validate sql_search and sql_orderby API parameters, fix unit-tests as of new default skin is 'Froxlor'

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

lib/Froxlor/Api/ApiCommand.php

@@ -290,6 +290,10 @@ abstract class ApiCommand extends ApiParameter
 			foreach ($search as $field => $valoper) {
 				if ($field == '_plainsql') {
 					if (isset($valoper['sql']) && isset($valoper['values']) && is_array($valoper['values'])) {
+						if (preg_match('/^([a-z0-9\-\.,=\+_`\(\)\:\'\"\!\<\>\ ]+)$/i', $valoper['sql']) == false) {
+							// skip
+							continue;
+						}
 						$condition .= $valoper['sql'];
 						foreach ($valoper['values'] as $var => $value) {
 							$query_fields[':' . $var] = $value;
@@ -308,6 +312,10 @@ abstract class ApiCommand extends ApiParameter
 						$sortfield[$id] = $sfield;
 					}
 					$field = implode('.', $sortfield);
+					if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
+						// skip
+						continue;
+					}
 					if (!$first) {
 						$condition .= ' AND ';
 					}
@@ -324,6 +332,14 @@ abstract class ApiCommand extends ApiParameter
 					} elseif (strtolower($valoper['op']) == 'in' && is_array($valoper['value']) && count($valoper['value']) > 0) {
 						$condition .= $field . ' ' . $valoper['op'] . ' (';
 						foreach ($valoper['value'] as $incnt => $invalue) {
+							if (!is_numeric($incnt)) {
+								// skip
+								continue;
+							}
+							if (!empty($invalue) && preg_match('/^([a-z0-9\-\._`]+)$/i', $invalue) == false) {
+								// skip
+								continue;
+							}
 							$condition .= ":" . $cleanfield . $incnt . ", ";
 							$query_fields[':' . $cleanfield . $incnt] = $invalue ?? '';
 						}
@@ -410,6 +426,10 @@ abstract class ApiCommand extends ApiParameter
 					$sortfield[$id] = $sfield;
 				}
 				$field = implode('.', $sortfield);
+				if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
+					// skip
+					continue;
+				}
 				$by = strtoupper($by);
 				if (!in_array($by, [
 					'ASC',