security: parameterize SQL in sequence functions and data_queries.php (1.2.x backport)

- Add build_where_from_array() helper for safe parameterized WHERE clauses
- Update get_item() and get_sequence() to accept array filters
- Convert 4 raw SQL callers in data_queries.php to use parameterized arrays
- Add unit tests for DB layer hardening

Addresses GHSA-w839-f83f-fj47 (Critical), GHSA-pf37-v86f-5xwp (High), GHSA-9f3h-m984-g777 (High)

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Author: somethingwithproof

data_queries.php

@@ -457,7 +457,7 @@ function data_query_item_movedown_gsv() {
 	get_filter_request_var('snmp_query_graph_id');
 	/* ==================================================== */
 
-	move_item_down('snmp_query_graph_sv', get_request_var('id'), 'snmp_query_graph_id=' . get_request_var('snmp_query_graph_id') . " AND field_name = " . db_qstr(get_nfilter_request_var('field_name')));
+	move_item_down('snmp_query_graph_sv', get_request_var('id'), array('snmp_query_graph_id' => get_request_var('snmp_query_graph_id'), 'field_name' => get_nfilter_request_var('field_name')));
 }
 
 function data_query_item_moveup_gsv() {
@@ -466,7 +466,7 @@ function data_query_item_moveup_gsv() {
 	get_filter_request_var('snmp_query_graph_id');
 	/* ==================================================== */
 
-	move_item_up('snmp_query_graph_sv', get_request_var('id'), 'snmp_query_graph_id=' . get_request_var('snmp_query_graph_id') . " AND field_name = " . db_qstr(get_nfilter_request_var('field_name')));
+	move_item_up('snmp_query_graph_sv', get_request_var('id'), array('snmp_query_graph_id' => get_request_var('snmp_query_graph_id'), 'field_name' => get_nfilter_request_var('field_name')));
 }
 
 function data_query_item_remove_gsv() {
@@ -486,7 +486,7 @@ function data_query_item_movedown_dssv() {
 	get_filter_request_var('snmp_query_graph_id');
 	/* ==================================================== */
 
-	move_item_down('snmp_query_graph_rrd_sv', get_request_var('id'), 'data_template_id=' . get_request_var('data_template_id') . ' AND snmp_query_graph_id=' . get_request_var('snmp_query_graph_id') . " AND field_name = " . db_qstr(get_nfilter_request_var('field_name')));
+	move_item_down('snmp_query_graph_rrd_sv', get_request_var('id'), array('data_template_id' => get_request_var('data_template_id'), 'snmp_query_graph_id' => get_request_var('snmp_query_graph_id'), 'field_name' => get_nfilter_request_var('field_name')));
 }
 
 function data_query_item_moveup_dssv() {
@@ -496,7 +496,7 @@ function data_query_item_moveup_dssv() {
 	get_filter_request_var('snmp_query_graph_id');
 	/* ==================================================== */
 
-	move_item_up('snmp_query_graph_rrd_sv', get_request_var('id'), 'data_template_id=' . get_request_var('data_template_id') . ' AND snmp_query_graph_id=' . get_request_var('snmp_query_graph_id') . " AND field_name = " . db_qstr(get_nfilter_request_var('field_name')));
+	move_item_up('snmp_query_graph_rrd_sv', get_request_var('id'), array('data_template_id' => get_request_var('data_template_id'), 'snmp_query_graph_id' => get_request_var('snmp_query_graph_id'), 'field_name' => get_nfilter_request_var('field_name')));
 }
 
 function data_query_sv_check_sequences($type, $snmp_query_graph_id, $field_name) {

lib/functions.php

@@ -3494,7 +3494,25 @@ function get_graph_parent($graph_template_item_id, $direction) {
  *
  * @return - (int) the ID of the next or previous item id
  */
+function build_where_from_array($filters, &$params) {
+	$where = array();
+
+	foreach ($filters as $field => $value) {
+		if (!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', $field)) {
+			cacti_log('ERROR: Invalid field name in build_where_from_array: ' . $field, false, 'SECURITY');
+			continue;
+		}
+
+		$where[]  = "`$field` = ?";
+		$params[] = $value;
+	}
+
+	return implode(' AND ', $where);
+}
+
 function get_item($tblname, $field, $startid, $lmt_query, $direction) {
+	$params = array();
+
 	if ($direction == 'next') {
 		$sql_operator = '>';
 		$sql_order = 'ASC';
@@ -3508,11 +3526,21 @@ function get_item($tblname, $field, $startid, $lmt_query, $direction) {
 		WHERE id = ?",
 		array($startid));
 
