Also use PDO parameterization for the row ID in UPDATE queries

11 years ago · eaadadded0
parent 138bf9949e
commit eaadadded0
1 changed files with 3 additions and 1 deletions
--- a/class.databaserecord.php
+++ b/class.databaserecord.php
@ -523,7 +523,9 @@ abstract class CPHPDatabaseRecordClass extends CPHPBaseClass
 				}
 				
 				$sQueryKeysIdentifiers = implode(", ", $sKeysIdentifiersList);
-				$query = "UPDATE {$this->table_name} SET {$sQueryKeysIdentifiers} WHERE `{$this->id_field}` = '{$this->sId}'";
+				/* We use :CPHPID here because it's unlikely to be used in the application itself. */
+				$query = "UPDATE {$this->table_name} SET {$sQueryKeysIdentifiers} WHERE `{$this->id_field}` = :CPHPID";
+				$uValueList[':CPHPID'] = $this->sId;
 			}
 			
 			try