[4.0][com_associations] convert to prepared statement

administrator/components/com_associations/Helper/AssociationsHelper.php

@@ -19,6 +19,7 @@
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Layout\LayoutHelper;
 use Joomla\CMS\Router\Route;
+use Joomla\Database\ParameterType;
 use Joomla\Registry\Registry;
 
 /**
@@ -263,12 +264,13 @@ public static function getAssociationHtmlList($extensionName, $typeName, $itemId
 					$query = $db->getQuery(true)
 						->select($db->quoteName('title'))
 						->from($db->quoteName('#__categories'))
-						->where($db->quoteName('id') . ' = ' . $db->quote($items[$langCode]['catid']));
+						->where($db->quoteName('id') . ' = :id')
+						->bind(':id', $items[$langCode]['catid'], ParameterType::INTEGER);
 
 					$db->setQuery($query);
-					$category_title = $db->loadResult();
+					$categoryTitle = $db->loadResult();
 
-					$additional = '<strong>' . Text::sprintf('JCATEGORY_SPRINTF', $category_title) . '</strong> <br>';
+					$additional = '<strong>' . Text::sprintf('JCATEGORY_SPRINTF', $categoryTitle) . '</strong> <br>';
 				}
 				elseif (isset($items[$langCode]['menutype']))
 				{
@@ -278,12 +280,13 @@ public static function getAssociationHtmlList($extensionName, $typeName, $itemId
 					$query = $db->getQuery(true)
 						->select($db->quoteName('title'))
 						->from($db->quoteName('#__menu_types'))
-						->where($db->quoteName('menutype') . ' = ' . $db->quote($items[$langCode]['menutype']));
+						->where($db->quoteName('menutype') . ' = :menutype')
+						->bind(':menutype', $items[$langCode]['menutype']);
 
 					$db->setQuery($query);
-					$menutype_title = $db->loadResult();
+					$menutypeTitle = $db->loadResult();
 
-					$additional = '<strong>' . Text::sprintf('COM_MENUS_MENU_SPRINTF', $menutype_title) . '</strong><br>';
+					$additional = '<strong>' . Text::sprintf('COM_MENUS_MENU_SPRINTF', $menutypeTitle) . '</strong><br>';
 				}
 
 				$labelClass  = 'badge-secondary';

administrator/components/com_associations/Model/AssociationsModel.php

@@ -18,6 +18,7 @@
 use Joomla\CMS\Table\Table;
 use Joomla\Component\Associations\Administrator\Helper\AssociationsHelper;
 use Joomla\Database\Exception\ExecutionFailureException;
+use Joomla\Database\ParameterType;
 
 /**
  * Methods supporting a list of article records.
@@ -231,16 +232,27 @@ protected function getListQuery()
 		$query->select($db->quoteName($fields['language'], 'language'))
 			->select($db->quoteName('l.title', 'language_title'))
 			->select($db->quoteName('l.image', 'language_image'))
-			->join('LEFT', $db->quoteName('#__languages', 'l') . ' ON ' . $db->quoteName('l.lang_code') . ' = ' . $db->quoteName($fields['language']));
+			->join(
+				'LEFT',
+				$db->quoteName('#__languages', 'l'),
+				$db->quoteName('l.lang_code') . ' = ' . $db->quoteName($fields['language'])
+			);
+		$extensionNameItem = $extensionName . '.item';
 
 		// Join over the associations.
 		$query->select('COUNT(' . $db->quoteName('asso2.id') . ') > 1 AS ' . $db->quoteName('association'))
 			->join(
 				'LEFT',
-				$db->quoteName('#__associations', 'asso') . ' ON ' . $db->quoteName('asso.id') . ' = ' . $db->quoteName($fields['id'])
-				. ' AND ' . $db->quoteName('asso.context') . ' = ' . $db->quote($extensionName . '.item')
+				$db->quoteName('#__associations', 'asso'),
+				$db->quoteName('asso.id') . ' = ' . $db->quoteName($fields['id'])
+				. ' AND ' . $db->quoteName('asso.context') . ' = :context'
+			)
+			->join(
+				'LEFT',
+				$db->quoteName('#__associations', 'asso2'),
+				$db->quoteName('asso2.key') . ' = ' . $db->quoteName('asso.key')
 			)
-			->join('LEFT', $db->quoteName('#__associations', 'asso2') . ' ON ' . $db->quoteName('asso2.key') . ' = ' . $db->quoteName('asso.key'));
+			->bind(':context', $extensionNameItem);
 
 		// Prepare the group by clause.
 		$groupby = array(
@@ -268,7 +280,11 @@ protected function getListQuery()
 
