#4234 closed Defect (fixed)
negative limit in elgg_get_entities
| Reported by: | coldtrick | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | Elgg 1.8.3 |
| Component: | Core | Version: | Github Master |
| Severity: | minor | Keywords: | |
| Cc: | brett@… | Difficulty: | trivial |
Description
Currently it is possible to pass a negative limit to elgg_get_entities.
This should not be possible.
The LIMIT clause can be used to constrain the number of rows returned by the SELECT statement. LIMIT takes one or two numeric arguments, which must both be nonnegative integer constants (except when using prepared statements).
source: http://dev.mysql.com/doc/refman/5.0/en/select.html
Just as with the offset, it is possible to pass the "allow negative" toggle.
$limit = sanitise_int($options['limit'], false);
I did not check if this was the case in other core functions, but it should apply to all queries using a LIMIT parameter.
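The following is an added example, not part of the ticket or of Elgg's code: it shows how an integer cast alone still lets a negative value reach the LIMIT clause, and how the "allow negative" toggle set to false clamps it. The helper names, the clause shape and the sample inputs are hypothetical stand-ins.

```php
<?php
// Added example: stand-in helpers, not Elgg core code.

// Hypothetical stand-in with the same call shape as the ticket's
// sanitise_int($value, false): cast to int, optionally clamp at zero.
function example_sanitise_int($value, $allow_negative = true) {
    $int = (int) $value;
    if (!$allow_negative && $int < 0) {
        $int = 0;
    }
    return $int;
}

// Builds a LIMIT fragment the way a query helper might (assumed shape).
// MySQL requires both LIMIT arguments to be nonnegative, per the
// documentation quoted in the ticket.
function example_limit_clause($offset, $limit, $allow_negative_limit) {
    $offset = example_sanitise_int($offset, false);
    $limit = example_sanitise_int($limit, $allow_negative_limit);
    return "LIMIT $offset, $limit";
}

// Constructed sample inputs, as they might arrive from caller options.
$samples = array('10', '-5', '-3abc', 'abc', null);

foreach ($samples as $raw) {
    // "before": limit is cast but negatives are allowed through.
    $before = example_limit_clause(0, $raw, true);
    // "after": limit is forced to be nonnegative.
    $after = example_limit_clause(0, $raw, false);
    printf("%-8s before: %-14s after: %s\n",
        var_export($raw, true), $before, $after);
}
```

In both variants the cast discards non-numeric text, so the only difference is the sign: '-5' and '-3abc' produce a negative LIMIT argument before the change and 0 after it.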
Change History (3)
comment:1 Changed 17 months ago by cash
- Difficulty set to trivial
- Milestone changed from Needs Review to Elgg 1.8.3
- Priority changed from normal to low
comment:2 Changed 17 months ago by Cash Costello
- Resolution set to fixed
- Status changed from new to closed
comment:3 Changed 16 months ago by Cash Costello
Fixes #4234 forcing limit to be nonnegative
Changeset: 35a5ef862d7d28a173ab78b014afc372531fb17e