Bind group_id param to query

NamelessMC · Oct 25, 2021 · 7fc3d4e · 7fc3d4e
1 parent c9539f4
commit 7fc3d4e
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/modules/Core/includes/endpoints/ListUsersEndpoint.php b/modules/Core/includes/endpoints/ListUsersEndpoint.php
@@ -14,6 +14,8 @@ public function __construct() {
     }
 
     public function execute(Nameless2API $api) {
+        $params = [];
+
         $discord_enabled = Util::isModuleEnabled('Discord Integration');
 
         if ($discord_enabled) {
@@ -27,7 +29,8 @@ public function execute(Nameless2API $api) {
                         : ' AND';
 
         if (isset($_GET['group_id'])) {
-            $query .= ' INNER JOIN nl2_users_groups ug ON u.id = ug.user_id WHERE ug.group_id = ' . $_GET['group_id'];
+            $query .= ' INNER JOIN nl2_users_groups ug ON u.id = ug.user_id WHERE ug.group_id = ?';
+            $params[] = $_GET['group_id'];
             $filterGroup = true;
         }
 
@@ -60,7 +63,7 @@ public function execute(Nameless2API $api) {
             $query .= ' `u.discord_id` IS ' . ($_GET['discord_linked'] == 'true' ? 'NOT' : '') . ' NULL';
         }
 
-        $users = $api->getDb()->query($query)->results();
+        $users = $api->getDb()->query($query, $params)->results();
 
         $users_json = array();
         foreach ($users as $user) {