Refactor SQL queries: enforce parameterized bindings and consistent style

src/Controller/Admin/Asset/AssetHelperController.php

@@ -16,6 +16,8 @@
 
 namespace OpenDxp\Bundle\AdminBundle\Controller\Admin\Asset;
 
+use Doctrine\DBAL\ArrayParameterType;
+use Doctrine\DBAL\ParameterType;
 use Exception;
 use League\Flysystem\FilesystemException;
 use League\Flysystem\UnableToReadFile;
@@ -96,13 +98,14 @@ public function getSharedGridColumnConfigs(User $user, string $classId, ?string
         $userIds = [$user->getId()];
         // collect all roles
         $userIds = [...$userIds, ...$user->getRoles()];
-        $userIds = implode(',', $userIds);
 
-        $query = 'select distinct c1.id from gridconfigs c1, gridconfig_shares s
-                    where (c1.searchType = ' . $db->quote($searchType) . ' and ((c1.id = s.gridConfigId and s.sharedWithUserId IN (' . $userIds . '))) and c1.classId = ' . $db->quote($classId) . ')
-                            UNION distinct select c2.id from gridconfigs c2 where shareGlobally = 1 and c2.classId = '. $db->quote($classId) . '  and c2.ownerId != ' . $db->quote($user->getId());
-
-        $ids = $db->fetchFirstColumn($query);
+        $ids = $db->fetchFirstColumn(
+            'SELECT DISTINCT c1.id FROM gridconfigs c1, gridconfig_shares s
+                WHERE (c1.searchType = ? AND c1.id = s.gridConfigId AND s.sharedWithUserId IN (?) AND c1.classId = ?)
+            UNION DISTINCT SELECT c2.id FROM gridconfigs c2 WHERE shareGlobally = 1 AND c2.classId = ? AND c2.ownerId != ?',
+            [$searchType, $userIds, $classId, $classId, $user->getId()],
+            [ParameterType::STRING, ArrayParameterType::INTEGER, ParameterType::STRING, ParameterType::STRING, ParameterType::INTEGER]
+        );
 
         if ($ids) {
             $ids = implode(',', $ids);
@@ -202,27 +205,39 @@ private function doGetGridColumnConfig(array $params, bool $isDelete = false): a
             $savedGridConfig = GridConfig::getById((int) $requestedGridConfigId);
 
             if ($savedGridConfig) {
-                $shared = null;
-
-                try {
+                $shared = false;
+                if (!$this->getAdminUser()->isAdmin()) {
                     $userIds = [$this->getAdminUser()->getId()];
                     $userIds = [...$userIds, ...$this->getAdminUser()->getRoles()];
-                    $userIds = implode(',', $userIds);
-                    $shared = ($savedGridConfig->getOwnerId() !== $userId && $savedGridConfig->isShareGlobally()) || $db->fetchOne('select * from gridconfig_shares where sharedWithUserId IN (' . $userIds . ') and gridConfigId = ' . $savedGridConfig->getId());
-                } catch (Exception) {
-                    // fail silently?
-                }
+                    $isSharedGlobally = $savedGridConfig->getOwnerId() !== $userId && $savedGridConfig->isShareGlobally();
+
+                    $isSharedWithUser = (bool) $db->fetchOne(
+                        'SELECT 1 FROM gridconfig_shares WHERE sharedWithUserId IN (?) AND gridConfigId = ?',
+                        [$userIds, $savedGridConfig->getId()],
+                        [ArrayParameterType::INTEGER, ParameterType::INTEGER]
+                    );
+
+                    $shared = $isSharedGlobally || $isSharedWithUser;
 
