From: Johan Vervloet
Date: Wed, 13 Aug 2014 18:28:22 +0000 (+0200)
Subject: CRM-15104 - applied the changes suggested by @colemanw.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=ca4329ca1f55a97ee92b0f228883af24dc740634;p=civicrm-core.git
CRM-15104 - applied the changes suggested by @colemanw.
----------------------------------------
* CRM-15104: Line item issues when creating a participant using the API https://issues.civicrm.org/jira/browse/CRM-15104
---
diff --git a/api/v3/Participant.php b/api/v3/Participant.php
index c3a705b7e6..21c5efd163 100644
--- a/api/v3/Participant.php
+++ b/api/v3/Participant.php
@@ -84,14 +84,10 @@ function _civicrm_api3_participant_createlineitem(&$params, $participant){
 // it is possible that a fee level contains information about multiple
 // price field values.
- $priceFieldValueDetails = explode(
- CRM_Core_DAO::VALUE_SEPARATOR,
+ $priceFieldValueDetails = CRM_Utils_Array::explodePadded(
 $params["fee_level"]);
 foreach($priceFieldValueDetails as $detail) {
- if (empty($detail)) continue;
-
-
 if (preg_match('/- ([0-9]+)$/', $detail, $matches)) {
 // it is possible that a price field value is payd for multiple times.
 // (FIXME: if the price field value ends in minus followed by whitespace
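Review bot: Removing `if (empty($detail)) continue;` changes what happens to an empty element of `fee_level`: `CRM_Utils_Array::explodePadded` strips the outer separators, but an empty element between two consecutive separators (or an entirely empty `fee_level`) presumably still comes back as `''`, which now falls through to the quantity/label parsing and on to the price-field-value lookup with an empty label instead of being skipped. If that is not intended, keep a guard at the top of the loop body, `if ($detail === '') { continue; }`. `$params["fee_level"]` is also read without checking that the key exists; if fee_level is optional for this call, `CRM_Utils_Array::value('fee_level', $params, '')` avoids the undefined-index notice. The `preg_match` branch opened on the last context line continues outside the hunk.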
@@ -106,18 +102,21 @@ function _civicrm_api3_participant_createlineitem(&$params, $participant){
 $qty = 1;
 }
- // TODO: I think we might have troubles with SQL injection below.
-
 $sql = " SELECT ps.id AS setID, pf.id AS priceFieldID, pfv.id AS priceFieldValueID, pfv.amount AS amount FROM civicrm_price_set_entity cpse
- LEFT JOIN civicrm_price_set ps ON cpse.price_set_id = ps.id AND cpse.entity_id = {$params['event_id']} AND cpse.entity_table = 'civicrm_event'
+ LEFT JOIN civicrm_price_set ps ON cpse.price_set_id = ps.id AND cpse.entity_id = %1 AND cpse.entity_table = 'civicrm_event'
 LEFT JOIN civicrm_price_field pf ON pf.`price_set_id` = ps.id
 LEFT JOIN civicrm_price_field_value pfv ON pfv.price_field_id = pf.id
- where ps.id is not null and pfv.label = '{$label}'
+ where ps.id is not null and pfv.label = %2
 ";
- $dao = CRM_Core_DAO::executeQuery($sql);
+ $qParams = array(
+ 1 => array($params['event_id'], 'Integer'),
+ 2 => array($label, 'String'),
+ );
+
+ $dao = CRM_Core_DAO::executeQuery($sql, $qParams);
 if ($dao->fetch()) {
 $lineItemparams = array(
 'price_field_id' => $dao->priceFieldID,
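Review bot: A fee_level label that matches no price field value is still handled silently: after the new parameterised `executeQuery`, `if ($dao->fetch()) {` covers only the found case, and nothing in the hunk reports a miss, so the participant would presumably be created with no line item and the API caller never learns why (the function and any else branch continue outside the hunk). An explicit failure such as `else { throw new API_Exception("No price field value found for fee level '{$label}'"); }` would make the bad input visible instead of leaving a silently incomplete record. Note also that only the first row is consumed; if a price set can hold two values with the same label, which one wins is left to the database. As a point of style, the query mixes `SELECT`/`FROM`/`LEFT JOIN` with lowercase `where ... is not null and`; one casing for SQL keywords reads better.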