dataType;
 if ($dataType == 'Int' || $dataType == 'Float') {
@@ -691,8 +691,9 @@ SELECT label, value
 foreach ($sql as $tableName => $values) {
 $columnNames = implode(',', $values);
+$tableName = CRM_Utils_Type::escape($tableName, 'MysqlColumnNameOrAlias');
 $sql[$tableName] = "
-SELECT '{$groupTitle[$tableName]}' as groupTitle, $columnNames
+SELECT '" . CRM_Core_DAO::escapeString($groupTitle[$tableName]) . "' as groupTitle, $columnNames
 FROM $tableName
 WHERE entity_id = %1
 ";
-- 
2.25.1
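Review bot: In the second hunk the escaped value is assigned back to `$tableName` and then reused as the array key in `$sql[$tableName]` and in the lookup `$groupTitle[$tableName]`; if `CRM_Utils_Type::escape()` returns anything other than the input byte-for-byte for 'MysqlColumnNameOrAlias' (for instance a backtick-quoted identifier), the write lands on a new key, the original entry holding the column list survives, and the title lookup misses — I have not confirmed escape's return shape at this version, so this is worth checking. Keep the original key and use the escaped name only inside the SQL: `$escapedTable = CRM_Utils_Type::escape($tableName, 'MysqlColumnNameOrAlias');` and `FROM $escapedTable`. `$columnNames` is still interpolated unescaped on the SELECT line; `$values` is built outside the hunk, and if it comes from the same source as the table names it deserves the same treatment as `$tableName`. The foreach body continues past the end of the hunk.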