I am working on a custom extension/special page for the first time. I am trying to create a simple page that queries the database and display the result on the page. I got the following code that does that:
class SpecialBuildRating extends SpecialPage {
function __construct() {
parent::__construct( 'BuildRating' );
}
function execute( $par ) {
if(isset($_GET['id'])){
$buildId = $_GET['id'];
$db = wfGetDB( DB_SLAVE );
$res = $db->select(
'build_rating',
array('article_id', 'user_id', 'vote', 'comment', 'date'),
'article_id = 1485', //BuildId instead of 1485
__METHOD__,
array( 'ORDER BY' => 'date ASC' )
);
}
$request = $this->getRequest();
$output = $this->getOutput();
$this->setHeaders();
# Get request data from, e.g.
$param = $request->getText( 'param' );
# Do stuff
# ...
$wikitext = 'Hello world!';
$output->addWikiText( $wikitext );
$outP = '<table style="width:100%">
<tr>
<td>article_id</td>
<td>user_id</td>
<td>vote</td>
<td>comment</td>
<td>date</td>
</tr>
';
if ($res != null) {
foreach( $res as $row ) {
$outP .= '<td>' . $row->article_id . '</td><td>' . $row->user_id . '</td><td>' . $row->vote . '</td><td>' . $row->comment . '</td><td>' . $row->date . '</td>';
}
}
$output->addWikiText( $outP );
}
}
How do I pass the $buildIdto the WHERE statement instead of 1485 in a safe way that prevents injection?
Another question that I have that isn't really an issue is the $output->addWikiText($var); output call, is there any easier/more effective way to do it?
See https://www.mediawiki.org/wiki/Manual:Database_access for details.
As of outputting, use
$output->addHTML(), however in that case you're responsible yourself for preventing XSS.Another point, in MediaWiki it's recommended to use
$this->getRequest()->getInt( 'name', $defaultValue )instead of accessing request globals directly.