Skip to content

Fix SQL injection in config setting updates#141

Open
ajfroelich wants to merge 1 commit into
diskoverdata:masterfrom
ajfroelich:codex-security-review
Open

Fix SQL injection in config setting updates#141
ajfroelich wants to merge 1 commit into
diskoverdata:masterfrom
ajfroelich:codex-security-review

Conversation

@ajfroelich

Copy link
Copy Markdown

This PR fixes unsafe SQL construction in ConfigDatabase::updateConfigSetting().

The config table name is now restricted to the supported configweb and configdiskover tables. The config name and JSON encoded value now use SQLite prepared statement bindings instead of being placed directly into the SQL query.

I also added a regression test that confirms normal config updates still work and that SQL injected through a configuration name or value cannot modify the users table.

Validation completed successfully with the new security test and PHP syntax checks.

@ajfroelich ajfroelich marked this pull request as draft July 3, 2026 19:36
@ajfroelich ajfroelich marked this pull request as ready for review July 3, 2026 19:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant