From 8694d1697cd8dd3faec80cb638ceb1a3fe5bb439 Mon Sep 17 00:00:00 2001 From: Ali Alam Date: Wed, 17 Jun 2026 12:05:05 +0800 Subject: [PATCH 1/3] Messenger: Fixed the issue of Non-Parameterised input --- modules/Messenger/src/MessageTargets.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/Messenger/src/MessageTargets.php b/modules/Messenger/src/MessageTargets.php index a5ac253758..932dd72fb1 100644 --- a/modules/Messenger/src/MessageTargets.php +++ b/modules/Messenger/src/MessageTargets.php @@ -1958,7 +1958,11 @@ public function createMessageRecipientsFromTargets($gibbonMessengerID, $data, &$ if ($parents=="Y") { try { //Get the familyIDs for each student logged $dataFamily=array(); - $sqlFamily="SELECT DISTINCT gibbonFamilyID FROM gibbonFamilyChild WHERE gibbonPersonID IN (".implode(",",$selectedStudents).")" ; + // Sanitize student IDs + $safeStudentIDs = array_map('intval', $selectedStudents); + $inClause = implode(',', $safeStudentIDs); + + $sqlFamily="SELECT DISTINCT gibbonFamilyID FROM gibbonFamilyChild WHERE gibbonPersonID IN ($inClause)" ; $resultFamily=$connection2->prepare($sqlFamily); $resultFamily->execute($dataFamily); $resultFamilies = $resultFamily->fetchAll(); From 2f41be6cc23767db99247b2bc706a8f23c3d366a Mon Sep 17 00:00:00 2001 From: Ali Alam Date: Thu, 18 Jun 2026 13:43:26 +0800 Subject: [PATCH 2/3] Messenger: improved the code based on code review to add the variables as parameters to the SQL Query --- modules/Messenger/src/MessageTargets.php | 83 +++++++++++++++--------- 1 file changed, 51 insertions(+), 32 deletions(-) diff --git a/modules/Messenger/src/MessageTargets.php b/modules/Messenger/src/MessageTargets.php index 932dd72fb1..bbeee2e3ab 100644 --- a/modules/Messenger/src/MessageTargets.php +++ b/modules/Messenger/src/MessageTargets.php @@ -1902,11 +1902,11 @@ public function createMessageRecipientsFromTargets($gibbonMessengerID, $data, &$ $currentStudent=""; $lastStudent=""; while ($row=$result->fetch()) { - $currentStudent=$row["gibbonPersonID"] ; - if (in_array($row["type"], $choices) AND $currentStudent!=$lastStudent) { - $selectedStudents[]=$currentStudent ; - } - $lastStudent=$currentStudent ; + $currentStudent=$row["gibbonPersonID"] ; + if (in_array($row["type"], $choices) AND $currentStudent!=$lastStudent) { + $selectedStudents[]=$currentStudent ; + } + $lastStudent=$currentStudent ; } if (count($selectedStudents)>=1) { @@ -1953,21 +1953,40 @@ public function createMessageRecipientsFromTargets($gibbonMessengerID, $data, &$ } } } //end get emails + //Get SMS if ($sms=="Y" AND $countryCode!="") { if ($parents=="Y") { try { //Get the familyIDs for each student logged - $dataFamily=array(); - // Sanitize student IDs - $safeStudentIDs = array_map('intval', $selectedStudents); - $inClause = implode(',', $safeStudentIDs); + $validStudentIDs = []; + foreach ($selectedStudents as $studentID) { + if (is_numeric($studentID)) { + $validStudentIDs[] = $studentID; + } + } + + if (!empty($validStudentIDs)) { + $dataFamily = []; + $placeholders = []; + + $count = 0; + foreach ($validStudentIDs as $studentID) { + $paramName = 'student' . $count; + $dataFamily[$paramName] = $studentID; + $placeholders[] = ':' . $paramName; + $count++; + } + + $inClause = implode(',', $placeholders); - $sqlFamily="SELECT DISTINCT gibbonFamilyID FROM gibbonFamilyChild WHERE gibbonPersonID IN ($inClause)" ; - $resultFamily=$connection2->prepare($sqlFamily); - $resultFamily->execute($dataFamily); - $resultFamilies = $resultFamily->fetchAll(); - } - catch(\PDOException $e) { } + $sqlFamily="SELECT DISTINCT gibbonFamilyID FROM gibbonFamilyChild WHERE gibbonPersonID IN ($inClause)" ; + $resultFamily=$connection2->prepare($sqlFamily); + $resultFamily->execute($dataFamily); + $resultFamilies = $resultFamily->fetchAll(); + } else { + $resultFamilies = []; + } + } catch(\PDOException $e) { } foreach ($resultFamilies as $rowFamily) { //Get the people for each familyID try { @@ -1998,25 +2017,25 @@ public function createMessageRecipientsFromTargets($gibbonMessengerID, $data, &$ } } if ($students=="Y") { - try { //Get the phone numbers for each student - foreach ($selectedStudents as $t) { - $dataSMS=array("gibbonPersonID"=>$t); - $sqlSMS="(SELECT phone1 AS phone, phone1CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone1='' AND phone1Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; - $sqlSMS.