From 137488ee8c42df573453dbe4fe8ffb7e4596c642 Mon Sep 17 00:00:00 2001
From: Daniel Cebrian
Date: Wed, 31 Jan 2024 10:05:36 +0100
Subject: [PATCH] #12798 fixed unauth sql injection in grafana
---
pandora_console/extensions/grafana/query.php | 3 +++
pandora_console/extensions/grafana/search.php | 3 +++
2 files changed, 6 insertions(+)
diff --git a/pandora_console/extensions/grafana/query.php b/pandora_console/extensions/grafana/query.php
index 3c7a843542..ac54d98161 100644
--- a/pandora_console/extensions/grafana/query.php
+++ b/pandora_console/extensions/grafana/query.php
@@ -23,6 +23,9 @@ if ($headers['Authorization']) {
list($user, $password) = explode(':', base64_decode($headers['Authorization']));
+ // Prevent sql injection.
+ $user = mysqli_real_escape_string($config['dbconnection'], $user);
+
// Check user login
$user_in_db = process_user_login($user, $password, true);
diff --git a/pandora_console/extensions/grafana/search.php b/pandora_console/extensions/grafana/search.php
index 9193dd290e..82b670398b 100644
--- a/pandora_console/extensions/grafana/search.php
+++ b/pandora_console/extensions/grafana/search.php
@@ -24,6 +24,9 @@ if ($headers['Authorization']) {
list($user, $password) = explode(':', base64_decode($headers['Authorization']));
+ // Prevent sql injection.
+ $user = mysqli_real_escape_string($config['dbconnection'], $user);
+
// Check user login
$user_in_db = process_user_login($user, $password, true);
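Review bot: Escaping `$user` at this call site in query.php (and identically in search.php) only protects these two paths into `process_user_login`; whatever query inside that function interpolates the username is presumably still reachable unescaped from other callers, so the durable fix is to bind or escape the value where the SQL is built and keep this line as defence in depth rather than the only barrier. `mysqli_real_escape_string` is only reliable once the connection charset has been set on `$config['dbconnection']`, and if that link is not an open mysqli handle at the moment the Authorization header is processed the call errors out instead of escaping — worth confirming, since this code runs before any session exists. Because the escaped string is what `process_user_login` receives, a username containing a quote or backslash now arrives altered, which matters if the function also compares it against a stored value or forwards it to an external authentication backend; the added comment should say why the escape lives here, e.g. `// Escape before the lookup: process_user_login() interpolates $user into SQL.`. `$password` is left untouched (acceptable if it is only hashed or compared, but worth checking), and on the context line above `explode(':', ...)` without a limit truncates passwords that contain a colon — `explode(':', base64_decode($headers['Authorization']), 2)` keeps the full credential. The enclosing `if ($headers['Authorization'])` block starts and ends outside the hunk.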