CC-5121: fix some SQL statements not being escaped/prepared

2013-05-09 15:08:47 -04:00 · 2013-05-09 15:08:47 -04:00 · 9c05511613
parent 21df9013ee
commit 9c05511613
4 changed files with 77 additions and 49 deletions
--- a/airtime_mvc/application/models/Schedule.php
+++ b/airtime_mvc/application/models/Schedule.php
@ -418,7 +418,6 @@ SQL;

    public static function UpdateMediaPlayedStatus($p_id)
    {
-        $con = Propel::getConnection();
        $sql = "UPDATE cc_schedule"
                ." SET media_item_played=TRUE";
        // we need to update 'broadcasted' column as well
@ -431,11 +430,11 @@ SQL;
            $sql .= ", broadcasted=1";
        }

-        $sql .= " WHERE id=$p_id";
+        $sql .= " WHERE id=:pid";
+        $map = array(":pid" => $p_id);

-        $retVal = $con->exec($sql);
-
-        return $retVal;
+        Application_Common_Database::prepareAndExecute($sql, $map, 
+            Application_Common_Database::EXECUTE);
    }

    public static function UpdateBrodcastedStatus($dateTime, $value)
@ -952,8 +951,9 @@ SQL;

    public static function deleteAll()
    {
-        $con = Propel::getConnection();
-        $con->exec("TRUNCATE TABLE cc_schedule");
+        $sql = "TRUNCATE TABLE cc_schedule";
+        Application_Common_Database::prepareAndExecute($sql, array(), 
+            Application_Common_Database::EXECUTE);
    }

    public static function deleteWithFileId($fileId)
--- a/airtime_mvc/application/models/Show.php
+++ b/airtime_mvc/application/models/Show.php
@ -602,8 +602,6 @@ SQL;
        Application_Common_Database::prepareAndExecute( $sql,
            array( ':showId' => $this->getId(),
                   ':timestamp' => gmdate("Y-m-d H:i:s")), 'execute');
-
-        $con->exec($sql);
    }

    /**
@ -617,8 +615,6 @@ SQL;
     */
    public function removeAllInstancesFromDate($p_date=null)
    {
-        $con = Propel::getConnection();
-
        $timestamp = gmdate("Y-m-d H:i:s");

        if (is_null($p_date)) {
@ -628,12 +624,16 @@ SQL;

        $showId = $this->getId();
        $sql = "DELETE FROM cc_show_instances "
-                ." WHERE date(starts) >= DATE '$p_date'"
-                ." AND starts > TIMESTAMP '$timestamp'"
-                ." AND show_id = $showId";
+                ." WHERE date(starts) >= :date::date"
+                ." AND starts > :timestamp::timestamp"
+                ." AND show_id = :showId";

-        $con->exec($sql);
+        $map = array(":date"=>$p_date,
+            ':timestamp'=>$timestamp,
+            ':showId'=>$showId);

+        $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+            Application_Common_Database::EXECUTE);
    }

    /**
@ -650,17 +650,20 @@ SQL;
     */
    public function removeAllInstancesBeforeDate($p_date)
    {
-        $con = Propel::getConnection();
-
        $timestamp = gmdate("Y-m-d H:i:s");

        $showId = $this->getId();
        $sql = "DELETE FROM cc_show_instances "
-                ." WHERE date(starts) < DATE '$p_date'"
-                ." AND starts > TIMESTAMP '$timestamp'"
-                ." AND show_id = $showId";
+                ." WHERE date(starts) < :date::date"
+                ." AND starts > :timestamp::timestamp"
+                ." AND show_id = :showId";

-        $con->exec($sql);
+        $map = array(":date"=>$p_date,
+            ":timestamp"=>$timestamp,
+            ":showId"=>$showId);
+
+        $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+            Application_Common_Database::EXECUTE);
    }

    public function getNextFutureRepeatShowTime()
@ -870,43 +873,62 @@ SQL;

    private function updateStartDateTime($p_data, $p_endDate)
    {
-        //need to update cc_schedule, cc_show_instances, cc_show_days
-        $con = Propel::getConnection();
-
        $date = new Application_Common_DateHelper;
        $timestamp = $date->getTimestamp();

