account.php: Pull out DB code

* Move DB code in account.php to new functions in  acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
* Consolidate redudant SQL statements from DisplayAccount and AccountInfo
* Consolidation also adds ability to edit accounts based on username

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

web/html/account.php

@@ -44,17 +44,10 @@ if (isset($_COOKIE["AURSID"])) {
 	} elseif ($action == "DisplayAccount") {
 		# the user has clicked 'edit', display the account details in a form
 		#
-		$q = "SELECT Users.*, AccountTypes.AccountType ";
+		$row = account_details(in_request("ID"), in_request("U"));
-		$q.= "FROM Users, AccountTypes ";
+		if (empty($row)) {
-		$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
-		$q.= "AND Users.ID = ".intval(in_request("ID"));
-		$result = db_query($q, $dbh);
-		if (!mysql_num_rows($result)) {
 			print __("Could not retrieve information for the specified user.");
-
 		} else {
-			$row = mysql_fetch_assoc($result);
-
 			# double check to make sure logged in user can edit this account
 			#
 			if ($atype == "User" || ($atype == "Trusted User" && $row["AccountType"] == "Developer")) {
@@ -71,19 +64,10 @@ if (isset($_COOKIE["AURSID"])) {
 	} elseif ($action == "AccountInfo") {
 		# no editing, just looking up user info
 		#
-		$q = "SELECT Users.*, AccountTypes.AccountType ";
+		$row = account_details(in_request("ID"), in_request("U"));
-		$q.= "FROM Users, AccountTypes ";
+		if (empty($row)) {
-		$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
-		if (isset($_REQUEST["ID"])) {
-			$q.= "AND Users.ID = ".intval(in_request("ID"));
-		} else {
-			$q.= "AND Users.Username = '".db_escape_string(in_request("U")) . "'";
-		}
-		$result = db_query($q, $dbh);
-		if (!mysql_num_rows($result)) {
 			print __("Could not retrieve information for the specified user.");
 		} else {
-			$row = mysql_fetch_assoc($result);
 		display_account_info($row["Username"],
 					$row["AccountType"], $row["Email"], $row["RealName"],
 					$row["IRCNick"], $row["PGPKey"], $row["LastVoted"]);
@@ -110,18 +94,10 @@ if (isset($_COOKIE["AURSID"])) {
 			# A normal user, give them the ability to edit
 			# their own account
 			#
-			$q = "SELECT Users.*, AccountTypes.AccountType ";
+			$row = own_account_details($_COOKIE["AURSID"]);
-			$q.= "FROM Users, AccountTypes, Sessions ";
+			if (empty($row)) {
-			$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
-			$q.= "AND Users.ID = Sessions.UsersID ";
-			$q.= "AND Sessions.SessionID = '";
-			$q.= db_escape_string($_COOKIE["AURSID"])."'";
-			$result = db_query($q, $dbh);
-			if (!mysql_num_rows($result)) {
 				print __("Could not retrieve information for the specified user.");
-
 			} else {
-				$row = mysql_fetch_assoc($result);
 				# don't need to check if they have permissions, this is a
 				# normal user editing themselves.
 				#

web/lib/acctfuncs.inc.php

@@ -740,3 +740,42 @@ function clear_expired_sessions($dbh=NULL) {
 	return;
 }
 
+function account_details($uid, $username, $dbh=NULL) {
+	if(!$dbh) {
+		$dbh = db_connect();
+	}
+	$q = "SELECT Users.*, AccountTypes.AccountType ";
+	$q.= "FROM Users, AccountTypes ";
+	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
+	if (!empty($uid)) {
+		$q.= "AND Users.ID = ".intval($uid);
+	} else {
+		$q.= "AND Users.Username = '".db_escape_string($username) . "'";
+	}
+	$result = db_query($q, $dbh);
+
+	if ($result) {
+		$row = mysql_fetch_assoc($result);
+	}
+
+	return $row;
+}
+
+function own_account_details($sid, $dbh=NULL) {
+	if(!$dbh) {
+		$dbh = db_connect();
+	}
+	$q = "SELECT Users.*, AccountTypes.AccountType ";
+	$q.= "FROM Users, AccountTypes, Sessions ";
+	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
+	$q.= "AND Users.ID = Sessions.UsersID ";
+	$q.= "AND Sessions.SessionID = '";
+	$q.= db_escape_string($sid)."'";
+	$result = db_query($q, $dbh);
+
+	if ($result) {
+		$row = mysql_fetch_assoc($result);
+	}
+
+	return $row;
+}