Merge pull request #181 from Leantime/issue179-sql-bind-injection
fix: use PDO parameter binding for the IN clause of the tickets query users filter
marcelfolaron committed Mar 27, 2020
2 parents bf33391 + 23aa023 commit af0807f
Showing 2 changed files with 33 additions and 1 deletion.
24 changes: 24 additions & 0 deletions src/core/class.db.php
Expand Up @@ -259,4 +259,28 @@ public function hasResults()

}

/**
* This function will generate a pdo binding string (":editors0,:editors1,:editors2,:editors3") to be used in a PDO
* query that uses the IN() clause, to assist in proper PDO array bindings to avoid SQL injection.
*
* A counted for loop is user rather than foreach with a key to avoid issues if the array passed has any
* arbitrary keys
*
* @param $name string
* @param $count int
* @return string
*/
public static function arrayToPdoBindingString($name, $count)
{
$bindingStatement = "";
for ($i = 0; $i < $count; $i++) {
$bindingStatement .= ":" . $name . $i;
if ($i != $count-1) {
$bindingStatement .= ",";
}
}

return $bindingStatement;
}

}
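Review bot: `arrayToPdoBindingString` returns an empty string when `$count` is 0 or negative, because the loop on the added lines never runs, so a caller that wraps the result in `IN(...)` sends `IN()` to the server, which is a syntax error on MySQL; a guard such as `if ($count < 1) { throw new \InvalidArgumentException('IN() needs at least one bound value'); }` makes that misuse fail at the call site instead of at execution time. `$name` is concatenated straight into the SQL text, so the docblock should state that it must be a literal chosen by the caller and never derived from request data — the helper protects only the bound values, not the placeholder name. The docblock also has a typo: `A counted for loop is user rather than foreach` should read `is used`.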
10 changes: 9 additions & 1 deletion src/domain/tickets/repositories/class.tickets.php
Expand Up @@ -806,8 +806,10 @@ public function getAllBySearchCriteria($searchCriteria, $sort='standard')
$query .= " AND zp_tickets.projectId = :projectId";
}


if($searchCriteria["users"] != "") {
$query .= " AND zp_tickets.editorId IN(".strip_tags($searchCriteria["users"]).")";
$editorIdIn = core\db::arrayToPdoBindingString("users", count(explode(",", $searchCriteria["users"])));
$query .= " AND zp_tickets.editorId IN(" . $editorIdIn. ")";
}

if($searchCriteria["milestone"] != "") {
Expand Down Expand Up @@ -867,6 +869,12 @@ public function getAllBySearchCriteria($searchCriteria, $sort='standard')
$stmn->bindValue(':searchType', $searchCriteria["type"], PDO::PARAM_STR);
}

if($searchCriteria["users"] != "") {
foreach(explode(",", $searchCriteria["users"]) as $key => $user) {
$stmn->bindValue(":users" . $key, $user, PDO::PARAM_STR);
}
}

if($searchCriteria["term"] != "") {
$termWild = "%".$searchCriteria["term"]."%";
$stmn->bindValue(':termWild', $termWild, PDO::PARAM_STR);
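Review bot: the new bind loop passes every user id with `PDO::PARAM_STR`, so `zp_tickets.editorId` is compared against string literals and MySQL's implicit string-to-number cast decides what `" 2"` or `"abc"` mean; if editorId is an integer column, as the name suggests, `$stmn->bindValue(":users" . $key, (int) $user, PDO::PARAM_INT);` pins the type at the boundary instead. The same `explode(",", $searchCriteria["users"])` is evaluated once where the placeholders are built and again where they are bound; keeping the exploded array in one local and deriving the placeholder count from it prevents the two from drifting apart if either line is edited later. `getAllBySearchCriteria` begins before the first hunk and its binding code continues past the second, so this reading is based on the visible lines only.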
