Added code to escapre API parameters before using them in queries. Al…

…so added some todos. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2619 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Jun 24, 2004 · afb42b6 · afb42b6
1 parent 887087e
commit afb42b6
Showing 1 changed file with 35 additions and 15 deletions.
diff --git a/core/relationship_api.php b/core/relationship_api.php
@@ -6,68 +6,88 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: relationship_api.php,v 1.7 2004-04-08 18:04:53 prescience Exp $
+	# $Id: relationship_api.php,v 1.8 2004-06-24 13:17:38 vboctor Exp $
 	# --------------------------------------------------------
 
 	### Relationship API ###
 
+	# @@@ Consider defining a BugRelationshipData class (see BugData in bug_api.php)
+	# @@@ Change relationship_fetch_* to return an instance or an array of instance of BugRelationshipData.
+
 	# --------------------
 	function relationship_add( $p_src_bug_id, $p_dest_bug_id, $p_relationship_type ) {
+		$c_src_bug_id = db_prepare_int( $c_src_bug_id );
+		$c_dest_bug_id = db_prepare_int( $c_dest_bug_id );
+		$c_relationship_type = db_prepare_int( $c_relationship_type );
+
 		$t_mantis_bug_relationship_table = config_get( 'mantis_bug_relationship_table' );
 
 		$query = "INSERT INTO $t_mantis_bug_relationship_table
-				( id, source_bug_id, destination_bug_id, relationship_type )
+				( source_bug_id, destination_bug_id, relationship_type )
 				VALUES
-				( null, '$p_src_bug_id', '$p_dest_bug_id', '$p_relationship_type' )";
+				( '$c_src_bug_id', '$c_dest_bug_id', '$c_relationship_type' )";
 		return db_query( $query );
 	}
 	# --------------------
 	function relationship_update( $p_relation_id, $p_src_bug_id, $p_dest_bug_id, $p_relationship_type ) {
+		$c_relation_id = db_prepare_int( $p_relation_id );
+		$c_src_bug_id = db_prepare_int( $p_src_bug_id );
+		$c_dest_bug_id = db_prepare_int( $p_dest_bug_id );
+		$c_relationship_type = db_prepare_int( $p_relationship_type );
+
 		$t_mantis_bug_relationship_table = config_get( 'mantis_bug_relationship_table' );
 
 		$query = "UPDATE $t_mantis_bug_relationship_table
-				SET source_bug_id='$p_src_bug_id',
-					destination_bug_id='$p_dest_bug_id',
-					relationship_type='$p_relationship_type'
-				WHERE id='$p_relation_id'";
+				SET source_bug_id='$c_src_bug_id',
+					destination_bug_id='$c_dest_bug_id',
+					relationship_type='$c_relationship_type'
+				WHERE id='$c_relation_id'";
 		return db_query( $query );
 	}
 	# --------------------
 	function relationship_delete( $p_relation_id ) {
+		$c_relation_id = db_prepare_int( $p_relation_id );
+
 		$t_mantis_bug_relationship_table = config_get( 'mantis_bug_relationship_table' );
 
 		$query = "DELETE FROM $t_mantis_bug_relationship_table
-				WHERE id='$p_relation_id'";
-		return db_query( $query );
+				WHERE id='$c_relation_id'";
+		return db_query( $query, 1 );
 	}
 	# --------------------
 	function relationship_fetch( $p_relation_id ) {
+		$c_relation_id = db_prepare_int( $p_relation_id );
+
 		$t_mantis_bug_relationship_table = config_get( 'mantis_bug_relationship_table' );
 
 		$query = "SELECT *
 				FROM $t_mantis_bug_relationship_table
-				WHERE id='$p_relation_id'";
-		$result = db_query( $query );
+				WHERE id='$c_relation_id'";
+		$result = db_query( $query, 1 );
 		return db_fetch_array( $result );
 	}
 	# --------------------
 	function relationship_fetch_all_src( $p_src_bug_id ) {
+		$c_src_bug_id = db_prepare_int( $p_src_bug_id );
+
 		$t_mantis_bug_relationship_table = config_get( 'mantis_bug_relationship_table' );
 
 		$query = "SELECT *
 				FROM $t_mantis_bug_relationship_table
-				WHERE source_bug_id='$p_src_bug_id'
-				ORDER BY relationship_type";
+				WHERE source_bug_id='$c_src_bug_id'
+				ORDER BY relationship_type, destination_bug_id";
 		return db_query( $query );
 	}
 	# --------------------
 	function relationship_fetch_all_dest( $p_src_bug_id ) {
+		$c_src_bug_id = db_prepare_int( $p_src_bug_id );
+
 		$t_mantis_bug_relationship_table = config_get( 'mantis_bug_relationship_table' );
 
 		$query = "SELECT *
 				FROM $t_mantis_bug_relationship_table
-				WHERE destination_bug_id='$p_src_bug_id'
-				ORDER BY relationship_type";
+				WHERE destination_bug_id='$c_src_bug_id'
+				ORDER BY relationship_type, source_bug_id";
 		return db_query( $query );
 	}
 	# --------------------