Security: Fix SQL injection and likely future similar issues

chamilo · Dec 17, 2018 · bfa1ecc · bfa1ecc
1 parent 40dd044
commit bfa1ecc
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/main/inc/lib/CoursesAndSessionsCatalog.class.php b/main/inc/lib/CoursesAndSessionsCatalog.class.php
@@ -215,8 +215,8 @@ public static function getLimitFilterFromArray($limit)
     {
         $limitFilter = '';
         if (!empty($limit) && is_array($limit)) {
-            $limitStart = isset($limit['start']) ? $limit['start'] : 0;
-            $limitLength = isset($limit['length']) ? $limit['length'] : 12;
+            $limitStart = isset($limit['start']) ? (int) $limit['start'] : 0;
+            $limitLength = isset($limit['length']) ? (int) $limit['length'] : 12;
             $limitFilter = 'LIMIT '.$limitStart.', '.$limitLength;
         }
 
@@ -470,11 +470,13 @@ public static function search_courses($search_term, $limit, $justVisible = false
      * @param array  $limit
      *
      * @return array The session list
+     * @throws Exception
      */
     public static function browseSessions($date = null, $limit = [])
     {
         $em = Database::getManager();
         $urlId = api_get_current_access_url_id();
+        $date = Database::escape_string($date);
         $sql = "SELECT s.id FROM session s ";
         $sql .= "
             INNER JOIN access_url_rel_session ars
@@ -501,6 +503,8 @@ public static function browseSessions($date = null, $limit = [])
         }
 
         if (!empty($limit)) {
+            $limit['start'] = (int) $limit['start'];
+            $limit['length'] = (int) $limit['length'];
             $sql .= "LIMIT {$limit['start']}, {$limit['length']} ";
         }