I was having a look through ContactManager_to_Yealink_AddressBook/cm_to_yl_ab.php to look for some inspiration on feeding freepbx data to Yealink, and noticed that unsanitised $_GET data is fed directly into an SQL string.
On line 33:
$contact_manager_group = isset($_GET['cgroup']) ? $_GET['cgroup'] : "SomeName"; // <-- Edit "SomeName" to make your own default
Is then used on line 55:
$sql = "SELECT ... WHERE cg.name = '$contact_manager_group') ...;";
Then prepared/executed on lines 58/59.
I'd suggest minimally using the ? placeholder and bind_param() to prevent SQL string manipulation.
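The vulnerable pattern and the suggested fix side by side, as an added example (not code from cm_to_yl_ab.php or the ContactManager_to_Yealink_AddressBook project). Only `cg.name`, the `cgroup` parameter and the `SomeName` default come from the report; the other table and column names are assumed stand-ins. The example also shows the caveat behind "prepared/executed on lines 58/59": calling prepare() on a string that already contains the `$_GET` value gives no protection, because the injected text is part of the statement before the server ever sees a parameter.

```php
<?php
declare(strict_types=1);

// Added example, not code from cm_to_yl_ab.php. It reproduces the pattern in
// the report (a $_GET value interpolated into the SQL string) and the fix the
// post suggests (a ? placeholder plus bind_param()). Table and column names
// other than cg.name are assumed stand-ins.

// Building the query the way the script does: the value becomes SQL text.
function build_unsafe_sql(array $get): string
{
    $contact_manager_group = isset($get['cgroup']) ? $get['cgroup'] : 'SomeName';
    return "SELECT e.displayname, e.number "
         . "FROM contactmanager_entries e "                        // assumed name
         . "JOIN contactmanager_groups cg ON cg.id = e.groupid "   // assumed name
         . "WHERE cg.name = '$contact_manager_group'";
}

// prepare()/execute() on that string changes nothing: whatever the client
// injected is already part of the statement text the server parses.
function run_unsafe(mysqli $db, array $get): array
{
    $stmt = $db->prepare(build_unsafe_sql($get));
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Fixed: the SQL text is constant; the group name travels as a bound parameter
// and is compared literally against cg.name, quotes and all.
function run_safe(mysqli $db, array $get): array
{
    $contact_manager_group = isset($get['cgroup']) ? $get['cgroup'] : 'SomeName';
    $sql = "SELECT e.displayname, e.number "
         . "FROM contactmanager_entries e "                        // assumed name
         . "JOIN contactmanager_groups cg ON cg.id = e.groupid "   // assumed name
         . "WHERE cg.name = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $contact_manager_group); // 's': bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Offline demonstration of the unsafe path with a constructed request value;
// no database connection is needed to see what the query turns into.
$attack = ['cgroup' => "x' OR '1'='1"];
echo build_unsafe_sql($attack), PHP_EOL;
```

With that constructed input the unsafe builder ends its statement in `WHERE cg.name = 'x' OR '1'='1'`, which matches every group rather than the one the caller asked for; `run_safe()` sends the same bytes as a parameter, so the server looks for a group literally named `x' OR '1'='1`. The code uses mysqli to match the bind_param() the post refers to; `get_result()` needs the mysqlnd driver, and on builds without it `bind_result()`/`fetch()` does the same job.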