
Commit 36dfae2

author
Daniel Neto
committed
fix: Refactor save method in Subscribe class to use prepared statements for SQL queries
https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h#event-592243
1 parent adeff0a commit 36dfae2


1 file changed

+15
-4
lines changed


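--- a/objects/subscribe.php
+++ b/objects/subscribe.php
@@ -80,14 +80,25 @@ protected function loadFromId($subscriber_users_id, $user_id, $status = "a")
 
 public function save()
 {
-global $global;
 if (!empty($this->id)) {
-$sql = "UPDATE subscribes SET status = '{$this->status}', notify = '{$this->notify}',ip = '" . getRealIpAddr() . "', modified = now() WHERE id = {$this->id}";
+$sql = "UPDATE subscribes SET status = ?, notify = ?, ip = ?, modified = now() WHERE id = ?";
+$saved = sqlDAL::writeSql($sql, "sssi", [
+(string) $this->status,
+(string) $this->notify,
+getRealIpAddr(),
+intval($this->id),
+]);
 } else {
 $this->status = 'a';
-$sql = "INSERT INTO subscribes ( users_id, email,status,ip, created, modified, subscriber_users_id) VALUES ('{$this->users_id}','{$this->email}', '{$this->status}', '" . getRealIpAddr() . "',now(), now(), '$this->subscriber_users_id')";
+$sql = "INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, ?, ?, now(), now(), ?)";
+$saved = sqlDAL::writeSql($sql, "isssi", [
+intval($this->users_id),
+(string) $this->email,
+(string) $this->status,
+getRealIpAddr(),
+intval($this->subscriber_users_id),
+]);
 }
-$saved = sqlDAL::writeSql($sql);
 if($saved){
 //var_dump($saved, $this->status);exit;
 if($this->status == 'a'){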