prevent SQL-injection
mrtnmtth committed Jan 30, 2016
1 parent 4cc0816 commit 27c1b44
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions helper.php
Expand Up @@ -20,17 +20,17 @@ public static function getStatsByType($year) {
if (($year > $latest) or !(ctype_digit($year)))
$year = $latest;

$db = JFactory::getDbo();
$query =
'SELECT arten.title AS label,
count(data1) AS value,
arten.marker AS color
FROM #__eiko_einsatzberichte AS berichte
INNER JOIN #__eiko_einsatzarten AS arten
ON berichte.data1=arten.id
WHERE berichte.state=1 AND berichte.date1 LIKE \''.$year.'%\'
WHERE berichte.state=1 AND berichte.date1 LIKE '.$db->quote($year.'%').'
GROUP BY data1
ORDER BY arten.ordering;';
//TODO mucho importante: Prevent SQL injection
$result = self::executeQuery($query, 1);
foreach ($result as $i) {
$i->highlight = $i->color;
Expand All @@ -43,7 +43,8 @@ public static function getStatsByType($year) {
public static function getAjax() {
// get data from Ajax request
$input = JFactory::getApplication()->input;
$data = $input->get('data');
// only allow unsigned integers
$data = $input->get('data', date('Y'), 'UINT');

return json_encode(self::getStatsByType($data));
}
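Review bot: `$db->quote($year.'%')` on the new WHERE line escapes quote characters but not the LIKE wildcards `%` and `_`, so the query still relies on the `ctype_digit($year)` guard a few lines above to keep those characters out of `$year`; that dependency deserves a comment at the quote call, e.g. `// quote() does not escape LIKE wildcards; the ctype_digit guard above keeps % and _ out of $year`. The second hunk now hands getStatsByType an int from the 'UINT' filter, and ctype_digit given an int below 256 tests the ASCII code rather than the decimal digits, so the guard would be more robust for every caller as `ctype_digit((string) $year)`. getStatsByType begins before the first hunk and `$latest` is computed outside it, so the fallback `$year = $latest` could not be checked here.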
