[4.0] [plg_system_actionlogs] Convert to prepared statement (joomla#2…

…5503)
infograf768 · Nov 1, 2019 · 0fa8282 · 0fa8282
1 parent 9b51d4c
commit 0fa8282
Showing 1 changed file with 75 additions and 40 deletions.
diff --git a/plugins/system/actionlogs/actionlogs.php b/plugins/system/actionlogs/actionlogs.php
@@ -16,6 +16,7 @@
 use Joomla\CMS\Plugin\PluginHelper;
 use Joomla\CMS\User\User;
 use Joomla\Database\Exception\ExecutionFailureException;
+use Joomla\Database\ParameterType;
 
 /**
  * Joomla! Users Actions Logging Plugin.
@@ -85,10 +86,10 @@ public function onContentPrepareForm(Form $form, $data)
 	{
 		$formName = $form->getName();
 
-		$allowedFormNames = array(
+		$allowedFormNames = [
 			'com_users.profile',
 			'com_users.user',
-		);
+		];
 
 		if (!in_array($formName, $allowedFormNames, true))
 		{
@@ -108,7 +109,7 @@ public function onContentPrepareForm(Form $form, $data)
 		}
 
 		// If we are on the save command, no data is passed to $data variable, we need to get it directly from request
-		$jformData = $this->app->input->get('jform', array(), 'array');
+		$jformData = $this->app->input->get('jform', [], 'array');
 
 		if ($jformData && !$data)
 		{
@@ -154,7 +155,7 @@ public function onContentPrepareForm(Form $form, $data)
 	 */
 	public function onContentPrepareData($context, $data)
 	{
-		if (!in_array($context, array('com_users.profile', 'com_admin.profile', 'com_users.user')))
+		if (!in_array($context, ['com_users.profile', 'com_admin.profile', 'com_users.user']))
 		{
 			return true;
 		}
@@ -169,14 +170,18 @@ public function onContentPrepareData($context, $data)
 			return true;
 		}
 
-		$query = $this->db->getQuery(true)
-			->select($this->db->quoteName(array('notify', 'extensions')))
-			->from($this->db->quoteName('#__action_logs_users'))
-			->where($this->db->quoteName('user_id') . ' = ' . (int) $data->id);
+		$db = $this->db;
+		$id = (int) $data->id;
+
+		$query = $db->getQuery(true)
+			->select($db->quoteName(['notify', 'extensions']))
+			->from($db->quoteName('#__action_logs_users'))
+			->where($db->quoteName('user_id') . ' = :userid')
+			->bind(':userid', $id, ParameterType::INTEGER);
 
 		try
 		{
-			$values = $this->db->setQuery($query)->loadObject();
+			$values = $db->setQuery($query)->loadObject();
 		}
 		catch (ExecutionFailureException $e)
 		{
@@ -227,13 +232,15 @@ public function onAfterRespond()
 		// Update last run status
 		$this->params->set('lastrun', $now);
 
-		$db    = $this->db;
-		$query = $db->getQuery(true)
+		$db     = $this->db;
+		$params = $this->params->toString('JSON');
+		$query  = $db->getQuery(true)
 			->update($db->quoteName('#__extensions'))
-			->set($db->quoteName('params') . ' = ' . $db->quote($this->params->toString('JSON')))
+			->set($db->quoteName('params') . ' = :params')
 			->where($db->quoteName('type') . ' = ' . $db->quote('plugin'))
 			->where($db->quoteName('folder') . ' = ' . $db->quote('system'))
-			->where($db->quoteName('element') . ' = ' . $db->quote('actionlogs'));
+			->where($db->quoteName('element') . ' = ' . $db->quote('actionlogs'))
+			->bind(':params', $params);
 
 		try
 		{
@@ -251,7 +258,7 @@ public function onAfterRespond()
 			// Update the plugin parameters
 			$result = $db->setQuery($query)->execute();
 
-			$this->clearCacheGroups(array('com_plugins'), array(0, 1));
+			$this->clearCacheGroups(['com_plugins'], [0, 1]);
 		}
 		catch (Exception $exc)
 		{
@@ -278,14 +285,18 @@ public function onAfterRespond()
 		}
 
 		$daysToDeleteAfter = (int) $this->params->get('logDeletePeriod', 0);
-		$now               = $db->quote(Factory::getDate()->toSql());
+		$now               = Factory::getDate()->toSql();
 
 		if ($daysToDeleteAfter > 0)
 		{
-			$conditions = array($db->quoteName('log_date') . ' < ' . $query->dateAdd($now, -1 * $daysToDeleteAfter, ' DAY'));
+			$days = -1 * $daysToDeleteAfter;
 
 			$query->clear()
-				->delete($db->quoteName('#__action_logs'))->where($conditions);
+				->delete($db->quoteName('#__action_logs'))
+				->where($db->quoteName('log_date') . ' < ' . $query->dateAdd(':now', ':days', 'DAY'))
+				->bind(':now', $now)
+				->bind(':days', $days, ParameterType::INTEGER);
+
 			$db->setQuery($query);
 
 			try
@@ -359,65 +370,85 @@ public function onUserAfterSave($user, $isNew, $success, $msg)
 		// Clear access rights in case user groups were changed.
 		$userObject = new User($user['id']);
 		$userObject->clearAccessRights();
+
 		$authorised = $userObject->authorise('core.admin');
+		$userid     = (int) $user['id'];
+		$db         = $this->db;
 
-		$query = $this->db->getQuery(true)
+		$query = $db->getQuery(true)
 			->select('COUNT(*)')
-			->from($this->db->quoteName('#__action_logs_users'))
-			->where($this->db->quoteName('user_id') . ' = ' . (int) $user['id']);
+			->from($db->quoteName('#__action_logs_users'))
+			->where($db->quoteName('user_id') . ' = :userid')
+			->bind(':userid', $userid, ParameterType::INTEGER);
 
 		try
 		{
-			$exists = (bool) $this->db->setQuery($query)->loadResult();
+			$exists = (bool) $db->setQuery($query)->loadResult();
 		}
 		catch (ExecutionFailureException $e)
 		{
 			return false;
 		}
 
+		$query->clear();
+
 		// If preferences don't exist, insert.
 		if (!$exists && $authorised && isset($user['actionlogs']))
 		{
-			$values  = array((int) $user['id'], (int) $user['actionlogs']['actionlogsNotify']);
-			$columns = array('user_id', 'notify');
+			$notify  = (int) $user['actionlogs']['actionlogsNotify'];
+			$values  = [':userid', ':notify'];
+			$bind    = [$userid, $notify];
+			$columns = ['user_id', 'notify'];
+
+			$query->bind($values, $bind, ParameterType::INTEGER);
 
 			if (isset($user['actionlogs']['actionlogsExtensions']))
 			{
-				$values[]  = $this->db->quote(json_encode($user['actionlogs']['actionlogsExtensions']));
+				$values[]  = ':extension';
 				$columns[] = 'extensions';
+				$extension = json_encode($user['actionlogs']['actionlogsExtensions']);
+				$query->bind(':extension', $extension);
 			}
 
-			$query = $this->db->getQuery(true)
-				->insert($this->db->quoteName('#__action_logs_users'))
-				->columns($this->db->quoteName($columns))
+			$query->insert($db->quoteName('#__action_logs_users'))
+				->columns($db->quoteName($columns))
 				->values(implode(',', $values));
 		}
 		elseif ($exists && $authorised && isset($user['actionlogs']))
 		{
 			// Update preferences.
-			$values = array($this->db->quoteName('notify') . ' = ' . (int) $user['actionlogs']['actionlogsNotify']);
+			$notify = (int) $user['actionlogs']['actionlogsNotify'];
+			$values = [$db->quoteName('notify') . ' = :notify'];
+
+			$query->bind(':notify', $notify, ParameterType::INTEGER);
 
 			if (isset($user['actionlogs']['actionlogsExtensions']))
 			{
-				$values[] = $this->db->quoteName('extensions') . ' = ' . $this->db->quote(json_encode($user['actionlogs']['actionlogsExtensions']));
+				$values[] = $db->quoteName('extensions') . ' = :extension';
+				$extension = json_encode($user['actionlogs']['actionlogsExtensions']);
+				$query->bind(':extension', $extension);
 			}
 
-			$query = $this->db->getQuery(true)
-				->update($this->db->quoteName('#__action_logs_users'))
+			$query->update($db->quoteName('#__action_logs_users'))
 				->set($values)
-				->where($this->db->quoteName('user_id') . ' = ' . (int) $user['id']);
+				->where($db->quoteName('user_id') . ' = :userid')
+				->bind(':userid', $userid, ParameterType::INTEGER);
 		}
 		elseif ($exists && !$authorised)
 		{
 			// Remove preferences if user is not authorised.
-			$query = $this->db->getQuery(true)
-				->delete($this->db->quoteName('#__action_logs_users'))
-				->where($this->db->quoteName('user_id') . ' = ' . (int) $user['id']);
+			$query->delete($db->quoteName('#__action_logs_users'))
+				->where($db->quoteName('user_id') . ' = :userid')
+				->bind(':userid', $userid, ParameterType::INTEGER);
+		}
+		else
+		{
+			return false;
 		}
 
 		try
 		{
-			$this->db->setQuery($query)->execute();
+			$db->setQuery($query)->execute();
 		}
 		catch (ExecutionFailureException $e)
 		{
@@ -447,13 +478,17 @@ public function onUserAfterDelete($user, $success, $msg)
 			return false;
 		}
 
-		$query = $this->db->getQuery(true)
-			->delete($this->db->quoteName('#__action_logs_users'))
-			->where($this->db->quoteName('user_id') . ' = ' . (int) $user['id']);
+		$db     = $this->db;
+		$userid = (int) $user['id'];
+
+		$query = $db->getQuery(true)
+			->delete($db->quoteName('#__action_logs_users'))
+			->where($db->quoteName('user_id') . ' = :userid')
+			->bind(':userid', $userid, ParameterType::INTEGER);
 
 		try
 		{
-			$this->db->setQuery($query)->execute();
+			$db->setQuery($query)->execute();
 		}
 		catch (ExecutionFailureException $e)
 		{