Small fix of sql vuln

inkustr · inkustr · commit e623da37f1dd · 2025-07-15T01:20:25.000+02:00
diff --git a/service/src/DatabaseManager/FindProblemsByAuthorId.php b/service/src/DatabaseManager/FindProblemsByAuthorId.php
@@ -16,13 +16,17 @@ public function __construct(
 
     public function execute(?string $authorUsername): array
     {
+        try {
         $sql = "SELECT p.title as title, p.difficulty as difficulty, p.is_published as is_published, p.id as id, p.description as description FROM problems p JOIN users u ON p.author_id = u.id WHERE p.is_published = true";
         if ($authorUsername) {
             $sql .= " AND u.username = '" . $authorUsername . "'";
         }
         
         $preparedStatement = $this->entityManager->getConnection()->prepare($sql);
-        $result = $preparedStatement->executeQuery();
-        return $result->fetchAllAssociative();
+            $result = $preparedStatement->executeQuery();
+            return $result->fetchAllAssociative();
+        } catch (\Exception $e) {
+            return [];
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -16,13 +16,17 @@ public function __construct(`
`16`	`16`
`17`	`17`	`public function execute(?string $authorUsername): array`
`18`	`18`	`{`
	`19`	`+ try {`
`19`	`20`	`$sql = "SELECT p.title as title, p.difficulty as difficulty, p.is_published as is_published, p.id as id, p.description as description FROM problems p JOIN users u ON p.author_id = u.id WHERE p.is_published = true";`
`20`	`21`	`if ($authorUsername) {`
`21`	`22`	`$sql .= " AND u.username = '" . $authorUsername . "'";`
`22`	`23`	`}`
`23`	`24`
`24`	`25`	`$preparedStatement = $this->entityManager->getConnection()->prepare($sql);`
`25`		`- $result = $preparedStatement->executeQuery();`
`26`		`- return $result->fetchAllAssociative();`
	`26`	`+ $result = $preparedStatement->executeQuery();`
	`27`	`+ return $result->fetchAllAssociative();`
	`28`	`+ } catch (\Exception $e) {`
	`29`	`+ return [];`
	`30`	`+ }`
`27`	`31`	`}`
`28`	`32`	`}`