authorBernhard Posselt <nukeawhale@gmail.com>2013-04-06 17:56:24 +0200
committerBernhard Posselt <nukeawhale@gmail.com>2013-04-06 17:56:24 +0200
commit050d866f546f380ad986b6da26e6871a59d17a2b (patch)
treed734c7cebd6a7be7d22e32d0b4f84d68f803d4af /db
parent4b169b4561dd752cfe717e17a66bc3cf61f7627d (diff)
Added warnings so that future developers do not run into SQL injection mistakes
Diffstat (limited to 'db')
-rw-r--r--db/feedmapper.php14
-rw-r--r--db/itemmapper.php9
2 files changed, 22 insertions, 1 deletions
diff --git a/db/feedmapper.php b/db/feedmapper.php
index 3c931aabb..ba4b9a5c8 100644
--- a/db/feedmapper.php
+++ b/db/feedmapper.php
@@ -43,6 +43,10 @@ class FeedMapper extends Mapper implements IMapper {
'FROM `*PREFIX*news_feeds` `feeds` ' .
'LEFT JOIN `*PREFIX*news_items` `items` ' .
'ON `feeds`.`id` = `items`.`feed_id` ' .
+ // WARNING: this is a desperate attempt at making this query work
+ // because prepared statements dont work. This is a possible
+ // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+ // think twice when chaning this
'AND (`items`.`status` & ' . StatusFlag::UNREAD . ') = ' .
StatusFlag::UNREAD . ' ' .
'WHERE `feeds`.`id` = ? ' .
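Review bot: The added warning comment has three typos that undercut its purpose — `dont`, `WITHOUT THOUGH` and `chaning` — and the same four lines are repeated verbatim in the hunks at @@ -76 and @@ -99 of this file and in both db/itemmapper.php hunks, so all five copies need the same fix. More useful than a generic warning would be stating the invariant that keeps this spot safe, since the value spliced into the SQL text here is the class constant StatusFlag::UNREAD and not a caller-supplied value, e.g. `// StatusFlag::UNREAD is a class constant spliced into the SQL text; it must stay an integer constant here — never substitute a caller-supplied value.` The comment also says prepared statements "dont work" without saying why; if the concrete limitation is known, record it so a future reader can re-check whether it still applies. The enclosing method starts and ends outside the hunk.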
@@ -76,7 +80,11 @@ class FeedMapper extends Mapper implements IMapper {
$sql = 'SELECT `feeds`.*, COUNT(`items`.`id`) AS `unread_count` ' .
'FROM `*PREFIX*news_feeds` `feeds` ' .
'LEFT JOIN `*PREFIX*news_items` `items` ' .
- 'ON `feeds`.`id` = `items`.`feed_id` ' .
+ 'ON `feeds`.`id` = `items`.`feed_id` ' .
+ // WARNING: this is a desperate attempt at making this query work
+ // because prepared statements dont work. This is a possible
+ // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+ // think twice when chaning this
'AND (`items`.`status` & ' . StatusFlag::UNREAD . ') = ' .
StatusFlag::UNREAD . ' ' .
'WHERE `feeds`.`user_id` = ? ' .
@@ -99,6 +107,10 @@ class FeedMapper extends Mapper implements IMapper {
'FROM `*PREFIX*news_feeds` `feeds` ' .
'LEFT JOIN `*PREFIX*news_items` `items` ' .
'ON `feeds`.`id` = `items`.`feed_id` ' .
+ // WARNING: this is a desperate attempt at making this query work
+ // because prepared statements dont work. This is a possible
+ // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+ // think twice when chaning this
'AND (`items`.`status` & ' . StatusFlag::UNREAD . ') = ' .
StatusFlag::UNREAD . ' ' .
'WHERE `feeds`.`url_hash` = ? ' .
diff --git a/db/itemmapper.php b/db/itemmapper.php
index daff18466..e2850e725 100644
--- a/db/itemmapper.php
+++ b/db/itemmapper.php
@@ -72,6 +72,11 @@ class ItemMapper extends Mapper implements IMapper {
// now im gonna slowly stick them in the query, be careful!
return $this->makeSelectQuery(
+
+ // WARNING: this is a desperate attempt at making this query work
+ // because prepared statements dont work. This is a possible
+ // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+ // think twice when chaning this
'AND ((`items`.`status` & ' . $status . ') = ' . $status . ') ' .
$prependTo
);
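Review bot: The `$status` value concatenated on the line starting with `'AND ((` is a variable spliced into the SQL text, unlike the class constants in db/feedmapper.php, so this is the spot where the new warning actually matters; casting at the point of concatenation, i.e. replacing both occurrences of `$status` on that line with `(int) $status`, keeps the query well-formed regardless of what a future caller passes. Whatever validation precedes this is outside the hunk (the method begins before it, and the comment on the first context line suggests some preparation happens earlier), so I cannot tell whether `$status` is already guaranteed to be an int. The added empty `+` line directly inside the makeSelectQuery( argument list is stray whitespace and could be dropped.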
@@ -94,6 +99,10 @@ class ItemMapper extends Mapper implements IMapper {
'JOIN `*PREFIX*news_items` `items` ' .
'ON `items`.`feed_id` = `feeds`.`id` ' .
'AND `feeds`.`user_id` = ? ' .
+ // WARNING: this is a desperate attempt at making this query work
+ // because prepared statements dont work. This is a possible
+ // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGH.
+ // think twice when chaning this
'WHERE ((`items`.`status` & ' . StatusFlag::STARRED . ') = ' .
StatusFlag::STARRED . ')';