author | Bernhard Posselt <nukeawhale@gmail.com> | 2013-04-06 17:56:24 +0200 |
---|---|---|
committer | Bernhard Posselt <nukeawhale@gmail.com> | 2013-04-06 17:56:24 +0200 |
commit | 050d866f546f380ad986b6da26e6871a59d17a2b (patch) | |
tree | d734c7cebd6a7be7d22e32d0b4f84d68f803d4af /db/itemmapper.php | |
parent | 4b169b4561dd752cfe717e17a66bc3cf61f7627d (diff) |
added warnings for future devs to not run into sql injection mistakes
Diffstat (limited to 'db/itemmapper.php')
-rw-r--r-- | db/itemmapper.php | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/db/itemmapper.php b/db/itemmapper.php
index daff18466..e2850e725 100644
--- a/db/itemmapper.php
+++ b/db/itemmapper.php
@@ -72,6 +72,11 @@ class ItemMapper extends Mapper implements IMapper {
 // now im gonna slowly stick them in the query, be careful!
 return $this->makeSelectQuery(
+
+ // WARNING: this is a desperate attempt at making this query work
+ // because prepared statements dont work. This is a possible
+ // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+ // think twice when chaning this
 'AND ((`items`.`status` & ' . $status . ') = ' . $status . ') ' . $prependTo );
@@ -94,6 +99,10 @@ class ItemMapper extends Mapper implements IMapper {
 'JOIN `*PREFIX*news_items` `items` ' .
 'ON `items`.`feed_id` = `feeds`.`id` ' .
 'AND `feeds`.`user_id` = ? ' .
+ // WARNING: this is a desperate attempt at making this query work
+ // because prepared statements dont work. This is a possible
+ // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+ // think twice when chaning this
 'WHERE ((`items`.`status` & ' . StatusFlag::STARRED . ') = ' . StatusFlag::STARRED . ')'; |
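Review bot: The warning added above the `makeSelectQuery(` argument documents the `$status` concatenation but does nothing to make it safe; since `$status` is used as an integer bitmask in `(`items`.`status` & ...)`, coercing it before it reaches the string removes the injection risk however callers pass it, e.g. `$status = (int) $status;` immediately before the `return`. With that line in place the comment should state the invariant instead of a generic alarm: `// $status is cast to int above, so concatenating it here cannot inject SQL`. `$prependTo` is concatenated unescaped on the same line; if it can carry caller-supplied text it needs the same scrutiny, which cannot be judged from this hunk. The new comment also has typos (`WITHOUT THOUGH` should be `WITHOUT THOUGHT`, `chaning` should be `changing`), and the enclosing method's signature and the code that computes `$status` lie outside the hunk.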
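Review bot: The warning inserted before the `'WHERE ((`items`.`status` & ' . StatusFlag::STARRED` line overstates the risk at that spot: what is concatenated is a class constant, not a request value, so this statement is not injectable unless someone later substitutes a variable for the constant. A comment naming that invariant is more useful to the next maintainer than an all-caps alarm, e.g. `// StatusFlag::STARRED is a class constant, not input; never swap in a runtime value here without casting it to int`. The `?` placeholder on the preceding `'AND `feeds`.`user_id` = ? '` context line shows parameter binding does work for this query, which sits oddly with the claim that "prepared statements dont work" — if binding only failed for the bitmask operand, the comment should say that. The same typos as in the first hunk (`THOUGH`, `chaning`) recur here, and the surrounding method begins and ends outside the hunk.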