fix: resolve code review findings

somethingwithproof · somethingwithproof · commit beadd36aa282 · 2026-03-20T01:43:27.000-07:00
- Fix broken SQL in syslog_get_alert_sql: remove $uniqueID concatenation
  after ? placeholder (was producing ?42 instead of using bind param)
- Fix XSS in setup.php: use json_encode with JSON_HEX_* flags for JS
  string context instead of __esc (HTML escaper)
- Fix duplicate global $syslogdb_default in syslog_process_alerts
- Parameterize retention DELETE queries in syslog_delete_records
- Parameterize count query in syslog_remove_items

Signed-off-by: Thomas Vincent &lt;thomasvincent@gmail.com&gt;
diff --git a/functions.php b/functions.php
@@ -174,12 +174,12 @@ function syslog_traditional_manage() {
 	}
 
 	/* delete from the main syslog table first */
-	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog` WHERE logtime < '$retention'");
+	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog` WHERE logtime < ?", array($retention));
 
 	$syslog_deleted = db_affected_rows($syslog_cnn);
 
 	/* now delete from the syslog removed table */
-	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_removed` WHERE logtime < '$retention'");
+	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_removed` WHERE logtime < ?", array($retention));
 
 	$syslog_deleted += db_affected_rows($syslog_cnn);
 
@@ -379,9 +379,9 @@ function syslog_remove_items($table, $uniqueID) {
 	$xferred = 0;
 
 	if ($table == 'syslog_incoming') {
-		$total = syslog_db_fetch_cell('SELECT count(*)
+		$total = syslog_db_fetch_cell_prepared('SELECT count(*)
 			FROM `' . $syslogdb_default . '`.`syslog_incoming`
-			WHERE `status` = ' . $uniqueID);
+			WHERE `status` = ?', array($uniqueID));
 	} else {
 		$total = 0;
 	}
@@ -1172,7 +1172,6 @@ function syslog_array2xml($array, $tag = 'template') {
  */
 function syslog_process_alerts($uniqueID) {
 	global $syslogdb_default;
-	global $syslogdb_default;
 
 	$syslog_alarms = 0;
 	$syslog_alerts = 0;
@@ -1736,15 +1735,15 @@ function syslog_get_alert_sql(&$alert, $uniqueID) {
 		$sql = 'SELECT *
 			FROM `' . $syslogdb_default . '`.`syslog_incoming`
 			WHERE `' . $syslog_incoming_config['hostField'] . '` = ?
-			AND `status` = ?' . $uniqueID;
+			AND `status` = ?';
 
 		$params[] = $alert['message'];
 		$params[] = $uniqueID;
 	} elseif ($alert['type'] == 'program') {
 		$sql = 'SELECT *
 			FROM `' . $syslogdb_default . '`.`syslog_incoming`
 			WHERE `' . $syslog_incoming_config['programField'] . '` = ?
-			AND `status` = ?' . $uniqueID;
+			AND `status` = ?';
 
 		$params[] = $alert['message'];
 		$params[] = $uniqueID;
diff --git a/setup.php b/setup.php
@@ -1652,21 +1652,21 @@ function syslog_utilities_list() {
 			$(function() {
 				$('#syslog_purge_hosts').on('click', function() {
 					$('#syslog_purge_dialog').dialog({
-						title: <?php print "'" . __esc('Confirm Purge', 'syslog') . "'";?>,
+						title: <?php print json_encode(__('Confirm Purge', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
 						minHeight: 80,
 						minWidth: 400,
 						resizable: false,
 						draggable: true,
 						buttons: {
 							'Cancel': {
-								text: <?php print "'" . __esc('Cancel', 'syslog') . "'";?>,
+								text: <?php print json_encode(__('Cancel', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
 								id: 'btnPurgeCancel',
 								click: function() {
 									$(this).dialog('close');
 								}
 							},
 							'Continue': {
-								text: <?php print "'" . __esc('Continue', 'syslog') . "'";?>,
+								text: <?php print json_encode(__('Continue', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
 								id: 'btnPurgeContinue',
 								click: function() {
 									$(this).dialog('close');
