pierre/wallabag
1
0
Fork 0
forked from wallabag/wallabag
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

[fix] security problems with tags

Browse Source
This commit is contained in:
Nicolas Lœuillet
2014-02-19 13:25:28 +01:00
parent 53ae58e1a1
commit b89d5a2bf4
2 changed files with 37 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
inc/poche/Database.class.php
View File

@ -344,30 +344,36 @@ class Database {
return $this->getHandle()->lastInsertId($column);
}
public function retrieveAllTags() {
$sql = "SELECT * FROM tags";
$query = $this->executeQuery($sql, array());
public function retrieveAllTags($user_id) {
$sql = "SELECT tags.* FROM tags
LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
LEFT JOIN entries ON tags_entries.entry_id=entries.id
WHERE entries.user_id=?";
$query = $this->executeQuery($sql, array($user_id));
$tags = $query->fetchAll();
return $tags;
}
public function retrieveTag($id) {
public function retrieveTag($id, $user_id) {
$tag = NULL;
$sql = "SELECT * FROM tags WHERE id=?";
$params = array(intval($id));
$sql = "SELECT tags.* FROM tags
LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
LEFT JOIN entries ON tags_entries.entry_id=entries.id
WHERE tags.id=? AND entries.user_id=?";
$params = array(intval($id), $user_id);
$query = $this->executeQuery($sql, $params);
$tag = $query->fetchAll();
return isset($tag[0]) ? $tag[0] : null;
}
public function retrieveEntriesByTag($tag_id) {
public function retrieveEntriesByTag($tag_id, $user_id) {
$sql =
"SELECT entries.* FROM entries
LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id
WHERE tags_entries.tag_id = ?";
$query = $this->executeQuery($sql, array($tag_id));
WHERE tags_entries.tag_id = ? AND entries.user_id=?";
$query = $this->executeQuery($sql, array($tag_id, $user_id));
$entries = $query->fetchAll();
return $entries;