Prevent sql injection through the ids of the action

forkcms · Mar 23, 2022 · 7a12046 · 7a12046
1 parent 1b38e33
commit 7a12046
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/src/Backend/Modules/FormBuilder/Engine/Model.php b/src/Backend/Modules/FormBuilder/Engine/Model.php
@@ -152,6 +152,7 @@ public static function delete(int $id): void
     public static function deleteData(array $ids): void
     {
         $database = BackendModel::getContainer()->get('database');
+        $ids = array_map('intval', $ids);
 
         $database->delete('forms_data', 'id IN(' . implode(',', $ids) . ')');
         $database->delete('forms_data_fields', 'data_id IN(' . implode(',', $ids) . ')');