From 1ac861749e4a65f015530ad1b9f56794bbcf175a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Nana?= <sebastien.nana@maarch.org>
Date: Tue, 21 Jul 2015 07:57:00 +0000
Subject: [PATCH] FEAT #2717 PDO security

---
 sendmail/trunk/batch/batch_tools.php         |  3 ++-
 sendmail/trunk/batch/process_emails.php      |  6 +++---
 sendmail/trunk/class/class_modules_tools.php | 16 ++++++++++++----
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/sendmail/trunk/batch/batch_tools.php b/sendmail/trunk/batch/batch_tools.php
index 364f67e25e9..6cb42e5d872 100644
--- a/sendmail/trunk/batch/batch_tools.php
+++ b/sendmail/trunk/batch/batch_tools.php
@@ -39,7 +39,8 @@
  */
 function Bt_doQuery($dbConn, $queryTxt, $param=array(), $transaction=false)
 {
-    $stmt = $dbConn->query($queryTxt, true);
+    $stmt = $dbConn->query($queryTxt, $param, true);
+    //$stmt = $dbConn->query($queryTxt);
     if (!$stmt) {
         if ($transaction) {
             $GLOBALS['logger']->write('ROLLBACK', 'INFO');
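Review bot: The commented-out call `//$stmt = $dbConn->query($queryTxt);` left directly under the new `query()` call is dead code in the new function body and should be removed rather than kept as a fallback reminder. If the intent is to document that `$param` holds the positional bind values for the `?` placeholders in `$queryTxt`, that belongs in the function docblock whose closing `*/` is visible at the top of the hunk; the docblock itself is outside the hunk, so confirm it has a `@param array $param` entry and add one if it does not. Bt_doQuery's body continues outside the hunk.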
diff --git a/sendmail/trunk/batch/process_emails.php b/sendmail/trunk/batch/process_emails.php
index 6e191a779a9..24d8e165361 100644
--- a/sendmail/trunk/batch/process_emails.php
+++ b/sendmail/trunk/batch/process_emails.php
@@ -188,10 +188,10 @@ while ($state <> 'END') {
 			}
 			//Update emails table
 			$query = "UPDATE " . EMAILS_TABLE 
-				. " SET send_date = ? "
+				. " SET send_date = CURRENT_TIMESTAMP "
 				. ", email_status = ? "
 				. " WHERE email_id = ? ";
-			$stmt = Bt_doQuery($GLOBALS['db'], $query, array($GLOBALS['db']->current_datetime(), $exec_result, $email->email_id));
+			$stmt = Bt_doQuery($GLOBALS['db'], $query, array($exec_result, $email->email_id));
 			$currentEmail++;
 			$state = 'SEND_AN_EMAIL';
 		} else {
@@ -205,7 +205,7 @@ $GLOBALS['logger']->write('End of process', 'INFO');
 Bt_logInDataBase(
     $totalEmailsToProcess, 0, 'process without error'
 );
-$GLOBALS['db']->disconnect();
+
 //unlink($GLOBALS['lckFile']);
 exit($GLOBALS['exitCode']);
 ?>
diff --git a/sendmail/trunk/class/class_modules_tools.php b/sendmail/trunk/class/class_modules_tools.php
index 38560eb4a66..fd1515df1a0 100644
--- a/sendmail/trunk/class/class_modules_tools.php
+++ b/sendmail/trunk/class/class_modules_tools.php
@@ -281,18 +281,26 @@ class sendmail extends Database
         if (!empty($id)) {
 			$db = new Database();
             if ( $owner=== true) {
+				
                 $where = " and user_id = ? ";
                 $arrayPDO = array($_SESSION['user']['UserId']);
+                 $stmt = $db->query("select * from "
+                . EMAILS_TABLE 
+                . " where email_id = ? " . $where, array( $id, $_SESSION['user']['UserId']));
             } else {
                 $where = "";
+                $stmt = $db->query("select * from "
+                . EMAILS_TABLE 
+                . " where email_id = ? " . $where, array($id));
             }
-            
-            $stmt = $db->query("select * from "
+   
+            /*$stmt = $db->query("select * from "
                 . EMAILS_TABLE 
-                . " where email_id = ? " . $where, array_merge($arrayPDO, $id));
+                . " where email_id = ? " . $where, array_merge($arrayPDO, $id));*/
+               
             //
             if ($stmt->rowCount() > 0) {
-                $res = $tstmt->fetchObject();
+                $res = $stmt->fetchObject();
                 $email['id'] = $res->email_id;
                 $email['collId'] = $res->coll_id;
                 $email['resId'] = $res->res_id;
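Review bot: The owner branch still assigns `$arrayPDO` but never uses it, because the new code builds the bind array inline and repeats the whole `select * from ... where email_id = ? ` call in both branches, while the old single call is kept as a commented-out block below them. Building the bind array in each branch and keeping one `query()` call removes the duplication and the dead assignment, and the commented-out block should be deleted outright; the `$tstmt` → `$stmt` fix is correct and should stay. The enclosing method of `sendmail` starts and ends outside the hunk.

```php
            if ($owner === true) {
                $where = " and user_id = ? ";
                $arrayPDO = array($id, $_SESSION['user']['UserId']);
            } else {
                $where = "";
                $arrayPDO = array($id);
            }
            $stmt = $db->query("select * from "
                . EMAILS_TABLE
                . " where email_id = ? " . $where, $arrayPDO);
            // … unchanged: rowCount check and fetchObject …
```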
-- 
GitLab