From d4d1df5b8cffa797a99f01777ce0b406f4fbe2a1 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Thu, 3 Mar 2022 17:23:19 +1100
Subject: [PATCH] security/core#113 Apply patch from Mathieu to fix SQLI in participant import

---
 CRM/Event/Import/Parser/Participant.php | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/CRM/Event/Import/Parser/Participant.php b/CRM/Event/Import/Parser/Participant.php
index 6c9cf49cb9..a60fba680b 100644
--- a/CRM/Event/Import/Parser/Participant.php
+++ b/CRM/Event/Import/Parser/Participant.php
@@ -294,11 +294,9 @@ class CRM_Event_Import_Parser_Participant extends CRM_Event_Import_Parser {
       }
       else {
         $eventTitle = $params['event_title'];
-        $qParams = [];
-        $dao = new CRM_Core_DAO();
-        $params['participant_role_id'] = $dao->singleValueQuery("SELECT default_role_id FROM civicrm_event WHERE title = '$eventTitle' ",
-          $qParams
-        );
+        $params['participant_role_id'] = CRM_Core_DAO::singleValueQuery('SELECT default_role_id FROM civicrm_event WHERE title = %1', [
+          1 => [$eventTitle, 'String']
+        ]);
       }
     }
 
@@ -552,11 +550,9 @@ class CRM_Event_Import_Parser_Participant extends CRM_Event_Import_Parser {
         if (!CRM_Utils_Rule::integer($value)) {
           return civicrm_api3_create_error("Event ID is not valid: $value");
         }
-        $dao = new CRM_Core_DAO();
-        $qParams = [];
-        $svq = $dao->singleValueQuery("SELECT id FROM civicrm_event WHERE id = $value",
-          $qParams
-        );
+        $svq = CRM_Core_DAO::singleValueQuery('SELECT id FROM civicrm_event WHERE id = %1', [
+          1 => [$value, 'Integer']
+        ]);
         if (!$svq) {
           return civicrm_api3_create_error("Invalid Event ID: There is no event record with event_id = $value.");
         }
-- 
2.25.1
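Review bot: The title lookup in the first hunk has no result check, so when no event matches `$eventTitle` the bound query returns null and `$params['participant_role_id']` is silently set to null, whereas the event_id path in the second hunk rejects a missing event with `civicrm_api3_create_error`. Parameterising the query closes the injection, but an unmatched or duplicated title (title is not a unique key, so the first matching row wins) still resolves to a wrong or empty role without any signal to the importer. If this method follows the same error convention as the event_id validation, consider adding after the query `if (!$params['participant_role_id']) { return civicrm_api3_create_error("No event found with title: $eventTitle"); }`, or at least a comment noting that the lookup is best-effort. The enclosing method begins and ends outside the hunk, so its return convention should be confirmed before adopting that form.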