Migrate all DB code to use PDO

All DB code currently uses the quickly aging mysql_* functions. These functions are strongly discouraged and may eventually be deprecated. Transition all code to utilize the PDO data access abstraction layer. PDO allows for consistent query code across multiple databases. This could potentially allow for someone to use a database other than MySQL with minimal code changes. All functions and behaviors are reproduced as faithfully as possible with PDO equivalents and some changes in code. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2025-02-03 10:43:03 +01:00 · 2012-08-08 18:09:51 -04:00 · 2012-08-08 18:09:51 -04:00 · e171f6f34e
commit e171f6f34e
parent b3393208fb
11 changed files with 355 additions and 383 deletions
--- a/2
+++ b/2
@ -45,7 +45,7 @@ Setup on Arch Linux:
   Make sure you have mysql and json enabled in PHP.
 - Edit php.ini and uncomment/add these lines:
-   extension=mysql.so
+   extension=pdo_mysql.so
   extension=json.so
   If those php extensions are separate packages on your system, install
--- a/2
+++ b/2
@ -15,6 +15,8 @@ ALTER TABLE Users ADD COLUMN PGPKey VARCHAR(40) NULL DEFAULT NULL;
 3. Update Archive_Tar to version greater than 1.3.7.
 4. Enable the PDO MySQL extension (pdo_mysql.so) in "php.ini".
 From 1.9.0 to 1.9.1
 -------------------
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@ -135,17 +135,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 		# NOTE: a race condition exists here if we care...
 		#
 		$q = "SELECT COUNT(*) AS CNT FROM Users ";
-		$q.= "WHERE Username = '".db_escape_string($U)."'";
+		$q.= "WHERE Username = " . $dbh->quote($U);
 		if ($TYPE == "edit") {
 			$q.= " AND ID != ".intval($UID);
 		}
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if ($result) {
+		$row = $result->fetch(PDO::FETCH_NUM);
-			$row = mysql_fetch_array($result);
+
-			if ($row[0]) {
+		if ($row[0]) {
-				$error = __("The username, %s%s%s, is already in use.",
+			$error = __("The username, %s%s%s, is already in use.",
-					"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
+				"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
 			}
 		}
 	}
 	if (!$error) {
@ -153,17 +152,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 		# NOTE: a race condition exists here if we care...
 		#
 		$q = "SELECT COUNT(*) AS CNT FROM Users ";
-		$q.= "WHERE Email = '".db_escape_string($E)."'";
+		$q.= "WHERE Email = " . $dbh->quote($E);
 		if ($TYPE == "edit") {
 			$q.= " AND ID != ".intval($UID);
 		}
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if ($result) {
+		$row = $result->fetch(PDO::FETCH_NUM);
-			$row = mysql_fetch_array($result);
+
-			if ($row[0]) {
+		if ($row[0]) {
-				$error = __("The address, %s%s%s, is already in use.",
+			$error = __("The address, %s%s%s, is already in use.",
-						"<b>", htmlspecialchars($E,ENT_QUOTES), "</b>");
+					"<b>", htmlspecialchars($E,ENT_QUOTES), "</b>");
 			}
 		}
 	}
 	if ($error) {
@ -175,16 +173,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 			# no errors, go ahead and create the unprivileged user
 			$salt = generate_salt();
 			$P = salted_hash($P, $salt);
-			$escaped = array_map('db_escape_string',
+			$U = $dbh->quote($U);
-				array($U, $E, $P, $salt, $R, $L, $I, str_replace(" ", "", $K)));
+			$E = $dbh->quote($E);
-			$q = "INSERT INTO Users (" .
+			$P = $dbh->quote($P);
-				"AccountTypeID, Suspended, Username, Email, Passwd, Salt" .
+			$salt = $dbh->quote($salt);
-				", RealName, LangPreference, IRCNick, PGPKey) " .
