Fix SQL error message display when invalid categories selected

author garvinhicking <garvinhicking>

Thu, 1 Mar 2007 19:54:27 +0000 (19:54 +0000)

committer garvinhicking <garvinhicking>

Thu, 1 Mar 2007 19:54:27 +0000 (19:54 +0000)
author garvinhicking <garvinhicking>
Thu, 1 Mar 2007 19:54:27 +0000 (19:54 +0000)
committer garvinhicking <garvinhicking>
Thu, 1 Mar 2007 19:54:27 +0000 (19:54 +0000)
diff --git a/docs/NEWS b/docs/NEWS

index 5ea66f4e4e7b7bdf70935fff15311f731d271905..89cc713038bf1b5ddd317986a053a063fd970fd1 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -80,6 +80,11 @@ Version 1.2 ()
  Version 1.1.2 ()
  -----------------------------------------------------------------------
  
+    * Fix showing SQL error message when an empty category is selected
+      for viewing. Fixes an issue reported by Samenspender that was
+      falsely declard as SQL injection. In fact, no invalid SQL code
+      can be injected. (garvinhicking)
+
      * Better checks to see if the local PEAR inclusion is required
        (garvinhicking)
  
diff --git a/include/functions_entries.inc.php b/include/functions_entries.inc.php

index 2a75027b54f6ce9df3be69bda159ae7e3cc19592..53ca9a8791cfd0cab333a6e64fb3e3da2e5acdee 100644 (file)
--- a/include/functions_entries.inc.php
+++ b/include/functions_entries.inc.php
@@ -69,6 +69,10 @@ function serendipity_getMultiCategoriesSQL($cats, $invert = false) {
              $cat_sql_array[] = " (c.category_left " . ($invert ? " NOT " : "") . " BETWEEN " . implode(' AND ', serendipity_fetchCategoryRange($categoryid)) . ')';
          }
      }
+    
+    if (count($cat_sql_array) < 1) {
+        return '';
+    }
  
      return '(' . implode(($invert ? ' AND ' : ' OR '), $cat_sql_array) . ')';
  }
author	garvinhicking <garvinhicking>
	Thu, 1 Mar 2007 19:54:27 +0000 (19:54 +0000)
committer	garvinhicking <garvinhicking>
	Thu, 1 Mar 2007 19:54:27 +0000 (19:54 +0000)
docs/NEWS		patch \| blob \| history
include/functions_entries.inc.php		patch \| blob \| history