public function save(Post $post)
{
$title = $post->getTitle();
$author = $post->getAuthor();
$content = $post->getContent();
$date = $post->getDate();
$payed = $post->isPayedPost();
$answered = $post->isAnswered();
// Can't update posts
if ($post->getPostId() !== null) {
return;
}
$stmt = $this->pdo->prepare("INSERT INTO posts (title, author, content, date, ispayedpost, isanswered) VALUES (?, ?, ?, ?, ?, ?)");
$stmt->execute(array($title, $author, $content, $date, $payed, $answered));
return $this->pdo->lastInsertId();
}
public function save(Post $post)
{
//VULN: SQL-Injection via postId variable (G21_0018)
// I believe this is fixed
if ($post->getPostId() === null) {
$query = "INSERT INTO posts (title, author, content, date, pay, lock_user, lock_tstamp) " . "VALUES (:title, :author, :content, :date, :pay, '', 0)";
$stmt = $this->db->prepare($query);
$title = $post->getTitle();
$author = $post->getAuthor();
$content = $post->getContent();
$date = $post->getDate();
$pay = $post->getPay();
$stmt->bindParam(':title', $title);
$stmt->bindParam(':author', $author);
$stmt->bindParam(':content', $content);
$stmt->bindParam(':date', $date);
$stmt->bindParam(':pay', $pay);
$stmt->execute();
}
return $this->db->lastInsertId();
//Bad-Practice: No erro check if insertion worked
}
public function saveExistingPost(Post $post)
{
$postId = $post->getPostId();
$isAnsweredByDoctor = $post->getDoctor();
$stmt = $this->db->prepare("UPDATE posts " . "SET isAnsweredByDoctor=:isAnsweredByDoctor WHERE postId=:postId");
$stmt->execute([':postId' => $postId, ':isAnsweredByDoctor' => $isAnsweredByDoctor]);
}
