From 3308e790279cfe67a230705160345448f684da6e Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Fri, 15 Sep 2023 13:58:57 +0200
Subject: [PATCH] Use bind params when copying a recipe (fixes #2337)
---
 changelog/74_UNRELEASED_xxxx-xx-xx.md | 2 +-
 services/DatabaseService.php | 18 +++++++++++++++---
 services/RecipesService.php | 6 +++---
 3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/changelog/74_UNRELEASED_xxxx-xx-xx.md b/changelog/74_UNRELEASED_xxxx-xx-xx.md
index 39eced5f..487501ce 100644
--- a/changelog/74_UNRELEASED_xxxx-xx-xx.md
+++ b/changelog/74_UNRELEASED_xxxx-xx-xx.md
@@ -18,7 +18,7 @@
 ### Recipes
-- xxx
+- Fixed that copying recipes with special characters in the name was not possible
 ### Meal plan
diff --git a/services/DatabaseService.php b/services/DatabaseService.php
index 4a05bda1..e22d0c76 100644
--- a/services/DatabaseService.php
+++ b/services/DatabaseService.php
@@ -23,7 +23,7 @@ class DatabaseService
 return false;
 }
- public function ExecuteDbStatement(string $sql)
+ public function ExecuteDbStatement(string $sql, array $params = null)
 {
 $pdo = $this->GetDbConnectionRaw();
@@ -36,9 +36,21 @@ class DatabaseService
 }
 }
- if ($pdo->exec($sql) === false)
+ if ($params == null)
 {
- throw new \Exception($pdo->errorInfo());
+
+ if ($pdo->exec($sql) === false)
+ {
+ throw new \Exception($pdo->errorInfo());
+ }
+ }
+ else
+ {
+ $cmd = $pdo->prepare($sql);
+ if ($cmd->execute($params) === false)
+ {
+ throw new \Exception($pdo->errorInfo());
+ }
 }
 return true;
diff --git a/services/RecipesService.php b/services/RecipesService.php
index db8f1236..adad30fc 100644
--- a/services/RecipesService.php
+++ b/services/RecipesService.php
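Review bot: In the first DatabaseService.php hunk the new parameter `array $params = null` relies on implicit nullability, which PHP 8.4 deprecates; `?array $params = null` states the same contract explicitly. The method also has no doc comment, so nothing tells a caller that supplying `$params` switches it from `exec()` to a prepared statement. A short docblock saying that values must be passed through `$params` and never concatenated into `$sql` would make the safe path the obvious one. The method body continues outside this hunk.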
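Review bot: In the second DatabaseService.php hunk the prepared-statement branch reports a failed `execute()` with `$pdo->errorInfo()`, but the details of a statement failure are recorded on the statement, so `$cmd->errorInfo()` is the call that holds them. The result of `prepare()` is also used unchecked, and it can be false when the connection is not in exception error mode (the hunk does not show which mode is set). All three `throw new \Exception($pdo->errorInfo())` lines pass an array where Exception expects a string message, so where those branches are reachable they surface a type error instead of the SQL error; the `exec()` branch needs the same `implode()` treatment. `$params == null` additionally routes an empty array to the `exec()` path, so `$params === null` is the tighter test.
```php
if ($params === null)
{
	// … unchanged: exec() path …
}
else
{
	$cmd = $pdo->prepare($sql);
	if ($cmd === false)
	{
		throw new \Exception(implode(' ', $pdo->errorInfo()));
	}
	if ($cmd->execute($params) === false)
	{
		throw new \Exception(implode(' ', $cmd->errorInfo()));
	}
}
```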
@@ -145,10 +145,10 @@ class RecipesService extends BaseService
 $newName = $this->getLocalizationService()->__t('Copy of %s', $this->getDataBase()->recipes($recipeId)->name);
- $this->getDatabaseService()->ExecuteDbStatement('INSERT INTO recipes (name, description, picture_file_name, base_servings, desired_servings, not_check_shoppinglist, type, product_id) SELECT \'' . $newName . '\', description, picture_file_name, base_servings, desired_servings, not_check_shoppinglist, type, product_id FROM recipes WHERE id = ' . $recipeId);
+ $this->getDatabaseService()->ExecuteDbStatement('INSERT INTO recipes (name, description, picture_file_name, base_servings, desired_servings, not_check_shoppinglist, type, product_id) SELECT :new_name, description, picture_file_name, base_servings, desired_servings, not_check_shoppinglist, type, product_id FROM recipes WHERE id = :recipe_id', ['recipe_id' => $recipeId, 'new_name' => $newName]);
 $lastInsertId = $this->getDatabase()->lastInsertId();
- $this->getDatabaseService()->ExecuteDbStatement('INSERT INTO recipes_pos (recipe_id, product_id, amount, note, qu_id, only_check_single_unit_in_stock, ingredient_group, not_check_stock_fulfillment, variable_amount, price_factor) SELECT ' . $lastInsertId . ', product_id, amount, note, qu_id, only_check_single_unit_in_stock, ingredient_group, not_check_stock_fulfillment, variable_amount, price_factor FROM recipes_pos WHERE recipe_id = ' . $recipeId);
- $this->getDatabaseService()->ExecuteDbStatement('INSERT INTO recipes_nestings (recipe_id, includes_recipe_id, servings) SELECT ' . $lastInsertId . ', includes_recipe_id, servings FROM recipes_nestings WHERE recipe_id = ' . $recipeId);
+ $this->getDatabaseService()->ExecuteDbStatement('INSERT INTO recipes_pos (recipe_id, product_id, amount, note, qu_id, only_check_single_unit_in_stock, ingredient_group, not_check_stock_fulfillment, variable_amount, price_factor) SELECT :last_insert_id, product_id, amount, note, qu_id, only_check_single_unit_in_stock, ingredient_group, not_check_stock_fulfillment, variable_amount, price_factor FROM recipes_pos WHERE recipe_id = :recipe_id', ['recipe_id' => $recipeId, 'last_insert_id' => $lastInsertId]);
+ $this->getDatabaseService()->ExecuteDbStatement('INSERT INTO recipes_nestings (recipe_id, includes_recipe_id, servings) SELECT :last_insert_id, includes_recipe_id, servings FROM recipes_nestings WHERE recipe_id = :recipe_id', ['recipe_id' => $recipeId, 'last_insert_id' => $lastInsertId]);
 return $lastInsertId;
 }
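Review bot: The three INSERTs still run as separate statements with no transaction visible in this hunk, so a failure in the `recipes_pos` or `recipes_nestings` copy would leave a half-copied recipe behind. Wrapping them in `beginTransaction()` / `commit()` on the same PDO handle would make the copy atomic; the enclosing method starts outside the hunk, so a transaction may already be opened there. `$lastInsertId` is read through `getDatabase()` while the inserts go through `getDatabaseService()`, which is only correct if both use one connection, and that assumption deserves a comment. A line above the first call such as `// the recipe name is stored user input: bind it, never concatenate it into the SQL` would record why the bound form must stay.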