 			// Join over the users.
 			$query->select($db->quoteName('u.name', 'editor'))
-				->join('LEFT', $db->quoteName('#__users', 'u') . ' ON ' . $db->quoteName('u.id') . ' = ' . $db->quoteName($fields['checked_out']));
+				->join(
+					'LEFT',
+					$db->quoteName('#__users', 'u'),
+					$db->quoteName('u.id') . ' = ' . $db->quoteName($fields['checked_out'])
+				);
 
 			$groupby[] = 'u.name';
 			$groupby[] = $fields['checked_out'];
@@ -306,7 +322,11 @@ protected function getListQuery()
 
 			// Join over the categories.
 			$query->select($db->quoteName('c.title', 'category_title'))
-				->join('LEFT', $db->quoteName('#__categories', 'c') . ' ON ' . $db->quoteName('c.id') . ' = ' . $db->quoteName($fields['catid']));
+				->join(
+					'LEFT',
+					$db->quoteName('#__categories', 'c'),
+					$db->quoteName('c.id') . ' = ' . $db->quoteName($fields['catid'])
+				);
 
 			$groupby[] = 'c.title';
 			$groupby[] = $fields['catid'];
@@ -320,7 +340,11 @@ protected function getListQuery()
 			// Join over the menu types.
 			$query->select($db->quoteName('mt.title', 'menutype_title'))
 				->select($db->quoteName('mt.id', 'menutypeid'))
-				->join('LEFT', $db->quoteName('#__menu_types', 'mt') . ' ON ' . $db->quoteName('mt.menutype') . ' = ' . $db->quoteName($fields['menutype']));
+				->join(
+					'LEFT',
+					$db->quoteName('#__menu_types', 'mt'),
+					$db->quoteName('mt.menutype') . ' = ' . $db->quoteName($fields['menutype'])
+				);
 
 			$groupby[] = 'mt.title';
 			$groupby[] = 'mt.id';
@@ -334,15 +358,20 @@ protected function getListQuery()
 
 			// Join over the access levels.
 			$query->select($db->quoteName('ag.title', 'access_level'))
-				->join('LEFT', $db->quoteName('#__viewlevels', 'ag') . ' ON ' . $db->quoteName('ag.id') . ' = ' . $db->quoteName($fields['access']));
+				->join(
+					'LEFT',
+					$db->quoteName('#__viewlevels', 'ag'),
+					$db->quoteName('ag.id') . ' = ' . $db->quoteName($fields['access'])
+				);
 
 			$groupby[] = 'ag.title';
 			$groupby[] = $fields['access'];
 
 			// Implement View Level Access.
 			if (!$user->authorise('core.admin', $extensionName))
 			{
-				$query->where($fields['access'] . ' IN (' . implode(',', $user->getAuthorisedViewLevels()) . ')');
+				$groups = $user->getAuthorisedViewLevels();
+				$query->whereIn($db->quoteName($fields['access']), $groups);
 			}
 		}
 
@@ -356,33 +385,39 @@ protected function getListQuery()
 		// If component item type is category we need to remove all other component categories.
 		if ($typeName === 'category')
 		{
-			$query->where($db->quoteName('a.extension') . ' = ' . $db->quote($extensionName));
+			$query->where($db->quoteName('a.extension') . ' = :extensionname')
+				->bind(':extensionname', $extensionName);
 		}
 		elseif ($typeNameExploded = explode('.', $typeName))
 		{
 			if (count($typeNameExploded) > 1 && array_pop($typeNameExploded) === 'category')
 			{
 				$section = implode('.', $typeNameExploded);
-				$query->where($db->quoteName('a.extension') . ' = ' . $db->quote($extensionName . '.' . $section));
+				$extensionNameSection = $extensionName . '.' . $section;
+				$query->where($db->quoteName('a.extension') . ' = :extensionsection')
+					->bind(':extensionsection', $extensionNameSection);
 			}
 		}
 
 		// Filter on the language.
 		if ($language = $this->getState('language'))
 		{
-			$query->where($db->quoteName($fields['language']) . ' = ' . $db->quote($language));
+			$query->where($db->quoteName($fields['language']) . ' = :language')
+				->bind(':language', $language);
 		}
 
 		// Filter by item state.
 		$state = $this->getState('filter.state');
 
 		if (is_numeric($state))
 		{
-			$query->where($db->quoteName($fields['state']) . ' = ' . (int) $state);
+			$state = (int) $state;
+			$query->where($db->quoteName($fields['state']) . ' = :state')
+				->bind(':state', $state, ParameterType::INTEGER);
 		}
 		elseif ($state === '')
 		{
-			$query->where($db->quoteName($fields['state']) . ' IN (0, 1)');
+			$query->whereIn($db->quoteName($fields['state']), [0, 1]);
 		}
 
