From 09beeb449e23605e34e54277b39afe8b3b430935 Mon Sep 17 00:00:00 2001 From: steve-lad <72376554+steve-lad@users.noreply.github.com> Date: Tue, 9 Feb 2021 12:31:06 +0100 Subject: [PATCH] Use bindParam on db executes Use bind param to have stricter typing Fix bug in Sccp-Manager where key and keyword were not the same --- Sccp_manager.class.php | 8 ++-- Sccp_manager.inc/dbinterface.class.php | 51 +++++++++++--------------- 2 files changed, 25 insertions(+), 34 deletions(-) diff --git a/Sccp_manager.class.php b/Sccp_manager.class.php index 6f63211..9e170ed 100644 --- a/Sccp_manager.class.php +++ b/Sccp_manager.class.php @@ -869,7 +869,7 @@ class Sccp_manager extends \FreePBX_Helpers implements \BMO { } break; case 'getDeviceModel': -dbug('getting Device model'); +//dbug('getting Device model'); switch ($request['type']) { case 'all': case 'extension': @@ -930,7 +930,7 @@ dbug('getting Device model'); return $result; break; case 'getExtensionGrid': -dbug('getting Extension Grid'); +//dbug('getting Extension Grid'); $result = $this->dbinterface->HWextension_db_SccpTableData('SccpExtension'); if (empty($result)) { return array(); @@ -954,7 +954,7 @@ dbug('getting Extension Grid'); return $result; break; case 'getPhoneGrid': -dbug('getting Phone Grid'); +//dbug('getting Phone Grid'); $cmd_type = !empty($request['type']) ? $request['type'] : ''; $result = $this->dbinterface->HWextension_db_SccpTableData('SccpDevice', array('type' => $cmd_type)); @@ -2132,7 +2132,7 @@ dbug('getting Phone Grid'); $dir_list = $this->findAllFiles($dir, $file_ext, 'fileonly'); } $raw_settings = $this->dbinterface->getDb_model_info($get, $format_list, $filter); -dbug('reloading table'); +//dbug('reloading table'); if ($validate) { for ($i = 0; $i < count($raw_settings); $i++) { $raw_settings[$i]['validate'] = '-;-'; diff --git a/Sccp_manager.inc/dbinterface.class.php b/Sccp_manager.inc/dbinterface.class.php index bbd213c..f24dff8 100644 --- a/Sccp_manager.inc/dbinterface.class.php 
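Review bot: The four `dbug('getting …')` / `dbug('reloading table')` lines in Sccp_manager.class.php are commented out rather than deleted, so each switch case keeps a dead `//dbug(...)` line that, judging by the marker column, sits unindented at column 0. Delete the lines outright instead of prefixing `//`; version control already keeps the history, and commented-out code tends to be un-commented again by the next debugging session. Each enclosing case block continues outside its hunk.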
+++ b/Sccp_manager.inc/dbinterface.class.php @@ -245,13 +245,6 @@ class dbinterface function write($table_name = "", $save_value = array(), $mode = 'update', $key_fld = "", $hwid = "") { -//dbug('entering write for table', $table_name); -if ($table_name === 'sccpdevmodel'){ -dbug('entering write with save_value', $save_value); -dbug('entering write with mode', $mode); -dbug('entering write with key_fld', $key_fld); -dbug('entering write with hwid', $hwid); -} // mode clear - Empty table before update // mode update - update / replace record global $db; 
@@ -259,33 +252,31 @@ dbug('entering write with hwid', $hwid);
 $delete_value = array();
 switch ($table_name) {
 case 'sccpsettings':
- foreach ($save_value as $key_v => $data) {
- if (!empty($data) && isset($data['data'])) {
- if ($data['data'] == $this->val_null) {
- $delete_value[] = $save_value[$key_v]['keyword'];
- unset($save_value[$key_v]);
- }
-/* if (isset($data['data'])) {
- if ($data['data'] == $this->val_null) {
- $delete_value[] = $save_value[$key_v]['keyword'];
- unset($save_value[$key_v]);
- }
- }
-*/ }
- }
+ $time = -microtime(true);
 if ($mode == 'clear') {
-// $sql = 'truncate `sccpsettings`';
 $db->prepare('TRUNCATE sccpsettings')->execute();
- $stmt = $db->prepare('INSERT INTO sccpsettings (keyword, data, seq, type) VALUES (?,?,?,?)');
- $result = $db->executeMultiple($stmt, $save_value);
+ $stmt = $db->prepare('INSERT INTO sccpsettings (keyword, data, seq, type) VALUES (:keyword,:data,:seq,:type)');
 } else {
- if (!empty($delete_value)) {
- $stmt = $db->prepare('DELETE FROM sccpsettings WHERE keyword = ?');
- $result = $db->executeMultiple($stmt, $delete_value);
+ $stmt = $db->prepare('REPLACE INTO sccpsettings (keyword, data, seq, type) VALUES (:keyword,:data,:seq,:type)');
+ }
+ foreach ($save_value as $key => $dataArr) {
+ if (!empty($dataArr) && isset($dataArr['data'])) {
+ if ($dataArr['data'] == $this->val_null) {
+ $delete_value[] = $save_value[$key]['keyword'];
+ break;
+ }
 }
- if (!empty($save_value)) {
- $stmt = $db->prepare('REPLACE INTO sccpsettings (keyword, data, seq, type) VALUES (?,?,?,?)');
- $result = $db->executeMultiple($stmt, $save_value);
+ $stmt->bindParam(':keyword',$dataArr['keyword'],\PDO::PARAM_STR);
+ $stmt->bindParam(':data',$dataArr['data'],\PDO::PARAM_STR);
+ $stmt->bindParam(':seq',$dataArr['seq'],\PDO::PARAM_INT);
+ $stmt->bindParam(':type',$dataArr['type'],\PDO::PARAM_INT);
+ $result = $stmt->execute();
+ }
+ if (!empty($delete_value)) {
+ $stmt = $db->prepare('DELETE FROM sccpsettings WHERE keyword = :keyword');
+ foreach ($delete_value as $del_key) {
+ $stmt->bindParam(':keyword',$del_key,\PDO::PARAM_STR);
+ $result = $stmt->execute();
 }
 }
 break;
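Review bot: The `break;` inside the new `foreach ($save_value ...)` loop leaves the whole loop at the first entry whose data equals `$this->val_null`, so every later setting is silently never written (in 'clear' mode, right after the TRUNCATE, that loses them outright) and only that first keyword lands in `$delete_value`; the removed code skipped just that entry with unset and kept going, so this should be `continue;`. The added `$time = -microtime(true);` is not read anywhere in the hunk and looks like leftover timing scaffolding that should go. Nothing here needs by-reference binding, so `bindValue()` would state the intent more plainly than `bindParam()` and avoids binding references to a loop variable that is reassigned every iteration. Since `$result` only retains the last `execute()` status, a failed insert in the middle of the loop is not reported to the caller; the rest of `write()` continues outside the hunk.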