-                if (!$shared && $savedGridConfig->getOwnerId() !== $this->getAdminUser()->getId()) {
-                    throw new Exception('You are neither the owner of this config nor it is shared with you');
+                    if (!$shared && $savedGridConfig->getOwnerId() !== $this->getAdminUser()->getId()) {
+                        throw new Exception('You are neither the owner of this config nor it is shared with you');
+                    }
                 }
+
                 $gridConfigId = $savedGridConfig->getId();
                 $gridConfig = $savedGridConfig->getConfig();
                 $gridConfig = json_decode($gridConfig, true);
-                $gridConfigName = $savedGridConfig->getName();
-                $gridConfigDescription = $savedGridConfig->getDescription();
+                $gridConfigName = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getName());
+                $gridConfigDescription = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getDescription());
                 $sharedGlobally = $savedGridConfig->isShareGlobally();
                 $setAsFavourite = $savedGridConfig->isSetAsFavourite();
+
+                foreach ($gridConfig['columns'] as &$column) {
+                    if (array_key_exists('isOperator', $column) && $column['isOperator']) {
+                        $colAttributes = &$column['fieldConfig']['attributes'];
+                        SecurityHelper::convertHtmlSpecialCharsArrayKeys($colAttributes, ['label', 'attribute', 'param1']);
+                    }
+                }
             }
         }
 
@@ -432,8 +447,11 @@ protected function getShareSettings(int $gridConfigId): array
         ];
 
         $db = Db::get();
-        $allShares = $db->fetchAllAssociative('select s.sharedWithUserId, u.type from gridconfig_shares s, users u
-                      where s.sharedWithUserId = u.id and s.gridConfigId = ' . $gridConfigId);
+        $allShares = $db->fetchAllAssociative(
+            'SELECT s.sharedWithUserId, u.type FROM gridconfig_shares s, users u
+                WHERE s.sharedWithUserId = u.id AND s.gridConfigId = ?',
+            [$gridConfigId]
+        );
 
         foreach ($allShares as $share) {
             $type = $share['type'];

src/Controller/Admin/DataObject/ClassController.php

@@ -1838,9 +1838,9 @@ public function getIconsAction(Request $request, EventDispatcherInterface $event
     public function suggestClassIdentifierAction(): Response
     {
         $db = Db::get();
-        $maxId = $db->fetchOne('SELECT MAX(CAST(id AS SIGNED)) FROM classes;');
+        $maxId = $db->fetchOne('SELECT MAX(CAST(id AS SIGNED)) FROM classes');
 
-        $existingIds = $db->fetchFirstColumn('select LOWER(id) from classes');
+        $existingIds = $db->fetchFirstColumn('SELECT LOWER(id) FROM classes');
 
         $result = [
             'suggestedIdentifier' => $maxId ? $maxId + 1 : 1,

src/Controller/Admin/DataObject/ClassificationstoreController.php

@@ -16,6 +16,7 @@
 
 namespace OpenDxp\Bundle\AdminBundle\Controller\Admin\DataObject;
 
+use Doctrine\DBAL\ArrayParameterType;
 use Exception;
 use OpenDxp\Bundle\AdminBundle\Controller\AdminAbstractController;
 use OpenDxp\Controller\KernelControllerEventInterface;
@@ -218,8 +219,11 @@ public function collectionsActionGet(Request $request): JsonResponse
 
             if ($allowedGroupIds) {
                 $db = \OpenDxp\Db::get();
-                $query = 'select * from classificationstore_collectionrelations where groupId in (' . implode(',', $allowedGroupIds) .')';
-                $relationList = $db->fetchAllAssociative($query);
+                $relationList = $db->fetchAllAssociative(
+                    'SELECT * FROM classificationstore_collectionrelations WHERE groupId IN (?)',
+                    [$allowedGroupIds],
+                    [ArrayParameterType::INTEGER]
+                );
 
                 foreach ($relationList as $item) {
                     $allowedCollectionIds[] = $item['colId'];
@@ -902,9 +906,12 @@ public function addCollectionsAction(Request $request): JsonResponse
         if ($ids) {
             $db = \OpenDxp\Db::get();
             $mappedData = [];
-            $groupsData = $db->fetchAllAssociative('select * from classificationstore_groups g, classificationstore_collectionrelations c where colId IN (:ids) and g.id = c.groupId', [
-                'ids' => implode(',', array_filter($ids, is_numeric(...))),
-            ]);
+            $groupsData = $db->fetchAllAssociative(
+                'SELECT * FROM classificationstore_groups g, classificationstore_collectionrelations c
+                    WHERE colId IN (?) AND g.id = c.groupId',
+                [array_values(array_filter($ids, is_numeric(...)))],
+                [ArrayParameterType::INTEGER]
+            );
 
             foreach ($groupsData as $groupData) {
                 $mappedData[$groupData['id']] = $groupData;
@@ -1434,7 +1441,7 @@ public function getPageAction(Request $request): JsonResponse
                   ) all_rows) item where id = ' .  $id . ';';
         }
 
