- Compress API filters to a loop

- Check for filters for valid fields
2024-10-07 16:52:45 +00:00 · 2016-01-14 05:22:37 +10:00
parent 6286d7cb6a
commit 87e88dacfd
2 changed files with 17 additions and 27 deletions
--- a/html/includes/api_functions.inc.php
+++ b/html/includes/api_functions.inc.php
@@ -519,29 +519,15 @@ function get_components() {

    // Do some filtering if the user requests.
    $options = array();
-    if (isset($_GET['type'])) {
-        // set a type = filter
-        $options['filter']['type'] = array('=',$_GET['type']);
-    }
-    if (isset($_GET['id'])) {
-        // set a id = filter
-        $options['filter']['id'] = array('=',$_GET['id']);
-    }
+    // We need to specify the label as this is a LIKE query
    if (isset($_GET['label'])) {
        // set a label like filter
        $options['filter']['label'] = array('LIKE',$_GET['label']);
+        unset ($_GET['label']);
    }
-    if (isset($_GET['status'])) {
-        // set a status = filter
-        $options['filter']['status'] = array('=',$_GET['status']);
-    }
-    if (isset($_GET['disabled'])) {
-        // set a disabled = filter
-        $options['filter']['disabled'] = array('=',$_GET['disabled']);
-    }
-    if (isset($_GET['ignore'])) {
-        // set a ignore = filter
-        $options['filter']['ignore'] = array('=',$_GET['ignore']);
+    // Add the rest of the options with an equals query
+    foreach ($_GET as $k) {
+        $options['filter'][$k] = array('=',$_GET[$k]);
    }

    // use hostname as device_id if it's all digits
--- a/includes/component.php
+++ b/includes/component.php
@@ -69,17 +69,21 @@ class component {
        $COUNT = 0;
        if (isset($options['filter'])) {
            $COUNT++;
+            $validFields = array('device_id','type','id','label','status','disabled','ignore','error');
            $SQL .= " ( ";
            foreach ($options['filter'] as $field => $array) {
-                if ($array[0] == 'LIKE') {
-                    $SQL .= "`".$field."` LIKE ? AND ";
-                    $array[1] = "%".$array[1]."%";
+                // Only add valid fields to the query
+                if (in_array($field,$validFields)) {
+                    if ($array[0] == 'LIKE') {
+                        $SQL .= "`".$field."` LIKE ? AND ";
+                        $array[1] = "%".$array[1]."%";
+                    }
+                    else {
+                        // Equals operator is the default
+                        $SQL .= "`".$field."` = ? AND ";
+                    }
+                    array_push($PARAM,$array[1]);
                }
-                else {
-                    // Equals operator is the default
-                    $SQL .= "`".$field."` = ? AND ";
-                }
-                array_push($PARAM,$array[1]);
            }
            // Strip the last " AND " before closing the bracket.
            $SQL = substr($SQL,0,-5)." )";