From a06112e1ea5663d73a0301bcd060e8d7846a2293 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Sat, 23 Apr 2022 15:25:47 +0200
Subject: [PATCH] Fix SQL injection sanitize all `$_REQUEST` keys

---
 CHANGES.md | 4 ++++
 Warehouse.php | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index cb2ac54c7..24ac364a3 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,10 @@
 # CHANGES
 ## RosarioSIS Student Information System
 
+Changes in 8.9.4
+----------------
+- Fix SQL injection sanitize all `$_REQUEST` keys in Warehouse.php, thanks to @nhienit2010
+
 Changes in 8.9.3
 ----------------
 - Fix stored XSS security issue: do not allow unsanitized SVG in FileUpload.fnc.php, thanks to @scgajge12 & @crowdoverflow
diff --git a/Warehouse.php b/Warehouse.php
index 581c13dc9..f2f8343ce 100644
--- a/Warehouse.php
+++ b/Warehouse.php
@@ -191,11 +191,11 @@ function array_rwalk( &$array, $function )
 if ( is_array( $array[$key[$i]] ) )
 {
 array_rwalk( $array[$key[$i]], $function );
-
- continue;
 }
-
- $array[$key[$i]] = $function( $array[$key[$i]] );
+ else
+ {
+ $array[$key[$i]] = $function( $array[$key[$i]] );
+ }
 
 // Key is also passed through $function function.
 $fkey = $function( $key[$i] );
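Review bot: Nothing in the new `else` branch of array_rwalk, or in the existing "Key is also passed through $function function." comment, records that array-valued entries must now fall through to `$fkey = $function( $key[$i] );`, so a later tidy-up could restore the early `continue` and silently reopen the injection path. A comment above the `if`, such as `// No early continue: keys of array values must be sanitized too (SQL injection via nested $_REQUEST keys).`, would pin the intent. What is done with `$fkey` afterwards, and the rest of the function body, lies outside this hunk, so whether the sanitized key actually replaces the original cannot be confirmed from here. Escaping presumably only protects keys that end up inside quoted SQL strings; any caller that uses a request key as a column name or numeric id would still need an allowlist or a cast, which is worth checking against the call sites.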