-        $db->executeQuery('select @rownum := 0;');
+        $db->executeStatement('SET @rownum = 0');
         $result = $db->fetchAllAssociative($query);
 
         $page = (int) $result[0]['page'] ;

src/Controller/Admin/DataObject/DataObjectController.php

@@ -1204,8 +1204,7 @@ protected function reindexBasedOnSortOrder(DataObject\AbstractObject $parentObje
 
             $db = Db::get();
             $children = $db->fetchAllAssociative(
-                'SELECT id, modificationDate, versionCount FROM objects'
-                .' WHERE parentId = ? ORDER BY `index` ASC',
+                'SELECT id, modificationDate, versionCount FROM objects WHERE parentId = ? ORDER BY `index` ASC',
                 [$parentObject->getId()]
             );
             $index = 0;
@@ -1279,8 +1278,8 @@ protected function updateIndexesOfObjectSiblings(DataObject\AbstractObject $upda
             );
 
             $siblings = $db->fetchAllAssociative(
-                'SELECT id, modificationDate, versionCount, `key`, `index` FROM objects'
-                ." WHERE parentId = ? AND id != ? AND `type` IN ('object', 'variant','folder') ORDER BY `index` ASC",
+                'SELECT id, modificationDate, versionCount, `key`, `index` FROM objects
+                    WHERE parentId = ? AND id != ? AND `type` IN ("object", "variant", "folder") ORDER BY `index` ASC',
                 [$updatedObject->getParentId(), $updatedObject->getId()]
             );
             $index = 0;

src/Controller/Admin/DataObject/DataObjectHelperController.php

@@ -16,6 +16,8 @@
 
 namespace OpenDxp\Bundle\AdminBundle\Controller\Admin\DataObject;
 
+use Doctrine\DBAL\ArrayParameterType;
+use Doctrine\DBAL\ParameterType;
 use Exception;
 use InvalidArgumentException;
 use League\Flysystem\FilesystemException;
@@ -109,14 +111,15 @@ public function getSharedGridColumnConfigs(User $user, string $classId, ?string
         $userIds = [$user->getId()];
         // collect all roles
         $userIds = [...$userIds, ...$user->getRoles()];
-        $userIds = implode(',', $userIds);
         $db = Db::get();
 
-        $query = 'select distinct c1.id from gridconfigs c1, gridconfig_shares s
-                    where (c1.searchType = ' . $db->quote($searchType) . ' and ((c1.id = s.gridConfigId and s.sharedWithUserId IN (' . $userIds . '))) and c1.classId = ' . $db->quote($classId) . ')
-                            UNION distinct select c2.id from gridconfigs c2 where shareGlobally = 1 and c2.classId = '. $db->quote($classId) . '  and c2.ownerId != ' . $db->quote($user->getId());
-
-        $ids = $db->fetchFirstColumn($query);
+        $ids = $db->fetchFirstColumn(
+            'SELECT DISTINCT c1.id FROM gridconfigs c1, gridconfig_shares s
+                WHERE (c1.searchType = ? AND c1.id = s.gridConfigId AND s.sharedWithUserId IN (?) AND c1.classId = ?)
+            UNION DISTINCT SELECT c2.id FROM gridconfigs c2 WHERE shareGlobally = 1 AND c2.classId = ? AND c2.ownerId != ?',
+            [$searchType, $userIds, $classId, $classId, $user->getId()],
+            [ParameterType::STRING, ArrayParameterType::INTEGER, ParameterType::STRING, ParameterType::STRING, ParameterType::INTEGER]
+        );
 