+			$R = $dbh->quote($R);
-				"VALUES (1, 0, '" . implode("', '", $escaped) . "')";
+			$L = $dbh->quote($L);
-			$result = db_query($q, $dbh);
+			$I = $dbh->quote($I);
 			$K = $dbh->quote(str_replace(" ", "", $K));
 			$q = "INSERT INTO Users (AccountTypeID, Suspended, ";
 			$q.= "Username, Email, Passwd, Salt, RealName, ";
 			$q.= "LangPreference, IRCNick, PGPKey) VALUES (1, 0, ";
 			$q.= "$U, $E, $P, $salt, $R, $L, $I, $K)";
 			$result = $dbh->exec($q);
 			if (!$result) {
-				print __("Error trying to create account, %s%s%s: %s.",
+				print __("Error trying to create account, %s%s%s.",
-						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh));
+						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
 			} else {
 				# account created/modified, tell them so.
 				#
@ -199,7 +203,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 			# no errors, go ahead and modify the user account
 			$q = "UPDATE Users SET ";
-			$q.= "Username = '".db_escape_string($U)."'";
+			$q.= "Username = " . $dbh->quote($U);
 			if ($T) {
 				$q.= ", AccountTypeID = ".intval($T);
 			}
@ -208,21 +212,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 			} else {
 				$q.= ", Suspended = 0";
 			}
-			$q.= ", Email = '".db_escape_string($E)."'";
+			$q.= ", Email = " . $dbh->quote($E);
 			if ($P) {
 				$salt = generate_salt();
 				$hash = salted_hash($P, $salt);
 				$q .= ", Passwd = '$hash', Salt = '$salt'";
 			}
-			$q.= ", RealName = '".db_escape_string($R)."'";
+			$q.= ", RealName = " . $dbh->quote($R);
-			$q.= ", LangPreference = '".db_escape_string($L)."'";
+			$q.= ", LangPreference = " . $dbh->quote($L);
-			$q.= ", IRCNick = '".db_escape_string($I)."'";
+			$q.= ", IRCNick = " . $dbh->quote($I);
-			$q.= ", PGPKey = '".db_escape_string(str_replace(" ", "", $K))."'";
+			$q.= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
 			$q.= " WHERE ID = ".intval($UID);
-			$result = db_query($q, $dbh);
+			$result = $dbh->exec($q);
 			if (!$result) {
-				print __("Error trying to modify account, %s%s%s: %s.",
+				print __("Error trying to modify account, %s%s%s.",
-						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh));
+						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
 			} else {
 				print __("The account, %s%s%s, has been successfully modified.",
 						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
@ -265,6 +269,10 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
 	}
 	$search_vars = array();
 	if (!$dbh) {
 		$dbh = db_connect();
 	}
 	$q = "SELECT Users.*, AccountTypes.AccountType ";
 	$q.= "FROM Users, AccountTypes ";
 	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
@ -283,23 +291,28 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
 		$search_vars[] = "S";
 	}
 	if ($U) {
-		$q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
+		$U = "%" . addcslashes($U, '%_') . "%";
 		$q.= "AND Username LIKE " . $dbh->quote($U) . " ";
 		$search_vars[] = "U";
 	}
 	if ($E) {
-		$q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
+		$E = "%" . addcslashes($E, '%_') . "%";
 		$q.= "AND Email LIKE " . $dbh->quote($E) . " ";
 		$search_vars[] = "E";
 	}
 	if ($R) {
-		$q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
+		$R = "%" . addcslashes($R, '%_') . "%";
 		$q.= "AND RealName LIKE " . $dbh->quote($R) . " ";
 		$search_vars[] = "R";
 	}
 	if ($I) {
-		$q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
+		$I = "%" . addcslashes($I, '%_') . "%";
 		$q.= "AND IRCNick LIKE " . $dbh->quote($I) . " ";
 		$search_vars[] = "I";
 	}
 	if ($K) {
-		$q.= "AND PGPKey LIKE '%".db_escape_like(str_replace(" ", "", $K))."%' ";
+		$K = "%" . addcslashes(str_replace(" ", "", $K), '%_') . "%";
 		$q.= "AND PGPKey LIKE " . $dbh->quote($K) . " ";
 		$search_vars[] = "K";
 	}
 	switch ($SB) {
@ -326,10 +339,9 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
 		$dbh = db_connect();
 	}
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	$num_rows = mysql_num_rows($result);
-	while ($row = mysql_fetch_assoc($result)) {
+	while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 		$userinfo[] = $row;
 	}
@ -377,13 +389,13 @@ function try_login($dbh=NULL) {
 					$q.= "ON s.SessionID = q.SessionID ";
 					$q.= "WHERE s.UsersId = " . $userID . " ";
 					$q.= "AND q.SessionID IS NULL;";
-					db_query($q, $dbh);
+					$dbh->query($q);
 				}
 				$new_sid = new_sid();
 				$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
 				  ." VALUES (" . $userID . ", '" . $new_sid . "', UNIX_TIMESTAMP())";
-				$result = db_query($q, $dbh);
+				$result = $dbh->exec($q);
 				# Query will fail if $new_sid is not unique
 				if ($result) {
@ -397,7 +409,7 @@ function try_login($dbh=NULL) {
 			if ($logged_in) {
 				$q = "UPDATE Users SET LastLogin = UNIX_TIMESTAMP() ";
 				$q.= "WHERE ID = '$userID'";
-				db_query($q, $dbh);
+				$dbh->exec($q);
