Summary
weathermap_group_move() builds raw SQL strings for sortorder swaps:
$sql[] = "UPDATE weathermap_groups SET sortorder = $neworder WHERE id = $id";
$sql[] = "UPDATE weathermap_groups SET sortorder = $oldorder WHERE id = $otherid";
While $neworder, $oldorder, $id, $otherid all come from DB values (low injection risk), the equivalent map_move() function correctly uses parameterized queries. The inconsistency should be fixed.
Proposed Fix
Convert to db_execute_prepared() with bound parameters. Optionally extract a shared weathermap_swap_sortorder(string $table, int $id_a, int $order_a, int $id_b, int $order_b) helper that both map_move() and weathermap_group_move() can use.
Summary
weathermap_group_move()builds raw SQL strings for sortorder swaps:While
$neworder,$oldorder,$id,$otheridall come from DB values (low injection risk), the equivalentmap_move()function correctly uses parameterized queries. The inconsistency should be fixed.Proposed Fix
Convert to
db_execute_prepared()with bound parameters. Optionally extract a sharedweathermap_swap_sortorder(string $table, int $id_a, int $order_a, int $id_b, int $order_b)helper that bothmap_move()andweathermap_group_move()can use.