From 669efdb11869beb53e8fee5e6c0af93fef785c47 Mon Sep 17 00:00:00 2001
From: CiviCRM
Date: Fri, 1 Sep 2023 22:13:39 -0700
Subject: [PATCH] CIVI-SA-2023-10 - Potential SQLI

---
 CRM/Core/PseudoConstant.php | 8 ++++----
 CRM/Event/BAO/Event.php | 2 +-
 api/v3/Activity.php | 4 ++--
 api/v3/Case.php | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/CRM/Core/PseudoConstant.php b/CRM/Core/PseudoConstant.php
index 35bc3cae68..5ec1f6a26b 100644
--- a/CRM/Core/PseudoConstant.php
+++ b/CRM/Core/PseudoConstant.php
@@ -1534,13 +1534,13 @@ WHERE id = %1
 $wheres[] = 'domain_id = ' . CRM_Core_Config::domainID() . ' OR domain_id is NULL';
 }
 $queryParams = [
- 1 => [$params['keyColumn'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
- 2 => [$params['labelColumn'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
- 3 => [$pseudoconstant['table'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
+ 1 => [$params['keyColumn'], 'MysqlColumnNameOrAlias'],
+ 2 => [$params['labelColumn'], 'MysqlColumnNameOrAlias'],
+ 3 => [$pseudoconstant['table'], 'MysqlColumnNameOrAlias'],
 ];
 // Add orderColumn param
 if (!empty($params['orderColumn'])) {
- $queryParams[4] = [$params['orderColumn'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES];
+ $queryParams[4] = [$params['orderColumn'], 'MysqlOrderBy'];
 $order = 'ORDER BY %4';
 }
 // Support no sorting if $params[orderColumn] is FALSE
diff --git a/CRM/Event/BAO/Event.php b/CRM/Event/BAO/Event.php
index d829d8348b..7f45b9ae4a 100644
--- a/CRM/Event/BAO/Event.php
+++ b/CRM/Event/BAO/Event.php
@@ -183,7 +183,7 @@ class CRM_Event_BAO_Event extends CRM_Event_DAO_Event implements \Civi\Core\Hook
 foreach ($groupTree as $values) {
 $query = "DELETE FROM %1 WHERE entity_id = %2";
 CRM_Core_DAO::executeQuery($query, [
- 1 => [$values['table_name'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
+ 1 => [$values['table_name'], 'MysqlColumnNameOrAlias'],
 2 => [$event->id, 'Integer'],
 ]);
 }
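Review bot: In the CRM/Core/PseudoConstant.php hunk the `%3` placeholder holds a table name (`$pseudoconstant['table']`) yet is typed `MysqlColumnNameOrAlias`, and the Event.php hunk does the same for `$values['table_name']`; nothing at either site tells a later maintainer that the identifier rule is intentionally shared for table names, so the typing is at risk of being "corrected" back to a quoted `String`, which would break the query. A one-line comment above `$queryParams` would pin the intent, e.g. `// %1-%3 are SQL identifiers, not values: the identifier rule restricts them to bare names/aliases so they can be spliced unquoted.` It is also worth stating that a value the rule rejects now fails at validation rather than being interpolated raw as the old `QUERY_FORMAT_NO_QUOTES` form allowed, so a caller passing an expression as keyColumn/labelColumn/orderColumn will presumably start seeing an exception here instead of at the database — intended by the advisory, but it belongs in the comment. The enclosing function starts and ends outside the hunk.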
diff --git a/api/v3/Activity.php b/api/v3/Activity.php
index 6d95e7ca2a..98e8f33969 100644
--- a/api/v3/Activity.php
+++ b/api/v3/Activity.php
@@ -443,7 +443,7 @@ function _civicrm_api3_activity_get_formatResult($params, $activities, $options)
 case 'file_id':
 $dao = CRM_Core_DAO::executeQuery("SELECT entity_id, file_id FROM civicrm_entity_file WHERE entity_table = 'civicrm_activity' AND entity_id IN (%1)",
- [1 => [implode(',', array_keys($activities)), 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES]]);
+ [1 => [implode(',', array_keys($activities)), 'CommaSeparatedIntegers']]);
 while ($dao->fetch()) {
 $activities[$dao->entity_id]['file_id'][] = $dao->file_id;
 }
@@ -451,7 +451,7 @@ function _civicrm_api3_activity_get_formatResult($params, $activities, $options)
 case 'case_id':
 $dao = CRM_Core_DAO::executeQuery("SELECT activity_id, case_id FROM civicrm_case_activity WHERE activity_id IN (%1)",
- [1 => [implode(',', array_keys($activities)), 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES]]);
+ [1 => [implode(',', array_keys($activities)), 'CommaSeparatedIntegers']]);
 while ($dao->fetch()) {
 $activities[$dao->activity_id]['case_id'][] = $dao->case_id;
 $caseIds[$dao->case_id] = $dao->case_id;
diff --git a/api/v3/Case.php b/api/v3/Case.php
index 3a95057326..51f021cee6 100644
--- a/api/v3/Case.php
+++ b/api/v3/Case.php
@@ -649,7 +649,7 @@ function _civicrm_api3_case_read(&$cases, $options) {
 // Bulk-load activities
 if (!empty($options['return']['activities'])) {
 $query = "SELECT case_id, activity_id FROM civicrm_case_activity WHERE case_id IN (%1)";
- $params = [1 => [implode(',', array_keys($cases)), 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES]];
+ $params = [1 => [implode(',', array_keys($cases)), 'CommaSeparatedIntegers']];
 $dao = CRM_Core_DAO::executeQuery($query, $params);
 while ($dao->fetch()) {
 $cases[$dao->case_id]['activities'][] = $dao->activity_id;
-- 
2.25.1
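Review bot: In the first api/v3/Activity.php hunk (`case 'file_id'`), `implode(',', array_keys($activities))` is `''` when `$activities` is empty, and the `CommaSeparatedIntegers` rule presumably rejects an empty string, so the new typing turns an empty result set into a validation exception where the old code issued an invalid `IN ()` statement; the same pattern is in the second hunk of this file (`case 'case_id'`) and in the api/v3/Case.php hunk with `$cases`. If the caller can reach this with no rows, skip the lookup before the query, `if (empty($activities)) { break; }` at the top of each case (and `$cases !== []` in the Case.php condition). If an empty set is already ruled out upstream, a short comment saying so is enough, e.g. `// $activities is non-empty here; an empty IN list would fail CommaSeparatedIntegers validation`. _civicrm_api3_activity_get_formatResult and _civicrm_api3_case_read both start and end outside their hunks.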