
[Security]: Dependency Dao - Refactor SQL queries to use parameter binding #18991

Merged
kingjia90 merged 6 commits into 12.3 from dependency-sql on Feb 19, 2026

Conversation

@kingjia90 (Contributor)

Changes in this pull request

Related https://github.com/pimcore/ee-pimcore/pull/743

Additional info

@kingjia90 kingjia90 added this to the 12.3.3 milestone Feb 19, 2026
@kingjia90 kingjia90 self-assigned this Feb 19, 2026
Copilot AI review requested due to automatic review settings February 19, 2026 14:07
@github-actions

Review Checklist

  • Target branch (12.3 for bug fixes, others 12.x)
  • Tests (if it's testable code, there should be a test for it - get help)
  • Docs (every functionality needs to be documented, see here)
  • Migration incl. install.sql (e.g. if the database schema changes, ...)
  • Upgrade notes (deprecations, important information, migration hints, ...)
  • Label
  • Milestone

Copilot AI (Contributor) left a comment

Pull request overview

This pull request refactors SQL queries in the Dependency DAO to use parameter binding instead of string concatenation, addressing SQL injection security vulnerabilities. This is part of a broader security improvement initiative (related to https://github.com/pimcore/ee-pimcore/pull/743).

Changes:

  • Replaced string concatenation with named parameter placeholders (:sourceType, :sourceId, :targetType, :targetId, :value) in SQL queries
  • Added parameter and type arrays for proper parameter binding with Doctrine DBAL
  • Cleaned up unnecessary conditional return logic
  • Fixed minor formatting inconsistencies (spacing around operators, AS keyword capitalization)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
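The overview above describes the fix in words only: string-built SQL replaced by named placeholders plus a parameter array and a type array passed to Doctrine DBAL. The following is an added illustration written for this page, not the Pimcore Dependency DAO code from the PR; the class name `DependencyLookup`, the table `dependencies` and its columns (`sourcetype`, `sourceid`, `targettype`, `targetid`) are assumptions used to make the pattern concrete.

```php
<?php
// Added example (not Pimcore's own code). Table and column names are assumed.

use Doctrine\DBAL\Connection;
use Doctrine\DBAL\ParameterType;

final class DependencyLookup
{
    public function __construct(private Connection $db)
    {
    }

    /**
     * BEFORE: the pattern the PR removes. The caller-supplied type is spliced
     * into the SQL text, so its content can change the statement's structure
     * instead of being treated as a value.
     */
    public function findTargetsUnsafe(string $sourceType, int $sourceId): array
    {
        $sql = "SELECT targetid, targettype FROM dependencies "
             . "WHERE sourcetype = '" . $sourceType . "' AND sourceid = " . $sourceId;

        return $this->db->fetchAllAssociative($sql);
    }

    /**
     * AFTER: named placeholders; values travel separately from the SQL text.
     * Keys in $params/$types are written without the leading colon.
     * The type array tells DBAL how to bind each value (string vs. integer),
     * which also prevents a non-numeric id from being sent as text.
     */
    public function findTargets(string $sourceType, int $sourceId): array
    {
        $sql = 'SELECT targetid, targettype FROM dependencies '
             . 'WHERE sourcetype = :sourceType AND sourceid = :sourceId';

        $params = ['sourceType' => $sourceType, 'sourceId' => $sourceId];
        $types  = ['sourceType' => ParameterType::STRING, 'sourceId' => ParameterType::INTEGER];

        return $this->db->fetchAllAssociative($sql, $params, $types);
    }

    /**
     * Same technique for a write: executeStatement() returns the affected
     * row count, and every comparison value is bound, never concatenated.
     */
    public function deleteDependency(
        string $sourceType,
        int $sourceId,
        string $targetType,
        int $targetId
    ): int {
        $sql = 'DELETE FROM dependencies '
             . 'WHERE sourcetype = :sourceType AND sourceid = :sourceId '
             . 'AND targettype = :targetType AND targetid = :targetId';

        $params = [
            'sourceType' => $sourceType,
            'sourceId'   => $sourceId,
            'targetType' => $targetType,
            'targetId'   => $targetId,
        ];
        $types = [
            'sourceType' => ParameterType::STRING,
            'sourceId'   => ParameterType::INTEGER,
            'targetType' => ParameterType::STRING,
            'targetId'   => ParameterType::INTEGER,
        ];

        return (int) $this->db->executeStatement($sql, $params, $types);
    }
}
```

One caveat worth keeping in mind when reviewing refactors of this kind: placeholders can only carry values. Table names, column names and sort directions cannot be bound, so any query that still assembles those from input needs an allowlist check or `quoteIdentifier()` rather than a `:placeholder`.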
Copilot AI review requested due to automatic review settings February 19, 2026 14:18
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.

Copilot AI review requested due to automatic review settings February 19, 2026 14:29
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

@kingjia90 kingjia90 merged commit 1c3925f into 12.3 Feb 19, 2026
13 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Feb 19, 2026
@kingjia90 kingjia90 deleted the dependency-sql branch February 19, 2026 14:46

2 participants