From 12c8f30464dc10745a6b4cfba0e4eea4f363666f Mon Sep 17 00:00:00 2001
From: steve-lad <72376554+steve-lad@users.noreply.github.com>
Date: Thu, 29 Apr 2021 16:44:33 +0200
Subject: [PATCH] Fix Issue with SQL syntax reported by kc2vrj

Correct quotation and simplify logic to avoid complex SQL statements. Bind strings Confirmed fix of issue reported by kc2vrj.
---
 Sccp_manager.inc/dbinterface.class.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/Sccp_manager.inc/dbinterface.class.php b/Sccp_manager.inc/dbinterface.class.php
index 07c4ea4..7e55e71 100644
--- a/Sccp_manager.inc/dbinterface.class.php
+++ b/Sccp_manager.inc/dbinterface.class.php
@@ -205,15 +205,13 @@ class dbinterface
 case 'byciscoid':
 if (!empty($filter)) {
 if (!empty($filter['model'])) {
- if (strpos($filter['model'], 'loadInformation')) {
- $stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel WHERE (loadinformationid =' . $filter['model'] . ') ORDER BY model');
- } else {
- $stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel WHERE (loadinformationid = loadInformation' . $filter['model'] . ') ORDER BY model');
+ if (!strpos($filter['model'], 'loadInformation')) {
+ $filter['model'] = 'loadInformation' . $filter['model'];
 }
 $stmt = $dbh->prepare("SELECT {$sel_inf} FROM sccpdevmodel WHERE (loadinformationid = :model ) ORDER BY model");
 $stmt->bindParam(':model', $filter['model'], \PDO::PARAM_STR);
 } else {
- $stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel ORDER BY model');
+ $stmt = $dbh->prepare("SELECT {$sel_inf} FROM sccpdevmodel ORDER BY model");
 }
 break;
 }
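Review bot: The new guard `if (!strpos($filter['model'], 'loadInformation'))` treats a match at offset 0 as "not found" (strpos returns 0, which is falsy), so a value that already begins with `loadInformation` — which is how the removed else-branch built the id, so presumably the normal form — gets the prefix a second time and the bound `:model` lookup silently matches nothing. Compare explicitly instead: `if (strpos($filter['model'], 'loadInformation') === false) {`. Separately, `{$sel_inf}` is still interpolated into both prepared statements while only `:model` is bound; that is acceptable only if `$sel_inf` is assembled from a fixed column list outside this hunk, which should be confirmed since the patch is specifically about parameterising this query. The enclosing switch and method begin and end outside the hunk.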