Commit 88d2fbe4554849757a21a33338a752ae63a2201d
1 parent
2f065d4a
Parameterise (or vette/mark) more SQL queries
git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@3062 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
22 changed files
with
168 additions
and
140 deletions
lib/archiving/ArchiveRestorationRequest.inc
| @@ -199,7 +199,7 @@ class ArchiveRestorationRequest extends KTEntity { | @@ -199,7 +199,7 @@ class ArchiveRestorationRequest extends KTEntity { | ||
| 199 | global $default; | 199 | global $default; |
| 200 | $aArchiveRestorationRequestArray = array(); | 200 | $aArchiveRestorationRequestArray = array(); |
| 201 | $sql = $default->db; | 201 | $sql = $default->db; |
| 202 | - $result = $sql->query("SELECT * FROM $default->archive_restoration_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 202 | + $result = $sql->query("SELECT * FROM $default->archive_restoration_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 203 | if ($result) { | 203 | if ($result) { |
| 204 | while ($sql->next_record()) { | 204 | while ($sql->next_record()) { |
| 205 | $aArchiveRestorationRequestArray[] = & ArchiveRestorationRequest::get($sql->f("id")); | 205 | $aArchiveRestorationRequestArray[] = & ArchiveRestorationRequest::get($sql->f("id")); |
lib/archiving/ArchivingSettings.inc
| @@ -191,7 +191,7 @@ class ArchivingSettings extends KTEntity { | @@ -191,7 +191,7 @@ class ArchivingSettings extends KTEntity { | ||
| 191 | global $default; | 191 | global $default; |
| 192 | $aArchivingSettings = array(); | 192 | $aArchivingSettings = array(); |
| 193 | $sql = $default->db; | 193 | $sql = $default->db; |
| 194 | - $result = $sql->query("SELECT * FROM $default->archiving_settings_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 194 | + $result = $sql->query("SELECT * FROM $default->archiving_settings_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 195 | if ($result) { | 195 | if ($result) { |
| 196 | while ($sql->next_record()) { | 196 | while ($sql->next_record()) { |
| 197 | $oArchivingSettings = & ArchivingSettings::get($sql->f("id")); | 197 | $oArchivingSettings = & ArchivingSettings::get($sql->f("id")); |
lib/archiving/ArchivingType.inc
| @@ -113,7 +113,7 @@ class ArchivingType extends KTEntity { | @@ -113,7 +113,7 @@ class ArchivingType extends KTEntity { | ||
| 113 | global $default; | 113 | global $default; |
| 114 | $aArchivingTypeArray = array(); | 114 | $aArchivingTypeArray = array(); |
| 115 | $sql = $default->db; | 115 | $sql = $default->db; |
| 116 | - $result = $sql->query("SELECT * FROM $default->archiving_type_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 116 | + $result = $sql->query("SELECT * FROM $default->archiving_type_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 117 | if ($result) { | 117 | if ($result) { |
| 118 | $iCount = 0; | 118 | $iCount = 0; |
| 119 | while ($sql->next_record()) { | 119 | while ($sql->next_record()) { |
lib/archiving/DocumentArchiving.inc
| @@ -156,7 +156,7 @@ class DocumentArchiving extends KTEntity { | @@ -156,7 +156,7 @@ class DocumentArchiving extends KTEntity { | ||
| 156 | global $default; | 156 | global $default; |
| 157 | $aDocumentArchivingArray = array(); | 157 | $aDocumentArchivingArray = array(); |
| 158 | $sql = $default->db; | 158 | $sql = $default->db; |
| 159 | - $result = $sql->query("SELECT * FROM $default->document_archiving_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 159 | + $result = $sql->query("SELECT * FROM $default->document_archiving_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 160 | if ($result) { | 160 | if ($result) { |
| 161 | $iCount = 0; | 161 | $iCount = 0; |
| 162 | while ($sql->next_record()) { | 162 | while ($sql->next_record()) { |
lib/archiving/TimePeriod.inc
| @@ -135,7 +135,7 @@ class TimePeriod extends KTEntity { | @@ -135,7 +135,7 @@ class TimePeriod extends KTEntity { | ||
| 135 | global $default; | 135 | global $default; |
| 136 | $aTimePeriodArray = array(); | 136 | $aTimePeriodArray = array(); |
| 137 | $sql = $default->db; | 137 | $sql = $default->db; |
| 138 | - $result = $sql->query("SELECT * FROM $default->time_period_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 138 | + $result = $sql->query("SELECT * FROM $default->time_period_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 139 | if ($result) { | 139 | if ($result) { |
| 140 | $iCount = 0; | 140 | $iCount = 0; |
| 141 | while ($sql->next_record()) { | 141 | while ($sql->next_record()) { |
lib/archiving/TimeUnit.inc
| @@ -112,7 +112,7 @@ class TimeUnit extends KTEntity { | @@ -112,7 +112,7 @@ class TimeUnit extends KTEntity { | ||
| 112 | global $default; | 112 | global $default; |
| 113 | $aTimeUnitArray = array(); | 113 | $aTimeUnitArray = array(); |
| 114 | $sql = $default->db; | 114 | $sql = $default->db; |
| 115 | - $result = $sql->query("SELECT * FROM $default->time_unit_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 115 | + $result = $sql->query("SELECT * FROM $default->time_unit_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 116 | if ($result) { | 116 | if ($result) { |
| 117 | $iCount = 0; | 117 | $iCount = 0; |
| 118 | while ($sql->next_record()) { | 118 | while ($sql->next_record()) { |
lib/authentication/DBAuthenticator.inc
| @@ -62,14 +62,15 @@ class DBAuthenticator extends Authenticator { | @@ -62,14 +62,15 @@ class DBAuthenticator extends Authenticator { | ||
| 62 | global $default; | 62 | global $default; |
| 63 | 63 | ||
| 64 | $sql = $default->db; | 64 | $sql = $default->db; |
| 65 | - $sQuery = "SELECT "; | 65 | + $sQuery = "SELECT ";/*ok*/ |
| 66 | // build select | 66 | // build select |
| 67 | for ($i=0; $i<count($aAttributes); $i++) { | 67 | for ($i=0; $i<count($aAttributes); $i++) { |
| 68 | $sQuery .= $aAttributes[$i] . (( ($i+1) == count($aAttributes) ) ? "" : ", "); | 68 | $sQuery .= $aAttributes[$i] . (( ($i+1) == count($aAttributes) ) ? "" : ", "); |
| 69 | } | 69 | } |
| 70 | - $sQuery .= " FROM $default->users_table WHERE username = '$sUserName'"; | 70 | + $sQuery .= " FROM $default->users_table WHERE username = ?"; |
| 71 | + $aParams = array($sUserName); | ||
| 71 | 72 | ||
| 72 | - if ($sql->query($sQuery)) { | 73 | + if ($sql->query(array($sQuery, $aParams))) { |
| 73 | $aUserResults = array(); | 74 | $aUserResults = array(); |
| 74 | while ($sql->next_record()) { | 75 | while ($sql->next_record()) { |
| 75 | for ($i=0; $i<count($aAttributes); $i++) { | 76 | for ($i=0; $i<count($aAttributes); $i++) { |
| @@ -93,12 +94,12 @@ class DBAuthenticator extends Authenticator { | @@ -93,12 +94,12 @@ class DBAuthenticator extends Authenticator { | ||
| 93 | global $default; | 94 | global $default; |
| 94 | 95 | ||
| 95 | $sql = $default->db; | 96 | $sql = $default->db; |
| 96 | - $sQuery = "SELECT "; | 97 | + $sQuery = "SELECT ";/*ok*/ |
| 97 | // build select | 98 | // build select |
| 98 | for ($i=0; $i<count($aAttributes); $i++) { | 99 | for ($i=0; $i<count($aAttributes); $i++) { |
| 99 | $sQuery .= $aAttributes[$i] . (( ($i+1) == count($aAttributes) ) ? "" : ", "); | 100 | $sQuery .= $aAttributes[$i] . (( ($i+1) == count($aAttributes) ) ? "" : ", "); |
| 100 | } | 101 | } |
| 101 | - $sQuery .= " FROM $default->users_table where username like '%$sUserNameSearch%'"; | 102 | + $sQuery .= " FROM $default->users_table where username like '%" . DBUtil::escapeSimple($sUserNameSearch) . "%'"; |
| 102 | 103 | ||
| 103 | if ($sql->query($sQuery)) { | 104 | if ($sql->query($sQuery)) { |
| 104 | $aUserResults = array(); | 105 | $aUserResults = array(); |
lib/browse/DocumentTypeBrowser.inc
| @@ -79,7 +79,7 @@ class DocumentTypeBrowser extends Browser { | @@ -79,7 +79,7 @@ class DocumentTypeBrowser extends Browser { | ||
| 79 | $results["documentTypes"][] = array("id" => $iDocumentTypeID, "name" => $documentTypeName); | 79 | $results["documentTypes"][] = array("id" => $iDocumentTypeID, "name" => $documentTypeName); |
| 80 | 80 | ||
| 81 | // create query to retrieve documents with this document type | 81 | // create query to retrieve documents with this document type |
| 82 | - $documentQuery = "SELECT d.id as id FROM $default->documents_table d "; | 82 | + $documentQuery = "SELECT d.id as id FROM $default->documents_table d ";/*wc*/ |
| 83 | if ( isset($aLookupCriteria) ) { | 83 | if ( isset($aLookupCriteria) ) { |
| 84 | //$documentQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON d.$this->sSortField=lt.id "; | 84 | //$documentQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON d.$this->sSortField=lt.id "; |
| 85 | $documentQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON "; | 85 | $documentQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON "; |
lib/browse/FolderBrowser.inc
| @@ -119,7 +119,7 @@ class FolderBrowser extends Browser { | @@ -119,7 +119,7 @@ class FolderBrowser extends Browser { | ||
| 119 | // if we're sorting by name or creator_id then sort folders in the appropriate direction | 119 | // if we're sorting by name or creator_id then sort folders in the appropriate direction |
| 120 | 120 | ||
| 121 | $aParams = array(); | 121 | $aParams = array(); |
| 122 | - $sFolderQuery = "SELECT f.id FROM $default->folders_table AS f "; | 122 | + $sFolderQuery = "SELECT f.id FROM $default->folders_table AS f ";/*ok*/ |
| 123 | if (in_array($this->sSortField, array("name", "creator_id"))) { | 123 | if (in_array($this->sSortField, array("name", "creator_id"))) { |
| 124 | if (isset($aLookupCriteria)) { | 124 | if (isset($aLookupCriteria)) { |
