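/**
 * Persist a new comment and, when it is flagged as answered-by-doctor, credit the author once.
 *
 * A comment without an id is inserted; a comment that already has an id is left untouched
 * (this method performs no UPDATE on the comments table). When the comment carries the
 * answered-by-doctor flag, the post's `ansbydoc` column is read first and the author is credited
 * only if the post has not been answered before; the column is then set so a re-save of the same
 * comment, or a second answer, cannot pay the author again. The check-then-set is not atomic on
 * its own — TODO confirm whether the database layer serialises concurrent saves for one post.
 *
 * @return int Always 1, kept for existing callers.
 * @throws \RuntimeException when a query fails. The driver message stays in the previous
 *                           exception and is no longer written straight into the response.
 */
public function save(Comment $comment): int
{
    $author = $comment->getAuthor();
    $text = $comment->getText();
    $date = (string) $comment->getDate();
    $postid = $comment->getPost();
    $ansdoc = $comment->getAnsDoc();

    // Amount credited to the author for a doctor's answer — TODO confirm against product rules.
    $price = 7;

    try {
        if ($comment->getCommentId() === null) {
            $stmt = $this->db->prepare(
                'INSERT INTO comments (author, text, date, ansdoc, belongs_to_post) '
                . 'VALUES (:author, :text, :date, :ansdoc, :postid)'
            );
            // Named placeholders keep the user-supplied author/text out of the SQL string.
            $stmt->execute([
                ':author' => $author,
                ':text' => $text,
                ':date' => $date,
                ':ansdoc' => $ansdoc,
                ':postid' => $postid,
            ]);
        }

        // The flag may arrive as int or numeric string; normalise instead of relying on `==`.
        if ((int) $ansdoc === 1) {
            $stmt = $this->db->prepare('SELECT ansbydoc FROM posts WHERE postId = :postid');
            $stmt->execute([':postid' => $postid]);
            $ansbydoc = $stmt->fetchColumn();

            // No row means the post does not exist: nothing to mark and nothing to pay.
            // A truthy flag means a doctor already answered: do not credit a second time.
            if ($ansbydoc !== false && !(bool) $ansbydoc) {
                $this->userRepository->updateBalance($author, $price);

                $stmt = $this->db->prepare('UPDATE posts SET ansbydoc = 1 WHERE postId = :postid');
                $stmt->execute([':postid' => $postid]);
            }
        }
    } catch (PDOException $ex) {
        // Keep the driver detail for logs/handlers; do not echo it to the client.
        throw new \RuntimeException('Failed to run query', 0, $ex);
    }

    return 1;
}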
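/**
 * Insert a comment that has no id yet.
 *
 * A comment that already carries an id is left untouched; this method never updates rows.
 *
 * @return string|false|null The id reported by PDO::lastInsertId() for the new row
 *                           (false if the driver cannot supply one); null when nothing was inserted.
 */
public function save(Comment $comment)
{
    // Existing comments are not re-saved here.
    if ($comment->getCommentId() !== null) {
        return null;
    }

    $stmt = $this->pdo->prepare(
        'INSERT INTO comments (author, text, date, belongs_to_post) VALUES (?, ?, ?, ?)'
    );
    // Positional placeholders keep the user-supplied author/text out of the SQL string.
    $stmt->execute([
        $comment->getAuthor(),
        $comment->getText(),
        (string) $comment->getDate(),
        $comment->getPost(),
    ]);

    return $this->pdo->lastInsertId();
}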
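/**
 * Insert a new comment through a prepared statement with bound values.
 *
 * SQL injection (G21_0018): the earlier string-built INSERT was replaced by prepare/bind,
 * so author and text never become part of the SQL text.
 * A comment that already has an id is left untouched; this method never updates rows.
 *
 * @return bool|null The result of PDOStatement::execute() for a new comment;
 *                   null when the comment already has an id and nothing was run.
 */
public function save(Comment $comment)
{
    // Existing comments are not re-saved here.
    if ($comment->getCommentId() !== null) {
        return null;
    }

    $stmt = $this->db->prepare(
        'INSERT INTO comments (author, text, date, belongs_to_post) '
        . 'VALUES (:author, :text, :date, :postid)'
    );

    // bindValue captures the value now; bindParam binds by reference and re-reads the
    // variable at execute() time, which the original did not need.
    $stmt->bindValue(':author', $comment->getAuthor());
    $stmt->bindValue(':text', $comment->getText());
    $stmt->bindValue(':date', (string) $comment->getDate());
    $stmt->bindValue(':postid', $comment->getPost());

    return $stmt->execute();
}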
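/**
 * Insert a new comment using a prepared statement.
 *
 * Only comments without an id are written; a comment that already has an id is left
 * untouched, and the method reports that explicitly instead of falling off the end.
 *
 * @return bool|null The result of PDOStatement::execute() for a new comment;
 *                   null when the comment already has an id and nothing was run.
 */
public function save(Comment $comment)
{
    // Existing comments are not re-saved here.
    if ($comment->getCommentId() !== null) {
        return null;
    }

    $author = $comment->getAuthor();
    $text = $comment->getText();
    $date = (string) $comment->getDate();
    $postid = $comment->getPost();

    $stmt = $this->db->prepare(
        'INSERT INTO comments (author, text, date, belongs_to_post) '
        . 'VALUES (:author, :text, :date, :postid)'
    );

    // Values are bound, not interpolated, so author/text cannot alter the statement.
    // bindValue snapshots each value; the by-reference bindParam is not needed here.
    $stmt->bindValue(':author', $author);
    $stmt->bindValue(':text', $text);
    $stmt->bindValue(':date', $date);
    $stmt->bindValue(':postid', $postid);

    return $stmt->execute();
}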