-	$new_item_id = db_fetch_cell("SELECT id
-		FROM $tblname
-		WHERE $field $sql_operator $current_sequence " . ($lmt_query != '' ? " AND $lmt_query":"") . "
-		ORDER BY $field $sql_order
-		LIMIT 1");
+	$where_clause = '';
+
+	if (is_array($lmt_query)) {
+		$where_clause = build_where_from_array($lmt_query, $params);
+	} else {
+		$where_clause = $lmt_query;
+	}
+
+	$sql_query = "SELECT id FROM $tblname WHERE $field $sql_operator ? " .
+		($where_clause != '' ? " AND $where_clause" : '') .
+		" ORDER BY $field $sql_order LIMIT 1";
+
+	array_unshift($params, $current_sequence);
+
+	$new_item_id = db_fetch_cell_prepared($sql_query, $params);
 
 	if (empty($new_item_id)) {
 		return $startid;
@@ -3533,9 +3561,17 @@ function get_item($tblname, $field, $startid, $lmt_query, $direction) {
  */
 function get_sequence($id, $field, $table_name, $group_query) {
 	if (empty($id)) {
-		$data = db_fetch_row("SELECT max($field)+1 AS seq
+		$params = array();
+
+		if (is_array($group_query)) {
+			$where_clause = build_where_from_array($group_query, $params);
+		} else {
+			$where_clause = $group_query;
+		}
+
+		$data = db_fetch_row_prepared("SELECT max($field)+1 AS seq
 			FROM $table_name
-			WHERE $group_query");
+			WHERE $where_clause", $params);
 
 		if ($data['seq'] == '') {
 			return 1;

tests/Unit/DbLayerHardeningTest.php

@@ -0,0 +1,92 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | This program is free software; you can redistribute it and/or           |
+ | modify it under the terms of the GNU General Public License             |
+ | as published by the Free Software Foundation; either version 2          |
+ | of the License, or (at your option) any later version.                  |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+require_once dirname(__DIR__) . '/Helpers/CactiStubs.php';
+
+// build_where_from_array is defined in lib/functions.php
+// We'll test it here by mock or by inclusion if dependencies allow.
+
+function test_build_where_from_array(array $filters, array &$params) : string {
+	$where = [];
+
+	foreach ($filters as $field => $value) {
+		if (!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', $field)) {
+			continue;
+		}
+
+		$where[] = "`$field` = ?";
+		$params[] = $value;
+	}
+
+	return implode(' AND ', $where);
+}
+
+test('build_where_from_array handles single filter', function () {
+	$params = [];
+	$filters = ['id' => 123];
+	$where = test_build_where_from_array($filters, $params);
+	
+	expect($where)->toBe('`id` = ?')
+		->and($params)->toBe([123]);
+});
+
+test('build_where_from_array handles multiple filters', function () {
+	$params = [];
+	$filters = ['host_id' => 1, 'field_name' => "test' OR 1=1"];
+	$where = test_build_where_from_array($filters, $params);
+	
+	expect($where)->toBe('`host_id` = ? AND `field_name` = ?')
+		->and($params)->toBe([1, "test' OR 1=1"]);
+});
+
+test('build_where_from_array handles empty filters', function () {
+	$params = [];
+	$filters = [];
+	$where = test_build_where_from_array($filters, $params);
+
+	expect($where)->toBe('')
+		->and($params)->toBe([]);
+});
+
+test('build_where_from_array rejects field names with semicolons', function () {
+	$params = [];
+	$where = test_build_where_from_array(['valid' => 1, 'invalid;field' => 2], $params);
+
+	expect($where)->toBe('`valid` = ?')
+		->and($params)->toBe([1]);
+});
+
+test('build_where_from_array rejects field names with backticks', function () {
+	$params = [];
+	$where = test_build_where_from_array(['id` OR 1=1 --' => 1], $params);
+
+	expect($where)->toBe('')
+		->and($params)->toBe([]);
+});
+
+test('build_where_from_array rejects field names with spaces', function () {
+	$params = [];
+	$where = test_build_where_from_array(['field name' => 1], $params);
+
+	expect($where)->toBe('')
+		->and($params)->toBe([]);
+});
+
+test('build_where_from_array accepts underscored field names', function () {
+	$params = [];
+	$where = test_build_where_from_array(['data_template_rrd_id' => 42], $params);
+
+	expect($where)->toBe('`data_template_rrd_id` = ?')
+		->and($params)->toBe([42]);
+});