fix(security): resolve F-02 — parameterize SQL queries in WaterLevelController index()

This commit is contained in:
root
2026-05-28 16:26:33 +08:00
parent e9fa6a2912
commit d95cb57275


@@ -23,20 +23,19 @@ class WaterLevelController extends Controller
$sqlDate = \Carbon\Carbon::parse($displayDate)->format('Y-m-d H:i:s'); $sqlDate = \Carbon\Carbon::parse($displayDate)->format('Y-m-d H:i:s');
$bindings = [];
$stationCondition = ''; $stationCondition = '';
$dateCondition = ''; $dateCondition = '';
if($stationFilter) if($stationFilter)
{ {
$stationCondition = " WHERE s.stationid = '{$stationFilter}' "; $stationCondition = " WHERE s.stationid = ? ";
$bindings[] = $stationFilter;
} }
if ($dateFilter) { if ($dateFilter) {
$dateCondition = " AND w.datetime = ? ";
$bindings[] = $sqlDate;
$dateCondition = " AND w.datetime = '{$sqlDate}' ";
} else { } else {
$dateCondition = " $dateCondition = "
AND w.datetime = ( AND w.datetime = (
SELECT MAX(datetime) SELECT MAX(datetime)
@@ -44,7 +43,6 @@ class WaterLevelController extends Controller
WHERE w2.stationid = s.stationid WHERE w2.stationid = s.stationid
) )
"; ";
} }
$wldata =collect(DB::select(" $wldata =collect(DB::select("
SELECT s.*, w.* SELECT s.*, w.*
@@ -54,7 +52,7 @@ class WaterLevelController extends Controller
$stationCondition $stationCondition
$dateCondition $dateCondition
ORDER BY s.name ASC ORDER BY s.name ASC
")); ", $bindings));
$stations = DB::table('station')->select('stationid', 'name') $stations = DB::table('station')->select('stationid', 'name')
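Review bot: The correctness of the new `$bindings` array rests on an invariant the hunk leaves undocumented: values must be pushed in exactly the order the `?` placeholders occur in the assembled SQL (station condition first, then date), because `DB::select` binds positionally. Add a comment at the `$bindings = [];` declaration such as `// Positional bindings: append in the same order the ? placeholders occur in the final query.` so a future third filter is not appended out of sequence. The `if($stationFilter)` truthiness test is untouched by the commit and would silently skip a station id of `"0"` if such ids can exist; `if ($stationFilter !== null && $stationFilter !== '')` is the stricter guard. The rest of `index()` and the FROM/JOIN lines between the hunks are outside this view, so whether the `AND`-prefixed date condition always follows a `WHERE` or `ON` clause when no station filter is set is inferred from the existing else branch, not verified.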