commit dce653c0b76993e406c1f367414eda94ddf3771c
parent 00672e4dcc652f7b57e255a45b0d09435c3b386b
Author: dankert <devnull@localhost>
Date: Wed, 14 Oct 2009 01:11:43 +0200
Bei SQL-Statements keine "stringlist" benutzen, da damit keine Prepared-Statements möglich sind.
Diffstat:
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/objectClasses/Template.class.php b/objectClasses/Template.class.php
@@ -308,19 +308,20 @@ class Template
function getWritableElements()
{
$list = array();
+ $e = new Element();
+ $readonlyList = "'".implode("','",$e->readonlyElementNames)."'";
+
$db = db_connection();
-
- $sql = new Sql( <<<SQL
+
+ $sql = new Sql( <<<SQL
SELECT * FROM {t_element}
WHERE templateid={templateid}
AND writable=1
- AND type NOT IN ({readonlyList})
+ AND type NOT IN ($readonlyList)
ORDER BY name ASC
-SQL
-);
- $sql->setInt ( 'templateid' ,$this->templateid );
- $e = new Element();
- $sql->setStringList( 'readonlyList',$e->readonlyElementNames );
+SQL
+);
+ $sql->setInt ( 'templateid' ,$this->templateid );
foreach( $db->getAll( $sql ) as $row )
{
$e = new Element( $row['id'] );
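Review bot: The new `$readonlyList` on the `AND type NOT IN ($readonlyList)` line is spliced into the SQL text unescaped, so that part of the statement is outside the placeholder mechanism the rest of the query (`{templateid}` via `setInt`) still uses; a name containing a single quote would break or alter the query. This appears to be safe only because `readonlyElementNames` looks like a fixed, code-defined list on `Element` (inferred from the argument-less constructor, not visible here), and that invariant should be stated next to the interpolation, e.g. `// readonlyElementNames is a fixed list defined in Element, never user input, so inlining it here is acceptable`. If the `Sql` class offers a single-value string setter alongside `setInt`, binding one placeholder per name and interpolating only the placeholder list would keep the whole statement parameterised, which is what the commit message is aiming for. Note also that an empty `readonlyElementNames` yields `NOT IN ('')`, which is valid but worth a comment if that case is expected. The body of `getWritableElements` continues past the end of the hunk.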