Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
parent
e1687f1830
commit
10b6a8fff7
12 changed files with 67 additions and 61 deletions
|
@ -111,7 +111,7 @@ if (isset($_COOKIE["AURSID"])) {
|
||||||
$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
|
$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
|
||||||
$q.= "AND Users.ID = Sessions.UsersID ";
|
$q.= "AND Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND Sessions.SessionID = '";
|
$q.= "AND Sessions.SessionID = '";
|
||||||
$q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
|
$q.= db_escape_string($_COOKIE["AURSID"])."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!mysql_num_rows($result)) {
|
if (!mysql_num_rows($result)) {
|
||||||
print __("Could not retrieve information for the specified user.");
|
print __("Could not retrieve information for the specified user.");
|
||||||
|
|
|
@ -20,7 +20,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
|
||||||
$error = "";
|
$error = "";
|
||||||
|
|
||||||
if (!empty($_POST['user'])) {
|
if (!empty($_POST['user'])) {
|
||||||
$qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'";
|
$qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape_string($_POST['user']) . "'";
|
||||||
$result = db_query($qcheck, $dbh);
|
$result = db_query($qcheck, $dbh);
|
||||||
if ($result) {
|
if ($result) {
|
||||||
$check = mysql_num_rows($result);
|
$check = mysql_num_rows($result);
|
||||||
|
@ -32,7 +32,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
|
||||||
if ($check == 0) {
|
if ($check == 0) {
|
||||||
$error.= __("Username does not exist.");
|
$error.= __("Username does not exist.");
|
||||||
} else {
|
} else {
|
||||||
$qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'";
|
$qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($_POST['user']) . "'";
|
||||||
$qcheck.= " AND End > UNIX_TIMESTAMP()";
|
$qcheck.= " AND End > UNIX_TIMESTAMP()";
|
||||||
$result = db_query($qcheck, $dbh);
|
$result = db_query($qcheck, $dbh);
|
||||||
if ($result) {
|
if ($result) {
|
||||||
|
@ -67,9 +67,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
|
||||||
|
|
||||||
if (!empty($_POST['addVote']) && empty($error)) {
|
if (!empty($_POST['addVote']) && empty($error)) {
|
||||||
$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
|
$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
|
||||||
$q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', ";
|
$q.= "('" . db_escape_string($_POST['agenda']) . "', ";
|
||||||
$q.= "'" . mysql_real_escape_string($_POST['user']) . "', ";
|
$q.= "'" . db_escape_string($_POST['user']) . "', ";
|
||||||
$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len);
|
$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($len);
|
||||||
$q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")";
|
$q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")";
|
||||||
|
|
||||||
db_query($q, $dbh);
|
db_query($q, $dbh);
|
||||||
|
|
|
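Review bot: `db_escape_string($len)` on the new line is concatenated unquoted into `UNIX_TIMESTAMP() + …`; string escaping only neutralises quote and backslash characters, so it does not constrain a value placed in a numeric position of the statement. Since `$len` is used arithmetically, cast it the way this file already does for IDs: `$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . intval($len);`. The same pattern appears in the getvotes hunk (`WHERE PackageID = $pkgid` after `$pkgid = db_escape_string($pkgid)`) and the username_from_id hunk (`WHERE ID = " . db_escape_string($id)`), where `intval` is likewise the right tool. Where `$len` is assigned is outside this hunk.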
@ -12,7 +12,7 @@ include_once("acctfuncs.inc.php"); # access AUR common functions
|
||||||
if (isset($_COOKIE["AURSID"])) {
|
if (isset($_COOKIE["AURSID"])) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
$q = "DELETE FROM Sessions WHERE SessionID = '";
|
$q = "DELETE FROM Sessions WHERE SessionID = '";
|
||||||
$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
|
$q.= db_escape_string($_COOKIE["AURSID"]) . "'";
|
||||||
db_query($q, $dbh);
|
db_query($q, $dbh);
|
||||||
# setting expiration to 1 means '1 second after midnight January 1, 1970'
|
# setting expiration to 1 means '1 second after midnight January 1, 1970'
|
||||||
setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
|
setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
|
||||||
|
|
|
@ -40,8 +40,8 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
|
||||||
Salt = '$salt',
|
Salt = '$salt',
|
||||||
ResetKey = ''
|
ResetKey = ''
|
||||||
WHERE ResetKey != ''
|
WHERE ResetKey != ''
|
||||||
AND ResetKey = '".mysql_real_escape_string($resetkey)."'
|
AND ResetKey = '".db_escape_string($resetkey)."'
|
||||||
AND Email = '".mysql_real_escape_string($email)."'";
|
AND Email = '".db_escape_string($email)."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!mysql_affected_rows($dbh)) {
|
if (!mysql_affected_rows($dbh)) {
|
||||||
$error = __('Invalid e-mail and reset key combination.');
|
$error = __('Invalid e-mail and reset key combination.');
|
||||||
|
|
|
@ -301,7 +301,7 @@ if ($uid):
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
db_query("BEGIN", $dbh);
|
db_query("BEGIN", $dbh);
|
||||||
|
|
||||||
$q = "SELECT * FROM Packages WHERE Name = '" . mysql_real_escape_string($new_pkgbuild['pkgname']) . "'";
|
$q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($new_pkgbuild['pkgname']) . "'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
$pdata = mysql_fetch_assoc($result);
|
$pdata = mysql_fetch_assoc($result);
|
||||||
|
|
||||||
|
@ -346,11 +346,11 @@ if ($uid):
|
||||||
|
|
||||||
# Update package data
|
# Update package data
|
||||||
$q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
|
$q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
|
||||||
mysql_real_escape_string($new_pkgbuild['pkgname']),
|
db_escape_string($new_pkgbuild['pkgname']),
|
||||||
mysql_real_escape_string($pkg_version),
|
db_escape_string($pkg_version),
|
||||||
mysql_real_escape_string($new_pkgbuild['license']),
|
db_escape_string($new_pkgbuild['license']),
|
||||||
mysql_real_escape_string($new_pkgbuild['pkgdesc']),
|
db_escape_string($new_pkgbuild['pkgdesc']),
|
||||||
mysql_real_escape_string($new_pkgbuild['url']),
|
db_escape_string($new_pkgbuild['url']),
|
||||||
$uid,
|
$uid,
|
||||||
$packageID);
|
$packageID);
|
||||||
|
|
||||||
|
@ -359,12 +359,12 @@ if ($uid):
|
||||||
} else {
|
} else {
|
||||||
# This is a brand new package
|
# This is a brand new package
|
||||||
$q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
|
$q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
|
||||||
mysql_real_escape_string($new_pkgbuild['pkgname']),
|
db_escape_string($new_pkgbuild['pkgname']),
|
||||||
mysql_real_escape_string($new_pkgbuild['license']),
|
db_escape_string($new_pkgbuild['license']),
|
||||||
mysql_real_escape_string($pkg_version),
|
db_escape_string($pkg_version),
|
||||||
$category_id,
|
$category_id,
|
||||||
mysql_real_escape_string($new_pkgbuild['pkgdesc']),
|
db_escape_string($new_pkgbuild['pkgdesc']),
|
||||||
mysql_real_escape_string($new_pkgbuild['url']),
|
db_escape_string($new_pkgbuild['url']),
|
||||||
$uid,
|
$uid,
|
||||||
$uid);
|
$uid);
|
||||||
|
|
||||||
|
@ -389,8 +389,8 @@ if ($uid):
|
||||||
|
|
||||||
$q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')",
|
$q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')",
|
||||||
$packageID,
|
$packageID,
|
||||||
mysql_real_escape_string($deppkgname),
|
db_escape_string($deppkgname),
|
||||||
mysql_real_escape_string($depcondition));
|
db_escape_string($depcondition));
|
||||||
|
|
||||||
db_query($q, $dbh);
|
db_query($q, $dbh);
|
||||||
}
|
}
|
||||||
|
@ -401,7 +401,7 @@ if ($uid):
|
||||||
foreach ($sources as $src) {
|
foreach ($sources as $src) {
|
||||||
if ($src != "" ) {
|
if ($src != "" ) {
|
||||||
$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
|
$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
|
||||||
$q .= $packageID . ", '" . mysql_real_escape_string($src) . "')";
|
$q .= $packageID . ", '" . db_escape_string($src) . "')";
|
||||||
db_query($q, $dbh);
|
db_query($q, $dbh);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,7 +5,7 @@ include('pkgfuncs.inc.php');
|
||||||
|
|
||||||
function getvotes($pkgid) {
|
function getvotes($pkgid) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
$pkgid = mysql_real_escape_string($pkgid);
|
$pkgid = db_escape_string($pkgid);
|
||||||
|
|
||||||
$result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh);
|
$result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh);
|
||||||
return $result;
|
return $result;
|
||||||
|
|
|
@ -225,7 +225,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
|
||||||
# NOTE: a race condition exists here if we care...
|
# NOTE: a race condition exists here if we care...
|
||||||
#
|
#
|
||||||
$q = "SELECT COUNT(*) AS CNT FROM Users ";
|
$q = "SELECT COUNT(*) AS CNT FROM Users ";
|
||||||
$q.= "WHERE Username = '".mysql_real_escape_string($U)."'";
|
$q.= "WHERE Username = '".db_escape_string($U)."'";
|
||||||
if ($TYPE == "edit") {
|
if ($TYPE == "edit") {
|
||||||
$q.= " AND ID != ".intval($UID);
|
$q.= " AND ID != ".intval($UID);
|
||||||
}
|
}
|
||||||
|
@ -243,7 +243,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
|
||||||
# NOTE: a race condition exists here if we care...
|
# NOTE: a race condition exists here if we care...
|
||||||
#
|
#
|
||||||
$q = "SELECT COUNT(*) AS CNT FROM Users ";
|
$q = "SELECT COUNT(*) AS CNT FROM Users ";
|
||||||
$q.= "WHERE Email = '".mysql_real_escape_string($E)."'";
|
$q.= "WHERE Email = '".db_escape_string($E)."'";
|
||||||
if ($TYPE == "edit") {
|
if ($TYPE == "edit") {
|
||||||
$q.= " AND ID != ".intval($UID);
|
$q.= " AND ID != ".intval($UID);
|
||||||
}
|
}
|
||||||
|
@ -265,7 +265,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
|
||||||
# no errors, go ahead and create the unprivileged user
|
# no errors, go ahead and create the unprivileged user
|
||||||
$salt = generate_salt();
|
$salt = generate_salt();
|
||||||
$P = salted_hash($P, $salt);
|
$P = salted_hash($P, $salt);
|
||||||
$escaped = array_map('mysql_real_escape_string',
|
$escaped = array_map('db_escape_string',
|
||||||
array($U, $E, $P, $salt, $R, $L, $I));
|
array($U, $E, $P, $salt, $R, $L, $I));
|
||||||
$q = "INSERT INTO Users (" .
|
$q = "INSERT INTO Users (" .
|
||||||
"AccountTypeID, Suspended, Username, Email, Passwd, Salt" .
|
"AccountTypeID, Suspended, Username, Email, Passwd, Salt" .
|
||||||
|
@ -289,7 +289,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
|
||||||
# no errors, go ahead and modify the user account
|
# no errors, go ahead and modify the user account
|
||||||
|
|
||||||
$q = "UPDATE Users SET ";
|
$q = "UPDATE Users SET ";
|
||||||
$q.= "Username = '".mysql_real_escape_string($U)."'";
|
$q.= "Username = '".db_escape_string($U)."'";
|
||||||
if ($T) {
|
if ($T) {
|
||||||
$q.= ", AccountTypeID = ".intval($T);
|
$q.= ", AccountTypeID = ".intval($T);
|
||||||
}
|
}
|
||||||
|
@ -298,15 +298,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
|
||||||
} else {
|
} else {
|
||||||
$q.= ", Suspended = 0";
|
$q.= ", Suspended = 0";
|
||||||
}
|
}
|
||||||
$q.= ", Email = '".mysql_real_escape_string($E)."'";
|
$q.= ", Email = '".db_escape_string($E)."'";
|
||||||
if ($P) {
|
if ($P) {
|
||||||
$salt = generate_salt();
|
$salt = generate_salt();
|
||||||
$hash = salted_hash($P, $salt);
|
$hash = salted_hash($P, $salt);
|
||||||
$q .= ", Passwd = '$hash', Salt = '$salt'";
|
$q .= ", Passwd = '$hash', Salt = '$salt'";
|
||||||
}
|
}
|
||||||
$q.= ", RealName = '".mysql_real_escape_string($R)."'";
|
$q.= ", RealName = '".db_escape_string($R)."'";
|
||||||
$q.= ", LangPreference = '".mysql_real_escape_string($L)."'";
|
$q.= ", LangPreference = '".db_escape_string($L)."'";
|
||||||
$q.= ", IRCNick = '".mysql_real_escape_string($I)."'";
|
$q.= ", IRCNick = '".db_escape_string($I)."'";
|
||||||
$q.= " WHERE ID = ".intval($UID);
|
$q.= " WHERE ID = ".intval($UID);
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
|
@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
|
||||||
$search_vars[] = "S";
|
$search_vars[] = "S";
|
||||||
}
|
}
|
||||||
if ($U) {
|
if ($U) {
|
||||||
$q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' ";
|
$q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
|
||||||
$search_vars[] = "U";
|
$search_vars[] = "U";
|
||||||
}
|
}
|
||||||
if ($E) {
|
if ($E) {
|
||||||
$q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' ";
|
$q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
|
||||||
$search_vars[] = "E";
|
$search_vars[] = "E";
|
||||||
}
|
}
|
||||||
if ($R) {
|
if ($R) {
|
||||||
$q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' ";
|
$q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
|
||||||
$search_vars[] = "R";
|
$search_vars[] = "R";
|
||||||
}
|
}
|
||||||
if ($I) {
|
if ($I) {
|
||||||
$q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' ";
|
$q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
|
||||||
$search_vars[] = "I";
|
$search_vars[] = "I";
|
||||||
}
|
}
|
||||||
switch ($SB) {
|
switch ($SB) {
|
||||||
|
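Review bot: The four `LIKE '%…%'` lines in this hunk pass user input through `db_escape_string` only, which leaves the `%` and `_` wildcard characters active in the pattern; the AurJSON search hunk in this same commit follows the escape with `addcslashes($keyword_string, '%_')` for exactly that reason. Apply the same treatment here so both search paths have the same semantics, e.g. `$q.= "AND Username LIKE '%".addcslashes(db_escape_string($U), '%_')."%' ";` and likewise for `$E`, `$R` and `$I`; keep the escape before the `addcslashes` call, as AurJSON does, so the added backslashes are not themselves re-escaped. search_results_page starts and ends outside the hunk.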
@ -716,7 +716,7 @@ function valid_user( $user )
|
||||||
if ( $user ) {
|
if ( $user ) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
$q = "SELECT ID FROM Users WHERE Username = '"
|
$q = "SELECT ID FROM Users WHERE Username = '"
|
||||||
. mysql_real_escape_string($user). "'";
|
. db_escape_string($user). "'";
|
||||||
|
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
# Is the username in the database?
|
# Is the username in the database?
|
||||||
|
|
|
@ -29,7 +29,7 @@ function check_sid($dbh=NULL) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
}
|
}
|
||||||
$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
|
$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
|
||||||
$q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
|
$q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (mysql_num_rows($result) == 0) {
|
if (mysql_num_rows($result) == 0) {
|
||||||
# Invalid SessionID - hacker alert!
|
# Invalid SessionID - hacker alert!
|
||||||
|
@ -53,7 +53,7 @@ function check_sid($dbh=NULL) {
|
||||||
# session id timeout was reached and they must login again.
|
# session id timeout was reached and they must login again.
|
||||||
#
|
#
|
||||||
$q = "DELETE FROM Sessions WHERE SessionID = '";
|
$q = "DELETE FROM Sessions WHERE SessionID = '";
|
||||||
$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
|
$q.= db_escape_string($_COOKIE["AURSID"]) . "'";
|
||||||
db_query($q, $dbh);
|
db_query($q, $dbh);
|
||||||
|
|
||||||
setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
|
setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
|
||||||
|
@ -69,7 +69,7 @@ function check_sid($dbh=NULL) {
|
||||||
# overwritten.
|
# overwritten.
|
||||||
if ($last_update < time() + $LOGIN_TIMEOUT) {
|
if ($last_update < time() + $LOGIN_TIMEOUT) {
|
||||||
$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
|
$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
|
||||||
$q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'";
|
$q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'";
|
||||||
db_query($q, $dbh);
|
db_query($q, $dbh);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) {
|
||||||
if(!$dbh) {
|
if(!$dbh) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
}
|
}
|
||||||
$q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id);
|
$q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id);
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
return "None";
|
return "None";
|
||||||
|
@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) {
|
||||||
$q = "SELECT Username ";
|
$q = "SELECT Username ";
|
||||||
$q.= "FROM Users, Sessions ";
|
$q.= "FROM Users, Sessions ";
|
||||||
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
|
$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
return "";
|
return "";
|
||||||
|
@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) {
|
||||||
$q = "SELECT Email ";
|
$q = "SELECT Email ";
|
||||||
$q.= "FROM Users, Sessions ";
|
$q.= "FROM Users, Sessions ";
|
||||||
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
|
$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
return "";
|
return "";
|
||||||
|
@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) {
|
||||||
$q.= "FROM Users, AccountTypes, Sessions ";
|
$q.= "FROM Users, AccountTypes, Sessions ";
|
||||||
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
|
$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
|
||||||
$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
|
$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
return "";
|
return "";
|
||||||
|
@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) {
|
||||||
$q = "SELECT Users.ID ";
|
$q = "SELECT Users.ID ";
|
||||||
$q.= "FROM Users, Sessions ";
|
$q.= "FROM Users, Sessions ";
|
||||||
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
|
$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -223,6 +223,12 @@ function db_connect() {
|
||||||
return $handle;
|
return $handle;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Escape strings for SQL query usage.
|
||||||
|
# Wraps the database driver's provided method (for convenience and porting).
|
||||||
|
function db_escape_string($string) {
|
||||||
|
return mysql_real_escape_string($string);
|
||||||
|
}
|
||||||
|
|
||||||
# disconnect from the database
|
# disconnect from the database
|
||||||
# this won't normally be needed as PHP/reference counting will take care of
|
# this won't normally be needed as PHP/reference counting will take care of
|
||||||
# closing the connection once it is no longer referenced
|
# closing the connection once it is no longer referenced
|
||||||
|
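Review bot: The new `db_escape_string($string)` accepts a single argument, yet the AurJSON hunks in this commit call `db_escape_string($arg, $this->dbh)`, `db_escape_string($keyword_string, $this->dbh)`, `db_escape_string($pqdata, $this->dbh)` and `db_escape_string($maintainer, $this->dbh)`; PHP silently discards the extra argument, so the explicit link those call sites relied on is dropped and `mysql_real_escape_string` falls back to the last-opened connection (and returns `false` with a warning if there is none, which concatenates as an empty string). Forward the link when one is given: `function db_escape_string($string, $dbh=NULL) {` / `return $dbh ? mysql_real_escape_string($string, $dbh) : mysql_real_escape_string($string);`. The header comment could also state the precondition, e.g. `# Requires an open database connection; pass $dbh to select one explicitly.`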
@ -290,7 +296,7 @@ function set_lang($dbh=NULL) {
|
||||||
$q = "SELECT LangPreference FROM Users, Sessions ";
|
$q = "SELECT LangPreference FROM Users, Sessions ";
|
||||||
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND Sessions.SessionID = '";
|
$q.= "AND Sessions.SessionID = '";
|
||||||
$q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
|
$q.= db_escape_string($_COOKIE["AURSID"])."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
|
|
||||||
if ($result) {
|
if ($result) {
|
||||||
|
@ -355,7 +361,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
}
|
}
|
||||||
$q = "SELECT MaintainerUID ";
|
$q = "SELECT MaintainerUID ";
|
||||||
$q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'";
|
$q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (mysql_num_rows($result) == 0) {return 1;}
|
if (mysql_num_rows($result) == 0) {return 1;}
|
||||||
$row = mysql_fetch_row($result);
|
$row = mysql_fetch_row($result);
|
||||||
|
@ -428,7 +434,7 @@ function uid_from_username($username="", $dbh=NULL)
|
||||||
if(!$dbh) {
|
if(!$dbh) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
}
|
}
|
||||||
$q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username)
|
$q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username)
|
||||||
."'";
|
."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
|
@ -449,7 +455,7 @@ function uid_from_email($email="", $dbh=NULL)
|
||||||
if(!$dbh) {
|
if(!$dbh) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
}
|
}
|
||||||
$q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email)
|
$q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email)
|
||||||
."'";
|
."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
|
|
|
@ -166,7 +166,7 @@ class AurJSON {
|
||||||
if (is_numeric($arg)) {
|
if (is_numeric($arg)) {
|
||||||
$id_args[] = intval($arg);
|
$id_args[] = intval($arg);
|
||||||
} else {
|
} else {
|
||||||
$escaped = mysql_real_escape_string($arg, $this->dbh);
|
$escaped = db_escape_string($arg, $this->dbh);
|
||||||
$name_args[] = "'" . $escaped . "'";
|
$name_args[] = "'" . $escaped . "'";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -184,7 +184,7 @@ class AurJSON {
|
||||||
return $this->json_error('Query arg too small');
|
return $this->json_error('Query arg too small');
|
||||||
}
|
}
|
||||||
|
|
||||||
$keyword_string = mysql_real_escape_string($keyword_string, $this->dbh);
|
$keyword_string = db_escape_string($keyword_string, $this->dbh);
|
||||||
$keyword_string = addcslashes($keyword_string, '%_');
|
$keyword_string = addcslashes($keyword_string, '%_');
|
||||||
|
|
||||||
$where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
|
$where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
|
||||||
|
@ -207,7 +207,7 @@ class AurJSON {
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$where_condition = sprintf("Name=\"%s\"",
|
$where_condition = sprintf("Name=\"%s\"",
|
||||||
mysql_real_escape_string($pqdata, $this->dbh));
|
db_escape_string($pqdata, $this->dbh));
|
||||||
}
|
}
|
||||||
return $this->process_query('info', $where_condition);
|
return $this->process_query('info', $where_condition);
|
||||||
}
|
}
|
||||||
|
@ -249,7 +249,7 @@ class AurJSON {
|
||||||
* @return mixed Returns an array of value data containing the package data
|
* @return mixed Returns an array of value data containing the package data
|
||||||
**/
|
**/
|
||||||
private function msearch($maintainer) {
|
private function msearch($maintainer) {
|
||||||
$maintainer = mysql_real_escape_string($maintainer, $this->dbh);
|
$maintainer = db_escape_string($maintainer, $this->dbh);
|
||||||
|
|
||||||
$where_condition = "Users.Username = '{$maintainer}'";
|
$where_condition = "Users.Username = '{$maintainer}'";
|
||||||
|
|
||||||
|
|
|
@ -100,7 +100,7 @@ function pkgid_from_name($name="", $dbh=NULL) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
}
|
}
|
||||||
$q = "SELECT ID FROM Packages ";
|
$q = "SELECT ID FROM Packages ";
|
||||||
$q.= "WHERE Name = '".mysql_real_escape_string($name)."' ";
|
$q.= "WHERE Name = '".db_escape_string($name)."' ";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {return NULL;}
|
if (!$result) {return NULL;}
|
||||||
$row = mysql_fetch_row($result);
|
$row = mysql_fetch_row($result);
|
||||||
|
@ -137,7 +137,7 @@ function package_required($name="", $dbh=NULL) {
|
||||||
}
|
}
|
||||||
$q = "SELECT p.Name, PackageID FROM PackageDepends pd ";
|
$q = "SELECT p.Name, PackageID FROM PackageDepends pd ";
|
||||||
$q.= "JOIN Packages p ON pd.PackageID = p.ID ";
|
$q.= "JOIN Packages p ON pd.PackageID = p.ID ";
|
||||||
$q.= "WHERE DepName = '".mysql_real_escape_string($name)."' ";
|
$q.= "WHERE DepName = '".db_escape_string($name)."' ";
|
||||||
$q.= "ORDER BY p.Name";
|
$q.= "ORDER BY p.Name";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if (!$result) {return array();}
|
if (!$result) {return array();}
|
||||||
|
@ -234,7 +234,7 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) {
|
||||||
$q.= "FROM PackageVotes, Users, Sessions ";
|
$q.= "FROM PackageVotes, Users, Sessions ";
|
||||||
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND Users.ID = PackageVotes.UsersID ";
|
$q.= "AND Users.ID = PackageVotes.UsersID ";
|
||||||
$q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'";
|
$q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if ($result) {
|
if ($result) {
|
||||||
while ($row = mysql_fetch_row($result)) {
|
while ($row = mysql_fetch_row($result)) {
|
||||||
|
@ -257,7 +257,7 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) {
|
||||||
$q.= "FROM CommentNotify, Users, Sessions ";
|
$q.= "FROM CommentNotify, Users, Sessions ";
|
||||||
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
$q.= "WHERE Users.ID = Sessions.UsersID ";
|
||||||
$q.= "AND Users.ID = CommentNotify.UserID ";
|
$q.= "AND Users.ID = CommentNotify.UserID ";
|
||||||
$q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'";
|
$q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
if ($result) {
|
if ($result) {
|
||||||
while ($row = mysql_fetch_row($result)) {
|
while ($row = mysql_fetch_row($result)) {
|
||||||
|
@ -291,7 +291,7 @@ function pkgname_is_blacklisted($name, $dbh=NULL) {
|
||||||
if(!$dbh) {
|
if(!$dbh) {
|
||||||
$dbh = db_connect();
|
$dbh = db_connect();
|
||||||
}
|
}
|
||||||
$q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . mysql_real_escape_string($name) . "'";
|
$q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'";
|
||||||
$result = db_query($q, $dbh);
|
$result = db_query($q, $dbh);
|
||||||
|
|
||||||
if (!$result) return false;
|
if (!$result) return false;
|
||||||
|
@ -457,7 +457,7 @@ function pkg_search_page($SID="", $dbh=NULL) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_GET['K'])) {
|
if (isset($_GET['K'])) {
|
||||||
$_GET['K'] = mysql_real_escape_string(trim($_GET['K']));
|
$_GET['K'] = db_escape_string(trim($_GET['K']));
|
||||||
|
|
||||||
# Search by maintainer
|
# Search by maintainer
|
||||||
if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
|
if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
|
||||||
|
|
|
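Review bot: `$_GET['K'] = db_escape_string(trim($_GET['K']))` overwrites the request value with a SQL-escaped form, which is only correct in a SQL context; if `K` is read again later in pkg_search_page for display or for building result links (not visible in this hunk), the backslashes added by the escape would be carried into that output. Keep the raw value in `$_GET` and escape into a local at the query site, e.g. `$K = db_escape_string(trim($_GET['K']));`, then use `$K` where the query string is assembled. pkg_search_page starts and ends outside the hunk.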
@ -20,7 +20,7 @@ function updates_table($dbh)
|
||||||
|
|
||||||
function user_table($user, $dbh)
|
function user_table($user, $dbh)
|
||||||
{
|
{
|
||||||
$escuser = mysql_real_escape_string($user);
|
$escuser = db_escape_string($user);
|
||||||
$base_q = "SELECT count(*) FROM Packages,Users WHERE Packages.MaintainerUID = Users.ID AND Users.Username='" . $escuser . "'";
|
$base_q = "SELECT count(*) FROM Packages,Users WHERE Packages.MaintainerUID = Users.ID AND Users.Username='" . $escuser . "'";
|
||||||
|
|
||||||
$maintainer_unsupported_count = db_cache_value($base_q, $dbh,
|
$maintainer_unsupported_count = db_cache_value($base_q, $dbh,
|
||||||
|
|
|
@ -7,7 +7,7 @@ if (isset($_REQUEST['comment'])) {
|
||||||
$q = 'INSERT INTO PackageComments ';
|
$q = 'INSERT INTO PackageComments ';
|
||||||
$q.= '(PackageID, UsersID, Comments, CommentTS) VALUES (';
|
$q.= '(PackageID, UsersID, Comments, CommentTS) VALUES (';
|
||||||
$q.= intval($_REQUEST['ID']) . ', ' . uid_from_sid($_COOKIE['AURSID']) . ', ';
|
$q.= intval($_REQUEST['ID']) . ', ' . uid_from_sid($_COOKIE['AURSID']) . ', ';
|
||||||
$q.= "'" . mysql_real_escape_string($_REQUEST['comment']) . "', ";
|
$q.= "'" . db_escape_string($_REQUEST['comment']) . "', ";
|
||||||
$q.= 'UNIX_TIMESTAMP())';
|
$q.= 'UNIX_TIMESTAMP())';
|
||||||
db_query($q, $dbh);
|
db_query($q, $dbh);
|
||||||
|
|
||||||
|
|