3.69: Fix possible SQL injection for tagnames, thanks to Brian carpenter (geeknik) and Hanno B?ck

serendipity_event_freetag/ChangeLog

@@ -1,3 +1,5 @@
+3.69: Fix possible SQL injection for tagnames, Thanks to Brian carpenter (geeknik) and Hanno BÃck
+
 3.67: Iconfont a11y fix (yellowled)
 
 3.66: Fix an issue refering to Smarty2->Smarty3 changes.

serendipity_event_freetag/serendipity_event_freetag.php

@@ -72,7 +72,7 @@ class serendipity_event_freetag extends serendipity_event
             'smarty'      => '2.6.7',
             'php'         => '4.1.0'
         ));
-        $propbag->add('version',       '3.68');
+        $propbag->add('version',       '3.69');
         $propbag->add('event_hooks',    array(
             'frontend_fetchentries'                             => true,
             'frontend_fetchentry'                               => true,
@@ -1556,8 +1556,8 @@ addLoadEvent(enableAutocomplete);
         } else {
 
             if (is_string($tag)) {
-                $cond = "main.tag = '$tag'";
-                $ncond = "neg.tag != '$tag'";
+                $cond = "main.tag = '" . serendipity_db_escape_string($tag) . "'";
+                $ncond = "neg.tag != '" . serendipity_db_escape_string($tag) . "'";
                 $join = "LEFT JOIN {$serendipity['dbPrefix']}entrytags AS neg ".
                       "ON main.entryid = neg.entryid ";
                 $totalModifier = '';
@@ -1582,8 +1582,8 @@ addLoadEvent(enableAutocomplete);
 
                     $join .= "LEFT JOIN {$serendipity['dbPrefix']}entrytags AS sub{$i} ".
                                 "ON main.entryid = sub{$i}.entryid ";
-                    $cond .= "sub{$i}.tag = '{$tag[$i]}' ";
-                    $ncond .= "neg.tag != '{$tag[$i]}' ";
+                    $cond .= "sub{$i}.tag = '" . serendipity_db_escape_string($tag[$i]) . "' ";
+                    $ncond .= "neg.tag != '" . serendipity_db_escape_string($tag[$i]) . "' ";
                 }
             } else {
                 return;