| 125 | $sFolderQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON f.$this->sSortField=lt.id WHERE parent_id = ?"; | 125 | $sFolderQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON f.$this->sSortField=lt.id WHERE parent_id = ?"; |
| @@ -154,7 +154,7 @@ class FolderBrowser extends Browser { | @@ -154,7 +154,7 @@ class FolderBrowser extends Browser { | ||
| 154 | $default->log->debug("Going on to document checking"); | 154 | $default->log->debug("Going on to document checking"); |
| 155 | 155 | ||
| 156 | // create query to retrieve documents in this folder | 156 | // create query to retrieve documents in this folder |
| 157 | - $documentQuery = "SELECT d.id as id FROM $default->documents_table AS d "; | 157 | + $documentQuery = "SELECT d.id as id FROM $default->documents_table AS d ";/*wc*/ |
| 158 | if (isset($aLookupCriteria)) { | 158 | if (isset($aLookupCriteria)) { |
| 159 | $documentQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON "; | 159 | $documentQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON "; |
| 160 | $documentQuery .= "d.$this->sSortField" . "=lt." . (isset($aLookupCriteria["joinColumn"]) ? $aLookupCriteria["joinColumn"] : "id"); | 160 | $documentQuery .= "d.$this->sSortField" . "=lt." . (isset($aLookupCriteria["joinColumn"]) ? $aLookupCriteria["joinColumn"] : "id"); |
lib/dashboard/Dashboard.inc
| @@ -49,12 +49,13 @@ class Dashboard { | @@ -49,12 +49,13 @@ class Dashboard { | ||
| 49 | */ | 49 | */ |
| 50 | function getPendingWebDocuments(){ | 50 | function getPendingWebDocuments(){ |
| 51 | global $default; | 51 | global $default; |
| 52 | - $sQuery = "SELECT wd.id FROM web_documents wd " . | 52 | + $sQuery = "SELECT wd.id FROM web_documents wd " . /*ok*/ |
| 53 | "INNER JOIN web_sites ws ON wd.web_site_id = ws.id " . | 53 | "INNER JOIN web_sites ws ON wd.web_site_id = ws.id " . |
| 54 | - "WHERE ws.web_master_id=" . $this->iUserID . " AND wd.status_id=1"; | 54 | + "WHERE ws.web_master_id = ? AND wd.status_id = 1"; |
| 55 | + $aParams = array($this->iUserID); | ||
| 55 | $aDocumentList = array(); | 56 | $aDocumentList = array(); |
| 56 | $sql = $default->db; | 57 | $sql = $default->db; |
| 57 | - if ($sql->query($sQuery)) { | 58 | + if ($sql->query(array($sQuery, $aParams))) { |
| 58 | while ($sql->next_record()) { | 59 | while ($sql->next_record()) { |
| 59 | $aDocumentList[] = & WebDocument::get($sql->f("id")); | 60 | $aDocumentList[] = & WebDocument::get($sql->f("id")); |
| 60 | } | 61 | } |
| @@ -77,7 +78,7 @@ class Dashboard { | @@ -77,7 +78,7 @@ class Dashboard { | ||
| 77 | function getPendingCollaborationDocuments(){ | 78 | function getPendingCollaborationDocuments(){ |
| 78 | global $default; | 79 | global $default; |
| 79 | 80 | ||
| 80 | - $sQuery = "SELECT document_id FROM $default->folders_user_roles_table WHERE active=1 AND user_id=" . $this->iUserID; | 81 | + $sQuery = array("SELECT document_id FROM $default->folders_user_roles_table WHERE active=1 AND user_id = ?", $this->iUserID);/*ok*/ |
| 81 | $aDocumentList = array(); | 82 | $aDocumentList = array(); |
| 82 | $sql = $default->db; | 83 | $sql = $default->db; |
| 83 | if ($sql->query($sQuery)) { | 84 | if ($sql->query($sQuery)) { |
| @@ -120,7 +121,7 @@ class Dashboard { | @@ -120,7 +121,7 @@ class Dashboard { | ||
| 120 | */ | 121 | */ |
| 121 | function getDependantDocuments() { | 122 | function getDependantDocuments() { |
| 122 | global $default; | 123 | global $default; |
| 123 | - $sQuery = "SELECT id FROM $default->dependant_document_instance_table WHERE user_id = " . $this->iUserID; | 124 | + $sQuery = array("SELECT id FROM $default->dependant_document_instance_table WHERE user_id = ?", $this->iUserID);/*ok*/ |
| 124 | $aDocumentList = array(); | 125 | $aDocumentList = array(); |
| 125 | $sql = $default->db; | 126 | $sql = $default->db; |
| 126 | $sql->query($sQuery); | 127 | $sql->query($sQuery); |
| @@ -129,4 +130,4 @@ class Dashboard { | @@ -129,4 +130,4 @@ class Dashboard { | ||
| 129 | } | 130 | } |
| 130 | return $aDocumentList; | 131 | return $aDocumentList; |
| 131 | } | 132 | } |
| 132 | -} | ||
| 133 | \ No newline at end of file | 133 | \ No newline at end of file |
| 134 | +} |
lib/dashboard/DashboardNews.inc
| @@ -322,7 +322,7 @@ class DashboardNews extends KTEntity { | @@ -322,7 +322,7 @@ class DashboardNews extends KTEntity { | ||
| 322 | function & get($iNewsID) { | 322 | function & get($iNewsID) { |
| 323 | global $default; | 323 | global $default; |
| 324 | $sql = $default->db; | 324 | $sql = $default->db; |
| 325 | - $sql->query("SELECT * FROM $default->news_table WHERE id = $iNewsID"); | 325 | + $sql->query(array("SELECT * FROM $default->news_table WHERE id = ?", $iNewsID));/*ok*/ |
| 326 | if ($sql->next_record()) { | 326 | if ($sql->next_record()) { |
| 327 | $aImage = array( "image" => $sql->f("image"), | 327 | $aImage = array( "image" => $sql->f("image"), |
| 328 | "filesize" => $sql->f("image_size"), | 328 | "filesize" => $sql->f("image_size"), |
| @@ -346,7 +346,7 @@ class DashboardNews extends KTEntity { | @@ -346,7 +346,7 @@ class DashboardNews extends KTEntity { | ||
| 346 | global $default; | 346 | global $default; |
| 347 | $aDashboardNewsArray = array(); | 347 | $aDashboardNewsArray = array(); |
| 348 | $sql = $default->db; | 348 | $sql = $default->db; |
| 349 | - $result = $sql->query("SELECT * FROM " . $default->news_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "") . " ORDER BY rank ASC"); | 349 | + $result = $sql->query("SELECT * FROM " . $default->news_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "") . " ORDER BY rank ASC");/*wc*/ |
| 350 | if ($result) { | 350 | if ($result) { |
| 351 | $iCount = 0; | 351 | $iCount = 0; |
| 352 | while ($sql->next_record()) { | 352 | while ($sql->next_record()) { |
lib/discussions/DiscussionComment.inc
| @@ -155,7 +155,7 @@ class DiscussionComment extends KTEntity { | @@ -155,7 +155,7 @@ class DiscussionComment extends KTEntity { | ||
| 155 | function & get($iNewCommentID) { | 155 | function & get($iNewCommentID) { |
| 156 | global $default; | 156 | global $default; |
| 157 | $sql = $default->db; | 157 | $sql = $default->db; |
| 158 | - $result = $sql->query("SELECT * FROM $default->discussion_comments_table WHERE id = $iNewCommentID"); | 158 | + $result = $sql->query(array("SELECT * FROM $default->discussion_comments_table WHERE id = ?", $iNewCommentID));/*ok*/ |
| 159 | if ($result) { | 159 | if ($result) { |
| 160 | if ($sql->next_record()) { | 160 | if ($sql->next_record()) { |
| 161 | $oDiscussionComment = & new DiscussionComment($sql->f("body"),$sql->f("subject"),$sql->f("user_id"),$sql->f("thread_id"),$sql->f("in_reply_to")); | 161 | $oDiscussionComment = & new DiscussionComment($sql->f("body"),$sql->f("subject"),$sql->f("user_id"),$sql->f("thread_id"),$sql->f("in_reply_to")); |
| @@ -180,7 +180,7 @@ class DiscussionComment extends KTEntity { | @@ -180,7 +180,7 @@ class DiscussionComment extends KTEntity { | ||
| 180 | global $default; | 180 | global $default; |
| 181 | $aDiscussionComments = array(); | 181 | $aDiscussionComments = array(); |
| 182 | $sql = $default->db; | 182 | $sql = $default->db; |
| 183 | - $result = $sql->query("SELECT * FROM " . $default->discussion_comments_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 183 | + $result = $sql->query("SELECT * FROM " . $default->discussion_comments_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 184 | if ($result) { | 184 | if ($result) { |
| 185 | while ($sql->next_record()) { | 185 | while ($sql->next_record()) { |
| 186 | $aDiscussionComments[] = & DiscussionComment::get($sql->f("id")); | 186 | $aDiscussionComments[] = & DiscussionComment::get($sql->f("id")); |
| @@ -212,7 +212,7 @@ class DiscussionComment extends KTEntity { | @@ -212,7 +212,7 @@ class DiscussionComment extends KTEntity { | ||
| 212 | if ($this->iId > 0) { | 212 | if ($this->iId > 0) { |
| 213 | //check to see if group is linked to a unit | 213 | //check to see if group is linked to a unit |
| 214 | $sql = $default->db; | 214 | $sql = $default->db; |
| 215 | - $query = "SELECT * FROM ". $default->discussion_comments_table . " WHERE id = " . $this->iId ; | 215 | + $query = array("SELECT * FROM ". $default->discussion_comments_table . " WHERE id = ?", $this->iId);/*ok*/ |
| 216 | $sql->query($query); | 216 | $sql->query($query); |
| 217 | $rows = $sql->num_rows($sql); | 217 | $rows = $sql->num_rows($sql); |
| 218 | 218 |
lib/discussions/DiscussionThread.inc
| @@ -142,12 +142,16 @@ class DiscussionThread extends KTEntity{ | @@ -142,12 +142,16 @@ class DiscussionThread extends KTEntity{ | ||
| 142 | global $default; | 142 | global $default; |
| 143 | 143 | ||
| 144 | $sql = $default->db; | 144 | $sql = $default->db; |
| 145 | - $result = $sql->query("SELECT id FROM $default->discussion_threads_table WHERE document_id = $this->iDocumentID ORDER BY id"); | 145 | + $aQuery = array("SELECT id FROM $default->discussion_threads_table WHERE document_id = ? ORDER BY id",/*ok*/ |
| 146 | + $this->iDocumentID); | ||
| 147 | + $result = $sql->query($aQuery); | ||
| 146 | if ($result) { | 148 | if ($result) { |
| 147 | $sql->next_record(); | 149 | $sql->next_record(); |
| 148 | $iThreadID = $sql->f("id"); | 150 | $iThreadID = $sql->f("id"); |
| 149 | 151 | ||
| 150 | - $result = $sql->query("SELECT id FROM $default->discussion_comments_table WHERE thread_id = $iThreadID ORDER BY date Desc"); | 152 | + $aQuery = array("SELECT id FROM $default->discussion_comments_table WHERE thread_id = ? ORDER BY date DESC",/*ok*/ |
| 153 | + $iThreadID); | ||
| 154 | + $result = $sql->query($aQuery); | ||
| 151 | 155 | ||
| 152 | if ($result) { | 156 | if ($result) { |
| 153 | while ($sql->next_record()) { | 157 | while ($sql->next_record()) { |
