Improves SQL query parameter validation

zorgch · Feb 24, 2024 · 4a5af6a · 4a5af6a
1 parent ff8c689
commit 4a5af6a
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/www/includes/mysql.inc.php b/www/includes/mysql.inc.php
@@ -110,9 +110,13 @@ function query($sql, $file='', $line=0, $funktion='', $params=[]) {
 			/** Check if $params is provided, if not, execute the query directly */
 			if (empty($params)) {
 				$result = mysqli_query($this->conn, $sql);
-				/* Log SQL-Queries not upgraded to Prepared Statements */
+				/** Log SQL-Queries not upgraded to Prepared Statements */
 				zorgDebugger::log()->debug('<%s:%d> may required update to SQL prepared statement, in %s', [$funktion, $line, $file]);
 			} else {
+				/** Ensure $params is an Array */
+				if (is_object($params)) throw '$params cannot be of type object!';
+				if (!is_array($params)) $params = [ $params ];
+
 				$stmt = mysqli_prepare($this->conn, $sql);
 				if ($stmt === false) throw new mysqli_sql_exception(mysqli_error($this->conn));