mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-04-13 12:32:08 +02:00
Code Issues Projects Releases Wiki Activity

MDL-70804 mnet: Use proper DML method to get records from the table

Browse Source 
This improves the code and avoids the risk of SQL injection through the
malicious XML-RPC request from the MNet peer.
This commit is contained in:
David Mudrák 2021-02-09 15:29:11 +01:00 committed by Jenkins
parent 5a0cca1e3c
commit eaa157d6ff
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
auth/mnet/auth.php
View File

@ -710,9 +710,7 @@ class auth_plugin_mnet extends auth_plugin_base {
foreach($superArray as $subArray) {
$subArray = array_values($subArray);
$instring = "('".implode("', '",$subArray)."')";
$query = "select id, session_id, username from {mnet_session} where username in $instring";
$results = $DB->get_records_sql($query);
$results = $DB->get_records_list('mnet_session', 'username', $subArray, '', 'id, session_id, username');
if ($results == false) {
// We seem to have a username that breaks our query: