PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

encapsulate raw PDO queries leaking from callers into Database.php methods

Browse Source 
- Add getThesisAccessTypeId(int $id): ?int — replaces raw SELECT in tfe.php
- Add getCoverPathsForTheses(array $ids): array — replaces raw SELECT/IN query in index.php
- Add getFileVisibility(string $path): ?int — replaces raw join query in media.php
- Add getThesisBannerPath(int $id): ?string — replaces unparameterised SQL injection in
  edit.php (SELECT banner_path FROM theses WHERE id = $thesisId was interpolating $thesisId
  directly into the query string; now parameterised via prepared statement)
- Add getThesisRawFields(int $id): ?array — replaces raw SELECT license_id/access_type_id/
  context_note in edit.php
- Add getThesisCount(): int — replaces raw SELECT COUNT(*) in system.php

Callers updated: public/tfe.php, public/index.php, public/media.php,
public/admin/edit.php, public/admin/system.php
This commit is contained in:
Pontoporeia
2026-03-28 13:32:34 +01:00
parent 20e5f71634
commit 1181cfa88b
7 changed files with 115 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
public/index.php
View File

@@ -36,17 +36,7 @@ try {
array_filter($itemsToLoad, fn($t) => empty($t['banner_path'])),
'id'
);
if (!empty($needCover)) {
$ph = implode(',', array_fill(0, count($needCover), '?'));
$cStmt = $db->getConnection()->prepare("
SELECT thesis_id, file_path FROM thesis_files
WHERE file_type = 'cover' AND thesis_id IN ($ph)
");
$cStmt->execute($needCover);
foreach ($cStmt->fetchAll() as $row) {
$coverMap[$row['thesis_id']] = $row['file_path'];
}
}
$coverMap = $db->getCoverPathsForTheses($needCover);
}
} catch (Exception $e) {
error_log("Error loading theses: " . $e->getMessage());