From: garvinhicking
Date: Thu, 1 Mar 2007 19:54:27 +0000 (+0000)
Subject: Fix SQL error message display when invalid categories selected
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=f13a3e95f51d6b0d74108e9914754e310b9a0f1d;p=s9y.git
Fix SQL error message display when invalid categories selected
---
diff --git a/docs/NEWS b/docs/NEWS
index 5ea66f4..89cc713 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -80,6 +80,11 @@ Version 1.2 ()
 Version 1.1.2 ()
 -----------------------------------------------------------------------
+ * Fix showing SQL error message when an empty category is selected
+ for viewing. Fixes an issue reported by Samenspender that was
+ falsely declard as SQL injection. In fact, no invalid SQL code
+ can be injected. (garvinhicking)
+
 * Better checks to see if the local PEAR inclusion is required
 (garvinhicking)
diff --git a/include/functions_entries.inc.php b/include/functions_entries.inc.php
index 2a75027..53ca9a8 100644
--- a/include/functions_entries.inc.php
+++ b/include/functions_entries.inc.php
@@ -69,6 +69,10 @@ function serendipity_getMultiCategoriesSQL($cats, $invert = false) {
 $cat_sql_array[] = " (c.category_left " . ($invert ? " NOT " : "") . " BETWEEN " . implode(' AND ', serendipity_fetchCategoryRange($categoryid)) . ')';
 }
 }
+
+ if (count($cat_sql_array) < 1) {
+ return '';
+ }
 return '(' . implode(($invert ? ' AND ' : ' OR '), $cat_sql_array) . ')';
 }
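Review bot: The new early `return '';` in serendipity_getMultiCategoriesSQL() changes what callers receive without documenting it: any caller that splices the result after `AND` or `WHERE` must now test for an empty string, otherwise it either builds another broken statement or silently drops the category filter and lists entries from every category. The call sites are not part of this diff, so each one is worth checking; a fail-closed alternative that always yields a valid condition would be `return $invert ? '(1 = 1)' : '(1 = 0)';`. The docs/NEWS statement that no SQL can be injected also depends on how `$categoryid` is validated before it reaches `serendipity_fetchCategoryRange()`, which happens above the hunk and cannot be confirmed from here, so that assumption should be verified and recorded in the function's docblock. The function body starts outside the hunk.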