authorNicolas LÅ“uillet <nicolas.loeuillet@gmail.com>2014-02-19 13:25:28 +0100
committerNicolas LÅ“uillet <nicolas.loeuillet@gmail.com>2014-02-19 13:25:28 +0100
commitb89d5a2bf48c2c1eb796963b3401aca498618ec4 (patch)
treef9ab84e607cb54bdb0dc1d0027435af213a722f3 /inc/poche/Database.class.php
parent53ae58e1a1bf097b8eb1af3a532ebf25630f96ec (diff)
[fix] security problems with tags
Diffstat (limited to 'inc/poche/Database.class.php')
-rw-r--r--inc/poche/Database.class.php24
1 files changed, 15 insertions, 9 deletions
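--- a/inc/poche/Database.class.php
+++ b/inc/poche/Database.class.php
@@ -344,30 +344,36 @@ class Database {
 return $this->getHandle()->lastInsertId($column);
 }
 
-public function retrieveAllTags() {
-$sql = "SELECT * FROM tags";
-$query = $this->executeQuery($sql, array());
+public function retrieveAllTags($user_id) {
+$sql = "SELECT tags.* FROM tags
+LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
+LEFT JOIN entries ON tags_entries.entry_id=entries.id
+WHERE entries.user_id=?";
+$query = $this->executeQuery($sql, array($user_id));
 $tags = $query->fetchAll();
 
 return $tags;
 }
 
-public function retrieveTag($id) {
+public function retrieveTag($id, $user_id) {
 $tag = NULL;
-$sql = "SELECT * FROM tags WHERE id=?";
-$params = array(intval($id));
+$sql = "SELECT tags.* FROM tags
+LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
+LEFT JOIN entries ON tags_entries.entry_id=entries.id
+WHERE tags.id=? AND entries.user_id=?";
+$params = array(intval($id), $user_id);
 $query = $this->executeQuery($sql, $params);
 $tag = $query->fetchAll();
 
 return isset($tag[0]) ? $tag[0] : null;
 }
 
-public function retrieveEntriesByTag($tag_id) {
+public function retrieveEntriesByTag($tag_id, $user_id) {
 $sql =
 "SELECT entries.* FROM entries
 LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id
-WHERE tags_entries.tag_id = ?";
-$query = $this->executeQuery($sql, array($tag_id));
+WHERE tags_entries.tag_id = ? AND entries.user_id=?";
+$query = $this->executeQuery($sql, array($tag_id, $user_id));
 $entries = $query->fetchAll();
 
 return $entries;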
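Review bot: The new retrieveAllTags() query returns one row per (tag, entry) pair, so a tag attached to several of the user's entries comes back duplicated; `$sql = "SELECT DISTINCT tags.* FROM tags` (or a GROUP BY tags.id) is needed now that the joins are in place, since the old `SELECT * FROM tags` never had this problem. The per-user scoping itself is sound because user_id is bound through executeQuery's parameter array rather than interpolated, and the same pattern is applied consistently in retrieveTag() and retrieveEntriesByTag(). In both new queries the LEFT JOINs behave as inner joins because the WHERE clause filters on entries.user_id, so plain `JOIN` would state the intent more clearly, though the result is the same. In retrieveTag() the existing `intval($id)` is kept for the tag id while `$user_id` is passed as received; presumably the caller already supplies an integer from the session, but worth confirming. retrieveEntriesByTag()'s closing brace lies outside the hunk.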