public function save(Comment $comment)
 {
     $id = $comment->getCommentId();
     $author = $comment->getAuthor();
     $text = $comment->getText();
     $date = (string) $comment->getDate();
     $postid = $comment->getPost();
     $ansdoc = $comment->getAnsDoc();
     if ($comment->getCommentId() === null) {
         $query = "INSERT INTO comments (author, text, date, ansdoc, belongs_to_post) VALUES (:author, :text, :date, :ansdoc, :postid)";
         $query_params = array(':author' => $author, ':text' => $text, ':date' => $date, ':ansdoc' => $ansdoc, ':postid' => $postid);
         try {
             $stmt = $this->db->prepare($query);
             $stmt->execute($query_params);
         } catch (PDOException $ex) {
             die("Failed to run query: " . $ex->getMessage());
         }
     }
     if ($ansdoc == 1) {
         $query1 = "SELECT ansbydoc FROM posts WHERE postId= :postid";
         $price = 7;
         $query_params1 = array(':postid' => $postid);
         try {
             $stmt = $this->db->prepare($query1);
             $stmt->execute($query_params1);
             $rows = $stmt->fetchAll();
             //if (isset($rows)) {
             $this->userRepository->updateBalance($author, $price);
             //}
         } catch (PDOException $ex) {
             die("Failed to run query: " . $ex->getMessage());
         }
         $query = "UPDATE posts SET ansbydoc = 1 WHERE postId= :postid";
         $query_params = array(':postid' => $postid);
         try {
             $stmt = $this->db->prepare($query);
             $stmt->execute($query_params);
             return 1;
         } catch (PDOException $ex) {
             die("Failed to run query: " . $ex->getMessage());
         }
     }
     return 1;
     /*
     if ($comment->getCommentId() === null) {
         $query = "INSERT INTO comments (author, text, date, belongs_to_post) "
             . "VALUES ('$author', '$text', '$date', '$postid')";
         return $this->db->exec($query);
     }
     */
 }
Example #2
0
 public function save(Comment $comment)
 {
     $id = (int) $comment->getCommentId();
     $author = $comment->getAuthor();
     $text = $comment->getText();
     $date = (string) $comment->getDate();
     $postid = $comment->getPost();
     if ($comment->getCommentId() !== null) {
         return;
     }
     $stmt = $this->pdo->prepare("INSERT INTO comments (author, text, date, belongs_to_post) VALUES (?, ?, ?, ?)");
     $stmt->execute(array($author, $text, $date, $postid));
     return $this->pdo->lastInsertId();
 }
Example #3
0
 public function save(Comment $comment)
 {
     // SQL injection (G21_0018)
     // I believe this is fixed
     if ($comment->getCommentId() === null) {
         $query = "INSERT INTO comments (author, text, date, belongs_to_post) VALUES (:author, :text, :date, :postid)";
         $stmt = $this->db->prepare($query);
         $author = $comment->getAuthor();
         $text = $comment->getText();
         $date = (string) $comment->getDate();
         $postid = $comment->getPost();
         $stmt->bindParam(':author', $author);
         $stmt->bindParam(':text', $text);
         $stmt->bindParam(':date', $date);
         $stmt->bindparam(':postid', $postid);
         return $stmt->execute();
     }
 }
 public function save(Comment $comment)
 {
     $id = $comment->getCommentId();
     $author = $comment->getAuthor();
     $text = $comment->getText();
     $date = (string) $comment->getDate();
     $postid = $comment->getPost();
     if ($comment->getCommentId() === null) {
         // Prepare SQL statement
         $stmt = $this->db->prepare('INSERT INTO comments (author, text, date, belongs_to_post) ' . "VALUES (:author, :text, :date, :postid)");
         // Bind parameters to their respective values
         $stmt->bindParam(":author", $author);
         $stmt->bindParam(":text", $text);
         $stmt->bindParam(":date", $date);
         $stmt->bindParam(":postid", $postid);
         // Execute query
         return $stmt->execute();
     }
 }