MDL-70804 mnet: Use proper DML method to get records from the table
This improves the code and avoids the risk of SQL injection through the
malicious XML-RPC request from the MNet peer.
mudrd8mz authored and Jenkins committed May 4, 2021
1 parent 5a0cca1 commit eaa157d
Showing 1 changed file with 1 addition and 3 deletions.
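--- a/auth/mnet/auth.php
+++ b/auth/mnet/auth.php
@@ -710,9 +710,7 @@ function keepalive_server($array) {
 
 foreach($superArray as $subArray) {
 $subArray = array_values($subArray);
-$instring = "('".implode("', '",$subArray)."')";
-$query = "select id, session_id, username from {mnet_session} where username in $instring";
-$results = $DB->get_records_sql($query);
+$results = $DB->get_records_list('mnet_session', 'username', $subArray, '', 'id, session_id, username');
 
 if ($results == false) {
 // We seem to have a username that breaks our query: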
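Review bot: The `if ($results == false)` check after the new `get_records_list()` call keeps the comment "We seem to have a username that breaks our query", which no longer describes what can reach that branch. With the usernames bound as parameters, a crafted value from the MNet peer cannot alter the statement, and as far as I know the DML layer signals a failed query by throwing rather than by returning false, so the branch is taken only when no session row matches. I would write the test as `if (empty($results)) {` and reword the comment to `// No mnet_session record matches these usernames.`. The body of that branch and the rest of keepalive_server() lie outside the hunk, so whatever it reports back to the peer should be checked against the new meaning. Because `$array` arrives from the peer, it is also worth confirming earlier in the function that each element is a plain string before it is handed to the DML call.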
