From: Seamus Lee Date: Thu, 3 Mar 2022 06:23:19 +0000 (+1100) Subject: security/core#113 Apply patch from Mathieu to fix SQLI in participant import X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=e80bf2a28100d37249ad4f6d8661ca2d9278022f;p=civicrm-core.git security/core#113 Apply patch from Mathieu to fix SQLI in participant import
---
diff --git a/CRM/Event/Import/Parser/Participant.php b/CRM/Event/Import/Parser/Participant.php
index e9ce6d6b71..1af1c1f2a8 100644
--- a/CRM/Event/Import/Parser/Participant.php
+++ b/CRM/Event/Import/Parser/Participant.php
@@ -296,11 +296,9 @@ class CRM_Event_Import_Parser_Participant extends CRM_Event_Import_Parser {
 }
 else {
 $eventTitle = $params['event_title'];
- $qParams = [];
- $dao = new CRM_Core_DAO();
- $params['participant_role_id'] = $dao->singleValueQuery("SELECT default_role_id FROM civicrm_event WHERE title = '$eventTitle' ",
- $qParams
- );
+ $params['participant_role_id'] = CRM_Core_DAO::singleValueQuery('SELECT default_role_id FROM civicrm_event WHERE title = %1', [
+ 1 => [$eventTitle, 'String']
+ ]);
 }
 }
@@ -554,11 +552,9 @@ class CRM_Event_Import_Parser_Participant extends CRM_Event_Import_Parser {
 if (!CRM_Utils_Rule::integer($value)) {
 return civicrm_api3_create_error("Event ID is not valid: $value");
 }
- $dao = new CRM_Core_DAO();
- $qParams = [];
- $svq = $dao->singleValueQuery("SELECT id FROM civicrm_event WHERE id = $value",
- $qParams
- );
+ $svq = CRM_Core_DAO::singleValueQuery('SELECT id FROM civicrm_event WHERE id = %1', [
+ 1 => [$value, 'Integer']
+ ]);
 if (!$svq) {
 return civicrm_api3_create_error("Invalid Event ID: There is no event record with event_id = $value.");
 }
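Review bot: The parameterised `%1` / `'String'` binding on the added lines closes the injection, but the lookup result is still assigned to `$params['participant_role_id']` without any check, so an `event_title` that matches no event (or, since an event title is not necessarily unique, one of several events) leaves the role set to whatever `singleValueQuery` returns for an empty or ambiguous result — presumably null for the empty case — and the import row proceeds. A guard immediately after the assignment, e.g. `if ($params['participant_role_id'] === NULL) { /* reject the row: unknown event title */ }`, would surface the bad input rather than importing a participant with no role; the exact error-return convention used here is not visible in this hunk, so match whatever the enclosing method does. Minor style point: the multi-line array literal should carry a trailing comma, `1 => [$eventTitle, 'String'],`, which is what the CiviCRM/Drupal-derived standard generally expects. The enclosing method begins and ends outside this hunk.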
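Review bot: The `'Integer'` binding on the added lines is the right belt-and-braces choice given `CRM_Utils_Rule::integer($value)` has already run, but note that the context line just above it, `return civicrm_api3_create_error("Event ID is not valid: $value");`, is reached precisely when `$value` failed that rule, so it interpolates arbitrary untrusted input into an error string; if these import messages are later rendered in a browser without escaping that is a reflected-content vector, and it is worth confirming the rendering path escapes them (this hunk does not show where they end up). The second message on the final context lines is only emitted after the integer check, so it is safe as written. Style: the multi-line array literal should end with a trailing comma, `1 => [$value, 'Integer'],`. The enclosing function begins and ends outside this hunk.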