authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2013-11-28 22:05:20 +0100
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2013-11-28 22:05:20 +0100
commite8f170f5e35759fa1189d6e7272ca24b3568079d (patch)
tree76c8e7b1c6e0d090deca7e08b69e005755b076bc /app/models/Category.php
parent2a798e544b93d112bad5d1622b06a8f7bfc525cd (diff)
Protection des requêtes SQL
Corrige https://github.com/marienfressinaud/FreshRSS/issues/294
Diffstat (limited to 'app/models/Category.php')
-rwxr-xr-xapp/models/Category.php24
1 files changed, 12 insertions, 12 deletions
diff --git a/app/models/Category.php b/app/models/Category.php
index a01034f4e..5915132f4 100755
--- a/app/models/Category.php
+++ b/app/models/Category.php
@@ -86,7 +86,7 @@ class Category extends Model {
class CategoryDAO extends Model_pdo {
public function addCategory ($valuesTmp) {
- $sql = 'INSERT INTO ' . $this->prefix . 'category (name, color) VALUES(?, ?)';
+ $sql = 'INSERT INTO `' . $this->prefix . 'category` (name, color) VALUES(?, ?)';
$stm = $this->bd->prepare ($sql);
$values = array (
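Review bot: The backtick quoting added on the new `$sql` line in addCategory is MySQL identifier syntax; SQLite tolerates it for compatibility, but an ANSI/PostgreSQL backend would reject it, so this change narrows which drivers the DAO can run against (the same pattern appears in the updateCategory, deleteCategory, searchById, searchByName, listCategories, getDefault, count, countFeed and countNotRead hunks). Quoting also does not neutralise a backtick inside `$this->prefix`, which is still concatenated into every statement; it is presumably configuration rather than request data, but validating it once where it is assigned (for example `if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) throw new Exception('Invalid table prefix');`) would be safer than trusting it in each query. A single helper on Model_pdo such as `protected function table($name) { return '`' . $this->prefix . $name . '`'; }` would keep the quoting rule in one place if the driver or quote style ever changes. addCategory's body continues past the end of this hunk.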
@@ -104,7 +104,7 @@ class CategoryDAO extends Model_pdo {
}
public function updateCategory ($id, $valuesTmp) {
- $sql = 'UPDATE ' . $this->prefix . 'category SET name=?, color=? WHERE id=?';
+ $sql = 'UPDATE `' . $this->prefix . 'category` SET name=?, color=? WHERE id=?';
$stm = $this->bd->prepare ($sql);
$values = array (
@@ -123,7 +123,7 @@ class CategoryDAO extends Model_pdo {
}
public function deleteCategory ($id) {
- $sql = 'DELETE FROM ' . $this->prefix . 'category WHERE id=?';
+ $sql = 'DELETE FROM `' . $this->prefix . 'category` WHERE id=?';
$stm = $this->bd->prepare ($sql);
$values = array ($id);
@@ -138,7 +138,7 @@ class CategoryDAO extends Model_pdo {
}
public function searchById ($id) {
- $sql = 'SELECT * FROM ' . $this->prefix . 'category WHERE id=?';
+ $sql = 'SELECT * FROM `' . $this->prefix . 'category` WHERE id=?';
$stm = $this->bd->prepare ($sql);
$values = array ($id);
@@ -154,7 +154,7 @@ class CategoryDAO extends Model_pdo {
}
}
public function searchByName ($name) {
- $sql = 'SELECT * FROM ' . $this->prefix . 'category WHERE name=?';
+ $sql = 'SELECT * FROM `' . $this->prefix . 'category` WHERE name=?';
$stm = $this->bd->prepare ($sql);
$values = array ($name);
@@ -175,15 +175,15 @@ class CategoryDAO extends Model_pdo {
$sql = 'SELECT c.id AS c_id, c.name AS c_name, '
. ($details ? 'c.color AS c_color, ' : '')
. ($details ? 'f.* ' : 'f.id, f.name, f.website, f.priority, f.error, f.cache_nbEntries, f.cache_nbUnreads ')
- . 'FROM ' . $this->prefix . 'category c '
- . 'LEFT OUTER JOIN ' . $this->prefix . 'feed f ON f.category = c.id '
+ . 'FROM `' . $this->prefix . 'category` c '
+ . 'LEFT OUTER JOIN `' . $this->prefix . 'feed` f ON f.category = c.id '
. 'GROUP BY f.id '
. 'ORDER BY c.name, f.name';
$stm = $this->bd->prepare ($sql);
$stm->execute ();
return HelperCategory::daoToCategoryPrepopulated ($stm->fetchAll (PDO::FETCH_ASSOC));
} else {
- $sql = 'SELECT * FROM ' . $this->prefix . 'category ORDER BY name';
+ $sql = 'SELECT * FROM `' . $this->prefix . 'category` ORDER BY name';
$stm = $this->bd->prepare ($sql);
$stm->execute ();
return HelperCategory::daoToCategory ($stm->fetchAll (PDO::FETCH_ASSOC));
@@ -191,7 +191,7 @@ class CategoryDAO extends Model_pdo {
}
public function getDefault () {
- $sql = 'SELECT * FROM ' . $this->prefix . 'category WHERE id=1';
+ $sql = 'SELECT * FROM `' . $this->prefix . 'category` WHERE id=1';
$stm = $this->bd->prepare ($sql);
$stm->execute ();
@@ -222,7 +222,7 @@ class CategoryDAO extends Model_pdo {
}
public function count () {
- $sql = 'SELECT COUNT(*) AS count FROM ' . $this->prefix . 'category';
+ $sql = 'SELECT COUNT(*) AS count FROM `' . $this->prefix . 'category`';
$stm = $this->bd->prepare ($sql);
$stm->execute ();
$res = $stm->fetchAll (PDO::FETCH_ASSOC);
@@ -231,7 +231,7 @@ class CategoryDAO extends Model_pdo {
}
public function countFeed ($id) {
- $sql = 'SELECT COUNT(*) AS count FROM ' . $this->prefix . 'feed WHERE category=?';
+ $sql = 'SELECT COUNT(*) AS count FROM `' . $this->prefix . 'feed` WHERE category=?';
$stm = $this->bd->prepare ($sql);
$values = array ($id);
$stm->execute ($values);
@@ -241,7 +241,7 @@ class CategoryDAO extends Model_pdo {
}
public function countNotRead ($id) {
- $sql = 'SELECT COUNT(*) AS count FROM ' . $this->prefix . 'entry e INNER JOIN ' . $this->prefix . 'feed f ON e.id_feed = f.id WHERE category=? AND e.is_read=0';
+ $sql = 'SELECT COUNT(*) AS count FROM `' . $this->prefix . 'entry` e INNER JOIN `' . $this->prefix . 'feed` f ON e.id_feed = f.id WHERE category=? AND e.is_read=0';
$stm = $this->bd->prepare ($sql);
$values = array ($id);
$stm->execute ($values);