Fix date filtering issue caused by better escape_string() against SQL injections - refs #7440

main/inc/lib/database.lib.php

@@ -475,6 +475,7 @@ class Database
     public static function escape_string($string, $connection = null, $addFix = true)
     {
         // Fixes security problem when there's no "" or '' between a variable.
+        // See #7440 for more info
         if ($addFix) {
             $string = "__@$string@__";
         }
@@ -686,6 +687,7 @@ class Database
 
     /**
      * Removes "__@" prefix and @__ suffix added by Database::escape_string()
+     * See #7440 for more info
      * @param string $query
      * @return mixed
      */

main/inc/lib/internationalization.lib.php

@@ -571,6 +571,10 @@ function api_get_utc_datetime($time = null, $return_null_if_invalid_date = false
         }
         return gmdate('Y-m-d H:i:s');
     }
+    if (preg_match('/__@(.*)@__/', $time)) {
+        // unfilter special security fix for SQL injection, see Database::fixQuery()
+        $time = str_replace(array("__@","@__"), "", $time);
+    }
     // If time is a timestamp, return directly in utc
     if (is_numeric($time)) {
         $time = intval($time);