From 1f517617485050b5b2e42d4388a108520042f9bc Mon Sep 17 00:00:00 2001
From: Miguel Ribeiro
Date: Sun, 10 Mar 2024 09:22:00 +0100
Subject: [PATCH] fix: sql injection vulnerability when using filters
---
 endpoints/subscriptions/get.php | 22 ++++++++++++++--------
 includes/version.php | 2 +-
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/endpoints/subscriptions/get.php b/endpoints/subscriptions/get.php
index 1a0befb0f..4e3f5eb48 100644
--- a/endpoints/subscriptions/get.php
+++ b/endpoints/subscriptions/get.php
@@ -29,27 +29,33 @@
 }
 }
+ $params = array();
 $sql = "SELECT * FROM subscriptions WHERE 1=1";
 if (isset($_GET['category']) && $_GET['category'] != "") {
- $category = $_GET['category'];
- $sql .= " AND category_id = $category";
+ $sql .= " AND category_id = :category";
+ $params[':category'] = $_GET['category'];
 }
 if (isset($_GET['payment']) && $_GET['payment'] != "") {
- $payment = $_GET['payment'];
- $sql .= " AND payment_method_id = $payment";
+ $sql .= " AND payment_method_id = :payment";
+ $params[':payment'] = $_GET['payment'];
 }
 if (isset($_GET['member']) && $_GET['member'] != "") {
- $member = $_GET['member'];
- $sql .= " AND payer_user_id = $member";
+ $sql .= " AND payer_user_id = :member";
+ $params[':member'] = $_GET['member'];
 }
 $sql .= " ORDER BY $sort $order, inactive ASC";
-
- $result = $db->query($sql);
+ $stmt = $db->prepare($sql);
+
+ foreach ($params as $key => $value) {
+ $stmt->bindValue($key, $value);
+ }
+
+ $result = $stmt->execute();
 if ($result) {
 $subscriptions = array();
 while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
diff --git a/includes/version.php b/includes/version.php
index aabf0f36d..ac5264621 100644
--- a/includes/version.php
+++ b/includes/version.php
@@ -1,3 +1,3 @@
\ No newline at end of file
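Review bot: The unchanged context line `$sql .= " ORDER BY $sort $order, inactive ASC";` still interpolates `$sort` and `$order` straight into the statement, so if those two values are derived from the request (they are assigned above the hunk, outside this view) the same class of injection this commit closes for the three filters remains open on the ORDER BY clause. Column names and sort directions cannot be passed as bound parameters, so they need an allowlist check before the concatenation, e.g. `$order = strtoupper((string) $order) === 'DESC' ? 'DESC' : 'ASC';` and `if (!in_array($sort, $allowedSortColumns, true)) { $sort = $defaultSortColumn; }` where `$allowedSortColumns`/`$defaultSortColumn` are placeholders for the table's sortable column names. Separately, `$db->prepare($sql)` returns `false` on a malformed statement, and the new `foreach` would then call `bindValue()` on `false`; a guard such as `if ($stmt === false) { $result = false; } else { … bind and execute … }` keeps that failure on the existing `if ($result)` path instead of a fatal error.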