         if ($ids) {
             $ids = implode(',', $ids);
@@ -307,9 +310,15 @@ private function doGetGridColumnConfig(Request $request, array $params, Config $
                 if (!$this->getAdminUser()->isAdmin()) {
                     $userIds = [$this->getAdminUser()->getId()];
                     $userIds = [...$userIds, ...$this->getAdminUser()->getRoles()];
-                    $userIds = implode(',', $userIds);
-                    $shared = ($savedGridConfig->getOwnerId() !== $userId && $savedGridConfig->isShareGlobally()) || $db->fetchOne('select 1 from gridconfig_shares where sharedWithUserId IN ('.$userIds.') and gridConfigId = '.$savedGridConfig->getId());
-                    //                  $shared = $savedGridConfig->isShareGlobally() || GridConfigShare::getByGridConfigAndSharedWithId($savedGridConfig->getId(), $this->getUser()->getId());
+                    $isSharedGlobally = $savedGridConfig->getOwnerId() !== $userId && $savedGridConfig->isShareGlobally();
+
+                    $isSharedWithUser = (bool) $db->fetchOne(
+                        'SELECT 1 FROM gridconfig_shares WHERE sharedWithUserId IN (?) AND gridConfigId = ?',
+                        [$userIds, $savedGridConfig->getId()],
+                        [ArrayParameterType::INTEGER, ParameterType::INTEGER]
+                    );
+
+                    $shared = $isSharedGlobally || $isSharedWithUser;
 
                     if (!$shared && $savedGridConfig->getOwnerId() !== $this->getAdminUser()->getId()) {
                         throw new Exception('You are neither the owner of this config nor it is shared with you');
@@ -381,7 +390,6 @@ private function doGetGridColumnConfig(Request $request, array $params, Config $
                         if (str_starts_with($key, '~')) {
                             // not needed for now
                             $type = $keyParts[1];
-                            //                            $field = $keyParts[2];
                             $groupAndKeyId = explode('-', $keyParts[3]);
                             $keyId = (int) $groupAndKeyId[1];
 
@@ -716,11 +724,10 @@ public function gridConfigApplyToAllAction(Request $request): JsonResponse
             $searchType = $request->request->get('searchType');
             $user = $this->getAdminUser();
             $db = Db::get();
-            $db->executeQuery('delete from gridconfig_favourites where '
-                . 'ownerId = ' . $user->getId()
-                . ' and classId = ' . $db->quote($classId) .
-                ' and searchType = ' . $db->quote($searchType)
-                . ' and objectId != ' . $objectId . ' and objectId != 0');
+            $db->executeStatement(
+                'DELETE FROM gridconfig_favourites WHERE ownerId = ? AND classId = ? AND searchType = ? AND objectId != ? AND objectId != 0',
+                [$user->getId(), $classId, $searchType, $objectId]
+            );
 
             return $this->adminJson(['success' => true]);
         }
@@ -766,12 +773,10 @@ public function gridMarkFavouriteColumnConfigAction(Request $request): JsonRespo
                     $favourite->save();
                 }
                 $db = Db::get();
-                $count = $db->fetchOne('select * from gridconfig_favourites where '
-                    . 'ownerId = ' . $user->getId()
-                    . ' and classId = ' . $db->quote($classId).
-                    ' and searchType = ' . $db->quote($searchType)
-                    . ' and objectId != ' . $objectId . ' and objectId != 0'
-                    . ' and `type` != ' . $db->quote($type));
+                $count = $db->fetchOne(
+                    'SELECT * FROM gridconfig_favourites WHERE ownerId = ? AND classId = ? AND searchType = ? AND objectId != ? AND objectId != 0 AND `type` != ?',
+                    [$user->getId(), $classId, $searchType, $objectId, $type]
+                );
                 $specializedConfigs = $count > 0;
             } catch (Exception) {
                 $favourite->delete();
@@ -791,8 +796,11 @@ protected function getShareSettings(int $gridConfigId): array
         ];
 
         $db = Db::get();
-        $allShares = $db->fetchAllAssociative('select s.sharedWithUserId, u.type from gridconfig_shares s, users u
-                      where s.sharedWithUserId = u.id and s.gridConfigId = ' . $gridConfigId);
+        $allShares = $db->fetchAllAssociative(
+            'SELECT s.sharedWithUserId, u.type FROM gridconfig_shares s, users u
+                WHERE s.sharedWithUserId = u.id AND s.gridConfigId = ?',
+            [$gridConfigId]
+        );
 
         foreach ($allShares as $share) {
             $type = $share['type'];

src/Controller/Admin/PortalController.php

@@ -293,9 +293,18 @@ public function portletModificationStatisticsAction(Request $request): JsonRespo
             $end = $startDate - ($i * 86400);
             $start = $end - 86399;
 