 				# set our SID cookie
 				if (isset($_POST['remember_me']) &&
@ -408,7 +420,7 @@ function try_login($dbh=NULL) {
 					# Set session for 30 days.
 					$q = "UPDATE Sessions SET LastUpdateTS = $cookie_time ";
 					$q.= "WHERE SessionID = '$new_sid'";
-					db_query($q, $dbh);
+					$dbh->exec($q);
 				}
 				else
 					$cookie_time = 0;
@ -472,13 +484,13 @@ function valid_user($user, $dbh=NULL) {
 	}
 	if ( $user ) {
-		$q = "SELECT ID FROM Users WHERE Username = '"
+		$q = "SELECT ID FROM Users ";
-			. db_escape_string($user). "'";
+		$q.= "WHERE Username = " . $dbh->quote($user);
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
 		# Is the username in the database?
 		if ($result) {
-			$row = mysql_fetch_row($result);
+			$row = $result->fetch(PDO::FETCH_NUM);
 			return $row[0];
 		}
 	}
@ -490,10 +502,10 @@ function open_user_proposals($user, $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($user) . "'";
+	$q = "SELECT * FROM TU_VoteInfo WHERE User = " . $dbh->quote($user) . " ";
-	$q.= " AND End > UNIX_TIMESTAMP()";
+	$q.= "AND End > UNIX_TIMESTAMP()";
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
-	if (mysql_num_rows($result)) {
+	if ($result->fetchColumn()) {
 		return true;
 	}
 	else {
@ -507,13 +519,12 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL)
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
 	$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
 	$q.= "('" . db_escape_string($agenda) . "', ";
 	$q.= "'" . db_escape_string($user) . "', ";
 	$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($votelength);
 	$q.= ", " . $submitteruid . ")";
 	db_query($q, $dbh);
 	$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
 	$q.= "(" . $dbh->quote($agenda) . ", " . $dbh->quote($user) . ", ";
 	$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . $dbh->quote($votelength);
 	$q.= ", " . $submitteruid . ")";
 	$result = $dbh->exec($q);
 }
 # Add a reset key for a specific user
@ -524,7 +535,7 @@ function create_resetkey($resetkey, $uid, $dbh=NULL) {
 	$q = "UPDATE Users ";
 	$q.= "SET ResetKey = '" . $resetkey . "' ";
 	$q.= "WHERE ID = " . $uid;
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
 # Change a password and save the salt only if reset key and email are correct
@ -537,11 +548,11 @@ function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) {
 	$q.= "Salt = '$salt', ";
 	$q.= "ResetKey = '' ";
 	$q.= "WHERE ResetKey != '' ";
-	$q.= "AND ResetKey = '".db_escape_string($resetkey)."' ";
+	$q.= "AND ResetKey = " . $dbh->quote($resetkey) . " ";
-	$q.= "AND Email = '".db_escape_string($email)."'";
+	$q.= "AND Email = " . $dbh->quote($email);
-	$result = db_query($q, $dbh);
+	$result = $dbh->exec($q);
-	if (!mysql_affected_rows($dbh)) {
+	if (!$result) {
 		$error = __('Invalid e-mail and reset key combination.');
 		return $error;
 	} else {
@ -569,25 +580,25 @@ function valid_passwd($userID, $passwd, $dbh=NULL) {
 		$salt = get_salt($userID);
 		if ($salt) {
 			# use salt
-			$passwd_q = "SELECT ID FROM Users" .
