Merge pull request #21 from Bynder/feature/GC-4987

[GC-4987] Unsafe SQL calls
Bynder · Jun 11, 2024 · a511985 · a511985
2 parents 02744ea + e9afa84
commit a511985
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/includes/classes/admin/mapping/field-types/acf.php b/includes/classes/admin/mapping/field-types/acf.php
@@ -44,15 +44,16 @@ public function underscore_template ( View $view ) {
         // FIELD GROUPS
         if($group_results){
             // Extract group IDs
-            $groupIds = array_map(function ($group) use ($wpdb) {
-                return $wpdb->prepare('%d', $group->ID);
+            $groupIds = array_map(function ($group) {
+                return $group->ID;
             }, $group_results);
-
-            $groupIds = implode(',', $groupIds);
+			$groupIdPlaceholders = implode(', ', array_map(function () {
+				return '%d';
+			}, $groupIds));
 
             // Prepare and execute query to get all fields for all groups
-            $fields_query = "SELECT * FROM {$wpdb->posts} WHERE post_type = 'acf-field' AND post_content LIKE '%repeater%' AND post_parent IN ($groupIds)";
-            $fields_results = $wpdb->get_results($fields_query);
+            $fields_query = "SELECT * FROM {$wpdb->posts} WHERE post_type = 'acf-field' AND post_content LIKE '%repeater%' AND post_parent IN ($groupIdPlaceholders)";
+            $fields_results = $wpdb->get_results($wpdb->prepare($fields_query, $groupIds));
 
             // Group the field results by parent group
             $grouped_field_results = [];