Escape SQL update for updatecontactids

2d588496 · mattwire · aa1cd141 · 2d588496
Commit 2d588496 authored 6 years ago by mattwire
--- a/api/v3/StripeCustomer.php
+++ b/api/v3/StripeCustomer.php
@@ -106,8 +106,8 @@ function civicrm_api3_stripe_customer_updatecontactids($params) {
        'return' => "id",
        'email' => $dao->email,
      ]);
-
-    } catch (Exception $e) {
+    }
+    catch (Exception $e) {
      // Most common problem is duplicates.
      if(preg_match("/Expected one Contact but found/", $e->getMessage())) {
        // If we find more than one, first try to find it via a related subscription record
@@ -119,7 +119,7 @@ function civicrm_api3_stripe_customer_updatecontactids($params) {
            JOIN civicrm_contact c ON c.id = rc.contact_id
          WHERE c.is_deleted = 0 AND customer_id = %0
          ORDER BY start_date DESC LIMIT 1";
-        $dao_contribution = CRM_Core_DAO::executeQuery($sql, array(0 => array($dao->id, 'String')));
+        $dao_contribution = CRM_Core_DAO::executeQuery($sql, [0 => [$dao->id, 'String']]);
        $dao_contribution->fetch();
        if ($dao_contribution->id) {
          $contactId = $dao_contribution->id;
@@ -132,7 +132,7 @@ function civicrm_api3_stripe_customer_updatecontactids($params) {
            WHERE e.email = %0 AND c.is_deleted = 0 AND is_test = 0 AND
              trxn_id LIKE 'ch_%' AND contribution_status_id = 1
            ORDER BY receive_date DESC LIMIT 1";
-          $dao_contribution = CRM_Core_DAO::executeQuery($sql, array(0 => array($dao->email, 'String')));
+          $dao_contribution = CRM_Core_DAO::executeQuery($sql, [0 => [$dao->email, 'String']]);
          $dao_contribution->fetch();
          if ($dao_contribution->id) {
            $contactId = $dao_contribution->id;
@@ -141,14 +141,20 @@ function civicrm_api3_stripe_customer_updatecontactids($params) {
      }
      if (empty($contactId)) {
        // Still no luck. Log it and move on.
-        Civi::log()
-          ->debug('Stripe Upgrader: No contact ID found for stripe customer with email: ' . $dao->email);
+        Civi::log()->debug('Stripe Upgrader: No contact ID found for stripe customer with email: ' . $dao->email);
        $counts['failed']++;
        continue;
      }
    }
-    CRM_Core_DAO::executeQuery("UPDATE `civicrm_stripe_customers` SET contact_id={$contactId} WHERE email='{$dao->email}'");
+
+    $sqlParams = [
+      1 => [$contactId, 'Integer'],
+      2 => [$dao->email, 'String'],
+    ];
+    $sql = 'UPDATE civicrm_stripe_customers SET contact_id=%1 WHERE email=%2';
+    CRM_Core_DAO::executeQuery($sql, $sqlParams);
    $counts['updated']++;
  }
+
  return civicrm_api3_create_success($counts);
 }