No injections
authorRoeland Jago Douma <roeland@famdouma.nl>
Mon, 30 Mar 2015 18:07:12 +0000 (20:07 +0200)
committerRoeland Jago Douma <roeland@famdouma.nl>
Mon, 30 Mar 2015 18:07:12 +0000 (20:07 +0200)
lib/private/share/share.php

index 38fd34e9760b1e0e360e1241b7b07f178e232866..d254b5a665c11eff0f177bd69df31539266ee419 100644 (file)
@@ -1167,7 +1167,8 @@ class Share extends \OC\Share\Constants {
 
                $qb->select('`uid_owner`')
                        ->from('`*PREFIX*share`')
-                       ->where($qb->expr()->eq('`id`', $shareId));
+                       ->where('`id` = :shareId')
+                       ->setParameter(':shareId', $shareId);
                $result = $qb->execute();
                $result = $result->fetch();
 
@@ -1215,8 +1216,11 @@ class Share extends \OC\Share\Constants {
 
                $qb = $connection->createQueryBuilder();
                $qb->update('`*PREFIX*share`')
-                       ->set('`share_with`', is_null($password) ? 'NULL' : $qb->expr()->literal(\OC::$server->getHasher()->hash($password)))
-                       ->where($qb->expr()->eq('`id`', $shareId));
+                       ->set('`share_with`', ':pass')
+                       ->where('`id` = :shareId')
+                       ->setParameter(':pass', is_null($password) ? 'NULL' : $qb->expr()->literal(\OC::$server->getHasher()->hash($password)))
+                       ->setParameter(':shareId', $shareId);
+
                $qb->execute();
 
                return true;
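Review bot: The value bound to `:pass` in the `setParameter(':pass', ...)` call is still built as a SQL fragment, but a bound parameter is stored verbatim. When `$password` is null, the four-character string `'NULL'` is written to `share_with` instead of SQL NULL, and `$qb->expr()->literal(...)` presumably wraps the hash in quote characters that then become part of the stored value, so both clearing a share password and verifying one afterwards are likely to misbehave. Bind the raw value instead: `->setParameter(':pass', is_null($password) ? null : \OC::$server->getHasher()->hash($password))`. The enclosing method starts and ends outside the hunk, so it is worth checking how callers read `share_with` back.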