From 02fae3cfd04b7f1855c4a5cbeb8cd8bfa8c3cf19 Mon Sep 17 00:00:00 2001
From: Thomas Vincent
Date: Wed, 8 Apr 2026 21:30:40 -0700
Subject: [PATCH] fix(sql): migrate device removal queries to prepared statements

Signed-off-by: Thomas Vincent
---
 setup.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup.php b/setup.php
index 283d533..147c0f9 100644
--- a/setup.php
+++ b/setup.php
@@ -319,9 +319,9 @@ function monitor_device_action_execute($action) {
 }
 function monitor_device_remove($devices) {
- db_execute('DELETE FROM plugin_monitor_notify_history WHERE host_id IN(' . implode(',', $devices) . ')');
- db_execute('DELETE FROM plugin_monitor_reboot_history WHERE host_id IN(' . implode(',', $devices) . ')');
- db_execute('DELETE FROM plugin_monitor_uptime WHERE host_id IN(' . implode(',', $devices) . ')');
+ db_execute_prepared('DELETE FROM plugin_monitor_notify_history WHERE host_id IN(' . implode(',', array_fill(0, cacti_count($devices), '?')) . ')', array_values(array_map('intval', $devices)));
+ db_execute_prepared('DELETE FROM plugin_monitor_reboot_history WHERE host_id IN(' . implode(',', array_fill(0, cacti_count($devices), '?')) . ')', array_values(array_map('intval', $devices)));
+ db_execute_prepared('DELETE FROM plugin_monitor_uptime WHERE host_id IN(' . implode(',', array_fill(0, cacti_count($devices), '?')) . ')', array_values(array_map('intval', $devices)));
 return $devices;
 }
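Review bot: An empty `$devices` still reaches all three `db_execute_prepared()` calls in `monitor_device_remove()`, where `array_fill(0, 0, '?')` yields no placeholders and the statement becomes `... host_id IN()`, which MySQL/MariaDB rejects as a syntax error. Return early when `cacti_count($devices)` is zero, and build the placeholder string and the `intval`-cast id list once rather than three times, so the placeholder count and the parameter array are derived from the same value. The table names in the sketch below are fixed literals, so interpolating them still keeps every caller-supplied value in a bound parameter. `intval` maps non-numeric entries to 0, so it may be worth dropping non-positive ids before binding, depending on whether a `host_id` of 0 can exist in these tables.

```php
function monitor_device_remove($devices) {
	// Nothing to delete: an empty list would otherwise produce "IN()", which is invalid SQL.
	if (!cacti_count($devices)) {
		return $devices;
	}

	// Cast once and derive the placeholder list from the same array that is bound.
	$ids          = array_values(array_map('intval', $devices));
	$placeholders = implode(',', array_fill(0, cacti_count($ids), '?'));

	// Table names come from this fixed list only; ids are always bound, never concatenated.
	foreach (array('plugin_monitor_notify_history', 'plugin_monitor_reboot_history', 'plugin_monitor_uptime') as $table) {
		db_execute_prepared("DELETE FROM $table WHERE host_id IN($placeholders)", $ids);
	}

	// … unchanged: return $devices …
```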