
Prevent any security problems with order by

This commit is contained in:
Brice Maron 2013-04-23 21:59:52 +02:00
parent b4447b1e9f
commit 4a75293711


@ -81,7 +81,10 @@ class OC_Bookmarks_Bookmarks{
public static function findBookmarks($offset, $sqlSortColumn, $filters, $filterTagOnly, $limit = 10) { public static function findBookmarks($offset, $sqlSortColumn, $filters, $filterTagOnly, $limit = 10) {
$CONFIG_DBTYPE = OCP\Config::getSystemValue( 'dbtype', 'sqlite' ); $CONFIG_DBTYPE = OCP\Config::getSystemValue( 'dbtype', 'sqlite' );
if(is_string($filters)) $filters = array($filters); if(is_string($filters)) $filters = array($filters);
if(! in_array($sqlSortColumn, array('id', 'url', 'title', 'user_id',
'description', 'public', 'added', 'lastmodified','clickcount',))) {
$sqlSortColumn = 'bookmarks_sorting_recent';
}
$params=array(OCP\USER::getUser()); $params=array(OCP\USER::getUser());
if($CONFIG_DBTYPE == 'pgsql') { if($CONFIG_DBTYPE == 'pgsql') {
@ -109,6 +112,7 @@ class OC_Bookmarks_Bookmarks{
$params[] = '%' . strtolower($filter) . '%'; $params[] = '%' . strtolower($filter) . '%';
} }
} }
$sql .= " ORDER BY ".$sqlSortColumn." DESC "; $sql .= " ORDER BY ".$sqlSortColumn." DESC ";
if($limit == -1 || $limit === false) { if($limit == -1 || $limit === false) {
$limit = null; $limit = null;
@ -143,17 +147,17 @@ class OC_Bookmarks_Bookmarks{
$query = OCP\DB::prepare(" $query = OCP\DB::prepare("
DELETE FROM `*PREFIX*bookmarks` DELETE FROM `*PREFIX*bookmarks`
WHERE `id` = $id WHERE `id` = ?
"); ");
$result = $query->execute(); $result = $query->execute(array($id));
$query = OCP\DB::prepare(" $query = OCP\DB::prepare("
DELETE FROM `*PREFIX*bookmarks_tags` DELETE FROM `*PREFIX*bookmarks_tags`
WHERE `bookmark_id` = $id WHERE `bookmark_id` = ?
"); ");
$result = $query->execute(); $result = $query->execute(array($id));
return true; return true;
} }
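Review bot: The new whitelist check in findBookmarks calls `in_array()` without the strict flag, so the column name is matched by loose comparison; none of the whitelisted names are numeric strings, so this is not exploitable as written, but a security gate should not depend on that property of the list, and `if(! in_array($sqlSortColumn, array('id', 'url', 'title', 'user_id', 'description', 'public', 'added', 'lastmodified', 'clickcount'), true)) {` closes the gap at no cost. The fallback value `bookmarks_sorting_recent` is not itself a column in the list and is presumably an alias defined in the SELECT built further up the function, outside this hunk; a one-line comment such as `// fall back to the sort alias defined in the SELECT above` would make that dependency visible to the next reader. The whitelist is the right fix for ORDER BY since identifiers cannot be bound as parameters; a comment saying so, e.g. `// ORDER BY cannot be parameterised, so only accept known column names`, would stop a later maintainer from "simplifying" it back to a bound value. findBookmarks starts and ends outside the hunk, and the delete routine in the last hunk also starts outside it, so whether `$id` is verified to belong to the current user before the two DELETEs cannot be seen here and should be confirmed; both `$result` values there are still ignored before `return true`.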