prepare sql

Model/NotesModel.php

@@ -2,25 +2,40 @@
 
 namespace ppa\Model;
 use ppa\Model\ParticipantModel;
+use ppb\Library\Msg;
+use PDOException;
 
 class NotesModel extends Database
 {
     public function selectNotesForUser($userid, $sortBy = 'updated_at', $sortOrder = 'DESC')
     {
+        $pdo = $this->linkDB();
+		
+		$erg=array();
+		$params=array();
+
         $sql = "SELECT n.*, u.username AS owner_username 
             FROM notes n 
             JOIN users u ON n.user_id = u.id 
-            ORDER BY {$sortBy} {$sortOrder}";
+            ORDER BY :sortBy :sortOrder";
 
-        $pdo = $this->linkDB();
+        $params[':sortBy']=$sortBy;
+        $params[':sortOrder']=$sortOrder;
 
         try {
-            $res = $pdo->query($sql);
-        } catch (\PDOException $e) {
-            new \ppa\Library\ErrorMsg("Ihre Anfrage konnte nicht verarbeitet werden", $e); 
-            die;
-        }
+			$stmt=$pdo->prepare($sql);
+			$stmt->execute($params);
+		} catch (PDOException $e) {
+			new Msg(true, null, $e);
+			return false;
+		}
+        
+        $erg=$stmt->fetchAll(\PDO::FETCH_ASSOC);
 
-        return $res->fetchAll(\PDO::FETCH_ASSOC);
+		foreach($erg as $key=>$row) {
+			$erg[$key]['id']+=0;
+		}
+
+		return $erg;
     }
 }