+			$q = "SELECT ID FROM Users ";
-				" WHERE ID = " . $userID  . " AND Passwd = '" .
+			$q.= "WHERE ID = " . $userID . " ";
-				salted_hash($passwd, $salt) . "'";
+			$q.= "AND Passwd = " . $dbh->quote(salted_hash($passwd, $salt));
-			$result = db_query($passwd_q, $dbh);
+			$result = $dbh->query($q);
 			if ($result) {
-				$passwd_result = mysql_fetch_row($result);
+				$row = $result->fetch(PDO::FETCH_NUM);
-				if ($passwd_result[0]) {
+				if ($row[0]) {
 					return true;
 				}
 			}
 		} else {
 			# check without salt
-			$nosalt_q = "SELECT ID FROM Users".
+			$q = "SELECT ID FROM Users ";
-				" WHERE ID = " . $userID .
+			$q.= "WHERE ID = " . $userID . " ";
-				" AND Passwd = '" . md5($passwd) . "'";
+			$q.= "AND Passwd = " . $dbh->quote(md5($passwd));
-			$result = db_query($nosalt_q, $dbh);
+			$result = $dbh->query($q);
 			if ($result) {
-				$nosalt_row = mysql_fetch_row($result);
+				$row = $result->fetch(PDO::FETCH_NUM);
-				if ($nosalt_row[0]) {
+				if ($row[0]) {
 					# password correct, but salt it first
 					if (!save_salt($userID, $passwd)) {
 						trigger_error("Unable to salt user's password;" .
@ -621,9 +632,9 @@ function user_suspended($id, $dbh=NULL) {
 		return false;
 	}
 	$q = "SELECT Suspended FROM Users WHERE ID = " . $id;
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		$row = mysql_fetch_row($result);
+		$row = $result->fetch(PDO::FETCH_NUM);
 		if ($row[0]) {
 			return true;
 		}
@ -639,7 +650,7 @@ function user_delete($id, $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$q = "DELETE FROM Users WHERE ID = " . $id;
-	db_query($q, $dbh);
+	$dbh->query($q);
 	return;
 }
@ -652,9 +663,9 @@ function user_is_privileged($id, $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$q = "SELECT AccountTypeID FROM Users WHERE ID = " . $id;
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		$row = mysql_fetch_row($result);
+		$row = $result->fetch(PDO::FETCH_NUM);
 		if($row[0] > 1) {
 			return $row[0];
 		}
@ -669,9 +680,8 @@ function delete_session_id($sid, $dbh=NULL) {
 		$dbh = db_connect();
 	}
-	$q = "DELETE FROM Sessions WHERE SessionID = '";
+	$q = "DELETE FROM Sessions WHERE SessionID = " . $dbh->quote($sid);
-	$q.= db_escape_string($sid) . "'";
+	$dbh->query($q);
 	db_query($q, $dbh);
