This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

SNYK: Sanitize and bind Meta-Services dependency queries (#11554)
* sanitize 2 insert queries

* spaces removed in a query
emabassi-ext committed Aug 11, 2022
1 parent 5998080 commit 7a34e34
Showing 1 changed file with 10 additions and 6 deletions.
Expand Up @@ -114,19 +114,23 @@ function multipleMetaServiceDependencyInDB($dependencies = array(), $nbrDup = ar
$query = "SELECT DISTINCT meta_service_meta_id FROM dependency_metaserviceParent_relation " .
"WHERE dependency_dep_id = '" . $key . "'";
$dbResult = $pearDB->query($query);
$statement = $pearDB->prepare("INSERT INTO dependency_metaserviceParent_relation " .
"VALUES (:maxId, :metaId)");
while ($ms = $dbResult->fetch()) {
$query = "INSERT INTO dependency_metaserviceParent_relation " .
"VALUES ('" . $maxId["MAX(dep_id)"] . "', '" . $ms["meta_service_meta_id"] . "')";
$pearDB->query($query);
$statement->bindValue(':maxId', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
$statement->bindValue(':metaId', (int) $ms["meta_service_meta_id"], \PDO::PARAM_INT);
$statement->execute();
}
$dbResult->closeCursor();
$query = "SELECT DISTINCT meta_service_meta_id FROM dependency_metaserviceChild_relation " .
"WHERE dependency_dep_id = '" . $key . "'";
$dbResult = $pearDB->query($query);
$childStatement = $pearDB->prepare("INSERT INTO dependency_metaserviceChild_relation " .
"VALUES (:maxId, :metaId)");
while ($ms = $dbResult->fetch()) {
$query = "INSERT INTO dependency_metaserviceChild_relation VALUES ('" .
$maxId["MAX(dep_id)"] . "', '" . $ms["meta_service_meta_id"] . "')";
$pearDB->query($query);
$childStatement->bindValue(':maxId', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
$childStatement->bindValue(':metaId', (int) $ms["meta_service_meta_id"], \PDO::PARAM_INT);
$childStatement->execute();
}
$dbResult->closeCursor();
}
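Review bot: The two SELECT statements that drive these loops still concatenate `$key` into the SQL text (`"WHERE dependency_dep_id = '" . $key . "'"`, once for the parent relation table and once for the child one), so the commit binds only values read back from the database and leaves unbound the one value that enters these queries from outside them. Where `$key` comes from is not visible in this hunk (the function starts and ends outside it); it presumably derives from the `$dependencies` argument, and if that carries request data the injection path is unchanged. I would prepare both SELECTs the same way as the INSERTs, e.g. `$sel = $pearDB->prepare("SELECT DISTINCT meta_service_meta_id FROM dependency_metaserviceParent_relation WHERE dependency_dep_id = :depId");` followed by `$sel->bindValue(':depId', (int) $key, \PDO::PARAM_INT);` and `$sel->execute();`, then fetch from `$sel`. Separately, `:maxId` does not change inside either loop, so it can be bound once before the `while`, and naming the target columns in the INSERT would stop the statement depending on table column order.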
