fix(security): resolve F-02 — parameterize SQL queries in WaterLevelController index()

2026-05-28 16:26:33 +08:00
parent e9fa6a2912
commit d95cb57275
1 changed files with 6 additions and 8 deletions
--- a/src/app/Http/Controllers/WaterLevelController.php
+++ b/src/app/Http/Controllers/WaterLevelController.php
@@ -23,20 +23,19 @@ class WaterLevelController extends Controller
        $sqlDate = \Carbon\Carbon::parse($displayDate)->format('Y-m-d H:i:s');


+        $bindings = [];
        $stationCondition = '';
        $dateCondition = '';
        if($stationFilter)
        {
-            $stationCondition = " WHERE s.stationid = '{$stationFilter}' ";
+            $stationCondition = " WHERE s.stationid = ? ";
+            $bindings[] = $stationFilter;
        }
        
-        
        if ($dateFilter) {
-          
-
-            $dateCondition = " AND w.datetime = '{$sqlDate}' ";
+            $dateCondition = " AND w.datetime = ? ";
+            $bindings[] = $sqlDate;
        } else {
-         
            $dateCondition = "
                AND w.datetime = (
                    SELECT MAX(datetime)
@@ -44,7 +43,6 @@ class WaterLevelController extends Controller
                    WHERE w2.stationid = s.stationid
                )
            ";
-
        }
        $wldata =collect(DB::select("
            SELECT s.*, w.*
@@ -54,7 +52,7 @@ class WaterLevelController extends Controller
            $stationCondition
            $dateCondition
            ORDER BY s.name ASC
-        "));
+        ", $bindings));

        
        $stations = DB::table('station')->select('stationid', 'name')