author | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-09-27 16:52:00 +0000 |
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-09-27 16:52:00 +0000 |
commit | 74def328c8d6ebaa6c46011b8dc9692be4900e7f (patch) | |
tree | 61d2ec1587743eb9c9eb3b860ee93935022f3e65 /modules/taxonomy/taxonomy.pages.inc | |
parent | b5b6b32e364b87c87e944968764e212e85d2e10e (diff) | |
#167284 by Heine and pwolanin: proper field type placeholders in IN() queries, setting a best practice to avoid vulnerabilities
Diffstat (limited to 'modules/taxonomy/taxonomy.pages.inc')
-rw-r--r-- | modules/taxonomy/taxonomy.pages.inc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/taxonomy/taxonomy.pages.inc b/modules/taxonomy/taxonomy.pages.inc
index ef4ceaed2..5ff9cff48 100644
--- a/modules/taxonomy/taxonomy.pages.inc
+++ b/modules/taxonomy/taxonomy.pages.inc
@@ -16,7 +16,7 @@ function taxonomy_term_page($str_tids = '', $depth = 0, $op = 'page') {
 }
 if ($terms['tids']) {
- $result = db_query(db_rewrite_sql('SELECT t.tid, t.name FROM {term_data} t WHERE t.tid IN (%s)', 't', 'tid'), implode(',', $terms['tids']));
+ $result = db_query(db_rewrite_sql('SELECT t.tid, t.name FROM {term_data} t WHERE t.tid IN ('. db_placeholders($terms['tids']) .')', 't', 'tid'), $terms['tids']);
 $tids = array(); // we rebuild the $tids-array so it only contains terms the user has access to.
 $names = array();
 while ($term = db_fetch_object($result)) { |
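Review bot: The added `$result = db_query(...)` line relies on the default placeholder type of `db_placeholders()` (integer, `%d`) without saying so, which is the entire security point of the change and will not be obvious to the next reader who sees no `%d` in the query string; passing the type explicitly, `db_placeholders($terms['tids'], 'int')`, or a one-line comment such as `// tids are integers: db_placeholders() emits %d, so each value is cast and cannot alter the query.` would document the intent. The preceding `if ($terms['tids'])` context line is now load-bearing as well, since on an empty array `db_placeholders()` would presumably produce an empty list and the query would read `IN ()`, so a short note that the guard must stay is worth adding. The replacement also drops the old `implode(',', ...)` in favour of passing the array straight to `db_query()`, which appears to expect the array to be a plain list; if `$terms['tids']` can arrive with non-sequential keys, that assumption should be confirmed where it is built, which is outside this hunk. The body of `taxonomy_term_page()` starts before and continues after the hunk.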