Backport

author garvinhicking <garvinhicking>

Thu, 1 Mar 2007 19:55:51 +0000 (19:55 +0000)

committer garvinhicking <garvinhicking>

Thu, 1 Mar 2007 19:55:51 +0000 (19:55 +0000)
author garvinhicking <garvinhicking>
Thu, 1 Mar 2007 19:55:51 +0000 (19:55 +0000)
committer garvinhicking <garvinhicking>
Thu, 1 Mar 2007 19:55:51 +0000 (19:55 +0000)
diff --git a/docs/NEWS b/docs/NEWS

index 846f87624df1434768afb24f66afa451f121acff..30163d504474793895359c5512ba91e931fa3c45 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,11 @@
  Version 1.1.2 ()
  ------------------------------------------------------------------------
  
+    * Fix showing SQL error message when an empty category is selected
+      for viewing. Fixes an issue reported by Samenspender that was
+      falsely declard as SQL injection. In fact, no invalid SQL
+      code can be injected. (garvinhicking)
+                
      * Better checks to see if the local PEAR inclusion is required
        (garvinhicking)
  
diff --git a/include/functions_entries.inc.php b/include/functions_entries.inc.php

index 2acf7b367ff3eba8e77385ebb6fb1a67b70a2c3c..2d663a237c6d061832d3208534b14592408f8834 100644 (file)
--- a/include/functions_entries.inc.php
+++ b/include/functions_entries.inc.php
@@ -69,6 +69,10 @@ function serendipity_getMultiCategoriesSQL($cats, $invert = false) {
              $cat_sql_array[] = " (c.category_left " . ($invert ? " NOT " : "") . " BETWEEN " . implode(' AND ', serendipity_fetchCategoryRange($categoryid)) . ')';
          }
      }
+    
+    if (count($cat_sql_array) < 1) {
+        return '';
+    }
  
      return '(' . implode(($invert ? ' AND ' : ' OR '), $cat_sql_array) . ')';
  }
author	garvinhicking <garvinhicking>
	Thu, 1 Mar 2007 19:55:51 +0000 (19:55 +0000)
committer	garvinhicking <garvinhicking>
	Thu, 1 Mar 2007 19:55:51 +0000 (19:55 +0000)
docs/NEWS		patch \| blob \| history
include/functions_entries.inc.php		patch \| blob \| history