From 4a5af6a268e19837f801dd6b1efe14e3953894b9 Mon Sep 17 00:00:00 2001
From: Oliver
Date: Sat, 24 Feb 2024 12:02:22 +0100
Subject: [PATCH] Improves SQL query parameter validation

---
 www/includes/mysql.inc.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/www/includes/mysql.inc.php b/www/includes/mysql.inc.php
index dbfca4a..48f0bcb 100644
--- a/www/includes/mysql.inc.php
+++ b/www/includes/mysql.inc.php
@@ -110,9 +110,13 @@ function query($sql, $file='', $line=0, $funktion='', $params=[]) {
 /** Check if $params is provided, if not, execute the query directly */
 if (empty($params)) {
 $result = mysqli_query($this->conn, $sql);
- /* Log SQL-Queries not upgraded to Prepared Statements */
+ /** Log SQL-Queries not upgraded to Prepared Statements */
 zorgDebugger::log()->debug('<%s:%d> may required update to SQL prepared statement, in %s', [$funktion, $line, $file]);
 } else {
+ /** Ensure $params is an Array */
+ if (is_object($params)) throw '$params cannot be of type object!';
+ if (!is_array($params)) $params = [ $params ];
+
 $stmt = mysqli_prepare($this->conn, $sql);
 if ($stmt === false) throw new mysqli_sql_exception(mysqli_error($this->conn));