@@ -50,14 +50,15 @@ public function __construct()
5050 }
5151
5252 /**
53- * Creates a valid date format **YYYY-MM-DD** for the SQL statement
53+ * Creates a valid escaped date format **YYYY-MM-DD** for the SQL statement
5454 * @param string $date The not formatted date from user input e.g. **12.04.2012**
5555 * @param string $operator The actual operator for the **date** parameter
56+ * @param Database $db Database connection for correct escaping of the date value
5657 * @return string String with a SQL valid date format **YYYY-MM-DD** or empty string
5758 * @throws Exception
5859 * @throws \Exception
5960 */
60- private function getFormatDate (string $ datestring $ operatorstring
61+ private function getFormatDate (string $ datestring $ operator, Database $ db string
6162 {
6263 global $ gSettingsManager
6364
@@ -83,29 +84,29 @@ private function getFormatDate(string $date, string $operator): string
8384 $ dateObjsub ($ oneYearadd ($ oneDay
8485 $ dateFrom$ dateObjformat ('Y-m-d ' );
8586
86- $ ageCondition' BETWEEN \'' . $ dateFrom'\' AND \'' . $ dateTo . '\'' ;
87+ $ ageCondition' BETWEEN ' . $ db -> escapeString ( $ dateFrom) . ' AND ' . $ db -> escapeString ( $ dateTo) ;
8788 break ;
8889 case '} ' :
8990 // search for dates that are older than the age
9091 // because the age itself takes 1 year we must subtract 1 year to age
9192 $ dateObjsub ($ oneYearadd ($ oneDay
92- $ ageCondition$ dateObjformat ('Y-m-d ' );
93+ $ ageCondition$ db -> escapeString ( $ dateObjformat ('Y-m-d ' ) );
9394 break ;
9495 case '{ ' :
9596 // search for dates that are younger than the age
9697 // we must add 1 day to the date because the day itself belongs to the age
9798 $ dateObjadd ($ oneDay
98- $ ageCondition$ dateObjformat ('Y-m-d ' );
99+ $ ageCondition$ db -> escapeString ( $ dateObjformat ('Y-m-d ' ) );
99100 break ;
100101 case '] ' :
101102 // search for dates that are older or equal than the age
102- $ ageCondition$ dateObjformat ('Y-m-d ' );
103+ $ ageCondition$ db -> escapeString ( $ dateObjformat ('Y-m-d ' ) );
103104 break ;
104105 case '[ ' :
105106 // search for dates that are younger or equal than the age
106107 // because the age itself takes 1 year we must subtract another 1 year but the day itself must be ignored to age
107108 $ dateObjsub ($ oneYearadd ($ oneDay
108- $ ageCondition$ dateObjformat ('Y-m-d ' );
109+ $ ageCondition$ db -> escapeString ( $ dateObjformat ('Y-m-d ' ) );
109110 break ;
110111 }
111112
@@ -286,9 +287,9 @@ public function makeSqlStatement(string $sourceCondition, string $columnName, st
286287 // if date column than the date will be saved in $date.
287288 // This variable must then be parsed and changed in a valid database format
288289 if ($ columnType'date ' && $ date'' ) {
289- $ formatDate$ this getFormatDate ($ date$ operator
290+ $ formatDate$ this getFormatDate ($ date$ operator, $ db
290291 if ($ formatDate'' ) {
291- $ this destCond .= $ db -> escapeString ( $ formatDate) ;
292+ $ this destCond .= $ formatDate
292293 } else {
293294 throw new Exception ('SYS_NOT_VALID_DATE_FORMAT ' , array ($ fieldName
294295 }
@@ -337,9 +338,9 @@ public function makeSqlStatement(string $sourceCondition, string $columnName, st
337338 // if date column than the date will be saved in $date.
338339 // This variable must then be parsed and changed in a valid database format
339340 if ($ columnType'date ' && $ date'' ) {
340- $ formatDate$ this getFormatDate ($ date$ operator
341+ $ formatDate$ this getFormatDate ($ date$ operator, $ db
341342 if ($ formatDate'' ) {
342- $ this destCond .= $ db -> escapeString ( $ formatDate) ;
343+ $ this destCond .= $ formatDate
343344 } else {
344345 throw new Exception ('SYS_NOT_VALID_DATE_FORMAT ' , array ($ fieldName
345346 }
0 commit comments