| @@ -178,7 +182,7 @@ class DiscussionThread extends KTEntity{ | @@ -178,7 +182,7 @@ class DiscussionThread extends KTEntity{ | ||
| 178 | global $default; | 182 | global $default; |
| 179 | $aDiscussionThreads = array(); | 183 | $aDiscussionThreads = array(); |
| 180 | $sql = $default->db; | 184 | $sql = $default->db; |
| 181 | - $result = $sql->query("SELECT * FROM " . $default->discussion_threads_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 185 | + $result = $sql->query("SELECT * FROM " . $default->discussion_threads_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 182 | if ($result) { | 186 | if ($result) { |
| 183 | while ($sql->next_record()) { | 187 | while ($sql->next_record()) { |
| 184 | $aDiscussionThreads[] = & DiscussionThread::get($sql->f("id")); | 188 | $aDiscussionThreads[] = & DiscussionThread::get($sql->f("id")); |
| @@ -191,7 +195,7 @@ class DiscussionThread extends KTEntity{ | @@ -191,7 +195,7 @@ class DiscussionThread extends KTEntity{ | ||
| 191 | function getThreadIDforDoc($iDocumentID){ | 195 | function getThreadIDforDoc($iDocumentID){ |
| 192 | global $default; | 196 | global $default; |
| 193 | $sql = $default->db; | 197 | $sql = $default->db; |
| 194 | - $result = $sql->query("SELECT id FROM $default->discussion_threads_table WHERE document_id = $iDocumentID"); | 198 | + $result = $sql->query(array("SELECT id FROM $default->discussion_threads_table WHERE document_id = ?", $iDocumentID));/*ok*/ |
| 195 | if ($result) { | 199 | if ($result) { |
| 196 | if ($sql->next_record()) { | 200 | if ($sql->next_record()) { |
| 197 | if ($sql->f("id") > 0) { | 201 | if ($sql->f("id") > 0) { |
| @@ -217,7 +221,7 @@ class DiscussionThread extends KTEntity{ | @@ -217,7 +221,7 @@ class DiscussionThread extends KTEntity{ | ||
| 217 | function & get($iNewThreadID) { | 221 | function & get($iNewThreadID) { |
| 218 | global $default; | 222 | global $default; |
| 219 | $sql = $default->db; | 223 | $sql = $default->db; |
| 220 | - $result = $sql->query("SELECT * FROM $default->discussion_threads_table WHERE id = $iNewThreadID"); | 224 | + $result = $sql->query(array("SELECT * FROM $default->discussion_threads_table WHERE id = ?", $iNewThreadID));/*ok*/ |
| 221 | if ($result) { | 225 | if ($result) { |
| 222 | if ($sql->next_record()) { | 226 | if ($sql->next_record()) { |
| 223 | 227 | ||
| @@ -262,7 +266,7 @@ class DiscussionThread extends KTEntity{ | @@ -262,7 +266,7 @@ class DiscussionThread extends KTEntity{ | ||
| 262 | if ($this->iId > 0) { | 266 | if ($this->iId > 0) { |
| 263 | //check to see if group is linked to a unit | 267 | //check to see if group is linked to a unit |
| 264 | $sql = $default->db; | 268 | $sql = $default->db; |
| 265 | - $query = "SELECT * FROM ". $default->discussion_threads_table ." WHERE id = " . $this->iId ; | 269 | + $query = array("SELECT * FROM ". $default->discussion_threads_table ." WHERE id = ?", $this->iId);/*ok*/ |
| 266 | $sql->query($query); | 270 | $sql->query($query); |
| 267 | $rows = $sql->num_rows($sql); | 271 | $rows = $sql->num_rows($sql); |
| 268 | 272 |
lib/documentmanagement/DependantDocumentInstance.inc
| @@ -141,7 +141,7 @@ class DependantDocumentInstance extends KTEntity { | @@ -141,7 +141,7 @@ class DependantDocumentInstance extends KTEntity { | ||
| 141 | function & get($iDependantDocumentID) { | 141 | function & get($iDependantDocumentID) { |
| 142 | global $default; | 142 | global $default; |
| 143 | $sql = $default->db; | 143 | $sql = $default->db; |
| 144 | - $result = $sql->query("SELECT * FROM $default->dependant_document_instance_table WHERE id = $iDependantDocumentID"); | 144 | + $result = $sql->query(array("SELECT * FROM $default->dependant_document_instance_table WHERE id = ?", $iDependantDocumentID));/*ok*/ |
| 145 | if ($result) { | 145 | if ($result) { |
| 146 | if ($sql->next_record()) { | 146 | if ($sql->next_record()) { |
| 147 | $oDependantDocument = & new DependantDocumentInstance($sql->f("document_title"), $sql->f("user_id"), $sql->f("template_document_id"), $sql->f("parent_document_id")); | 147 | $oDependantDocument = & new DependantDocumentInstance($sql->f("document_title"), $sql->f("user_id"), $sql->f("template_document_id"), $sql->f("parent_document_id")); |
lib/documentmanagement/DependantDocumentTemplate.inc
| @@ -149,7 +149,7 @@ class DependantDocumentTemplate extends KTEntity { | @@ -149,7 +149,7 @@ class DependantDocumentTemplate extends KTEntity { | ||
| 149 | function & get($iDependantDocumentID) { | 149 | function & get($iDependantDocumentID) { |
| 150 | global $default; | 150 | global $default; |
| 151 | $sql = $default->db; | 151 | $sql = $default->db; |
| 152 | - $result = $sql->query("SELECT * FROM $default->dependant_document_template_table WHERE id = $iDependantDocumentID"); | 152 | + $result = $sql->query(array("SELECT * FROM $default->dependant_document_template_table WHERE id = ?", $iDependantDocumentID));/*ok*/ |
| 153 | if ($result) { | 153 | if ($result) { |
| 154 | if ($sql->next_record()) { | 154 | if ($sql->next_record()) { |
| 155 | $DependantDocumentTemplate = & new DependantDocumentTemplate($sql->f("document_title"), $sql->f("default_user_id"), $sql->f("group_folder_approval_link_id"), $sql->f("template_document_id")); | 155 | $DependantDocumentTemplate = & new DependantDocumentTemplate($sql->f("document_title"), $sql->f("default_user_id"), $sql->f("group_folder_approval_link_id"), $sql->f("template_document_id")); |
| @@ -177,7 +177,7 @@ class DependantDocumentTemplate extends KTEntity { | @@ -177,7 +177,7 @@ class DependantDocumentTemplate extends KTEntity { | ||
| 177 | $aDependantDocumentTemplateArray = array(); | 177 | $aDependantDocumentTemplateArray = array(); |
| 178 | $sql = $default->db; | 178 | $sql = $default->db; |
| 179 | // TODO: join on sys_deleted | 179 | // TODO: join on sys_deleted |
| 180 | - $result = $sql->query("SELECT * FROM " . $default->dependant_document_template_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 180 | + $result = $sql->query("SELECT * FROM " . $default->dependant_document_template_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/ |
| 181 | if ($result) { | 181 | if ($result) { |
| 182 | $iCount = 0; | 182 | $iCount = 0; |
| 183 | while ($sql->next_record()) { | 183 | while ($sql->next_record()) { |
lib/documentmanagement/Document.inc
| @@ -286,7 +286,7 @@ class Document extends KTEntity { | @@ -286,7 +286,7 @@ class Document extends KTEntity { | ||
| 286 | //if the folder is not the root folder | 286 | //if the folder is not the root folder |
| 287 | if ($iFolderID != 0) { | 287 | if ($iFolderID != 0) { |
| 288 | $sql = $default->db; | 288 | $sql = $default->db; |
| 289 | - $sql->query("SELECT parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID)); | 289 | + $sql->query(array("SELECT parent_id FROM $default->folders_table WHERE ID = ?", $iFolderID));/*ok*/ |
| 290 | $sql->next_record(); | 290 | $sql->next_record(); |
| 291 | return $this->generateParentFolderIDS($sql->f("parent_id")) . ",$iFolderID"; | 291 | return $this->generateParentFolderIDS($sql->f("parent_id")) . ",$iFolderID"; |
| 292 | } | 292 | } |
| @@ -314,7 +314,7 @@ class Document extends KTEntity { | @@ -314,7 +314,7 @@ class Document extends KTEntity { | ||
| 314 | //if the folder is not the root folder | 314 | //if the folder is not the root folder |
| 315 | if ($iFolderID != 0) { | 315 | if ($iFolderID != 0) { |
| 316 | $sql = $default->db; | 316 | $sql = $default->db; |
| 317 | - $sql->query("SELECT name, parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID)); | 317 | + $sql->query(array("SELECT name, parent_id FROM $default->folders_table WHERE ID = ?", $iFolderID));/*ok*/ |
| 318 | $sql->next_record(); | 318 | $sql->next_record(); |
| 319 | return $this->generateFullFolderPath($sql->f("parent_id")) . "/" . $sql->f("name"); | 319 | return $this->generateFullFolderPath($sql->f("parent_id")) . "/" . $sql->f("name"); |
| 320 | } | 320 | } |
| @@ -382,12 +382,12 @@ class Document extends KTEntity { | @@ -382,12 +382,12 @@ class Document extends KTEntity { | ||
| 382 | $sql = $default->db; | 382 | $sql = $default->db; |
| 383 | 383 | ||
| 384 | // group permissions | 384 | // group permissions |
| 385 | - $sGroupPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " . | ||
| 386 | - "SELECT UGL.user_id AS user_id, D.id AS document_id " . | 385 | + $sGroupPerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " . |
| 386 | + "SELECT UGL.user_id AS user_id, D.id AS document_id " ./*ok*/ | ||
| 387 | "FROM $default->documents_table AS D INNER JOIN folders AS F ON D.folder_id = F.id " . | 387 | "FROM $default->documents_table AS D INNER JOIN folders AS F ON D.folder_id = F.id " . |
| 388 | "INNER JOIN $default->groups_folders_table AS GFL ON GFL.folder_id = F.id " . | 388 | "INNER JOIN $default->groups_folders_table AS GFL ON GFL.folder_id = F.id " . |
| 389 | "INNER JOIN $default->users_groups_table AS UGL ON UGL.group_id = GFL.group_id " . | 389 | "INNER JOIN $default->users_groups_table AS UGL ON UGL.group_id = GFL.group_id " . |
| 390 | - "WHERE D.id=" . quote($this->iId); | 390 | + "WHERE D.id = ?", $this->iId); |
| 391 | $default->log->debug("addDocument groupPerms=$sGroupPerms"); | 391 | $default->log->debug("addDocument groupPerms=$sGroupPerms"); |
| 392 | if ($sql->query($sGroupPerms)) { | 392 | if ($sql->query($sGroupPerms)) { |
| 393 | $default->log->debug("groupPerms succeeded"); | 393 | $default->log->debug("groupPerms succeeded"); |
| @@ -395,10 +395,10 @@ class Document extends KTEntity { | @@ -395,10 +395,10 @@ class Document extends KTEntity { | ||
