Fix SQL injection in Packet Index controller

carlbennett · claude · carlbennett · commit ee9775c72e76 · 2026-03-17T19:51:32.000-05:00
Cast pktapplayer values to int via array_map before interpolating into
the SQL IN() clause, preventing injection from user-supplied GET params.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/Controllers/Packet/Index.php b/src/Controllers/Packet/Index.php
@@ -42,7 +42,7 @@ public function invoke(?array $args): bool
     }
 
     $this->model->packets = \BNETDocs\Libraries\Packet\Packet::getAllPackets(
-      '`packet_application_layer_id` IN (' . implode( ',', $this->model->pktapplayer ) . ')',
+      '`packet_application_layer_id` IN (' . implode(',', array_map('intval', $this->model->pktapplayer)) . ')',
       $this->model->order
     );
 

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ public function invoke(?array $args): bool`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`$this->model->packets = \BNETDocs\Libraries\Packet\Packet::getAllPackets(`
`45`		- '`packet_application_layer_id` IN (' . implode( ',', $this->model->pktapplayer ) . ')',
	`45`	+ '`packet_application_layer_id` IN (' . implode(',', array_map('intval', $this->model->pktapplayer)) . ')',
`46`	`46`	`$this->model->order`
`47`	`47`	`);`
`48`	`48`