
Commit 17eaf1d

DbWrap::updateManyToMany secured and fixed
1 parent f5c8f38 commit 17eaf1d


1 file changed

+20
-15
lines changed


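--- a/src/DbWrap.php
+++ b/src/DbWrap.php
@@ -377,8 +377,8 @@ public function iterateQuery($query, array $parameters = null, $batchSize = 500)
 * @param string $table
 * @param string $owningColumnName
 * @param string $inverseColumnName
-* @param int $owningID
-* @param int[] $inverseIDs
+* @param mixed $owningID
+* @param array $inverseIDs
 */
 public function updateManyToMany($table, $owningColumnName, $inverseColumnName, $owningID, array $inverseIDs)
 {
@@ -394,30 +394,35 @@ public function updateManyToMany($table, $owningColumnName, $inverseColumnName,
 {
 throw new InvalidArgumentException('Parameter $inverseColumnName cannot be NULL, empty string ("") or only white-space characters.');
 }
-if (!Scalars::tryParse($owningID, $owningID, Scalars::INTEGER))
-{
-throw new InvalidArgumentException('Parameter $owningID has to be an integer.');
-}
-if (empty($inverseIDs))
-{
-throw new InvalidArgumentException('Parameter $inverseIDs has to be non-empty array containing integer values.');
-}
-$originalInverseIDs = Arrays::select($this->fetchAll("SELECT $inverseColumnName FROM $table WHERE $owningColumnName = $owningID"), "[$inverseColumnName]");
+$originalInverseIDs = $this->fetchAll("SELECT $inverseColumnName FROM $table WHERE $owningColumnName = :owningId", ["owningId" => $owningID]);
+$originalInverseIDs = Arrays::select($originalInverseIDs, "[$inverseColumnName]");
 $IDsToDelete = array_diff($originalInverseIDs, $inverseIDs);
-$IDsToAdd = array_merge($inverseIDs, $originalInverseIDs);
+$IDsToAdd = array_diff($inverseIDs, $originalInverseIDs);
 $query = "START TRANSACTION;";
+$parameters = ["owningId" => $owningID];
 if (!empty($IDsToDelete))
 {
-$query .= "DELETE FROM $table WHERE $owningColumnName = $owningID AND $inverseColumnName IN (" . Strings::join($IDsToDelete, ",") . ");";
+$query .= "DELETE FROM $table WHERE $owningColumnName = :owningId AND $inverseColumnName IN (";
+$i = 0;
+foreach ($IDsToDelete as $deleteID)
+{
+$query .= ":inverseId_delete_$i, ";
+$parameters["inverseId_delete_$i"] = $deleteID;
+$i++;
+}
+$query = Strings::remove($query, Strings::length($query) - 2) . ");";
 }
 if (!empty($IDsToAdd))
 {
+$i = 0;
 foreach ($IDsToAdd as $inverseID)
 {
-$query .= "INSERT INTO $table ($owningColumnName, $inverseColumnName) VALUES ($owningID, $inverseID);";
+$query .= "INSERT INTO $table ($owningColumnName, $inverseColumnName) VALUES (:owningId, :inverseId_insert_$i);";
+$parameters["inverseId_insert_$i"] = $inverseID;
+$i++;
 }
 }
-$query = "COMMIT;";
+$query .= "COMMIT;";
 if (!empty($IDsToDelete) || !empty($IDsToAdd))
 {
 $this->executeNonQuery($query);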
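Review bot: The `$parameters` array built throughout the second hunk is never handed to the database — the unchanged last line still reads `$this->executeNonQuery($query);`, so `:owningId` and the `:inverseId_*` markers stay unbound unless `executeNonQuery` picks parameters up from somewhere not visible here; it should be `$this->executeNonQuery($query, $parameters);`, mirroring the `fetchAll($sql, $params)` call at the top of the hunk and the `iterateQuery($query, array $parameters = null, …)` signature in the hunk header. Binding the values also does not cover `$table`, `$owningColumnName` and `$inverseColumnName`, which are still interpolated verbatim into the SELECT, DELETE and INSERT text with only the empty/whitespace guard above them, so a caller that takes a column name from request data can still inject; reject anything that is not a plain identifier, e.g. `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $inverseColumnName)) throw new InvalidArgumentException('Parameter $inverseColumnName must be a plain SQL identifier.');` for each of the three, or quote them with the driver's identifier quoting. Reusing the same `:owningId` marker across several statements of one `START TRANSACTION; … COMMIT;` string, with no ROLLBACK path on failure, only works on drivers that emulate prepares and accept multi-statement batches (PDO with native prepares rejects a repeated named marker), so either use a distinct marker per statement and let the wrapper manage begin/commit/rollback, or confirm the driver configuration this relies on. Dropping the `empty($inverseIDs)` check silently changes the contract — an empty array now deletes every link of `$owningID` — and duplicates in `$inverseIDs` yield duplicate INSERTs; document this in the docblock, `@param array $inverseIDs Complete desired set of inverse IDs; an empty array removes all links`, and pass the input through `array_unique` before the `array_diff`. The method body continues past the end of both hunks.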
