
Commit 908aef6

authored
Fix MAC search sql injection (#15402)
The MAC search value from the request was concatenated directly into the SQL string; it is now passed as a bound parameter.
1 parent 7fe2614 commit 908aef6


1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

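--- a/includes/html/table/address-search.inc.php
+++ b/includes/html/table/address-search.inc.php
@@ -37,7 +37,8 @@
 }
 } elseif ($vars['search_type'] == 'mac') {
 $sql = ' FROM `ports` AS I, `devices` AS D';
-$sql .= " WHERE I.device_id = D.device_id AND `ifPhysAddress` LIKE '%" . trim(str_replace([':', ' ', '-', '.', '0x'], '', $vars['address'])) . "%' $where ";
+$sql .= " WHERE I.device_id = D.device_id AND `ifPhysAddress` LIKE ? $where ";
+$param[] = '%' . trim(str_replace([':', ' ', '-', '.', '0x'], '', $vars['address'])) . '%';
 }//end if
 if (is_numeric($vars['device_id'])) {
 $sql .= ' AND I.device_id = ?';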
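Review bot: The new `$param[]` line appends the LIKE value after whatever `$param` already holds, yet its `?` is placed textually before `$where`; if `$where` (built outside this hunk) carries its own `?` placeholders whose values were pushed to `$param` earlier, the positional binding is now misaligned and the wrong value lands in the LIKE. If that is how `$where` is built, moving `$where` ahead of the `LIKE ?` clause in the new `$sql .=` line keeps text order and push order in step; if `$where` is parameter-free this is moot, but a one-line comment saying so would stop the next edit from breaking it. Separately, `%` and `_` in `$vars['address']` survive the `str_replace` and still act as LIKE wildcards inside the bound value — not an injection, but a user-supplied `_` widens the match — so escaping them with `addcslashes($needle, '%_\\')` before wrapping in `%` makes the search literal. The enclosing `if`/`elseif` chain starts before this hunk, and the `$param[]` for the trailing `I.device_id = ?` line is outside it.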
