Converted misc to prepared statements (#38 #214 #196)

This commit is contained in:
Tobias Reich 2014-08-29 21:25:41 +02:00
parent 606334fb62
commit 1be2789023

View File

@ -16,7 +16,8 @@ function search($database, $settings, $term) {
$return['albums'] = ''; $return['albums'] = '';
// Photos // Photos
$result = $database->query("SELECT id, title, tags, public, star, album, thumbUrl FROM lychee_photos WHERE title like '%$term%' OR description like '%$term%' OR tags like '%$term%';"); $query = Database::prepare($database, "SELECT id, title, tags, public, star, album, thumbUrl FROM ? WHERE title LIKE '%?%' OR description LIKE '%%' OR tags LIKE '%?%'", [LYCHEE_TABLE_PHOTOS, $term, $term, $term]);
$result = $database->query($query);
while($row = $result->fetch_assoc()) { while($row = $result->fetch_assoc()) {
$return['photos'][$row['id']] = $row; $return['photos'][$row['id']] = $row;
$return['photos'][$row['id']]['thumbUrl'] = LYCHEE_URL_UPLOADS_THUMB . $row['thumbUrl']; $return['photos'][$row['id']]['thumbUrl'] = LYCHEE_URL_UPLOADS_THUMB . $row['thumbUrl'];
@ -24,7 +25,8 @@ function search($database, $settings, $term) {
} }
// Albums // Albums
$result = $database->query("SELECT id, title, public, sysstamp, password FROM lychee_albums WHERE title like '%$term%' OR description like '%$term%';"); $query = Database::prepare($database, "SELECT id, title, public, sysstamp, password FROM ? WHERE title LIKE '%?%' OR description LIKE '%?%'", [LYCHEE_TABLE_ALBUMS, $term, $term]);
$result = $database->query($query);
$i = 0; $i = 0;
while($row = $result->fetch_object()) { while($row = $result->fetch_object()) {
@ -36,7 +38,8 @@ function search($database, $settings, $term) {
$return['albums'][$row->id]['password'] = ($row->password=='' ? false : true); $return['albums'][$row->id]['password'] = ($row->password=='' ? false : true);
// Thumbs // Thumbs
$result2 = $database->query("SELECT thumbUrl FROM lychee_photos WHERE album = '" . $row->id . "' " . $settings['sorting'] . " LIMIT 0, 3;"); $query = Database::prepare($database, "SELECT thumbUrl FROM ? WHERE album = '?' " . $settings['sorting'] . " LIMIT 0, 3", [LYCHEE_TABLE_PHOTOS, $row->id]);
$result2 = $database->query($query);
$k = 0; $k = 0;
while($row2 = $result2->fetch_object()){ while($row2 = $result2->fetch_object()){
$return['albums'][$row->id]["thumb$k"] = LYCHEE_URL_UPLOADS_THUMB . $row2->thumbUrl; $return['albums'][$row->id]["thumb$k"] = LYCHEE_URL_UPLOADS_THUMB . $row2->thumbUrl;
@ -55,9 +58,8 @@ function getGraphHeader($database, $photoID) {
if (!isset($database, $photoID)) return false; if (!isset($database, $photoID)) return false;
$photoID = mysqli_real_escape_string($database, $photoID); $query = Database::prepare($database, "SELECT title, description, url FROM ? WHERE id = '?'", [LYCHEE_TABLE_PHOTOS, $photoID]);
$result = $database->query($query);
$result = $database->query("SELECT title, description, url FROM lychee_photos WHERE id = '$photoID';");
$row = $result->fetch_object(); $row = $result->fetch_object();
$parseUrl = parse_url("http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']); $parseUrl = parse_url("http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);