diff options
author | Bernhard Posselt <nukeawhale@gmail.com> | 2013-04-06 17:56:24 +0200 |
---|---|---|
committer | Bernhard Posselt <nukeawhale@gmail.com> | 2013-04-06 17:56:24 +0200 |
commit | 050d866f546f380ad986b6da26e6871a59d17a2b (patch) | |
tree | d734c7cebd6a7be7d22e32d0b4f84d68f803d4af /db/feedmapper.php | |
parent | 4b169b4561dd752cfe717e17a66bc3cf61f7627d (diff) |
added warnings for future devs to not run into sql injection mistakes
Diffstat (limited to 'db/feedmapper.php')
-rw-r--r-- | db/feedmapper.php | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/db/feedmapper.php b/db/feedmapper.php index 3c931aabb..ba4b9a5c8 100644 --- a/db/feedmapper.php +++ b/db/feedmapper.php @@ -43,6 +43,10 @@ class FeedMapper extends Mapper implements IMapper { 'FROM `*PREFIX*news_feeds` `feeds` ' . 'LEFT JOIN `*PREFIX*news_items` `items` ' . 'ON `feeds`.`id` = `items`.`feed_id` ' . + // WARNING: this is a desperate attempt at making this query work + // because prepared statements dont work. This is a possible + // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH. + // think twice when chaning this 'AND (`items`.`status` & ' . StatusFlag::UNREAD . ') = ' . StatusFlag::UNREAD . ' ' . 'WHERE `feeds`.`id` = ? ' . @@ -76,7 +80,11 @@ class FeedMapper extends Mapper implements IMapper { $sql = 'SELECT `feeds`.*, COUNT(`items`.`id`) AS `unread_count` ' . 'FROM `*PREFIX*news_feeds` `feeds` ' . 'LEFT JOIN `*PREFIX*news_items` `items` ' . - 'ON `feeds`.`id` = `items`.`feed_id` ' . + 'ON `feeds`.`id` = `items`.`feed_id` ' . + // WARNING: this is a desperate attempt at making this query work + // because prepared statements dont work. This is a possible + // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH. + // think twice when chaning this 'AND (`items`.`status` & ' . StatusFlag::UNREAD . ') = ' . StatusFlag::UNREAD . ' ' . 'WHERE `feeds`.`user_id` = ? ' . @@ -99,6 +107,10 @@ class FeedMapper extends Mapper implements IMapper { 'FROM `*PREFIX*news_feeds` `feeds` ' . 'LEFT JOIN `*PREFIX*news_items` `items` ' . 'ON `feeds`.`id` = `items`.`feed_id` ' . + // WARNING: this is a desperate attempt at making this query work + // because prepared statements dont work. This is a possible + // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH. + // think twice when chaning this 'AND (`items`.`status` & ' . StatusFlag::UNREAD . ') = ' . StatusFlag::UNREAD . ' ' . 'WHERE `feeds`.`url_hash` = ? ' . |