From c2068a3eafd87f87d66591eabfee14ada11a2680 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Mon, 6 May 2019 12:34:37 -0700
Subject: [PATCH] (dev/core#934; followup) Fix escaping on new query code

This updates a line which was added in the past day (#14194) to ensure that the data is escaped.
---
 api/v3/Activity.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/api/v3/Activity.php b/api/v3/Activity.php
index de4d1ba783..8940241508 100644
--- a/api/v3/Activity.php
+++ b/api/v3/Activity.php
@@ -363,8 +363,9 @@ function _civicrm_activity_get_handleSourceContactNameOrderBy(&$params, &$option
 $sql->join(
 'source_contact',
 "LEFT JOIN
- civicrm_activity_contact ac ON (ac.activity_id = a.id AND record_type_id = $sourceContactID )
- LEFT JOIN civicrm_contact c ON c.id = ac.contact_id"
+ civicrm_activity_contact ac ON (ac.activity_id = a.id AND record_type_id = #sourceContactID)
+ LEFT JOIN civicrm_contact c ON c.id = ac.contact_id",
+ ['sourceContactID' => $sourceContactID]
 );
 $sql->orderBy("c.display_name $order");
 unset($options['sort'], $params['options']['sort']);
-- 
2.25.1
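Review bot: `$order` is still interpolated directly into the ORDER BY fragment on the context line `$sql->orderBy("c.display_name $order");`, while the join just above it now binds its value through the `#sourceContactID` placeholder. Where `$order` is assigned is not visible here, because the function body starts above this hunk; if it is derived from the caller's `options['sort']`, I would pin it to a fixed keyword right before use, for example `$order = (strtolower(trim($order)) === 'desc') ? 'DESC' : 'ASC';`. A one-line comment above the new array argument, such as `// '#' placeholders are validated as numeric before interpolation`, would also tell the next reader why the value is no longer embedded in the string.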