diff --git a/administrator/components/com_fields/Field/FieldgroupsField.php b/administrator/components/com_fields/Field/FieldgroupsField.php index f1812cee5ac5c..f36f5d39174de 100644 --- a/administrator/components/com_fields/Field/FieldgroupsField.php +++ b/administrator/components/com_fields/Field/FieldgroupsField.php @@ -46,12 +46,19 @@ protected function getOptions() $db = Factory::getDbo(); $query = $db->getQuery(true); - $query->select('title AS text, id AS value, state'); - $query->from('#__fields_groups'); - $query->where('state IN (' . implode(',', $states) . ')'); - $query->where('context = ' . $db->quote($context)); - $query->where('access IN (' . implode(',', $viewlevels) . ')'); + $query->select( + [ + $db->quoteName('title', 'text'), + $db->quoteName('id', 'value'), + $db->quoteName('state'), + ] + ); + $query->from($db->quoteName('#__fields_groups')); + $query->whereIn($db->quoteName('state'), $states); + $query->where($db->quoteName('context') . ' = :context'); + $query->whereIn($db->quoteName('access'), $viewlevels); $query->order('ordering asc, id asc'); + $query->bind(':context', $context); $db->setQuery($query); $options = $db->loadObjectList(); diff --git a/administrator/components/com_fields/Helper/FieldsHelper.php b/administrator/components/com_fields/Helper/FieldsHelper.php index 30173178a9bbe..e0c1c24bb5009 100644 --- a/administrator/components/com_fields/Helper/FieldsHelper.php +++ b/administrator/components/com_fields/Helper/FieldsHelper.php @@ -20,6 +20,7 @@ use Joomla\CMS\Object\CMSObject; use Joomla\CMS\Plugin\PluginHelper; use Joomla\Component\Fields\Administrator\Model\FieldsModel; +use Joomla\Database\ParameterType; /** * FieldsHelper 
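Review bot: The rewritten select/from/where calls in getOptions() all go through quoteName(), but the `$query->order('ordering asc, id asc')` line left between them is still a raw string and is now the only unquoted identifier in the query. For consistency with the rest of the hunk: `$query->order($db->quoteName('ordering') . ' ASC, ' . $db->quoteName('id') . ' ASC');`. Separately, whereIn() binds `$states` and `$viewlevels` with its default parameter type (integer, if it behaves like the other call sites in this commit assume), and both arrays are built before the hunk, so I can't see whether they are integer-cast there. The start of getOptions() is outside the hunk.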
@@ -640,7 +641,8 @@ public static function getAssignedCategoriesTitles($fieldId) $query->select($db->quoteName('c.title')) ->from($db->quoteName('#__fields_categories', 'a')) ->join('INNER', $db->quoteName('#__categories', 'c') . ' ON a.category_id = c.id') - ->where('field_id = ' . $fieldId); + ->where($db->quoteName('field_id') . ' = :fieldid') + ->bind(':fieldid', $fieldId, ParameterType::INTEGER); $db->setQuery($query); diff --git a/administrator/components/com_fields/Model/FieldModel.php b/administrator/components/com_fields/Model/FieldModel.php index a6b2e112fad0a..559d06c8f0479 100644 --- a/administrator/components/com_fields/Model/FieldModel.php +++ b/administrator/components/com_fields/Model/FieldModel.php @@ -24,6 +24,7 @@ use Joomla\CMS\Plugin\PluginHelper; use Joomla\CMS\Table\Table; use Joomla\Component\Fields\Administrator\Helper\FieldsHelper; +use Joomla\Database\ParameterType; use Joomla\Registry\Registry; use Joomla\String\StringHelper; use Joomla\Utilities\ArrayHelper; @@ -185,7 +186,9 @@ public function save($data) // First delete all assigned categories $query = $db->getQuery(true); $query->delete('#__fields_categories') - ->where('field_id = ' . $id); + ->where($db->quoteName('field_id') . ' = :fieldid') + ->bind(':fieldid', $id, ParameterType::INTEGER); + $db->setQuery($query); $db->execute(); @@ -222,9 +225,12 @@ public function save($data) $names[] = $db->quote($param['value']); } + $fieldId = (int) $field->id; $query = $db->getQuery(true); - $query->delete('#__fields_values')->where('field_id = ' . (int) $field->id) - ->where('value NOT IN (' . implode(',', $names) . ')'); + $query->delete($db->quoteName('#__fields_values')) + ->where($db->quoteName('field_id') . ' = :fieldid') + ->whereNotIn($db->quoteName('value'), $names, ParameterType::STRING) + ->bind(':fieldid', $fieldId, ParameterType::INTEGER); $db->setQuery($query); $db->execute(); } 
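Review bot: `$fieldId` is bound with ParameterType::INTEGER in getAssignedCategoriesTitles() but, unlike the other sites this commit touches (FieldModel::save, getItem, setFieldValue), it is not cast first; bind() takes the variable by reference and the parameter arrives uncast from the caller. Adding `$fieldId = (int) $fieldId;` before the query keeps the call sites consistent and makes the integer binding explicit rather than relying on the driver to coerce a string. The join's `ON a.category_id = c.id` condition in the same hunk is also a raw string while the rest of the query is quoteName()'d. getAssignedCategoriesTitles() starts before the hunk.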
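Review bot: The new whereNotIn() in save() double-quotes its values: the unchanged context line just above it still does `$names[] = $db->quote($param['value']);`, so each element already carries SQL quote characters, and binding it as a STRING parameter sends those quotes as part of the value. That was correct for the old string-built `value NOT IN (...)`, but with binding the comparison can never match a stored value, so this delete would remove every stored value of the field on each save. Change the collection line to `$names[] = $param['value'];` and let the bind do the quoting. The loop that builds `$names` begins before the hunk.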
@@ -374,9 +380,11 @@ public function getItem($pk = null) $db = $this->getDbo(); $query = $db->getQuery(true); - $query->select('category_id') - ->from('#__fields_categories') - ->where('field_id = ' . (int) $result->id); + $fieldId = (int) $result->id; + $query->select($db->quoteName('category_id')) + ->from($db->quoteName('#__fields_categories')) + ->where($db->quoteName('field_id') . ' = :fieldid') + ->bind(':fieldid', $fieldId, ParameterType::INTEGER); $db->setQuery($query); $result->assigned_cat_ids = $db->loadColumn() ?: array(0); @@ -459,7 +467,7 @@ public function delete(&$pks) $query = $this->getDbo()->getQuery(true); $query->delete($query->quoteName('#__fields_values')) - ->where($query->quoteName('field_id') . ' IN(' . implode(',', $pks) . ')'); + ->whereIn($query->quoteName('field_id'), $pks); $this->getDbo()->setQuery($query)->execute(); @@ -467,7 +475,7 @@ public function delete(&$pks) $query = $this->getDbo()->getQuery(true); $query->delete($query->quoteName('#__fields_categories')) - ->where($query->quoteName('field_id') . ' IN(' . implode(',', $pks) . ')'); + ->whereIn($query->quoteName('field_id'), $pks); $this->getDbo()->setQuery($query)->execute(); } @@ -607,12 +615,16 @@ public function setFieldValue($fieldId, $itemId, $value) if ($needsDelete) { + $fieldId = (int) $fieldId; + // Deleting the existing record as it is a reset $query = $this->getDbo()->getQuery(true); $query->delete($query->quoteName('#__fields_values')) - ->where($query->quoteName('field_id') . ' = ' . (int) $fieldId) - ->where($query->quoteName('item_id') . ' = ' . $query->quote($itemId)); + ->where($query->quoteName('field_id') . ' = :fieldid') + ->where($query->quoteName('item_id') . ' = :itemid') + ->bind(':fieldid', $fieldId, ParameterType::INTEGER) + ->bind(':itemid', $itemId); $this->getDbo()->setQuery($query)->execute(); } 
@@ -697,10 +709,11 @@ public function getFieldValues(array $fieldIds, $itemId) // Create the query $query = $this->getDbo()->getQuery(true); - $query->select(array($query->quoteName('field_id'), $query->quoteName('value'))) + $query->select($query->quoteName(['field_id', 'value'])) ->from($query->quoteName('#__fields_values')) - ->where($query->quoteName('field_id') . ' IN (' . implode(',', ArrayHelper::toInteger($fieldIds)) . ')') - ->where($query->quoteName('item_id') . ' = ' . $query->quote($itemId)); + ->whereIn($query->quoteName('field_id'), ArrayHelper::toInteger($fieldIds)) + ->where($query->quoteName('item_id') . ' = :itemid') + ->bind(':itemid', $itemId); // Fetch the row from the database $rows = $this->getDbo()->setQuery($query)->loadObjectList(); @@ -754,13 +767,15 @@ public function cleanupValues($context, $itemId) $fieldsQuery = $this->getDbo()->getQuery(true); $fieldsQuery->select($fieldsQuery->quoteName('id')) ->from($fieldsQuery->quoteName('#__fields')) - ->where($fieldsQuery->quoteName('context') . ' = ' . $fieldsQuery->quote($context)); + ->where($fieldsQuery->quoteName('context') . ' = :context'); $query = $this->getDbo()->getQuery(true); $query->delete($query->quoteName('#__fields_values')) ->where($query->quoteName('field_id') . ' IN (' . $fieldsQuery . ')') - ->where($query->quoteName('item_id') . ' = ' . $query->quote($itemId)); + ->where($query->quoteName('item_id') . ' = :itemid') + ->bind(':itemid', $itemId) + ->bind(':context', $context); $this->getDbo()->setQuery($query)->execute(); } diff --git a/administrator/components/com_fields/Model/FieldsModel.php b/administrator/components/com_fields/Model/FieldsModel.php index 91eaffac23a33..f17d661df642a 100644 --- a/administrator/components/com_fields/Model/FieldsModel.php +++ b/administrator/components/com_fields/Model/FieldsModel.php 
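Review bot: In cleanupValues() the `:context` placeholder lives in `$fieldsQuery` but is bound on `$query`; this only works because the subquery is interpolated into the outer query as text (`' IN (' . $fieldsQuery . ')'`), so the placeholder ends up in the outer SQL while `$fieldsQuery` itself carries no bindings. That is easy to break in a later refactor (executing `$fieldsQuery` on its own, or using whereIn/bindArray on it). I'd add a one-line comment above the outer bind, `// :context sits in the interpolated subquery; bind it on the outer query, which is the one executed`. cleanupValues() starts before the hunk.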
@@ -16,6 +16,7 @@ use Joomla\CMS\MVC\Factory\MVCFactoryInterface; use Joomla\CMS\MVC\Model\ListModel; use Joomla\Component\Fields\Administrator\Helper\FieldsHelper; +use Joomla\Database\ParameterType; use Joomla\Registry\Registry; use Joomla\Utilities\ArrayHelper; @@ -170,7 +171,8 @@ protected function getListQuery() // Filter by context if ($context = $this->getState('filter.context')) { - $query->where('a.context = ' . $db->quote($context)); + $query->where($db->quoteName('a.context') . ' = :context') + ->bind(':context', $context); } // Filter by access level. @@ -179,11 +181,13 @@ protected function getListQuery() if (is_array($access)) { $access = ArrayHelper::toInteger($access); - $query->where('a.access in (' . implode(',', $access) . ')'); + $query->whereIn($db->quoteName('a.access'), $access); } else { - $query->where('a.access = ' . (int) $access); + $access = (int) $access; + $query->where($db->quoteName('a.access') . ' = :access') + ->bind(':access', $access, ParameterType::INTEGER); } } 
@@ -233,19 +237,32 @@ protected function getListQuery() if (in_array('0', $categories)) { - $query->where('(fc.category_id IS NULL OR fc.category_id IN (' . implode(',', $categories) . '))'); + $query->where( + '(' . + $db->quoteName('fc.category_id') . ' IS NULL OR ' . + $db->quoteName('fc.category_id') . ' IN (' . implode(',', $query->bindArray($categories, ParameterType::INTEGER)) . ')' . + ')' + ); } else { - $query->where('fc.category_id IN (' . implode(',', $categories) . ')'); + $query->whereIn($db->quoteName('fc.category_id'), $categories); } } // Implement View Level Access if (!$app->isClient('administrator') || !$user->authorise('core.admin')) { - $groups = implode(',', $user->getAuthorisedViewLevels()); - $query->where('a.access IN (' . $groups . ') AND (a.group_id = 0 OR g.access IN (' . $groups . '))'); + $groups = $user->getAuthorisedViewLevels(); + $query->whereIn($db->quoteName('a.access'), $groups); + $query->extendWhere( + 'AND', + [ + $db->quoteName('a.group_id') . ' = 0', + $db->quoteName('g.access') . ' IN (' . implode(',', $query->bindArray($groups, ParameterType::INTEGER)) . ')' + ], + 'OR' + ); } // Filter by state 
@@ -258,20 +275,37 @@ protected function getListQuery() if (is_numeric($state)) { - $query->where('a.state = ' . (int) $state); + $state = (int) $state; + $query->where($db->quoteName('a.state') . ' = :state') + ->bind(':state', $state, ParameterType::INTEGER); if ($includeGroupState) { - $query->where('(a.group_id = 0 OR g.state = ' . (int) $state . ')'); + $query->extendWhere( + 'AND', + [ + $db->quoteName('a.group_id') . ' = 0', + $db->quoteName('g.state') . ' = :gstate', + ], + 'OR' + ) + ->bind(':gstate', $state, ParameterType::INTEGER); } } elseif (!$state) { - $query->where('a.state IN (0, 1)'); + $query->whereIn($db->quoteName('a.state'), [0, 1]); if ($includeGroupState) { - $query->where('(a.group_id = 0 OR g.state IN (0, 1))'); + $query->extendWhere( + 'AND', + [ + $db->quoteName('a.group_id') . ' = 0', + $db->quoteName('g.state') . ' IN (' . implode(',', $query->bindArray([0, 1], ParameterType::INTEGER)) . ')' + ], + 'OR' + ); } } 
@@ -279,27 +313,47 @@ protected function getListQuery() if (is_numeric($groupId)) { - $query->where('a.group_id = ' . (int) $groupId); + $groupId = (int) $groupId; + $query->where($db->quoteName('a.group_id') . ' = :groupid') + ->bind(':groupid', $groupId, ParameterType::INTEGER); } // Filter by search in title $search = $this->getState('filter.search'); - if (! empty($search)) + if (!empty($search)) { if (stripos($search, 'id:') === 0) { - $query->where('a.id = ' . (int) substr($search, 3)); + $search = (int) substr($search, 3); + $query->where($db->quoteName('a.id') . ' = :id') + ->bind(':id', $search, ParameterType::INTEGER); } elseif (stripos($search, 'author:') === 0) { - $search = $db->quote('%' . $db->escape(substr($search, 7), true) . '%'); - $query->where('(ua.name LIKE ' . $search . ' OR ua.username LIKE ' . $search . ')'); + $search = '%' . substr($search, 7) . '%'; + $query->where( + '(' . + $db->quoteName('ua.name') . ' LIKE :name OR ' . + $db->quoteName('ua.username') . ' LIKE :username' . + ')' + ) + ->bind(':name', $search) + ->bind(':username', $search); } else { - $search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%')); - $query->where('(a.title LIKE ' . $search . ' OR a.name LIKE ' . $search . ' OR a.note LIKE ' . $search . ')'); + $search = '%' . str_replace(' ', '%', trim($search)) . '%'; + $query->where( + '(' . + $db->quoteName('a.title') . ' LIKE :title OR ' . + $db->quoteName('a.name') . ' LIKE :sname OR ' . + $db->quoteName('a.note') . ' LIKE :note' . + ')' + ) + ->bind(':title', $search) + ->bind(':sname', $search) + ->bind(':note', $search); } } @@ -308,12 +362,7 @@ protected function getListQuery() { $language = (array) $language; - foreach ($language as $key => $l) - { - $language[$key] = $db->quote($l); - } - - $query->where('a.language in (' . implode(',', $language) . ')'); + $query->whereIn($db->quoteName('a.language'), $language, ParameterType::STRING); } // Add the list ordering clause 
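Review bot: Replacing `$db->escape(..., true)` with parameter binding drops the LIKE-wildcard escaping, not just the SQL escaping: the bind neutralises quotes, but a `%` or `_` typed by the user is still a wildcard inside `LIKE :name`, `LIKE :title` and the other LIKE clauses, so `author:%` now matches every author. The `str_replace(' ', '%', …)` in the title branch is intentional, but the user's own wildcard characters should still be escaped before it: `$search = '%' . addcslashes(substr($search, 7), '%_') . '%';` and `$search = '%' . str_replace(' ', '%', addcslashes(trim($search), '%_')) . '%';`. This assumes the driver's default LIKE escape character is backslash, as in MySQL; if other drivers are in scope an explicit `ESCAPE` clause would be safer. Only the search part of getListQuery() is inside this hunk.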
@@ -388,14 +437,22 @@ public function getGroups() { $user = Factory::getUser(); $viewlevels = ArrayHelper::toInteger($user->getAuthorisedViewLevels()); + $context = $this->state->get('filter.context'); $db = $this->getDbo(); $query = $db->getQuery(true); - $query->select('title AS text, id AS value, state'); - $query->from('#__fields_groups'); - $query->where('state IN (0,1)'); - $query->where('context = ' . $db->quote($this->state->get('filter.context'))); - $query->where('access IN (' . implode(',', $viewlevels) . ')'); + $query->select( + [ + $db->quoteName('title', 'text'), + $db->quoteName('id', 'value'), + $db->quoteName('state'), + ] + ); + $query->from($db->quoteName('#__fields_groups')); + $query->whereIn($db->quoteName('state'), [0, 1]); + $query->where($db->quoteName('context') . ' = :context'); + $query->whereIn($db->quoteName('access'), $viewlevels); + $query->bind(':context', $context); $db->setQuery($query); diff --git a/administrator/components/com_fields/Model/GroupsModel.php b/administrator/components/com_fields/Model/GroupsModel.php index cad334b9be3bd..7f597358be1f7 100644 --- a/administrator/components/com_fields/Model/GroupsModel.php +++ b/administrator/components/com_fields/Model/GroupsModel.php @@ -14,6 +14,7 @@ use Joomla\CMS\Factory; use Joomla\CMS\MVC\Factory\MVCFactoryInterface; use Joomla\CMS\MVC\Model\ListModel; +use Joomla\Database\ParameterType; use Joomla\Registry\Registry; use Joomla\Utilities\ArrayHelper; @@ -148,7 +149,8 @@ protected function getListQuery() // Filter by context if ($context = $this->getState('filter.context', 'com_fields')) { - $query->where('a.context = ' . $db->quote($context)); + $query->where($db->quoteName('a.context') . ' = :context') + ->bind(':context', $context); } // Filter by access level. 
@@ -157,19 +159,21 @@ protected function getListQuery() if (is_array($access)) { $access = ArrayHelper::toInteger($access); - $query->where('a.access in (' . implode(',', $access) . ')'); + $query->whereIn($db->quoteName('a.access'), $access); } else { - $query->where('a.access = ' . (int) $access); + $access = (int) $access; + $query->where($db->quoteName('a.access') . ' = :access') + ->bind(':access', $access, ParameterType::INTEGER); } } // Implement View Level Access if (!$user->authorise('core.admin')) { - $groups = implode(',', $user->getAuthorisedViewLevels()); - $query->where('a.access IN (' . $groups . ')'); + $groups = $user->getAuthorisedViewLevels(); + $query->whereIn($db->quoteName('a.access'), $groups); } // Filter by published state @@ -177,11 +181,13 @@ protected function getListQuery() if (is_numeric($state)) { - $query->where('a.state = ' . (int) $state); + $state = (int) $state; + $query->where($db->quoteName('a.access') . ' = :state') + ->bind(':state', $state, ParameterType::INTEGER); } elseif (!$state) { - $query->where('a.state IN (0, 1)'); + $query->whereIn($db->quoteName('a.access'), [0, 1]); } // Filter by search in title @@ -191,12 +197,15 @@ protected function getListQuery() { if (stripos($search, 'id:') === 0) { - $query->where('a.id = ' . (int) substr($search, 3)); + $search = (int) substr($search, 3); + $query->where($db->quoteName('a.id') . ' = :search') + ->bind(':id', $search, ParameterType::INTEGER); } else { - $search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%')); - $query->where('a.title LIKE ' . $search); + $search = '%' . str_replace(' ', '%', trim($search)) . '%'; + $query->where($db->quoteName('a.title') . ' LIKE :search') + ->bind(':search', $search); } } 
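Review bot: The published-state filter in GroupsModel::getListQuery() now compares the wrong column: both new lines use `$db->quoteName('a.access')` where the removed lines used `a.state`, so filtering by state silently filters by access level instead, and the default `IN (0, 1)` branch would hide every group whose access level is above 1. Restore the column in both branches: `$query->where($db->quoteName('a.state') . ' = :state')` and `$query->whereIn($db->quoteName('a.state'), [0, 1]);`. The enclosing `is_numeric($state)` block begins before the hunk.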
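Review bot: In the `id:` search branch the placeholder and the bind key don't match — the SQL uses `= :search` but the value is bound as `->bind(':id', $search, ParameterType::INTEGER)`, leaving `:search` unbound and `:id` unused, which fails at execute time on a PDO driver. Use one name in both places, e.g. `$query->where($db->quoteName('a.id') . ' = :id')` to match the bind and the identically structured branch in FieldsModel. The surrounding `if (!empty($search))` begins before the hunk.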
@@ -205,12 +214,7 @@ protected function getListQuery() { $language = (array) $language; - foreach ($language as $key => $l) - { - $language[$key] = $db->quote($l); - } - - $query->where('a.language in (' . implode(',', $language) . ')'); + $query->whereIn($db->quoteName('a.language'), $language, ParameterType::STRING); } // Add the list ordering clause diff --git a/administrator/components/com_fields/Table/FieldTable.php b/administrator/components/com_fields/Table/FieldTable.php index 860168638a65a..6cc565bae87d7 100644 --- a/administrator/components/com_fields/Table/FieldTable.php +++ b/administrator/components/com_fields/Table/FieldTable.php @@ -317,7 +317,8 @@ private function getAssetId($name) $query = $db->getQuery(true) ->select($db->quoteName('id')) ->from($db->quoteName('#__assets')) - ->where($db->quoteName('name') . ' = ' . $db->quote($name)); + ->where($db->quoteName('name') . ' = :name') + ->bind(':name', $name); // Get the asset id from the database. $db->setQuery($query); diff --git a/administrator/components/com_fields/Table/GroupTable.php b/administrator/components/com_fields/Table/GroupTable.php index 639fef542ed0e..6a194843a9ec2 100644 --- a/administrator/components/com_fields/Table/GroupTable.php +++ b/administrator/components/com_fields/Table/GroupTable.php @@ -208,7 +208,8 @@ protected function _getAssetParentId(Table $table = null, $id = null) $query = $db->getQuery(true) ->select($db->quoteName('id')) ->from($db->quoteName('#__assets')) - ->where($db->quoteName('name') . ' = ' . $db->quote($component[0])); + ->where($db->quoteName('name') . ' = :name') + ->bind(':name', $component[0]); $db->setQuery($query); if ($assetId = (int) $db->loadResult())