authorGreg Roach <greg@subaqua.co.uk>2026-04-27 21:10:15 +0100
committerGreg Roach <greg@subaqua.co.uk>2026-04-27 21:10:15 +0100
commiteba7e5e38d17b0dfa28e3666e378955f7702db87 (patch)
tree12fbbeab0cdd0deef7fda8a43a16e02ede6e613d /app
parente90f21dce4be97d1b89400073b730e9d63e25a24 (diff)
Add comment about SQL-Injection and GEDCOM 7
Diffstat (limited to 'app')
-rw-r--r--app/Http/RequestHandlers/RenumberTreeAction.php9
1 files changed, 9 insertions, 0 deletions
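--- a/app/Http/RequestHandlers/RenumberTreeAction.php
+++ b/app/Http/RequestHandlers/RenumberTreeAction.php
@@ -67,6 +67,15 @@ final class RenumberTreeAction implements RequestHandlerInterface
 return redirect(route(RenumberTreePage::class, ['tree' => $tree->name()]));
 }
+// We use embedded variables $old_xref and $new_xref in the following update statements
+// because Laravel QueryBuilder does not provide a clean way to use placeholders.
+//
+// $old_xref comes from the database and is already validated
+// $new_xref is generated by ourselves
+//
+// So, there is no possibility of SQL injection.
+// This may change when we support GEDCOM 7, which allows any characters in XREFs.
+
 foreach ($xrefs as $old_xref => $type) {
 $new_xref = Registry::xrefFactory()->make($type);
 switch ($type) {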
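Review bot: The added comment's safety argument rests on a precondition — that `$old_xref` was "already validated" before it reaches this loop — that nothing in this hunk enforces, so the guarantee exists only in prose and will silently stop holding once GEDCOM 7 XREFs are accepted, as the comment's last line itself anticipates. Since `$old_xref` is interpolated into SQL in the loop body (which continues outside the hunk), a guard at the top of the `foreach` would turn the assumption into a checked invariant, e.g. `if (preg_match('/^[A-Za-z0-9_]+$/', $old_xref) !== 1) { throw new RuntimeException('Unexpected XREF: ' . $old_xref); }` with the character class matched to whatever the project's existing XREF validation accepts (the regex here is illustrative only). If the update statements are issued through Laravel's raw helpers, `DB::statement($sql, $bindings)` or `whereRaw($sql, $bindings)` do take a bindings array, which may be a cleaner fix than either the guard or the comment. At minimum the comment should say where the validation of `$old_xref` happens so a reader can verify the claim rather than trust it.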