Fix Issue with SQL syntax reported by kc2vrj

Correct quotation and simplify logic to avoid complex SQL statements.

Bind strings

Confirmed fix of issue reported by kc2vrj.
This commit is contained in:
steve-lad 2021-04-29 16:44:33 +02:00
parent 9e95071bad
commit d451b36363


@ -205,13 +205,13 @@ class dbinterface
case 'byciscoid':
if (!empty($filter)) {
if (!empty($filter['model'])) {
if (strpos($filter['model'], 'loadInformation')) {
$stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel WHERE (loadinformationid =' . $filter['model'] . ') ORDER BY model');
} else {
$stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel WHERE (loadinformationid = loadInformation' . $filter['model'] . ') ORDER BY model');
if (!strpos($filter['model'], 'loadInformation')) {
$filter['model'] = 'loadInformation' . $filter['model'];
}
$stmt = $dbh->prepare("SELECT {$sel_inf} FROM sccpdevmodel WHERE (loadinformationid = :model ) ORDER BY model");
$stmt->bindParam(':model', $filter['model'], \PDO::PARAM_STR);
} else {
$stmt = $dbh->prepare('SELECT ' . $sel_inf . ' FROM sccpdevmodel ORDER BY model');
$stmt = $dbh->prepare("SELECT {$sel_inf} FROM sccpdevmodel ORDER BY model");
}
break;
}
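Review bot: The guard on the new `if (!strpos($filter['model'], 'loadInformation'))` line is wrong for the most common input: when the value already starts with `loadInformation`, `strpos()` returns 0, `!0` is true, and the prefix is prepended a second time, so the bound `:model` becomes `loadInformationloadInformation…` and the lookup silently matches nothing. The old code had the same position-0 hole, so the commit carries it over rather than fixing it; the check should be `if (strpos($filter['model'], 'loadInformation') === false) {` (or `str_starts_with()` if the project is on PHP 8). Moving the value into a bound `:model` parameter is the right fix for the quoting and injection problem in the removed concatenated queries; `bindParam` takes `$filter['model']` by reference, which is fine here only because the array is a local copy that is not modified again before `execute()`. The enclosing `switch` and method of `dbinterface` start and end outside the hunk, so I cannot see whether `$stmt` is defined on the path where `$filter` is empty; if it is not, that path presumably fails later on an undefined variable.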