From 7a12046a67ae5d8cf04face3ee75e55f03a1a608 Mon Sep 17 00:00:00 2001
From: Jelmer Prins
Date: Wed, 23 Mar 2022 13:16:53 +0100
Subject: [PATCH] Prevent sql injection through the ids of the action
---
 src/Backend/Modules/FormBuilder/Engine/Model.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/Backend/Modules/FormBuilder/Engine/Model.php b/src/Backend/Modules/FormBuilder/Engine/Model.php
index 6a13543526..6028b7607f 100644
--- a/src/Backend/Modules/FormBuilder/Engine/Model.php
+++ b/src/Backend/Modules/FormBuilder/Engine/Model.php
@@ -152,6 +152,7 @@ public static function delete(int $id): void
 public static function deleteData(array $ids): void
 {
 $database = BackendModel::getContainer()->get('database');
+ $ids = array_map('intval', $ids);
 $database->delete('forms_data', 'id IN(' . implode(',', $ids) . ')');
 $database->delete('forms_data_fields', 'data_id IN(' . implode(',', $ids) . ')');
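Review bot: An empty `$ids` still produces `id IN()` in both `delete()` calls after the added cast, which is a SQL syntax error, and `intval` coerces instead of rejecting: a non-numeric string becomes 0 and a non-empty nested array becomes 1, which is then treated as a real id. I would drop invalid entries and return early, e.g. `$ids = array_filter(filter_var($ids, FILTER_VALIDATE_INT, FILTER_REQUIRE_ARRAY), 'is_int');` followed by `if ($ids === []) { return; }`. Whether callers can actually pass such values is not visible in this hunk. The body of `deleteData` continues past the end of the hunk, so any later statement that reuses `$ids` should be checked against the same assumption.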