Skip to content

fix/ escape SQL values#627

Open
Herafia wants to merge 5 commits into
mainfrom
fix-datainjection-escape-sql-value
Open

fix/ escape SQL values#627
Herafia wants to merge 5 commits into
mainfrom
fix-datainjection-escape-sql-value

Conversation

@Herafia
Copy link
Copy Markdown
Contributor

@Herafia Herafia commented May 20, 2026
edited
Loading

Checklist before requesting a review

Please delete options that are not relevant.

  • I have performed a self-review of my code.
  • I have added tests (when available) that prove my fix is effective or that my feature works.
  • I have updated the CHANGELOG with a short functional description of the fix or new feature.
  • This change requires a documentation update.

Description

  • It fixes !44078
  • SQL queries in dataAlreadyInDB concatenated field values directly without escaping, causing a syntax error when names contain apostrophes . All affected concatenations now use escape().

@Herafia Herafia requested review from Rom1-B, Copilot and stonebuzz and removed request for Copilot May 20, 2026 07:32
@Herafia Herafia self-assigned this May 20, 2026
@Herafia Herafia mentioned this pull request May 20, 2026
Open
2 tasks
Rom1-B
Rom1-B requested changes May 20, 2026
View reviewed changes
Comment thread inc/commoninjectionlib.class.php Outdated
Copy link
Copy Markdown
Contributor

@Rom1-B Rom1-B May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be cleaner to refactor the code to replace doQuery() with the query builder.

$result = $DB->request($criteria);

Rom1-B
Rom1-B requested changes May 20, 2026
View reviewed changes
Comment thread inc/model.class.php
),
];
}
unset($_FILES['filename']);
Copy link
Copy Markdown
Contributor

@Rom1-B Rom1-B May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why ?
I'm not sure if this is directly related to the topic of this PR?!

Copy link
Copy Markdown
Contributor Author

@Herafia Herafia May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After move_uploaded_file(), the temporary file is deleted, but $_FILES['filename'] still contains its path.

Later, when rendering the page, Html::footer() calls createFromGlobals(). An UploadedFile instance is created for each entry, and it checks whether the temporary file still exists. Since the file has already been moved and no longer exists, an exception is thrown.

unset() clears the corresponding entry from $_FILES after the file has been moved.

Comment thread inc/commoninjectionlib.class.php Outdated
//Add additional parameters specific to this itemtype (or function checkPresent exists)
if (method_exists($injectionClass, 'checkPresent')) {
$where .= $injectionClass->checkPresent($this->values, $options);
$extra = trim((string) $injectionClass->checkPresent($this->values, $options));
Copy link
Copy Markdown
Contributor

@Rom1-B Rom1-B May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The three implementations of checkPresent() (softwareversion, softwarelicense, networkport) still return raw SQL with unescaped name values.
QueryExpression continues to receive potentially dangerous values.
These methods should either be updated to return an array of criteria, or at the very least, $DB->escape() should be added to the string fields.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Rom1-B Rom1-B Rom1-B requested changes

@stonebuzz stonebuzz Awaiting requested review from stonebuzz

Requested changes must be addressed to merge this pull request.

Assignees

@Herafia Herafia

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Herafia @Rom1-B