Security Headlines

CVE-2023-1211: Bugfix: SQL injection in custom field enum/set types · phpipam/phpipam@16e7a94

SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.

Tags: CVE, #sql #git #php

@@ -673,7 +673,7 @@ public function update_custom_field_definition ($field) {
# set type definition and size of needed if($field[‘fieldType’]=="bool" || $field[‘fieldType’]=="text" || $field[‘fieldType’]=="date" || $field[‘fieldType’]=="datetime") { $field[‘ftype’] = $field[‘fieldType’]; } else { $field[‘ftype’] = $field[‘fieldType’]."(“.$field[‘fieldSize’].”)“; } else { $field[‘ftype’] = $field[‘fieldType’].”( :enumset )"; }
# default value null $field[‘fieldDefault’] = is_blank($field[‘fieldDefault’]) ? NULL : $field[‘fieldDefault’]; @@ -709,6 +709,7 @@ public function update_custom_field_definition ($field) { $params = array(); if (strpos($query, “:default”)>0) $params[‘default’] = $field[‘fieldDefault’]; if (strpos($query, “:comment”)>0) $params[‘comment’] = $field[‘Comment’]; if (strpos($query, “:enumset”)>0) $params[‘enumset’] = $field[‘fieldSize’];
# execute try { $res = $this->Database->runQuery($query, $params); }
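Review bot: in the type-definition hunk (@@ -673), the enum/set branch now emits the `:enumset` placeholder instead of concatenating `$field['fieldSize']` into `$field['ftype']`, which removes the user-controlled option list from the query text; the `bool`/`text`/`date`/`datetime` branch is unchanged. Two things to verify before merging: first, `( :enumset )` is a single placeholder, so the database layer binds the whole option list as one value, and a test with a multi-value enum or set should confirm the resulting column definition still carries every option rather than one quoted string containing the whole list. Second, the hunk still shows a `"(".$field['fieldSize'].")"` form; if that branch survives for sized types such as varchar or int, `fieldSize` reaches the query by concatenation there, so it should be validated as an integer on that path.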
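Review bot: in the parameter-binding hunk (@@ -709), the added line `if (strpos($query, ":enumset")>0) $params['enumset'] = $field['fieldSize'];` mirrors the `:default` and `:comment` lines, but `strpos(...) > 0` treats a match at offset 0 as no match; `!== false` is the idiomatic check and avoids silently leaving a placeholder unbound. A short comment on this line would also help, since for enum/set fields `fieldSize` holds the option list rather than a length, and the same key carries both meanings in this function.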

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907