GetMessage() function modification

This forum is for programmers who have questions about the source code.
mopensoft
Posts: 146
Joined: Tue Dec 04, 2012 3:33 pm
Location: Melbourne, Australia

GetMessage() function modification

Post by mopensoft » Mon Apr 20, 2020 11:32 pm

Hi OpenDental,

I found that the following code could raise some errors (SmsToMobiles.cs, lines 108-110):

Code:

if(!string.IsNullOrEmpty(phoneNumber)) {
	listCommandFilters.Add($"MobilePhoneNumber = {phoneNumber}");
}

Although most of the time the phoneNumber should be a number, in some cases it could be the name of a special sender. Can you add string quotes to enclose the phoneNumber value?

Example of error below. It's because 'Whitecoat' is a special number in Australia.
SELECT * FROM smstomobile WHERE PatNum = 0 AND MobilePhoneNumber = Whitecoat

Is it possible to fix it?

Thanks,
M

cmcgehee
Posts: 711
Joined: Tue Aug 25, 2015 5:06 pm
Location: Salem, Oregon

Re: GetMessage() function modification

Post by cmcgehee » Tue Apr 21, 2020 7:06 am

Yes, we will fix this, especially because it is an SQL injection vulnerability.
Chris McGehee
Open Dental Software
http://www.opendental.com
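
The reported error and the SQL injection point raised in the reply, reproduced as an added example that is not part of the thread and not Open Dental's code. It assumes Python with an in-memory SQLite database standing in for the C#/MySQL code, and the function names, the MsgText column and all sample rows are constructed; only the table name, the two filter columns and the 'Whitecoat' value come from the posts.

```python
import sqlite3

def make_db():
    # Constructed sample rows; MsgText is an assumed column for illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE smstomobile "
               "(PatNum INTEGER, MobilePhoneNumber TEXT, MsgText TEXT)")
    db.executemany("INSERT INTO smstomobile VALUES (?, ?, ?)", [
        (0, "61412345678", "numeric sender"),
        (0, "Whitecoat", "alphanumeric sender"),
        (0, "O'Brien", "sender name containing a quote"),
    ])
    return db

def run(db, filters, params=()):
    sql = "SELECT MsgText FROM smstomobile WHERE " + " AND ".join(filters)
    return db.execute(sql, params).fetchall()

def get_interpolated(db, phone_number):
    # Pattern from the first post: the value is pasted into the SQL text unquoted.
    filters = ["PatNum = 0"]
    if phone_number:
        filters.append(f"MobilePhoneNumber = {phone_number}")
    return run(db, filters)

def get_quoted_only(db, phone_number):
    # Quotes added without escaping: the value is still parsed as SQL text.
    filters = ["PatNum = 0"]
    if phone_number:
        filters.append(f"MobilePhoneNumber = '{phone_number}'")
    return run(db, filters)

def get_parameterized(db, phone_number):
    # Bound parameter: the driver passes the value as data, never as SQL.
    filters, params = ["PatNum = ?"], [0]
    if phone_number:
        filters.append("MobilePhoneNumber = ?")
        params.append(phone_number)
    return run(db, filters, params)

def outcome(fn, value):
    # Returns the matching MsgText values, or the error class the query raised.
    try:
        return [row[0] for row in fn(make_db(), value)]
    except sqlite3.Error as exc:
        return f"error: {type(exc).__name__}"

if __name__ == "__main__":
    for value in ("61412345678", "Whitecoat", "O'Brien"):
        for fn in (get_interpolated, get_quoted_only, get_parameterized):
            print(f"{fn.__name__:18} {value!r:14} -> {outcome(fn, value)}")
```

Only the parameterized version returns the right row for all three sender values; quoting without escaping fixes 'Whitecoat' but still lets a quote character in the value reach the SQL parser.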


Re: GetMessage() function modification

Post by cmcgehee » Mon Apr 27, 2020 7:05 am

Mihn,

This has been fixed in 19.4.39 and 20.1.17.
Chris McGehee
Open Dental Software
http://www.opendental.com


Re: GetMessage() function modification

Post by mopensoft » Sat May 02, 2020 8:36 pm

Great! Thanks for the quick fix.
