The search/filter strings were not getting cleaned in any way before being put into a db query, which was very bad. We are now using a new function called conditional_addslashes($value), which adds slashes if magic quotes are turned off. Which, in our environment, they are. There are many places where we are relying on magic quotes to be turned off, so that should prtobably be a project at a later point -- to make sure the Reason suite works when magic quotes are on (right now it would almost certainly not work.)
Files Modified
- reason/classes/viewer.php
- reason/content_listers/tree.php
- dave/misc.inc (on openapps, carl_util/basic/misc.php)