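/**
 * Persist a new post row and return the id the database assigned to it.
 *
 * Every post field is passed as a bound parameter, so nothing from $post is
 * spliced into the SQL text. Database failures are left to propagate as
 * PDOException instead of the previous die(): that call both aborted the
 * request and echoed the driver's error message (table and column names,
 * driver state) straight to the client.
 *
 * @return string|false  the value of PDO::lastInsertId()
 * @throws PDOException  when prepare() or execute() fails
 *                       (NOTE(review): assumes the connection uses
 *                       PDO::ERRMODE_EXCEPTION — confirm where $this->db is built)
 */
public function save(Post $post)
{
    $query = "INSERT INTO posts (title, author, content, date, paydoc) VALUES (:title, :author, :content, :date, :paydoc)";
    $params = [
        ':title' => $post->getTitle(),
        ':author' => $post->getAuthor(),
        ':content' => $post->getContent(),
        ':date' => $post->getDate(),
        ':paydoc' => $post->getPayDoc(),
    ];

    $stmt = $this->db->prepare($query);
    $stmt->execute($params);

    return $this->db->lastInsertId();
}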
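/**
 * Insert a new post and return the id assigned by the database.
 *
 * Posts that already carry an id are not updated here; the method returns
 * null for them without touching the database. The id check runs before
 * any getter so nothing is read from $post in that case.
 *
 * @return string|false|null  PDO::lastInsertId() for a new post, null for an existing one
 */
public function save(Post $post)
{
    // Can't update posts
    if ($post->getPostId() !== null) {
        return;
    }

    // NOTE(review): isPayedPost()/isAnswered() go straight into execute(),
    // which binds every value as a string, so a PHP false arrives as ''.
    // Confirm the ispayedpost/isanswered columns accept that, or cast to int.
    $values = [
        $post->getTitle(),
        $post->getAuthor(),
        $post->getContent(),
        $post->getDate(),
        $post->isPayedPost(),
        $post->isAnswered(),
    ];

    $stmt = $this->pdo->prepare(
        "INSERT INTO posts (title, author, content, date, ispayedpost, isanswered) VALUES (?, ?, ?, ?, ?, ?)"
    );
    // All six fields are bound parameters; the SQL text is a constant.
    $stmt->execute($values);

    return $this->pdo->lastInsertId();
}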
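/**
 * Insert $post as a new row, or leave it alone when it already has an id.
 *
 * Previously lastInsertId() was returned on both paths, so for an already
 * persisted post the caller received whatever id the connection last
 * inserted — unrelated to this post. The no-insert path now returns the
 * post's own id.
 *
 * @return string|false|mixed  PDO::lastInsertId() after an insert;
 *                             $post->getPostId() when nothing was written
 */
public function save(Post $post)
{
    if ($post->getPostId() !== null) {
        return $post->getPostId();
    }

    $stmt = $this->db->prepare(
        "INSERT INTO posts (title, author, content, date, isAnsweredByDoctor) "
        . "VALUES (:title, :author, :content, :date, :isAnsweredByDoctor);"
    );

    // Every user-supplied field travels as a bound value, never in the SQL text.
    $stmt->execute([
        ':title' => $post->getTitle(),
        ':author' => $post->getAuthor(),
        ':content' => $post->getContent(),
        ':date' => $post->getDate(),
        // NOTE(review): getDoctor() is written to the isAnsweredByDoctor column —
        // confirm it yields the flag that column expects rather than a doctor record.
        ':isAnsweredByDoctor' => $post->getDoctor(),
    ]);

    return $this->db->lastInsertId();
}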
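/**
 * Insert $post as a new row and return its id; a post that already has an
 * id is left untouched and its own id is returned.
 *
 * Finding G21_0018 (SQL injection via postId) does not apply to this path:
 * the id is never interpolated and every post field is a bound parameter,
 * while lock_user/lock_tstamp are fixed literals. What was still missing is
 * the error check: with PDO in its default silent mode prepare()/execute()
 * return false instead of throwing, so a failed insert used to fall through
 * and hand back a stale lastInsertId() as if it had succeeded.
 *
 * @return string|false|mixed  PDO::lastInsertId() after an insert;
 *                             $post->getPostId() when nothing was written
 * @throws \RuntimeException   when the statement cannot be prepared or executed
 */
public function save(Post $post)
{
    if ($post->getPostId() !== null) {
        return $post->getPostId();
    }

    $query = "INSERT INTO posts (title, author, content, date, pay, lock_user, lock_tstamp) "
        . "VALUES (:title, :author, :content, :date, :pay, '', 0)";
    $stmt = $this->db->prepare($query);
    if ($stmt === false) {
        // errorInfo() is [SQLSTATE, driver code, driver message]; implode tolerates nulls.
        throw new \RuntimeException('Failed to prepare post insert: ' . implode(' ', $this->db->errorInfo()));
    }

    $executed = $stmt->execute([
        ':title' => $post->getTitle(),
        ':author' => $post->getAuthor(),
        ':content' => $post->getContent(),
        ':date' => $post->getDate(),
        ':pay' => $post->getPay(),
    ]);
    if ($executed === false) {
        throw new \RuntimeException('Failed to insert post: ' . implode(' ', $stmt->errorInfo()));
    }

    return $this->db->lastInsertId();
}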