Security: Fix SQL injection and likely future similar issues

ywarnier · ywarnier · commit bfa1eccfabb4 · 2018-12-17T10:11:45.000-05:00
diff --git a/main/inc/lib/CoursesAndSessionsCatalog.class.php b/main/inc/lib/CoursesAndSessionsCatalog.class.php
@@ -215,8 +215,8 @@ public static function getLimitFilterFromArray($limit)
     {
         $limitFilter = '';
         if (!empty($limit) && is_array($limit)) {
-            $limitStart = isset($limit['start']) ? $limit['start'] : 0;
-            $limitLength = isset($limit['length']) ? $limit['length'] : 12;
+            $limitStart = isset($limit['start']) ? (int) $limit['start'] : 0;
+            $limitLength = isset($limit['length']) ? (int) $limit['length'] : 12;
             $limitFilter = 'LIMIT '.$limitStart.', '.$limitLength;
         }
 
@@ -470,11 +470,13 @@ public static function search_courses($search_term, $limit, $justVisible = false
      * @param array  $limit
      *
      * @return array The session list
+     * @throws Exception
      */
     public static function browseSessions($date = null, $limit = [])
     {
         $em = Database::getManager();
         $urlId = api_get_current_access_url_id();
+        $date = Database::escape_string($date);
         $sql = "SELECT s.id FROM session s ";
         $sql .= "
             INNER JOIN access_url_rel_session ars
@@ -501,6 +503,8 @@ public static function browseSessions($date = null, $limit = [])
         }
 
         if (!empty($limit)) {
+            $limit['start'] = (int) $limit['start'];
+            $limit['length'] = (int) $limit['length'];
             $sql .= "LIMIT {$limit['start']}, {$limit['length']} ";
         }
 

Original file line number	Diff line number	Diff line change
`@@ -215,8 +215,8 @@ public static function getLimitFilterFromArray($limit)`
`215`	`215`	`{`
`216`	`216`	`$limitFilter = '';`
`217`	`217`	`if (!empty($limit) && is_array($limit)) {`
`218`		`- $limitStart = isset($limit['start']) ? $limit['start'] : 0;`
`219`		`- $limitLength = isset($limit['length']) ? $limit['length'] : 12;`
	`218`	`+ $limitStart = isset($limit['start']) ? (int) $limit['start'] : 0;`
	`219`	`+ $limitLength = isset($limit['length']) ? (int) $limit['length'] : 12;`
`220`	`220`	`$limitFilter = 'LIMIT '.$limitStart.', '.$limitLength;`
`221`	`221`	`}`
`222`	`222`
`@@ -470,11 +470,13 @@ public static function search_courses($search_term, $limit, $justVisible = false`
`470`	`470`	`* @param array $limit`
`471`	`471`	`*`
`472`	`472`	`* @return array The session list`
	`473`	`+ * @throws Exception`
`473`	`474`	`*/`
`474`	`475`	`public static function browseSessions($date = null, $limit = [])`
`475`	`476`	`{`
`476`	`477`	`$em = Database::getManager();`
`477`	`478`	`$urlId = api_get_current_access_url_id();`
	`479`	`+ $date = Database::escape_string($date);`
`478`	`480`	`$sql = "SELECT s.id FROM session s ";`
`479`	`481`	`$sql .= "`
`480`	`482`	`INNER JOIN access_url_rel_session ars`
`@@ -501,6 +503,8 @@ public static function browseSessions($date = null, $limit = [])`
`501`	`503`	`}`
`502`	`504`
`503`	`505`	`if (!empty($limit)) {`
	`506`	`+ $limit['start'] = (int) $limit['start'];`
	`507`	`+ $limit['length'] = (int) $limit['length'];`
`504`	`508`	`$sql .= "LIMIT {$limit['start']}, {$limit['length']} ";`
`505`	`509`	`}`
`506`	`510`