Commit d297ac74 authored by Dries's avatar Dries

- Patch #811776 by Heine: regression of SA-2006-005 - SQL Injection via db_query_range().

parent cf822bd2
......@@ -59,7 +59,7 @@ public function __construct(array $connection_options = array()) {
}
public function queryRange($query, $from, $count, array $args = array(), array $options = array()) {
return $this->query($query . ' LIMIT ' . $from . ', ' . $count, $args, $options);
return $this->query($query . ' LIMIT ' . (int) $from . ', ' . (int) $count, $args, $options);
}
public function queryTemporary($query, array $args = array(), array $options = array()) {
......
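Review bot: The `(int)` casts on `$from` and `$count` in `queryRange()` are the whole fix, yet nothing marks them as security-relevant and no test is visible on this page, which matters because the commit title calls this a regression of an earlier advisory. A comment above the return, such as `// $from and $count are concatenated into the SQL text, so they must be forced to integers.`, would keep a later refactor from dropping them again. The same applies to the two other `queryRange()` implementations patched further down (the `LIMIT … OFFSET` variant and the second `LIMIT from, count` variant). The cast also lets negative numbers through, which would presumably surface as a database syntax error rather than a clear exception. A test that passes a non-numeric string for each argument would pin the behaviour.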
......@@ -106,7 +106,7 @@ public function query($query, array $args = array(), $options = array()) {
}
public function queryRange($query, $from, $count, array $args = array(), array $options = array()) {
return $this->query($query . ' LIMIT ' . $count . ' OFFSET ' . $from, $args, $options);
return $this->query($query . ' LIMIT ' . (int) $count . ' OFFSET ' . (int) $from, $args, $options);
}
public function queryTemporary($query, array $args = array(), array $options = array()) {
......
......@@ -1407,7 +1407,7 @@ public function __toString() {
// Databases that need a different syntax can override this method and
// do whatever alternate logic they need to.
if (!empty($this->range)) {
$query .= "\nLIMIT " . $this->range['length'] . " OFFSET " . $this->range['start'];
$query .= "\nLIMIT " . (int) $this->range['length'] . " OFFSET " . (int) $this->range['start'];
}
// UNION is a little odd, as the select queries to combine are passed into
......
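Review bot: Casting `$this->range['length']` and `$this->range['start']` only at render time leaves the stored range unsanitised, and the comment just above the changed line says other databases may override this method, so every override has to remember the same casts. Normalising the values where the range is stored would cover all renderers at once, roughly `$this->range = array('start' => (int) $start, 'length' => (int) $length);`. That setter is not part of this hunk, so its exact shape is inferred. `__toString()` itself starts and ends outside the hunk.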
......@@ -159,7 +159,7 @@ public function PDOPrepare($query, array $options = array()) {
}
public function queryRange($query, $from, $count, array $args = array(), array $options = array()) {
return $this->query($query . ' LIMIT ' . $from . ', ' . $count, $args, $options);
return $this->query($query . ' LIMIT ' . (int) $from . ', ' . (int) $count, $args, $options);
}
public function queryTemporary($query, array $args = array(), array $options = array()) {
......