From c94722e00bd34811a61fda6e593aae55a431f3de Mon Sep 17 00:00:00 2001
From: Nick Liu
Date: Mon, 13 Sep 2021 12:41:26 -0500
Subject: [PATCH] #4564: Un-break `validatorClass::dbValidateArray()` counter

I forgot an `AND` in the `WHERE` clause for the `e_db_pdo` implementation of `validatorClass::dbValidateArray()`.

Fixes: https://github.com/e107inc/e107/issues/4564
---
 e107_handlers/validator_class.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/e107_handlers/validator_class.php b/e107_handlers/validator_class.php
index 59a29b171..87884d47a 100644
--- a/e107_handlers/validator_class.php
+++ b/e107_handlers/validator_class.php
@@ -1387,17 +1387,24 @@ class validatorClass
 }
 $field = varset($options['dbFieldName'], $f);
 // XXX: Different implementations due to missing API for preventing SQL injections
- $count = 0;
 if ($u_sql instanceof e_db_mysql)
 {
 $v = $u_sql->escape($v);
- $count = $u_sql->count($targetTable, "(*)", "WHERE `{$f}`='$v' AND `user_id` != " . $userID);
+ $count = (int) $u_sql->count($targetTable, "(*)", "WHERE `{$f}`='$v' AND `user_id` != " . $userID);
 }
 else
 {
- $u_sql->select($targetTable, "COUNT(*)", "`{$f}`=:value", ['value' => $v]);
+ $u_sql->select(
+ $targetTable,
+ "COUNT(*)",
+ "`{$f}`=:value AND `user_id` != :userID",
+ [
+ 'value' => $v,
+ 'userID' => $userID,
+ ]
+ );
 $row = $u_sql->fetch('num');
- $count = (int) $row[0];
+ $count = (int) $row[0];
 }
 if ($count)
 {
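Review bot: In the `e_db_mysql` branch `$userID` is still concatenated straight into the `WHERE` string, while the PDO branch now binds it as `:userID`. The hunk does not show where `$userID` is assigned, so unless it is already forced to an integer upstream, cast it at the point of use by ending the condition with `. (int) $userID`. The column name `{$f}` is interpolated into both queries and cannot be bound, so a comment stating that it must only come from the validator's own field definitions would help the next reader. In the PDO branch the return value of `select()` is ignored, and if `fetch('num')` yields no row, `(int) $row[0]` evaluates to 0, so the uniqueness check passes on a failed query; a guard such as `if (!is_array($row))` that reports a validation error would make it fail closed. The enclosing method starts and ends outside the hunk, so how `$field` and `$count` are used afterwards is not visible here.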