CC-5121 :fix some SQL statements not being escaped/prepared

2013-05-10 12:35:08 -04:00 · 2013-05-10 12:35:08 -04:00 · 987537fbdc
parent d5e7185789
commit 987537fbdc
1 changed files with 5 additions and 3 deletions
--- a/airtime_mvc/application/models/Subjects.php
+++ b/airtime_mvc/application/models/Subjects.php
@ -45,9 +45,11 @@ class Application_Model_Subjects

    public static function getLoginAttempts($login)
    {
-        $con = Propel::getConnection();
-        $sql = "SELECT login_attempts FROM cc_subjs WHERE login='$login'";
-        $res = $con->query($sql)->fetchColumn(0);
+        $sql = "SELECT login_attempts FROM cc_subjs WHERE login=:login";
+        $map = array(":login" => $login);
+        
+        $res = Application_Common_Database::prepareAndExecute($sql, $map,
+        		Application_Common_Database::COLUMN);

        return ($res !== false) ? $res : 0;
    }