SQL injection vulnerability

[james-voong]

The function grab_tagged_items in block_equella_links.php is vulnerable to SQL injections. xmlpath is a text field which isn't sanitised sufficiently to prevent injection and idnumber can also be injected into. Use of a prepared statement would alleviate this.

[danmarsden]

filter_var is better than doing nothing, although it might have been nice to use the moodle clean_param function which is more restrictive.

[danmarsden]

you shouldn't need to add the sanitisation here:
eff5f81#diff-7ff30c81b131dcf5e0b431dba0483755R45

because you are using mform which should already sanitise the vars with setype on the form definition and they will already be safe to use. it is also using standard db functions for insert which will also prevent any injection etc.

[danmarsden]

just in case that wasn't clear... set_type in the form definition here:
https://github.com/equella/moodle-block_equella_links/blob/master/link_edit_form.php#L29
forces the param cleaning so that when you call $mform->get_data() you can trust the output of the form.

[nelson-edalex]

Unnecessary filter removed.