diff --git a/administrator/components/com_tags/Model/TagsModel.php b/administrator/components/com_tags/Model/TagsModel.php index af16ae682246c..7efe737abbcc7 100644 --- a/administrator/components/com_tags/Model/TagsModel.php +++ b/administrator/components/com_tags/Model/TagsModel.php @@ -16,6 +16,7 @@ use Joomla\CMS\Factory; use Joomla\CMS\MVC\Factory\MVCFactoryInterface; use Joomla\CMS\MVC\Model\ListModel; +use Joomla\Database\ParameterType; /** * Tags Component Tags Model @@ -141,41 +142,47 @@ protected function getListQuery() ', a.language' ) ); - $query->from('#__tags AS a') - ->where('a.alias <> ' . $db->quote('root')); + $query->from($db->quoteName('#__tags', 'a')) + ->where($db->quoteName('a.alias') . ' <> ' . $db->quote('root')); // Join over the language - $query->select('l.title AS language_title, l.image AS language_image') - ->join('LEFT', $db->quoteName('#__languages') . ' AS l ON l.lang_code = a.language'); + $query->select( + [ + $db->quoteName('l.title', 'language_title'), + $db->quoteName('l.image', 'language_image'), + ] + ) + ->join('LEFT', $db->quoteName('#__languages', 'l'), $db->quoteName('l.lang_code') . ' = ' . $db->quoteName('a.language')); // Join over the users for the checked out user. - $query->select('uc.name AS editor') - ->join('LEFT', '#__users AS uc ON uc.id=a.checked_out'); + $query->select($db->quoteName('uc.name', 'editor')) + ->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('a.checked_out')); // Join over the users for the author. - $query->select('ua.name AS author_name') - ->join('LEFT', '#__users AS ua ON ua.id = a.created_user_id') - - ->select('ug.title AS access_title') - ->join('LEFT', '#__viewlevels AS ug on ug.id = a.access'); + $query->select($db->quoteName('ua.name', 'author_name')) + ->join('LEFT', $db->quoteName('#__users', 'ua'), $db->quoteName('ua.id') . ' = ' . $db->quoteName('a.created_user_id')) + ->select($db->quoteName('ug.title', 'access_title')) + ->join('LEFT', $db->quoteName('#__viewlevels', 'ug'), $db->quoteName('ug.id') . ' = ' . $db->quoteName('a.access')); // Filter on the level. - if ($level = $this->getState('filter.level')) + if ($level = (int) $this->getState('filter.level')) { - $query->where('a.level <= ' . (int) $level); + $query->where($db->quoteName('a.level') . ' <= :level') + ->bind(':level', $level, ParameterType::INTEGER); } // Filter by access level. - if ($access = $this->getState('filter.access')) + if ($access = (int) $this->getState('filter.access')) { - $query->where('a.access = ' . (int) $access); + $query->where($db->quoteName('a.access') . ' = :access') + ->bind(':access', $access, ParameterType::INTEGER); } // Implement View Level Access if (!$user->authorise('core.admin')) { - $groups = implode(',', $user->getAuthorisedViewLevels()); - $query->where('a.access IN (' . $groups . ')'); + $groups = $user->getAuthorisedViewLevels(); + $query->whereIn($db->quoteName('a.access'), $groups); } // Filter by published state @@ -183,11 +190,13 @@ protected function getListQuery() if (is_numeric($published)) { - $query->where('a.published = ' . (int) $published); + $published = (int) $published; + $query->where($db->quoteName('a.published') . ' = :published') + ->bind(':published', $published, ParameterType::INTEGER); } elseif ($published === '') { - $query->where('(a.published IN (0, 1))'); + $query->whereIn($db->quoteName('a.published'), [0, 1]); } // Filter by search in title @@ -197,19 +206,34 @@ protected function getListQuery() { if (stripos($search, 'id:') === 0) { - $query->where('a.id = ' . (int) substr($search, 3)); + $ids = (int) substr($search, 3); + $query->where($db->quoteName('a.id') . ' = :id') + ->bind(':id', $ids, ParameterType::INTEGER); } else { - $search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%')); - $query->where('(a.title LIKE ' . $search . ' OR a.alias LIKE ' . $search . ' OR a.note LIKE ' . $search . ')'); + $search = '%' . str_replace(' ', '%', trim($search)) . '%'; + $query->extendWhere( + 'AND', + [ + $db->quoteName('a.title') . ' LIKE :title', + $db->quoteName('a.alias') . ' LIKE :alias', + $db->quoteName('a.note') . ' LIKE :note', + + ], + 'OR' + ); + $query->bind(':title', $search) + ->bind(':alias', $search) + ->bind(':note', $search); } } // Filter on the language. if ($language = $this->getState('filter.language')) { - $query->where('a.language = ' . $db->quote($language)); + $query->where($db->quoteName('a.language') . ' = :language') + ->bind(':language', $language); } // Add the list ordering clause diff --git a/components/com_tags/Model/TagsModel.php b/components/com_tags/Model/TagsModel.php index 45141c9fd002a..b3b626931ea1b 100644 --- a/components/com_tags/Model/TagsModel.php +++ b/components/com_tags/Model/TagsModel.php @@ -15,6 +15,7 @@ use Joomla\CMS\Factory; use Joomla\CMS\Helper\ContentHelper; use Joomla\CMS\MVC\Model\ListModel; +use Joomla\Database\ParameterType; /** * This models supports retrieving a list of tags. @@ -90,10 +91,10 @@ protected function getListQuery() { $app = Factory::getApplication(); $user = Factory::getUser(); - $groups = implode(',', $user->getAuthorisedViewLevels()); - $pid = $this->getState('tag.parent_id'); + $groups = $user->getAuthorisedViewLevels(); + $pid = (int) $this->getState('tag.parent_id'); $orderby = $this->state->params->get('all_tags_orderby', 'title'); - $published = $this->state->params->get('published', 1); + $published = (int) $this->state->params->get('published', 1); $orderDirection = $this->state->params->get('all_tags_orderby_direction', 'ASC'); $language = $this->getState('tag.language'); @@ -103,13 +104,14 @@ protected function getListQuery() // Select required fields from the tags. $query->select('a.*, u.name as created_by_user_name, u.email') - ->from($db->quoteName('#__tags') . ' AS a') - ->join('LEFT', '#__users AS u ON a.created_user_id = u.id') - ->where($db->quoteName('a.access') . ' IN (' . $groups . ')'); + ->from($db->quoteName('#__tags', 'a')) + ->join('LEFT', $db->quoteName('#__users', 'u'), $db->quoteName('a.created_user_id') . ' = ' . $db->quoteName('u.id')) + ->whereIn($db->quoteName('a.access'), $groups); if (!empty($pid)) { - $query->where($db->quoteName('a.parent_id') . ' = ' . $pid); + $query->where($db->quoteName('a.parent_id') . ' = :pid') + ->bind(':pid', $pid, ParameterType::INTEGER); } // Exclude the root. @@ -128,7 +130,7 @@ protected function getListQuery() $language = ContentHelper::getCurrentLanguage(); } - $query->where($db->quoteName('language') . ' IN (' . $db->quote($language) . ', ' . $db->quote('*') . ')'); + $query->whereIn($db->quoteName('language'), [$language, '*'], ParameterType::STRING); } // List state information @@ -158,10 +160,13 @@ protected function getListQuery() // Optionally filter on entered value if ($this->state->get('list.filter')) { - $query->where($db->quoteName('a.title') . ' LIKE ' . $db->quote('%' . $this->state->get('list.filter') . '%')); + $title = '%' . $this->state->get('list.filter') . '%'; + $query->where($db->quoteName('a.title') . ' LIKE :title') + ->bind(':title', $title); } - $query->where($db->quoteName('a.published') . ' = ' . $published); + $query->where($db->quoteName('a.published') . ' = :published') + ->bind(':published', $published, ParameterType::INTEGER); $query->order($db->quoteName($orderby) . ' ' . $orderDirection . ', a.title ASC');