CC-5121 : fix some SQL statements not being escaped/prepared

This commit is contained in:
Naomi 2013-05-13 11:42:11 -04:00
parent 6b560eede1
commit bd2462170b


@ -106,43 +106,44 @@ class Application_Model_Preference
private static function getValue($key, $isUserValue = false) private static function getValue($key, $isUserValue = false)
{ {
try { try {
$con = Propel::getConnection();
//Check if key already exists //Check if key already exists
$sql = "SELECT COUNT(*) FROM cc_pref" $sql = "SELECT COUNT(*) FROM cc_pref"
." WHERE keystr = '$key'"; ." WHERE keystr = :key";
/*." WHERE keystr = :key";
$paramMap = array(); $paramMap = array();
$paramMap[':key'] = $key;*/ $paramMap[':key'] = $key;
//For user specific preference, check if id matches as well //For user specific preference, check if id matches as well
if ($isUserValue) { if ($isUserValue) {
$auth = Zend_Auth::getInstance(); $auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) { if ($auth->hasIdentity()) {
$id = $auth->getIdentity()->id; $id = $auth->getIdentity()->id;
$sql .= " AND subjid = '$id'";
/*$sql .= " AND subjid = :id"; $sql .= " AND subjid = :id";
$paramMap[':id'] = $id;*/ $paramMap[':id'] = $id;
} }
} }
$result = $con->query($sql)->fetchColumn(0);
//$result = Application_Common_Database::prepareAndExecute($sql, $paramMap, 'column'); $result = Application_Common_Database::prepareAndExecute($sql, $paramMap, Application_Common_Database::COLUMN);
if ($result == 0) { if ($result == 0) {
return ""; return "";
} else { }
else {
$sql = "SELECT valstr FROM cc_pref" $sql = "SELECT valstr FROM cc_pref"
." WHERE keystr = '$key'"; ." WHERE keystr = :key";
/*." WHERE keystr = :key";
$paramMap = array(); $paramMap = array();
$paramMap[':key'] = $key;*/ $paramMap[':key'] = $key;
//For user specific preference, check if id matches as well //For user specific preference, check if id matches as well
if ($isUserValue && $auth->hasIdentity()) { if ($isUserValue && $auth->hasIdentity()) {
$sql .= " AND subjid = '$id'"; $sql .= " AND subjid = :id";
/*$sql .= " AND subjid = :id"; $paramMap[':id'] = $id;
$paramMap[':id'] = $id;*/
} }
$result = $con->query($sql)->fetchColumn(0);
//$result = Application_Common_Database::prepareAndExecute($sql, $paramMap, 'column'); $result = Application_Common_Database::prepareAndExecute($sql, $paramMap, Application_Common_Database::COLUMN);
return ($result !== false) ? $result : ""; return ($result !== false) ? $result : "";
} }
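Review bot: The existence check at `if ($result == 0) {` compares the COUNT(*) value with a loose `==`; the fetched column is most likely a string, so `if ((int) $result === 0) {` makes the intent explicit and survives a later move to strict comparisons. The rest of the new branch looks sound: `$auth` and `$id` are only read under `$isUserValue && $auth->hasIdentity()`, which short-circuits when they were never assigned, and both statements now bind `:key`/`:id` instead of interpolating them into the SQL. With both queries parameterised the COUNT(*) round trip is arguably redundant — a single `SELECT valstr` in COLUMN mode would yield no row for a missing key — but that depends on what prepareAndExecute returns for an empty result, so confirm before folding them. The method still has no docblock; a short one stating that it returns the stored string or `""` when the key is absent, and that `$isUserValue` restricts the lookup to the authenticated identity's `subjid`, would help callers. getValue's try/catch and closing brace lie outside the hunk.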
@ -609,9 +610,10 @@ class Application_Model_Preference
public static function GetCountryList() public static function GetCountryList()
{ {
$con = Propel::getConnection();
$sql = "SELECT * FROM cc_country"; $sql = "SELECT * FROM cc_country";
$res = $con->query($sql)->fetchAll();
$res = Application_Common_Database::prepareAndExecute($sql, array());
$out = array(); $out = array();
$out[""] = _("Select Country"); $out[""] = _("Select Country");
foreach ($res as $r) { foreach ($res as $r) {