| 395 | $default->log->error("groupPerms failed"); | 395 | $default->log->error("groupPerms failed"); |
| 396 | } | 396 | } |
| 397 | // role permissions | 397 | // role permissions |
| 398 | - $sRolePerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " . | ||
| 399 | - "SELECT user_id, document_id " . | 398 | + $sRolePerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " . |
| 399 | + "SELECT user_id, document_id " ./*ok*/ | ||
| 400 | "FROM $default->folders_user_roles_table " . | 400 | "FROM $default->folders_user_roles_table " . |
| 401 | - "WHERE document_id=" . quote($this->iId); | 401 | + "WHERE document_id = ?", $this->iId); |
| 402 | $default->log->info("addDocument rolePerms=$sRolePerms"); | 402 | $default->log->info("addDocument rolePerms=$sRolePerms"); |
| 403 | if ($sql->query($sRolePerms)) { | 403 | if ($sql->query($sRolePerms)) { |
| 404 | $default->log->debug("rolePerms succeeded"); | 404 | $default->log->debug("rolePerms succeeded"); |
| @@ -407,11 +407,11 @@ class Document extends KTEntity { | @@ -407,11 +407,11 @@ class Document extends KTEntity { | ||
| 407 | } | 407 | } |
| 408 | 408 | ||
| 409 | // public folders | 409 | // public folders |
| 410 | - $sPublicFolderPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " . | ||
| 411 | - "SELECT U.id, D.id " . | 410 | + $sPublicFolderPerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " . |
| 411 | + "SELECT U.id, D.id " . /*ok*/ | ||
| 412 | "FROM $default->users_table AS U, $default->documents_table AS D INNER JOIN $default->folders_table AS F ON D.folder_id = F.id " . | 412 | "FROM $default->users_table AS U, $default->documents_table AS D INNER JOIN $default->folders_table AS F ON D.folder_id = F.id " . |
| 413 | "WHERE F.is_public = 1 " . | 413 | "WHERE F.is_public = 1 " . |
| 414 | - "AND D.id=" . quote($this->iId); | 414 | + "AND D.id = ?", $this->iId); |
| 415 | $default->log->debug("addDocument publicFolder=$sPublicFolderPerms"); | 415 | $default->log->debug("addDocument publicFolder=$sPublicFolderPerms"); |
| 416 | if ($sql->query($sPublicFolderPerms)) { | 416 | if ($sql->query($sPublicFolderPerms)) { |
| 417 | $default->log->debug("publicFolder succeeded"); | 417 | $default->log->debug("publicFolder succeeded"); |
| @@ -420,10 +420,10 @@ class Document extends KTEntity { | @@ -420,10 +420,10 @@ class Document extends KTEntity { | ||
| 420 | } | 420 | } |
| 421 | 421 | ||
| 422 | // creator permissions | 422 | // creator permissions |
| 423 | - $sCreatorPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " . | ||
| 424 | - "SELECT creator_id, id " . | 423 | + $sCreatorPerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " . |
| 424 | + "SELECT creator_id, id " ./*ok*/ | ||
| 425 | "FROM $default->documents_table " . | 425 | "FROM $default->documents_table " . |
| 426 | - "WHERE id=" . quote($this->iId); | 426 | + "WHERE id = ?", $this->iId); |
| 427 | $default->log->debug("addDocument creatorPerms=$sCreatorPerms"); | 427 | $default->log->debug("addDocument creatorPerms=$sCreatorPerms"); |
| 428 | if ($sql->query($sCreatorPerms)) { | 428 | if ($sql->query($sCreatorPerms)) { |
| 429 | $default->log->debug("creatorPerms succeeded"); | 429 | $default->log->debug("creatorPerms succeeded"); |
| @@ -439,11 +439,11 @@ class Document extends KTEntity { | @@ -439,11 +439,11 @@ class Document extends KTEntity { | ||
| 439 | function beginCollaborationProcess() { | 439 | function beginCollaborationProcess() { |
| 440 | global $default; | 440 | global $default; |
| 441 | //get the steps in this document's collaboration process | 441 | //get the steps in this document's collaboration process |
| 442 | - $sQuery = "SELECT FURL.id, GFAL.precedence " . | 442 | + $sQuery = array("SELECT FURL.id, GFAL.precedence " ./*ok*/ |
| 443 | "FROM $default->folders_user_roles_table AS FURL " . | 443 | "FROM $default->folders_user_roles_table AS FURL " . |
| 444 | "INNER JOIN $default->groups_folders_approval_table AS GFAL ON FURL.group_folder_approval_id = GFAL.id " . | 444 | "INNER JOIN $default->groups_folders_approval_table AS GFAL ON FURL.group_folder_approval_id = GFAL.id " . |
| 445 | - "WHERE document_id = " . quote($this->iId) . " " . | ||
| 446 | - "ORDER BY GFAL.precedence ASC"; | 445 | + "WHERE document_id = ? " . |
| 446 | + "ORDER BY GFAL.precedence ASC", $this->iId); | ||
| 447 | $sql = $default->db; | 447 | $sql = $default->db; |
| 448 | $sql->query($sQuery); | 448 | $sql->query($sQuery); |
| 449 | if ($sql->next_record()) { | 449 | if ($sql->next_record()) { |
| @@ -498,12 +498,12 @@ class Document extends KTEntity { | @@ -498,12 +498,12 @@ class Document extends KTEntity { | ||
| 498 | //get the current step | 498 | //get the current step |
| 499 | //if the user is assinged to two or more roles, make sure we get the current | 499 | //if the user is assinged to two or more roles, make sure we get the current |
| 500 | //one by ordering by precedence | 500 | //one by ordering by precedence |
| 501 | - $sql->query("SELECT FURL.id AS id, GFAT.precedence " . | 501 | + $sql->query(array("SELECT FURL.id AS id, GFAT.precedence " ./*ok*/ |
| 502 | "FROM $default->groups_folders_approval_table AS GFAT " . | 502 | "FROM $default->groups_folders_approval_table AS GFAT " . |
| 503 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . | 503 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . |
| 504 | - "WHERE document_id = $this->iId AND FURL.user_id = " . quote($_SESSION["userID"]) . " " . | 504 | + "WHERE document_id = ? AND FURL.user_id = ? " . |
| 505 | "AND done = 0 " . | 505 | "AND done = 0 " . |
| 506 | - "ORDER BY precedence ASC"); | 506 | + "ORDER BY precedence ASC", array($this->iId, $_SESSION["userID"]))); |
| 507 | if ($sql->next_record()) { | 507 | if ($sql->next_record()) { |
| 508 | //set it as done | 508 | //set it as done |
| 509 | $oFolderUserRole = FolderUserRole::get($sql->f("id")); | 509 | $oFolderUserRole = FolderUserRole::get($sql->f("id")); |
| @@ -527,7 +527,7 @@ class Document extends KTEntity { | @@ -527,7 +527,7 @@ class Document extends KTEntity { | ||
| 527 | global $default, $lang_err_doc_not_exist; | 527 | global $default, $lang_err_doc_not_exist; |
| 528 | if (strlen($iDocumentID) > 0) { | 528 | if (strlen($iDocumentID) > 0) { |
| 529 | $sql = $default->db; | 529 | $sql = $default->db; |
| 530 | - $sql->query("SELECT * FROM $default->documents_table WHERE id = " . quote($iDocumentID)); | 530 | + $sql->query(array("SELECT * FROM $default->documents_table WHERE id = ?", $iDocumentID));/*ok*/ |
| 531 | if ($sql->next_record()) { | 531 | if ($sql->next_record()) { |
| 532 | $oDocument = & new Document($sql->f("name"), $sql->f("filename"), $sql->f("size"), $sql->f("creator_id"), $sql->f("mime_id"), $sql->f("folder_id"), $sql->f("description")); | 532 | $oDocument = & new Document($sql->f("name"), $sql->f("filename"), $sql->f("size"), $sql->f("creator_id"), $sql->f("mime_id"), $sql->f("folder_id"), $sql->f("description")); |
| 533 | $oDocument->setDocumentTypeID($sql->f("document_type_id")); | 533 | $oDocument->setDocumentTypeID($sql->f("document_type_id")); |
| @@ -562,7 +562,7 @@ class Document extends KTEntity { | @@ -562,7 +562,7 @@ class Document extends KTEntity { | ||
| 562 | $aDocumentArray; | 562 | $aDocumentArray; |
| 563 | settype($aDocumentArray, "array"); | 563 | settype($aDocumentArray, "array"); |
| 564 | $sql = $default->db; | 564 | $sql = $default->db; |
| 565 | - $result = $sql->query("SELECT * FROM " . $default->documents_table . | 565 | + $result = $sql->query("SELECT * FROM " . $default->documents_table . /*wc*/ |
| 566 | (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); | 566 | (isset($sWhereClause) ? " WHERE " . $sWhereClause : "")); |
| 567 | if ($result) { | 567 | if ($result) { |
| 568 | $iCount = 0; | 568 | $iCount = 0; |
| @@ -589,11 +589,11 @@ class Document extends KTEntity { | @@ -589,11 +589,11 @@ class Document extends KTEntity { | ||
| 589 | $aDocumentFieldArray; | 589 | $aDocumentFieldArray; |
| 590 | settype($aDocumentFieldArray,"array"); | 590 | settype($aDocumentFieldArray,"array"); |
| 591 | $sql = $default->db; | 591 | $sql = $default->db; |
| 592 | - $result = $sql->query("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type " . | 592 | + $result = $sql->query(array("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type " ./*ok*/ |
| 593 | "FROM $default->document_fields_table AS DF " . | 593 | "FROM $default->document_fields_table AS DF " . |
| 594 | "INNER JOIN $default->document_type_fields_table AS DTFL ON DF.id = DTFL.field_id " . | 594 | "INNER JOIN $default->document_type_fields_table AS DTFL ON DF.id = DTFL.field_id " . |
| 595 | - "WHERE DTFL.document_type_id = " . quote($iDocumentTypeID) . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") . | ||
| 596 | - "ORDER BY DF.name ASC"); | 595 | + "WHERE DTFL.document_type_id = ? " . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") . |
| 596 | + "ORDER BY DF.name ASC", $iDocumentTypeID)); | ||
| 597 | if ($result) { | 597 | if ($result) { |
| 598 | $iCount = 0; | 598 | $iCount = 0; |
| 599 | while ($sql->next_record()) { | 599 | while ($sql->next_record()) { |
| @@ -619,9 +619,9 @@ class Document extends KTEntity { | @@ -619,9 +619,9 @@ class Document extends KTEntity { | ||
| 619 | global $default, $lang_err_database; | 619 | global $default, $lang_err_database; |
| 620 | $aDocumentHistory = array(); | 620 | $aDocumentHistory = array(); |
| 621 | $sql = $default->db; | 621 | $sql = $default->db; |
| 622 | - $result = $sql->query("SELECT * FROM " . $default->document_transactions_table . " " . | ||
