Merge pull request #345 from frankmullenger/frankmullenger-sql-patch

FIX: Casting to integer to prevent potential SQL injection.
silverstripe · Sep 20, 2015 · 606b20b · 606b20b
2 parents cc7a674 + 2cea1ce
commit 606b20b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/code/model/UserDefinedForm.php b/code/model/UserDefinedForm.php
@@ -152,7 +152,7 @@ public function getCMSFields() {
 			);
 
 			// make sure a numeric not a empty string is checked against this int column for SQL server
-			$parentID = (!empty($self->ID)) ? $self->ID : 0;
+			$parentID = (!empty($self->ID)) ? (int)$self->ID : 0;
 
 			// get a list of all field names and values used for print and export CSV views of the GridField below.
 			$columnSQL = <<<SQL