 }
 # Clear out old expired sessions.
@ -683,7 +693,7 @@ function clear_expired_sessions($dbh=NULL) {
 	}
 	$q = "DELETE FROM Sessions WHERE LastUpdateTS < (UNIX_TIMESTAMP() - $LOGIN_TIMEOUT)";
-	db_query($q, $dbh);
+	$dbh->query($q);
 	return;
 }
@ -698,12 +708,12 @@ function account_details($uid, $username, $dbh=NULL) {
 	if (!empty($uid)) {
 		$q.= "AND Users.ID = ".intval($uid);
 	} else {
-		$q.= "AND Users.Username = '".db_escape_string($username) . "'";
+		$q.= "AND Users.Username = " . $dbh->quote($username);
 	}
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		$row = mysql_fetch_assoc($result);
+		$row = $result->fetch(PDO::FETCH_ASSOC);
 	}
 	return $row;
@ -717,12 +727,11 @@ function own_account_details($sid, $dbh=NULL) {
 	$q.= "FROM Users, AccountTypes, Sessions ";
 	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
 	$q.= "AND Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '";
+	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$q.= db_escape_string($sid)."'";
+	$result = $dbh->query($q);
 	$result = db_query($q, $dbh);
 	if ($result) {
-		$row = mysql_fetch_assoc($result);
+		$row = $result->fetch(PDO::FETCH_ASSOC);
 	}
 	return $row;
@ -733,9 +742,10 @@ function tu_voted($voteid, $uid, $dbh=NULL) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT * FROM TU_Votes WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid);
+	$q = "SELECT COUNT(*) FROM TU_Votes ";
-	$result = db_query($q, $dbh);
+	$q.= "WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid);
-	if (mysql_num_rows($result)) {
+	$result = $dbh->query($q);
 	if ($result->fetchColumn() > 0) {
 		return true;
 	}
 	else {
@ -749,10 +759,10 @@ function current_proposal_list($order, $dbh=NULL) {
 	}
 	$q = "SELECT * FROM TU_VoteInfo WHERE End > " . time() . " ORDER BY Submitted " . $order;
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	$details = array();
-	while ($row = mysql_fetch_assoc($result)) {
+	while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 		$details[] = $row;
 	}
@ -765,10 +775,10 @@ function past_proposal_list($order, $lim, $dbh=NULL) {
 	}
 	$q = "SELECT * FROM TU_VoteInfo WHERE End < " . time() . " ORDER BY Submitted " . $order . $lim;
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	$details = array();
-	while ($row = mysql_fetch_assoc($result)) {
+	while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 		$details[] = $row;
 	}
@ -781,8 +791,8 @@ function proposal_count($dbh=NULL) {
 	}
 	$q = "SELECT COUNT(*) FROM TU_VoteInfo";
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -795,8 +805,8 @@ function vote_details($voteid, $dbh=NULL) {
 	$q = "SELECT * FROM TU_VoteInfo ";
 	$q.= "WHERE ID = " . intval($voteid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
-	$row = mysql_fetch_assoc($result);
+	$row = $result->fetch(PDO::FETCH_ASSOC);
 	return $row;
 }
@ -814,9 +824,9 @@ function voter_list($voteid, $dbh=NULL) {
 	$q.= " AND tv.UserID = U.ID ";
 	$q.= "ORDER BY Username";
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 			$whovoted.= '<a href="' . get_uri('/accounts/') . '?Action=AccountInfo&amp;ID='.$row['UserID'].'">'.$row['Username'].'</a> ';
 		}
 	}
@ -828,10 +838,9 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
 		$dbh = db_connect();
 	}
-	$q = "UPDATE TU_VoteInfo SET " . $vote . " = " . ($newtotal) . " WHERE ID = " . $voteid;
+	$q = "UPDATE TU_VoteInfo SET " . $vote . " = (" . $newtotal . ") WHERE ID = " . $voteid;
-	db_query($q, $dbh);
+	$result = $dbh->exec($q);
 	$q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . $voteid . ", " . $uid . ")";
 	db_query($q, $dbh);
 	$q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
 	$result = $dbh->exec($q);
 }
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@ -30,14 +30,15 @@ function check_sid($dbh=NULL) {
 			$dbh = db_connect();
 		}
 		$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
-		$q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'";
+		$q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if (mysql_num_rows($result) == 0) {
+		$row = $result->fetch(PDO::FETCH_NUM);
 		if (!$row[0]) {
 			# Invalid SessionID - hacker alert!
 			#
 			$failed = 1;
 		} else {
 			$row = mysql_fetch_row($result);
 			$last_update = $row[0];
 			if ($last_update + $LOGIN_TIMEOUT <= $row[1]) {
 				$failed = 2;
