Improve type checking in getContactPhone and use CRM_Utils_Request::r…

…etrieve to get data from GET Fix retrieving value from GET param as per review by Eileen Replace inserted variables with placeholders as per standards
civicrm · Oct 25, 2018 · 3ae9c7d · 3ae9c7d
1 parent 33717cb
commit 3ae9c7d
Showing 1 changed file with 9 additions and 15 deletions.
diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php
@@ -463,34 +463,28 @@ public static function getContactEmail() {
   public static function getContactPhone() {
 
     $queryString = NULL;
+    $sqlParmas = [];
     //check for mobile type
     $phoneTypes = CRM_Core_OptionGroup::values('phone_type', TRUE, FALSE, FALSE, NULL, 'name');
     $mobileType = CRM_Utils_Array::value('Mobile', $phoneTypes);
 
-    $name = CRM_Utils_Array::value('name', $_GET);
+    $name = CRM_Utils_Request::retrieveValue('name', 'String', NULL, FALSE, 'GET');
     if ($name) {
-      $name = CRM_Utils_Type::escape($name, 'String');
-      $queryString = " ( cc.sort_name LIKE '%$name%' OR cp.phone LIKE '%$name%' ) ";
+      $key = (int) count(array_keys($sqlParmas)) + 1;
+      $queryString = " ( cc.sort_name LIKE %{$key} OR cp.phone LIKE %{$key} ) ";
+      $sqlParams[$key] = ['%' . $name . '%', 'String'];
     }
     else {
-      $cid = CRM_Utils_Array::value('cid', $_GET);
+      $cid = CRM_Utils_Request::retrieveValue('cid', 'CommaSeparatedIntegers', NULL, FALSE, 'GET');
       if ($cid) {
-        //check cid for integer
-        $contIDS = explode(',', $cid);
-        foreach ($contIDS as $contID) {
-          CRM_Utils_Type::escape($contID, 'Integer');
-        }
         $queryString = " cc.id IN ( $cid )";
       }
     }
 
     if ($queryString) {
       $result = array();
-      $offset = CRM_Utils_Array::value('offset', $_GET, 0);
-      $rowCount = CRM_Utils_Array::value('rowcount', $_GET, 20);
-
-      $offset = CRM_Utils_Type::escape($offset, 'Int');
-      $rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
+      $offset = (int) CRM_Utils_Request::retrieveValue('offset', 'Integer', 0, FALSE, 'GET');
+      $rowCount = (int) CRM_Utils_Request::retrieveValue('rowcount', 'Integer', 20, FALSE, 'GET');
 
       // add acl clause here
       list($aclFrom, $aclWhere) = CRM_Contact_BAO_Contact_Permission::cacheClause('cc');
@@ -514,7 +508,7 @@ public static function getContactPhone() {
         CRM_Utils_Request::retrieve('cid', 'Positive')
       );
 
-      $dao = CRM_Core_DAO::executeQuery($query);
+      $dao = CRM_Core_DAO::executeQuery($query, $sqlParams);
 
       while ($dao->fetch()) {
         $result[] = array(