Authenticated SQL injection in lib/execute/execSetResults.php via the step_notes #327

Author: fmancardi

lib/functions/testcase.class.php

@@ -9562,8 +9562,11 @@ public function getStepsPartialExec($stepsIds,$context) {
    * 
    */
   public function deleteStepsPartialExec($stepsIds,$context) {
-    $inClause = implode(",",$stepsIds);
     if( count($stepsIds) > 0 ) {
+      // https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/327
+      // Security
+      $inClause = $this->db->prepare_string(implode(",",$stepsIds));
+
       $sql = " DELETE FROM {$this->tables['execution_tcsteps_wip']} 
                WHERE tcstep_id IN (" . $inClause . ") " .
              " AND testplan_id = " .