From eba7e5e38d17b0dfa28e3666e378955f7702db87 Mon Sep 17 00:00:00 2001
From: Greg Roach
Date: Mon, 27 Apr 2026 21:10:15 +0100
Subject: Add comment about SQL-Injection and GEDCOM 7

---
 app/Http/RequestHandlers/RenumberTreeAction.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/app/Http/RequestHandlers/RenumberTreeAction.php b/app/Http/RequestHandlers/RenumberTreeAction.php
index 1088e44153..1f81d6ce09 100644
--- a/app/Http/RequestHandlers/RenumberTreeAction.php
+++ b/app/Http/RequestHandlers/RenumberTreeAction.php
@@ -67,6 +67,15 @@ final class RenumberTreeAction implements RequestHandlerInterface
 return redirect(route(RenumberTreePage::class, ['tree' => $tree->name()]));
 }
+ // We use embedded variables $old_xref and $new_xref in the following update statements
+ // because Laravel QueryBuilder does not provide a clean way to use placeholders.
+ //
+ // $old_xref comes from the database and is already validated
+ // $new_xref is generated by ourselves
+ //
+ // So, there is no possibility of SQL injection.
+ // This may change when we support GEDCOM 7, which allows any characters in XREFs.
+
 foreach ($xrefs as $old_xref => $type) {
 $new_xref = Registry::xrefFactory()->make($type);
 switch ($type) {
-- 
cgit v1.3
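Review bot: The added comment justifies interpolating `$old_xref` into SQL by saying it "is already validated", but it does not say where that validation lives, so a future reader (or the GEDCOM 7 work the comment itself anticipates) cannot check whether the invariant still holds at this point; suggest naming it, e.g. `// $old_xref comes from the database; XREFs are validated on import (see [validating class/method — fill in])`. Since the safety argument rests on an invariant enforced elsewhere, a cheap guard immediately before the interpolation, such as a `preg_match()` against the GEDCOM 5.5.1 pointer grammar that throws on mismatch, would make the assumption fail loudly rather than silently when that grammar widens. The first sentence of the comment may also be slightly overstated: Laravel's connection-level `DB::update($sql, $bindings)` and `DB::statement($sql, $bindings)` do accept bindings, so the update statements could presumably use placeholders if they were expressed that way; the statements themselves are outside this hunk, so I cannot confirm how they are built. The `foreach` and the enclosing `handle()` body continue past the end of the hunk.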