freepbx-helper-scripts
SQL Injection in CM to Yealink
Hello,
I was having a look through ContactManager_to_Yealink_AddressBook/cm_to_yl_ab.php
to look for some inspiration on feeding freepbx data to Yealink, and noticed that unsanitised $_GET
data is fed directly into an SQL string.
On line 33:
$contact_manager_group = isset($_GET['cgroup']) ? $_GET['cgroup'] : "SomeName"; // <-- Edit "SomeName" to make your own default
is then used on line 55:
$sql = "SELECT ... WHERE cg.name = '$contact_manager_group') ...;";
Then prepared/executed on lines 58/59.
I'd suggest minimally using the ? placeholder and bind_param() to prevent SQL string manipulation.
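For readers of this issue, here is the string-interpolation pattern the report describes next to the mysqli prepared-statement form it recommends. This is an added example, not code from the freepbx-helper-scripts project or from cm_to_yl_ab.php: the real query's FROM/JOIN clauses are elided in the report, so the table name `contact_groups`, the function names, and the connection details are placeholders.

```php
<?php
// Added example (not the project's code): the concatenation pattern reported
// in the issue beside a mysqli prepared-statement version. Only cg.name comes
// from the report; the table name and connection details are placeholders.

declare(strict_types=1);

/**
 * Vulnerable pattern, as described in the issue: the untrusted value is
 * interpolated into the SQL text, so quote characters inside it alter the
 * structure of the statement instead of being treated as data.
 */
function buildQueryUnsafe(string $contactManagerGroup): string
{
    // 'contact_groups' is a hypothetical table; the original FROM clause is not shown.
    return "SELECT cg.name FROM contact_groups cg WHERE cg.name = '$contactManagerGroup'";
}

/**
 * Hardened version: the SQL text is a fixed string with a '?' placeholder and
 * the value is sent separately through bind_param(), so the server never
 * parses it as SQL. Returns the matching group names.
 *
 * @return string[]
 */
function fetchGroupNamesSafe(mysqli $db, string $contactManagerGroup): array
{
    // Same hypothetical table as above; only the parameter handling differs.
    $sql = "SELECT cg.name FROM contact_groups cg WHERE cg.name = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 's' binds the value as a string; quoting is the driver's job, not the script's.
    $stmt->bind_param('s', $contactManagerGroup);
    $stmt->execute();
    // bind_result() works without mysqlnd, unlike get_result().
    $stmt->bind_result($name);

    $names = [];
    while ($stmt->fetch()) {
        $names[] = $name;
    }
    $stmt->close();
    return $names;
}

// Parameter read exactly as the report describes; the default stays a placeholder.
// A length cap or allow-list on cgroup is still good hygiene, but the prepared
// statement is what removes the injection.
$contactManagerGroup = isset($_GET['cgroup']) ? (string) $_GET['cgroup'] : 'SomeName';

// Placeholder connection details for the example.
$db = new mysqli('localhost', 'db_user', 'db_password', 'freepbx_db');
if ($db->connect_errno) {
    throw new RuntimeException('connect failed: ' . $db->connect_error);
}

foreach (fetchGroupNamesSafe($db, $contactManagerGroup) as $groupName) {
    // Escape on output as well, since the script's result is rendered by the phone.
    echo htmlspecialchars($groupName, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

The only difference that matters between the two functions is where the value enters: in `buildQueryUnsafe()` it becomes part of the SQL text, in `fetchGroupNamesSafe()` it is bound after the statement is already parsed, which is exactly the fix the report asks for.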