| 623 | - "WHERE document_id = " . quote($this->iId) . " " . | ||
| 624 | - "ORDER BY datetime DESC"); | 622 | + $result = $sql->query(array("SELECT * FROM " . $default->document_transactions_table . " " ./*ok*/ |
| 623 | + "WHERE document_id = ? " . | ||
| 624 | + "ORDER BY datetime DESC", $this->iId)); | ||
| 625 | if ($result) { | 625 | if ($result) { |
| 626 | $iCount = 0; | 626 | $iCount = 0; |
| 627 | while($sql->next_record()) { | 627 | while($sql->next_record()) { |
| @@ -695,10 +695,11 @@ class Document extends KTEntity { | @@ -695,10 +695,11 @@ class Document extends KTEntity { | ||
| 695 | function documentExists($sFileName, $iFolderID) { | 695 | function documentExists($sFileName, $iFolderID) { |
| 696 | global $default; | 696 | global $default; |
| 697 | $sql = $default->db; | 697 | $sql = $default->db; |
| 698 | - $sQuery = "SELECT * FROM $default->documents_table " . | ||
| 699 | - "WHERE filename = " . quote($sFileName) . | ||
| 700 | - " AND folder_id = " . quote($iFolderID) . | ||
| 701 | - " AND status_id = " . LIVE; | 698 | + $sQuery = "SELECT * FROM $default->documents_table " ./*ok*/ |
| 699 | + "WHERE filename = ? " . | ||
| 700 | + " AND folder_id = ?" . | ||
| 701 | + " AND status_id = ?"; | ||
| 702 | + $aParams = array($sFileName, $iFolderID, LIVE); | ||
| 702 | $sql->query($sQuery); | 703 | $sql->query($sQuery); |
| 703 | if ($sql->next_record()) { | 704 | if ($sql->next_record()) { |
| 704 | return true; | 705 | return true; |
| @@ -716,8 +717,8 @@ class Document extends KTEntity { | @@ -716,8 +717,8 @@ class Document extends KTEntity { | ||
| 716 | global $default, $lang_err_database, $lang_err_doc_not_exist; | 717 | global $default, $lang_err_database, $lang_err_doc_not_exist; |
| 717 | $sql = $default->db; | 718 | $sql = $default->db; |
| 718 | 719 | ||
| 719 | - if ($sql->query("SELECT name FROM $default->documents_table " . | ||
| 720 | - "WHERE id = " . quote($iDocumentID))) { | 720 | + if ($sql->query(array("SELECT name FROM $default->documents_table " ./*ok*/ |
| 721 | + "WHERE id = ?", $iDocumentID))) { | ||
| 721 | if ($sql->next_record()) { | 722 | if ($sql->next_record()) { |
| 722 | return $sql->f("name"); | 723 | return $sql->f("name"); |
| 723 | } | 724 | } |
| @@ -746,11 +747,11 @@ class Document extends KTEntity { | @@ -746,11 +747,11 @@ class Document extends KTEntity { | ||
| 746 | function documentIsAssignedDocTypeInFolder($iFolderID, $iFolderDocTypeID) { | 747 | function documentIsAssignedDocTypeInFolder($iFolderID, $iFolderDocTypeID) { |
| 747 | global $default; | 748 | global $default; |
| 748 | $sql = $default->db; | 749 | $sql = $default->db; |
| 749 | - $sql->query("SELECT * " . | 750 | + $sql->query(array("SELECT * " . /*ok*/ |
| 750 | "FROM $default->folder_doctypes_table AS FDL " . | 751 | "FROM $default->folder_doctypes_table AS FDL " . |
| 751 | "INNER JOIN $default->documents_table AS D ON D.document_type_id = FDL.document_type_id " . | 752 | "INNER JOIN $default->documents_table AS D ON D.document_type_id = FDL.document_type_id " . |
| 752 | - "WHERE FDL.id = " . quote($iFolderDocTypeID) . " " . | ||
| 753 | - "AND D.folder_id = " . quote($iFolderID)); | 753 | + "WHERE FDL.id = ? " . |
| 754 | + "AND D.folder_id = ?", array($iFolderDocTypeID, $iFolderID))); | ||
| 754 | if ($sql->next_record()) { | 755 | if ($sql->next_record()) { |
| 755 | return true; | 756 | return true; |
| 756 | } | 757 | } |
| @@ -763,10 +764,10 @@ class Document extends KTEntity { | @@ -763,10 +764,10 @@ class Document extends KTEntity { | ||
| 763 | */ | 764 | */ |
| 764 | function removeInvalidDocumentTypeEntries() { | 765 | function removeInvalidDocumentTypeEntries() { |
| 765 | global $default; | 766 | global $default; |
| 766 | - $sQuery = "SELECT field_id FROM $default->document_type_fields_table DTFL " . | 767 | + $sQuery = array("SELECT field_id FROM $default->document_type_fields_table DTFL " . /*ok*/ |
| 767 | "INNER JOIN $default->document_fields_table AS DF ON DF.id = DTFL.field_id " . | 768 | "INNER JOIN $default->document_fields_table AS DF ON DF.id = DTFL.field_id " . |
| 768 | - "WHERE DTFL.document_type_id = " . quote($this->iDocumentTypeID) . " " . | ||
| 769 | - "AND DF.is_generic = 0"; | 769 | + "WHERE DTFL.document_type_id = ? " . |
| 770 | + "AND DF.is_generic = 0", $this->iDocumentTypeID); | ||
| 770 | $sql = $default->db; | 771 | $sql = $default->db; |
| 771 | $sql->query($sQuery); | 772 | $sql->query($sQuery); |
| 772 | $aFieldIDs = array(); | 773 | $aFieldIDs = array(); |
| @@ -798,7 +799,7 @@ class Document extends KTEntity { | @@ -798,7 +799,7 @@ class Document extends KTEntity { | ||
| 798 | function hasCollaboration() { | 799 | function hasCollaboration() { |
| 799 | global $default; | 800 | global $default; |
| 800 | $sql = $default->db; | 801 | $sql = $default->db; |
| 801 | - $sql->query("SELECT id AS count from $default->groups_folders_approval_table WHERE folder_id = $this->iFolderID"); | 802 | + $sql->query(array("SELECT id AS count from $default->groups_folders_approval_table WHERE folder_id = ?", $this->iFolderID));/*ok*/ |
| 802 | if ($sql->next_record()) { | 803 | if ($sql->next_record()) { |
| 803 | return true; | 804 | return true; |
| 804 | } | 805 | } |
lib/documentmanagement/DocumentCollaboration.inc
| @@ -34,7 +34,9 @@ class DocumentCollaboration { | @@ -34,7 +34,9 @@ class DocumentCollaboration { | ||
| 34 | function documentCollaborationStarted($iDocumentID) { | 34 | function documentCollaborationStarted($iDocumentID) { |
| 35 | global $default; | 35 | global $default; |
| 36 | $sql = $default->db; | 36 | $sql = $default->db; |
| 37 | - $sql->query("SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND (active = 1 OR done = 1)"); | 37 | + $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = ? AND (active = 1 OR done = 1)";/*ok*/ |
| 38 | + $aParams = array($iDocumentID); | ||
| 39 | + $sql->query(array($sQuery, $aParams)); | ||
| 38 | if ($sql->next_record()) { | 40 | if ($sql->next_record()) { |
| 39 | return true; | 41 | return true; |
| 40 | } | 42 | } |
| @@ -44,7 +46,9 @@ class DocumentCollaboration { | @@ -44,7 +46,9 @@ class DocumentCollaboration { | ||
| 44 | function documentCollaborationDone($iDocumentID) { | 46 | function documentCollaborationDone($iDocumentID) { |
| 45 | global $default; | 47 | global $default; |
| 46 | $sql = $default->db; | 48 | $sql = $default->db; |
| 47 | - $sql->query("SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND done = 0"); | 49 | + $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = ? AND done = 0";/*ok*/ |
| 50 | + $aParams = array($iDocumentID); | ||
| 51 | + $sql->query(array($sQuery, $aParams)); | ||
| 48 | if ($sql->num_rows() > 0) { | 52 | if ($sql->num_rows() > 0) { |
| 49 | return false; | 53 | return false; |
| 50 | } else { | 54 | } else { |
| @@ -60,7 +64,9 @@ class DocumentCollaboration { | @@ -60,7 +64,9 @@ class DocumentCollaboration { | ||
| 60 | function userIsPerformingCurrentCollaborationStep($iDocumentID) { | 64 | function userIsPerformingCurrentCollaborationStep($iDocumentID) { |
| 61 | global $default; | 65 | global $default; |
| 62 | $sql = $default->db; | 66 | $sql = $default->db; |
| 63 | - $sql->query("SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND active = 1 AND user_id = " . $_SESSION["userID"]); | 67 | + $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = ? AND active = 1 AND user_id = ?";/*ok*/ |
| 68 | + $aParams = array($iDocumentID, $_SESSION["userID"]); | ||
| 69 | + $sql->query(array($sQuery, $aParams)); | ||
| 64 | if ($sql->next_record()) { | 70 | if ($sql->next_record()) { |
| 65 | return true; | 71 | return true; |
| 66 | } | 72 | } |
| @@ -98,7 +104,7 @@ class DocumentCollaboration { | @@ -98,7 +104,7 @@ class DocumentCollaboration { | ||
| 98 | function isLastStepInCollaborationProcess($iDocumentID) { | 104 | function isLastStepInCollaborationProcess($iDocumentID) { |
| 99 | global $default; | 105 | global $default; |
| 100 | $sql = $default->db; | 106 | $sql = $default->db; |
| 101 | - $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND done = 0"; | 107 | + $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND done = 0";/*ok*/ |
| 102 | $sql->query($sQuery); | 108 | $sql->query($sQuery); |
| 103 | $default->log->info("lastCollabStep:$sQuery"); | 109 | $default->log->info("lastCollabStep:$sQuery"); |
| 104 | if ($sql->num_rows() > 1) { | 110 | if ($sql->num_rows() > 1) { |
| @@ -116,11 +122,12 @@ class DocumentCollaboration { | @@ -116,11 +122,12 @@ class DocumentCollaboration { | ||
| 116 | global $default; | 122 | global $default; |
| 117 | $sql = $default->db; | 123 | $sql = $default->db; |
| 118 | // returns all users, the sequence of their collaboration and the time of completion | 124 | // returns all users, the sequence of their collaboration and the time of completion |
| 119 | - $sQuery = "SELECT FURL.user_id, FURL.datetime, GFAL.precedence FROM $default->folders_user_roles_table FURL " . | 125 | + $sQuery = "SELECT FURL.user_id, FURL.datetime, GFAL.precedence FROM $default->folders_user_roles_table FURL " ./*ok*/ |
| 120 | "INNER JOIN $default->groups_folders_approval_table GFAL ON FURL.group_folder_approval_id = GFAL.id " . | 126 | "INNER JOIN $default->groups_folders_approval_table GFAL ON FURL.group_folder_approval_id = GFAL.id " . |
| 121 | - "WHERE FURL.document_id = $iDocumentID " . | 127 | + "WHERE FURL.document_id = ? " . |
| 122 | "ORDER BY GFAL.precedence"; | 128 | "ORDER BY GFAL.precedence"; |
| 123 | - $sql->query($sQuery); | 129 | + $aParams = array($iDocumentID); |
