From 7ad63904a3ae548c01a24f9c53869f48c996c056 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 16:07:43 -0700
Subject: [PATCH 1/3] security: migrate maint SQL helpers to prepared variants

---
 maint.php                          | 15 ++++----
 setup.php                          |  5 +--
 tests/test_prepared_statements.php | 58 ++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 8 deletions(-)
 create mode 100644 tests/test_prepared_statements.php

diff --git a/maint.php b/maint.php
index af10520..583223c 100644
--- a/maint.php
+++ b/maint.php
@@ -924,9 +924,10 @@ function changemaintType () {
 function schedules(): void {
 	global $actions, $maint_types, $maint_intervals, $yesno;
 
-	$schedules = db_fetch_assoc('SELECT *
+	$schedules = db_fetch_assoc_prepared('SELECT *
 		FROM plugin_maint_schedules
-		ORDER BY name');
+		ORDER BY name',
+		array());
 
 	form_start('maint.php', 'chk');
 
@@ -1134,10 +1135,11 @@ function clearFilter() {
 							<option value='<?php print MAINT_HOST_FILTER_ANY ?>' <?php if (get_request_var('site_id') == MAINT_HOST_FILTER_ANY) {?> selected<?php }?>><?php print __('Any', 'maint'); ?></option>
 							<option value='<?php print MAINT_HOST_FILTER_NONE ?>' <?php if (get_request_var('site_id') == MAINT_HOST_FILTER_NONE) {?> selected<?php }?>><?php print __('None', 'maint'); ?></option>
 							<?php
-							$sites = db_fetch_assoc('SELECT id, name
+							$sites = db_fetch_assoc_prepared('SELECT id, name
 								FROM sites
 								WHERE id IN (SELECT site_id FROM host)
-								ORDER BY name');
+								ORDER BY name',
+								array());
 
 	if (cacti_sizeof($sites)) {
 		foreach ($sites as $site) {
@@ -1158,9 +1160,10 @@ function clearFilter() {
 						<select id='poller_id'>
 							<option value='<?php print MAINT_HOST_FILTER_ANY ?>' <?php if (get_request_var('poller_id') == MAINT_HOST_FILTER_ANY) {?> selected<?php }?>><?php print __('Any', 'maint'); ?></option>
 							<?php
-	$pollers = db_fetch_assoc('SELECT id, name
+	$pollers = db_fetch_assoc_prepared('SELECT id, name
 								FROM poller
-								ORDER BY name');
+								ORDER BY name',
+								array());
 
 	if (cacti_sizeof($pollers)) {
 		foreach ($pollers as $poller) {
diff --git a/setup.php b/setup.php
index 1d3f18e..0253125 100644
--- a/setup.php
+++ b/setup.php
@@ -298,9 +298,10 @@ function maint_device_action_prepare(array $save): array {
 		}
 
 		// Load schedules to choose from
-		$schedules = db_fetch_assoc('SELECT id, name, enabled, mtype, stime, etime, minterval
+		$schedules = db_fetch_assoc_prepared('SELECT id, name, enabled, mtype, stime, etime, minterval
 			FROM plugin_maint_schedules
-			ORDER BY name');
+			ORDER BY name',
+			array());
 
 		$select = "<select name='maint_schedule_id' style='min-width:360px'>";
 
diff --git a/tests/test_prepared_statements.php b/tests/test_prepared_statements.php
new file mode 100644
index 0000000..7bf98d8
--- /dev/null
+++ b/tests/test_prepared_statements.php
@@ -0,0 +1,58 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Regression checks for prepared DB helper migration in maint plugin      |
+ |                                                                         |
+ | Run: php tests/test_prepared_statements.php                             |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+$setup_contents = file_get_contents(__DIR__ . '/../setup.php');
+$maint_contents = file_get_contents(__DIR__ . '/../maint.php');
+
+assert_true(
+	'setup.php uses prepared schedules query',
+	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name,\s*enabled,\s*mtype,\s*stime,\s*etime,\s*minterval/s', $setup_contents) === 1
+);
+assert_true(
+	'setup.php has no raw db_fetch_assoc calls',
+	preg_match('/\bdb_fetch_assoc\s*\(/', $setup_contents) === 0
+);
+assert_true(
+	'maint.php uses prepared schedule list query',
+	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT \*\s+FROM plugin_maint_schedules/s', $maint_contents) === 1
+);
+assert_true(
+	'maint.php uses prepared site list query',
+	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name\s+FROM sites/s', $maint_contents) === 1
+);
+assert_true(
+	'maint.php uses prepared poller list query',
+	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name\s+FROM poller/s', $maint_contents) === 1
+);
+assert_true(
+	'maint.php has no raw db_fetch_assoc calls',
+	preg_match('/\bdb_fetch_assoc\s*\(/', $maint_contents) === 0
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);

From 80dd24783991af9a6defe83e2820625debff883a Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 17:16:33 -0700
Subject: [PATCH 2/3] fix: address prepared migration review feedback