        //TODO fix this from overwriting info.
        $sql = "UPDATE cc_show_days "
-                ."SET start_time = TIME '$p_data[add_show_start_time]', "
-                ."first_show = DATE '$p_data[add_show_start_date]', ";
+                ."SET start_time = :start_time::time, "
+                ."first_show = :start_date::date, ";
        if (strlen ($p_endDate) == 0) {
            $sql .= "last_show = NULL ";
        } else {
-            $sql .= "last_show = DATE '$p_endDate' ";
+            $sql .= "last_show = :end_date::date";
        }
-        $sql .= "WHERE show_id = $p_data[add_show_id]";
-        $con->exec($sql);
+        $sql .= "WHERE show_id = :show_id";
+
+        $map = array(":start_time" => $p_data['add_show_start_time'],
+            ':start_date' => $p_data['add_show_start_date'],
+            ':end_date' => $p_endDate,
+            ':show_id' => $p_data['add_show_id'],
+        );
+
+        $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+            Application_Common_Database::EXECUTE);

        $dtOld = new DateTime($this->getStartDate()." ".$this->getStartTime(), new DateTimeZone("UTC"));
-        $dtNew = new DateTime($p_data['add_show_start_date']." ".$p_data['add_show_start_time'], new DateTimeZone(date_default_timezone_get()));
+        $dtNew = new DateTime($p_data['add_show_start_date']." ".$p_data['add_show_start_time'], 
+                new DateTimeZone(date_default_timezone_get()));
        $diff = $dtOld->getTimestamp() - $dtNew->getTimestamp();

        $sql = "UPDATE cc_show_instances "
-                ."SET starts = starts + INTERVAL '$diff sec', "
-                ."ends = ends + INTERVAL '$diff sec' "
-                ."WHERE show_id = $p_data[add_show_id] "
-                ."AND starts > TIMESTAMP '$timestamp'";
-        $con->exec($sql);
+                ."SET starts = starts + :diff1::interval, "
+                ."ends = ends + :diff2::interval "
+                ."WHERE show_id = :show_id "
+                ."AND starts > :timestamp::timestamp";
+        $map = array(
+            ":diff1"=>"$diff sec",
+            ":diff2"=>"$diff sec",
+            ":show_id"=>$p_data['add_show_id'],
+            ":timestamp"=>$timestamp,
+        );
+        $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+            Application_Common_Database::EXECUTE);

        $showInstanceIds = $this->getAllFutureInstanceIds();
        if (count($showInstanceIds) > 0 && $diff != 0) {
            $showIdsImploded = implode(",", $showInstanceIds);
            $sql = "UPDATE cc_schedule "
-                    ."SET starts = starts + INTERVAL '$diff sec', "
-                    ."ends = ends + INTERVAL '$diff sec' "
-                    ."WHERE instance_id IN ($showIdsImploded)";
-            $con->exec($sql);
+                    ."SET starts = starts + :diff1::interval, "
+                    ."ends = ends + :diff2::interval "
+                    ."WHERE instance_id IN (:show_ids)";
+            $map = array(
+                ":diff1"=>"$diff sec",
+                ":diff2"=>"$diff sec",
+                ":show_ids"=>$showIdsImploded,           
+            );
+            $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+                Application_Common_Database::EXECUTE);
        }
    }

--- a/airtime_mvc/application/models/StreamSetting.php
+++ b/airtime_mvc/application/models/StreamSetting.php
@ -265,11 +265,12 @@ class Application_Model_StreamSetting
     */
    public static function setIndividualStreamSetting($data)
    {
-        $con = Propel::getConnection();
-
        foreach ($data as $keyname => $v) {
-            $sql = "UPDATE cc_stream_setting SET value='$v' WHERE keyname='$keyname'";
-            $con->exec($sql);
+            $sql = "UPDATE cc_stream_setting SET value=:v WHERE keyname=:keyname";
+            $map = array(":v" => $v, ":keyname"=>$keyname);
+
+            $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+                Application_Common_Database::EXECUTE);
        }
    }

--- a/airtime_mvc/application/models/Subjects.php
+++ b/airtime_mvc/application/models/Subjects.php
@ -20,20 +20,25 @@ class Application_Model_Subjects

    public static function increaseLoginAttempts($login)
    {
-        $con = Propel::getConnection();
        $sql = "UPDATE cc_subjs SET login_attempts = login_attempts+1"
-            ." WHERE login='$login'";
-        $res = $con->exec($sql);
+            ." WHERE login=:login";
+
+        $map = array(":login" => $login);
+
+        $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+            Application_Common_Database::EXECUTE);

        return (intval($res) > 0);
    }

    public static function resetLoginAttempts($login)
    {
-        $con = Propel::getConnection();
        $sql = "UPDATE cc_subjs SET login_attempts = '0'"
-            ." WHERE login='$login'";
-        $res = $con->exec($sql);
+            ." WHERE login=:login";
+        $map = array(":login" => $login);
+
+        $res = Application_Common_Database::prepareAndExecute($sql, $map, 
+            Application_Common_Database::EXECUTE);

        return true;
    }