From 19ff24d5fb15c2b2e9ba9df6832af23ced8e82e2 Mon Sep 17 00:00:00 2001
From: phili67
Date: Thu, 14 Oct 2021 17:39:44 +0000
Subject: [PATCH 1/5] EcclesiaCRM/APIControllers/SearchController.php : search injection solution

---
 src/EcclesiaCRM/APIControllers/SearchController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/EcclesiaCRM/APIControllers/SearchController.php b/src/EcclesiaCRM/APIControllers/SearchController.php
index cc8170d60e..92fa13646d 100644
--- a/src/EcclesiaCRM/APIControllers/SearchController.php
+++ b/src/EcclesiaCRM/APIControllers/SearchController.php
@@ -49,6 +49,9 @@ public function getSearchResult (ServerRequestInterface $request, ResponseInterf
 $req = (object)$request->getParsedBody();
 $query = $req->SearchTerm;
+
+ $query = Propel::getConnection()->quote($query);
+
 $query_elements = $req->Elements;
 $group_elements = $req->GroupElements;
 $group_role_elements = $req->GroupRoleElements;

From 83bd6600e699ce2f07374939340155c25faba2ed Mon Sep 17 00:00:00 2001
From: phili67
Date: Sun, 17 Oct 2021 16:35:12 +0000
Subject: [PATCH 2/5] src/EcclesiaCRM/APIControllers/SearchController.php : antize query

---
 src/EcclesiaCRM/APIControllers/SearchController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/EcclesiaCRM/APIControllers/SearchController.php b/src/EcclesiaCRM/APIControllers/SearchController.php
index 92fa13646d..727e2f4110 100644
--- a/src/EcclesiaCRM/APIControllers/SearchController.php
+++ b/src/EcclesiaCRM/APIControllers/SearchController.php
@@ -50,7 +50,7 @@ public function getSearchResult (ServerRequestInterface $request, ResponseInterf
 $query = $req->SearchTerm;
- $query = Propel::getConnection()->quote($query);
+ $query = filter_var($query, FILTER_SANITIZE_STRING);
 $query_elements = $req->Elements;
 $group_elements = $req->GroupElements;

From a73bf91ce0bb12af4a2637c3c64b714205a0b91d Mon Sep 17 00:00:00 2001
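Review bot: `$query = filter_var($query, FILTER_SANITIZE_STRING);` in the PATCH 2/5 hunk is an HTML-oriented filter (it strips tags and turns `'`/`"` into `&#39;`/`&#34;`), not SQL escaping, and the constant is deprecated since PHP 8.1; whether it actually closes the injection in getSearchResult depends on how `$query` is consumed further down, which is outside the hunk. If the term is interpolated into a SQL string or a Propel `where()` clause, the durable fix is to pass the raw text as a bound parameter (Propel `filterBy*()`/`where('... ?', $term)` placeholders or a PDO prepared statement) rather than rewriting the input. Entity-encoding also breaks legitimate searches: a term such as `O'Brien` becomes `O&#39;Brien` and no longer matches. If the value is later rendered in HTML, escape it at output with `htmlspecialchars()` instead. getSearchResult's body continues outside the hunk.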
From: phili67
Date: Sun, 17 Oct 2021 17:04:57 +0000
Subject: [PATCH 3/5] src/EcclesiaCRM/APIControllers/PeopleGroupController.php : sanitized

---
 src/EcclesiaCRM/APIControllers/PeopleGroupController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/EcclesiaCRM/APIControllers/PeopleGroupController.php b/src/EcclesiaCRM/APIControllers/PeopleGroupController.php
index a0819307f8..b3064e6359 100644
--- a/src/EcclesiaCRM/APIControllers/PeopleGroupController.php
+++ b/src/EcclesiaCRM/APIControllers/PeopleGroupController.php
@@ -140,8 +140,9 @@ public function addressBook (ServerRequestInterface $request, ResponseInterface
 public function searchGroup(ServerRequestInterface $request, ResponseInterface $response, array $args): ResponseInterface
 {
 $query = $args['query'];
- $searchLikeString = '%'.$query.'%';
+ $query = filter_var($query, FILTER_SANITIZE_STRING);
+ $searchLikeString = '%'.$query.'%';
 $groups = GroupQuery::create()
 ->filterByName($searchLikeString, Criteria::LIKE)

From 9f5b16db8d0cd2a48500f2b05713debf9b53894b Mon Sep 17 00:00:00 2001
From: phili67
Date: Sun, 17 Oct 2021 17:05:27 +0000
Subject: [PATCH 4/5] src/EcclesiaCRM/Service/FinancialService.php : sanitized

---
 src/EcclesiaCRM/Service/FinancialService.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/EcclesiaCRM/Service/FinancialService.php b/src/EcclesiaCRM/Service/FinancialService.php
index f4e0ec52c7..37d6aeb319 100644
--- a/src/EcclesiaCRM/Service/FinancialService.php
+++ b/src/EcclesiaCRM/Service/FinancialService.php
@@ -392,6 +392,8 @@ public function getPayments($depID)
 public function searchDeposits($searchTerm)
 {
+ $searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);
+
 MiscUtils::requireUserGroupMembership('bFinance');
 $fetch = 'SELECT dep_ID, dep_Comment, dep_Date, dep_EnteredBy, dep_Type FROM deposit_dep
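Review bot: In searchGroup the term reaches the database only through `GroupQuery::create()->filterByName($searchLikeString, Criteria::LIKE)`, which Propel binds as a prepared-statement parameter rather than interpolating, so the added `filter_var($query, FILTER_SANITIZE_STRING)` gives no SQL protection here while it does rewrite legitimate input (`'` becomes `&#39;`, tags are dropped), and the constant is deprecated since PHP 8.1. What the LIKE filter does leave open is that `%` and `_` inside the user's term still act as wildcards; if that matters, escape them when building the pattern, e.g. `$searchLikeString = '%' . addcslashes($query, '%_\\') . '%';`, and drop the sanitizer. A one-line comment such as `// Propel binds this value as a parameter; do not pre-escape it` would keep the next maintainer from re-adding input mangling. searchGroup continues past the hunk.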
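Review bot: searchDeposits builds raw SQL in `$fetch`, and `$searchTerm` is consumed below the hunk, so if it is concatenated into that string the added `filter_var($searchTerm, FILTER_SANITIZE_STRING)` is not a fix: it entity-encodes quotes and strips tags but leaves backslashes, `%`/`_` and every other character intact, and it is deprecated since PHP 8.1. The same applies to the searchPayments hunk in this patch. The reliable fix is a placeholder in the SQL and a bound value, e.g. `$stmt = Propel::getConnection()->prepare($fetch); $stmt->execute([':term' => '%' . $searchTerm . '%']);`, leaving the input text unmodified. I would also keep `MiscUtils::requireUserGroupMembership('bFinance')` as the first statement so authorization runs before any input handling. Both functions continue outside their hunks.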
@@ -421,6 +423,8 @@ public function searchDeposits($searchTerm)
 public function searchPayments($searchTerm)
 {
+ $searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);
+
 MiscUtils::requireUserGroupMembership('bFinance');
 $fetch = 'SELECT dep_ID, dep_Comment, dep_Date, dep_EnteredBy, dep_Type, plg_FamID, plg_amount, plg_CheckNo, plg_plgID, plg_GroupKey FROM deposit_dep

From 5ef132de9e2aae4e5a550ee663946f7e9515bd71 Mon Sep 17 00:00:00 2001
From: phili67
Date: Sun, 17 Oct 2021 17:06:05 +0000
Subject: [PATCH 5/5] src/EcclesiaCRM/Service/PersonService.php : sanitized

---
 src/EcclesiaCRM/Service/PersonService.php | 75 ++++++++++++-----------
 1 file changed, 39 insertions(+), 36 deletions(-)

diff --git a/src/EcclesiaCRM/Service/PersonService.php b/src/EcclesiaCRM/Service/PersonService.php
index 338ce6a008..21d47d061d 100644
--- a/src/EcclesiaCRM/Service/PersonService.php
+++ b/src/EcclesiaCRM/Service/PersonService.php
@@ -14,14 +14,17 @@ class PersonService
 {
- public function search($searchTerm, $includeFamilyRole=true)
+ public function search($searchTerm, $includeFamilyRole = true)
 {
- $searchLikeString = '%'.$searchTerm.'%';
+ $searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);
+
+ $searchLikeString = '%' . $searchTerm . '%';
+
 $people = PersonQuery::create()->
- filterByFirstName($searchLikeString, Criteria::LIKE)->
- _or()->filterByLastName($searchLikeString, Criteria::LIKE)->
- _or()->filterByEmail($searchLikeString, Criteria::LIKE)->
- limit(15)->find();
+ filterByFirstName($searchLikeString, Criteria::LIKE)->
+ _or()->filterByLastName($searchLikeString, Criteria::LIKE)->
+ _or()->filterByEmail($searchLikeString, Criteria::LIKE)->
+ limit(15)->find();
 $return = [];
 foreach ($people as $person) {
 $values['id'] = $person->getId();
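Review bot: PersonService::search feeds the term into `PersonQuery::create()->filterByFirstName(...)`, `filterByLastName(...)` and `filterByEmail(...)` with `Criteria::LIKE`, which Propel passes as bound parameters, so the new `filter_var($searchTerm, FILTER_SANITIZE_STRING)` does not change the SQL risk but does alter what is searched: apostrophes in names become `&#39;` and stop matching, and the constant is deprecated since PHP 8.1. If the intent is to stop users widening the match, the relevant characters are the LIKE wildcards, which the sanitizer leaves alone; `'%' . addcslashes($searchTerm, '%_\\') . '%'` handles that. While the signature is being touched, `public function search(string $searchTerm, bool $includeFamilyRole = true): array` would make the contract explicit. The method continues past the hunk.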
@@ -58,43 +61,43 @@ public function search($searchTerm, $includeFamilyRole=true)
 public function getPeopleEmailsAndGroups()
 {
 $persons = PersonQuery::Create()
- ->addJoin(PersonTableMap::COL_PER_ID,Person2group2roleP2g2rTableMap::COL_P2G2R_PER_ID,Criteria::LEFT_JOIN)
- ->addJoin(Person2group2roleP2g2rTableMap::COL_P2G2R_GRP_ID,GroupTableMap::COL_GRP_ID,Criteria::LEFT_JOIN)
- ->addMultipleJoin(array(array(GroupTableMap::COL_GRP_ROLELISTID,ListOptionTableMap::COL_LST_ID),
- array(Person2group2roleP2g2rTableMap::COL_P2G2R_RLE_ID,ListOptionTableMap::COL_LST_OPTIONID)),
- Criteria::LEFT_JOIN)
- ->addAsColumn("GroupName",GroupTableMap::COL_GRP_NAME)
- ->addAsColumn("OptionName",ListOptionTableMap::COL_LST_OPTIONNAME)
- ->filterByEmail('',Criteria::NOT_EQUAL)
- ->_and()->filterByDateDeactivated (null)
- ->orderById()
- ->find();
+ ->addJoin(PersonTableMap::COL_PER_ID, Person2group2roleP2g2rTableMap::COL_P2G2R_PER_ID, Criteria::LEFT_JOIN)
+ ->addJoin(Person2group2roleP2g2rTableMap::COL_P2G2R_GRP_ID, GroupTableMap::COL_GRP_ID, Criteria::LEFT_JOIN)
+ ->addMultipleJoin(array(array(GroupTableMap::COL_GRP_ROLELISTID, ListOptionTableMap::COL_LST_ID),
+ array(Person2group2roleP2g2rTableMap::COL_P2G2R_RLE_ID, ListOptionTableMap::COL_LST_OPTIONID)),
+ Criteria::LEFT_JOIN)
+ ->addAsColumn("GroupName", GroupTableMap::COL_GRP_NAME)
+ ->addAsColumn("OptionName", ListOptionTableMap::COL_LST_OPTIONNAME)
+ ->filterByEmail('', Criteria::NOT_EQUAL)
+ ->_and()->filterByDateDeactivated(null)
+ ->orderById()
+ ->find();
- $people = [];
+ $people = [];
 $lastPersonId = 0;
- $per = [];
+ $per = [];
 foreach ($persons as $person) {
- if ($lastPersonId != $person->getId()) {
- if ($lastPersonId != 0) {
- $people[] = $per;
+ if ($lastPersonId != $person->getId()) {
+ if ($lastPersonId != 0) {
+ $people[] = $per;
+ }
+ $per = [];
+ $per['id'] = $person->getId();
+ $per['email'] = $person->getEmail();
+ $per['firstName'] = $person->getFirstName();
+ $per['lastName'] = $person->getLastName();
 }
- $per = [];
- $per['id'] = $person->getId();
- $per['email'] = $person->getEmail();
- $per['firstName'] = $person->getFirstName();
- $per['lastName'] = $person->getLastName();
- }
- if (!is_null($person->getGroupName()) && !is_null($person->getOptionName()) ) {
- $per[$person->getGroupName()] = _($person->getOptionName());
- }
-
- if ($lastPersonId != $person->getId()) {
- $lastPersonId = $person->getId();
- }
+ if (!is_null($person->getGroupName()) && !is_null($person->getOptionName())) {
+ $per[$person->getGroupName()] = _($person->getOptionName());
+ }
+
+ if ($lastPersonId != $person->getId()) {
+ $lastPersonId = $person->getId();
+ }
 }
- $people[] = $per;
+ $people[] = $per;
 return $people;
 }