From 775d38953fd7d413b7687ef6d1e97548ed9d88c5 Mon Sep 17 00:00:00 2001
From: Alan
Date: Thu, 23 Mar 2023 10:47:53 +0800
Subject: [PATCH] fix SQL injection
---
 DataObjects/Core_person.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DataObjects/Core_person.php b/DataObjects/Core_person.php
index 80187c3c..0a499a41 100644
--- a/DataObjects/Core_person.php
+++ b/DataObjects/Core_person.php
@@ -1051,7 +1051,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
 // #2307 Search Country!!
 if (!empty($q['query']['in_country'])) {
 // DB_DataObject::debugLevel(1);
- $inc = $q['query']['in_country'];
+ $inc = $this->escape($q['query']['in_country']);
 $this->whereAdd("$tn_p.countries LIKE '%{$inc}%'");
 }
--
2.39.2
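Review bot: The escaped `$inc` is still placed inside a `LIKE '%…%'` pattern, so `%` and `_` in `in_country` keep their wildcard meaning and a caller can widen the match beyond a literal substring. If the DB_DataObject version in use supports the second `$likeEscape` argument of `escape()`, pass it: `$inc = $this->escape($q['query']['in_country'], true);`. The value is also never checked to be a string, so a request that sends `in_country` as an array would hand an array to `escape()`; adding `&& is_string($q['query']['in_country'])` to the `if` makes the expected type explicit. The enclosing method starts and ends outside the hunk, so any other `$q['query'][...]` values it interpolates into `whereAdd()` are not visible here and should be checked for the same pattern.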