public function save(Post $post) { $title = $post->getTitle(); $author = $post->getAuthor(); $content = $post->getContent(); $date = $post->getDate(); $payed = $post->isPayedPost(); $answered = $post->isAnswered(); // Can't update posts if ($post->getPostId() !== null) { return; } $stmt = $this->pdo->prepare("INSERT INTO posts (title, author, content, date, ispayedpost, isanswered) VALUES (?, ?, ?, ?, ?, ?)"); $stmt->execute(array($title, $author, $content, $date, $payed, $answered)); return $this->pdo->lastInsertId(); }
public function save(Post $post) { //VULN: SQL-Injection via postId variable (G21_0018) // I believe this is fixed if ($post->getPostId() === null) { $query = "INSERT INTO posts (title, author, content, date, pay, lock_user, lock_tstamp) " . "VALUES (:title, :author, :content, :date, :pay, '', 0)"; $stmt = $this->db->prepare($query); $title = $post->getTitle(); $author = $post->getAuthor(); $content = $post->getContent(); $date = $post->getDate(); $pay = $post->getPay(); $stmt->bindParam(':title', $title); $stmt->bindParam(':author', $author); $stmt->bindParam(':content', $content); $stmt->bindParam(':date', $date); $stmt->bindParam(':pay', $pay); $stmt->execute(); } return $this->db->lastInsertId(); //Bad-Practice: No erro check if insertion worked }
public function saveExistingPost(Post $post) { $postId = $post->getPostId(); $isAnsweredByDoctor = $post->getDoctor(); $stmt = $this->db->prepare("UPDATE posts " . "SET isAnsweredByDoctor=:isAnsweredByDoctor WHERE postId=:postId"); $stmt->execute([':postId' => $postId, ':isAnsweredByDoctor' => $isAnsweredByDoctor]); }