@ -68,8 +69,8 @@ function check_sid($dbh=NULL) {
 			# overwritten.
 			if ($last_update < time() + $LOGIN_TIMEOUT) {
 				$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
-				$q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'";
+				$q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
-				db_query($q, $dbh);
+				$dbh->exec($q);
 			}
 		}
 	}
@ -119,12 +120,12 @@ function username_from_id($id="", $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id);
+	$q = "SELECT Username FROM Users WHERE ID = " . $dbh->quote($id);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if (!$result) {
 		return "None";
 	}
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -142,12 +143,12 @@ function username_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Username ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if (!$result) {
 		return "";
 	}
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -164,12 +165,12 @@ function email_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Email ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if (!$result) {
 		return "";
 	}
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -188,12 +189,12 @@ function account_from_sid($sid="", $dbh=NULL) {
 	$q.= "FROM Users, AccountTypes, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
 	$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
-	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if (!$result) {
 		return "";
 	}
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -210,12 +211,12 @@ function uid_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Users.ID ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if (!$result) {
 		return 0;
 	}
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -223,66 +224,16 @@ function uid_from_sid($sid="", $dbh=NULL) {
 # connect to the database
 #
 function db_connect() {
-	$handle = mysql_connect(AUR_db_host, AUR_db_user, AUR_db_pass);
+	try {
-	if (!$handle) {
+		$dbh = new PDO(AUR_db_DSN_prefix . ":" . AUR_db_host . ";dbname=" . AUR_db_name, AUR_db_user, AUR_db_pass);
-		die("Error connecting to AUR database: " . mysql_error());
+	}
 	catch (PDOException $e) {
 		echo "Error - Could not connect to AUR database: " . $e->getMessage();
 	}
-	mysql_select_db(AUR_db_name, $handle) or
+	$dbh->exec("SET NAMES 'utf8' COLLATE 'utf8_general_ci';");
 		die("Error selecting AUR database: " . mysql_error());
-	db_query("SET NAMES 'utf8' COLLATE 'utf8_general_ci';", $handle);
+	return $dbh;
 	return $handle;
 }
 # Escape strings for SQL query usage.
 # Wraps the database driver's provided method (for convenience and porting).
 function db_escape_string($string) {
 	return mysql_real_escape_string($string);
 }
 # Escape strings for usage in SQL LIKE operators.
 function db_escape_like($string) {
 	return addcslashes(mysql_real_escape_string($string), '%_');
 }
 # disconnect from the database
 # this won't normally be needed as PHP/reference counting will take care of
 # closing the connection once it is no longer referenced
 #
 function db_disconnect($db_handle="") {
 	if ($db_handle) {
 		mysql_close($db_handle);
 		return TRUE;
 	}
 	return FALSE;
 }
 # wrapper function around db_query in case we want to put
 # query logging/debugging in.
 #
 function db_query($query="", $db_handle="") {
 	if (!$query) {
 		return FALSE;
 	}
 	if (!$db_handle) {
 		die("DB handle was not provided to db_query");
 	}
 	if (defined('SQL_DEBUG') && SQL_DEBUG == 1) {
 		$bt = debug_backtrace();
 		error_log("DEBUG: ".$bt[0]['file'].":".$bt[0]['line']." query: $query\n");
 	}
 	$result = @mysql_query($query, $db_handle);
 	if (!$result) {
 		$bt = debug_backtrace();
 		error_log("ERROR: near ".$bt[0]['file'].":".$bt[0]['line']." in query: $query\n -> ".mysql_error($db_handle));
 	}
 	return $result;
 }
 # common header
@ -313,10 +264,13 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$q = "SELECT MaintainerUID ";
-	$q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'";
+	$q.= "FROM Packages WHERE Name = " . $dbh->quote($name);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
-	if (mysql_num_rows($result) == 0) {return 1;}
+	$row = $result->fetch(PDO::FETCH_NUM);
-	$row = mysql_fetch_row($result);
+
 	if (!$row[0]) {
 		return 1;
 	}
 	$my_uid = uid_from_sid($sid, $dbh);
 	if ($row[0] === NULL || $row[0] == $my_uid) {
@ -385,13 +339,12 @@ function uid_from_username($username="", $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username)
+	$q = "SELECT ID FROM Users WHERE Username = " . $dbh->quote($username);
-				."'";
+	$result = $dbh->query($q);
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "None";
 	}
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -405,13 +358,12 @@ function uid_from_email($email="", $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email)
+	$q = "SELECT ID FROM Users WHERE Email = " . $dbh->quote($email);
-				."'";
+	$result = $dbh->query($q);
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "None";
 	}
-	$row = mysql_fetch_row($result);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -461,11 +413,11 @@ function get_salt($user_id, $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$salt_q = "SELECT Salt FROM Users WHERE ID = " . $user_id;
+	$q = "SELECT Salt FROM Users WHERE ID = " . $user_id;
-	$result = db_query($salt_q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		$salt_row = mysql_fetch_row($result);
+		$row = $result->fetch(PDO::FETCH_NUM);
-		return $salt_row[0];
+		return $row[0];
 	}
 	return;
 }
@ -476,9 +428,9 @@ function save_salt($user_id, $passwd, $dbh=NULL) {
 	}
 	$salt = generate_salt();
 	$hash = salted_hash($passwd, $salt);
-	$salting_q = "UPDATE Users SET Salt = '" . $salt . "', " .
