security/core#113 Apply patch from Mathieu to fix SQLI in participant import
authorSeamus Lee <seamuslee001@gmail.com>
Thu, 3 Mar 2022 06:23:19 +0000 (17:23 +1100)
committerSeamus Lee <seamuslee001@gmail.com>
Tue, 15 Mar 2022 00:44:23 +0000 (11:44 +1100)
CRM/Event/Import/Parser/Participant.php

index e9ce6d6b71d8e52dffdc23850ad6c0bbfb3813c8..1af1c1f2a82b6e6f6b890c74b1aa05383d9d6650 100644 (file)
@@ -296,11 +296,9 @@ class CRM_Event_Import_Parser_Participant extends CRM_Event_Import_Parser {
       }
       else {
         $eventTitle = $params['event_title'];
-        $qParams = [];
-        $dao = new CRM_Core_DAO();
-        $params['participant_role_id'] = $dao->singleValueQuery("SELECT default_role_id FROM civicrm_event WHERE title = '$eventTitle' ",
-          $qParams
-        );
+        $params['participant_role_id'] = CRM_Core_DAO::singleValueQuery('SELECT default_role_id FROM civicrm_event WHERE title = %1', [
+          1 => [$eventTitle, 'String']
+        ]);
       }
     }
 
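Review bot: The result of the title lookup on the new `$params['participant_role_id'] = CRM_Core_DAO::singleValueQuery(...)` line is never checked, so an event title that matches no row leaves the role id null and the import continues with it, and a title shared by several events picks whichever row the database returns first; the parameterisation itself is correct and closes the injection. I would add `if ($params['participant_role_id'] === NULL) {` followed by whatever error return the enclosing function uses (the function's start and end are outside the hunk, so I cannot tell whether it follows the `civicrm_api3_create_error` convention of the second hunk). As a style point, the multi-line parameter arrays here and at `1 => [$value, 'Integer']` in the second hunk lack the trailing comma the coding standard expects: `1 => [$eventTitle, 'String'],`.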
@@ -554,11 +552,9 @@ class CRM_Event_Import_Parser_Participant extends CRM_Event_Import_Parser {
           if (!CRM_Utils_Rule::integer($value)) {
             return civicrm_api3_create_error("Event ID is not valid: $value");
           }
-          $dao = new CRM_Core_DAO();
-          $qParams = [];
-          $svq = $dao->singleValueQuery("SELECT id FROM civicrm_event WHERE id = $value",
-            $qParams
-          );
+          $svq = CRM_Core_DAO::singleValueQuery('SELECT id FROM civicrm_event WHERE id = %1', [
+            1 => [$value, 'Integer']
+          ]);
           if (!$svq) {
             return civicrm_api3_create_error("Invalid Event ID: There is no event record with event_id = $value.");
           }