CC-5121 : fix some SQL statements not being escaped/prepared

2013-05-10 17:14:10 -04:00 · 2013-05-10 17:14:10 -04:00 · b0018083c7
commit b0018083c7
parent 987537fbdc
2 changed files with 82 additions and 33 deletions
--- a/airtime_mvc/application/models/Block.php
+++ b/airtime_mvc/application/models/Block.php
@ -1005,10 +1005,12 @@ SQL;

    public static function getBlockCount()
    {
-         $con = Propel::getConnection();
         $sql = 'SELECT count(*) as cnt FROM cc_playlist';
+         
+         $res = Application_Common_Database::prepareAndExecute($sql, array(), 
+         		Application_Common_Database::COLUMN);

-         return $con->query($sql)->fetchColumn(0);
+         return $res;
     }

    /**
@ -1546,12 +1548,13 @@ SQL;
    }
    public static function getAllBlockFiles()
    {
-        $con = Propel::getConnection();
        $sql = <<<SQL
 SELECT distinct(file_id)
 FROM cc_blockcontents
 SQL;
-        $files = $con->query($sql)->fetchAll();
+       
+        $files = Application_Common_Database::prepareAndExecute($sql, array());
+        
        $real_files = array();
        foreach ($files as $f) {
            $real_files[] = $f['file_id'];