Skip to content

Commit

Permalink
In Model use placeholders / bind parameters rather than writing the I…
Browse files Browse the repository at this point in the history
…d Sites in the SQL query - Models should be implemented in a safe way and not assume that the callee will have validated all against SQLI
  • Loading branch information
mattab committed Dec 15, 2014
1 parent 4c079db commit 6f5e4bc
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 9 deletions.
6 changes: 3 additions & 3 deletions core/DataAccess/ArchiveSelector.php
Original file line number Diff line number Diff line change
Expand Up @@ -154,9 +154,9 @@ public static function getArchiveIds($siteIds, $periods, $segment, $plugins, $is

$getArchiveIdsSql = "SELECT idsite, name, date1, date2, MAX(idarchive) as idarchive
FROM %s
WHERE %s
WHERE idsite IN (" . Common::getSqlStringFieldsArray($siteIds) . ")
AND " . self::getNameCondition($plugins, $segment, $isSkipAggregationOfSubTables) . "
AND idsite IN (" . implode(',', $siteIds) . ")
AND %s
GROUP BY idsite, date1, date2";

$monthToPeriods = array();
Expand All @@ -171,7 +171,7 @@ public static function getArchiveIds($siteIds, $periods, $segment, $plugins, $is
foreach ($monthToPeriods as $table => $periods) {
$firstPeriod = reset($periods);

$bind = array();
$bind = $siteIds;

if ($firstPeriod instanceof Range) {
$dateCondition = "period = ? AND date1 = ? AND date2 = ?";
Expand Down
18 changes: 12 additions & 6 deletions core/DataAccess/Model.php
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ public function getInvalidatedArchiveIdsSafeToDelete($archiveTable, array $idSit
// prevent error 'The SELECT would examine more than MAX_JOIN_SIZE rows'
Db::get()->query('SET SQL_BIG_SELECTS=1');

$idSitesString = Common::getSqlStringFieldsArray($idSites);

$query = 'SELECT t1.idarchive FROM `' . $archiveTable . '` t1
INNER JOIN `' . $archiveTable . '` t2
ON t1.name = t2.name
Expand All @@ -45,13 +47,13 @@ public function getInvalidatedArchiveIdsSafeToDelete($archiveTable, array $idSit
AND t1.date2 = t2.date2
AND t1.period = t2.period
WHERE t1.value = ' . ArchiveWriter::DONE_INVALIDATED . '
AND t1.idsite IN (' . implode(",", $idSites) . ')
AND t1.idsite IN (' . $idSitesString . ')
AND t2.value IN(' . ArchiveWriter::DONE_OK . ', ' . ArchiveWriter::DONE_OK_TEMPORARY . ')
AND t1.ts_archived < t2.ts_archived
AND t1.name LIKE \'done%\'
';

$result = Db::fetchAll($query);
$result = Db::fetchAll($query, $idSites);

$archiveIds = array_map(
function ($elm) {
Expand Down Expand Up @@ -80,6 +82,10 @@ public function updateArchiveAsInvalidated($archiveTable, $idSites, $periodId, $
}
$sql = implode(" OR ", $sql);


$sqlSites = " AND idsite IN (" . Common::getSqlStringFieldsArray($idSites) . ")";
$bind = array_merge($bind, $idSites);

$sqlPeriod = "";
if ($periodId) {
$sqlPeriod = " AND period = ? ";
Expand All @@ -89,7 +95,7 @@ public function updateArchiveAsInvalidated($archiveTable, $idSites, $periodId, $
$query = "UPDATE $archiveTable " .
" SET value = " . ArchiveWriter::DONE_INVALIDATED .
" WHERE ( $sql ) " .
" AND idsite IN (" . implode(",", $idSites) . ")" .
$sqlSites .
$sqlPeriod;
Db::query($query, $bind);
}
Expand Down Expand Up @@ -122,12 +128,12 @@ public function deleteArchivesWithPeriod($numericTable, $blobTable, $period, $da

public function deleteArchiveIds($numericTable, $blobTable, $idsToDelete)
{
$query = "DELETE FROM %s WHERE idarchive IN (" . implode(',', $idsToDelete) . ")";
$query = "DELETE FROM %s WHERE idarchive IN (" . Common::getSqlStringFieldsArray($idsToDelete) . ")";

Db::query(sprintf($query, $numericTable));
Db::query(sprintf($query, $numericTable), $idsToDelete);

try {
Db::query(sprintf($query, $blobTable));
Db::query(sprintf($query, $blobTable), $idsToDelete);
} catch (Exception $e) {
// Individual blob tables could be missing
}
Expand Down

0 comments on commit 6f5e4bc

Please sign in to comment.