diff options
| author | Nicolas LÅ“uillet <nicolas.loeuillet@gmail.com> | 2014-02-19 13:25:28 +0100 |
|---|---|---|
| committer | Nicolas LÅ“uillet <nicolas.loeuillet@gmail.com> | 2014-02-19 13:25:28 +0100 |
| commit | b89d5a2bf48c2c1eb796963b3401aca498618ec4 (patch) | |
| tree | f9ab84e607cb54bdb0dc1d0027435af213a722f3 /inc/poche/Database.class.php | |
| parent | 53ae58e1a1bf097b8eb1af3a532ebf25630f96ec (diff) | |
| download | wallabag-b89d5a2bf48c2c1eb796963b3401aca498618ec4.tar.gz wallabag-b89d5a2bf48c2c1eb796963b3401aca498618ec4.tar.zst wallabag-b89d5a2bf48c2c1eb796963b3401aca498618ec4.zip | |
[fix] security problems with tags
Diffstat (limited to 'inc/poche/Database.class.php')
| -rw-r--r-- | inc/poche/Database.class.php | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php index 58583bf5..3332b5a3 100644 --- a/inc/poche/Database.class.php +++ b/inc/poche/Database.class.php | |||
| @@ -344,30 +344,36 @@ class Database { | |||
| 344 | return $this->getHandle()->lastInsertId($column); | 344 | return $this->getHandle()->lastInsertId($column); |
| 345 | } | 345 | } |
| 346 | 346 | ||
| 347 | public function retrieveAllTags() { | 347 | public function retrieveAllTags($user_id) { |
| 348 | $sql = "SELECT * FROM tags"; | 348 | $sql = "SELECT tags.* FROM tags |
| 349 | $query = $this->executeQuery($sql, array()); | 349 | LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id |
| 350 | LEFT JOIN entries ON tags_entries.entry_id=entries.id | ||
| 351 | WHERE entries.user_id=?"; | ||
| 352 | $query = $this->executeQuery($sql, array($user_id)); | ||
| 350 | $tags = $query->fetchAll(); | 353 | $tags = $query->fetchAll(); |
| 351 | 354 | ||
| 352 | return $tags; | 355 | return $tags; |
| 353 | } | 356 | } |
| 354 | 357 | ||
| 355 | public function retrieveTag($id) { | 358 | public function retrieveTag($id, $user_id) { |
| 356 | $tag = NULL; | 359 | $tag = NULL; |
| 357 | $sql = "SELECT * FROM tags WHERE id=?"; | 360 | $sql = "SELECT tags.* FROM tags |
| 358 | $params = array(intval($id)); | 361 | LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id |
| 362 | LEFT JOIN entries ON tags_entries.entry_id=entries.id | ||
| 363 | WHERE tags.id=? AND entries.user_id=?"; | ||
| 364 | $params = array(intval($id), $user_id); | ||
| 359 | $query = $this->executeQuery($sql, $params); | 365 | $query = $this->executeQuery($sql, $params); |
| 360 | $tag = $query->fetchAll(); | 366 | $tag = $query->fetchAll(); |
| 361 | 367 | ||
| 362 | return isset($tag[0]) ? $tag[0] : null; | 368 | return isset($tag[0]) ? $tag[0] : null; |
| 363 | } | 369 | } |
| 364 | 370 | ||
| 365 | public function retrieveEntriesByTag($tag_id) { | 371 | public function retrieveEntriesByTag($tag_id, $user_id) { |
| 366 | $sql = | 372 | $sql = |
| 367 | "SELECT entries.* FROM entries | 373 | "SELECT entries.* FROM entries |
| 368 | LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id | 374 | LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id |
| 369 | WHERE tags_entries.tag_id = ?"; | 375 | WHERE tags_entries.tag_id = ? AND entries.user_id=?"; |
| 370 | $query = $this->executeQuery($sql, array($tag_id)); | 376 | $query = $this->executeQuery($sql, array($tag_id, $user_id)); |
| 371 | $entries = $query->fetchAll(); | 377 | $entries = $query->fetchAll(); |
| 372 | 378 | ||
| 373 | return $entries; | 379 | return $entries; |