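/**
 * Handles the "create post" form submission.
 *
 * Guests are sent to the login page. For logged-in users the submitted
 * fields are validated; on success the post is stored, the author's balance
 * is debited when the post is flagged as paid, and the browser is redirected
 * to the new post. On validation failure the form is re-rendered with the
 * collected error messages.
 *
 * Each branch ends with an explicit return so the error-rendering path does
 * not depend on redirect() halting the request (which would otherwise leave
 * $validation undefined in the guest branch).
 */
public function create()
{
    if ($this->auth->guest()) {
        $this->app->flash("info", "You must be logged on to create a post");
        $this->app->redirect("/login");
        return;
    }

    $request = $this->app->request;
    $title = $request->post('title');
    $content = $request->post('content');
    $author = $_SESSION['user'];
    $date = date("dmY");
    $paydoc = $request->post('paydoc');
    // Amount applied to the author's balance for a paid post (negative = debit).
    $price = -10;

    $validation = new PostValidation($title, $author, $content, $paydoc);
    if ($validation->isGoodToGo()) {
        $post = new Post();
        $post->setAuthor($author);
        $post->setTitle($title);
        $post->setContent($content);
        $post->setDate($date);
        $post->setPayDoc($paydoc);

        // 'paydoc' is client-supplied and gates the debit. PostValidation is
        // handed the value above; whether it constrains it is not visible from
        // here — confirm. Note the debit and the save are not one transaction:
        // a failing save() still leaves the balance changed.
        if ($paydoc != 0) {
            $this->userRepository->updateBalance($author, $price);
        }

        $savedPost = $this->postRepository->save($post);
        // Stray '"' removed from the msg parameter so the query string matches
        // the other controllers' '?msg=Post ...' form.
        $this->app->redirect('/posts/' . $savedPost . '?msg=Post succesfully posted');
        return;
    }

    // Validation failed: show the errors on the form.
    $this->app->flashNow('error', join('<br>', $validation->getValidationErrors()));
    $this->app->render('createpost.twig');
}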
/**
 * Persists a new post and returns the id assigned by the database.
 *
 * A post that already carries an id is not updated here: the call is a
 * no-op and returns null.
 *
 * @return string|null PDO::lastInsertId() of the new row, or null when the
 *                     post already existed.
 */
public function save(Post $post)
{
    // Can't update posts
    if ($post->getPostId() !== null) {
        return;
    }

    $values = [
        $post->getTitle(),
        $post->getAuthor(),
        $post->getContent(),
        $post->getDate(),
        $post->isPayedPost(),
        $post->isAnswered(),
    ];

    // All values travel as bound placeholders, never inside the SQL text.
    // execute()'s result is not inspected; a failure is only surfaced if the
    // PDO connection is configured to throw (not visible from here — confirm).
    $stmt = $this->pdo->prepare("INSERT INTO posts (title, author, content, date, ispayedpost, isanswered) VALUES (?, ?, ?, ?, ?, ?)");
    $stmt->execute($values);

    return $this->pdo->lastInsertId();
}
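/**
 * Inserts a new post row and returns the id assigned by the database.
 *
 * @return string PDO::lastInsertId() of the inserted row.
 * @throws \RuntimeException when the statement cannot be prepared or executed;
 *                           the original PDOException is attached as previous.
 */
public function save(Post $post)
{
    $query = "INSERT INTO posts (title, author, content, date, paydoc) VALUES (:title, :author, :content, :date, :paydoc)";
    $query_params = [
        ':title' => $post->getTitle(),
        ':author' => $post->getAuthor(),
        ':content' => $post->getContent(),
        ':date' => $post->getDate(),
        ':paydoc' => $post->getPayDoc(),
    ];

    try {
        $stmt = $this->db->prepare($query);
        $stmt->execute($query_params);
        return $this->db->lastInsertId();
    } catch (PDOException $ex) {
        // Previously die()'d with the driver message, which both terminates
        // the request mid-way and exposes table/connection details to the
        // client. Raise a generic error instead and keep the cause attached
        // for server-side logging.
        throw new \RuntimeException('Failed to save post', 0, $ex);
    }
}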
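/**
 * Inserts the post when it has no id yet and returns the id of the stored row.
 *
 * Existing posts are not modified here. For those the post's own id is
 * returned rather than PDO::lastInsertId(), which in that case would refer to
 * whatever row was inserted last on this connection (or "0").
 *
 * @return string|int Row id of the post.
 * @throws \RuntimeException when the INSERT does not execute successfully.
 */
public function save(Post $post)
{
    //VULN: SQL-Injection via postId variable (G21_0018)
    // I believe this is fixed
    if ($post->getPostId() !== null) {
        return $post->getPostId();
    }

    // lock_user / lock_tstamp are fixed literals; every post-derived value is
    // passed as a bound parameter, never concatenated into the SQL text.
    $query = "INSERT INTO posts (title, author, content, date, pay, lock_user, lock_tstamp) "
        . "VALUES (:title, :author, :content, :date, :pay, '', 0)";
    $stmt = $this->db->prepare($query);

    $stmt->bindValue(':title', $post->getTitle());
    $stmt->bindValue(':author', $post->getAuthor());
    $stmt->bindValue(':content', $post->getContent());
    $stmt->bindValue(':date', $post->getDate());
    $stmt->bindValue(':pay', $post->getPay());

    // Previously the result of execute() was ignored; with a PDO connection in
    // silent error mode the caller would receive a meaningless id.
    if ($stmt->execute() === false) {
        throw new \RuntimeException('Failed to insert post');
    }

    return $this->db->lastInsertId();
}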
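/**
 * Handles the "create post" form submission.
 *
 * Requires an authenticated user and a CSRF token matching the one in the
 * session. After validation the post is stored (paying users are charged the
 * doctor-visibility fee first) and the browser is redirected to it; on
 * validation failure the form is re-rendered with the error messages.
 *
 * Every redirecting branch returns explicitly so post creation cannot
 * continue after a failed CSRF check, regardless of whether redirect()
 * halts the request.
 */
public function create()
{
    if (!$this->auth->check()) {
        $this->app->flash("info", "You must be logged on to create a post");
        $this->app->redirect("/login");
        return;
    }

    // CSRF: a missing or non-string token counts as a mismatch instead of
    // reading an undefined index; hash_equals() keeps the comparison
    // constant-time. An empty session token never matches.
    $submittedToken = isset($_POST['csrf_token']) && is_string($_POST['csrf_token'])
        ? $_POST['csrf_token']
        : '';
    $sessionToken = isset($_SESSION['csrf_token']) && is_string($_SESSION['csrf_token'])
        ? $_SESSION['csrf_token']
        : '';
    if ($sessionToken === '' || !hash_equals($sessionToken, $submittedToken)) {
        $this->app->flash("info", "Something went wrong. Please reload the page and try again.");
        $this->app->redirect("/posts/new");
        return;
    }

    $request = $this->app->request;
    $title = $request->post('title');
    $content = $request->post('content');
    $author = $_SESSION['user'];
    $date = date("dmY");

    $validation = new PostValidation($author, $title, $content);
    if ($validation->isGoodToGo()) {
        $currentUser = $this->auth->user();
        if ($this->userRepository->getIsPaying($author) == 1) {
            //Pay $3 for doctorvisibility
            // Charged before save(); the two are not one transaction.
            $this->userRepository->saveSpendings($currentUser, 3);
        }

        $post = new Post();
        $post->setAuthor($author);
        $post->setTitle($title);
        $post->setContent($content);
        $post->setDate($date);
        $post->setDoctor(0);

        $savedPost = $this->postRepository->save($post);
        $this->app->redirect('/posts/' . $savedPost . '?msg=Post successfully posted');
        return;
    }

    $this->app->flashNow('error', join('<br>', $validation->getValidationErrors()));
    $this->app->render('createpost.twig');
}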
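/**
 * Handles the "create post" form submission.
 *
 * Guests are sent to the login page. For a logged-in user the submitted
 * fields and CSRF token are validated (a paid post additionally requires the
 * user to have a bank card on file); on success the post is stored and the
 * browser is redirected to it, otherwise the errors are flashed and the user
 * is sent back to the form.
 *
 * Each branch ends with an explicit return so the error path only runs on
 * validation failure and never touches an undefined $validation.
 */
public function create()
{
    if ($this->auth->guest()) {
        $this->app->flash("info", "You must be logged in to create a post");
        $this->app->redirect("/login");
        return;
    }

    $request = $this->app->request;
    $title = $request->post('title');
    $content = $request->post('content');
    $token = $request->post('csrf_token');
    $payed = $request->post('ispayedpost');
    $author = $this->auth->user()->getUsername(); // Username of logged in user
    $date = date("dmY");

    // A paid post needs a bank card on the account; the flag itself is
    // client-supplied, so the validator is told when that precondition fails.
    $missingBankAccountWhenNeeded = $payed == '1' && $this->auth->user()->getBankcard() == '';

    $validation = new PostValidation($title, $author, $content, $token, $missingBankAccountWhenNeeded);
    if ($validation->isGoodToGo()) {
        $post = new Post();
        $post->setAuthor($author);
        $post->setTitle($title);
        $post->setContent($content);
        $post->setDate($date);
        $post->setIsPayedPost($payed);

        $savedPost = $this->postRepository->save($post);
        $this->app->redirect('/posts/' . $savedPost . '?msg=Post succesfully posted');
        return;
    }

    // Validation failed: flash the errors and return to the form.
    $this->app->flash('error', join('<br>', $validation->getValidationErrors()));
    $this->app->redirect('/posts/new'); // RENDER HERE
}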
/**
 * Updates the doctor-answered flag of an already stored post.
 *
 * Only the isAnsweredByDoctor column is written, selected by the post's id;
 * both values are passed as bound parameters.
 */
public function saveExistingPost(Post $post)
{
    $sql = "UPDATE posts SET isAnsweredByDoctor=:isAnsweredByDoctor WHERE postId=:postId";
    $params = [
        ':postId' => $post->getPostId(),
        ':isAnsweredByDoctor' => $post->getDoctor(),
    ];

    $this->db->prepare($sql)->execute($params);
}
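/**
 * Handles the "create post" form submission.
 *
 * Guests are sent to the login page and doctor accounts are not allowed to
 * post. For other users the submitted fields and CSRF token are validated;
 * on success the post is stored and the browser is redirected to it, on
 * failure the form is re-rendered with the error messages.
 *
 * Each redirecting branch returns explicitly, so the error-rendering path
 * runs only after a failed validation and never with $validation undefined.
 */
public function create()
{
    if ($this->auth->guest()) {
        $this->app->flash("info", "You must be logged on to create a post");
        $this->app->redirect("/login");
        return;
    }

    // Looked up once and reused for the doctor check and the form render.
    $username = $_SESSION['user'];
    $user = $this->userRepository->findByUser($username);
    if ($user->isDoctor()) {
        $this->app->flash("info", "Doctors cannot create posts");
        $this->app->redirect("/posts");
        return;
    }

    $request = $this->app->request;
    $title = $request->post('title');
    $content = $request->post('content');
    $pay = $request->post('pay');
    $author = $username;
    $date = date("dmY");

    $validation = new PostValidation($author, $title, $content, $request->post('csrftoken'));
    if ($validation->isGoodToGo()) {
        $post = new Post();
        $post->setAuthor($author);
        $post->setTitle($title);
        $post->setContent($content);
        $post->setDate($date);
        $post->setPay($pay);

        $savedPost = $this->postRepository->save($post);
        $this->app->flash('info', 'Post succesfully posted');
        $this->app->redirect('/posts/' . $savedPost);
        return;
    }

    // Validation failed: re-render the form with the errors.
    $this->app->flashNow('error', join("\n", $validation->getValidationErrors()));
    $this->render('createpost.twig', ['user' => $user]);
}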