Skip to content

Messenger: Fixed the issue of Non-Parameterised input#2119

Open
ali-ichk wants to merge 3 commits into
GibbonEdu:v31.0.00from
ali-ichk:Messenger---fixed-the-issue-of-a-non-parameterised-input
Open

Messenger: Fixed the issue of Non-Parameterised input#2119
ali-ichk wants to merge 3 commits into
GibbonEdu:v31.0.00from
ali-ichk:Messenger---fixed-the-issue-of-a-non-parameterised-input

Conversation

@ali-ichk

Copy link
Copy Markdown
Contributor

Description
Fixed the issue of Non-Parameterised input

@SKuipers SKuipers left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ali-ichk While the variables have been sanitized, they have not necessarily been added as parameters. For best practice, they need to be added to the data array, and then used as a parameter in the SQL eg IN (:studentIDList)

@ali-ichk ali-ichk requested a review from SKuipers June 18, 2026 05:46

$inClause = implode(',', $placeholders);

$sqlFamily="SELECT DISTINCT gibbonFamilyID FROM gibbonFamilyChild WHERE gibbonPersonID IN ($inClause)" ;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ali-ichk You're making progress, but the goal is to ensure there are no variables inserted into the SQL statement, so the $inClause itself should be a parameter, and the imploded string is passed into the data array. Check your code complexity, there should be a bit cleaner way to implement this, thanks.

@ali-ichk ali-ichk requested a review from SKuipers June 30, 2026 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants