Added Quote In Condition Filters

pimcore · Apr 13, 2022 · adae3be · adae3be
1 parent 809851a
commit adae3be
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/bundles/AdminBundle/Controller/Admin/ElementController.php b/bundles/AdminBundle/Controller/Admin/ElementController.php
@@ -232,21 +232,20 @@ public function noteListAction(Request $request)
                     $filter['value'] = (int) $filter['value'];
                 }
                 // system field
-                $value = $filter['value'];
+                $value = ($filter['value']??'');
                 if ($operator == 'LIKE') {
                     $value = '%' . $value . '%';
                 }
 
                 if ($filter[$propertyKey] == 'user') {
-                    $conditions[] = '`user` IN (SELECT `id` FROM `users` WHERE `name` LIKE ' . $list->quote('%'.$filter['value'].'%') . ')';
+                    $conditions[] = '`user` IN (SELECT `id` FROM `users` WHERE `name` LIKE ' . $list->quote($value) . ')';
                 } else {
                     if ($filter['type'] == 'date' && $filter[$comparisonKey] == 'eq') {
-                        $maxTime = $filter['value'] + (86400 - 1); //specifies the top point of the range used in the condition
-                        $dateCondition = '`' . $filter[$propertyKey] . '` ' . ' BETWEEN ' . $db->quote($filter['value']) . ' AND ' . $db->quote($maxTime);
+                        $maxTime = $value + (86400 - 1); //specifies the top point of the range used in the condition
+                        $dateCondition = '`' . $filter[$propertyKey] . '` ' . ' BETWEEN ' . $db->quote($value) . ' AND ' . $db->quote($maxTime);
                         $conditions[] = $dateCondition;
                     } else {
-                        $field = '`'.$filter[$propertyKey].'` ';
-                        $conditions[] = $field.$operator.' '.$db->quote($value);
+                        $conditions[] = $db->quoteIdentifier($filter[$propertyKey]).' '.$operator.' '.$db->quote($value);
                     }
                 }
             }

diff --git a/bundles/AdminBundle/Controller/Admin/RecyclebinController.php b/bundles/AdminBundle/Controller/Admin/RecyclebinController.php
@@ -109,7 +109,7 @@ public function listAction(Request $request)
                         $value = '%' . $value . '%';
                     }
 
-                    $field = '`' . $filterField . '` ';
+                    $field = $db->quoteIdentifier($filterField);
                     if (($filter['field'] ?? false) == 'fullpath') {
                         $field = 'CONCAT(path,filename)';
                     }