fix(sql): migrate interpolated queries to prepared statements#50
fix(sql): migrate interpolated queries to prepared statements#50somethingwithproof wants to merge 1 commit intoCacti:developfrom
Conversation
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the Audit plugin’s poller retention cleanup to avoid SQL string interpolation by using a prepared statement, aligning the plugin with Cacti’s safer DB access patterns.
Changes:
- Replace interpolated
DELETE ... FROM_UNIXTIME(<expr>)query withdb_execute_prepared(...)in the daily purge logic.
|
|
||
| if ($retention > 0) { | ||
| db_execute('DELETE FROM audit_log WHERE event_time < FROM_UNIXTIME(' . (time() - ($retention * 86400)) . ')'); | ||
| db_execute_prepared('DELETE FROM audit_log WHERE event_time < FROM_UNIXTIME(?)', array(time() - ($retention * 86400))); |
There was a problem hiding this comment.
PR description says it migrates the remaining interpolated SQL queries to prepared statements, but this file still has variable-interpolated UPDATEs to plugin_config (e.g., SET version='$current' and string-concatenated name/author/webpage updates in audit_check_upgrade()). Either convert those to prepared statements as well, or adjust the PR description/scope so it matches the actual change set.
There was a problem hiding this comment.
Correct. Only the one query with variable interpolation was converted. The others are static SQL.
Migrate remaining non-prepared SQL queries that interpolate PHP variables to use prepared statement variants (db_execute_prepared, db_fetch_cell_prepared, etc.). Static SQL without variable interpolation is left as-is.