From 2bd76b61c58246ebcc265ca54474482e4133218a Mon Sep 17 00:00:00 2001
From: Harald Leithner
Date: Sun, 5 May 2019 11:32:49 +0200
Subject: [PATCH 1/6] Add prepared statements for mod_related_items

---
 .../Helper/RelatedItemsHelper.php | 87 +++++++++++--------
 1 file changed, 52 insertions(+), 35 deletions(-)

diff --git a/modules/mod_related_items/Helper/RelatedItemsHelper.php b/modules/mod_related_items/Helper/RelatedItemsHelper.php
index fb9935649083a..e690c80ca81a8 100644
--- a/modules/mod_related_items/Helper/RelatedItemsHelper.php
+++ b/modules/mod_related_items/Helper/RelatedItemsHelper.php
@@ -17,6 +17,7 @@
 use Joomla\CMS\MVC\Model\BaseDatabaseModel;
 use Joomla\CMS\Router\Route;
 use Joomla\Component\Content\Administrator\Extension\ContentComponent;
+use Joomla\Database\ParameterType;
 
 \JLoader::register('ContentHelperRoute', JPATH_SITE . '/components/com_content/helpers/route.php');
 
@@ -36,12 +37,13 @@ abstract class RelatedItemsHelper
 	 */
 	public static function getList(&$params)
 	{
-		$db = Factory::getDbo();
-		$app = Factory::getApplication();
-		$input = $app->input;
-		$groups = implode(',', Factory::getUser()->getAuthorisedViewLevels());
-		$maximum = (int) $params->get('maximum', 5);
-		$factory = $app->bootComponent('com_content')->getMVCFactory();
+		$db = Factory::getDbo();
+		$app = Factory::getApplication();
+		$input = $app->input;
+		$groups = Factory::getUser()->getAuthorisedViewLevels();
+		$maximum = (int) $params->get('maximum', 5);
+		$factory = $app->bootComponent('com_content')->getMVCFactory();
+		$condition = ContentComponent::CONDITION_PUBLISHED;
 
 		// Get an instance of the generic articles model
 		$articles = $factory->createModel('Articles', 'Site', ['ignore_request' => true]);
@@ -54,7 +56,7 @@ public static function getList(&$params)
 		$temp = $input->getString('id');
 		$temp = explode(':', $temp);
 
-		$id = $temp[0];
+		$id = (int) $temp[0];
 
 		$nullDate = $db->getNullDate();
 		$now = Factory::getDate()->toSql();
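Review bot: The new `$condition` local in the `@@ -36` hunk exists only because `bind()` takes its value by reference, which a class constant cannot satisfy; that intent is not obvious from the line and deserves a comment such as `// bind() takes a reference, so the constant is copied into a local first`. Likewise `$groups` now stays an array instead of an imploded string so that `whereIn()` can bind each access level as a parameter; a short comment on that line would spare the next reader a trip into the query builder. The body of getList() continues past the end of this hunk.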
@@ -66,7 +68,8 @@ public static function getList(&$params)
 			// Select the meta keywords from the item
 			$query->select('metakey')
 				->from('#__content')
-				->where('id = ' . (int) $id);
+				->where($db->quoteName('id') . ' = :id')
+				->bind(':id', $id, ParameterType::INTEGER);
 			$db->setQuery($query);
 
 			try
@@ -99,50 +102,64 @@ public static function getList(&$params)
 			{
 				// Select other items based on the metakey field 'like' the keys found
 				$query->clear()
-					->select('a.id')
-					->select('a.title')
-					->select('CAST(a.created AS DATE) as created')
-					->select('a.catid')
-					->select('a.language')
-					->select('cc.access AS cat_access')
-					->select('cc.published AS cat_state');
+					->select([
+						$db->quoteName(['a.id', 'a.title', 'a.catid', 'a.language']),
+						$db->quoteName(['cc.access', 'cc.published'], ['cat_access', 'cat_state']).
+						'CAST(' . $db->quoteName('a.created') . ' AS DATE) AS created'
+					]);
 
 				$case_when = ' CASE WHEN ';
-				$case_when .= $query->charLength('a.alias', '!=', '0');
+				$case_when .= $query->charLength($db->quoteName('a.alias'), '!=', '0');
 				$case_when .= ' THEN ';
-				$a_id = $query->castAsChar('a.id');
-				$case_when .= $query->concatenate(array($a_id, 'a.alias'), ':');
+				$a_id = $query->castAsChar($db->quoteName('a.id'));
+				$case_when .= $query->concatenate([$a_id, $db->quoteName('a.alias')], ':');
 				$case_when .= ' ELSE ';
-				$case_when .= $a_id . ' END as slug';
+				$case_when .= $a_id . ' END AS slug';
 				$query->select($case_when)
-					->from('#__content AS a')
-					->join('LEFT', '#__content_frontpage AS f ON f.content_id = a.id')
-					->join('LEFT', '#__categories AS cc ON cc.id = a.catid')
-					->join('LEFT', '#__workflow_associations AS wa ON wa.item_id = a.id')
-					->join('LEFT', '#__workflow_stages AS ws ON ws.id = wa.stage_id')
-					->where('a.id != ' . (int) $id)
-					->where('ws.condition = ' . ContentComponent::CONDITION_PUBLISHED)
-					->where('a.access IN (' . $groups . ')');
-
-				$wheres = array();
+					->from($db->quoteName('__content', 'a'))
+					->leftJoin($db->quoteName('#__categories', 'cc'), $db->quoteName('cc.id') . ' = ' . $db->quoteName('a.catid'))
+					->leftJoin($db->quoteName('#__content_frontpage', 'f'), $db->quoteName('f.content_id') . ' = ' . $db->quoteName('a.id'))
+					->leftJoin($db->quoteName('#__workflow_associations', 'wa'), $db->quoteName('wa.item_id') . ' = ' . $db->quoteName('a.id'))
+					->leftJoin($db->quoteName('#__workflow_stages', 'ws'), $db->quoteName('ws.id') . ' = ' . $db->quoteName('wa.stage_id'))
+					->where($db->quoteName('a.id') . ' != :id')
+					->where($db->quoteName('ws.condition') . ' = :condition')
+					->whereIn($db->quoteName('a.access'), $groups)
+					->bind(':id', $id, ParameterType::INTEGER)
+					->bind(':condition', $condition, ParameterType::INTEGER);
+
+				$binds = [];
+				$wheres = [];
 
 				foreach ($likes as $keyword)
 				{
-					$wheres[] = 'a.metakey LIKE ' . $db->quote('%' . $keyword . '%');
+					$binds[] = '%' . $keyword . '%';
+				}
+
+				$bindNames = $query->bindArray($binds, parameterType::STRING);
+
+				foreach ($bindNames as $keyword)
+				{
+					$wheres[] = 'a.metakey LIKE ' . $keyword;
 				}
 
 				$query->where('(' . implode(' OR ', $wheres) . ')')
-					->where('(a.publish_up = ' . $db->quote($nullDate) . ' OR a.publish_up <= ' . $db->quote($now) . ')')
-					->where('(a.publish_down = ' . $db->quote($nullDate) . ' OR a.publish_down >= ' . $db->quote($now) . ')');
+					->where('(a.publish_up = :nullDate1 OR a.publish_up <= :nowDate1)')
+					->where('(a.publish_down = :nullDate2 OR a.publish_down >= :nowDate2)')
+					->bind(':nullDate1', $nullDate)
+					->bind(':nullDate2', $nullDate)
+					->bind(':nowDate1', $now)
+					->bind(':nowDate2', $now);
 
 				// Filter by language
 				if (Multilanguage::isEnabled())
 				{
-					$query->where('a.language in (' . $db->quote(Factory::getLanguage()->getTag()) . ',' . $db->quote('*') . ')');
+					$query->whereIn($db->quoteName('a.language'), [Factory::getLanguage()->getTag(), '*'], ParameterType::STRING);
 				}
 
-				$db->setQuery($query, 0, $maximum);
+				$query->setLimit($maximum);
+
+				$db->setQuery($query);
 
 				try
 				{
@@ -152,7 +169,7 @@ public static function getList(&$params)
 				{
 					$app->enqueueMessage(Text::_('JERROR_AN_ERROR_HAS_OCCURRED'), 'error');
 
-					return array();
+					return [];
 				}
 
 				if (count($temp))

From dd9326fde8dd175ba60301c449fead3d534e826f Mon Sep 17 00:00:00 2001
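Review bot: `->from($db->quoteName('__content', 'a'))` drops the `#` table-prefix marker, so this query targets a table literally named `__content` rather than the prefixed content table; patch 5 of this series shows the prefix back in place, but the commit as written is broken. In the same statement, the `.` after `['cat_access', 'cat_state'])` concatenates the array returned by `quoteName()` with the CAST string, which PHP renders as the literal word `Array` with a warning, and the arrays nested inside the outer `select([...])` array are probably not what the query element expects either; three separate `select()` calls express the same columns without either problem. Unrelated to injection, the bound `LIKE` values still carry any `%` or `_` that a metakey contains as wildcards, exactly as before the change — if literal matching is wanted, `$db->escape($keyword, true)` before wrapping in `%` would do it. getList() continues beyond this hunk.
```php
$query->clear()
    ->select($db->quoteName(['a.id', 'a.title', 'a.catid', 'a.language']))
    ->select($db->quoteName(['cc.access', 'cc.published'], ['cat_access', 'cat_state']))
    ->select('CAST(' . $db->quoteName('a.created') . ' AS DATE) AS created');
// … unchanged: CASE WHEN slug expression …
$query->select($case_when)
    ->from($db->quoteName('#__content', 'a'))
// … unchanged: joins, where clauses and binds …
```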
From: Harald Leithner
Date: Thu, 30 May 2019 09:58:17 +0200
Subject: [PATCH 2/6] Fix typo

---
 modules/mod_related_items/Helper/RelatedItemsHelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/mod_related_items/Helper/RelatedItemsHelper.php b/modules/mod_related_items/Helper/RelatedItemsHelper.php
index 37d4d1e51af92..9725007aeec06 100644
--- a/modules/mod_related_items/Helper/RelatedItemsHelper.php
+++ b/modules/mod_related_items/Helper/RelatedItemsHelper.php
@@ -125,7 +125,7 @@ public static function getList(&$params)
 					$binds[] = '%' . $keyword . '%';
 				}
 
-				$bindNames = $query->bindArray($binds, parameterType::STRING);
+				$bindNames = $query->bindArray($binds, ParameterType::STRING);
 
 				foreach ($bindNames as $keyword)
 				{

From 29acfd9eccb13d682760092d982487a7593bccf1 Mon Sep 17 00:00:00 2001
From: Harald Leithner
Date: Fri, 31 May 2019 09:56:10 +0200
Subject: [PATCH 3/6] More quoteName

---
 modules/mod_related_items/Helper/RelatedItemsHelper.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/mod_related_items/Helper/RelatedItemsHelper.php b/modules/mod_related_items/Helper/RelatedItemsHelper.php
index 9725007aeec06..38266003a59ba 100644
--- a/modules/mod_related_items/Helper/RelatedItemsHelper.php
+++ b/modules/mod_related_items/Helper/RelatedItemsHelper.php
@@ -71,8 +71,8 @@ public static function getList(&$params)
 		if ($id)
 		{
 			// Select the meta keywords from the item
-			$query->select('metakey')
-				->from('#__content')
+			$query->select($db->quoteName('metakey'))
+				->from($db->quoteName('#__content'))
 				->where($db->quoteName('id') . ' = :id')
 				->bind(':id', $id, ParameterType::INTEGER);
 			$db->setQuery($query);
@@ -133,8 +133,8 @@ public static function getList(&$params)
 				}
 
 				$query->where('(' . implode(' OR ', $wheres) . ')')
-					->where('(a.publish_up = :nullDate1 OR a.publish_up <= :nowDate1)')
-					->where('(a.publish_down = :nullDate2 OR a.publish_down >= :nowDate2)')
+					->where('('. $db->quoteName('a.publish_up') . ' = :nullDate1 OR ' . $db->quoteName('a.publish_up') . ' <= :nowDate1)')
+					->where('('. $db->quoteName('a.publish_down') . ' = :nullDate2 OR ' . $db->quoteName('a.publish_down') . ' >= :nowDate2)')
 					->bind(':nullDate1', $nullDate)
 					->bind(':nullDate2', $nullDate)
 					->bind(':nowDate1', $now)

From d956e6d65799121ee7bf9650a75de04938ab811d Mon Sep 17 00:00:00 2001
From: Harald Leithner
Date: Wed, 3 Jul 2019 13:51:23 +0200
Subject: [PATCH 4/6] cs

---
 modules/mod_related_items/Helper/RelatedItemsHelper.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/mod_related_items/Helper/RelatedItemsHelper.php b/modules/mod_related_items/Helper/RelatedItemsHelper.php
index 7439b09158ecb..8517d83e799bf 100644
--- a/modules/mod_related_items/Helper/RelatedItemsHelper.php
+++ b/modules/mod_related_items/Helper/RelatedItemsHelper.php
@@ -131,8 +131,8 @@ public static function getList(&$params)
 				}
 
 				$query->where('(' . implode(' OR ', $wheres) . ')')
-					->where('('. $db->quoteName('a.publish_up') . ' = :nullDate1 OR ' . $db->quoteName('a.publish_up') . ' <= :nowDate1)')
-					->where('('. $db->quoteName('a.publish_down') . ' = :nullDate2 OR ' . $db->quoteName('a.publish_down') . ' >= :nowDate2)')
+					->where('(' . $db->quoteName('a.publish_up') . ' = :nullDate1 OR ' . $db->quoteName('a.publish_up') . ' <= :nowDate1)')
+					->where('(' . $db->quoteName('a.publish_down') . ' = :nullDate2 OR ' . $db->quoteName('a.publish_down') . ' >= :nowDate2)')
 					->bind(':nullDate1', $nullDate)
 					->bind(':nullDate2', $nullDate)
 					->bind(':nowDate1', $now)

From 890d722ce2079fbd9886e650d0384970f3183b6c Mon Sep 17 00:00:00 2001
From: Harald Leithner
Date: Wed, 17 Jul 2019 20:46:49 +0200
Subject: [PATCH 5/6] Change leftJoin to join

---
 .../mod_related_items/Helper/RelatedItemsHelper.php | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/modules/mod_related_items/Helper/RelatedItemsHelper.php b/modules/mod_related_items/Helper/RelatedItemsHelper.php
index 8517d83e799bf..2940bd148a567 100644
--- a/modules/mod_related_items/Helper/RelatedItemsHelper.php
+++ b/modules/mod_related_items/Helper/RelatedItemsHelper.php
@@ -107,8 +107,8 @@ public static function getList(&$params)
 				$query->clear()
 					->select($db->quoteName('a.id'))
 					->from($db->quoteName('#__content', 'a'))
-					->leftJoin($db->quoteName('#__workflow_associations', 'wa'), $db->quoteName('wa.item_id') . ' = ' . $db->quoteName('a.id'))
-					->leftJoin($db->quoteName('#__workflow_stages', 'ws'), $db->quoteName('ws.id') . ' = ' . $db->quoteName('wa.stage_id'))
+					->join('LEFT', $db->quoteName('#__workflow_associations', 'wa'), $db->quoteName('wa.item_id') . ' = ' . $db->quoteName('a.id'))
+					->join('LEFT', $db->quoteName('#__workflow_stages', 'ws'), $db->quoteName('ws.id') . ' = ' . $db->quoteName('wa.stage_id'))
 					->where($db->quoteName('a.id') . ' != :id')
 					->where($db->quoteName('ws.condition') . ' = :condition')
 					->whereIn($db->quoteName('a.access'), $groups)
@@ -127,16 +127,14 @@ public static function getList(&$params)
 
 				foreach ($bindNames as $keyword)
 				{
-					$wheres[] = 'a.metakey LIKE ' . $keyword;
+					$wheres[] = $db->quoteName('a.metakey') . ' LIKE ' . $keyword;
 				}
 
 				$query->where('(' . implode(' OR ', $wheres) . ')')
 					->where('(' . $db->quoteName('a.publish_up') . ' = :nullDate1 OR ' . $db->quoteName('a.publish_up') . ' <= :nowDate1)')
 					->where('(' . $db->quoteName('a.publish_down') . ' = :nullDate2 OR ' . $db->quoteName('a.publish_down') . ' >= :nowDate2)')
-					->bind(':nullDate1', $nullDate)
-					->bind(':nullDate2', $nullDate)
-					->bind(':nowDate1', $now)
-					->bind(':nowDate2', $now);
+					->bind([':nullDate1', ':nullDate2'], $nullDate)
+					->bind([':nowDate1', ':nowDate2'], $now);
 
 				// Filter by language
 				if (Multilanguage::isEnabled())

From 84033835e793004ce76bfc19593423620ffb88ae Mon Sep 17 00:00:00 2001
From: Harald Leithner
Date: Mon, 26 Aug 2019 16:42:49 +0200
Subject: [PATCH 6/6] Convert to extendWhere

---
 modules/mod_related_items/Helper/RelatedItemsHelper.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/mod_related_items/Helper/RelatedItemsHelper.php b/modules/mod_related_items/Helper/RelatedItemsHelper.php
index 2940bd148a567..ed4a351a8f22f 100644
--- a/modules/mod_related_items/Helper/RelatedItemsHelper.php
+++ b/modules/mod_related_items/Helper/RelatedItemsHelper.php
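Review bot: In `foreach ($bindNames as $keyword)` the loop variable now holds the placeholder name returned by `bindArray()`, not a keyword, so the rewritten line `$wheres[] = $db->quoteName('a.metakey') . ' LIKE ' . $keyword;` reads as if user text were being spliced into SQL; renaming it, `foreach ($bindNames as $placeholder)` with `$wheres[] = $db->quoteName('a.metakey') . ' LIKE ' . $placeholder;`, makes the prepared-statement intent visible at a glance. The paired `bind([':nullDate1', ':nullDate2'], $nullDate)` and `bind([':nowDate1', ':nowDate2'], $now)` calls look deliberate — presumably because a named placeholder may not be reused within one statement on the native-prepare drivers — but nothing says so; a comment such as `// Each placeholder may appear only once in the statement, hence the numbered pairs` would stop a later cleanup from collapsing them. getList() continues outside this hunk.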
@@ -130,9 +130,9 @@ public static function getList(&$params)
 					$wheres[] = $db->quoteName('a.metakey') . ' LIKE ' . $keyword;
 				}
 
-				$query->where('(' . implode(' OR ', $wheres) . ')')
-					->where('(' . $db->quoteName('a.publish_up') . ' = :nullDate1 OR ' . $db->quoteName('a.publish_up') . ' <= :nowDate1)')
-					->where('(' . $db->quoteName('a.publish_down') . ' = :nullDate2 OR ' . $db->quoteName('a.publish_down') . ' >= :nowDate2)')
+				$query->extendWhere('AND', $wheres, 'OR')
+					->extendWhere('AND', [ $db->quoteName('a.publish_up') . ' = :nullDate1', $db->quoteName('a.publish_up') . ' <= :nowDate1'], 'OR')
+					->extendWhere('AND', [ $db->quoteName('a.publish_down') . ' = :nullDate2', $db->quoteName('a.publish_down') . ' >= :nowDate2'], 'OR')
 					->bind([':nullDate1', ':nullDate2'], $nullDate)
 					->bind([':nowDate1', ':nowDate2'], $now);