aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBart Visscher <bartv@thisnet.nl>2012-08-07 21:49:04 +0200
committerBart Visscher <bartv@thisnet.nl>2012-08-07 21:49:31 +0200
commitb287b11ff239bdb11672afbb10a5dcd5ab85a86e (patch)
tree1492f805b0b80ad768c34e0bf0bb0ca05e6c5aa7
parent9580d0ef290c5ba2431e6c2c52c7a6d660b031ec (diff)
downloadnextcloud-server-b287b11ff239bdb11672afbb10a5dcd5ab85a86e.tar.gz
nextcloud-server-b287b11ff239bdb11672afbb10a5dcd5ab85a86e.zip
adjust the query generation in getItems, to use placeholders
-rw-r--r--lib/public/share.php44
1 files changed, 31 insertions, 13 deletions
diff --git a/lib/public/share.php b/lib/public/share.php
index 4838f9a4d30..0a5c4ce7793 100644
--- a/lib/public/share.php
+++ b/lib/public/share.php
@@ -440,26 +440,39 @@ class Share {
$root = \OC_Filesystem::getRoot();
// If includeCollections is true, find collections of this item type, e.g. a music album contains songs
if ($includeCollections && !isset($item) && $collectionTypes = self::getCollectionItemTypes($itemType)) {
- $where = "WHERE item_type IN ('".implode("','", array_merge(array($itemType), $collectionTypes))."')";
+ $item_types = array_merge(array($itemType), $collectionTypes);
+ $placeholders = join(',', array_fill(0, count($item_types), '?'));
+ $where = "WHERE item_type IN ('".$placeholders."')";
+ $query_args = $item_types;
} else {
- $where = "WHERE item_type = '".$itemType."'";
+ $where = "WHERE item_type = ?";
+ $query_args = array($itemType);
}
if (isset($shareType) && isset($shareWith)) {
// Include all user and group items
if ($shareType == self::$shareTypeUserAndGroups) {
- $where .= " AND share_type IN (".self::SHARE_TYPE_USER.",".self::SHARE_TYPE_GROUP.",".self::$shareTypeGroupUserUnique.")";
+ $where .= " AND share_type IN (?,?,?)";
+ $query_args[] = self::SHARE_TYPE_USER;
+ $query_args[] = self::SHARE_TYPE_GROUP;
+ $query_args[] = self::$shareTypeGroupUserUnique;
$groups = \OC_Group::getUserGroups($shareWith);
$userAndGroups = array_merge(array($shareWith), $groups);
- $where .= " AND share_with IN ('".implode("','", $userAndGroups)."')";
+ $placeholders = join(',', array_fill(0, count($userAndGroups), '?'));
+ $where .= " AND share_with IN (".$placeholders.")";
+ $query_args = array_merge($query_args, $userAndGroups);
} else {
- $where .= " AND share_type = ".$shareType." AND share_with = '".$shareWith."'";
+ $where .= " AND share_type = ? AND share_with = ?";
+ $query_args[] = $shareType;
+ $query_args[] = $shareWith;
}
}
if (isset($uidOwner)) {
- $where .= " AND uid_owner = '".$uidOwner."'";
+ $where .= " AND uid_owner = ?";
+ $query_args[] = $uidOwner;
if (!isset($shareType)) {
// Prevent unique user targets for group shares from being selected
- $where .= " AND share_type != '".self::$shareTypeGroupUserUnique."'";
+ $where .= " AND share_type != ?";
+ $query_args[] = self::$shareTypeGroupUserUnique;
}
if ($itemType == 'file' || $itemType == 'folder') {
$where = "INNER JOIN *PREFIX*fscache ON file_source = *PREFIX*fscache.id ".$where;
@@ -479,19 +492,24 @@ class Share {
if (isset($uidOwner)) {
// If item type is a file, file source needs to be checked in case the item was converted
if ($itemType == 'file' || $itemType == 'folder') {
- $where .= " AND path = '".$root.$item."'";
+ $where .= " AND path = ?";
+ $query_args[] = $root.$item;
} else {
- $where .= " AND item_source = '".$item."'";
+ $where .= " AND item_source = ?";
+ $query_args[] = $item;
}
} else {
if ($itemType == 'file' || $itemType == 'folder') {
- $where .= " AND file_target = '".$item."'";
+ $where .= " AND file_target = ?";
} else {
- $where .= " AND item_target = '".$item."'";
+ $where .= " AND item_target = ?";
}
+ $query_args[] = $item;
}
if ($includeCollections && $collectionTypes = self::getCollectionItemTypes($itemType)) {
- $where .= " OR item_type IN ('".implode("','", $collectionTypes)."')";
+ $placeholders = join(',', array_fill(0, count($collectionTypes), '?'));
+ $where .= " OR item_type IN ('".$placeholders."')";
+ $query_args = array_merge($query_args, $collectionTypes);
}
}
if ($limit != -1 && !$includeCollections) {
@@ -521,7 +539,7 @@ class Share {
}
$root = strlen($root);
$query = \OC_DB::prepare('SELECT '.$select.' FROM *PREFIX*share '.$where);
- $result = $query->execute();
+ $result = $query->execute($query_args);
$items = array();
while ($row = $result->fetchRow()) {
// Remove root from file source paths