From 488fc63b67312640dcac68a324794ec4a591ba6d Mon Sep 17 00:00:00 2001 From: Maryana Rozhankivska Date: Fri, 14 Feb 2014 17:27:22 +0200 Subject: duplicate check added. fix of issue #400 --- inc/poche/Database.class.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'inc/poche/Database.class.php') diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php index 9f553fa1..58583bf5 100644 --- a/inc/poche/Database.class.php +++ b/inc/poche/Database.class.php @@ -241,6 +241,22 @@ class Database { return isset($entry[0]) ? $entry[0] : null; } + public function retrieveOneByURL($url, $user_id) { + $entry = NULL; + $sql = "SELECT * FROM entries WHERE url=? AND user_id=?"; + $params = array($url, $user_id); + $query = $this->executeQuery($sql, $params); + $entry = $query->fetchAll(); + + return isset($entry[0]) ? $entry[0] : null; + } + + public function reassignTags($old_entry_id, $new_entry_id) { + $sql = "UPDATE tags_entries SET entry_id=? WHERE entry_id=?"; + $params = array($new_entry_id, $old_entry_id); + $query = $this->executeQuery($sql, $params); + } + public function getEntriesByView($view, $user_id, $limit = '') { switch ($_SESSION['sort']) { -- cgit v1.2.3 From b89d5a2bf48c2c1eb796963b3401aca498618ec4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Wed, 19 Feb 2014 13:25:28 +0100 Subject: [fix] security problems with tags --- inc/poche/Database.class.php | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'inc/poche/Database.class.php') diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php index 58583bf5..3332b5a3 100644 --- a/inc/poche/Database.class.php +++ b/inc/poche/Database.class.php @@ -344,30 +344,36 @@ class Database { return $this->getHandle()->lastInsertId($column); } - public function retrieveAllTags() { - $sql = "SELECT * FROM tags"; - $query = $this->executeQuery($sql, array()); + public function retrieveAllTags($user_id) { + $sql = "SELECT tags.* FROM tags + LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id + LEFT JOIN entries ON tags_entries.entry_id=entries.id + WHERE entries.user_id=?"; + $query = $this->executeQuery($sql, array($user_id)); $tags = $query->fetchAll(); return $tags; } - public function retrieveTag($id) { + public function retrieveTag($id, $user_id) { $tag = NULL; - $sql = "SELECT * FROM tags WHERE id=?"; - $params = array(intval($id)); + $sql = "SELECT tags.* FROM tags + LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id + LEFT JOIN entries ON tags_entries.entry_id=entries.id + WHERE tags.id=? AND entries.user_id=?"; + $params = array(intval($id), $user_id); $query = $this->executeQuery($sql, $params); $tag = $query->fetchAll(); return isset($tag[0]) ? $tag[0] : null; } - public function retrieveEntriesByTag($tag_id) { + public function retrieveEntriesByTag($tag_id, $user_id) { $sql = "SELECT entries.* FROM entries LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id - WHERE tags_entries.tag_id = ?"; - $query = $this->executeQuery($sql, array($tag_id)); + WHERE tags_entries.tag_id = ? AND entries.user_id=?"; + $query = $this->executeQuery($sql, array($tag_id, $user_id)); $entries = $query->fetchAll(); return $entries; -- cgit v1.2.3