Wrap mysql_real_escape_string() in a function

Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2025-02-03 09:43:03 +00:00 · 2011-10-20 08:15:02 +02:00 · 2011-10-20 08:15:02 +02:00 · 10b6a8fff7
commit 10b6a8fff7
parent e1687f1830
12 changed files with 67 additions and 61 deletions
--- a/web/html/account.php
+++ b/web/html/account.php
@ -111,7 +111,7 @@ if (isset($_COOKIE["AURSID"])) {
 			$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
 			$q.= "AND Users.ID = Sessions.UsersID ";
 			$q.= "AND Sessions.SessionID = '";
-			$q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
+			$q.= db_escape_string($_COOKIE["AURSID"])."'";
 			$result = db_query($q, $dbh);
 			if (!mysql_num_rows($result)) {
 				print __("Could not retrieve information for the specified user.");
--- a/web/html/addvote.php
+++ b/web/html/addvote.php
@ -20,7 +20,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
 		$error = "";

 		if (!empty($_POST['user'])) {
-			$qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'";
+			$qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape_string($_POST['user']) . "'";
 			$result = db_query($qcheck, $dbh);
 			if ($result) {
 				$check = mysql_num_rows($result);
@ -32,7 +32,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
 			if ($check == 0) {
 				$error.= __("Username does not exist.");
 			} else {
-				$qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'";
+				$qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($_POST['user']) . "'";
 				$qcheck.= " AND End > UNIX_TIMESTAMP()";
 				$result = db_query($qcheck, $dbh);
 				if ($result) {
@ -67,9 +67,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") {

 	if (!empty($_POST['addVote']) && empty($error)) {
 		$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
-		$q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', ";
-		$q.= "'" . mysql_real_escape_string($_POST['user']) . "', ";
-		$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len);
+		$q.= "('" . db_escape_string($_POST['agenda']) . "', ";
+		$q.= "'" . db_escape_string($_POST['user']) . "', ";
+		$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($len);
 		$q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")";

 		db_query($q, $dbh);
--- a/web/html/logout.php
+++ b/web/html/logout.php
@ -12,7 +12,7 @@ include_once("acctfuncs.inc.php");         # access AUR common functions
 if (isset($_COOKIE["AURSID"])) {
 	$dbh = db_connect();
 	$q = "DELETE FROM Sessions WHERE SessionID = '";
-	$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+	$q.= db_escape_string($_COOKIE["AURSID"]) . "'";
 	db_query($q, $dbh);
 	# setting expiration to 1 means '1 second after midnight January 1, 1970'
 	setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
--- a/web/html/passreset.php
+++ b/web/html/passreset.php
@ -40,8 +40,8 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
 		      Salt = '$salt',
 		      ResetKey = ''
 		      WHERE ResetKey != ''
-		      AND ResetKey = '".mysql_real_escape_string($resetkey)."'
-		      AND Email = '".mysql_real_escape_string($email)."'";
+		      AND ResetKey = '".db_escape_string($resetkey)."'
+		      AND Email = '".db_escape_string($email)."'";
 		$result = db_query($q, $dbh);
 		if (!mysql_affected_rows($dbh)) {
 			$error = __('Invalid e-mail and reset key combination.');
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@ -301,7 +301,7 @@ if ($uid):
 			$dbh = db_connect();
 			db_query("BEGIN", $dbh);

-			$q = "SELECT * FROM Packages WHERE Name = '" . mysql_real_escape_string($new_pkgbuild['pkgname']) . "'";
+			$q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($new_pkgbuild['pkgname']) . "'";
 			$result = db_query($q, $dbh);
 			$pdata = mysql_fetch_assoc($result);

@ -346,11 +346,11 @@ if ($uid):

 				# Update package data
 				$q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
-					mysql_real_escape_string($new_pkgbuild['pkgname']),
-					mysql_real_escape_string($pkg_version),
-					mysql_real_escape_string($new_pkgbuild['license']),
-					mysql_real_escape_string($new_pkgbuild['pkgdesc']),
-					mysql_real_escape_string($new_pkgbuild['url']),
+					db_escape_string($new_pkgbuild['pkgname']),
+					db_escape_string($pkg_version),
+					db_escape_string($new_pkgbuild['license']),
+					db_escape_string($new_pkgbuild['pkgdesc']),
+					db_escape_string($new_pkgbuild['url']),
 					$uid,
 					$packageID);

@ -359,12 +359,12 @@ if ($uid):
 			} else {
 				# This is a brand new package
 				$q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
-					mysql_real_escape_string($new_pkgbuild['pkgname']),
-					mysql_real_escape_string($new_pkgbuild['license']),
-					mysql_real_escape_string($pkg_version),
+					db_escape_string($new_pkgbuild['pkgname']),
+					db_escape_string($new_pkgbuild['license']),
+					db_escape_string($pkg_version),
 					$category_id,
-					mysql_real_escape_string($new_pkgbuild['pkgdesc']),
-					mysql_real_escape_string($new_pkgbuild['url']),
+					db_escape_string($new_pkgbuild['pkgdesc']),
+					db_escape_string($new_pkgbuild['url']),
 					$uid,
 					$uid);

@ -389,8 +389,8 @@ if ($uid):

 					$q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')",
 						$packageID,
-						mysql_real_escape_string($deppkgname),
-						mysql_real_escape_string($depcondition));
+						db_escape_string($deppkgname),
+						db_escape_string($depcondition));

 					db_query($q, $dbh);
 				}
@ -401,7 +401,7 @@ if ($uid):
 			foreach ($sources as $src) {
 				if ($src != "" ) {
 					$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
-					$q .= $packageID . ", '" . mysql_real_escape_string($src) . "')";
+					$q .= $packageID . ", '" . db_escape_string($src) . "')";
 					db_query($q, $dbh);
 				}
 			}
--- a/web/html/voters.php
+++ b/web/html/voters.php
@ -5,7 +5,7 @@ include('pkgfuncs.inc.php');

 function getvotes($pkgid) {
 	$dbh = db_connect();
-	$pkgid = mysql_real_escape_string($pkgid);
+	$pkgid = db_escape_string($pkgid);

 	$result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh);
 	return $result;