added warnings for future devs to not run into sql injection mistakes

author: Bernhard Posselt <nukeawhale@gmail.com> 2013-04-06 17:56:24 +0200
committer: Bernhard Posselt <nukeawhale@gmail.com> 2013-04-06 17:56:24 +0200
commit: 050d866f546f380ad986b6da26e6871a59d17a2b (patch)
tree: d734c7cebd6a7be7d22e32d0b4f84d68f803d4af /db/itemmapper.php
parent: 4b169b4561dd752cfe717e17a66bc3cf61f7627d (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/db/itemmapper.php b/db/itemmapper.php
index daff18466..e2850e725 100644
--- a/db/itemmapper.php
+++ b/db/itemmapper.php
@@ -72,6 +72,11 @@ class ItemMapper extends Mapper implements IMapper {
 
 		// now im gonna slowly stick them in the query, be careful!
 		return $this->makeSelectQuery(
+			
+			// WARNING: this is a desperate attempt at making this query work
+			// because prepared statements dont work. This is a possible 
+			// SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+			// think twice when chaning this
 			'AND ((`items`.`status` & ' . $status . ') = ' . $status . ') ' .
 			$prependTo
 		);
@@ -94,6 +99,10 @@ class ItemMapper extends Mapper implements IMapper {
 			'JOIN `*PREFIX*news_items` `items` ' .
 				'ON `items`.`feed_id` = `feeds`.`id` ' .
 				'AND `feeds`.`user_id` = ? ' .
+			// WARNING: this is a desperate attempt at making this query work
+			// because prepared statements dont work. This is a possible 
+			// SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+			// think twice when chaning this
 			'WHERE ((`items`.`status` & ' . StatusFlag::STARRED . ') = ' . 
 				StatusFlag::STARRED . ')';
author	Bernhard Posselt <nukeawhale@gmail.com>	2013-04-06 17:56:24 +0200
committer	Bernhard Posselt <nukeawhale@gmail.com>	2013-04-06 17:56:24 +0200
commit	050d866f546f380ad986b6da26e6871a59d17a2b (patch)
tree	d734c7cebd6a7be7d22e32d0b4f84d68f803d4af /db/itemmapper.php
parent	4b169b4561dd752cfe717e17a66bc3cf61f7627d (diff)