From 4f5065cf0ccc59c8c8465eac8c4f987ecbc68d18 Mon Sep 17 00:00:00 2001
From: Henning Leutz <leutz@pcsg.de>
Date: Thu, 7 Mar 2019 16:13:48 +0100
Subject: [PATCH] fix: QVE-12-2019-3 to -11

---
 composer.json                     |   2 +-
 lib/QUI/Projects/Media/Folder.php | 102 ++++++++++++++++++++----------
 2 files changed, 70 insertions(+), 34 deletions(-)

diff --git a/composer.json b/composer.json
index ea93eb8d..ddf653ac 100644
--- a/composer.json
+++ b/composer.json
@@ -2,7 +2,7 @@
   "name": "quiqqer/quiqqer",
   "type": "quiqqer-system",
   "description": "A modular based management system written in JavaScript and PHP",
-  "version": "1.2.9",
+  "version": "1.2.10",
   "license": "GPL-3.0+",
   "authors": [
     {
diff --git a/lib/QUI/Projects/Media/Folder.php b/lib/QUI/Projects/Media/Folder.php
index 1159fa16..b3fe0ce1 100644
--- a/lib/QUI/Projects/Media/Folder.php
+++ b/lib/QUI/Projects/Media/Folder.php
@@ -10,6 +10,7 @@ use QUI;
 use QUI\Projects\Media\Utils as MediaUtils;
 use QUI\Utils\System\File as FileUtils;
 use QUI\Utils\StringHelper as StringUtils;
+use QUI\Utils\Security\Orthos;
 
 /**
  * A media folder
@@ -596,45 +597,47 @@ class Folder extends Item implements QUI\Interfaces\Projects\Media\File
                 $order = 'name';
         }
 
+        $table     = Orthos::cleanupDatabaseFieldName($table);
+        $table_rel = Orthos::cleanupDatabaseFieldName($table_rel);
+
+        $table_parent = $table_rel.'.`parent`';
+        $table_child  = $table_rel.'.`child`';
+
+        $table_id     = $table.'.`id`';
+        $table_delete = $table.'.`deleted`';
+        $table_type   = $table.'.`type`';
+        $table_cDate  = $table.'.`c_date`';
+        $table_name   = $table.'.`name`';
+
+        $parentId = $this->getId();
+
         switch ($order) {
             case 'id':
             case 'id ASC':
-                $order_by
-                    = 'find_in_set('.$table.'.type, \'folder\') DESC, '.$table
-                      .'.id';
+                $order_by = "find_in_set({$table_type}, 'folder') DESC, {$table_id}";
                 break;
 
             case 'id DESC':
-                $order_by
-                    = 'find_in_set('.$table.'.type, \'folder\') DESC, '.$table
-                      .'.id DESC';
+                $order_by = "find_in_set({$table_type}, 'folder') DESC, {$table_id} DESC";
                 break;
 
             case 'c_date':
             case 'c_date ASC':
-                $order_by
-                    = 'find_in_set('.$table.'.type, \'folder\') DESC, '.$table
-                      .'.c_date';
+                $order_by = "find_in_set({$table_type}, 'folder') DESC, {$table_cDate}";
                 break;
 
             case 'c_date DESC':
-                $order_by
-                    = 'find_in_set('.$table.'.type, \'folder\') DESC, '.$table
-                      .'.c_date DESC';
+                $order_by = "find_in_set({$table_type}, 'folder') DESC, {$table_cDate} DESC";
                 break;
 
             case 'name ASC':
-                $order_by
-                    = 'find_in_set('.$table.'.type, \'folder\') ASC, '.$table
-                      .'.name';
+                $order_by = "find_in_set({$table_type}, 'folder') ASC, {$table_name}";
                 break;
 
             default:
             case 'name':
             case 'name DESC':
-                $order_by
-                    = 'find_in_set('.$table.'.type, \'folder\') DESC, '.$table
-                      .'.name';
+                $order_by = "find_in_set({$table_type}, 'folder') DESC, {$table_name}";
                 break;
 
             case 'priority':
@@ -643,26 +646,58 @@ class Folder extends Item implements QUI\Interfaces\Projects\Media\File
                 $order_by = $order;
         }
 
+        $limit = '';
+
         if (isset($params['limit'])) {
-            $query['limit'] = $params['limit'];
+            $limitParams = explode(',', $params['limit']);
+
+            if (count($limitParams) === 2) {
+                $limitParams[0] = (int)$limitParams[0];
+                $limitParams[1] = (int)$limitParams[1];
+
+                $limit = "LIMIT {$limitParams[0]}, {$limitParams[1]}";
+            } else {
+                $limitParams[0] = (int)$limitParams[0];
+                $limit          = "LIMIT {$limitParams[0]}";
+            }
         }
 
-        $query = [
-            'select' => 'id',
-            'from'   => [
-                $table,
-                $table_rel
-            ],
-            'where'  => [
-                $table_rel.'.parent' => $this->getId(),
-                $table_rel.'.child'  => '`'.$table.'.id`',
-                $table.'.deleted'    => 0
-            ],
-            'order'  => $order_by
-        ];
+        $query = "
+        
+        SELECT id
+        FROM {$table}, {$table_rel}
+        WHERE
+            {$table_parent} = {$parentId} AND
+            {$table_child}  = {$table_id} AND
+            {$table_delete} = 0
+        ORDER BY
+            {$order_by} {$limit}
+        ;
+        ";
+
+//        $query = [
+//            'select' => 'id',
+//            'from'   => [
+//                $table,
+//                $table_rel
+//            ],
+//            'where'  => [
+//                $table_rel.'.parent' => $this->getId(),
+//                $table_rel.'.child'  => '`'.$table.'.id`',
+//                $table.'.deleted'    => 0
+//            ],
+//            'order'  => $order_by
+//        ];
 
 
-        $fetch  = QUI::getDataBase()->fetch($query);
+        try {
+            $fetch = QUI::getDataBase()->fetchSQL($query);
+        } catch (QUI\Exception $Exception) {
+            QUI\System\Log::writeException($Exception);
+
+            return [];
+        }
+
         $result = [];
 
         foreach ($fetch as $entry) {
@@ -670,6 +705,7 @@ class Folder extends Item implements QUI\Interfaces\Projects\Media\File
         }
 
         return $result;
+
     }
 
     /**
-- 
GitLab