prepared sql

joomla · Jul 3, 2019 · 8377f55 · 8377f55
1 parent d40a275
commit 8377f55
Showing 1 changed file with 49 additions and 24 deletions.
diff --git a/administrator/components/com_redirect/Model/LinksModel.php b/administrator/components/com_redirect/Model/LinksModel.php
@@ -15,6 +15,7 @@
 use Joomla\CMS\Factory;
 use Joomla\CMS\MVC\Factory\MVCFactoryInterface;
 use Joomla\CMS\MVC\Model\ListModel;
+use Joomla\Database\ParameterType;
 
 /**
  * Methods supporting a list of redirect links.
@@ -152,17 +153,21 @@ protected function getListQuery()
 
 		if (is_numeric($state))
 		{
-			$query->where($db->quoteName('a.published') . ' = ' . (int) $state);
+			$state = (int) $state;
+			$query->where($db->quoteName('a.published') . ' = :state')
+				->bind(':state', $state, ParameterType::INTEGER);
 		}
 		elseif ($state === '')
 		{
-			$query->where($db->quoteName('a.published') . ' IN (0,1)');
+			$query->whereIn($db->quoteName('a.published'), [0,1]);
 		}
 
 		// Filter the items over the HTTP status code header.
 		if ($httpStatusCode = $this->getState('filter.http_status'))
 		{
-			$query->where($db->quoteName('a.header') . ' = ' . (int) $httpStatusCode);
+			$httpStatusCode = (int) $httpStatusCode;
+			$query->where($db->quoteName('a.header') . ' = :header')
+				->bind(':header', $httpStatusCode, ParameterType::INTEGER);
 		}
 
 		// Filter the items over the search string if set.
@@ -172,17 +177,21 @@ protected function getListQuery()
 		{
 			if (stripos($search, 'id:') === 0)
 			{
-				$query->where($db->quoteName('a.id') . ' = ' . (int) substr($search, 3));
+				$ids = (int) substr($search, 3);
+				$query->where($db->quoteName('a.id') . ' = :id');
+				$query->bind(':id', $ids, ParameterType::INTEGER);
 			}
 			else
 			{
-				$search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%'));
-				$query->where(
-					'(' . $db->quoteName('old_url') . ' LIKE ' . $search .
-					' OR ' . $db->quoteName('new_url') . ' LIKE ' . $search .
-					' OR ' . $db->quoteName('comment') . ' LIKE ' . $search .
-					' OR ' . $db->quoteName('referer') . ' LIKE ' . $search . ')'
-				);
+				$search = '%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%');
+				$query->where($db->quoteName('old_url') . ' LIKE :oldurl')
+					->orWhere($db->quoteName('new_url') . ' LIKE :newurl')
+					->orWhere($db->quoteName('comment') . ' LIKE :comment')
+					->orWhere($db->quoteName('referer') . ' LIKE :referer')
+					->bind(':oldurl', $search)
+					->bind(':newurl', $search)
+					->bind(':comment', $search)
+					->bind(':referer', $search);
 			}
 		}
 
@@ -204,20 +213,21 @@ public function batchProcess($batch_urls)
 		$db    = $this->getDbo();
 		$query = $db->getQuery(true);
 
-		$params = ComponentHelper::getParams('com_redirect');
-		$state  = (int) $params->get('defaultImportState', 0);
+		$params  = ComponentHelper::getParams('com_redirect');
+		$state   = (int) $params->get('defaultImportState', 0);
+		$created = Factory::getDate()->toSql();
 
-		$columns = array(
+		$columns = [
 			$db->quoteName('old_url'),
 			$db->quoteName('new_url'),
 			$db->quoteName('referer'),
 			$db->quoteName('comment'),
 			$db->quoteName('hits'),
 			$db->quoteName('published'),
 			$db->quoteName('created_date')
-		);
+		];
 
-		$query->columns($columns);
+		$i = 0;
 
 		foreach ($batch_urls as $batch_url)
 		{
@@ -233,15 +243,30 @@ public function batchProcess($batch_urls)
 				$new_url = '';
 			}
 
-			$query->insert($db->quoteName('#__redirect_links'), false)
-				->values(
-					$db->quote($old_url) . ', ' . $db->quote($new_url) . ' ,' . $db->quote('') . ', ' . $db->quote('') . ', 0, ' . $state . ', ' .
-					$db->quote(Factory::getDate()->toSql())
-				);
-		}
+			$values = [
+					':oldurl' . $i,
+					':newurl' . $i,
+					'',
+					'',
+					0,
+					':state' . $i,
+					':created' . $i,
+			];
+
+			$query->clear()
+				->insert($db->quoteName('#__redirect_links'), false)
+				->columns($columns)
+				->values($values)
+				->bind(':oldurl' . $i, $old_url)
+				->bind(':newurl' . $i, $new_url)
+				->bind(':state' . $i, $state, ParameterType::INTEGER)
+				->bind(':created' . $i, $created);
+
+			$db->setQuery($query);
+			$db->execute();
+			$i++;
 
-		$db->setQuery($query);
-		$db->execute();
+		}
 
 		return true;
 	}