editEntry: Use sanitized inputs in SQL UPDATE

We sanitized the inputs to make sure there are no bad (empty, invalid string) values, but then use the provided inputs rather than the sanitized inputs in the SQL query. This was introduced in #54 and was exposed in the API as seen in #77. Close #77.
FTB-Gamepedia · Sep 5, 2020 · 0ab7aba · 0ab7aba
1 parent 03711dc
commit 0ab7aba
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/OreDict.body.php b/OreDict.body.php
@@ -356,7 +356,12 @@ static public function editEntry($update, $id, $user) {
 
 		$result = $dbw->update(
 			'ext_oredict_items',
-			$update,
+			array(
+				'tag_name' => $tag,
+				'item_name' => $item,
+				'mod_name' => $mod,
+				'grid_params' => $params
+			),
 			array('entry_id' => $id),
 			__METHOD__
 		);