sotre is sql-injection-safe as we work now with pdo->prepare

tynx · Mar 27, 2015 · 66d4718 · 66d4718
1 parent 039d04f
commit 66d4718
Showing 1 changed file with 34 additions and 26 deletions.
diff --git a/backend/base/Store.class.php b/backend/base/Store.class.php
@@ -34,13 +34,14 @@ private function packValue($value){
 	public function getById($table, $id){
 		$query = 'SELECT * FROM `wuersch`.`' . $table . '` WHERE ';
 		if(!is_numeric($id) && strlen($id)==32){
-			$query .= '`id_md5`="' . $id . '"';
+			$query .= '`id_md5`=?';
 		}else{
-			$query .= '`id`=' . $id;
+			$query .= '`id`=?';
 		}
-		$sth = Store::$pdo->prepare($query . ';');
-		$sth->execute();
-		$result = $sth->fetchAll(PDO::FETCH_CLASS, ucfirst($table));
+		$stmt = Store::$pdo->prepare($query . ';');
+		$stmt->bindParam(1, $id);
+		$stmt->execute();
+		$result = $stmt->fetchAll(PDO::FETCH_CLASS, ucfirst($table));
 		if(count($result) === 1){
 			return $result[0];
 		}
@@ -56,48 +57,55 @@ public function getByCustomQuery($query){
 
 	public function getByColumns($table, $columns, $combination = 'AND'){
 		$query = 'SELECT * FROM `wuersch`.`' . $table . '` WHERE ';
+
 		foreach($columns as $key=>$value){
-			$query .= '`' . $key . '`=';
-			if(is_numeric($value))
-				$query .= $value;
-			else
-				$query .= '"' . $value . '"';
-			$query .= ' ' . $combination . ' ';
+			$query .= '`' . $key . '`=? ' . $combination . ' ';
 		}
 		$query = substr($query, 0, (-2-strlen($combination)));
-		$sth = Store::$pdo->prepare($query . ' LIMIT 100;');
-		$sth->execute();
-		return $sth->fetchAll(PDO::FETCH_CLASS, ucfirst($table));
+		$stmt = Store::$pdo->prepare($query . ';');
+		foreach(array_values($columns) as $i=>$value)
+			$stmt->bindParam($i+1, $value);
+		$stmt->execute();
+		return $stmt->fetchAll(PDO::FETCH_CLASS, ucfirst($table));
 	}
 
 	public function insert($table, $data){
 		if(!is_array($data))
 			return -1;
-		$columns = '`' . implode('`, `', array_keys($data)) . '`';
-		$values = '';
-		foreach($data as $value){
-			$values .= $this->packValue($value) . ', ';
+		$query = 'INSERT INTO `wuersch`.`' . $table . '` (';
+		$query .= '`' . implode('`, `', array_keys($data)) . '`) VALUES (';
+		for($i=0; $i<count($data); $i++){
+			$query .= '?, ';
+		}
+		$query = substr($query, 0, -2) . ');';
+		$stmt = Store::$pdo->prepare($query);
+		foreach(array_values($data) as $i=>$value){
+			$stmt->bindParam($i+1, $value);
 		}
-		$values = substr($values, 0, -2);
-		$result = Store::$pdo->exec('INSERT INTO `wuersch`.`' . $table . '`(' . $columns . ') VALUES(' . $values . ');');
+
+		$result = $stmt->execute();
 		return Store::$pdo->lastInsertId();
 	}
 
 	public function update($table, $id, $data){
 		if(!is_array($data))
 			return false;
 		$columns = '';
+		$query = 'UPDATE `wuersch`.`' . $table . '` SET ';
 		foreach($data as $name=>$value){
-			$columns .= '`' . $name . '`=' . $this->packValue($value) . ', ';
+			$query .= '`' . $name . '`=?, ';
 		}
-		$columns = substr($columns, 0, -2);
-		$query = 'UPDATE `wuersch`.`' . $table . '` SET ' . $columns . ' ';
+		$query = substr($query, 0, -2);
 		if(!is_numeric($id) && strlen($id)==32){
-			$query .= 'WHERE `id_md5`="' . $id . '"';
+			$query .= ' WHERE `id_md5`=?;';
 		}else{
-			$query .= 'WHERE `id`=' . $id;
+			$query .= ' WHERE `id`=?;';
 		}
-		return Store::$pdo->exec($query . ';');
+		$stmt = Store::$pdo->prepare($query);
+		foreach(array_values($data) as $i=>$value)
+			$stmt->bindParam($i+1, $value);
+		$stmt->bindParam(count($data)+1, $id);
+		return $stmt->execute();
 	}
 }