From 2fbe7f806d9cacd64b8d8069f2e19857a3f4787c Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 28 Mar 2016 11:18:20 -0500
Subject: [PATCH] orm: Properly quote objects in queries

This fixes a regression in 4f8f236d6a114c710362fdc302c4763cdf2fd387, where
the parameters are sent in the SQL statement to the database. Objects which
are converted to a string must be properly quoted when placed in the query.
---
 include/class.orm.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/include/class.orm.php b/include/class.orm.php
index fbbdf7f11..954d72f7a 100644
--- a/include/class.orm.php
+++ b/include/class.orm.php
@@ -3064,13 +3064,18 @@ class MySqlPreparedExecutor {
         return preg_replace_callback("/:(\d+)(?=([^']*'[^']*')*[^']*$)/",
         function($m) use ($self) {
             $p = $self->params[$m[1]-1];
-            if ($p instanceof DateTime) {
+            switch (true) {
+            case is_bool($p):
+                $p = (int) $p;
+            case is_int($p):
+            case is_float($p):
+                return $p;
+
+            case $p instanceof DateTime:
                 $p = $p->format('Y-m-d H:i:s');
+            default:
+                return db_real_escape($p, true);
             }
-            elseif ($p === false) {
-                $p = 0;
-            }
-            return db_real_escape($p, is_string($p));
         }, $this->sql);
     }
 }
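Review bot: A `null` parameter now reaches the `default:` branch and is passed to `db_real_escape($p, true)`, whereas the removed code called it with `is_string(null)` false; if that second argument wraps the value in quotes, a null now lands in the statement as an empty string literal rather than however it was emitted before, so either confirm nulls never reach this executor or add `case $p === null: return 'NULL';` ahead of `default:`. The `is_int`/`is_float` cases return the raw value, which `preg_replace_callback` coerces to a string; on the PHP versions this code targets, float-to-string conversion honours the process locale, so a comma decimal separator would yield malformed SQL, and a locale-independent form such as `case is_float($p): return sprintf('%.15F', $p);` avoids that. The intentional fallthroughs from `case is_bool($p)` into the numeric cases and from the `DateTime` case into `default:` each deserve a `// fall through` comment so a later reader does not "fix" them by inserting `break`. The enclosing method begins before the hunk, so the surrounding declaration and how `$self->params` is populated are not visible here.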
-- 
GitLab