Fix Issue with SQL syntax reported by kc2vrj

Correct quotation and simplify logic to avoid complex SQL statements.

Bind strings

Confirmed fix of issue reported by kc2vrj.
This commit is contained in:
steve-lad 2021-04-29 16:44:33 +02:00 committed by Diederik de Groot
parent 0011581fc0
commit 12c8f30464
No known key found for this signature in database
GPG key ID: AFA728250A1BECD6


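--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -205,15 +205,13 @@ class dbinterface
 case 'byciscoid':
 if (!empty($filter)) {
 if (!empty($filter['model'])) {
-if (strpos($filter['model'], 'loadInformation')) {
-$stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel WHERE (loadinformationid =' . $filter['model'] . ') ORDER BY model');
-} else {
-$stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel WHERE (loadinformationid = loadInformation' . $filter['model'] . ') ORDER BY model');
+if (!strpos($filter['model'], 'loadInformation')) {
+$filter['model'] = 'loadInformation' . $filter['model'];
 }
 $stmt = $dbh->prepare("SELECT {$sel_inf} FROM sccpdevmodel WHERE (loadinformationid = :model ) ORDER BY model");
 $stmt->bindParam(':model', $filter['model'], \PDO::PARAM_STR);
 } else {
-$stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel ORDER BY model');
+$stmt = $dbh->prepare("SELECT {$sel_inf} FROM sccpdevmodel ORDER BY model");
 }
 break;
 }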
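Review bot: The new condition `if (!strpos($filter['model'], 'loadInformation'))` is still wrong for a value that already begins with `loadInformation`: strpos() returns 0 in that case, `!0` is true, and the prefix is prepended a second time before the value is bound, so the query silently matches nothing. Use a strict comparison, `if (strpos($filter['model'], 'loadInformation') === false) {` (or strncmp against the prefix), so only values that lack the prefix are rewritten. Binding `:model` removes the string-built WHERE clause, but `$sel_inf` is still interpolated into the statement text on the prepare lines, so the fix only holds if it is assembled from a fixed column list rather than caller input; that is not visible in this hunk and is worth confirming. The enclosing switch and the method of class dbinterface both start and end outside the hunk.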