LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
92544d60cec805203dfc00bef93fa6884a8f7719
tinker_tickets/helpers/Database.php
Jared Vititoe 89a685a502 Integrate web_template design system and fix security/quality issues 
Security fixes:
- Add HTTP method validation to delete_comment.php (block CSRF via GET)
- Remove $_GET fallback in comment deletion (was CSRF bypass vector)
- Guard session_start() with session_status() check across API files
- Escape json_encode() data attributes with htmlspecialchars in views
- Escape inline APP_TIMEZONE config values in DashboardView/TicketView
- Validate timezone param against DateTimeZone::listIdentifiers() in index.php
- Remove Database::escape() (was using real_escape_string, not safe)
- Fix AttachmentModel hardcoded connection; inject via constructor

Backend fixes:
- Fix CommentModel bind_param type for ticket_id (s→i)
- Fix buildCommentThread orphan parent guard
- Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded
- Add ticket ID validation in BulkOperationsModel before implode()
- Add duplicate key retry in TicketModel::createTicket() for race conditions
- Wrap SavedFiltersModel default filter changes in transactions
- Add null result guards in WorkflowModel query methods

Frontend JS:
- Rewrite toast.js as lt.toast shim (base.js dependency)
- Delegate escapeHtml() to lt.escHtml()
- Rewrite keyboard-shortcuts.js using lt.keys.on()
- Migrate settings.js to lt.api.* and lt.modal.open/close()
- Migrate advanced-search.js to lt.api.* and lt.modal.open/close()
- Migrate dashboard.js fetch calls to lt.api.*; update all dynamic
  modals (bulk ops, quick actions, confirm/input) to lt-modal structure
- Migrate ticket.js fetchMentionUsers to lt.api.get()
- Remove console.log/error/warn calls from JS files

Views:
- Add /web_template/base.css and base.js to all 10 view files
- Call lt.keys.initDefaults() in DashboardView, TicketView, admin views
- Migrate all modal HTML from settings-modal/settings-content to
  lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer
- Replace style="display:none" with aria-hidden="true" on all modals
- Replace modal open/close style.display with lt.modal.open/close()
- Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes
- Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults)
- Fix unescaped timezone values in TicketView inline script

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:22:24 -04:00

167 lines
4.3 KiB
PHP
Raw Blame History

<?php
/**
* Database Connection Factory
*
* Centralizes database connection creation and management.
* Provides a singleton connection for the request lifecycle.
*/
class Database {
private static ?mysqli $connection = null;
/**
* Get database connection (singleton pattern)
*
* @return mysqli Database connection
* @throws Exception If connection fails
*/
public static function getConnection(): mysqli {
if (self::$connection === null) {
self::$connection = self::createConnection();
}
// Check if connection is still alive
if (!self::$connection->ping()) {
self::$connection = self::createConnection();
}
return self::$connection;
}
/**
* Create a new database connection
*
* @return mysqli Database connection
* @throws Exception If connection fails
*/
private static function createConnection(): mysqli {
// Ensure config is loaded
if (!isset($GLOBALS['config'])) {
require_once dirname(__DIR__) . '/config/config.php';
}
$conn = new mysqli(
$GLOBALS['config']['DB_HOST'],
$GLOBALS['config']['DB_USER'],
$GLOBALS['config']['DB_PASS'],
$GLOBALS['config']['DB_NAME']
);
if ($conn->connect_error) {
throw new Exception("Database connection failed: " . $conn->connect_error);
}
// Set charset to utf8mb4 for proper Unicode support
$conn->set_charset('utf8mb4');
return $conn;
}
/**
* Close the database connection
*/
public static function close(): void {
if (self::$connection !== null) {
self::$connection->close();
self::$connection = null;
}
}
/**
* Begin a transaction
*
* @return bool Success
*/
public static function beginTransaction(): bool {
return self::getConnection()->begin_transaction();
}
/**
* Commit a transaction
*
* @return bool Success
*/
public static function commit(): bool {
return self::getConnection()->commit();
}
/**
* Rollback a transaction
*
* @return bool Success
*/
public static function rollback(): bool {
return self::getConnection()->rollback();
}
/**
* Execute a query and return results
*
* @param string $sql SQL query with placeholders
* @param string $types Parameter types (i=int, s=string, d=double, b=blob)
* @param array $params Parameters to bind
* @return mysqli_result|bool Query result
*/
public static function query(string $sql, string $types = '', array $params = []) {
$conn = self::getConnection();
if (empty($types) || empty($params)) {
return $conn->query($sql);
}
$stmt = $conn->prepare($sql);
if (!$stmt) {
throw new Exception("Query preparation failed: " . $conn->error);
}
$stmt->bind_param($types, ...$params);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
return $result;
}
/**
* Execute an INSERT/UPDATE/DELETE and return affected rows
*
* @param string $sql SQL query with placeholders
* @param string $types Parameter types
* @param array $params Parameters to bind
* @return int Affected rows (-1 on failure)
*/
public static function execute(string $sql, string $types = '', array $params = []): int {
$conn = self::getConnection();
$stmt = $conn->prepare($sql);
if (!$stmt) {
throw new Exception("Query preparation failed: " . $conn->error);
}
if (!empty($types) && !empty($params)) {
$stmt->bind_param($types, ...$params);
}
if ($stmt->execute()) {
$affected = $stmt->affected_rows;
$stmt->close();
return $affected;
}
$error = $stmt->error;
$stmt->close();
throw new Exception("Query execution failed: " . $error);
}
/**
* Get the last insert ID
*
* @return int Last insert ID
*/
public static function lastInsertId(): int {
return self::getConnection()->insert_id;
}
// escape() removed — use prepared statements with bind_param() instead
}
Reference in New Issue View Git Blame Copy Permalink