diff --git a/administrator/components/com_workflow/src/Controller/WorkflowController.php b/administrator/components/com_workflow/src/Controller/WorkflowController.php index ac34a874ec299..c6d7c6bc2f81e 100644 --- a/administrator/components/com_workflow/src/Controller/WorkflowController.php +++ b/administrator/components/com_workflow/src/Controller/WorkflowController.php @@ -15,6 +15,7 @@ use Joomla\CMS\MVC\Controller\FormController; use Joomla\CMS\MVC\Factory\MVCFactoryInterface; use Joomla\CMS\MVC\Model\BaseDatabaseModel; +use Joomla\Database\ParameterType; use Joomla\Input\Input; /** @@ -182,14 +183,16 @@ public function postSaveHook(BaseDatabaseModel $model, $validData = array()) $key = $table->getKeyName(); - $recordId = $this->input->getInt($key); + $recordId = (int) $this->input->getInt($key); + // @todo Moves queries out of the controller. $db = $model->getDbo(); $query = $db->getQuery(true); $query->select('*') ->from($db->quoteName('#__workflow_stages')) - ->where($db->quoteName('workflow_id') . ' = ' . (int) $recordId); + ->where($db->quoteName('workflow_id') . ' = :id') + ->bind(':id', $recordId, ParameterType::INTEGER); $statuses = $db->setQuery($query)->loadAssocList(); @@ -215,11 +218,11 @@ public function postSaveHook(BaseDatabaseModel $model, $validData = array()) $mapping[$oldID] = (int) $table->id; } - $query->clear(); - - $query->select('*') + $query = $db->getQuery(true) + ->select('*') ->from($db->quoteName('#__workflow_transitions')) - ->where($db->quoteName('workflow_id') . ' = ' . (int) $recordId); + ->where($db->quoteName('workflow_id') . ' = :id') + ->bind(':id', $recordId, ParameterType::INTEGER); $transitions = $db->setQuery($query)->loadAssocList(); diff --git a/administrator/components/com_workflow/src/Model/StagesModel.php b/administrator/components/com_workflow/src/Model/StagesModel.php index 6d4fd30cb8061..8d09e219de934 100644 --- a/administrator/components/com_workflow/src/Model/StagesModel.php 
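Review bot: The new `// @todo Moves queries out of the controller.` comment above `$db = $model->getDbo();` is awkwardly worded for a TODO that later readers will search for; `// @todo Move these queries out of the controller and into the model.` states the intent plainly. The `(int)` cast on `$this->input->getInt($key)` should be redundant since getInt() already returns an int, though it is harmless. Note that `bind()` holds `$recordId` by reference, so the variable must keep its value until `loadAssocList()` runs, which both rewritten queries in postSaveHook respect. postSaveHook starts before this hunk and continues after it.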
+++ b/administrator/components/com_workflow/src/Model/StagesModel.php @@ -13,6 +13,7 @@ use Joomla\CMS\Factory; use Joomla\CMS\MVC\Model\ListModel; +use Joomla\Database\ParameterType; /** * Model class for stages 
@@ -124,45 +125,43 @@ public function getTable($type = 'Stage', $prefix = 'Administrator', $config = a */ public function getListQuery() { - $db = $this->getDbo(); - - $query = parent::getListQuery(); - - $select = $db->quoteName( - array( - 's.id', - 's.title', - 's.ordering', - 's.default', - 's.published', - 's.checked_out', - 's.checked_out_time', - 's.description' - ) - ); + $db = $this->getDbo(); + $query = $db->getQuery(true); $query - ->select($select) - ->from($db->quoteName('#__workflow_stages', 's')); + ->select( + [ + $db->quoteName('s.id'), + $db->quoteName('s.title'), + $db->quoteName('s.ordering'), + $db->quoteName('s.default'), + $db->quoteName('s.published'), + $db->quoteName('s.checked_out'), + $db->quoteName('s.checked_out_time'), + $db->quoteName('s.description'), + $db->quoteName('uc.name', 'editor'), + ] + ) + ->from($db->quoteName('#__workflow_stages', 's')) + ->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('s.checked_out')); // Filter by extension if ($workflowID = (int) $this->getState('filter.workflow_id')) { - $query->where($db->quoteName('s.workflow_id') . ' = ' . $workflowID); + $query->where($db->quoteName('s.workflow_id') . ' = :id') + ->bind(':id', $workflowID, ParameterType::INTEGER); } - // Join over the users for the checked out user. - $query->select($db->quoteName('uc.name', 'editor')) - ->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('s.checked_out')); - $status = (string) $this->getState('filter.published'); // Filter by publish state if (is_numeric($status)) { - $query->where($db->quoteName('s.published') . ' = ' . (int) $status); + $status = (int) $status; + $query->where($db->quoteName('s.published') . ' = :status') + ->bind(':status', $status, ParameterType::INTEGER); } - elseif ($status == '') + elseif ($status === '') { $query->where($db->quoteName('s.published') . ' IN (0, 1)'); } 
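Review bot: The `// Filter by extension` comment above the rewritten `filter.workflow_id` predicate is misleading, since the clause filters on `s.workflow_id`; it should read `// Filter by workflow`. The same comment sits above the `t.workflow_id` filter in TransitionsModel::getListQuery in this commit. The bindings themselves are sound: `$workflowID` is cast to int in the condition before `bind(':id', $workflowID, ParameterType::INTEGER)`, and copying `(int) $status` into its own variable before `bind()` is required because bind() takes the variable by reference. getListQuery continues past the end of this hunk.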
@@ -172,8 +171,9 @@ public function getListQuery() if (!empty($search)) { - $search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%')); - $query->where('(' . $db->quoteName('s.title') . ' LIKE ' . $search . ' OR ' . $db->quoteName('s.description') . ' LIKE ' . $search . ')'); + $search = '%' . str_replace(' ', '%', trim($search)) . '%'; + $query->where('(' . $db->quoteName('s.title') . ' LIKE :search1 OR ' . $db->quoteName('s.description') . ' LIKE :search2)') + ->bind([':search1', ':search2'], $search); } // Add the list ordering clause. diff --git a/administrator/components/com_workflow/src/Model/TransitionsModel.php b/administrator/components/com_workflow/src/Model/TransitionsModel.php index d1cca4c888ca7..99647e0972524 100644 --- a/administrator/components/com_workflow/src/Model/TransitionsModel.php +++ b/administrator/components/com_workflow/src/Model/TransitionsModel.php @@ -13,6 +13,7 @@ use Joomla\CMS\Factory; use Joomla\CMS\MVC\Model\ListModel; +use Joomla\Database\ParameterType; /** * Model class for transitions 
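Review bot: The rewritten search term `'%' . str_replace(' ', '%', trim($search)) . '%'` drops the `$db->escape(..., true)` call, so `%` and `_` typed by the user now act as LIKE wildcards instead of literals; binding the value removes the injection risk but does not change wildcard semantics. If the previous literal behaviour is wanted, escape only the LIKE metacharacters before binding, because driver-level string escaping must not be applied to a bound value: `$search = '%' . str_replace(' ', '%', addcslashes(trim($search), '\\%_')) . '%';`. The same rewrite appears in the TransitionsModel and WorkflowsModel search hunks of this commit. If allowing user wildcards is the intended project-wide convention, a one-line comment saying so above the assignment would stop the next reader from re-adding the escape.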
@@ -125,69 +126,64 @@ protected function getReorderConditions($table) */ public function getListQuery() { - $db = $this->getDbo(); - - $query = parent::getListQuery(); - - $select = $db->quoteName( - array( - 't.id', - 't.title', - 't.from_stage_id', - 't.to_stage_id', - 't.published', - 't.checked_out', - 't.checked_out_time', - 't.ordering', - 't.description', - ) - ); - - $select[] = $db->quoteName('f_stage.title', 'from_stage'); - $select[] = $db->quoteName('t_stage.title', 'to_stage'); - $joinTo = $db->quoteName('#__workflow_stages', 't_stage') . - ' ON ' . $db->quoteName('t_stage.id') . ' = ' . $db->quoteName('t.to_stage_id'); + $db = $this->getDbo(); + $query = $db->getQuery(true); $query - ->select($select) - ->from($db->quoteName('#__workflow_transitions', 't')) - ->leftJoin( - $db->quoteName('#__workflow_stages', 'f_stage') . ' ON ' . $db->quoteName('f_stage.id') . ' = ' . $db->quoteName('t.from_stage_id') + ->select( + [ + $db->quoteName('t.id'), + $db->quoteName('t.title'), + $db->quoteName('t.from_stage_id'), + $db->quoteName('t.to_stage_id'), + $db->quoteName('t.published'), + $db->quoteName('t.checked_out'), + $db->quoteName('t.checked_out_time'), + $db->quoteName('t.ordering'), + $db->quoteName('t.description'), + $db->quoteName('f_stage.title', 'from_stage'), + $db->quoteName('t_stage.title', 'to_stage'), + $db->quoteName('uc.name', 'editor'), + ] ) - ->leftJoin($joinTo); - - // Join over the users for the checked out user. - $query->select($db->quoteName('uc.name', 'editor')) + ->from($db->quoteName('#__workflow_transitions', 't')) + ->join('LEFT', $db->quoteName('#__workflow_stages', 'f_stage'), $db->quoteName('f_stage.id') . ' = ' . $db->quoteName('t.from_stage_id')) + ->join('LEFT', $db->quoteName('#__workflow_stages', 't_stage'), $db->quoteName('t_stage.id') . ' = ' . $db->quoteName('t.to_stage_id')) ->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . 
$db->quoteName('t.checked_out')); // Filter by extension if ($workflowID = (int) $this->getState('filter.workflow_id')) { - $query->where($db->quoteName('t.workflow_id') . ' = ' . $workflowID); + $query->where($db->quoteName('t.workflow_id') . ' = :id') + ->bind(':id', $workflowID, ParameterType::INTEGER); } - $status = $this->getState('filter.published'); + $status = (string) $this->getState('filter.published'); // Filter by status if (is_numeric($status)) { - $query->where($db->quoteName('t.published') . ' = ' . (int) $status); + $status = (int) $status; + $query->where($db->quoteName('t.published') . ' = :status') + ->bind(':status', $status, ParameterType::INTEGER); } - elseif ($status == '') + elseif ($status === '') { $query->where($db->quoteName('t.published') . ' IN (0, 1)'); } // Filter by column from_stage_id - if ($fromStage = $this->getState('filter.from_stage')) + if ($fromStage = (int) $this->getState('filter.from_stage')) { - $query->where($db->quoteName('from_stage_id') . ' = ' . (int) $fromStage); + $query->where($db->quoteName('from_stage_id') . ' = :fromStage') + ->bind(':fromStage', $fromStage, ParameterType::INTEGER); } - // Filter by column from_stage_id - if ($toStage = $this->getState('filter.to_stage')) + // Filter by column to_stage_id + if ($toStage = (int) $this->getState('filter.to_stage')) { - $query->where($db->quoteName('to_stage_id') . ' = ' . (int) $toStage); + $query->where($db->quoteName('to_stage_id') . ' = :toStage') + ->bind(':toStage', $toStage, ParameterType::INTEGER); } // Filter by search in title 
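Review bot: The new `from_stage_id` and `to_stage_id` predicates bind correctly but reference the columns unqualified, while every other filter in this query uses the `t.` alias; with three aliased tables joined, `$db->quoteName('t.from_stage_id') . ' = :fromStage'` and `$db->quoteName('t.to_stage_id') . ' = :toStage'` are consistent with `t.workflow_id` and `t.published` and immune to a future column-name clash. Moving the `(int)` cast into the `if` also changes behaviour slightly: a non-numeric `filter.from_stage` or `filter.to_stage` state previously produced a `= 0` clause, and now skips the filter entirely, which looks intended but deserves a mention in the commit message. getListQuery continues past the end of this hunk.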
@@ -195,15 +191,16 @@ public function getListQuery() if (!empty($search)) { - $search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%')); - $query->where('(' . $db->quoteName('t.title') . ' LIKE ' . $search . ' OR ' . $db->quoteName('t.description') . ' LIKE ' . $search . ')'); + $search = '%' . str_replace(' ', '%', trim($search)) . '%'; + $query->where('(' . $db->quoteName('t.title') . ' LIKE :search1 OR ' . $db->quoteName('t.description') . ' LIKE :search2)') + ->bind([':search1', ':search2'], $search); } // Add the list ordering clause. $orderCol = $this->state->get('list.ordering', 't.id'); - $orderDirn = strtolower($this->state->get('list.direction', 'asc')); + $orderDirn = strtoupper($this->state->get('list.direction', 'ASC')); - $query->order($db->quoteName($orderCol) . ' ' . $db->escape($orderDirn == 'desc' ? 'DESC' : 'ASC')); + $query->order($db->quoteName($db->escape($orderCol)) . ' ' . $db->escape($orderDirn === 'DESC' ? 'DESC' : 'ASC')); return $query; } diff --git a/administrator/components/com_workflow/src/Model/WorkflowsModel.php b/administrator/components/com_workflow/src/Model/WorkflowsModel.php index 52c8e9bbb8ea0..d11109452095a 100644 --- a/administrator/components/com_workflow/src/Model/WorkflowsModel.php +++ b/administrator/components/com_workflow/src/Model/WorkflowsModel.php @@ -13,6 +13,7 @@ use Joomla\CMS\Factory; use Joomla\CMS\MVC\Model\ListModel; +use Joomla\Database\ParameterType; /** * Model class for workflows 
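Review bot: In the new ordering line, `$db->escape($orderDirn === 'DESC' ? 'DESC' : 'ASC')` escapes a value that can only be one of two fixed literals, so the escape call is noise; `$query->order($db->quoteName($db->escape($orderCol)) . ' ' . ($orderDirn === 'DESC' ? 'DESC' : 'ASC'));` reads the same without it. `$orderCol` still comes from `list.ordering` state and is only passed through quoteName/escape rather than bound, which is acceptable only if populateState() validates it against the model's filter_fields whitelist; that code is outside this hunk and worth confirming. WorkflowsModel::getListQuery in this commit carries the identical ordering line.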
@@ -163,20 +164,30 @@ protected function countItems($items) $query = $db->getQuery(true); - $query ->select('workflow_id, count(*) AS count') + $query->select( + [ + $db->quoteName('workflow_id'), + 'COUNT(*) AS ' . $db->quoteName('count'), + ] + ) ->from($db->quoteName('#__workflow_stages')) - ->where($db->quoteName('workflow_id') . ' IN(' . implode(',', $ids) . ')') - ->where($db->quoteName('published') . '>= 0') + ->whereIn($db->quoteName('workflow_id'), $ids) + ->where($db->quoteName('published') . ' >= 0') ->group($db->quoteName('workflow_id')); $status = $db->setQuery($query)->loadObjectList('workflow_id'); $query = $db->getQuery(true); - $query->select('workflow_id, count(*) AS count') + $query->select( + [ + $db->quoteName('workflow_id'), + 'COUNT(*) AS ' . $db->quoteName('count'), + ] + ) ->from($db->quoteName('#__workflow_transitions')) - ->where($db->quoteName('workflow_id') . ' IN(' . implode(',', $ids) . ')') - ->where($db->quoteName('published') . '>= 0') + ->whereIn($db->quoteName('workflow_id'), $ids) + ->where($db->quoteName('published') . ' >= 0') ->group($db->quoteName('workflow_id')); $transitions = $db->setQuery($query)->loadObjectList('workflow_id'); 
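Review bot: `->whereIn($db->quoteName('workflow_id'), $ids)` is the right replacement for the hand-built `IN(...)`, but it still assumes `$ids` is non-empty; the old implode had the same gap, and `$ids` is built before this hunk, so if an empty item list can reach countItems an early return before the first `$db->getQuery(true)` would avoid emitting an empty `IN ()` clause that drivers reject. whereIn() binds each element as ParameterType::INTEGER by default, so the elements of `$ids` should already be ints or numeric strings. countItems starts before this hunk and continues after it.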
@@ -204,36 +215,35 @@ protected function countItems($items) */ public function getListQuery() { - $db = $this->getDbo(); + $db = $this->getDbo(); + $query = $db->getQuery(true); - $query = parent::getListQuery(); - - $select = $db->quoteName( - array( - 'w.id', - 'w.title', - 'w.created', - 'w.modified', - 'w.published', - 'w.checked_out', - 'w.checked_out_time', - 'w.ordering', - 'w.default', - 'w.created_by', - 'w.description', - 'u.name' - ) - ); - - $query - ->select($select) + $query->select( + [ + $db->quoteName('w.id'), + $db->quoteName('w.title'), + $db->quoteName('w.created'), + $db->quoteName('w.modified'), + $db->quoteName('w.published'), + $db->quoteName('w.checked_out'), + $db->quoteName('w.checked_out_time'), + $db->quoteName('w.ordering'), + $db->quoteName('w.default'), + $db->quoteName('w.created_by'), + $db->quoteName('w.description'), + $db->quoteName('u.name'), + $db->quoteName('uc.name', 'editor'), + ] + ) ->from($db->quoteName('#__workflows', 'w')) - ->leftJoin($db->quoteName('#__users', 'u') . ' ON ' . $db->quoteName('u.id') . ' = ' . $db->quoteName('w.created_by')); + ->join('LEFT', $db->quoteName('#__users', 'u'), $db->quoteName('u.id') . ' = ' . $db->quoteName('w.created_by')) + ->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('w.checked_out')); // Filter by extension if ($extension = $this->getState('filter.extension')) { - $query->where($db->quoteName('extension') . ' = ' . $db->quote($db->escape($extension))); + $query->where($db->quoteName('extension') . ' = :extension') + ->bind(':extension', $extension); } $status = (string) $this->getState('filter.published'); 
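Review bot: The rewritten extension filter `$db->quoteName('extension') . ' = :extension'` leaves the column unqualified, while the same query now joins `#__users` twice (`u`, `uc`) and every other predicate uses the `w.` alias; `$query->where($db->quoteName('w.extension') . ' = :extension')` keeps it unambiguous and consistent. The bind itself is fine: `$extension` is a local that is not reassigned before the query runs, and the default string parameter type looks appropriate for an extension name. getListQuery continues past the end of this hunk.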
@@ -241,11 +251,13 @@ public function getListQuery() // Filter by status if (is_numeric($status)) { - $query->where($db->quoteName('w.published') . ' = ' . (int) $status); + $status = (int) $status; + $query->where($db->quoteName('w.published') . ' = :published') + ->bind(':published', $status, ParameterType::INTEGER); } - elseif ($status == '') + elseif ($status === '') { - $query->where($db->quoteName('w.published') . " IN ('0', '1')"); + $query->where($db->quoteName('w.published') . ' IN (0, 1)'); } // Filter by search in title @@ -253,19 +265,16 @@ public function getListQuery() if (!empty($search)) { - $search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%')); - $query->where('(' . $db->quoteName('w.title') . ' LIKE ' . $search . ' OR ' . $db->quoteName('w.description') . ' LIKE ' . $search . ')'); + $search = '%' . str_replace(' ', '%', trim($search)) . '%'; + $query->where('(' . $db->quoteName('w.title') . ' LIKE :search1 OR ' . $db->quoteName('w.description') . ' LIKE :search2)') + ->bind([':search1', ':search2'], $search); } - // Join over the users for the checked out user. - $query->select($db->quoteName('uc.name', 'editor')) - ->join('LEFT', $db->quoteName('#__users', 'uc'), $db->quoteName('uc.id') . ' = ' . $db->quoteName('w.checked_out')); - // Add the list ordering clause. - $orderCol = $this->state->get('list.ordering', 'w.ordering'); - $orderDirn = strtolower($this->state->get('list.direction', 'asc')); + $orderCol = $this->state->get('list.ordering', 'w.ordering'); + $orderDirn = strtoupper($this->state->get('list.direction', 'ASC')); - $query->order($db->quoteName($db->escape($orderCol)) . ' ' . $db->escape($orderDirn == 'desc' ? 'DESC' : 'ASC')); + $query->order($db->quoteName($db->escape($orderCol)) . ' ' . $db->escape($orderDirn === 'DESC' ? 'DESC' : 'ASC')); return $query; } 
diff --git a/administrator/components/com_workflow/src/Table/StageTable.php b/administrator/components/com_workflow/src/Table/StageTable.php index 287c5443a6dfe..ae961c041bfb3 100644 --- a/administrator/components/com_workflow/src/Table/StageTable.php +++ b/administrator/components/com_workflow/src/Table/StageTable.php @@ -16,6 +16,7 @@ use Joomla\CMS\Language\Text; use Joomla\CMS\Table\Table; use Joomla\Database\DatabaseDriver; +use Joomla\Database\ParameterType; /** * Stage table @@ -59,11 +60,13 @@ public function delete($pk = null) { $db = $this->getDbo(); $app = Factory::getApplication(); + $pk = (int) $pk; $query = $db->getQuery(true) ->select($db->quoteName('default')) ->from($db->quoteName('#__workflow_stages')) - ->where($db->quoteName('id') . ' = ' . (int) $pk); + ->where($db->quoteName('id') . ' = :id') + ->bind(':id', $pk, ParameterType::INTEGER); $isDefault = $db->setQuery($query)->loadResult(); @@ -78,8 +81,14 @@ public function delete($pk = null) { $query = $db->getQuery(true) ->delete($db->quoteName('#__workflow_transitions')) - ->where($db->quoteName('to_stage_id') . ' = ' . (int) $pk, 'OR') - ->where($db->quoteName('from_stage_id') . ' = ' . (int) $pk); + ->where( + [ + $db->quoteName('to_stage_id') . ' = :idTo', + $db->quoteName('from_stage_id') . ' = :idFrom', + ], + 'OR' + ) + ->bind([':idTo', ':idFrom'], $pk, ParameterType::INTEGER); $db->setQuery($query)->execute(); @@ -138,8 +147,13 @@ public function check() $query ->select($db->quoteName('id')) ->from($db->quoteName('#__workflow_stages')) - ->where($db->quoteName('workflow_id') . '=' . (int) $this->workflow_id) - ->where($db->quoteName('default') . ' = 1'); + ->where( + [ + $db->quoteName('workflow_id') . ' = :id', + $db->quoteName('default') . ' = 1', + ] + ) + ->bind(':id', $this->workflow_id, ParameterType::INTEGER); $id = $db->setQuery($query)->loadResult(); 
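Review bot: The new `$pk = (int) $pk;` at the top of delete() turns the `null` default into `0` for the whole method; the old code only cast inside the where clause, so if the remainder of delete() (outside this hunk) hands `$pk` to `parent::delete($pk)`, the base Table would no longer fall back to the loaded record's key and would target id 0 instead. Resolving the default before casting keeps both the binding and the fallback intact: `$pk = (int) ($pk ?? $this->{$this->getKeyName()});`. WorkflowTable::delete in this commit applies the same cast and needs the same treatment. delete() continues past the end of this hunk.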
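Review bot: `->bind(':id', $this->workflow_id, ParameterType::INTEGER)` in check() binds the table property itself by reference; it works because loadResult() follows immediately, but it is inconsistent with delete() in this same file, which casts into a local first, and the property may well hold a string if it was populated from form data. `$workflowId = (int) $this->workflow_id;` followed by `->bind(':id', $workflowId, ParameterType::INTEGER)` makes the type explicit and keeps the two methods alike. check() continues past the end of this hunk.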
diff --git a/administrator/components/com_workflow/src/Table/WorkflowTable.php b/administrator/components/com_workflow/src/Table/WorkflowTable.php index 6a6a14e2f1c8d..5df6d3662a98a 100644 --- a/administrator/components/com_workflow/src/Table/WorkflowTable.php +++ b/administrator/components/com_workflow/src/Table/WorkflowTable.php @@ -15,6 +15,7 @@ use Joomla\CMS\Language\Text; use Joomla\CMS\Table\Table; use Joomla\Database\DatabaseDriver; +use Joomla\Database\ParameterType; /** * Workflow table @@ -60,12 +61,14 @@ public function delete($pk = null) { $db = $this->getDbo(); $app = Factory::getApplication(); + $pk = (int) $pk; // Gets the workflow information that is going to be deleted. $query = $db->getQuery(true) ->select($db->quoteName('default')) ->from($db->quoteName('#__workflows')) - ->where($db->quoteName('id') . ' = ' . (int) $pk); + ->where($db->quoteName('id') . ' = :id') + ->bind(':id', $pk, ParameterType::INTEGER); $isDefault = $db->setQuery($query)->loadResult(); @@ -81,13 +84,15 @@ public function delete($pk = null) { $query = $db->getQuery(true) ->delete($db->quoteName('#__workflow_stages')) - ->where($db->quoteName('workflow_id') . ' = ' . (int) $pk); + ->where($db->quoteName('workflow_id') . ' = :id') + ->bind(':id', $pk, ParameterType::INTEGER); $db->setQuery($query)->execute(); $query = $db->getQuery(true) ->delete($db->quoteName('#__workflow_transitions')) - ->where($db->quoteName('workflow_id') . ' = ' . (int) $pk); + ->where($db->quoteName('workflow_id') . ' = :id') + ->bind(':id', $pk, ParameterType::INTEGER); $db->setQuery($query)->execute(); @@ -146,7 +151,7 @@ public function check() $query ->select($db->quoteName('id')) ->from($db->quoteName('#__workflows')) - ->where($db->quoteName('default') . '= 1'); + ->where($db->quoteName('default') . ' = 1'); $id = $db->setQuery($query)->loadResult(); 
@@ -307,7 +312,8 @@ protected function _getAssetParentId(Table $table = null, $id = null) $query = $this->getDbo()->getQuery(true) ->select($this->getDbo()->quoteName('id')) ->from($this->getDbo()->quoteName('#__assets')) - ->where($this->getDbo()->quoteName('name') . ' = ' . $this->getDbo()->quote($extension)); + ->where($this->getDbo()->quoteName('name') . ' = :extension') + ->bind(':extension', $extension); // Get the asset id from the database. $this->getDbo()->setQuery($query);
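Review bot: The new `->bind(':extension', $extension)` sits on a query built through four separate `$this->getDbo()` calls, and the `setQuery` line below calls it a fifth time; hoisting `$db = $this->getDbo();` before `$query = $db->getQuery(true)` and using `$db->quoteName(...)` and `$db->setQuery($query)` would match the style of the model changes in this commit. Since bind() holds `$extension` by reference, its value must not change before the query is executed, which appears to be the case in the lines shown. _getAssetParentId begins before this hunk and continues after it.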