---
 maint.php                          |  6 +++---
 setup.php                          |  2 +-
 tests/test_prepared_statements.php | 18 ++++++++++++++----
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/maint.php b/maint.php
index 583223c..3c1f5a0 100644
--- a/maint.php
+++ b/maint.php
@@ -927,7 +927,7 @@ function schedules(): void {
 	$schedules = db_fetch_assoc_prepared('SELECT *
 		FROM plugin_maint_schedules
 		ORDER BY name',
-		array());
+		[]);
 
 	form_start('maint.php', 'chk');
 
@@ -1139,7 +1139,7 @@ function clearFilter() {
 								FROM sites
 								WHERE id IN (SELECT site_id FROM host)
 								ORDER BY name',
-								array());
+								[]);
 
 	if (cacti_sizeof($sites)) {
 		foreach ($sites as $site) {
@@ -1163,7 +1163,7 @@ function clearFilter() {
 	$pollers = db_fetch_assoc_prepared('SELECT id, name
 								FROM poller
 								ORDER BY name',
-								array());
+								[]);
 
 	if (cacti_sizeof($pollers)) {
 		foreach ($pollers as $poller) {
diff --git a/setup.php b/setup.php
index 0253125..e56978a 100644
--- a/setup.php
+++ b/setup.php
@@ -301,7 +301,7 @@ function maint_device_action_prepare(array $save): array {
 		$schedules = db_fetch_assoc_prepared('SELECT id, name, enabled, mtype, stime, etime, minterval
 			FROM plugin_maint_schedules
 			ORDER BY name',
-			array());
+			[]);
 
 		$select = "<select name='maint_schedule_id' style='min-width:360px'>";
 
diff --git a/tests/test_prepared_statements.php b/tests/test_prepared_statements.php
index 7bf98d8..62465b9 100644
--- a/tests/test_prepared_statements.php
+++ b/tests/test_prepared_statements.php
@@ -27,9 +27,16 @@ function assert_true($label, $value) {
 $setup_contents = file_get_contents(__DIR__ . '/../setup.php');
 $maint_contents = file_get_contents(__DIR__ . '/../maint.php');
 
+assert_true('setup.php is readable', $setup_contents !== false);
+assert_true('maint.php is readable', $maint_contents !== false);
+
+$setup_contents = ($setup_contents === false ? '' : $setup_contents);
+$maint_contents = ($maint_contents === false ? '' : $maint_contents);
+
 assert_true(
 	'setup.php uses prepared schedules query',
-	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name,\s*enabled,\s*mtype,\s*stime,\s*etime,\s*minterval/s', $setup_contents) === 1
+	preg_match('/db_fetch_assoc_prepared\s*\(/', $setup_contents) === 1
+	&& preg_match('/\bplugin_maint_schedules\b/', $setup_contents) === 1
 );
 assert_true(
 	'setup.php has no raw db_fetch_assoc calls',
@@ -37,15 +44,18 @@ function assert_true($label, $value) {
 );
 assert_true(
 	'maint.php uses prepared schedule list query',
-	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT \*\s+FROM plugin_maint_schedules/s', $maint_contents) === 1
+	preg_match('/db_fetch_assoc_prepared\s*\(/', $maint_contents) === 1
+	&& preg_match('/\bplugin_maint_schedules\b/', $maint_contents) === 1
 );
 assert_true(
 	'maint.php uses prepared site list query',
-	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name\s+FROM sites/s', $maint_contents) === 1
+	preg_match('/db_fetch_assoc_prepared\s*\(/', $maint_contents) === 1
+	&& preg_match('/\bFROM\s+sites\b/i', $maint_contents) === 1
 );
 assert_true(
 	'maint.php uses prepared poller list query',
-	preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name\s+FROM poller/s', $maint_contents) === 1
+	preg_match('/db_fetch_assoc_prepared\s*\(/', $maint_contents) === 1
+	&& preg_match('/\bFROM\s+poller\b/i', $maint_contents) === 1
 );
 assert_true(
 	'maint.php has no raw db_fetch_assoc calls',

From 3f8f963d6c42b52cff5fc3d175dfadbe1f6ca380 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 19:16:43 -0700
Subject: [PATCH 3/3] test: add grok follow-up coverage checks for maint
 prepared lookups

---
 tests/test_prepared_statements.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/test_prepared_statements.php b/tests/test_prepared_statements.php
index 62465b9..148e113 100644
--- a/tests/test_prepared_statements.php
+++ b/tests/test_prepared_statements.php
@@ -38,10 +38,18 @@ function assert_true($label, $value) {
 	preg_match('/db_fetch_assoc_prepared\s*\(/', $setup_contents) === 1
 	&& preg_match('/\bplugin_maint_schedules\b/', $setup_contents) === 1
 );
+assert_true(
+	'setup.php uses prepared host description lookup',
+	preg_match('/db_fetch_row_prepared\s*\(\s*\'SELECT description FROM host WHERE id = \?/s', $setup_contents) === 1
+);
 assert_true(
 	'setup.php has no raw db_fetch_assoc calls',
 	preg_match('/\bdb_fetch_assoc\s*\(/', $setup_contents) === 0
 );
+assert_true(
+	'setup.php has no raw db_fetch_row calls',
+	preg_match('/\bdb_fetch_row\s*\(/', $setup_contents) === 0
+);
 assert_true(
 	'maint.php uses prepared schedule list query',
 	preg_match('/db_fetch_assoc_prepared\s*\(/', $maint_contents) === 1