bug in escaping static texts

omatech · Feb 4, 2022 · 5909161 · 5909161
1 parent b678f13
commit 5909161
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 96 deletions.
diff --git a/src/Admin/Models/Model.php b/src/Admin/Models/Model.php
@@ -8,12 +8,12 @@ class Model
 {
     private $db;
 
-	public function __construct()
+    public function __construct()
     {
         $this->db = DB::connection(env('DB_CONNECTION', 'mysql'));
-	}
+    }
 
-	protected function get_data($sql,  array $params = [])
+    protected function get_data($sql, array $params = [])
     {
         $rows = $this->db->select($sql, $params);
 
@@ -29,48 +29,53 @@ protected function get_one($sql, array $params = [])
         $row = $this->db->selectOne($sql, $params);
 
         if (!isset($row)) {
-			return false;
-		}
+            return false;
+        }
 
-		return json_decode(json_encode($row), true);
-	}
+        return json_decode(json_encode($row), true);
+    }
 
     protected function insert_one($sql, array $params = [])
     {
-		$row = $this->db->insert($sql, $params);
+        $row = $this->db->insert($sql, $params);
 
-		if (!$row) {
-			return false;
-		}
-		else {
-			$id = DB::getPdo()->lastInsertId();
-			if ($id) return $id;
-			else return false;
-		}  
-	}
-
-    protected function update_one($sql) {
+        if (!$row) {
+            return false;
+        } else {
+            $id = DB::getPdo()->lastInsertId();
+            if ($id) {
+                return $id;
+            } else {
+                return false;
+            }
+        }
+    }
 
+    protected function update_one($sql)
+    {
         $ret = $this->db->update($sql);
 
-        if (!$ret){
-		    return false;
-        }else {
-		    return true;
+        if (!$ret) {
+            return false;
+        } else {
+            return true;
         }
-	}
+    }
 
     protected function delete($sql, array $params = [])
     {
         return $this->db->delete($sql, $params);
     }
 
-    protected function execute ($sql, array $params = []) {
-		//$res = $this->db->select($sql, $params);
-		$this->db->insert($sql, $params);
-	}
+    protected function execute($sql, array $params = [])
+    {
+        //$res = $this->db->select($sql, $params);
+        $this->db->insert($sql, $params);
+    }
 
-    protected function escape ($string) {
-		return $string;
-	}
+    protected function escape($string)
+    {
+        return $this->db->getPdo()->quote($string);
+        //return $string;
+    }
 }
diff --git a/src/Admin/Models/statictext.php b/src/Admin/Models/statictext.php
@@ -2,73 +2,75 @@
 
 namespace Omatech\Editora\Admin\Models;
 
-class statictext extends Model 
+class statictext extends Model
 {
-
-
-
-	public function get_static_text_keys(){
-		$sql = 'select distinct text_key from omp_static_text;';
+    public function get_static_text_keys()
+    {
+        $sql = 'select distinct text_key from omp_static_text;';
         $result = parent::get_data($sql);
-		$statictext = array();
-		foreach($result as $item){
-			array_push($statictext, $item['text_key']);
-		}
-		return $statictext;
-	}
-
-
-	public function get_static_text_lang($lang){
-		$sql = 'select * from omp_static_text where language="'.$lang.'";';
-		$result = parent::get_data($sql);
-		$messages = array();
-
-		if($result){
-			foreach($result as $item){
-				array_push($messages, $item);
-			}	
-		}
-
-		return $messages;
-	}
+        $statictext = array();
+        foreach ($result as $item) {
+            array_push($statictext, $item['text_key']);
+        }
+        return $statictext;
+    }
+
+
+    public function get_static_text_lang($lang)
+    {
+        $sql = 'select * from omp_static_text where language="'.$lang.'";';
+        $result = parent::get_data($sql);
+        $messages = array();
+
+        if ($result) {
+            foreach ($result as $item) {
+                array_push($messages, $item);
+            }
+        }
+
+        return $messages;
+    }
 
-	public function get_one_static_text($key, $lang){
-		$sql = 'select * from omp_static_text where language="'.$lang.'" and text_key="'.$key.'"';
-
-		$ret = parent::get_one($sql);
-        if(!$ret){
-	        return null;
-	    }else{
-		    return $ret;
-	    }
-	}
-
-	public function get_static_text_languages(){
-		$sql = "select distinct language from omp_attributes where language not in ('ALL');";
-		$result = parent::get_data($sql);
-
-		$langs = array();
-		foreach($result as $item){
-			$langs[$item['language']] = $item['language'];
-		}
-		return $langs;
-	}
-
-	public function set_static_text($values, $key){
-		$langs = $this->get_static_text_languages();
-		foreach($langs as $lang){
-			$val = $values['lang_'.$lang];
-			if($this->get_one_static_text($key, $lang)!=null){
-				$sql = 'UPDATE omp_static_text SET text_value = "'.parent::escape($values['lang_'.$lang]).'"
+    public function get_one_static_text($key, $lang)
+    {
+        $sql = 'select * from omp_static_text where language="'.$lang.'" and text_key="'.$key.'"';
+
+        $ret = parent::get_one($sql);
+        if (!$ret) {
+            return null;
+        } else {
+            return $ret;
+        }
+    }
+
+    public function get_static_text_languages()
+    {
+        $sql = "select distinct language from omp_attributes where language not in ('ALL');";
+        $result = parent::get_data($sql);
+
+        $langs = array();
+        foreach ($result as $item) {
+            $langs[$item['language']] = $item['language'];
+        }
+        return $langs;
+    }
+
+    public function set_static_text($values, $key)
+    {
+        $langs = $this->get_static_text_languages();
+        foreach ($langs as $lang) {
+            $val = $values['lang_'.$lang];
+            if ($this->get_one_static_text($key, $lang)!=null) {
+                $sql = 'UPDATE omp_static_text SET text_value = '.parent::escape($values['lang_'.$lang]).'
 					 WHERE text_key="'.$key.'" AND language = "'.$lang.'" ;';
-					parent::update_one($sql);
-					echo($sql);
-			}else{
-				$sql = 'INSERT INTO omp_static_text (text_key, language, text_value) 
-					VALUES ("'.$key.'", "'.$lang.'", "'.parent::escape($val).'" );';
-					parent::insert_one($sql);
-			}
-		}
-		return true;
-	}
+                parent::update_one($sql);
+                echo($sql);
+            } else {
+                $sql = 'INSERT INTO omp_static_text (text_key, language, text_value) 
+					VALUES ("'.$key.'", "'.$lang.'", '.parent::escape($val).' );';
+                parent::insert_one($sql);
+            }
+        }
+        return true;
+    }
 }