[4.0] [com_config] convert to prepared statement (#25193)

joomla · Jul 23, 2019 · 65e3d40 · 65e3d40
1 parent 9fbc0e5
commit 65e3d40
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/administrator/components/com_config/Model/ApplicationModel.php b/administrator/components/com_config/Model/ApplicationModel.php
@@ -30,6 +30,7 @@
 use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\UserHelper;
 use Joomla\Database\DatabaseDriver;
+use Joomla\Database\ParameterType;
 use Joomla\Registry\Registry;
 use Joomla\Utilities\ArrayHelper;
 
@@ -829,10 +830,11 @@ public function storePermissions($permission = null)
 		try
 		{
 			// Get the asset id by the name of the component.
-			$query = $this->getDbo()->getQuery(true)
-				->select($this->getDbo()->quoteName('id'))
-				->from($this->getDbo()->quoteName('#__assets'))
-				->where($this->getDbo()->quoteName('name') . ' = ' . $this->getDbo()->quote($permission['component']));
+			$query = $this->_db->getQuery(true)
+				->select($this->_db->quoteName('id'))
+				->from($this->_db->quoteName('#__assets'))
+				->where($this->_db->quoteName('name') . ' = :component')
+				->bind(':component', $permission['component']);
 
 			$this->_db->setQuery($query);
 
@@ -855,18 +857,21 @@ public function storePermissions($permission = null)
 				$query->clear()
 					->select($this->_db->quoteName('parent_id'))
 					->from($this->_db->quoteName('#__assets'))
-					->where($this->_db->quoteName('id') . ' = ' . $assetId);
+					->where($this->_db->quoteName('id') . ' = :assetid') 
+					->bind(':assetid', $assetId, ParameterType::INTEGER);
 
 				$this->_db->setQuery($query);
 
 				$parentAssetId = (int) $this->_db->loadResult();
 			}
 
 			// Get the group parent id of the current group.
+			$rule = (int) $permission['rule'];
 			$query->clear()
 				->select($this->_db->quoteName('parent_id'))
 				->from($this->_db->quoteName('#__usergroups'))
-				->where($this->_db->quoteName('id') . ' = ' . (int) $permission['rule']);
+				->where($this->_db->quoteName('id') . ' = :rule')
+				->bind(':rule', $rule, ParameterType::INTEGER);
 
 			$this->_db->setQuery($query);
 
@@ -876,7 +881,8 @@ public function storePermissions($permission = null)
 			$query->clear()
 				->select('COUNT(' . $this->_db->quoteName('id') . ')')
 				->from($this->_db->quoteName('#__usergroups'))
-				->where($this->_db->quoteName('parent_id') . ' = ' . (int) $permission['rule']);
+				->where($this->_db->quoteName('parent_id') . ' = :rule')
+				->bind(':rule', $rule, ParameterType::INTEGER);
 
 			$this->_db->setQuery($query);