From 798abb5b77e604fe8daef6a48714d2dda0ff519c Mon Sep 17 00:00:00 2001
From: SharkyKZ
Date: Mon, 26 Aug 2019 09:15:12 +0300
Subject: [PATCH] Prepared statements
---
 libraries/src/Helper/ContentHelper.php | 45 +++++++++++++++-----------
 1 file changed, 26 insertions(+), 19 deletions(-)
diff --git a/libraries/src/Helper/ContentHelper.php b/libraries/src/Helper/ContentHelper.php
index 153bfa6763a4b..7c69856bd584a 100644
--- a/libraries/src/Helper/ContentHelper.php
+++ b/libraries/src/Helper/ContentHelper.php
@@ -68,7 +68,7 @@ public static function countRelations(&$items, $config)
 $usesWorkflows = (isset($config->uses_workflows) && $config->uses_workflows === true);
- // Index category objects by their ID
+ // Index category objects by their ID
 $records = array();
 foreach ($items as $item)
@@ -86,28 +86,31 @@ public static function countRelations(&$items, $config)
 }
 // Table alias for related data table below will be 'c', and state / condition column is inside related data table
- $related_tbl = $db->quoteName('#__' . $config->related_tbl, 'c');
- $state_col_prefix = $usesWorkflows ? 's.' : 'c.';
- $state_col = $db->quoteName($state_col_prefix . $config->state_col);
+ $related_tbl = '#__' . $config->related_tbl;
+ $state_col = ($usesWorkflows ? 's.' : 'c.') . $config->state_col;
 // Supported cases
 switch ($config->relation_type)
 {
 case 'tag_assigments':
- $recid_col = $db->quoteName('ct.' . $config->group_col);
+ $recid_col = 'ct.' . $config->group_col;
 $query = $db->getQuery(true)
 ->from($db->quoteName('#__contentitem_tag_map', 'ct'))
- ->join('INNER', $related_tbl . ' ON ' . $db->quoteName('ct.content_item_id') . ' = ' . $db->quoteName('c.id') . ' AND ' .
- $db->quoteName('ct.type_alias') . ' = ' . $db->quote($config->extension)
- );
+ ->join(
+ 'INNER',
+ $db->quoteName($related_tbl, 'c'),
+ $db->quoteName('ct.content_item_id') . ' = ' . $db->quoteName('c.id')
+ . ' AND ' . $db->quoteName('ct.type_alias') . ' = :extension'
+ )
+ ->bind(':extension', $config->extension);
 break;
 case 'category_or_group':
- $recid_col = $db->quoteName('c.' . $config->group_col);
+ $recid_col = 'c.' . $config->group_col;
 $query = $db->getQuery(true)
- ->from($related_tbl);
+ ->from($db->quoteName($related_tbl, 'c'));
 break;
 default:
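Review bot: The new `$related_tbl`, `$state_col` and `$recid_col` assignments still build SQL identifiers by concatenating `$config->related_tbl`, `$config->state_col` and `$config->group_col`; identifiers cannot be bound, so after this change the query's safety rests on `quoteName()` being applied at every use site and on `$config` being trusted, which is worth stating where the names are built, e.g. `// Table / column names come from the caller's $config and are only identifier-quoted (quoteName) at use; they cannot be bound, so $config must not carry untrusted values.` The `:extension` placeholder is bound by passing `$config->extension` straight to `bind()`; as far as I know the Joomla query class takes that value by reference, so a write to the property before the query executes silently changes the bound value, and the same applies to `:component` in the next hunk. A local copy, `$extension = $config->extension;` passed to `bind()`, keeps the binding independent of later changes to `$config`. countRelations begins before this hunk and continues after it.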
@@ -119,8 +122,9 @@ public static function countRelations(&$items, $config)
 $query->from($db->quoteName('#__workflow_stages', 's'))
 ->from($db->quoteName('#__workflow_associations', 'a'))
 ->where($db->quoteName('s.id') . ' = ' . $db->quoteName('a.stage_id'))
- ->where($db->quoteName('a.extension') . '= ' . $db->quote($config->workflows_component))
- ->where($db->quoteName('a.item_id') . ' = ' . $db->quoteName('c.id'));
+ ->where($db->quoteName('a.extension') . ' = :component')
+ ->where($db->quoteName('a.item_id') . ' = ' . $db->quoteName('c.id'))
+ ->bind(':component', $config->workflows_component);
 }
 /**
@@ -128,10 +132,12 @@ public static function countRelations(&$items, $config)
 * NOTE: 'state IN', allows counting specific states / conditions only, also prevents warnings with custom states / conditions, do not remove */
 $query
- ->select($recid_col . ' AS catid, ' . $state_col . ' AS state, COUNT(*) AS count')
- ->where($recid_col . ' IN (' . implode(',', array_keys($records)) . ')')
- ->where($state_col . ' IN (' . implode(',', array_keys($counter_names)) . ')')
- ->group($recid_col . ', ' . $state_col);
+ ->select($db->quoteName($recid_col, 'catid'))
+ ->select($db->quoteName($state_col, 'state'))
+ ->select('COUNT(*) AS ' . $db->quoteName('count'))
+ ->whereIn($db->quoteName($recid_col), array_keys($records))
+ ->whereIn($db->quoteName($state_col), array_keys($counter_names))
+ ->group($db->quoteName([$recid_col, $state_col]));
 $relationsAll = $db->setQuery($query)->loadObjectList();
@@ -257,9 +263,10 @@ public static function getLanguageId($langCode)
 {
 $db = Factory::getDbo();
 $query = $db->getQuery(true)
- ->select('lang_id')
- ->from('#__languages')
- ->where($db->quoteName('lang_code') . ' = ' . $db->quote($langCode));
+ ->select($db->quoteName('lang_id'))
+ ->from($db->quoteName('#__languages'))
+ ->where($db->quoteName('lang_code') . ' = :language')
+ ->bind(':language', $langCode);
 $db->setQuery($query);
 return $db->loadResult();
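Review bot: In the `@@ -128,10 +132,12 @@` hunk, `whereIn()` binds its list with an integer parameter type unless one is passed, so `array_keys($records)` and `array_keys($counter_names)` are now bound as integers where the old `implode()` emitted the keys verbatim; the NOTE comment directly above says custom states / conditions are expected, so any non-integral state key would be silently coerced, and either a short comment stating that state keys must be integers or an explicit `ParameterType` argument on the second `whereIn()` would make that assumption visible. Independently, if either key list can be empty the clause becomes `IN ()`, which the database rejects, exactly as the old `implode()` form did; the commit does not add a guard, so if the caller can pass an empty `$items`, skipping the query when `$records` is empty belongs before this statement. countRelations starts before this hunk and continues after it.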