MDL-70804 mnet: Use proper DML method to get records from the table

This improves the code and avoids the risk of SQL injection through the malicious XML-RPC request from the MNet peer.
moodle · May 4, 2021 · 9f4404e · 9f4404e
1 parent d9af87d
commit 9f4404e
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/auth/mnet/auth.php b/auth/mnet/auth.php
@@ -710,9 +710,7 @@ function keepalive_server($array) {
 
         foreach($superArray as $subArray) {
             $subArray = array_values($subArray);
-            $instring = "('".implode("', '",$subArray)."')";
-            $query = "select id, session_id, username from {mnet_session} where username in $instring";
-            $results = $DB->get_records_sql($query);
+            $results = $DB->get_records_list('mnet_session', 'username', $subArray, '', 'id, session_id, username');
 
             if ($results == false) {
                 // We seem to have a username that breaks our query: