8000 Cleanup post data in EventAttendance by respencer · Pull Request #6989 · ChurchCRM/CRM · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Cleanup post data in EventAttendance #6989

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 4, 2024
Merged

Cleanup post data in EventAttendance #6989

merged 3 commits into from
May 4, 2024

Conversation

respencer
Copy link
Contributor

Description & Issue number it closes

Fixes #6988

Screenshots (if appropriate)

None.

How to test the changes?

Visual inspection.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Visual inspection and manual injected of extra data in URL.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@respencer respencer requested a review from a team as a code owner May 3, 2024 21:06
@respencer respencer requested review from DawoudIO, grayeul, DAcodedBEAT and MrClever and removed request for a team May 3, 2024 21:06
DawoudIO
DawoudIO approved these changes May 3, 2024
View reviewed changes
Copy link
Contributor
@DawoudIO DawoudIO left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good fix unsure if we should make sure it > 0 and not empty before we move forward

@DawoudIO DawoudIO added this to the vNext (5.8.0) milestone May 3, 2024
DAcodedBEAT
DAcodedBEAT reviewed May 3, 2024
View reviewed changes
src/EventAttendance.php
@@ -24,7 +25,8 @@
ORDER BY t1.per_LastName, t1.per_ID";
$sPageTitle = gettext('Event Attendees');
} elseif ($_POST['Choice'] == 'Nonattendees') {
$aSQL = 'SELECT DISTINCT(person_id) FROM event_attend WHERE event_id = ' . $_POST['Event'];
$iEventId = InputUtils::legacyFilterInput($_POST['Event'], 'int');
$aSQL = 'SELECT DISTINCT(person_id) FROM event_attend WHERE event_id = ' . $iEventId;
Copy link
Contributor
@DAcodedBEAT DAcodedBEAT May 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we change this to a prepared statement somehow? I dont want to add more manually crafted sql (security nightmare)

Either query this from the orm and it'll implicitly build the prepared statement or use prepared statements from mysqli/PDO

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let us fix one thing at a time... I'm ok with this but I pulled the cleanup for more locations

DAcodedBEAT
DAcodedBEAT requested changes May 3, 2024
View reviewed changes
Copy link 8000
Contributor
@DAcodedBEAT DAcodedBEAT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like the issue said, we should also make sure the query is using a prepared statement

@DawoudIO DawoudIO merged commit 9843abf into ChurchCRM:master May 4, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DAcodedBEAT DAcodedBEAT DAcodedBEAT requested changes

@DawoudIO DawoudIO DawoudIO approved these changes

@grayeul grayeul Awaiting requested review from grayeul grayeul is a code owner automatically assigned from ChurchCRM/developers

@MrClever MrClever Awaiting requested review from MrClever MrClever is a code owner automatically assigned from ChurchCRM/developers

Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
5.8.0
Development

Successfully merging this pull request may close these issues.

Bug: SQL Injection Vulnerability in EventAttendance.php
3 participants
@respencer @DawoudIO @DAcodedBEAT
0