From 43f52582195b1ec92442d480496b495a1da5c6a8 Mon Sep 17 00:00:00 2001
From: Martin Konecny <martin.konecny@gmail.com>
Date: Wed, 5 Sep 2012 17:43:45 -0400
Subject: [PATCH 1/2] CC-4348: Prepared statements - part 4

-User.php
---
 airtime_mvc/application/models/User.php | 41 ++++++++++---------------
 1 file changed, 16 insertions(+), 25 deletions(-)

diff --git a/airtime_mvc/application/models/User.php b/airtime_mvc/application/models/User.php
index 85ff5ea64..fbfb84794 100644
--- a/airtime_mvc/application/models/User.php
+++ b/airtime_mvc/application/models/User.php
@@ -284,45 +284,38 @@ class Application_Model_User
         $sql_gen = "SELECT login AS value, login AS label, id as index FROM cc_subjs ";
         $sql     = $sql_gen;
 
-        $type = array_map( function($t) {
-            return "type = '{$t}'";
-        }, $type);
+        $types = array();
+        $params = array();
+        for ($i=0; $i<count($type); $i++) {
+            $p = ":type{$i}";
+            $types[] = "type = $p";
+            $params[$p] = $type[$i];
+        }
 
-        $sql_type = join(" OR ", $type);
+        $sql_type = join(" OR ", $types);
 
         $sql      = $sql_gen ." WHERE (". $sql_type.") ";
 
         if (!is_null($search)) {
+            //need to use addslashes for 'LIKE' values
+            $search = addslashes($search);
             $like = "login ILIKE '%{$search}%'";
 
             $sql  = $sql . " AND ".$like;
         }
 
+        echo $sql.PHP_EOL;
+        print_r($params);
         $sql = $sql ." ORDER BY login";
 
-        return $con->query($sql)->fetchAll();;
+        return Application_Common_Database::prepareAndExecute($sql, $params, "all");
     }
 
     public static function getUserCount($type=null)
     {
         $con = Propel::getConnection();
         $sql = '';
-        $sql_gen = "SELECT count(*) AS cnt FROM cc_subjs ";
-
-        if (!isset($type)) {
-            $sql = $sql_gen;
-        } else {
-            if (is_array($type)) {
-                for ($i=0; $i<count($type); $i++) {
-                    $type[$i] = "type = '{$type[$i]}'";
-                }
-                $sql_type = join(" OR ", $type);
-            } else {
-                $sql_type = "type = {$type}";
-            }
-
-            $sql = $sql_gen ." WHERE (". $sql_type.") ";
-        }
+        $sql_gen = "SELECT count(*) AS cnt FROM cc_subjs";
 
         $query = $con->query($sql)->fetchColumn(0);
 
@@ -366,13 +359,11 @@ class Application_Model_User
 
     public static function getUserData($id)
     {
-        $con = Propel::getConnection();
-
         $sql = "SELECT login, first_name, last_name, type, id, email, cell_phone, skype_contact, jabber_contact"
         ." FROM cc_subjs"
-        ." WHERE id = $id";
+        ." WHERE id = :id";
 
-        return $con->query($sql)->fetch();
+        return Application_Common_Database::prepareAndExecute($sql, array(":id" => $id), 'single');
     }
 
     public static function getCurrentUser()

From 139950fac26ab124001df2dcec49a085cfcd0507 Mon Sep 17 00:00:00 2001
From: Martin Konecny <martin.konecny@gmail.com>
Date: Wed, 5 Sep 2012 17:44:09 -0400
Subject: [PATCH 2/2] PSR fixes

---
 airtime_mvc/application/common/Database.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/airtime_mvc/application/common/Database.php b/airtime_mvc/application/common/Database.php
index 96e6e6770..d0ee39b78 100644
--- a/airtime_mvc/application/common/Database.php
+++ b/airtime_mvc/application/common/Database.php
@@ -1,6 +1,7 @@
 <?php
 class Application_Common_Database{
-    public static function prepareAndExcute($sql, $paramValueMap, $type='all'){
+    public static function prepareAndExecute($sql, $paramValueMap, $type='all')
+    {
         $con = Propel::getConnection();
         $stmt = $con->prepare($sql);
         foreach ($paramValueMap as $param => $v) {
@@ -10,7 +11,7 @@ class Application_Common_Database{
         if ($stmt->execute()) {
             if ($type == 'single') {
                 $rows = $stmt->fetch(PDO::FETCH_ASSOC);
-            } else if ($type == 'column'){
+            } elseif ($type == 'column'){
                 $rows = $stmt->fetchColumn();
             } else {
                 $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
@@ -21,4 +22,4 @@ class Application_Common_Database{
         }
         return $rows;
     }
-}
\ No newline at end of file
+}