Additional sql injection prevention in date2sql().
authorJanusz Dobrowolski <janusz@frontaccounting.eu>
Tue, 6 Jul 2010 21:33:42 +0000 (21:33 +0000)
committerJanusz Dobrowolski <janusz@frontaccounting.eu>
Tue, 6 Jul 2010 21:33:42 +0000 (21:33 +0000)
CHANGELOG.txt
includes/date_functions.inc

index a15723270873aaacf650e39676db5ca24fcdd553..ec4587dc0b8df5cbbe05aa57da33405035f61912 100644 (file)
@@ -19,6 +19,10 @@ Legend:
 ! -> Note
 $ -> Affected files
 
+06-Jul-2010 Janusz Dobrowolski/Micha³ Kozielski
+# Additional sql injection prevention.
+$ /includes/date_functions.inc
+
 ------------------------------- Release 2.2.11 ----------------------------------
 ! Release 2.2.11
 $ config.default.php
index 0adac04ddb825e6d10f685d87f1cce674fb24a89..bf579a4e08f8877e10bf9387a7ca15934d3563bc 100644 (file)
@@ -328,7 +328,11 @@ and converts to a yyyy/mm/dd format */
     else // $how == 2, YYYYMMDD
         list($year, $month, $day) = explode($sep, $date_);
 
-//to modify assumption in 2030
+    // prevent potential SQL injection
+    $year = (int)$year;
+    $month = (int)$month;
+    $day = (int)$day;
+       //to modify assumption in 2030
        if ($date_system == 0 || $date_system == 3)
        {
                if ((int)$year < 60)
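Review bot: The `(int)` casts on `$year`, `$month` and `$day` neutralise SQL metacharacters but do not validate the date, so malformed input is silently coerced into a syntactically valid but wrong value: `(int)"abc"` is 0, a month of 13 passes through unchanged, and when `$date_` contains no separator the `list()` on the preceding line leaves `$month` and `$day` unset so they cast to 0. Since the result is destined for SQL, consider rejecting such input explicitly once the components are integers — e.g. `if (!checkdate($month, $day, $year)) return '';` (or whatever failure value date2sql's callers already expect, which is not visible here) — placed after the two-digit-year adjustment that begins on the last hunk line, since `checkdate()` needs a full year. With `$year` already an int, the cast in `if ((int)$year < 60)` is now redundant and can become `if ($year < 60)`; the new lines are also indented with spaces while the surrounding block uses tabs. The enclosing function date2sql() starts before and continues past this hunk.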