| 130 | + $sql->query(array($sQuery, $aParams)); | ||
| 124 | $iPrecedence = -1; | 131 | $iPrecedence = -1; |
| 125 | $iDateTime = 0; | 132 | $iDateTime = 0; |
| 126 | $iUserID = -1; | 133 | $iUserID = -1; |
| @@ -148,11 +155,13 @@ class DocumentCollaboration { | @@ -148,11 +155,13 @@ class DocumentCollaboration { | ||
| 148 | //get the current step | 155 | //get the current step |
| 149 | //if the user is assigned to two or more roles, make sure we get the current | 156 | //if the user is assigned to two or more roles, make sure we get the current |
| 150 | //one by ordering by precedence | 157 | //one by ordering by precedence |
| 151 | - $sql->query("SELECT FURL.id AS id, GFAT.precedence " . | 158 | + $sQuery = "SELECT FURL.id AS id, GFAT.precedence " ./*ok*/ |
| 152 | "FROM $default->groups_folders_approval_table AS GFAT " . | 159 | "FROM $default->groups_folders_approval_table AS GFAT " . |
| 153 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . | 160 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . |
| 154 | - "WHERE document_id = $iDocumentID AND FURL.user_id = " . $_SESSION["userID"] . " AND done=0 " . | ||
| 155 | - "ORDER BY precedence ASC"); | 161 | + "WHERE document_id = ? AND FURL.user_id = ? AND done=0 " . |
| 162 | + "ORDER BY precedence ASC"; | ||
| 163 | + $aParams = array($iDocumentID, $_SESSION["userID"]); | ||
| 164 | + $sql->query(array($sQuery, $aParams)); | ||
| 156 | if ($sql->next_record()) { | 165 | if ($sql->next_record()) { |
| 157 | //set it as done | 166 | //set it as done |
| 158 | $oFolderUserRole = FolderUserRole::get($sql->f("id")); | 167 | $oFolderUserRole = FolderUserRole::get($sql->f("id")); |
| @@ -162,18 +171,22 @@ class DocumentCollaboration { | @@ -162,18 +171,22 @@ class DocumentCollaboration { | ||
| 162 | $oFolderUserRole->update(); | 171 | $oFolderUserRole->update(); |
| 163 | //get it's sequence number | 172 | //get it's sequence number |
| 164 | $iCurrentSequenceNumber = $sql->f("precedence"); | 173 | $iCurrentSequenceNumber = $sql->f("precedence"); |
| 165 | - $sql->query("SELECT MIN(precedence) AS precedence " . | 174 | + $sQuery = "SELECT MIN(precedence) AS precedence " . /*ok*/ |
| 166 | "FROM $default->groups_folders_approval_table AS GFAT " . | 175 | "FROM $default->groups_folders_approval_table AS GFAT " . |
| 167 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . | 176 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . |
| 168 | - "WHERE document_id = $iDocumentID AND done = 0"); | 177 | + "WHERE document_id = ? AND done = 0"; |
| 178 | + $aParams = array($iDocumentID); | ||
| 179 | + $sql->query(array($sQuery, $aParams)); | ||
| 169 | if ($sql->next_record()) { | 180 | if ($sql->next_record()) { |
| 170 | if ($sql->f("precedence") != $iCurrentSequenceNumber) { | 181 | if ($sql->f("precedence") != $iCurrentSequenceNumber) { |
| 171 | //if there are no concurrent steps outstanding | 182 | //if there are no concurrent steps outstanding |
| 172 | $iNextSequenceNumber = $sql->f("precedence"); | 183 | $iNextSequenceNumber = $sql->f("precedence"); |
| 173 | - $sql->query("SELECT FURL.id " . | 184 | + $sQuery = "SELECT FURL.id " ./*ok*/ |
| 174 | "FROM $default->groups_folders_approval_table AS GFAT " . | 185 | "FROM $default->groups_folders_approval_table AS GFAT " . |
| 175 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . | 186 | "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . |
| 176 | - "WHERE document_id = $iDocumentID AND precedence = $iNextSequenceNumber"); | 187 | + "WHERE document_id = ? AND precedence = ?"; |
| 188 | + $aParams = array($iDocumentID, $iNextSequenceNumber); | ||
| 189 | + $sql->query(array($sQuery, $aParams)); | ||
| 177 | while ($sql->next_record()) { | 190 | while ($sql->next_record()) { |
| 178 | $oFolderUserRole = FolderUserRole::get($sql->f("id")); | 191 | $oFolderUserRole = FolderUserRole::get($sql->f("id")); |
| 179 | $oFolderUserRole->setActive(true); | 192 | $oFolderUserRole->setActive(true); |
| @@ -212,9 +225,10 @@ class DocumentCollaboration { | @@ -212,9 +225,10 @@ class DocumentCollaboration { | ||
| 212 | global $default; | 225 | global $default; |
| 213 | //only create the documents if they haven't been created | 226 | //only create the documents if they haven't been created |
| 214 | if ($oFolderUserRole->getDependantDocumentsCreated() == false) { | 227 | if ($oFolderUserRole->getDependantDocumentsCreated() == false) { |
| 215 | - $sQuery = "SELECT * FROM $default->dependant_document_template_table WHERE group_folder_approval_link_id = " . $oFolderUserRole->getGroupFolderApprovalID(); | 228 | + $sQuery = "SELECT * FROM $default->dependant_document_template_table WHERE group_folder_approval_link_id = ?";/*ok*/ |
| 229 | + $aParams = array($oFolderUserRole->getGroupFolderApprovalID()); | ||
| 216 | $sql = $default->db; | 230 | $sql = $default->db; |
| 217 | - $sql->query($sQuery); | 231 | + $sql->query(array($sQuery, $aParams)); |
| 218 | while ($sql->next_record()) { | 232 | while ($sql->next_record()) { |
| 219 | $oDependantDocumentInstance = & new DependantDocumentInstance($sql->f("document_title"), $sql->f("default_user_id"), $sql->f("template_document_id"), $oFolderUserRole->getDocumentID()); | 233 | $oDependantDocumentInstance = & new DependantDocumentInstance($sql->f("document_title"), $sql->f("default_user_id"), $sql->f("template_document_id"), $oFolderUserRole->getDocumentID()); |
| 220 | if ($oDependantDocumentInstance->create()) { | 234 | if ($oDependantDocumentInstance->create()) { |
| @@ -255,16 +269,17 @@ class DocumentCollaboration { | @@ -255,16 +269,17 @@ class DocumentCollaboration { | ||
| 255 | function rollbackCollaborationStep($iDocumentID, $sComment = "") { | 269 | function rollbackCollaborationStep($iDocumentID, $sComment = "") { |
| 256 | global $default; | 270 | global $default; |
| 257 | //get the current sequence number | 271 | //get the current sequence number |
| 258 | - $sQuery = "SELECT GFAT.precedence, GFAT.folder_id, FURL.id AS furl_id, FURL.document_id AS document_id " . | 272 | + $sQuery = "SELECT GFAT.precedence, GFAT.folder_id, FURL.id AS furl_id, FURL.document_id AS document_id " . /*ok*/ |
| 259 | "FROM $default->folders_user_roles_table AS FURL " . | 273 | "FROM $default->folders_user_roles_table AS FURL " . |
| 260 | "INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " . | 274 | "INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " . |
| 261 | - "WHERE FURL.document_id = $iDocumentID " . | ||
| 262 | - "AND FURL.user_id = " . $_SESSION["userID"] . " " . | 275 | + "WHERE FURL.document_id = ? " . |
| 276 | + "AND FURL.user_id = ? " . | ||
| 263 | "AND FURL.active = 1 " . | 277 | "AND FURL.active = 1 " . |
| 264 | "ORDER BY GFAT.precedence ASC"; | 278 | "ORDER BY GFAT.precedence ASC"; |
| 279 | + $aParams = array($iDocumentID, $_SESSION["userID"]); | ||
| 265 | 280 | ||
| 266 | $sql = $default->db; | 281 | $sql = $default->db; |
| 267 | - $sql->query($sQuery); | 282 | + $sql->query(array($sQuery, $aParams)); |
| 268 | if ($sql->next_record()) { | 283 | if ($sql->next_record()) { |
| 269 | $iCurrentSequenceNumber = $sql->f("precedence"); | 284 | $iCurrentSequenceNumber = $sql->f("precedence"); |
| 270 | $iFolderID = $sql->f("folder_id"); | 285 | $iFolderID = $sql->f("folder_id"); |
| @@ -275,11 +290,12 @@ class DocumentCollaboration { | @@ -275,11 +290,12 @@ class DocumentCollaboration { | ||
| 275 | 290 | ||
| 276 | //if there are concurrent collaboration steps and one is rejected, then all | 291 | //if there are concurrent collaboration steps and one is rejected, then all |
| 277 | //must be rolled back, whether they were accepted or not | 292 | //must be rolled back, whether they were accepted or not |
| 278 | - $sQuery = "SELECT FURL.id, FURL.user_id " . | 293 | + $sQuery = "SELECT FURL.id, FURL.user_id " ./*ok*/ |
| 279 | "FROM $default->folders_user_roles_table AS FURL " . | 294 | "FROM $default->folders_user_roles_table AS FURL " . |
| 280 | "INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " . | 295 | "INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " . |
| 281 | - "WHERE FURL.document_id = $iDocumentID AND GFAT.precedence = $iCurrentSequenceNumber"; | ||
| 282 | - $sql->query($sQuery); | 296 | + "WHERE FURL.document_id = ? AND GFAT.precedence = ?"; |
| 297 | + $aParams = array($iDocumentID, $iCurrentSequenceNumber); | ||
| 298 | + $sql->query(array($sQuery, $aParams)); | ||
| 283 | 299 | ||
| 284 | while ($sql->next_record()) { | 300 | while ($sql->next_record()) { |
| 285 | //roll back each user's step and then email them to inform them | 301 | //roll back each user's step and then email them to inform them |
| @@ -311,11 +327,12 @@ class DocumentCollaboration { | @@ -311,11 +327,12 @@ class DocumentCollaboration { | ||
| 311 | } | 327 | } |
| 312 | 328 | ||
| 313 | //get the previous sequence number | 329 | //get the previous sequence number |
| 314 | - $sQuery = "SELECT COALESCE(MAX(precedence), -1) AS precedence " . | 330 | + $sQuery = "SELECT COALESCE(MAX(precedence), -1) AS precedence " ./*ok*/ |
| 315 | "FROM $default->groups_folders_approval_table AS GFAT " . | 331 | "FROM $default->groups_folders_approval_table AS GFAT " . |
| 316 | - "WHERE precedence < $iCurrentSequenceNumber"; | ||
| 317 | - "AND folder_id = $iFolderID"; | ||
| 318 | - $sql->query($sQuery); | 332 | + "WHERE precedence < ?"; |
| 333 | + "AND folder_id = ?"; | ||
| 334 | + $aParams = array($iCurrentSequenceNumber, $iFolderID); | ||
| 335 | + $sql->query(array($sQuery, $aParams)); | ||
