author | Bernhard Posselt <dev@bernhard-posselt.com> | 2015-11-30 21:04:55 +0100 |
committer | Bernhard Posselt <dev@bernhard-posselt.com> | 2016-01-17 18:18:39 +0100 |
commit | 2bbd1e10a8a315c715095eed6536b6b319aeb974 (patch) | |
tree | d31ae5d0b83305b7bc47dc08271920181a5219cc /db | |
parent | 646b5296843de0815c47fe809178613a5b4fafaa (diff) |
fix various things
Diffstat (limited to 'db')
-rw-r--r-- | db/newsmapper.php | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/db/newsmapper.php b/db/newsmapper.php
index a36956b16..fd0408f77 100644
--- a/db/newsmapper.php
+++ b/db/newsmapper.php
@@ -33,14 +33,27 @@ abstract class NewsMapper extends Mapper {
 * Performs a SELECT query with all arguments appened to the WHERE clause
 * The SELECT will be performed on the current table and take the entity
 * that is related for transforming the properties into column names
+ *
+ * Important: This method does not filter marked as deleted rows!
+ *
 * @param array $search an assoc array from property to filter value
+ * @param int $limit
+ * @paran int $offset
 * @return array
 */
- public function where(array $search) {
+ public function where(array $search=[], $limit=null, $offset=null) {
 $entity = new $this->entityClass;
 // turn keys into sql query filter, e.g. feedId -> feed_id = :feedId
 $filter = array_map(function ($property) use ($entity) {
+ // check if the property actually exists on the entity to prevent
+ // accidental Sql injection
+ if (!property_exists($entity, $property)) {
+ $msg = 'Property ' . $property . ' does not exist on ' . $this->entityClass;
+ throw new \BadFunctionCallException($msg);
+ }
+
 $column = $entity->propertyToColumn($property);
 return $column . ' = :' . $property;
 }, array_keys($search));
@@ -53,7 +66,7 @@ abstract class NewsMapper extends Mapper {
 $sql .= 'WHERE ' . $andStatement;
 }
- return $this->findEntities($sql, $search);
+ return $this->findEntities($sql, $search, $limit, $offset);
 }
 }
\ No newline at end of file |
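Review bot: The new docblock line `@paran int $offset` is a typo that PHPDoc tooling will not recognise as a parameter tag; it should read `@param int|null $offset`, and `@param int $limit` should likewise say `int|null`, since both parameters default to null in the new signature. The exception thrown by the new guard is also a slight mismatch: `\BadFunctionCallException` is intended for calls to undefined functions or methods, whereas an unknown property name is an argument error, so `throw new \InvalidArgumentException($msg);` would describe the failure more accurately for callers that catch it. The guard itself is well placed, because `$property` is concatenated into both the column name and the `:placeholder` name and would otherwise reach the SQL string unvalidated; note that `property_exists` also accepts private and protected properties, which is fine as long as every declared property of the entity maps to a real column. The second hunk forwards `$limit` and `$offset` unchanged to `findEntities`; whether that method validates them as integers is outside this diff and worth confirming, as they are also untyped here.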