mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 11:09:18 +02:00
encapsulate raw PDO queries leaking from callers into Database.php methods
- Add getThesisAccessTypeId(int $id): ?int — replaces raw SELECT in tfe.php - Add getCoverPathsForTheses(array $ids): array — replaces raw SELECT/IN query in index.php - Add getFileVisibility(string $path): ?int — replaces raw join query in media.php - Add getThesisBannerPath(int $id): ?string — replaces unparameterised SQL injection in edit.php (SELECT banner_path FROM theses WHERE id = $thesisId was interpolating $thesisId directly into the query string; now parameterised via prepared statement) - Add getThesisRawFields(int $id): ?array — replaces raw SELECT license_id/access_type_id/ context_note in edit.php - Add getThesisCount(): int — replaces raw SELECT COUNT(*) in system.php Callers updated: public/tfe.php, public/index.php, public/media.php, public/admin/edit.php, public/admin/system.php
This commit is contained in:
Pontoporeia
@@ -856,6 +856,101 @@ class Database {
|
||||
$stmt->execute([$path, $thesisId]);
|
||||
}
|
||||
|
||||
// ========================================================================
|
||||
// ENCAPSULATED QUERY HELPERS
|
||||
// ========================================================================
|
||||
|
||||
/**
|
||||
* Return the raw access_type_id for a thesis (used for visibility gating).
|
||||
* Returns null if the thesis is not found.
|
||||
*/
|
||||
public function getThesisAccessTypeId(int $thesisId): ?int {
|
||||
$stmt = $this->pdo->prepare(
|
||||
"SELECT access_type_id FROM theses WHERE id = ? LIMIT 1"
|
||||
);
|
||||
$stmt->execute([$thesisId]);
|
||||
$val = $stmt->fetchColumn();
|
||||
return ($val !== false) ? (int)$val : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the raw FK fields not exposed through v_theses_full string columns.
|
||||
* Returns ['license_id', 'access_type_id', 'context_note'] or null if not found.
|
||||
*
|
||||
* @return array{license_id:int|null,access_type_id:int|null,context_note:string}|null
|
||||
*/
|
||||
public function getThesisRawFields(int $thesisId): ?array {
|
||||
$stmt = $this->pdo->prepare(
|
||||
"SELECT license_id, access_type_id, context_note FROM theses WHERE id = ? LIMIT 1"
|
||||
);
|
||||
$stmt->execute([$thesisId]);
|
||||
$row = $stmt->fetch();
|
||||
return $row !== false ? $row : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the banner_path for a thesis, or null.
|
||||
* Used when we need just the banner path without the full view expansion.
|
||||
*/
|
||||
public function getThesisBannerPath(int $thesisId): ?string {
|
||||
$stmt = $this->pdo->prepare(
|
||||
"SELECT banner_path FROM theses WHERE id = ? LIMIT 1"
|
||||
);
|
||||
$stmt->execute([$thesisId]);
|
||||
$val = $stmt->fetchColumn();
|
||||
return ($val !== false && $val !== null) ? (string)$val : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Batch-load cover file paths for a set of thesis IDs.
|
||||
* Returns [thesis_id => file_path] for IDs that have a cover in thesis_files.
|
||||
*
|
||||
* @param int[] $thesisIds
|
||||
* @return array<int,string>
|
||||
*/
|
||||
public function getCoverPathsForTheses(array $thesisIds): array {
|
||||
if (empty($thesisIds)) {
|
||||
return [];
|
||||
}
|
||||
$placeholders = implode(',', array_fill(0, count($thesisIds), '?'));
|
||||
$stmt = $this->pdo->prepare("
|
||||
SELECT thesis_id, file_path FROM thesis_files
|
||||
WHERE file_type = 'cover' AND thesis_id IN ($placeholders)
|
||||
");
|
||||
$stmt->execute($thesisIds);
|
||||
$map = [];
|
||||
foreach ($stmt->fetchAll() as $row) {
|
||||
$map[(int)$row['thesis_id']] = $row['file_path'];
|
||||
}
|
||||
return $map;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check visibility for a file path under theses/.
|
||||
* Returns the access_type_id of the owning thesis, or null if the file
|
||||
* is not found or the path does not belong to a thesis file.
|
||||
*
|
||||
* Access type 3 = Interdit (forbidden).
|
||||
*/
|
||||
public function getFileVisibility(string $filePath): ?int {
|
||||
$stmt = $this->pdo->prepare("
|
||||
SELECT t.access_type_id FROM theses t
|
||||
JOIN thesis_files tf ON tf.thesis_id = t.id
|
||||
WHERE tf.file_path = ?
|
||||
LIMIT 1
|
||||
");
|
||||
$stmt->execute([$filePath]);
|
||||
$val = $stmt->fetchColumn();
|
||||
return ($val !== false) ? (int)$val : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return total number of rows in the theses table (for system status display).
|
||||
*/
|
||||
public function getThesisCount(): int {
|
||||
return (int)$this->pdo->query("SELECT COUNT(*) FROM theses")->fetchColumn();
|
||||
}
|
||||
|
||||
/**
|
||||
* Insert a thesis file record
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user