=" UNION (SELECT phone2 AS phone, phone2CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone2='' AND phone2Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; - $sqlSMS.=" UNION (SELECT phone3 AS phone, phone3CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone3='' AND phone3Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; - $sqlSMS.=" UNION (SELECT phone4 AS phone, phone4CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone4='' AND phone4Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; - $resultSMS=$connection2->prepare($sqlSMS); - $resultSMS->execute($dataSMS); + try { //Get the phone numbers for each student + foreach ($selectedStudents as $t) { + $dataSMS=array("gibbonPersonID"=>$t); + $sqlSMS="(SELECT phone1 AS phone, phone1CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone1='' AND phone1Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; + $sqlSMS.=" UNION (SELECT phone2 AS phone, phone2CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone2='' AND phone2Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; + $sqlSMS.=" UNION (SELECT phone3 AS phone, phone3CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone3='' AND phone3Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; + $sqlSMS.=" UNION (SELECT phone4 AS phone, phone4CountryCode AS countryCode, gibbonPerson.gibbonPersonID FROM gibbonPerson WHERE NOT phone4='' AND phone4Type='Mobile' AND gibbonPersonID=:gibbonPersonID AND status='Full')" ; + $resultSMS=$connection2->prepare($sqlSMS); + $resultSMS->execute($dataSMS); + } + } catch(\PDOException $e) { } + + while ($rowSMS=$resultSMS->fetch()) { + $countryCodeTemp = $countryCode; + if ($rowSMS["countryCode"]=="") + $countryCodeTemp = $rowSMS["countryCode"]; + $this->reportAdd($emailReceipt, $rowSMS['gibbonPersonID'], 'Attendance', $t, 'SMS', $countryCodeTemp.$rowSMS["phone"]); } } - catch(\PDOException $e) { } - while ($rowSMS=$resultSMS->fetch()) { - $countryCodeTemp = $countryCode; - if ($rowSMS["countryCode"]=="") - $countryCodeTemp = $rowSMS["countryCode"]; - $this->reportAdd($emailReceipt, $rowSMS['gibbonPersonID'], 'Attendance', $t, 'SMS', $countryCodeTemp.$rowSMS["phone"]); - } - } } //END SMS } } From c4953ae48b814ef42375dab78301311b3e2cc385 Mon Sep 17 00:00:00 2001 From: Ali Alam Date: Tue, 30 Jun 2026 18:48:10 +0800 Subject: [PATCH 3/3] Messenger: Improved code after removing complexity and fixing the issue of parameterising variables. --- modules/Messenger/src/MessageTargets.php | 36 +++++------------------- 1 file changed, 7 insertions(+), 29 deletions(-) diff --git a/modules/Messenger/src/MessageTargets.php b/modules/Messenger/src/MessageTargets.php index bbeee2e3ab..b6f02d5399 100644 --- a/modules/Messenger/src/MessageTargets.php +++ b/modules/Messenger/src/MessageTargets.php @@ -1958,35 +1958,13 @@ public function createMessageRecipientsFromTargets($gibbonMessengerID, $data, &$ if ($sms=="Y" AND $countryCode!="") { if ($parents=="Y") { try { //Get the familyIDs for each student logged - $validStudentIDs = []; - foreach ($selectedStudents as $studentID) { - if (is_numeric($studentID)) { - $validStudentIDs[] = $studentID; - } - } - - if (!empty($validStudentIDs)) { - $dataFamily = []; - $placeholders = []; - - $count = 0; - foreach ($validStudentIDs as $studentID) { - $paramName = 'student' . $count; - $dataFamily[$paramName] = $studentID; - $placeholders[] = ':' . $paramName; - $count++; - } - - $inClause = implode(',', $placeholders); - - $sqlFamily="SELECT DISTINCT gibbonFamilyID FROM gibbonFamilyChild WHERE gibbonPersonID IN ($inClause)" ; - $resultFamily=$connection2->prepare($sqlFamily); - $resultFamily->execute($dataFamily); - $resultFamilies = $resultFamily->fetchAll(); - } else { - $resultFamilies = []; - } - } catch(\PDOException $e) { } + $dataFamily=array("gibbonPersonIDs"=>implode(",", $selectedStudents)); + $sqlFamily="SELECT DISTINCT gibbonFamilyID FROM gibbonFamilyChild WHERE FIND_IN_SET(gibbonPersonID, :gibbonPersonIDs)" ; + $resultFamily=$connection2->prepare($sqlFamily); + $resultFamily->execute($dataFamily); + $resultFamilies = $resultFamily->fetchAll(); + } + catch(\PDOException $e) { } foreach ($resultFamilies as $rowFamily) { //Get the people for each familyID try {