From 9e7d31841ed9678a7dd06869037686fc9925e59f Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Thu, 31 Oct 2024 13:51:50 -0400
Subject: [PATCH] Fix SQL Vulnerability. Fixes GHSA-qm8h-3xvf-m7j3

---
 web/ajax/event.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/web/ajax/event.php b/web/ajax/event.php
index 371a8e9b0f..c96038ec9f 100644
--- a/web/ajax/event.php
+++ b/web/ajax/event.php
@@ -215,14 +215,11 @@
 ajaxResponse(array('response'=>$response));
 break;
 case 'removetag' :
-$tagId = $_REQUEST['tid'];
+$tagId = validCardinal($_REQUEST['tid']);
 dbQuery('DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?', array($tagId, $_REQUEST['id']));
-$sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
-$rowCount = dbNumRows($sql);
+$rowCount = dbNumRows('SELECT * FROM Events_Tags WHERE TagId=?', [ $tagId ]);
 if ($rowCount < 1) {
-$sql = 'DELETE FROM Tags WHERE Id = ?';
-$values = array($_REQUEST['tid']);
-$response = dbNumRows($sql, $values);
+$response = dbNumRows('DELETE FROM Tags WHERE Id=?', [$tagId]);
 ajaxResponse(array('response'=>$response));
 }
 ajaxResponse();
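Review bot: `$_REQUEST['id']` is still passed raw into the first dbQuery on the context line after the new `$tagId` assignment, while `tid` now goes through validCardinal; the bound parameter stops injection, but the event id should get the same treatment so a non-numeric value is rejected before any row is deleted rather than silently matching nothing: `$eventId = validCardinal($_REQUEST['id']);` and then `array($tagId, $eventId)` in the dbQuery call. On the new line `$rowCount = dbNumRows('SELECT * FROM Events_Tags WHERE TagId=?', [ $tagId ]);` a `SELECT COUNT(*)`-style query would avoid pulling every remaining row just to count them, though that depends on what dbNumRows expects and is not visible here. The hunk does not show how validCardinal behaves when `tid` is absent from the request, nor any check that the caller is permitted to modify this event; both sit outside the hunk, as does the enclosing switch, so they should be confirmed in the surrounding code.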