I have a custom block made in concrete5. It gets an array of all the workers from the database and passes it into the view. This block also uses a parameter which is given when the block is added into a page (it's a part of a WHERE SQL statement, i.e. parent_id=261).

Here is my function in the block controller:

    public function view()
    {
        $db = new mysqli(WP_SERVER, WP_USERNAME, WP_PASSWORD, WP_DATABASE);
        if($db->connect_errno > 0)
        {
            echo '<!-- Unable to connect to database [' . $db->connect_error . '] -->';
        }
        else
        {
            $SQL_ENTRIES = "SELECT * FROM `wp_posts` WHERE post_type = 'page' AND ".$query." order by replace(post_title,'£','LZ') asc";
            if(!$entries_result = $db->query($SQL_ENTRIES))
            {
                echo '<!-- There was an error running the query [' . $db->error . '] -->';
            }
            else
            {
                $entries = array();
                while($row = $entries_result->fetch_assoc()) $entries[] = $row;
                $SQL_META = "SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE post_id IN (SELECT ID FROM `wp_posts` WHERE post_type = 'page' AND ".$query.")";
                if(!$meta_result = $db->query($SQL_META))
                {
                    echo '<!-- There was an error running the query [' . $db->error . '] -->';
                }
                else
                {
                    $metas = array();
                    while($row = $meta_result->fetch_assoc())
                    {
                        if (!isset($metas[$row['post_id']])) $metas[$row['post_id']] = array ();
                        $metas[$row['post_id']][] = $row;
                    }
                    $updated_entries = array ();
                    foreach ($entries as $entry)
                    {
                        if (isset($metas[$entry['ID']]))
                        {
                            foreach ($metas[$entry['ID']] as $meta)
                            {
                                $entry[$meta['meta_key']] = $meta['meta_value'];
                            }
                        }
                        $updated_entries[] = $entry;
                    }
                    $this->set('updated_entries', $updated_entries);
                }
            }
        }
    }

And in my view file:

    $get = $updated_entries;
    echo json_encode($get);

It lists nothing, which is weird, because when the function is placed within the view file, it lists everything normally. Any help?

My guess is that it is because your code is using a $query variable, but this is not defined anywhere in the function. If this code works in your view file, then I bet that $query variable is set up in the view itself. Or maybe it's the WP_SERVER, WP_USERNAME, WP_PASSWORD, and WP_DATABASE constants that you are passing into the database connection? Where are those coming from?

Side note: I really hope that this $query has been properly escaped to avoid SQL injection. If you are just taking some arguments from $_GET or $_POST and feeding them into $query then you have a gaping security hole.
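
The side note above in practice, as an added example that is not part of the original question or answer: instead of storing a raw SQL fragment such as `parent_id=261` and concatenating it, the block keeps only the numeric id and binds it to a prepared statement. The function names and `$rawParentId` are hypothetical; `parent_id` is the column named in the question, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not the poster's code. Helper names are hypothetical.
function parseParentId($raw): int
{
    // Accept only a positive integer; anything else is rejected outright.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('parent id must be a positive integer');
    }
    return $id;
}

function runBound(mysqli $db, string $sql, int $parentId): mysqli_result
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    // Bound as an integer ("i"): the value never becomes part of the SQL text.
    $stmt->bind_param('i', $parentId);
    if (!$stmt->execute() || ($result = $stmt->get_result()) === false) {
        throw new RuntimeException('query failed');
    }
    return $result;
}

function fetchEntriesByParent(mysqli $db, $rawParentId): array
{
    $parentId = parseParentId($rawParentId);
    $entries = [];
    $rows = runBound($db, "SELECT * FROM `wp_posts` WHERE post_type = 'page'"
        . " AND parent_id = ? ORDER BY REPLACE(post_title, '£', 'LZ') ASC", $parentId);
    while ($row = $rows->fetch_assoc()) {
        $entries[$row['ID']] = $row; // keyed by ID; insertion order keeps the sort
    }
    $metas = runBound($db, "SELECT post_id, meta_key, meta_value FROM wp_postmeta"
        . " WHERE post_id IN (SELECT ID FROM `wp_posts`"
        . " WHERE post_type = 'page' AND parent_id = ?)", $parentId);
    while ($meta = $metas->fetch_assoc()) {
        if (isset($entries[$meta['post_id']])) {
            // Fold each meta row into its post, as the original loop does.
            $entries[$meta['post_id']][$meta['meta_key']] = $meta['meta_value'];
        }
    }
    return array_values($entries);
}
```

In the block controller, `view()` would pass the stored id to `fetchEntriesByParent()` and hand the returned array to `$this->set('updated_entries', ...)`.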