 		// Filter on the category.
@@ -394,41 +429,54 @@ protected function getListQuery()
 			$categoryTable->load($categoryId);
 			$baselevel = (int) $categoryTable->level;
 
-			$query->where($db->quoteName('c.lft') . ' >= ' . (int) $categoryTable->lft)
-				->where($db->quoteName('c.rgt') . ' <= ' . (int) $categoryTable->rgt);
+			$lft = (int) $categoryTable->lft;
+			$rgt = (int) $categoryTable->rgt;
+			$query->where($db->quoteName('c.lft') . ' >= :lft')
+				->where($db->quoteName('c.rgt') . ' <= :rgt')
+				->bind(':lft', $lft, ParameterType::INTEGER)
+				->bind(':rgt', $rgt, ParameterType::INTEGER);
 		}
 
 		// Filter on the level.
 		if ($level = $this->getState('filter.level'))
 		{
-			$query->where($db->quoteName('a.level') . ' <= ' . ((int) $level + (int) $baselevel - 1));
+			$queryLevel = ((int) $level + (int) $baselevel - 1);
+			$query->where($db->quoteName('a.level') . ' <= :alevel')
+				->bind(':alevel', $queryLevel, ParameterType::INTEGER);
 		}
 
 		// Filter by menu type.
 		if ($menutype = $this->getState('filter.menutype'))
 		{
-			$query->where($fields['menutype'] . ' = ' . $db->quote($menutype));
+			$query->where($db->quoteName($fields['menutype']) . ' = :menutype2')
+				->bind(':menutype2', $menutype);
 		}
 
 		// Filter by access level.
 		if ($access = $this->getState('filter.access'))
 		{
-			$query->where($fields['access'] . ' = ' . (int) $access);
+			$access = (int) $access;
+			$query->where($db->quoteName($fields['access']) . ' = :access')
+				->bind(':access', $access, ParameterType::INTEGER);
 		}
 
 		// Filter by search in name.
 		if ($search = $this->getState('filter.search'))
 		{
 			if (stripos($search, 'id:') === 0)
 			{
-				$query->where($db->quoteName($fields['id']) . ' = ' . (int) substr($search, 3));
+				$search = (int) substr($search, 3);
+				$query->where($db->quoteName($fields['id']) . ' = :searchid')
+					->bind(':searchid', $search, ParameterType::INTEGER);
 			}
 			else
 			{
-				$search = $db->quote('%' . str_replace(' ', '%', $db->escape(trim($search), true) . '%'));
-				$query->where('(' . $db->quoteName($fields['title']) . ' LIKE ' . $search
-					. ' OR ' . $db->quoteName($fields['alias']) . ' LIKE ' . $search . ')'
-				);
+				$search = '%' . str_replace(' ', '%', trim($search)) . '%';
+				$query->where('(' . $db->quoteName($fields['title']) . ' LIKE :title'
+					. ' OR ' . $db->quoteName($fields['alias']) . ' LIKE :alias)'
+				)
+					->bind(':title', $search)
+					->bind(':alias', $search);
 			}
 		}
 
@@ -463,13 +511,15 @@ public function purge($context = '', $key = '')
 		// Filter by associations context.
 		if ($context)
 		{
-			$query->where($db->quoteName('context') . ' = ' . $db->quote($context));
+			$query->where($db->quoteName('context') . ' = :context')
+				->bind(':context', $context);
 		}
 
 		// Filter by key.
 		if ($key)
 		{
-			$query->where($db->quoteName('key') . ' = ' . $db->quote($key));
+			$query->where($db->quoteName('key') . ' = :key')
+				->bind(':key', $key);
 		}
 
 		$db->setQuery($query);
@@ -516,13 +566,15 @@ public function clean($context = '', $key = '')
 		// Filter by associations context.
 		if ($context)
 		{
-			$query->where($db->quoteName('context') . ' = ' . $db->quote($context));
+			$query->where($db->quoteName('context') . ' = :context')
+				->bind(':context', $context);
 		}
 
 		// Filter by key.
 		if ($key)
 		{
-			$query->where($db->quoteName('key') . ' = ' . $db->quote($key));
+			$query->where($db->quoteName('key') . ' = :key')
+				->bind(':key', $key);
 		}
 
 		$db->setQuery($query);
@@ -536,7 +588,8 @@ public function clean($context = '', $key = '')
 		{
 			$query->clear()
 				->delete($db->quoteName('#__associations'))
-				->where($db->quoteName('key') . ' = ' . $db->quote($value->key));
+				->where($db->quoteName('key') . ' = :valuekey')
+				->bind(':valuekey', $value->key);
 
 			$db->setQuery($query);