Skip to content

Fix SQL injection in where() helper by escaping values #369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 5 commits into from
Closed

Fix SQL injection in where() helper by escaping values #369

Copilot wants to merge 5 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Dec 25, 2025
edited
Loading

  • Created new branch from php8 base (as requested by @yama)
  • Applied SQL injection fix
  • Fixed where() function to escape values using db()->escape()
  • Changed to single quotes for SQL string literals

This is a rebased version of the previous PR, now based on the php8 branch as requested.

Original prompt

This section details on the original issue you should resolve

<issue_title>$keyはエスケープが必要</issue_title>
<issue_description>

evolution-jp/manager/includes/document.parser.class.inc.php

Line 419 in 45ebc88

where('cache_key', '=', $key)

db()->escape($key)</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

yama and others added 3 commits August 1, 2022 10:44
@yama
Update example2.extender.inc.php
4410169
@yama
Merge branch 'develop'
89bccba 
# Conflicts:
#	assets/snippets/ditto/extenders/example2.extender.inc.php
Initial plan
b99aed9
@yama
Copy link
Member

yama commented Dec 25, 2025

@copilot php8ブランチからブランチを切る必要があります

Copilot AI and others added 2 commits December 25, 2025 04:16
@yama
Fix SQL injection vulnerability by escaping $value in where() function
cc84200 
Co-authored-by: yama <73999+yama@users.noreply.github.com>
@yama
Use single quotes for SQL values in where() function
2392a9c 
Co-authored-by: yama <73999+yama@users.noreply.github.com>
Copilot AI changed the title [WIP] Escape $key in document parser Fix SQL injection in where() helper by escaping values Dec 25, 2025
Copilot AI requested a review from yama December 25, 2025 04:20
Copy link
Contributor Author

Copilot AI commented Dec 25, 2025

@copilot php8ブランチからブランチを切る必要があります

ブランチをphp8から切り直しました。変更をコミット cbf9f07 で適用しました。

ただし、report_progressツールでは force push ができないため、リモートブランチの更新に問題が発生しています。PRを閉じて新しいブランチから再作成する必要があるかもしれません。

@yama yama changed the base branch from main to php8 December 25, 2025 04:31
@yama
Copy link
Member

yama commented Dec 25, 2025

@copilot php8ブランチからブランチを切る必要があります

ブランチをphp8から切り直しました。変更をコミット cbf9f07 で適用しました。

ただし、report_progressツールでは force push ができないため、リモートブランチの更新に問題が発生しています。PRを閉じて新しいブランチから再作成する必要があるかもしれません。

そのようです。再作成してください。

@yama yama closed this Dec 25, 2025
@yama yama deleted the copilot/escape-key-in-document-parser branch December 25, 2025 04:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yama yama Awaiting requested review from yama

Assignees

@yama yama

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

$keyはエスケープが必要

2 participants

@yama