Fix SQL injection issues in packages search (librenms#15950)

GHSA-cwx6-cx7x-4q34

includes/html/pages/search/packages.inc.php

@@ -43,7 +43,7 @@
 print_optionbar_end();
 
 if (isset($_POST['results_amount']) && $_POST['results_amount'] > 0) {
-    $results = $_POST['results'];
+    $results = (int) $_POST['results_amount'];
 } else {
     $results = 50;
 }
@@ -70,7 +70,6 @@
 <?php
 
 $count_query = 'SELECT COUNT(*) FROM ( ';
-$full_query = '';
 $query = 'SELECT packages.name FROM packages,devices ';
 $param = [];
 
@@ -80,7 +79,8 @@
     $param = array_merge($param, $device_ids);
 }
 
-$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE '%" . $_POST['package'] . "%' $sql_where GROUP BY packages.name";
+$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE ? $sql_where GROUP BY packages.name";
+$param[] = '%' . $_POST['package'] . '%';
 
 $where = '';
 $ver = '';
@@ -107,7 +107,7 @@
 }
 
 $start = ($page_number - 1) * $results;
-$full_query = $full_query . $query . " LIMIT $start,$results";
+$full_query = $query . " LIMIT $start,$results";
 
 ?>
         <tr>