Details
- Type: Bug
- Status: Done/Fixed
- Priority: Trivial
- Resolution: Fixed/Completed
- Affects Version/s: 4.4.3
- Fix Version/s: 4.4.4
- Component/s: Core CiviCRM
- Labels:
Description
The parameters used for at least one scheduled job are sent to MySQL without being escaped.
To reproduce:
1. Go to CiviCRM » Administer CiviCRM » Scheduled Jobs
2. Edit the 'geocode and parse addresses' job parameters so that the values are something non-numeric (e.g. the 'example' values that come with a fresh install).
3. Run the job. The task will fail with a DB parse error.
Copied below is the SQL log for such an example. Note the unescaped input in the WHERE clause:
SELECT c.id,
a.id as address_id,
a.street_address,
a.city,
a.postal_code,
s.name as state,
o.name as country
FROM civicrm_contact c
INNER JOIN civicrm_address a ON a.contact_id = c.id
LEFT JOIN civicrm_country o ON a.country_id = o.id
LEFT JOIN civicrm_state_province s ON a.state_province_id = s.id
WHERE ( c.id = a.contact_id ) AND ( c.id >= [contact ID] optional-begin with this contact ID ) AND ( c.id <= [contact ID] optional-process contacts with IDs less than this ) AND ( a.geo_code_1 is null OR a.geo_code_1 = 0 ) AND ( a.geo_code_2 is null OR a.geo_code_2 = 0 ) AND ( a.country_id is not null )
ORDER BY a.id
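As an added illustration (not code from this issue or from the CiviCRM fix), here is the concatenation pattern that produces the parse error above, beside a hardened version that validates the job's start/end parameters as integers and binds them through CRM_Core_DAO::executeQuery's typed placeholders. The function names, the $params keys and the use of CRM_Utils_Rule::positiveInteger for the check are assumptions for illustration.

```php
<?php
// Added example, not code from the CiviCRM issue or its fix. Job parameters
// arrive as strings typed into the Scheduled Jobs form, including the
// placeholder text a fresh install ships with.

// Vulnerable pattern (reproduces the parse error in the report): the raw
// parameter text is concatenated straight into the WHERE clause.
function buildGeocodeQueryUnsafe(array $params) {
  $start = $params['start'];
  $end = $params['end'];
  return "SELECT c.id, a.id AS address_id
          FROM civicrm_contact c
          INNER JOIN civicrm_address a ON a.contact_id = c.id
          WHERE c.id >= $start AND c.id <= $end
            AND (a.geo_code_1 IS NULL OR a.geo_code_1 = 0)
            AND (a.geo_code_2 IS NULL OR a.geo_code_2 = 0)
            AND a.country_id IS NOT NULL
          ORDER BY a.id";
}

// Hardened pattern: each bound is optional, must be a positive integer, and is
// bound via CiviCRM's typed %n placeholders so the DAO layer escapes it; a
// non-numeric value is rejected before reaching MySQL. Names are assumptions.
function buildGeocodeQuerySafe(array $params) {
  $sqlParams = array();
  $conditions = array('a.geo_code_1 IS NULL OR a.geo_code_1 = 0',
                      'a.geo_code_2 IS NULL OR a.geo_code_2 = 0',
                      'a.country_id IS NOT NULL');
  $bounds = array('start' => array(1, 'c.id >= %1'),
                  'end'   => array(2, 'c.id <= %2'));
  foreach ($bounds as $key => $spec) {
    list($index, $clause) = $spec;
    if (!isset($params[$key]) || $params[$key] === '') {
      continue; // bound not supplied: leave the range open on this side
    }
    if (!CRM_Utils_Rule::positiveInteger($params[$key])) {
      throw new CRM_Core_Exception("Job parameter '$key' must be a contact ID");
    }
    $sqlParams[$index] = array((int) $params[$key], 'Integer');
    $conditions[] = $clause;
  }
  $sql = "SELECT c.id, a.id AS address_id
          FROM civicrm_contact c
          INNER JOIN civicrm_address a ON a.contact_id = c.id
          WHERE (" . implode(') AND (', $conditions) . ")
          ORDER BY a.id";
  return array($sql, $sqlParams);
}
```

The job would then call list($sql, $sqlParams) = buildGeocodeQuerySafe($jobParams); followed by CRM_Core_DAO::executeQuery($sql, $sqlParams), so the administrator-supplied values never reach the SQL text unescaped.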