Merge pull request #1925 from phili67/phili67-sql-injection-solution
Phili67 sql injection solution
phili67 committed Oct 17, 2021
2 parents f9580e1 + 5ef132d commit e8ca8a7
Showing 4 changed files with 48 additions and 37 deletions.
3 changes: 2 additions & 1 deletion src/EcclesiaCRM/APIControllers/PeopleGroupController.php
Expand Up @@ -140,8 +140,9 @@ public function addressBook (ServerRequestInterface $request, ResponseInterface
public function searchGroup(ServerRequestInterface $request, ResponseInterface $response, array $args): ResponseInterface {
$query = $args['query'];

$searchLikeString = '%'.$query.'%';
$query = filter_var($query, FILTER_SANITIZE_STRING);

$searchLikeString = '%'.$query.'%';

$groups = GroupQuery::create()
->filterByName($searchLikeString, Criteria::LIKE)
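Review bot: The filter_var() line added before `$searchLikeString` does not address SQL injection here and changes search results instead: `filterByName(..., Criteria::LIKE)` hands the value to Propel as a bound parameter, while FILTER_SANITIZE_STRING HTML-encodes quotes, so a search for a group named O'Brien is sent as `%O&#39;Brien%` and no longer matches. FILTER_SANITIZE_STRING is also deprecated as of PHP 8.1 and will raise a deprecation notice on every request. LIKE metacharacters (`%`, `_`) in the route argument still pass straight through, so if the intent is to constrain the term, that is what needs handling. A minimal change would be `$query = trim((string) $args['query']);` in place of the filter_var() call. The body of searchGroup continues outside the hunk.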
3 changes: 3 additions & 0 deletions src/EcclesiaCRM/APIControllers/SearchController.php
Expand Up @@ -49,6 +49,9 @@ public function getSearchResult (ServerRequestInterface $request, ResponseInterf
$req = (object)$request->getParsedBody();

$query = $req->SearchTerm;

$query = filter_var($query, FILTER_SANITIZE_STRING);

$query_elements = $req->Elements;
$group_elements = $req->GroupElements;
$group_role_elements = $req->GroupRoleElements;
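Review bot: Only `SearchTerm` is passed through filter_var() while `Elements`, `GroupElements` and `GroupRoleElements` are read from the parsed body untouched; how all four are used in the query is outside this hunk, so if the goal is to close an injection path the treatment should be the same for every field that reaches SQL. FILTER_SANITIZE_STRING is not an SQL escaping function (it strips tags and HTML-encodes quotes, leaving backslashes intact) and is deprecated as of PHP 8.1, so this line will emit deprecation notices under current PHP. If the query below is built with string concatenation, the fix that actually holds is a prepared statement with bound parameters; if it goes through Propel criteria, this line can simply be dropped, e.g. `$query = trim((string) ($req->SearchTerm ?? ''));`. getSearchResult's body continues past the hunk.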
4 changes: 4 additions & 0 deletions src/EcclesiaCRM/Service/FinancialService.php
Expand Up @@ -392,6 +392,8 @@ public function getPayments($depID)

public function searchDeposits($searchTerm)
{
$searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);

MiscUtils::requireUserGroupMembership('bFinance');
$fetch = 'SELECT dep_ID, dep_Comment, dep_Date, dep_EnteredBy, dep_Type
FROM deposit_dep
Expand Down Expand Up @@ -421,6 +423,8 @@ public function searchDeposits($searchTerm)

public function searchPayments($searchTerm)
{
$searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);

MiscUtils::requireUserGroupMembership('bFinance');
$fetch = 'SELECT dep_ID, dep_Comment, dep_Date, dep_EnteredBy, dep_Type, plg_FamID, plg_amount, plg_CheckNo, plg_plgID, plg_GroupKey
FROM deposit_dep
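Review bot: `$fetch` in searchDeposits and searchPayments is a hand-written SQL string, and the added filter_var() line is the only protection for `$searchTerm` before it; where and how the term is interpolated into `$fetch` is outside the hunk, but if it is concatenated into the string, FILTER_SANITIZE_STRING is not a safe substitute for parameter binding — it strips tags and turns `'` into `&#39;`, which changes what is searched for while leaving backslashes and LIKE wildcards untouched. It is also deprecated as of PHP 8.1, so both methods would log a deprecation notice on every call. The durable fix is to keep the term out of the SQL text altogether: write the predicate as `... LIKE :term` and bind `'%' . $searchTerm . '%'` through whatever connection object the rest of the method already uses. Placing the `requireUserGroupMembership('bFinance')` check first, before any input handling, would also read more clearly. Both method bodies continue beyond the hunk.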
75 changes: 39 additions & 36 deletions src/EcclesiaCRM/Service/PersonService.php
Expand Up @@ -14,14 +14,17 @@

class PersonService
{
public function search($searchTerm, $includeFamilyRole=true)
public function search($searchTerm, $includeFamilyRole = true)
{
$searchLikeString = '%'.$searchTerm.'%';
$searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);

$searchLikeString = '%' . $searchTerm . '%';

$people = PersonQuery::create()->
filterByFirstName($searchLikeString, Criteria::LIKE)->
_or()->filterByLastName($searchLikeString, Criteria::LIKE)->
_or()->filterByEmail($searchLikeString, Criteria::LIKE)->
limit(15)->find();
filterByFirstName($searchLikeString, Criteria::LIKE)->
_or()->filterByLastName($searchLikeString, Criteria::LIKE)->
_or()->filterByEmail($searchLikeString, Criteria::LIKE)->
limit(15)->find();
$return = [];
foreach ($people as $person) {
$values['id'] = $person->getId();
Expand Down Expand Up @@ -58,43 +61,43 @@ public function search($searchTerm, $includeFamilyRole=true)
public function getPeopleEmailsAndGroups()
{
$persons = PersonQuery::Create()
->addJoin(PersonTableMap::COL_PER_ID,Person2group2roleP2g2rTableMap::COL_P2G2R_PER_ID,Criteria::LEFT_JOIN)
->addJoin(Person2group2roleP2g2rTableMap::COL_P2G2R_GRP_ID,GroupTableMap::COL_GRP_ID,Criteria::LEFT_JOIN)
->addMultipleJoin(array(array(GroupTableMap::COL_GRP_ROLELISTID,ListOptionTableMap::COL_LST_ID),
array(Person2group2roleP2g2rTableMap::COL_P2G2R_RLE_ID,ListOptionTableMap::COL_LST_OPTIONID)),
Criteria::LEFT_JOIN)
->addAsColumn("GroupName",GroupTableMap::COL_GRP_NAME)
->addAsColumn("OptionName",ListOptionTableMap::COL_LST_OPTIONNAME)
->filterByEmail('',Criteria::NOT_EQUAL)
->_and()->filterByDateDeactivated (null)
->orderById()
->find();
->addJoin(PersonTableMap::COL_PER_ID, Person2group2roleP2g2rTableMap::COL_P2G2R_PER_ID, Criteria::LEFT_JOIN)
->addJoin(Person2group2roleP2g2rTableMap::COL_P2G2R_GRP_ID, GroupTableMap::COL_GRP_ID, Criteria::LEFT_JOIN)
->addMultipleJoin(array(array(GroupTableMap::COL_GRP_ROLELISTID, ListOptionTableMap::COL_LST_ID),
array(Person2group2roleP2g2rTableMap::COL_P2G2R_RLE_ID, ListOptionTableMap::COL_LST_OPTIONID)),
Criteria::LEFT_JOIN)
->addAsColumn("GroupName", GroupTableMap::COL_GRP_NAME)
->addAsColumn("OptionName", ListOptionTableMap::COL_LST_OPTIONNAME)
->filterByEmail('', Criteria::NOT_EQUAL)
->_and()->filterByDateDeactivated(null)
->orderById()
->find();

$people = [];
$people = [];
$lastPersonId = 0;
$per = [];
$per = [];
foreach ($persons as $person) {
if ($lastPersonId != $person->getId()) {
if ($lastPersonId != 0) {
$people[] = $per;
if ($lastPersonId != $person->getId()) {
if ($lastPersonId != 0) {
$people[] = $per;
}
$per = [];
$per['id'] = $person->getId();
$per['email'] = $person->getEmail();
$per['firstName'] = $person->getFirstName();
$per['lastName'] = $person->getLastName();
}
$per = [];
$per['id'] = $person->getId();
$per['email'] = $person->getEmail();
$per['firstName'] = $person->getFirstName();
$per['lastName'] = $person->getLastName();
}

if (!is_null($person->getGroupName()) && !is_null($person->getOptionName()) ) {
$per[$person->getGroupName()] = _($person->getOptionName());
}
if ($lastPersonId != $person->getId()) {
$lastPersonId = $person->getId();
}
if (!is_null($person->getGroupName()) && !is_null($person->getOptionName())) {
$per[$person->getGroupName()] = _($person->getOptionName());
}

if ($lastPersonId != $person->getId()) {
$lastPersonId = $person->getId();
}
}

$people[] = $per;
$people[] = $per;

return $people;
}
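Review bot: In search() (first hunk) the new filter_var() line runs before `$searchLikeString` is built, but the query is assembled from Propel `filterByFirstName`/`filterByLastName`/`filterByEmail` criteria, which pass the value as a bound parameter, so this was not an injection point; what the line does change is that any name or e-mail containing an apostrophe is HTML-encoded to `&#39;` and stops matching, which matters for a people search (D'Angelo, O'Neil). FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and emits a deprecation notice on each call. I would replace the line with `$searchTerm = trim((string) $searchTerm);` and, if wildcards from the user are unwanted, escape `%` and `_` before building the LIKE pattern. The second hunk (getPeopleEmailsAndGroups) is whitespace-only reindentation and needs no change.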
