diff options
| author | Gábor Hojtsy <gabor@hojtsy.hu> | 2008-01-04 09:31:49 +0000 |
|---|---|---|
| committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2008-01-04 09:31:49 +0000 |
| commit | 89be29505b1ed6146aef314d5524f46cc289cee3 (patch) | |
| tree | 6be929fa5d9b84c48f0a5682bc6f95cb09b3bde3 /modules/statistics/statistics.module | |
| parent | 52f95c981bbf7588aedd1b5cb3ef74641572e39e (diff) | |
| download | brdo-89be29505b1ed6146aef314d5524f46cc289cee3.tar.gz brdo-89be29505b1ed6146aef314d5524f46cc289cee3.tar.bz2 | |
#198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
Diffstat (limited to 'modules/statistics/statistics.module')
| -rw-r--r-- | modules/statistics/statistics.module | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/modules/statistics/statistics.module b/modules/statistics/statistics.module index 831a0d5c7..1242e973b 100644 --- a/modules/statistics/statistics.module +++ b/modules/statistics/statistics.module @@ -206,7 +206,10 @@ function statistics_cron() { * or FALSE if the query could not be executed correctly. */ function statistics_title_list($dbfield, $dbrows) { - return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE %s <> '0' AND n.status = 1 ORDER BY %s DESC"), 's.'. $dbfield, 's.'. $dbfield, 0, $dbrows); + if (in_array($dbfield, array('totalcount', 'daycount', 'timestamp'))) { + return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE s.". $dbfield ." != 0 AND n.status = 1 ORDER BY s.". $dbfield ." DESC"), 0, $dbrows); + } + return FALSE; } |