Change string to array parameter to prevent SQL injections

This commit is contained in:
Benoît Burnichon
2015-03-06 11:19:31 +01:00
parent e51466fc46
commit 51a3ff25b5


@@ -1381,7 +1381,7 @@ class Xmlhttp implements ControllerProviderInterface
// first, count the number of records to update // first, count the number of records to update
foreach ($tsbas as $ksbas => $sbas) { foreach ($tsbas as $ksbas => $sbas) {
/* @var $databox databox */ /* @var $databox \databox */
try { try {
$databox = $appbox->get_databox($sbas['sbas_id']); $databox = $appbox->get_databox($sbas['sbas_id']);
$connbas = $databox->get_connection(); $connbas = $databox->get_connection();
@@ -1394,7 +1394,7 @@ class Xmlhttp implements ControllerProviderInterface
continue; continue;
} }
$lid = ''; $lids = [];
$xpathct = new \DOMXPath($tsbas[$ksbas]['domct']); $xpathct = new \DOMXPath($tsbas[$ksbas]['domct']);
foreach ($sbas['tids'] as $tid) { foreach ($sbas['tids'] as $tid) {
@@ -1403,7 +1403,7 @@ class Xmlhttp implements ControllerProviderInterface
if ($nodes->length == 1) { if ($nodes->length == 1) {
$sy = $nodes->item(0); $sy = $nodes->item(0);
$syid = str_replace('.', 'd', $sy->getAttribute('id')) . 'd'; $syid = str_replace('.', 'd', $sy->getAttribute('id')) . 'd';
$lid .= ( $lid ? ',' : '') . "'" . $syid . "'"; $lids[] = $syid;
$field = $sy->parentNode->parentNode->getAttribute('field'); $field = $sy->parentNode->parentNode->getAttribute('field');
if (!array_key_exists($field, $tsbas[$ksbas]['tvals'])) { if (!array_key_exists($field, $tsbas[$ksbas]['tvals'])) {
@@ -1413,19 +1413,18 @@ class Xmlhttp implements ControllerProviderInterface
} }
} }
if ($lid == '') { if (empty($lids)) {
// no cterm was found // no cterm was found
continue; continue;
} }
$tsbas[$ksbas]['lid'] = $lid; $tsbas[$ksbas]['lid'] = "'" . implode("','", $lids) . "'";
// count records // count records
$sql = 'SELECT DISTINCT record_id AS r $sql = 'SELECT DISTINCT record_id AS r
FROM thit WHERE value IN (' . $lid . ') FROM thit WHERE value IN (:lids)
ORDER BY record_id'; ORDER BY record_id';
$stmt = $connbas->prepare($sql); $stmt = $connbas->prepare($sql);
$stmt->execute(); $stmt->execute(['lids' => $lids]);
$tsbas[$ksbas]['trids'] = $stmt->fetchAll(\PDO::FETCH_COLUMN, 0); $tsbas[$ksbas]['trids'] = $stmt->fetchAll(\PDO::FETCH_COLUMN, 0);
$stmt->closeCursor(); $stmt->closeCursor();