From: Mathieu Lutfy
Date: Sun, 5 Jun 2016 23:33:57 +0000 (+0000)
Subject: CRM-18756: TrackableURLOpen: fix SQL parameter escaping convention.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=795136fc9c7ef05a22890ab5d1521105a4f5bd8f;p=civicrm-core.git
CRM-18756: TrackableURLOpen: fix SQL parameter escaping convention.
---
diff --git a/CRM/Mailing/Event/BAO/TrackableURLOpen.php b/CRM/Mailing/Event/BAO/TrackableURLOpen.php
index 039c0dc092..94e05b2e7c 100644
--- a/CRM/Mailing/Event/BAO/TrackableURLOpen.php
+++ b/CRM/Mailing/Event/BAO/TrackableURLOpen.php
@@ -53,41 +53,57 @@ class CRM_Mailing_Event_BAO_TrackableURLOpen extends CRM_Mailing_Event_DAO_Track * The redirection url, or base url on failure. */ public static function track($queue_id, $url_id) { - - $search = new CRM_Mailing_BAO_TrackableURL(); - // To find the url, we also join on the queue and job tables. This // prevents foreign key violations. - $job = CRM_Mailing_BAO_MailingJob::getTableName(); - $eq = CRM_Mailing_Event_BAO_Queue::getTableName(); - $turl = CRM_Mailing_BAO_TrackableURL::getTableName(); + $job = CRM_Utils_Type::escape(CRM_Mailing_BAO_MailingJob::getTableName(), 'MysqlColumnNameOrAlias'); + $eq = CRM_Utils_Type::escape(CRM_Mailing_Event_BAO_Queue::getTableName(), 'MysqlColumnNameOrAlias'); + $turl = CRM_Utils_Type::escape(CRM_Mailing_BAO_TrackableURL::getTableName(), 'MysqlColumnNameOrAlias'); if (!$queue_id) { - $search->query("SELECT $turl.url as url from $turl - WHERE $turl.id = " . CRM_Utils_Type::escape($url_id, 'Integer') + $search = CRM_Core_DAO::executeQuery( + "SELECT url + FROM $turl + WHERE $turl.id = %1", + array( + 1 => array($url_id, 'Integer'), + ) ); + if (!$search->fetch()) { return CRM_Utils_System::baseURL(); } + return $search->url; } - $search->query("SELECT $turl.url as url from $turl - INNER JOIN $job ON $turl.mailing_id = $job.mailing_id - INNER JOIN $eq ON $job.id = $eq.job_id - WHERE $eq.id = " . CRM_Utils_Type::escape($queue_id, 'Integer') . " AND $turl.id = " . CRM_Utils_Type::escape($url_id, 'Integer') + $search = CRM_Core_DAO::executeQuery( + "SELECT $turl.url as url + FROM $turl + INNER JOIN $job ON $turl.mailing_id = $job.mailing_id + INNER JOIN $eq ON $job.id = $eq.job_id + WHERE $eq.id = %1 AND $turl.id = %2", + array( + 1 => array($queue_id, 'Integer'), + 2 => array($url_id, 'Integer'), + ) ); if (!$search->fetch()) { // Can't find either the URL or the queue. If we can find the URL then // return the URL without tracking. Otherwise return the base URL. 
- - $search->query("SELECT $turl.url as url from $turl - WHERE $turl.id = " . CRM_Utils_Type::escape($url_id, 'Integer') + $search = CRM_Core_DAO::executeQuery( + "SELECT $turl.url as url + FROM $turl + WHERE $turl.id = %1", + array( + 1 => array($url_id, 'Integer'), + ) ); + if (!$search->fetch()) { return CRM_Utils_System::baseURL(); } + return $search->url; }
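Review bot: The first rewritten query in the `!$queue_id` branch projects `SELECT url` while the other two lookups in this hunk project `SELECT $turl.url as url`; all three feed the same `$search->url` read, so the projection should be written the same way, `"SELECT $turl.url as url`, to keep the three lookups visibly parallel. The new `CRM_Utils_Type::escape(..., 'MysqlColumnNameOrAlias')` wrapping of the three `getTableName()` results deserves a one-line why-comment, since the inputs are fixed table names and a reader will otherwise wonder whether they can be attacker-controlled; something like `// Table names are constants; escaping them keeps the query consistent with the project's SQL-escaping convention (CRM-18756).` The `$job` and `$eq` lookups are also computed before the `!$queue_id` early return that never uses them, which is harmless but could be moved below that branch. The body of `track()` continues past the end of this hunk.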