From 26a7752c34321fd9cb889308f507ca6bdb777f08 Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Wed, 15 Oct 2014 10:31:54 -0400
Subject: SA-CORE-2014-005 by Stefan Horst, greggles, larowlan, David_Rothstein, klausi: Fixed SQL injection vulnerability
---
 includes/database/database.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'includes/database')
diff --git a/includes/database/database.inc b/includes/database/database.inc
index f78098bc0..01b638584 100644
--- a/includes/database/database.inc
+++ b/includes/database/database.inc
@@ -736,7 +736,7 @@ abstract class DatabaseConnection extends PDO {
 // to expand it out into a comma-delimited set of placeholders.
 foreach (array_filter($args, 'is_array') as $key => $data) {
 $new_keys = array();
- foreach ($data as $i => $value) {
+ foreach (array_values($data) as $i => $value) {
 // This assumes that there are no other placeholders that use the same
 // name. For example, if the array placeholder is defined as :example
 // and there is already an :example_2 placeholder, this will generate
-- 
cgit v1.2.3
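Review bot: The `array_values($data)` call on the added `foreach` line has no comment explaining why it is there, so a later cleanup could drop it as redundant and reintroduce the injection this commit fixes. The placeholder names in this loop appear to be built from `$key` and `$i` (the construction is below the hunk), so `$i` must never come from caller-controlled array keys. I would add above the inner loop `// Re-index with array_values(): $i becomes part of a placeholder name, so it must be a numeric index and never a caller-supplied key.` The diffstat shows only database.inc changed, so it would be worth adding a regression test that passes an associative array for an array placeholder and asserts that the expanded placeholder names carry only numeric suffixes. The enclosing method starts and ends outside the hunk.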