-            $o = $db->fetchOne('SELECT COUNT(*) AS count FROM objects WHERE modificationDate > '.$start . ' AND modificationDate < '.$end);
-            $a = $db->fetchOne('SELECT COUNT(*) AS count FROM assets WHERE modificationDate > '.$start . ' AND modificationDate < '.$end);
-            $d = $db->fetchOne('SELECT COUNT(*) AS count FROM documents WHERE modificationDate > '.$start . ' AND modificationDate < '.$end);
+            $o = $db->fetchOne(
+                'SELECT COUNT(*) AS count FROM objects WHERE modificationDate > ? AND modificationDate < ?',
+                [$start, $end]
+            );
+            $a = $db->fetchOne(
+                'SELECT COUNT(*) AS count FROM assets WHERE modificationDate > ? AND modificationDate < ?',
+                [$start, $end]
+            );
+            $d = $db->fetchOne(
+                'SELECT COUNT(*) AS count FROM documents WHERE modificationDate > ? AND modificationDate < ?',
+                [$start, $end]
+            );
 
             $date = new DateTime();
             $date->setTimestamp($start);

src/Controller/Admin/SettingsController.php

@@ -565,7 +565,7 @@ public function clearTemporaryFilesAction(EventDispatcherInterface $eventDispatc
 
         // public files
         Tool\Storage::get('thumbnail')->deleteDirectory('/');
-        Db::get()->executeQuery('TRUNCATE TABLE assets_image_thumbnail_cache');
+        Db::get()->executeStatement('TRUNCATE TABLE assets_image_thumbnail_cache');
 
         Tool\Storage::get('asset_cache')->deleteDirectory('/');
 
@@ -1199,12 +1199,11 @@ public function getAvailableAlgorithmsAction(Request $request): JsonResponse
     protected function deleteViews(string $language, string $dbName): void
     {
         $db = \OpenDxp\Db::get();
-        $views = $db->fetchAllAssociative('SHOW FULL TABLES IN ' . $db->quoteIdentifier($dbName) . " WHERE TABLE_TYPE LIKE 'VIEW'");
+        $views = $db->fetchAllAssociative(sprintf('SHOW FULL TABLES IN %s WHERE TABLE_TYPE LIKE "VIEW"', $db->quoteIdentifier($dbName)));
 
         foreach ($views as $view) {
             if (preg_match('/^object_localized_[0-9]+_' . $language . '$/', $view['Tables_in_' . $dbName])) {
-                $sql = 'DROP VIEW ' . $db->quoteIdentifier($view['Tables_in_' . $dbName]);
-                $db->executeQuery($sql);
+                $db->executeStatement(sprintf('DROP VIEW %s', $db->quoteIdentifier($view['Tables_in_' . $dbName])));
             }
         }
     }

src/DataObject/GridColumnConfig/Operator/RequiredBy.php

@@ -59,12 +59,12 @@ public function getLabeledValue(array|ElementInterface $element): stdClass
         }
 
         if ($this->getOnlyCount()) {
-            $query = 'select count(*) from dependencies where targettype = ? AND targetid = ?'. $typeCondition;
+            $query = 'SELECT COUNT(*) FROM dependencies WHERE targettype = ? AND targetid = ?' . $typeCondition;
             $count = $db->fetchOne($query, [Service::getElementType($element), $element->getId()]);
             $result->value = $count;
         } else {
             $resultList = [];
-            $query = 'select * from dependencies where targettype = ? AND targetid = ?'. $typeCondition;
+            $query = 'SELECT * FROM dependencies WHERE targettype = ? AND targetid = ?' . $typeCondition;
             $dependencies = $db->fetchAllAssociative($query, [Service::getElementType($element), $element->getId()]);
             foreach ($dependencies as $dependency) {
                 $sourceType = $dependency['sourcetype'];