
GetMessage() function modification

Posted: Mon Apr 20, 2020 11:32 pm
by mopensoft
Hi OpenDental,

I found that the following code could raise some errors (SmsToMobiles.cs line 108-110)


if(!string.IsNullOrEmpty(phoneNumber)) {
	listCommandFilters.Add($"MobilePhoneNumber = {phoneNumber}");
}
Although most of the time the phoneNumber should be a number, in some cases it could be the name of a special sender. Can you add string quotes to enclose the phoneNumber value?

Example of error below. It's because 'Whitecoat' is a special number in Australia.
SELECT * FROM smstomobile WHERE PatNum = 0 AND MobilePhoneNumber = Whitecoat

Is it possible to fix it?

Thanks,
M
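The failure described in this post, reproduced as an added example (not OpenDental's code): a Python/sqlite3 stand-in for the C# filter builder, with a constructed `smstomobile` table. The first builder mirrors the original bare interpolation, so a non-numeric sender name becomes a column reference and the query errors; the second passes the value as a bound parameter, which is the fix that also closes the injection.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the smstomobile table (not the real OpenDental schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE smstomobile (PatNum INTEGER, MobilePhoneNumber TEXT, MsgText TEXT)")
    con.executemany("INSERT INTO smstomobile VALUES (?, ?, ?)", [
        (0, "Whitecoat", "Appointment reminder"),
        (0, "0412345678", "Hello"),
        (7, "Whitecoat", "Other patient"),
    ])
    con.commit()
    return con

def filters_unquoted(pat_num, phone_number):
    """Mirrors the original: the value is interpolated bare into the WHERE clause."""
    filters = [f"PatNum = {pat_num}"]
    if phone_number:
        filters.append(f"MobilePhoneNumber = {phone_number}")
    return "SELECT * FROM smstomobile WHERE " + " AND ".join(filters), ()

def filters_parameterized(pat_num, phone_number):
    """Hardened form: placeholders in the SQL text, values bound separately."""
    filters = ["PatNum = ?"]
    params = [pat_num]
    if phone_number:
        filters.append("MobilePhoneNumber = ?")
        params.append(phone_number)
    return "SELECT * FROM smstomobile WHERE " + " AND ".join(filters), tuple(params)

def run(builder, pat_num, phone_number):
    """Execute the built query; returns ('ok', rows) or ('error', message)."""
    con = make_db()
    sql, params = builder(pat_num, phone_number)
    try:
        return "ok", con.execute(sql, params).fetchall()
    except sqlite3.Error as e:
        return "error", str(e)
    finally:
        con.close()

if __name__ == "__main__":
    # Bare interpolation: 'Whitecoat' is parsed as a column name, not a value.
    print(run(filters_unquoted, 0, "Whitecoat"))        # error: no such column
    # Parameterized: the sender name is compared as a literal and the row is found.
    print(run(filters_parameterized, 0, "Whitecoat"))   # one row
```

The same builder pair shows why the reply calls this an injection bug: with bare interpolation, any input containing SQL operators is interpreted as SQL, whereas the bound parameter is only ever compared as data.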

Re: GetMessage() function modification

Posted: Tue Apr 21, 2020 7:06 am
by cmcgehee
Yes, we will fix this especially because it is an SQL injection vulnerability.

Re: GetMessage() function modification

Posted: Mon Apr 27, 2020 7:05 am
by cmcgehee
Mihn,

This has been fixed in 19.4.39 and 20.1.17.

Re: GetMessage() function modification

Posted: Sat May 02, 2020 8:36 pm
by mopensoft
Great! Thanks for the quick fix.