diff --git a/libraries/src/Table/Usergroup.php b/libraries/src/Table/Usergroup.php index 2505bfa69223f..5bb645b6e9481 100644 --- a/libraries/src/Table/Usergroup.php +++ b/libraries/src/Table/Usergroup.php @@ -13,6 +13,7 @@ use Joomla\CMS\Language\Text; use Joomla\Database\DatabaseDriver; use Joomla\Database\Exception\ExecutionFailureException; +use Joomla\Database\ParameterType; /** * Usergroup table class. @@ -63,13 +64,19 @@ public function check() // Check for a duplicate parent_id, title. // There is a unique index on the (parent_id, title) field in the table. - $db = $this->_db; - $query = $db->getQuery(true) + $db = $this->_db; + $parentId = (int) $this->parent_id; + $title = trim($this->title); + $id = (int) $this->id; + $query = $db->getQuery(true) ->select('COUNT(title)') ->from($this->_tbl) - ->where('title = ' . $db->quote(trim($this->title))) - ->where('parent_id = ' . (int) $this->parent_id) - ->where('id <> ' . (int) $this->id); + ->where($db->quoteName('title') . ' = :title') + ->where($db->quoteName('parent_id') . ' = :parentid') + ->where($db->quoteName('id') . ' <> :id') + ->bind(':title', $title) + ->bind(':parentid', $parentId, ParameterType::INTEGER) + ->bind(':id', $id, ParameterType::INTEGER); $db->setQuery($query); if ($db->loadResult() > 0) @@ -85,20 +92,29 @@ public function check() /** * Method to recursively rebuild the nested set tree. * - * @param integer $parent_id The root of the tree to rebuild. - * @param integer $left The left id to start with in building the tree. + * @param integer $parentId The root of the tree to rebuild. + * @param integer $left The left id to start with in building the tree. * * @return boolean True on success * * @since 1.7.0 */ - public function rebuild($parent_id = 0, $left = 0) + public function rebuild($parentId = 0, $left = 0) { // Get the database object - $db = $this->_db; + $db = $this->_db; + $query = $db->getQuery(true); + $parentId = (int) $parentId; // Get all children of this node - $db->setQuery('SELECT id FROM ' . $this->_tbl . ' WHERE parent_id=' . (int) $parent_id . ' ORDER BY parent_id, title'); + $query->clear() + ->select($db->quoteName('id')) + ->from($db->quoteName($this->_tbl)) + ->where($db->quoteName('parent_id') . ' = :parentid') + ->bind(':parentid', $parentId, ParameterType::INTEGER) + ->order($db->quoteName('parent_id'), $db->quoteName('title')); + + $db->setQuery($query); $children = $db->loadColumn(); // The right value of this node is the left value + 1 @@ -117,9 +133,20 @@ public function rebuild($parent_id = 0, $left = 0) } } + $left = (int) $left; + $right = (int) $right; + // We've got the left value, and now that we've processed // the children of this node we also know the right value - $db->setQuery('UPDATE ' . $this->_tbl . ' SET lft=' . (int) $left . ', rgt=' . (int) $right . ' WHERE id=' . (int) $parent_id); + $query->clear() + ->update($db->quoteName($this->_tbl)) + ->set($db->quoteName('lft') . ' = :lft') + ->set($db->quoteName('rgt') . ' = :rgt') + ->where($db->quoteName('id') . ' = :id') + ->bind(':lft', $left, ParameterType::INTEGER) + ->bind(':rgt', $right, ParameterType::INTEGER) + ->bind(':id', $parentId, ParameterType::INTEGER); + $db->setQuery($query); // If there is an update failure, return false to break out of the recursion try @@ -190,12 +217,17 @@ public function delete($oid = null) $db = $this->_db; + $lft = (int) $this->lft; + $rgt = (int) $this->rgt; + // Select the usergroup ID and its children $query = $db->getQuery(true) ->select($db->quoteName('c.id')) - ->from($db->quoteName($this->_tbl) . 'AS c') - ->where($db->quoteName('c.lft') . ' >= ' . (int) $this->lft) - ->where($db->quoteName('c.rgt') . ' <= ' . (int) $this->rgt); + ->from($db->quoteName($this->_tbl, 'c')) + ->where($db->quoteName('c.lft') . ' >= :lft') + ->where($db->quoteName('c.rgt') . ' <= :rgt') + ->bind(':lft', $lft, ParameterType::INTEGER) + ->bind(':rgt', $rgt, ParameterType::INTEGER); $db->setQuery($query); $ids = $db->loadColumn(); @@ -207,7 +239,7 @@ public function delete($oid = null) // Delete the usergroup and its children $query->clear() ->delete($db->quoteName($this->_tbl)) - ->where($db->quoteName('id') . ' IN (' . implode(',', $ids) . ')'); + ->whereIn($db->quoteName('id'), $ids); $db->setQuery($query); $db->execute(); @@ -223,12 +255,17 @@ public function delete($oid = null) } $query->clear() - ->select('id, rules') - ->from('#__viewlevels'); + ->select( + [ + $db->quoteName('id'), + $db->quoteName('rules'), + ] + ) + ->from($db->quoteName('#__viewlevels')); $db->setQuery($query); $rules = $db->loadObjectList(); - $match_ids = array(); + $matchIds = []; foreach ($rules as $rule) { @@ -236,17 +273,19 @@ public function delete($oid = null) { if (strstr($rule->rules, '[' . $id) || strstr($rule->rules, ',' . $id) || strstr($rule->rules, $id . ']')) { - $match_ids[] = $rule->id; + $matchIds[] = $rule->id; } } } - if (!empty($match_ids)) + if (!empty($matchIds)) { + $rules = str_repeat('replace(', 4 * \count($ids)) . 'rules' . implode('', $replace); $query->clear() - ->set('rules=' . str_repeat('replace(', 4 * \count($ids)) . 'rules' . implode('', $replace)) - ->update('#__viewlevels') - ->where('id IN (' . implode(',', $match_ids) . ')'); + ->update($db->quoteName('#__viewlevels')) + ->set($db->quoteName('rules') . ' = :rules') + ->whereIn($db->quoteName('id'), $matchIds) + ->bind(':rules', $rules); $db->setQuery($query); $db->execute(); } @@ -254,7 +293,7 @@ public function delete($oid = null) // Delete the user to usergroup mappings for the group(s) from the database. $query->clear() ->delete($db->quoteName('#__user_usergroup_map')) - ->where($db->quoteName('group_id') . ' IN (' . implode(',', $ids) . ')'); + ->whereIn($db->quoteName('group_id'), $ids); $db->setQuery($query); $db->execute();