authorBernhard Posselt <dev@bernhard-posselt.com>2015-03-20 20:00:29 +0100
committerBernhard Posselt <dev@bernhard-posselt.com>2015-03-21 13:36:50 +0100
commit4dfafc5910baec90c9bc58aa61c1103dd41f13fe (patch)
tree34f9ffbcf2a8a8cbd792d5cb38ef4bb4ded39bbc /db
parentc0dda27f2078de4c3adcf345383ba423c233fe9f (diff)
add a search parameter to the find all queries
Diffstat (limited to 'db')
-rw-r--r--db/itemmapper.php56
1 files changed, 35 insertions, 21 deletions
diff --git a/db/itemmapper.php b/db/itemmapper.php
index cc34ddd9d..b93bfb007 100644
--- a/db/itemmapper.php
+++ b/db/itemmapper.php
@@ -44,24 +44,30 @@ class ItemMapper extends NewsMapper {
}
private function makeSelectQueryStatus($prependTo, $status,
- $oldestFirst=false) {
- // Hi this is Ray and you're watching Jack Ass
- // Now look closely: this is how we adults handle weird bugs in our
- // code: we take them variables and we cast the shit out of them
+ $oldestFirst=false, $search=[]) {
$status = (int) $status;
- // now im gonna slowly stick them in the query, be careful!
- return $this->makeSelectQuery(
+ // WARNING: Potential SQL injection if you change this carelessly
+ $sql = 'AND ((`items`.`status` & ' . $status . ') = ' . $status . ') ';
- // WARNING: this is a desperate attempt at making this query work
- // because prepared statements dont work. This is a possible
- // SQL INJECTION RISK WHEN MODIFIED WITHOUT THOUGHT.
- // think twice when changing this
- 'AND ((`items`.`status` & ' . $status . ') = ' . $status . ') ' .
- $prependTo, $oldestFirst
- );
+ foreach ($search as $_) {
+ $sql .= 'AND `items`.`search_index` LIKE ? ';
+ }
+
+ $sql .= $prependTo;
+
+ return $this->makeSelectQuery($sql, $oldestFirst);
}
+ /**
+ * wrap and escape search parameters in a like statement
+ */
+ private function buildLikeParameters($search=[]) {
+ return array_map(function ($param) {
+ $param = addcslashes($param, '\\_%');
+ return '%' . $param . '%';
+ }, $search);
+ }
public function find($id, $userId){
$sql = $this->makeSelectQuery('AND `items`.`id` = ? ');
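Review bot: The backslash escaping in buildLikeParameters only takes effect if the database treats `\` as the LIKE escape character, and the `LIKE ?` fragment appended in makeSelectQueryStatus declares no `ESCAPE` clause; MySQL and PostgreSQL default to backslash, but SQLite has no default escape character, so there a user-supplied `%` or `_` still acts as a wildcard and the inserted backslash has to match literally. Either add an explicit `ESCAPE` clause to the fragment (the quoting of the backslash literal differs per backend) or at least record the assumption next to the array_map, e.g. `// relies on '\' being the LIKE escape character (MySQL/PostgreSQL default, not SQLite)`. Because each term is bound as a parameter this is a pattern-matching problem, not an injection risk, so the WARNING comment above the status cast is still accurate as written. makeSelectQueryStatus gained `$search` without a docblock; a `@param string[] $search terms, each bound to one LIKE placeholder and ANDed together` line would make the dependency between this loop and the parameter order assembled by the callers explicit. The number of terms is also unbounded and each one adds a leading-wildcard LIKE that cannot use an index, so a cap on the caller side may be worth considering.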
@@ -183,42 +189,50 @@ class ItemMapper extends NewsMapper {
public function findAllFeed($id, $limit, $offset, $status, $oldestFirst,
- $userId){
- $params = [$userId, $id];
+ $userId, $search=[]){
+ $params = [$userId];
+ $params = array_merge($params, $this->buildLikeParameters($search));
+ $params[] = $id;
+
$sql = 'AND `items`.`feed_id` = ? ';
if($offset !== 0){
$sql .= 'AND `items`.`id` ' .
$this->getOperator($oldestFirst) . ' ? ';
$params[] = $offset;
}
- $sql = $this->makeSelectQueryStatus($sql, $status, $oldestFirst);
+ $sql = $this->makeSelectQueryStatus($sql, $status, $oldestFirst, $search);
return $this->findEntitiesIgnoringNegativeLimit($sql, $params, $limit);
}
public function findAllFolder($id, $limit, $offset, $status, $oldestFirst,
- $userId){
- $params = [$userId, $id];
+ $userId, $search=[]){
+ $params = [$userId];
+ $params = array_merge($params, $this->buildLikeParameters($search));
+ $params[] = $id;
+
$sql = 'AND `feeds`.`folder_id` = ? ';
if($offset !== 0){
$sql .= 'AND `items`.`id` ' .
$this->getOperator($oldestFirst) . ' ? ';
$params[] = $offset;
}
- $sql = $this->makeSelectQueryStatus($sql, $status, $oldestFirst);
+ $sql = $this->makeSelectQueryStatus($sql, $status, $oldestFirst, $search);
return $this->findEntitiesIgnoringNegativeLimit($sql, $params, $limit);
}
- public function findAll($limit, $offset, $status, $oldestFirst, $userId){
+ public function findAll($limit, $offset, $status, $oldestFirst, $userId,
+ $search=[]){
$params = [$userId];
+ $params = array_merge($params, $this->buildLikeParameters($search));
$sql = '';
if($offset !== 0){
$sql .= 'AND `items`.`id` ' .
$this->getOperator($oldestFirst) . ' ? ';
$params[] = $offset;
}
- $sql = $this->makeSelectQueryStatus($sql, $status, $oldestFirst);
+ $sql = $this->makeSelectQueryStatus($sql, $status, $oldestFirst, $search);
return $this->findEntitiesIgnoringNegativeLimit($sql, $params, $limit);
}
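Review bot: The parameter lists built in findAllFeed, findAllFolder and findAll rely on makeSelectQueryStatus emitting its `LIKE ?` placeholders after the base query's user-id placeholder (presumably inside makeSelectQuery, outside this hunk) and before `$prependTo`, so `$userId`, the like patterns, `$id` and `$offset` must be pushed in exactly that order; the code does this, but nothing says so, and reordering either side would bind values to the wrong columns without any error. A comment at the first occurrence, `// order must mirror the placeholders: user id, one per search term, then the prependTo fragment (feed/folder id, offset)`, would pin that down. The two-step `$params = [$userId]; $params = array_merge($params, ...)` can be written as `$params = array_merge([$userId], $this->buildLikeParameters($search));` in all three methods. `$search` is undocumented in all three signatures; a `@param string[] $search` line makes clear that a list rather than a single string is expected, since a string would make buildLikeParameters fail at array_map.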