diff --git a/administrator/components/com_newsfeeds/Field/Modal/NewsfeedField.php b/administrator/components/com_newsfeeds/Field/Modal/NewsfeedField.php
index a881efeb85327..bea372d37d09e 100644
--- a/administrator/components/com_newsfeeds/Field/Modal/NewsfeedField.php
+++ b/administrator/components/com_newsfeeds/Field/Modal/NewsfeedField.php
@@ -17,6 +17,7 @@
 use Joomla\CMS\Language\LanguageHelper;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Session\Session;
+use Joomla\Database\ParameterType;
 
 /**
  * Supports a modal newsfeeds picker.
@@ -105,11 +106,13 @@ function jSelectNewsfeed_" . $this->id . "(id, title, object) {
 
 if ($value)
 {
+ $id = (int) $value;
 $db = Factory::getDbo();
 $query = $db->getQuery(true)
 ->select($db->quoteName('name'))
 ->from($db->quoteName('#__newsfeeds'))
- ->where($db->quoteName('id') . ' = ' . (int) $value);
+ ->where($db->quoteName('id') . ' = :id')
+ ->bind(':id', $id, ParameterType::INTEGER);
 $db->setQuery($query);
 
 try
diff --git a/administrator/components/com_newsfeeds/Field/NewsfeedsField.php b/administrator/components/com_newsfeeds/Field/NewsfeedsField.php
index 85ce254b63874..36dc3b3b92e3b 100644
--- a/administrator/components/com_newsfeeds/Field/NewsfeedsField.php
+++ b/administrator/components/com_newsfeeds/Field/NewsfeedsField.php
@@ -42,9 +42,14 @@ protected function getOptions()
 
 $db = Factory::getDbo();
 $query = $db->getQuery(true)
- ->select('id As value, name As text')
- ->from('#__newsfeeds AS a')
- ->order('a.name');
+ ->select(
+ [
+ $db->quoteName('id', 'value'),
+ $db->quoteName('name', 'text'),
+ ]
+ )
+ ->from($db->quoteName('#__newsfeeds', 'a'))
+ ->order($db->quoteName('a.name'));
 
 // Get the options.
 $db->setQuery($query);
diff --git a/administrator/components/com_newsfeeds/Helper/NewsfeedsHelper.php b/administrator/components/com_newsfeeds/Helper/NewsfeedsHelper.php
index dcddff984bcd1..72cc90aedfe34 100644
--- a/administrator/components/com_newsfeeds/Helper/NewsfeedsHelper.php
+++ b/administrator/components/com_newsfeeds/Helper/NewsfeedsHelper.php
@@ -13,6 +13,7 @@
 
 use Joomla\CMS\Factory;
 use Joomla\CMS\Helper\ContentHelper;
+use Joomla\Database\ParameterType;
 
 /**
  * Newsfeeds component helper.
@@ -39,7 +40,19 @@ class NewsfeedsHelper extends ContentHelper
 */
 public static function countItems(&$items)
 {
- $db = Factory::getDbo();
+ $db = Factory::getDbo();
+ $query = $db->getQuery(true);
+ $query->select(
+ [
+ $db->quoteName('published', 'state'),
+ 'COUNT(*) AS ' . $db->quoteName('count'),
+ ]
+ )
+ ->from($db->quoteName('#__newsfeeds'))
+ ->where($db->quoteName('catid') . ' = :id')
+ ->bind(':id', $id, ParameterType::INTEGER)
+ ->group($db->quoteName('state'));
+ $db->setQuery($query);
 
 foreach ($items as $item)
 {
@@ -47,12 +60,8 @@ public static function countItems(&$items)
 $item->count_archived = 0;
 $item->count_unpublished = 0;
 $item->count_published = 0;
- $query = $db->getQuery(true);
- $query->select('published AS state, count(*) AS count')
- ->from($db->quoteName('#__newsfeeds'))
- ->where('catid = ' . (int) $item->id)
- ->group('state');
- $db->setQuery($query);
+
+ $id = (int) $item->id;
 $newfeeds = $db->loadObjectList();
 
 foreach ($newfeeds as $newsfeed)
@@ -94,7 +103,8 @@ public static function countItems(&$items)
 */
 public static function countTagItems(&$items, $extension)
 {
- $db = Factory::getDbo();
+ $db = Factory::getDbo();
+ $query = $db->getQuery(true);
 
 $parts = explode('.', $extension);
 $section = null;
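Review bot: In the rebuilt countItems() the line `->bind(':id', $id, ParameterType::INTEGER)` references `$id` before anything has assigned it; it only works if bind() keeps a reference that the later `$id = (int) $item->id;` inside the loop updates and loadObjectList() re-executes the statement on each iteration, neither of which a reader of the query alone can see. Declaring the variable up front makes that contract explicit and would surface a warning instead of a silent null binding if bind() ever stopped taking its argument by reference: add `$id = 0;` before `$query = $db->getQuery(true);` with the comment `// Bound by reference into the query below; reassigned per item in the loop.`. The sibling countTagItems() hunk labels its per-item assignment with `// Update ID used in database query.`; the same comment belongs on the assignment in countItems() for consistency. countItems()'s body continues past the end of the hunk.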
@@ -103,28 +113,44 @@ public static function countTagItems(&$items, $extension)
 $section = $parts[1];
 }
 
- $join = $db->quoteName('#__newsfeeds') . ' AS c ON ct.content_item_id=c.id';
+ $query->select(
+ [
+ $db->quoteName('published', 'state'),
+ 'COUNT(*) AS ' . $db->quoteName('count'),
+ ]
+ )
+ ->from($db->quoteName('#__contentitem_tag_map', 'ct'));
 
 if ($section === 'category')
 {
- $join = $db->quoteName('#__categories') . ' AS c ON ct.content_item_id=c.id';
+ $query->join('LEFT', $db->quoteName('#__categories', 'c'), $db->quoteName('ct.content_item_id') . ' = ' . $db->quoteName('c.id'));
+ }
+ else
+ {
+ $query->join('LEFT', $db->quoteName('#__newsfeeds', 'c'), $db->quoteName('ct.content_item_id') . ' = ' . $db->quoteName('c.id'));
 }
 
+ $query->where(
+ [
+ $db->quoteName('ct.tag_id') . ' = :id',
+ $db->quoteName('ct.type_alias') . ' = :extension',
+ ]
+ )
+ ->bind(':id', $id, ParameterType::INTEGER)
+ ->bind(':extension', $extension)
+ ->group($db->quoteName('state'));
+
+ $db->setQuery($query);
+
 foreach ($items as $item)
 {
 $item->count_trashed = 0;
 $item->count_archived = 0;
 $item->count_unpublished = 0;
 $item->count_published = 0;
- $query = $db->getQuery(true);
- $query->select('published AS state, count(*) AS count')
- ->from($db->quoteName('#__contentitem_tag_map') . 'AS ct ')
- ->where('ct.tag_id = ' . (int) $item->id)
- ->where('ct.type_alias =' . $db->quote($extension))
- ->join('LEFT', $join)
- ->group('state');
-
- $db->setQuery($query);
+
+ // Update ID used in database query.
+ $id = (int) $item->id;
 $newsfeeds = $db->loadObjectList();
 
 foreach ($newsfeeds as $newsfeed)
diff --git a/administrator/components/com_newsfeeds/Model/NewsfeedModel.php b/administrator/components/com_newsfeeds/Model/NewsfeedModel.php
index 88d3fb53e22d6..af6e281d918cb 100644
--- a/administrator/components/com_newsfeeds/Model/NewsfeedModel.php
+++ b/administrator/components/com_newsfeeds/Model/NewsfeedModel.php
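Review bot: The new `$query->select([...])` in countTagItems() selects `published` unqualified even though the statement now LEFT JOINs `ct` (the tag map) to either `#__categories` or `#__newsfeeds` as `c`; this works only as long as the tag-map table has no column of that name, and the alias `state` used in the GROUP BY hides which table it came from. Qualifying it is free and documents the intent: `$db->quoteName('c.published', 'state')`. Note also that with a LEFT JOIN, tag-map rows with no matching `c` row are counted under a NULL `state`; presumably the counting loop (which continues outside the hunk) ignores that bucket, but if those rows should not be read at all an INNER join would say so explicitly. countTagItems() ends outside the hunk.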
@@ -318,7 +318,7 @@ protected function prepareTable($table)
 {
 $db = $this->getDbo();
 $query = $db->getQuery(true)
- ->select('MAX(ordering)')
+ ->select('MAX(' . $db->quoteName('ordering') . ')')
 ->from($db->quoteName('#__newsfeeds'));
 $db->setQuery($query);
 $max = $db->loadResult();
diff --git a/administrator/components/com_newsfeeds/Model/NewsfeedsModel.php b/administrator/components/com_newsfeeds/Model/NewsfeedsModel.php
index 0de5d840e6764..79d93c3822de9 100644
--- a/administrator/components/com_newsfeeds/Model/NewsfeedsModel.php
+++ b/administrator/components/com_newsfeeds/Model/NewsfeedsModel.php
@@ -155,29 +155,35 @@ protected function getListQuery()
 $query->select(
 $this->getState(
 'list.select',
- 'a.id, a.name, a.alias, a.checked_out, a.checked_out_time, a.catid,' .
- ' a.numarticles, a.cache_time, a.created_by,' .
- ' a.published, a.access, a.ordering, a.language, a.publish_up, a.publish_down'
+ [
+ $db->quoteName('a.id'),
+ $db->quoteName('a.name'),
+ $db->quoteName('a.alias'),
+ $db->quoteName('a.checked_out'),
+ $db->quoteName('a.checked_out_time'),
+ $db->quoteName('a.catid'),
+ $db->quoteName('a.numarticles'),
+ $db->quoteName('a.cache_time'),
+ $db->quoteName('a.created_by'),
+ $db->quoteName('a.published'),
+ $db->quoteName('a.access'),
+ $db->quoteName('a.ordering'),
+ $db->quoteName('a.language'),
+ $db->quoteName('a.publish_up'),
+ $db->quoteName('a.publish_down'),
+ $db->quoteName('l.title', 'language_title'),
+ $db->quoteName('l.image', 'language_image'),
+ $db->quoteName('uc.name', 'editor'),
+ $db->quoteName('ag.title', 'access_level'),
+ $db->quoteName('c.title', 'category_title'),
+ ]
 )
- );
- $query->from($db->quoteName('#__newsfeeds', 'a'));
-
- // Join over the language
- $query->select($db->quoteName('l.title', 'language_title'))
- ->select($db->quoteName('l.image', 'language_image'))
- ->join('LEFT', $db->quoteName('#__languages', 'l') . ' ON ' . $db->quoteName('l.lang_code') . ' = ' . $db->quoteName('a.language'));
-
- // Join over the users for the checked out user.
- $query->select($db->quoteName('uc.name', 'editor'))
- ->join('LEFT', $db->quoteName('#__users', 'uc') . ' ON ' . $db->quoteName('uc.id') . ' = ' . $db->quoteName('a.checked_out'));
-
- // Join over the asset groups.
- $query->select($db->quoteName('ag.title', 'access_level'))
- ->join('LEFT', $db->quoteName('#__viewlevels', 'ag') . ' ON ' . $db->quoteName('ag.id') . ' = ' . $db->quoteName('a.access'));
-
- // Join over the categories.
- $query->select($db->quoteName('c.title', 'category_title'))
- ->join('LEFT', $db->quoteName('#__categories', 'c') . ' ON ' . 
$db->quoteName('c.id') . ' = ' . $db->quoteName('a.catid'));
+ )
+ ->from($db->quoteName('#__newsfeeds', 'a'))
+ ->join('LEFT', $db->quoteName('#__languages', 'l'), $db->quoteName('l.lang_code') . ' = ' . $db->quoteName('a.language'))
+ ->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('a.checked_out'))
+ ->join('LEFT', $db->quoteName('#__viewlevels', 'ag'), $db->quoteName('ag.id') . ' = ' . $db->quoteName('a.access'))
+ ->join('LEFT', $db->quoteName('#__categories', 'c'), $db->quoteName('c.id') . ' = ' . $db->quoteName('a.catid'));
 
 // Join over the associations.
 if (Associations::isEnabled())
@@ -197,15 +203,16 @@ protected function getListQuery()
 }
 
 // Filter by access level.
- if ($access = $this->getState('filter.access'))
+ if ($access = (int) $this->getState('filter.access'))
 {
- $query->where($db->quoteName('a.access') . ' = ' . (int) $access);
+ $query->where($db->quoteName('a.access') . ' = :access')
+ ->bind(':access', $access, ParameterType::INTEGER);
 }
 
 // Implement View Level Access
 if (!$user->authorise('core.admin'))
 {
- $query->where($db->quoteName('a.access') . ' IN (' . implode(',', $user->getAuthorisedViewLevels()) . ')');
+ $query->whereIn($db->quoteName('a.access'), $user->getAuthorisedViewLevels());
 }
 
 // Filter by published state.
@@ -213,7 +220,9 @@ protected function getListQuery()
 
 if (is_numeric($published))
 {
- $query->where($db->quoteName('a.published') . ' = ' . (int) $published);
+ $published = (int) $published;
+ $query->where($db->quoteName('a.published') . ' = :published')
+ ->bind(':published', $published, ParameterType::INTEGER);
 }
 elseif ($published === '')
 {
@@ -225,35 +234,40 @@ protected function getListQuery()
 
 if (is_numeric($categoryId))
 {
- $query->where($db->quoteName('a.catid') . ' = ' . (int) $categoryId);
+ $categoryId = (int) $categoryId;
+ $query->where($db->quoteName('a.catid') . ' = :categoryId')
+ ->bind(':categoryId', $categoryId, ParameterType::INTEGER);
 }
 
 // Filter on the level.
- if ($level = $this->getState('filter.level'))
+ if ($level = (int) $this->getState('filter.level'))
 {
- $query->where($db->quoteName('c.level') . ' <= ' . (int) $level);
+ $query->where($db->quoteName('c.level') . ' <= :level')
+ ->bind(':level', $level, ParameterType::INTEGER);
 }
 
 // Filter by search in title
- $search = $this->getState('filter.search');
-
- if (!empty($search))
+ if ($search = $this->getState('filter.search'))
 {
 if (stripos($search, 'id:') === 0)
 {
- $query->where($db->quoteName('a.id') . ' = ' . (int) substr($search, 3));
+ $search = (int) substr($search, 3);
+ $query->where($db->quoteName('a.id') . ' = :search')
+ ->bind(':search', $search, ParameterType::INTEGER);
 }
 else
 {
- $search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%'));
- $query->where('(a.name LIKE ' . $search . ' OR a.alias LIKE ' . $search . ')');
+ $search = '%' . str_replace(' ', '%', trim($search)) . '%';
+ $query->where('(' . $db->quoteName('a.name') . ' LIKE :search1 OR ' . $db->quoteName('a.alias') . ' LIKE :search2)')
+ ->bind([':search1', ':search2'], $search);
 }
 }
 
 // Filter on the language.
 if ($language = $this->getState('filter.language'))
 {
- $query->where($db->quoteName('a.language') . ' = ' . $db->quote($language));
+ $query->where($db->quoteName('a.language') . ' = :language')
+ ->bind(':language', $language);
 }
 
 // Filter by a single or group of tags.
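Review bot: The rewritten LIKE filter, `$search = '%' . str_replace(' ', '%', trim($search)) . '%';`, binds the value but drops the `$db->escape(trim($search), true)` call of the removed line, whose second argument escaped the LIKE metacharacters `%` and `_`; binding prevents SQL injection, not wildcard interpretation, so a user typing `a_c` now matches `abc` where before it matched only the literal text. If literal matching of those two characters is still wanted, escape just them before the space-to-`%` substitution, e.g. `$search = '%' . str_replace(' ', '%', addcslashes(trim($search), '%_')) . '%';` (assuming the driver's default backslash LIKE escape), and do not reinstate `$db->escape()` on a bound value since it also backslash-escapes quotes that would then be bound literally. If the wildcard behaviour is intended, a one-line comment saying so would stop the next reader from "fixing" it. getListQuery() starts and ends outside the hunk.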
@@ -307,10 +321,17 @@ protected function getListQuery()
 
 if ($orderCol == 'a.ordering' || $orderCol == 'category_title')
 {
- $orderCol = 'c.title ' . $orderDirn . ', a.ordering';
+ $ordering = [
+ $db->quoteName('c.title') . ' ' . $db->escape($orderDirn),
+ $db->quoteName('a.ordering') . ' ' . $db->escape($orderDirn),
+ ];
+ }
+ else
+ {
+ $ordering = $db->quoteName($db->escape($orderCol)) . ' ' . $db->escape($orderDirn);
 }
 
- $query->order($db->escape($orderCol . ' ' . $orderDirn));
+ $query->order($ordering);
 
 return $query;
 }
diff --git a/administrator/components/com_newsfeeds/Service/HTML/AdministratorService.php b/administrator/components/com_newsfeeds/Service/HTML/AdministratorService.php
index ad9473e5f27b2..5998d2b35402d 100644
--- a/administrator/components/com_newsfeeds/Service/HTML/AdministratorService.php
+++ b/administrator/components/com_newsfeeds/Service/HTML/AdministratorService.php
@@ -16,6 +16,7 @@
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Layout\LayoutHelper;
 use Joomla\CMS\Router\Route;
+use Joomla\Database\ParameterType;
 
 /**
  * Utility class for creating HTML Grids.
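Review bot: `$ordering = $db->quoteName($db->escape($orderCol)) . ' ' . $db->escape($orderDirn);` reads as if it sanitised its inputs, but escape() only backslash-escapes quote characters and does nothing to constrain an identifier or an ORDER BY keyword, and quoteName() wraps whatever it is given. The safety of this line rests entirely on populateState() (outside the hunk) validating `list.ordering` against the model's `filter_fields` and `list.direction` against `ASC`/`DESC`; that dependency should be stated where the values are used, e.g. `// $orderCol / $orderDirn are whitelisted in populateState(); escape() is not an identifier sanitiser.`. Separately, the new array applies `$orderDirn` to `a.ordering` as well, whereas the removed line sorted `a.ordering` ascending regardless of direction — if that is deliberate it deserves a line in the commit message. getListQuery() starts outside the hunk.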
@@ -48,17 +49,29 @@ public function association($newsfeedid)
 
 // Get the associated newsfeed items
 $db = Factory::getDbo();
- $query = $db->getQuery(true)
- ->select('c.id, c.name as title')
- ->select('l.sef as lang_sef, lang_code')
- ->from('#__newsfeeds as c')
- ->select('cat.title as category_title')
- ->join('LEFT', '#__categories as cat ON cat.id=c.catid')
- ->where('c.id IN (' . implode(',', array_values($associations)) . ')')
- ->where('c.id != ' . $newsfeedid)
- ->join('LEFT', '#__languages as l ON c.language=l.lang_code')
- ->select('l.image')
- ->select('l.title as language_title');
+ $query = $db->getQuery(true);
+ $query
+ ->select(
+ [
+ $db->quoteName('c.id'),
+ $db->quoteName('c.name', 'title'),
+ $db->quoteName('cat.title', 'category_title'),
+ $db->quoteName('l.sef', 'lang_sef'),
+ $db->quoteName('l.lang_code'),
+ $db->quoteName('l.image'),
+ $db->quoteName('l.title', 'language_title'),
+ ]
+ )
+ ->from($db->quoteName('#__newsfeeds', 'c'))
+ ->join('LEFT', $db->quoteName('#__categories', 'cat'), $db->quoteName('cat.id') . ' = ' . $db->quoteName('c.catid'))
+ ->join('LEFT', $db->quoteName('#__languages', 'l'), $db->quoteName('c.language') . ' = ' . $db->quoteName('l.lang_code'))
+ ->where(
+ [
+ $db->quoteName('c.id') . ' IN (' . implode(',', $query->bindArray(array_values($associations))) . ')',
+ $db->quoteName('c.id') . ' != :id',
+ ]
+ )
+ ->bind(':id', $newsfeedid, ParameterType::INTEGER);
 $db->setQuery($query);
 
 try
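Review bot: `->bind(':id', $newsfeedid, ParameterType::INTEGER)` binds the method parameter without the `(int)` cast that every other hunk in this commit applies before binding (`$id = (int) $value;`, `$categoryId = (int) $categoryId;`); casting first keeps the declared INTEGER type honest regardless of how a given driver treats a non-numeric string, so add `$newsfeedid = (int) $newsfeedid;` before `$query = $db->getQuery(true);`. The same applies to `$query->bindArray(array_values($associations))`, which relies on the INTEGER default and on the values already being integers — presumably the loop above the hunk casts them, but that is outside what is shown. If `$associations` can be empty here, `IN ()` is still a syntax error exactly as it was before this change; a guard or early return belongs in the enclosing method if one does not already exist. association() starts and ends outside the hunk.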