| author | Greg Roach <greg@subaqua.co.uk> | 2026-04-27 21:10:15 +0100 |
|---|---|---|
| committer | Greg Roach <greg@subaqua.co.uk> | 2026-04-27 21:10:15 +0100 |
| commit | eba7e5e38d17b0dfa28e3666e378955f7702db87 (patch) | |
| tree | 12fbbeab0cdd0deef7fda8a43a16e02ede6e613d /app | |
| parent | e90f21dce4be97d1b89400073b730e9d63e25a24 (diff) | |
| download | webtrees-eba7e5e38d17b0dfa28e3666e378955f7702db87.tar.gz webtrees-eba7e5e38d17b0dfa28e3666e378955f7702db87.tar.bz2 webtrees-eba7e5e38d17b0dfa28e3666e378955f7702db87.zip | |
Add comment about SQL-Injection and GEDCOM 7
Diffstat (limited to 'app')
| -rw-r--r-- | app/Http/RequestHandlers/RenumberTreeAction.php | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/Http/RequestHandlers/RenumberTreeAction.php b/app/Http/RequestHandlers/RenumberTreeAction.php index 1088e44153..1f81d6ce09 100644 --- a/app/Http/RequestHandlers/RenumberTreeAction.php +++ b/app/Http/RequestHandlers/RenumberTreeAction.php @@ -67,6 +67,15 @@ final class RenumberTreeAction implements RequestHandlerInterface return redirect(route(RenumberTreePage::class, ['tree' => $tree->name()])); } + // We use embedded variables $old_xref and $new_xref in the following update statements + // because Laravel QueryBuilder does not provide a clean way to use placeholders. + // + // $old_xref comes from the database and is already validated + // $new_xref is generated by ourselves + // + // So, there is no possibility of SQL injection. + // This may change when we support GEDCOM 7, which allows any characters in XREFs. + foreach ($xrefs as $old_xref => $type) { $new_xref = Registry::xrefFactory()->make($type); switch ($type) { |
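Review bot: the new comment documents a safety argument ("$old_xref comes from the database and is already validated", "$new_xref is generated by ourselves") that nothing in this hunk enforces, so the "no possibility of SQL injection" conclusion holds only as long as every other code path that writes XREFs keeps validating them, and the comment itself says that assumption breaks once GEDCOM 7 XREFs (any characters) are supported. Rather than relying on a comment that must be remembered and revisited later, enforce the precondition at the point of interpolation: check that `$old_xref` contains only the characters the current XREF format permits (throwing otherwise) before it is embedded in the update statements, or pass the two values as bindings through `DB::update($sql, $bindings)`, which avoids string interpolation altogether and would not need revisiting for GEDCOM 7. A guard like that turns the documented assumption into a checked invariant, and the GEDCOM 7 work will then fail loudly at this spot instead of silently reopening an injection surface.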