| 319 | //there will always be a result in the result set | 336 | //there will always be a result in the result set |
| 320 | $sql->next_record(); | 337 | $sql->next_record(); |
| 321 | if ($sql->f("precedence") == -1) { | 338 | if ($sql->f("precedence") == -1) { |
| @@ -336,12 +353,13 @@ class DocumentCollaboration { | @@ -336,12 +353,13 @@ class DocumentCollaboration { | ||
| 336 | } | 353 | } |
| 337 | } else { | 354 | } else { |
| 338 | //there are steps prior to this step | 355 | //there are steps prior to this step |
| 339 | - $sQuery = "SELECT FURL.id AS furl_id " . | 356 | + $sQuery = "SELECT FURL.id AS furl_id " . /*ok*/ |
| 340 | "FROM $default->folders_user_roles_table AS FURL INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " . | 357 | "FROM $default->folders_user_roles_table AS FURL INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " . |
| 341 | - "WHERE FURL.document_id = $iDocumentID " . | ||
| 342 | - "AND GFAT.precedence = " . $sql->f("precedence"); | 358 | + "WHERE FURL.document_id = ? " . |
| 359 | + "AND GFAT.precedence = ?"; | ||
| 360 | + $aParams = array($iDocumentID, $sql->f("precedence")); | ||
| 343 | 361 | ||
| 344 | - $sql->query($sQuery); | 362 | + $sql->query(array($sQuery, $aParams)); |
| 345 | while ($sql->next_record()) { | 363 | while ($sql->next_record()) { |
| 346 | //reset all the previous steps and email the users | 364 | //reset all the previous steps and email the users |
| 347 | //to tell them to re-reperform their steps | 365 | //to tell them to re-reperform their steps |
| @@ -379,9 +397,10 @@ class DocumentCollaboration { | @@ -379,9 +397,10 @@ class DocumentCollaboration { | ||
| 379 | */ | 397 | */ |
| 380 | function documentIsPendingWebPublishing($iDocumentID) { | 398 | function documentIsPendingWebPublishing($iDocumentID) { |
| 381 | global $default; | 399 | global $default; |
| 382 | - $sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = $iDocumentID AND status_id = 1"; | 400 | + $sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = ? AND status_id = 1";/*ok*/ |
| 401 | + $aParams = array($iDocumentID); | ||
| 383 | $sql = $default->db; | 402 | $sql = $default->db; |
| 384 | - $sql->query($sQuery); | 403 | + $sql->query(array($sQuery, $aParams)); |
| 385 | if ($sql->next_record()) { | 404 | if ($sql->next_record()) { |
| 386 | return true;; | 405 | return true;; |
| 387 | } | 406 | } |
| @@ -393,9 +412,10 @@ class DocumentCollaboration { | @@ -393,9 +412,10 @@ class DocumentCollaboration { | ||
| 393 | */ | 412 | */ |
| 394 | function documentIsPublished($iDocumentID) { | 413 | function documentIsPublished($iDocumentID) { |
| 395 | global $default; | 414 | global $default; |
| 396 | - $sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = $iDocumentID AND status_id = 2"; | 415 | + $sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = ? AND status_id = 2";/*ok*/ |
| 416 | + $aParams = array($iDocumentID); | ||
| 397 | $sql = $default->db; | 417 | $sql = $default->db; |
| 398 | - $sql->query($sQuery); | 418 | + $sql->query(array($sQuery, $aParams)); |
| 399 | if ($sql->next_record()) { | 419 | if ($sql->next_record()) { |
| 400 | return true;; | 420 | return true;; |
| 401 | } | 421 | } |
| @@ -410,13 +430,13 @@ class DocumentCollaboration { | @@ -410,13 +430,13 @@ class DocumentCollaboration { | ||
| 410 | */ | 430 | */ |
| 411 | function notifyWebMaster($iDocumentID, $sComment) { | 431 | function notifyWebMaster($iDocumentID, $sComment) { |
| 412 | global $default; | 432 | global $default; |
| 413 | - $sQuery = "SELECT WS.web_master_id, WS.web_site_name, WS.web_site_url " . | 433 | + $sQuery = "SELECT WS.web_master_id, WS.web_site_name, WS.web_site_url " ./*ok*/ |
| 414 | "FROM $default->web_sites_table AS WS " . | 434 | "FROM $default->web_sites_table AS WS " . |
| 415 | "INNER JOIN $default->web_documents_table AS WD ON WS.id = WD.web_site_id " . | 435 | "INNER JOIN $default->web_documents_table AS WD ON WS.id = WD.web_site_id " . |
| 416 | - "WHERE WD.document_id = $iDocumentID"; | ||
| 417 | - | 436 | + "WHERE WD.document_id = ?"; |
| 437 | + $aParams = array($iDocumentID); | ||
| 418 | $sql = $default->db; | 438 | $sql = $default->db; |
| 419 | - $sql->query($sQuery); | 439 | + $sql->query(array($sQuery, $aParams)); |
| 420 | if ($sql->next_record()) { | 440 | if ($sql->next_record()) { |
| 421 | $oUser = User::get($sql->f("web_master_id")); | 441 | $oUser = User::get($sql->f("web_master_id")); |
| 422 | if (!($oUser === false)) { | 442 | if (!($oUser === false)) { |
lib/subscriptions/SubscriptionManager.inc
| @@ -88,8 +88,8 @@ class SubscriptionManager { | @@ -88,8 +88,8 @@ class SubscriptionManager { | ||
| 88 | global $default; | 88 | global $default; |
| 89 | 89 | ||
| 90 | $sql = $default->db; | 90 | $sql = $default->db; |
| 91 | - if ($sql->query("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) . " " . | ||
| 92 | - "WHERE " . Subscription::getIdFieldName($iSubscriptionType) . " = $iExternalID")) { | 91 | + if ($sql->query(array("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) . " " ./*ok*/ |
| 92 | + "WHERE " . Subscription::getIdFieldName($iSubscriptionType) . " = ?", $iExternalID))) { | ||
| 93 | $aSubscriptions = array(); | 93 | $aSubscriptions = array(); |
| 94 | while ($sql->next_record()) { | 94 | while ($sql->next_record()) { |
| 95 | $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType); | 95 | $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType); |
| @@ -150,8 +150,8 @@ class SubscriptionManager { | @@ -150,8 +150,8 @@ class SubscriptionManager { | ||
| 150 | global $default; | 150 | global $default; |
| 151 | 151 | ||
| 152 | $sql = $default->db; | 152 | $sql = $default->db; |
| 153 | - if ($sql->query("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) . " " . | ||
| 154 | - "WHERE user_id = $iUserID")) { | 153 | + if ($sql->query(array("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) . " " ./*ok*/ |
| 154 | + "WHERE user_id = ?", $iUserID))) { | ||
| 155 | $aSubscriptions = array(); | 155 | $aSubscriptions = array(); |
| 156 | while ($sql->next_record()) { | 156 | while ($sql->next_record()) { |
| 157 | $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType); | 157 | $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType); |
| @@ -184,9 +184,9 @@ class SubscriptionManager { | @@ -184,9 +184,9 @@ class SubscriptionManager { | ||
| 184 | global $default; | 184 | global $default; |
| 185 | 185 | ||
| 186 | $sql = $default->db; | 186 | $sql = $default->db; |
| 187 | - if ($sql->query("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) . " " . | ||
| 188 | - "WHERE user_id = $iUserID " . | ||
| 189 | - "AND is_alerted = 1")) { | 187 | + if ($sql->query(array("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) . " " ./*ok*/ |
| 188 | + "WHERE user_id = ? " . | ||
| 189 | + "AND is_alerted = 1", $iUserID))) { | ||
| 190 | $aSubscriptions = array(); | 190 | $aSubscriptions = array(); |
| 191 | while ($sql->next_record()) { | 191 | while ($sql->next_record()) { |
| 192 | $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType); | 192 | $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType); |
lib/unitmanagement/Unit.inc
| @@ -192,7 +192,7 @@ class Unit extends KTEntity { | @@ -192,7 +192,7 @@ class Unit extends KTEntity { | ||
| 192 | function & get($iUnitID) { | 192 | function & get($iUnitID) { |
| 193 | global $default; | 193 | global $default; |
| 194 | $sql = $default->db; | 194 | $sql = $default->db; |
| 195 | - $result = $sql->query("SELECT * FROM $default->units_table WHERE id = $iUnitID"); | 195 | + $result = $sql->query(array("SELECT * FROM $default->units_table WHERE id = ?", $iUnitID));/*ok*/ |
| 196 | if ($result) { | 196 | if ($result) { |
| 197 | if ($sql->next_record()) { | 197 | if ($sql->next_record()) { |
| 198 | $oUnit = & new Unit($sql->f("name")); | 198 | $oUnit = & new Unit($sql->f("name")); |
| @@ -213,7 +213,7 @@ class Unit extends KTEntity { | @@ -213,7 +213,7 @@ class Unit extends KTEntity { | ||
| 213 | global $default; | 213 | global $default; |
| 214 | // check to see if group is linked to a unit | 214 | // check to see if group is linked to a unit |
| 215 | $sql = $default->db; | 215 | $sql = $default->db; |
| 216 | - $query = "SELECT unit_id FROM ". $default->groups_units_table ." WHERE unit_id = " . $this->iId; | 216 | + $query = array("SELECT unit_id FROM ". $default->groups_units_table ." WHERE unit_id = ?", $this->iId);/*ok*/ |
| 217 | $sql->query($query); | 217 | $sql->query($query); |
| 218 | if ($sql->num_rows($sql) > 0) { | 218 | if ($sql->num_rows($sql) > 0) { |
| 219 | return true; | 219 | return true; |
| @@ -262,7 +262,7 @@ class Unit extends KTEntity { | @@ -262,7 +262,7 @@ class Unit extends KTEntity { | ||
| 262 | $aUnitArray; | 262 | $aUnitArray; |
| 263 | settype($aUnitArray, "array"); | 263 | settype($aUnitArray, "array"); |
| 264 | $sql = $default->db; | 264 | $sql = $default->db; |
| 265 | - $result = $sql->query("SELECT * FROM " . $default->units_table . (isset($sWhereClause) ? " " . $sWhereClause : "")); | 265 | + $result = $sql->query("SELECT * FROM " . $default->units_table . (isset($sWhereClause) ? " " . $sWhereClause : ""));/*wc*/ |
| 266 | if ($result) { | 266 | if ($result) { |
| 267 | $iCount = 0; | 267 | $iCount = 0; |
| 268 | while ($sql->next_record()) { | 268 | while ($sql->next_record()) { |
lib/unitmanagement/UnitOrganisationLink.inc
| @@ -115,8 +115,9 @@ class UnitOrganisationLink extends KTEntity { | @@ -115,8 +115,9 @@ class UnitOrganisationLink extends KTEntity { | ||
| 115 | if ($this->iId < 0) { | 115 | if ($this->iId < 0) { |
| 116 | 116 | ||
