Merge branch 'afonso/T33502-fix-yourls-sql-injection' into 'main'

T33502 - Fix YOURLS SQL injection

See merge request !1

docker-compose.yml

@@ -24,7 +24,7 @@ services:
       YOURLS_DB_NAME: "yourls"
       YOURLS_DB_USER: "yourls"
       YOURLS_DB_PASS: "youareells"
-      YOURLS_DEBUG: true
+      YOURLS_DEBUG: "true"
     volumes:
       - ./url-ownership/:/var/www/html/user/plugins/url-ownership/:z
 

url-ownership/plugin.php

@@ -74,8 +74,9 @@ function uo_add_owner_cells_filter( $cells, $keyword, $url, $title, $ip, $clicks
     global $ydb;
 
     $table = YOURLS_DB_YOURLS_OWNER;
-    $sql   = "SELECT owner FROM `$table` where `keyword` = '$keyword'";
-    $whoOwns = $ydb->fetchValue($sql);
+    $sql   = "SELECT owner FROM `$table` where `keyword` = :keyword";
+    $binds = array('keyword' => $keyword);
+    $whoOwns = $ydb->fetchValue($sql, $binds);
 
     if (!$whoOwns) {
         $whoOwns = 'No Record';