Fix SQL injection vulnerability in WhichType parameter#7691

Merged
DawoudIO merged 2 commits intomasterfrom
fix/sql-injection-listevents-whitype
Nov 30, 2025

Conversation

@DawoudIO
Contributor

What Changed

Use InputUtils::filterInt() instead of legacyFilterInput() to properly sanitize the WhichType POST parameter. This ensures only integer values are accepted when filtering events by type, preventing SQL injection attacks in the event listing page.

Type

  • ✨ Feature
  • 🐛 Bug fix
  • ♻️ Refactor
  • 🏗️ Build/Infrastructure
  • 🔒 Security

Testing

Screenshots

Security Check

  • Introduces new input validation
  • Modifies authentication/authorization
  • Affects data privacy/GDPR

Code Quality

  • Database: Propel ORM only, no raw SQL
  • No deprecated attributes (align, valign, nowrap, border, cellpadding, cellspacing, bgcolor)
  • Bootstrap CSS classes used
  • All CSS bundled via webpack

Pre-Merge

  • Tested locally
  • No new warnings
  • Build passes
  • Backward compatible (or migration documented)

Use InputUtils::filterInt() instead of legacyFilterInput() to properly
sanitize the WhichType POST parameter. This ensures only integer values
are accepted when filtering events by type, preventing SQL injection
attacks in the event listing page.
@DawoudIO DawoudIO added this to the 6.3.0 milestone Nov 30, 2025
Copilot AI review requested due to automatic review settings November 30, 2025 06:38
@DawoudIO DawoudIO requested a review from a team as a code owner November 30, 2025 06:38
@DawoudIO DawoudIO requested review from DAcodedBEAT, MrClever, bigtigerku, grayeul and respencer and removed request for a team November 30, 2025 06:38

Copilot AI left a comment


Pull request overview

This security-focused PR fixes a SQL injection vulnerability in the event listing page by replacing InputUtils::legacyFilterInput() with InputUtils::filterInt() for the WhichType parameter. The change ensures only integer values are accepted when filtering events by type, preventing potential SQL injection attacks.

Key Changes

  • Switched from legacyFilterInput() to filterInt() for sanitizing the WhichType POST parameter
  • Added an explicit check for the 'All' value to handle the special case where no type filter is applied
  • Maintains backward compatibility by preserving the 'All' type option behavior

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@DawoudIO DawoudIO merged commit ce432e4 into master Nov 30, 2025
6 checks passed
@DawoudIO DawoudIO deleted the fix/sql-injection-listevents-whitype branch November 30, 2025 06:57
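The pattern this fix applies, shown as an added example that is not ChurchCRM's own code: the vulnerable string-concatenation path beside the hardened path that checks 'All' explicitly and then accepts only an integer. The table and column names, and the filterIntOrNull() helper standing in for InputUtils::filterInt(), are assumptions.

```php
<?php
// Added example, not ChurchCRM's code: the validation pattern this PR applies
// to the WhichType POST parameter. Helper and table names are assumptions.
declare(strict_types=1);

// Before the fix: a legacy string sanitizer (modelled here as strip_tags) leaves
// non-numeric input intact, and it is concatenated straight into the SQL.
function buildEventQueryVulnerable(array $post): string
{
    $whichType = strip_tags((string) ($post['WhichType'] ?? ''));
    $sql = 'SELECT * FROM events_event';
    if ($whichType !== 'All' && $whichType !== '') {
        $sql .= ' WHERE event_type = ' . $whichType; // injection point
    }
    return $sql;
}

// Integer-only filter in the spirit of filterInt(): returns null for anything
// that is not a whole integer, so no free-form text can reach the query.
function filterIntOrNull(array $source, string $key): ?int
{
    if (!isset($source[$key])) {
        return null;
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// After the fix: 'All' is handled explicitly first, then only an integer is
// accepted, and it is bound as a parameter instead of being interpolated.
function buildEventQueryHardened(array $post): array
{
    $sql = 'SELECT * FROM events_event';
    $params = [];
    if (($post['WhichType'] ?? 'All') !== 'All') {
        $typeId = filterIntOrNull($post, 'WhichType');
        if ($typeId === null) {
            // Reject malformed input instead of silently listing everything.
            throw new InvalidArgumentException('WhichType must be an integer or "All"');
        }
        $sql .= ' WHERE event_type = :type';
        $params[':type'] = $typeId;
    }
    return [$sql, $params];
}

// Constructed inputs: the 'All' sentinel and a numeric type id are accepted;
// any non-numeric value takes the exception path above.
var_dump(buildEventQueryHardened(['WhichType' => 'All']));
var_dump(buildEventQueryHardened(['WhichType' => '3']));
```

The returned `[$sql, $params]` pair is meant to be handed to a prepared statement (or, in the project's case, a Propel criteria), so the type id never becomes part of the query text.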