| 117 | $sql = $default->db; | 117 | $sql = $default->db; |
| 118 | - $query = "SELECT unit_id FROM $default->units_organisations_table WHERE unit_id = $this->iUnitID AND organisation_id = $this->iOrgID"; | ||
| 119 | - $sql->query($query); | 118 | + $query = "SELECT unit_id FROM $default->units_organisations_table WHERE unit_id = ? AND organisation_id = ?";/*ok*/ |
| 119 | + $params = array($this->iUnitID, $this->iOrgID); | ||
| 120 | + $sql->query(array($query, $params)); | ||
| 120 | $rows = $sql->num_rows($sql); | 121 | $rows = $sql->num_rows($sql); |
| 121 | 122 | ||
| 122 | if ($rows > 0) { | 123 | if ($rows > 0) { |
| @@ -138,7 +139,7 @@ class UnitOrganisationLink extends KTEntity { | @@ -138,7 +139,7 @@ class UnitOrganisationLink extends KTEntity { | ||
| 138 | function & get($iUnitOrganisationLinkID) { | 139 | function & get($iUnitOrganisationLinkID) { |
| 139 | global $default; | 140 | global $default; |
| 140 | $sql = $default->db; | 141 | $sql = $default->db; |
| 141 | - $result = $sql->query("SELECT * FROM $default->units_organisations_table WHERE id = $iUnitOrganisationLinkID"); | 142 | + $result = $sql->query(array("SELECT * FROM $default->units_organisations_table WHERE id = ?", $iUnitOrganisationLinkID));/*ok*/ |
| 142 | if ($result) { | 143 | if ($result) { |
| 143 | if ($sql->next_record()) { | 144 | if ($sql->next_record()) { |
| 144 | $oUnitOrganisationLink = & new UnitOrganisationLink($sql->f("unit_id"),$sql->f("organisation_id") ); | 145 | $oUnitOrganisationLink = & new UnitOrganisationLink($sql->f("unit_id"),$sql->f("organisation_id") ); |
| @@ -164,7 +165,7 @@ class UnitOrganisationLink extends KTEntity { | @@ -164,7 +165,7 @@ class UnitOrganisationLink extends KTEntity { | ||
| 164 | $aUnitOrganisationLink; | 165 | $aUnitOrganisationLink; |
| 165 | settype($aUnitOrganisationLink, "array"); | 166 | settype($aUnitOrganisationLink, "array"); |
| 166 | $sql = $default->db; | 167 | $sql = $default->db; |
| 167 | - $result = $sql->query("SELECT * FROM " . $default->units_organisations_table . (isset($sWhereClause) ? " " . $sWhereClause : "")); | 168 | + $result = $sql->query("SELECT * FROM " . $default->units_organisations_table . (isset($sWhereClause) ? " " . $sWhereClause : ""));/*wc*/ |
| 168 | if ($result) { | 169 | if ($result) { |
| 169 | $iCount = 0; | 170 | $iCount = 0; |
| 170 | while ($sql->next_record()) { | 171 | while ($sql->next_record()) { |
| @@ -208,7 +209,7 @@ class UnitOrganisationLink extends KTEntity { | @@ -208,7 +209,7 @@ class UnitOrganisationLink extends KTEntity { | ||
| 208 | function getByUnitID($unitId) { | 209 | function getByUnitID($unitId) { |
| 209 | global $default; | 210 | global $default; |
| 210 | $sql = $default->db; | 211 | $sql = $default->db; |
| 211 | - $result = $sql->query("SELECT * FROM $default->units_organisations_table WHERE unit_id = $unitId"); | 212 | + $result = $sql->query(array("SELECT * FROM $default->units_organisations_table WHERE unit_id = ?", $unitId));/*ok*/ |
| 212 | if ($result) { | 213 | if ($result) { |
| 213 | if ($sql->next_record()) { | 214 | if ($sql->next_record()) { |
| 214 | $oUnitOrganisationLink = & UnitOrganisationLink::get($sql->f("id")); | 215 | $oUnitOrganisationLink = & UnitOrganisationLink::get($sql->f("id")); |
lib/users/User.inc
| @@ -353,7 +353,7 @@ class User extends KTEntity { | @@ -353,7 +353,7 @@ class User extends KTEntity { | ||
| 353 | function & get($iUserID) { | 353 | function & get($iUserID) { |
| 354 | global $default; | 354 | global $default; |
| 355 | $sql = $default->db; | 355 | $sql = $default->db; |
| 356 | - $result = $sql->query("SELECT * FROM $default->users_table WHERE id = $iUserID"); | 356 | + $result = $sql->query(array("SELECT * FROM $default->users_table WHERE id = ?", $iUserID));/*ok*/ |
| 357 | if ($result) { | 357 | if ($result) { |
| 358 | if ($sql->next_record()) { | 358 | if ($sql->next_record()) { |
| 359 | $oUser = & new User($sql->f("username"), $sql->f("name"), $sql->f("password"), $sql->f("quota_max"), $sql->f("email"), $sql->f("mobile"), $sql->f("email_notification"), $sql->f("sms_notification"), $sql->f("ldap_dn"), $sql->f("max_sessions"), $sql->f("language_id")); | 359 | $oUser = & new User($sql->f("username"), $sql->f("name"), $sql->f("password"), $sql->f("quota_max"), $sql->f("email"), $sql->f("mobile"), $sql->f("email_notification"), $sql->f("sms_notification"), $sql->f("ldap_dn"), $sql->f("max_sessions"), $sql->f("language_id")); |
| @@ -380,7 +380,7 @@ class User extends KTEntity { | @@ -380,7 +380,7 @@ class User extends KTEntity { | ||
| 380 | $aUserArray; | 380 | $aUserArray; |
| 381 | settype($aUserArray, "array"); | 381 | settype($aUserArray, "array"); |
| 382 | $sql = $default->db; | 382 | $sql = $default->db; |
| 383 | - $result = $sql->query("SELECT * FROM " . $default->users_table . (isset($sWhereClause) ? " " . $sWhereClause : "")); | 383 | + $result = $sql->query("SELECT * FROM " . $default->users_table . (isset($sWhereClause) ? " " . $sWhereClause : ""));/*wc*/ |
| 384 | if ($result) { | 384 | if ($result) { |
| 385 | $iCount = 0; | 385 | $iCount = 0; |
| 386 | while ($sql->next_record()) { | 386 | while ($sql->next_record()) { |
| @@ -406,9 +406,9 @@ class User extends KTEntity { | @@ -406,9 +406,9 @@ class User extends KTEntity { | ||
| 406 | global $default, $lang_err_database; | 406 | global $default, $lang_err_database; |
| 407 | 407 | ||
| 408 | $sql = $default->db; | 408 | $sql = $default->db; |
| 409 | - $result = $sql->query("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " . | 409 | + /*ok*/$result = $sql->query(array("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " . |
| 410 | "INNER JOIN $default->groups_units_table gul ON ugl.group_id = gul.group_id ". | 410 | "INNER JOIN $default->groups_units_table gul ON ugl.group_id = gul.group_id ". |
| 411 | - "WHERE ugl.user_id=$userID"); | 411 | + "WHERE ugl.user_id = ?", $userID)); |
| 412 | if ($result) { | 412 | if ($result) { |
| 413 | $aUnitIDs = array(); | 413 | $aUnitIDs = array(); |
| 414 | while ($sql->next_record()) { | 414 | while ($sql->next_record()) { |
| @@ -430,9 +430,9 @@ class User extends KTEntity { | @@ -430,9 +430,9 @@ class User extends KTEntity { | ||
| 430 | global $default, $lang_err_database; | 430 | global $default, $lang_err_database; |
| 431 | 431 | ||
| 432 | $sql = $default->db; | 432 | $sql = $default->db; |
| 433 | - $result = $sql->query("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " . | 433 | + /*ok*/$result = $sql->query(array("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " . |
| 434 | "INNER JOIN $default->groups_units_table gul ON ugl.group_id = gul.group_id ". | 434 | "INNER JOIN $default->groups_units_table gul ON ugl.group_id = gul.group_id ". |
| 435 | - "WHERE ugl.user_id=$userID"); | 435 | + "WHERE ugl.user_id = ?", $userID)); |
| 436 | if ($result) { | 436 | if ($result) { |
| 437 | if ($sql->next_record()) { | 437 | if ($sql->next_record()) { |
| 438 | return $sql->f("unit_id"); | 438 | return $sql->f("unit_id"); |
| @@ -503,17 +503,17 @@ class User extends KTEntity { | @@ -503,17 +503,17 @@ class User extends KTEntity { | ||
| 503 | // then find the group that is unit_admin | 503 | // then find the group that is unit_admin |
| 504 | $sql = $default->db; | 504 | $sql = $default->db; |
| 505 | $sEmail = ""; | 505 | $sEmail = ""; |
| 506 | - if ($sql->query("SELECT group_id FROM $default->groups_units_table GUL " . | 506 | + if ($sql->query(array("SELECT group_id FROM $default->groups_units_table GUL " . /*ok*/ |
| 507 | "INNER JOIN $default->groups_table GL on GUL.group_id=GL.id " . | 507 | "INNER JOIN $default->groups_table GL on GUL.group_id=GL.id " . |
| 508 | "WHERE GL.is_unit_admin=1 " . | 508 | "WHERE GL.is_unit_admin=1 " . |
| 509 | - "AND unit_id=$iUnitID")) { | 509 | + "AND unit_id = ?", $iUnitID))) { |
| 510 | // get the first record | 510 | // get the first record |
| 511 | if ($sql->next_record()) { | 511 | if ($sql->next_record()) { |
| 512 | $iGroupID = $sql->f("group_id"); | 512 | $iGroupID = $sql->f("group_id"); |
| 513 | // then find the first user in this group that has an email address | 513 | // then find the first user in this group that has an email address |
| 514 | - if ($sql->query("SELECT U.id, U.email FROM $default->users_table U " . | 514 | + if ($sql->query(array("SELECT U.id, U.email FROM $default->users_table U " . /*ok*/ |
| 515 | "INNER JOIN $default->users_groups_table UGL on UGL.user_id=U.id " . | 515 | "INNER JOIN $default->users_groups_table UGL on UGL.user_id=U.id " . |
| 516 | - "WHERE group_id=$iGroupID")) { | 516 | + "WHERE group_id = ?", $iGroupID))) { |
| 517 | while ($sql->next_record()) { | 517 | while ($sql->next_record()) { |
| 518 | if (strlen($sql->f("email")) > 0) { | 518 | if (strlen($sql->f("email")) > 0) { |
| 519 | return User::get($sql->f("id")); | 519 | return User::get($sql->f("id")); |
lib/web/WebDocument.inc
| @@ -151,7 +151,7 @@ class WebDocument extends KTEntity { | @@ -151,7 +151,7 @@ class WebDocument extends KTEntity { | ||
| 151 | global $default, $lang_err_database; | 151 | global $default, $lang_err_database; |
| 152 | $aWebDocumentArray = array(); | 152 | $aWebDocumentArray = array(); |
| 153 | $sql = $default->db; | 153 | $sql = $default->db; |
| 154 | - $sQuery = "SELECT * FROM " . $default->web_documents_table; | 154 | + $sQuery = "SELECT * FROM " . $default->web_documents_table;/*wc*/ |
| 155 | if (isset($sWhereClause)) { | 155 | if (isset($sWhereClause)) { |
| 156 | $sQuery .= " WHERE " . $sWhereClause; | 156 | $sQuery .= " WHERE " . $sWhereClause; |
| 157 | } | 157 | } |