Diffstat (limited to 'app/Http/RequestHandlers/RenumberTreeAction.php')
-rw-r--r--app/Http/RequestHandlers/RenumberTreeAction.php9
1 files changed, 9 insertions, 0 deletions
diff --git a/app/Http/RequestHandlers/RenumberTreeAction.php b/app/Http/RequestHandlers/RenumberTreeAction.php
index 1088e44153..1f81d6ce09 100644
--- a/app/Http/RequestHandlers/RenumberTreeAction.php
+++ b/app/Http/RequestHandlers/RenumberTreeAction.php
@@ -67,6 +67,15 @@ final class RenumberTreeAction implements RequestHandlerInterface
return redirect(route(RenumberTreePage::class, ['tree' => $tree->name()]));
}
+ // We use embedded variables $old_xref and $new_xref in the following update statements
+ // because Laravel QueryBuilder does not provide a clean way to use placeholders.
+ //
+ // $old_xref comes from the database and is already validated
+ // $new_xref is generated by ourselves
+ //
+ // So, there is no possibility of SQL injection.
+ // This may change when we support GEDCOM 7, which allows any characters in XREFs.
+
foreach ($xrefs as $old_xref => $type) {
$new_xref = Registry::xrefFactory()->make($type);
switch ($type) {
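Review bot: The added comment declares that SQL injection is impossible, but nothing in the visible code enforces the two assumptions it rests on: that every `$old_xref` read back from the database is safe to embed, and that `Registry::xrefFactory()->make($type)` only ever returns safe characters. Stored XREFs presumably originate from imported GEDCOM data, so this is a second-order path, and the comment itself says the assumption may stop holding once GEDCOM 7 is supported. I would back the comment with a guard at the top of the loop, for example `if (preg_match('/\A[A-Za-z0-9:_.-]+\z/', (string) $old_xref) !== 1) { /* abort the renumbering */ }` (character class is illustrative; use the project's own XREF pattern), with the same check on `$new_xref`, so a future format change fails loudly instead of reaching the embedded statements. The update statements and the rest of the loop body lie outside this hunk, so how the values are quoted there could not be checked.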