From 1514f45078a311954badf108704733102c06ed2e Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Wed, 13 Jul 2016 04:42:48 +0000
Subject: [PATCH] Add in Test to sort sqli

---
 CRM/Contact/BAO/Group.php          | 6 +++---
 tests/phpunit/api/v3/GroupTest.php | 22 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/CRM/Contact/BAO/Group.php b/CRM/Contact/BAO/Group.php
index c6215ede67..def29b8dbc 100644
--- a/CRM/Contact/BAO/Group.php
+++ b/CRM/Contact/BAO/Group.php
@@ -387,13 +387,13 @@ class CRM_Contact_BAO_Group extends CRM_Contact_DAO_Group {
     if (isset($params['parents'])) {
       if (is_array($params['parents'])) {
         foreach ($params['parents'] as $parent => $dc) {
-          if (!CRM_Utils_Type::validate('integer', $parent, FALSE)) {
+          if (!CRM_Utils_Type::validate($parent, 'Integer', FALSE)) {
             unset($params['parents'][$parent]);
           }
         }
       }
       else {
-        if (!CRM_Utils_Type::validate('integer', $params['parents'], FALSE)) {
+        if (!CRM_Utils_Type::validate($params['parents'], 'Integer', FALSE)) {
           unset($params['parents']);
         }
       }
@@ -453,7 +453,7 @@ class CRM_Contact_BAO_Group extends CRM_Contact_DAO_Group {
 
     if (!empty($params['parents'])) {
       foreach ($params['parents'] as $parentId => $dnc) {
-        if (CRM_Utils_Type::validate('Integer', $parentId, FALSE)) {
+        if (CRM_Utils_Type::validate($parentId, 'Integer', FALSE)) {
           if ($parentId && !CRM_Contact_BAO_GroupNesting::isParentChild($parentId, $group->id)) {
             CRM_Contact_BAO_GroupNesting::add($parentId, $group->id);
           }
diff --git a/tests/phpunit/api/v3/GroupTest.php b/tests/phpunit/api/v3/GroupTest.php
index d668e3e366..77bc349636 100644
--- a/tests/phpunit/api/v3/GroupTest.php
+++ b/tests/phpunit/api/v3/GroupTest.php
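Review bot: The corrected `validate()` calls now drop any non-integer parent silently, so a caller that passes a mistyped but harmless parent id gets a successful `create` and a group with no parents, with nothing in the logs to explain it; a short why-comment above the `foreach` would at least record the intent, e.g. `// Parent ids are later handed to GroupNesting as group ids; drop anything that is not a plain integer.`, and logging the discarded value would make the behaviour diagnosable. In the `else` branch a scalar `parents` that passes as an integer is left as a scalar, while the loop in the second hunk iterates `$params['parents']` as an array, so unless code between the two hunks wraps the scalar into an array the valid-scalar case would warn on `foreach`; worth confirming. The enclosing method starts and ends outside this hunk.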
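Review bot: The `validate($parentId, 'Integer', FALSE)` check on the new line repeats the filtering the first hunk already performs on the keys of `$params['parents']`, so by the time this loop runs only integer keys should remain; if both spots are kept deliberately (the two may not always be reached through the same path), a one-line comment such as `// Re-checked as defence in depth: parents were filtered earlier, but confirm before the id reaches GroupNesting.` would stop a later cleanup from removing one of them. If it is not intentional, one of the two checks is redundant. The enclosing method starts and ends outside this hunk.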
@@ -172,4 +172,26 @@ class api_v3_GroupTest extends CiviUnitTestCase {
     $this->assertEquals(1, $result['values']['is_active']['api.default']);
   }
 
+  public function testIllegalParentsParams() {
+    $params = array(
+      'title' => 'Test illegal Group',
+      'domain_id' => 1,
+      'description' => 'Testing illegal Parents params',
+      'is_active' => 1,
+      'parents' => "(SELECT api_key FROM civicrm_contact where id = 1)",
+    );
+    $this->callAPISuccess('group', 'create', $params);
+    $group1 = $this->callAPISuccess('group', 'get', array(
+      'title' => 'Test illegal Group',
+      'parents' => array('IS NOT NULL' => 1),
+    ));
+    $this->assertEquals(0, $group1['count']);
+    $params['title'] = 'Test illegal Group 2';
+    $params['parents'] = array();
+    $params['parents'][$this->_groupID] = 'test Group';
+    $params['parents']["(SELECT api_key FROM civicrm_contact where id = 1)"] = "Test";
+    $group2 = $this->callAPISuccess('group', 'create', $params);
+    $this->assertEquals(count($group2['values'][$group2['id']]['parents']), 1);
+  }
+
 }
-- 
2.25.1
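Review bot: The last assertion has expected and actual swapped — PHPUnit takes the expected value first, as the `assertEquals(0, $group1['count'])` a few lines above does, so it should read `$this->assertEquals(1, count($group2['values'][$group2['id']]['parents']));` to keep failure messages pointing the right way. Asserting only the count also lets a regression that keeps the injected key and drops `$this->_groupID` pass unnoticed; if `parents` comes back keyed by id, checking that `$this->_groupID` is the surviving key would pin the intended outcome. A one-line docblock on the method stating the contract under test, e.g. `Non-integer parents must be discarded whether passed as a scalar or as an array key.`, would make the purpose clear without reading the fixture strings.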