From a5556c2471973e292dce615fe0c77fdbbc54405b Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Fri, 29 Jan 2016 17:24:59 +0300
Subject: [PATCH 1/1] fix item_id not being properly escaped in
 pref_feeds::process_category_order() (possible sql injection)

---
 classes/pref/feeds.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index 595d2957..167ddabf 100755
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -324,7 +324,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		if ($debug) _debug("$prefix C: $item_id P: $parent_id");
 
-		$bare_item_id = substr($item_id, strpos($item_id, ':')+1);
+		$bare_item_id = $this->dbh->escape_string(substr($item_id, strpos($item_id, ':')+1));
 
 		if ($item_id != 'root') {
 			if ($parent_id && $parent_id != 'root') {
@@ -346,7 +346,7 @@ class Pref_Feeds extends Handler_Protected {
 		if ($cat && is_array($cat)) {
 			foreach ($cat as $item) {
 				$id = $item['_reference'];
-				$bare_id = substr($id, strpos($id, ':')+1);
+				$bare_id = $this->dbh->escape_string(substr($id, strpos($id, ':')+1));
 
 				if ($debug) _debug("$prefix [$order_id] $id/$bare_id");
 
-- 
2.39.2