Commit 9ed0c1a8 authored by Romain Thouvenin's avatar Romain Thouvenin

Validate type of record ids before searching them

parent d2e5dadb
......@@ -14,6 +14,11 @@ function civicrm_api3_traxy_Trackopen($params) {
$json_msg = json_decode($params['message']);
$queue_id = $json_msg->params->q;
if (!CRM_Utils_Rule::positiveInteger($queue_id)) {
//This is an SQL injection attempt or some other form of ill-constructed URL, let's ignore it
return civicrm_api3_create_success();
}
$q = new CRM_Mailing_Event_BAO_Queue();
$q->id = $queue_id;
if ($q->find(TRUE)) {
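Review bot: The new positiveInteger() guard runs only after `$json_msg->params->q` has already been dereferenced, so a message that is not valid JSON, or JSON without a `params.q` path, raises a PHP warning on the line before the guard and the guard then tests NULL. Folding the shape check into the guard avoids that: `if (!isset($json_msg->params->q) || !CRM_Utils_Rule::positiveInteger($json_msg->params->q)) {`. The same ordering issue exists in the Trackurl hunk, which reads `params->qid` and `params->u` the same way. Because the early return deliberately answers with civicrm_api3_create_success(), a rejected message leaves no trace; logging it, e.g. `CRM_Core_Error::debug_log_message('Trackopen: rejected non-integer queue id')`, gives monitoring a signal for the probing the comment describes. The function body continues outside the hunk.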
......
......@@ -17,6 +17,11 @@ function civicrm_api3_traxy_Trackurl($params) {
$queue_id = $json_msg->params->qid;
$url_id = $json_msg->params->u;
if (!CRM_Utils_Rule::positiveInteger($queue_id) || !CRM_Utils_Rule::positiveInteger($url_id)) {
//This is an SQL injection attempt or some other form of ill-constructed URL, let's ignore it
return civicrm_api3_create_success();
}
$search = CRM_Core_DAO::executeQuery(
"SELECT $turl.url as url
FROM $turl
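Review bot: The id validation is the right first step, but the query started on the following lines is still assembled by string interpolation (`SELECT $turl.url as url FROM $turl`), and the part of the statement that presumably uses `$queue_id` and `$url_id` lies outside the hunk, so the validation and the query are only loosely coupled. CRM_Core_DAO::executeQuery() takes a `$params` array, so binding the ids as `%1` / `%2` placeholders typed `'Positive'` (e.g. `[1 => [$queue_id, 'Positive'], 2 => [$url_id, 'Positive']]`) would keep the statement safe even if the validation above is later weakened. `$turl` is defined above the hunk; if it is a fixed table-name constant this is fine, but it must not be derived from request data. The enclosing function both starts and ends outside the hunk.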
......