fix: convert remaining db_execute to prepared statements in notify_lists.php

somethingwithproof · somethingwithproof · commit 2118f6f1cf36 · 2026-03-24T17:58:23.000-07:00
Convert all template and thold_data association/disassociation queries
from raw string concatenation with $selected_items[$i] to
db_execute_prepared with bound parameters.

Signed-off-by: Thomas Vincent &lt;thomasvincent@gmail.com&gt;
diff --git a/notify_lists.php b/notify_lists.php
@@ -394,42 +394,29 @@ function form_actions() {
 							// clear other settings
 							if (get_request_var('notification_warning_action') == 1) {
 								// set the notification list
-								db_execute('UPDATE thold_template
-									SET notify_warning=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_template SET notify_warning=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 
 								// clear other items
-								db_execute("UPDATE thold_template
-									SET notify_warning_extra=''
-									WHERE id=" . $selected_items[$i]);
+								db_execute_prepared("UPDATE thold_template SET notify_warning_extra='' WHERE id=?", [intval($selected_items[$i])]);
 							} else {
 								// set the notification list
-								db_execute('UPDATE thold_template
-									SET notify_warning=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_template SET notify_warning=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 							}
 						}
 
 						if (get_request_var('notification_alert_action') > 0) {
 							// clear other settings
 							if (get_request_var('notification_alert_action') == 1) {
 								// set the notification list
-								db_execute('UPDATE thold_template
-									SET notify_alert=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_template SET notify_alert=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 
 								// clear other items
-								db_execute("UPDATE thold_template
-									SET notify_extra=''
-									WHERE id=" . $selected_items[$i]);
+								db_execute_prepared("UPDATE thold_template SET notify_extra='' WHERE id=?", [intval($selected_items[$i])]);
 
-								db_execute('DELETE FROM plugin_thold_template_contact
-									WHERE template_id=' . $selected_items[$i]);
+								db_execute_prepared('DELETE FROM plugin_thold_template_contact WHERE template_id=?', [intval($selected_items[$i])]);
 							} else {
 								// set the notification list
-								db_execute('UPDATE thold_template
-									SET notify_alert=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_template SET notify_alert=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 							}
 						}
 
@@ -439,18 +426,12 @@ function form_actions() {
 					for ($i = 0; ($i < count($selected_items)); $i++) {
 						if (get_request_var('notification_warning_action') > 0) {
 							// set the notification list
-							db_execute('UPDATE thold_template
-								SET notify_warning=0
-								WHERE id=' . $selected_items[$i] . '
-								AND notify_warning=' . get_request_var('id'));
+							db_execute_prepared('UPDATE thold_template SET notify_warning=0 WHERE id=? AND notify_warning=?', [intval($selected_items[$i]), intval(get_request_var('id'))]);
 						}
 
 						if (get_request_var('notification_alert_action') > 0) {
 							// set the notification list
-							db_execute('UPDATE thold_template
-								SET notify_alert=0
-								WHERE id=' . $selected_items[$i] . '
-								AND notify_alert=' . get_request_var('id'));
+							db_execute_prepared('UPDATE thold_template SET notify_alert=0 WHERE id=? AND notify_alert=?', [intval($selected_items[$i]), intval(get_request_var('id'))]);
 						}
 
 						thold_template_update_thresholds($selected_items[$i]);
@@ -472,60 +453,42 @@ function form_actions() {
 							// clear other settings
 							if (get_request_var('notification_warning_action') == 1) {
 								// set the notification list
-								db_execute('UPDATE thold_data
-									SET notify_warning=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_data SET notify_warning=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 
 								// clear other items
-								db_execute("UPDATE thold_data
-									SET notify_warning_extra=''
-									WHERE id=" . $selected_items[$i]);
+								db_execute_prepared("UPDATE thold_data SET notify_warning_extra='' WHERE id=?", [intval($selected_items[$i])]);
 							} else {
 								// set the notification list
-								db_execute('UPDATE thold_data
-									SET notify_warning=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_data SET notify_warning=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 							}
 						}
 
 						if (get_request_var('notification_alert_action') > 0) {
 							// clear other settings
 							if (get_request_var('notification_alert_action') == 1) {
 								// set the notification list
-								db_execute('UPDATE thold_data
-									SET notify_alert=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_data SET notify_alert=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 
 								// clear other items
-								db_execute("UPDATE thold_data
-									SET notify_extra=''
-									WHERE id=" . $selected_items[$i]);
+								db_execute_prepared("UPDATE thold_data SET notify_extra='' WHERE id=?", [intval($selected_items[$i])]);
 
 								db_execute_prepared('DELETE FROM plugin_thold_threshold_contact WHERE thold_id = ?', [intval($selected_items[$i])]);
 							} else {
 								// set the notification list
-								db_execute('UPDATE thold_data
-									SET notify_alert=' . get_request_var('id') . '
-									WHERE id=' . $selected_items[$i]);
+								db_execute_prepared('UPDATE thold_data SET notify_alert=? WHERE id=?', [intval(get_request_var('id')), intval($selected_items[$i])]);
 							}
 						}
 					}
 				} elseif (get_request_var('drp_action') == '2') { // disassociate
 					for ($i = 0; ($i < count($selected_items)); $i++) {
 						if (get_request_var('notification_warning_action') > 0) {
 							// set the notification list
-							db_execute('UPDATE thold_data
-								SET notify_warning=0
-								WHERE id=' . $selected_items[$i] . '
-								AND notify_warning=' . get_request_var('id'));
+							db_execute_prepared('UPDATE thold_data SET notify_warning=0 WHERE id=? AND notify_warning=?', [intval($selected_items[$i]), intval(get_request_var('id'))]);
 						}
 
 						if (get_request_var('notification_alert_action') > 0) {
 							// set the notification list
-							db_execute('UPDATE thold_data
-								SET notify_alert=0
-								WHERE id=' . $selected_items[$i] . '
-								AND notify_alert=' . get_request_var('id'));
+							db_execute_prepared('UPDATE thold_data SET notify_alert=0 WHERE id=? AND notify_alert=?', [intval($selected_items[$i]), intval(get_request_var('id'))]);
 						}
 					}
 				}
