
Fix SQL injection in EventEditor.php via EID parameter#7684

Merged: DawoudIO merged 2 commits into master from fix/issue-6854-eventeditor-sqli on Nov 30, 2025

Conversation

@DawoudIO (Contributor)

What Changed

Add InputUtils::filterInt() sanitization to EID parameter from both GET and POST requests. The unsanitized EID was being directly concatenated into SQL queries, allowing SQL injection attacks.

Fixes #6854

Type

  • ✨ Feature
  • 🐛 Bug fix
  • ♻️ Refactor
  • 🏗️ Build/Infrastructure
  • 🔒 Security

Testing

Screenshots

Security Check

  • Introduces new input validation
  • Modifies authentication/authorization
  • Affects data privacy/GDPR

Code Quality

  • Database: Propel ORM only, no raw SQL
  • No deprecated attributes (align, valign, nowrap, border, cellpadding, cellspacing, bgcolor)
  • Bootstrap CSS classes used
  • All CSS bundled via webpack

Pre-Merge

  • Tested locally
  • No new warnings
  • Build passes
  • Backward compatible (or migration documented)

Add InputUtils::filterInt() sanitization to EID parameter from both
GET and POST requests. The unsanitized EID was being directly
concatenated into SQL queries, allowing SQL injection attacks.

Fixes #6854
Copilot AI review requested due to automatic review settings November 30, 2025 00:32
@DawoudIO DawoudIO requested a review from a team as a code owner November 30, 2025 00:32
@DawoudIO DawoudIO requested review from DAcodedBEAT, MrClever, bigtigerku, grayeul and respencer and removed request for a team November 30, 2025 00:32
Sanitize EventCount[] and EventCountNotes POST parameters in the
ON DUPLICATE KEY UPDATE clause of eventcounts_evtcnt INSERT statements.
The INSERT VALUES were already sanitized but the UPDATE clause used
raw unsanitized values, allowing SQL injection via the attendance
count fields.

Applied InputUtils::legacyFilterInput() consistently to both the
INSERT and UPDATE portions of the query.
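The commit above closes the gap by applying the project's own sanitizer to both halves of the statement. The following is an added example, not ChurchCRM's code: it shows the same defect pattern (sanitized VALUES, raw ON DUPLICATE KEY UPDATE) and then swaps in a PDO prepared statement instead, so there is no concatenation point left to forget. The table name `eventcounts_evtcnt` and the `EventCount[]`/`EventCountNotes` POST fields come from the PR; the column names are hypothetical placeholders.

```php
<?php
// Added example; not ChurchCRM's code. Column names below are placeholders.

// BEFORE: the pattern the commit describes. The VALUES list is filtered,
// but the ON DUPLICATE KEY UPDATE clause splices the raw POST values in,
// so the statement is still injectable through the attendance fields.
function buildCountSqlBefore(int $eid, int $countId, array $post): string
{
    $count = (int) ($post['EventCount'][$countId] ?? 0);
    $notes = addslashes((string) ($post['EventCountNotes'] ?? ''));
    return 'INSERT INTO eventcounts_evtcnt'
         . ' (evtcnt_eventid, evtcnt_countid, evtcnt_countcount, evtcnt_notes)'
         . " VALUES ($eid, $countId, $count, '$notes')"
         // Unfiltered: these two come straight from $_POST.
         . ' ON DUPLICATE KEY UPDATE evtcnt_countcount = ' . $post['EventCount'][$countId]
         . ", evtcnt_notes = '" . $post['EventCountNotes'] . "'";
}

// AFTER: validate the integer once, then bind every user-supplied value in
// both the INSERT and the UPDATE half. MySQL's native prepares do not allow
// reusing a named placeholder, so the UPDATE half gets its own names.
function upsertCount(PDO $db, int $eid, int $countId, array $post): bool
{
    $count = filter_var($post['EventCount'][$countId] ?? null, FILTER_VALIDATE_INT);
    if ($count === false || $count === null) {
        $count = 0; // reject non-integer counts rather than pass them through
    }
    $notes = (string) ($post['EventCountNotes'] ?? '');

    $stmt = $db->prepare(
        'INSERT INTO eventcounts_evtcnt'
      . ' (evtcnt_eventid, evtcnt_countid, evtcnt_countcount, evtcnt_notes)'
      . ' VALUES (:eid, :cid, :cnt, :notes)'
      . ' ON DUPLICATE KEY UPDATE evtcnt_countcount = :cnt2, evtcnt_notes = :notes2'
    );
    return $stmt->execute([
        ':eid'    => $eid,
        ':cid'    => $countId,
        ':cnt'    => $count,
        ':notes'  => $notes,
        ':cnt2'   => $count,
        ':notes2' => $notes,
    ]);
}
```

A quick review check for this class of bug is to grep the file for every `$_POST`/`$_GET` reference and confirm each one reaches the query only through a bound parameter or a validated cast, not just the ones in the first clause.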
Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses a SQL injection vulnerability in EventEditor.php by sanitizing the EID parameter from both GET and POST requests using InputUtils::filterInt(). The unsanitized EID was being directly concatenated into SQL queries at line 231, creating a security risk.

Key Changes

  • Applied InputUtils::filterInt() to $_GET['EID'] (line 34)
  • Applied InputUtils::filterInt() to $_POST['EID'] (line 37)

@DawoudIO DawoudIO merged commit 1ca7109 into master Nov 30, 2025
7 checks passed
@DawoudIO DawoudIO deleted the fix/issue-6854-eventeditor-sqli branch November 30, 2025 01:06
Development

Successfully merging this pull request may close these issues.

Security Bug: SQL Injection - Event Editor

2 participants