How to query database in MediaWiki?


I am working on a custom extension/special page for the first time. I am trying to create a simple page that queries the database and displays the result on the page. I have the following code that does that:

class SpecialBuildRating extends SpecialPage {

    function __construct() {
        parent::__construct( 'BuildRating' );
    }

    function execute( $par ) {
        // Initialised so the later null check does not read an undefined variable
        $res = null;

        if ( isset( $_GET['id'] ) ) {

            $buildId = $_GET['id'];

            $db = wfGetDB( DB_SLAVE );

            $res = $db->select(
                'build_rating',
                array( 'article_id', 'user_id', 'vote', 'comment', 'date' ),
                'article_id = 1485', // BuildId instead of 1485
                __METHOD__,
                array( 'ORDER BY' => 'date ASC' )
            );
        }

        $request = $this->getRequest();
        $output = $this->getOutput();
        $this->setHeaders();

        # Get request data from, e.g.
        $param = $request->getText( 'param' );

        # Do stuff
        # ...
        $wikitext = 'Hello world!';
        $output->addWikiText( $wikitext );

        $outP = '<table style="width:100%">
                    <tr>
                        <td>article_id</td>
                        <td>user_id</td>
                        <td>vote</td>
                        <td>comment</td>
                        <td>date</td>
                    </tr>
                ';

        if ( $res != null ) {
            foreach ( $res as $row ) {
                // Each result row becomes one table row
                $outP .= '<tr><td>' . $row->article_id . '</td><td>' . $row->user_id . '</td><td>' . $row->vote . '</td><td>' . $row->comment . '</td><td>' . $row->date . '</td></tr>';
            }
        }

        // Close the table opened above
        $outP .= '</table>';

        $output->addWikiText( $outP );
    }
}

How do I pass the $buildId to the WHERE statement instead of 1485 in a safe way that prevents injection?

Another question I have, which isn't really an issue, concerns the $output->addWikiText($var); output call: is there any easier/more effective way to do it?

1 answer

Answer by MaxSem:

$res = $db->select(
    'build_rating',
    array('article_id', 'user_id', 'vote', 'comment', 'date'),
    array( 'article_id' => $buildId ),
    __METHOD__,
    array( 'ORDER BY' => 'date ASC' )
);

See https://www.mediawiki.org/wiki/Manual:Database_access for details.

As for outputting, use $output->addHTML(), however in that case you're responsible yourself for preventing XSS.

Another point, in MediaWiki it's recommended to use $this->getRequest()->getInt( 'name', $defaultValue ) instead of accessing request globals directly.
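A hardened version of the asker's execute(), written as an added example rather than MaxSem's answer or MediaWiki's own code: it combines the array-condition select() and getInt() from the answer with Html::element() so that addHTML() is safe against stored XSS. It assumes a build_rating table with the columns the question lists, and uses DB_REPLICA (the name DB_SLAVE was renamed to in MediaWiki 1.28).

```php
class SpecialBuildRating extends SpecialPage {

    function __construct() {
        parent::__construct( 'BuildRating' );
    }

    function execute( $par ) {
        $this->setHeaders();
        $out = $this->getOutput();

        // Integer-typed access: a missing or non-numeric ?id= yields 0, so no
        // attacker-controlled string is ever involved in building the query.
        $buildId = $this->getRequest()->getInt( 'id', 0 );
        if ( $buildId <= 0 ) {
            $out->addHTML( Html::element( 'p', [], 'No build id given.' ) );
            return;
        }

        $dbr = wfGetDB( DB_REPLICA ); // DB_SLAVE on MediaWiki < 1.28
        $columns = [ 'article_id', 'user_id', 'vote', 'comment', 'date' ];
        $res = $dbr->select(
            'build_rating',              // assumed table from the question
            $columns,
            [ 'article_id' => $buildId ], // array conds are quoted by the DB layer
            __METHOD__,
            [ 'ORDER BY' => 'date ASC' ]
        );

        // Header row
        $cells = '';
        foreach ( $columns as $c ) {
            $cells .= Html::element( 'th', [], $c );
        }
        $body = Html::rawElement( 'tr', [], $cells );

        // Data rows: Html::element() escapes its text argument, so a stored
        // comment such as "<script>" is rendered literally, not executed.
        foreach ( $res as $row ) {
            $cells = '';
            foreach ( $columns as $c ) {
                $cells .= Html::element( 'td', [], (string)$row->$c );
            }
            $body .= Html::rawElement( 'tr', [], $cells );
        }

        $out->addHTML( Html::rawElement( 'table', [ 'class' => 'wikitable' ], $body ) );
    }
}
```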