Harden against possible wrong usage and SQL injections

terminal42 · Jun 22, 2023 · 1c1a1d7 · 1c1a1d7
1 parent 79c40e3
commit 1c1a1d7
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 0 deletions.
diff --git a/src/ContentElement/NodesContentElement.php b/src/ContentElement/NodesContentElement.php
@@ -94,6 +94,8 @@ public static function generateBackendWildcard(array $data, array $ids): string
     {
         $nodes = [];
 
+        $ids = array_map('intval', $ids);
+
         $nodeModels = NodeModel::findBy(
             ['id IN ('.implode(',', $ids).')', 'type=?'],
             [NodeModel::TYPE_CONTENT, implode(',', $ids)],

diff --git a/src/EventListener/ContentListener.php b/src/EventListener/ContentListener.php
@@ -101,6 +101,7 @@ public function onLoadCallback(DataContainer $dc): void
     public function onNodesSaveCallback(?string $value, DataContainer $dc): string
     {
         $ids = (array) StringUtil::deserialize($value, true);
+        $ids = array_map('intval', $ids);
 
         if (\count($ids) > 0) {
             $folders = $this->db->fetchAllAssociative('SELECT name FROM tl_node WHERE id IN ('.implode(', ', $ids).') AND type=?', [NodeModel::TYPE_FOLDER]);

diff --git a/src/NodeManager.php b/src/NodeManager.php
@@ -47,6 +47,8 @@ public function generateMultiple(array $ids): array
             return [];
         }
 
+        $ids = array_map('intval', $ids);
+
         $nodeModels = NodeModel::findBy(
             ['id IN ('.implode(',', $ids).')', 'type=?'],
             [NodeModel::TYPE_CONTENT, implode(',', $ids)],