hardening(cycle): use db_qstr() for RLIKE filter to prevent SQL injection

## Summary

`functions.php` embeds the `rfilter` request variable directly into `RLIKE '$filter'` SQL at four sites. `FILTER_VALIDATE_IS_REGEX` validates regex syntax but does not prevent SQL metacharacter injection through the string boundary. A value like `foo' OR '1'='1` breaks the quoting.

## Details

| Field | Value |
|-------|-------|
| File | functions.php |
| Lines | 232, 347, 417, 470 |
| Auth required | Yes — authenticated Cacti user |
| CWE | CWE-89 |

```php
// Before
$sql_where .= " AND gtg.title_cache RLIKE '$filter'";

// After
$sql_where .= ' AND gtg.title_cache RLIKE ' . db_qstr($filter);
```

Fix applied (all 4 occurrences) in branch `security/cycle-rlike-db-qstr`.

## Acceptance criteria

- [ ] All 4 RLIKE sites use `db_qstr($filter)`
- [ ] No string interpolation of request variable into SQL
- [ ] Regression test covering SQL-breaking payload in `tests/Security/CycleParamTest.php`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

hardening(cycle): use db_qstr() for RLIKE filter to prevent SQL injection #21

Summary

Details

Acceptance criteria

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Field	Value
File	functions.php
Lines	232, 347, 417, 470
Auth required	Yes — authenticated Cacti user
CWE	CWE-89

hardening(cycle): use db_qstr() for RLIKE filter to prevent SQL injection #21

Description

Summary

Details

Acceptance criteria

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions