Parameterized queries

joomla · Jun 16, 2020 · 6575b3d · 6575b3d
1 parent bbedcab
commit 6575b3d
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 51 deletions.
diff --git a/administrator/components/com_workflow/src/Model/WorkflowsModel.php b/administrator/components/com_workflow/src/Model/WorkflowsModel.php
@@ -13,6 +13,7 @@
 
 use Joomla\CMS\Factory;
 use Joomla\CMS\MVC\Model\ListModel;
+use Joomla\Database\ParameterType;
 
 /**
  * Model class for workflows
@@ -163,20 +164,30 @@ protected function countItems($items)
 
 		$query = $db->getQuery(true);
 
-		$query	->select('workflow_id, count(*) AS count')
+		$query->select(
+			[
+				$db->quoteName('workflow_id'),
+				'COUNT(*) AS ' . $db->quoteName('count'),
+			]
+		)
 			->from($db->quoteName('#__workflow_stages'))
-			->where($db->quoteName('workflow_id') . ' IN(' . implode(',', $ids) . ')')
-			->where($db->quoteName('published') . '>= 0')
+			->whereIn($db->quoteName('workflow_id'), $ids)
+			->where($db->quoteName('published') . ' >= 0')
 			->group($db->quoteName('workflow_id'));
 
 		$status = $db->setQuery($query)->loadObjectList('workflow_id');
 
 		$query = $db->getQuery(true);
 
-		$query->select('workflow_id, count(*) AS count')
+		$query->select(
+			[
+				$db->quoteName('workflow_id'),
+				'COUNT(*) AS ' . $db->quoteName('count'),
+			]
+		)
 			->from($db->quoteName('#__workflow_transitions'))
-			->where($db->quoteName('workflow_id') . ' IN(' . implode(',', $ids) . ')')
-			->where($db->quoteName('published') . '>= 0')
+			->whereIn($db->quoteName('workflow_id'), $ids)
+			->where($db->quoteName('published') . ' >= 0')
 			->group($db->quoteName('workflow_id'));
 
 		$transitions = $db->setQuery($query)->loadObjectList('workflow_id');
@@ -205,67 +216,65 @@ protected function countItems($items)
 	public function getListQuery()
 	{
 		$db = $this->getDbo();
+		$query = $db->getQuery(true);
 
-		$query = parent::getListQuery();
-
-		$select = $db->quoteName(
-			array(
-				'w.id',
-				'w.title',
-				'w.created',
-				'w.modified',
-				'w.published',
-				'w.checked_out',
-				'w.checked_out_time',
-				'w.ordering',
-				'w.default',
-				'w.created_by',
-				'w.description',
-				'u.name'
-			)
-		);
-
-		$query
-			->select($select)
+		$query->select(
+			[
+				$db->quoteName('w.id'),
+				$db->quoteName('w.title'),
+				$db->quoteName('w.created'),
+				$db->quoteName('w.modified'),
+				$db->quoteName('w.published'),
+				$db->quoteName('w.checked_out'),
+				$db->quoteName('w.checked_out_time'),
+				$db->quoteName('w.ordering'),
+				$db->quoteName('w.default'),
+				$db->quoteName('w.created_by'),
+				$db->quoteName('w.description'),
+				$db->quoteName('u.name'),
+				$db->quoteName('uc.name', 'editor')
+			]
+		)
 			->from($db->quoteName('#__workflows', 'w'))
-			->leftJoin($db->quoteName('#__users', 'u') . ' ON ' . $db->quoteName('u.id') . ' = ' . $db->quoteName('w.created_by'));
+			->join('LEFT', $db->quoteName('#__users', 'u'), $db->quoteName('u.id') . ' = ' . $db->quoteName('w.created_by'))
+			->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('w.checked_out'));
 
 		// Filter by extension
 		if ($extension = $this->getState('filter.extension'))
 		{
-			$query->where($db->quoteName('extension') . ' = ' . $db->quote($db->escape($extension)));
+			$query->where($db->quoteName('extension') . ' = :extension')
+				->bind(':extension', $extension);
 		}
 
 		$status = (string) $this->getState('filter.published');
 
 		// Filter by status
 		if (is_numeric($status))
 		{
-			$query->where($db->quoteName('w.published') . ' = ' . (int) $status);
+			$status = (int) $status;
+			$query->where($db->quoteName('w.published') . ' = :published')
+				->bind(':published', $status, ParameterType::INTEGER);
 		}
-		elseif ($status == '')
+		elseif ($status === '')
 		{
-			$query->where($db->quoteName('w.published') . " IN ('0', '1')");
+			$query->where($db->quoteName('w.published') . ' IN (0, 1)');
 		}
 
 		// Filter by search in title
 		$search = $this->getState('filter.search');
 
 		if (!empty($search))
 		{
-			$search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%'));
-			$query->where('(' . $db->quoteName('w.title') . ' LIKE ' . $search . ' OR ' . $db->quoteName('w.description') . ' LIKE ' . $search . ')');
+			$search = '%' . str_replace(' ', '%', trim($search)) . '%';
+			$query->where('(' . $db->quoteName('w.title') . ' LIKE :search1 OR ' . $db->quoteName('w.description') . ' LIKE :search2)')
+				->bind([':search1', ':search2'], $search);
 		}
 
-		// Join over the users for the checked out user.
-		$query->select($db->quoteName('uc.name', 'editor'))
-			->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('w.checked_out'));
-
 		// Add the list ordering clause.
-		$orderCol	= $this->state->get('list.ordering', 'w.ordering');
-		$orderDirn 	= strtolower($this->state->get('list.direction', 'asc'));
+		$orderCol  = $this->state->get('list.ordering', 'w.ordering');
+		$orderDirn = strtoupper($this->state->get('list.direction', 'ASC'));
 
-		$query->order($db->quoteName($db->escape($orderCol)) . ' ' . $db->escape($orderDirn == 'desc' ? 'DESC' : 'ASC'));
+		$query->order($db->quoteName($db->escape($orderCol)) . ' ' . $db->escape($orderDirn === 'DESC' ? 'DESC' : 'ASC'));
 
 		return $query;
 	}

diff --git a/administrator/components/com_workflow/src/Table/StageTable.php b/administrator/components/com_workflow/src/Table/StageTable.php
@@ -16,6 +16,7 @@
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Table\Table;
 use Joomla\Database\DatabaseDriver;
+use Joomla\Database\ParameterType;
 
 /**
  * Stage table
@@ -59,11 +60,13 @@ public function delete($pk = null)
 	{
 		$db  = $this->getDbo();
 		$app = Factory::getApplication();
+		$pk  = (int) $pk;
 
 		$query = $db->getQuery(true)
 			->select($db->quoteName('default'))
 			->from($db->quoteName('#__workflow_stages'))
-			->where($db->quoteName('id') . ' = ' . (int) $pk);
+			->where($db->quoteName('id') . ' = :id')
+			->bind(':id', $pk, ParameterType::INTEGER);
 
 		$isDefault = $db->setQuery($query)->loadResult();
 
@@ -78,8 +81,14 @@ public function delete($pk = null)
 		{
 			$query = $db->getQuery(true)
 				->delete($db->quoteName('#__workflow_transitions'))
-				->where($db->quoteName('to_stage_id') . ' = ' . (int) $pk, 'OR')
-				->where($db->quoteName('from_stage_id') . ' = ' . (int) $pk);
+				->where(
+					[
+						$db->quoteName('to_stage_id') . ' = :idTo',
+						$db->quoteName('from_stage_id') . ' = :idFrom',
+					],
+					'OR'
+				)
+				->bind([':idTo', ':idFrom'], $pk, ParameterType::INTEGER);
 
 			$db->setQuery($query)->execute();
 
@@ -138,8 +147,13 @@ public function check()
 			$query
 				->select($db->quoteName('id'))
 				->from($db->quoteName('#__workflow_stages'))
-				->where($db->quoteName('workflow_id') . '=' . (int) $this->workflow_id)
-				->where($db->quoteName('default') . ' = 1');
+				->where(
+					[
+						$db->quoteName('workflow_id') . ' = :id',
+						$db->quoteName('default') . ' = 1',
+					]
+				)
+				->bind(':id', $this->workflow_id, ParameterType::INTEGER);
 
 			$id = $db->setQuery($query)->loadResult();
 

diff --git a/administrator/components/com_workflow/src/Table/WorkflowTable.php b/administrator/components/com_workflow/src/Table/WorkflowTable.php
@@ -15,6 +15,7 @@
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Table\Table;
 use Joomla\Database\DatabaseDriver;
+use Joomla\Database\ParameterType;
 
 /**
  * Workflow table
@@ -60,12 +61,14 @@ public function delete($pk = null)
 	{
 		$db  = $this->getDbo();
 		$app = Factory::getApplication();
+		$pk  = (int) $pk;
 
 		// Gets the workflow information that is going to be deleted.
 		$query = $db->getQuery(true)
 			->select($db->quoteName('default'))
 			->from($db->quoteName('#__workflows'))
-			->where($db->quoteName('id') . ' = ' . (int) $pk);
+			->where($db->quoteName('id') . ' = :id')
+			->bind(':id', $pk, ParameterType::INTEGER);
 
 		$isDefault = $db->setQuery($query)->loadResult();
 
@@ -81,13 +84,15 @@ public function delete($pk = null)
 		{
 			$query = $db->getQuery(true)
 				->delete($db->quoteName('#__workflow_stages'))
-				->where($db->quoteName('workflow_id') . ' = ' . (int) $pk);
+				->where($db->quoteName('workflow_id') . ' = :id')
+				->bind(':id', $pk, ParameterType::INTEGER);
 
 			$db->setQuery($query)->execute();
 
 			$query = $db->getQuery(true)
 				->delete($db->quoteName('#__workflow_transitions'))
-				->where($db->quoteName('workflow_id') . ' = ' . (int) $pk);
+				->where($db->quoteName('workflow_id') . ' = :id')
+				->bind(':id', $pk, ParameterType::INTEGER);
 
 			$db->setQuery($query)->execute();
 
@@ -146,7 +151,7 @@ public function check()
 			$query
 				->select($db->quoteName('id'))
 				->from($db->quoteName('#__workflows'))
-				->where($db->quoteName('default') . '= 1');
+				->where($db->quoteName('default') . ' = 1');
 
 			$id = $db->setQuery($query)->loadResult();
 
@@ -307,7 +312,8 @@ protected function _getAssetParentId(Table $table = null, $id = null)
 		$query = $this->getDbo()->getQuery(true)
 			->select($this->getDbo()->quoteName('id'))
 			->from($this->getDbo()->quoteName('#__assets'))
-			->where($this->getDbo()->quoteName('name') . ' = ' . $this->getDbo()->quote($extension));
+			->where($this->getDbo()->quoteName('name') . ' = :extension')
+			->bind(':extension', $extension);
 
 		// Get the asset id from the database.
 		$this->getDbo()->setQuery($query);