+	$q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", ";
-		"Passwd = '" . $hash . "' WHERE ID = " . $user_id;
+	$q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id;
-	return db_query($salting_q, $dbh);
+	$result = $dbh->exec($q);
 }
 function generate_salt() {
@ -519,21 +471,21 @@ function begin_atomic_commit($dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	db_query("BEGIN", $dbh);
+	$dbh->beginTransaction();
 }
 function end_atomic_commit($dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	db_query("COMMIT", $dbh);
+	$dbh->commit();
 }
 function last_insert_id($dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	return mysql_insert_id($dbh);
+	return $dbh->lastInsertId();
 }
 function latest_pkgs($numpkgs, $dbh=NULL) {
@ -544,10 +496,10 @@ function latest_pkgs($numpkgs, $dbh=NULL) {
 	$q = "SELECT * FROM Packages ";
 	$q.= "ORDER BY SubmittedTS DESC ";
 	$q.= "LIMIT " .intval($numpkgs);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 			$packages[] = $row;
 		}
 	}
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@ -122,12 +122,13 @@ class AurJSON {
            "FROM Packages LEFT JOIN Users " .
            "ON Packages.MaintainerUID = Users.ID " .
            "WHERE ${where_condition}";
-        $result = db_query($query, $this->dbh);
+        $result = $this->dbh->query($query);
-        $resultcount = mysql_num_rows($result);
+        if ($result) {
-        if ( $result && $resultcount > 0 ) {
+            $resultcount = 0;
            $search_data = array();
-            while ( $row = mysql_fetch_assoc($result) ) {
+            while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
                $resultcount++;
                $name = $row['Name'];
                $row['URLPath'] = URL_DIR . substr($name, 0, 2) . "/" . $name . "/" . $name . ".tar.gz";
@ -148,7 +149,6 @@ class AurJSON {
                }
            }
            mysql_free_result($result);
            return $this->json_results($type, $resultcount, $search_data);
        }
        else {
@ -178,8 +178,7 @@ class AurJSON {
            if (is_numeric($arg)) {
                $id_args[] = intval($arg);
            } else {
-                $escaped = db_escape_string($arg, $this->dbh);
+                $name_args[] = $this->dbh->quote($arg);
                $name_args[] = "'" . $escaped . "'";
            }
        }
@ -196,10 +195,10 @@ class AurJSON {
            return $this->json_error('Query arg too small');
        }
-        $keyword_string = db_escape_like($keyword_string, $this->dbh);
+        $keyword_string = $this->dbh->quote("%" . addcslashes($keyword_string, '%_') . "%");
-        $where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
+        $where_condition = "(Name LIKE {$keyword_string} OR ";
-            "Description LIKE '%{$keyword_string}%' )";
+        $where_condition.= "Description LIKE {$keyword_string})";
        return $this->process_query('search', $where_condition);
    }
@ -217,8 +216,7 @@ class AurJSON {
            $where_condition = "Packages.ID={$pqdata}";
        }
        else {
-            $where_condition = sprintf("Name=\"%s\"",
+            $where_condition = sprintf("Name=%s", $this->dbh->quote($pqdata));
                db_escape_string($pqdata, $this->dbh));
        }
        return $this->process_query('info', $where_condition);
    }
@ -260,9 +258,9 @@ class AurJSON {
     * @return mixed Returns an array of value data containing the package data
     **/
    private function msearch($maintainer) {
-        $maintainer = db_escape_string($maintainer, $this->dbh);
+        $maintainer = $this->dbh->quote($maintainer);
-        $where_condition = "Users.Username = '{$maintainer}'";
+        $where_condition = "Users.Username = {$maintainer}";
        return $this->process_query('msearch', $where_condition);
    }
--- a/web/lib/cachefuncs.inc.php
+++ b/web/lib/cachefuncs.inc.php
@ -71,8 +71,8 @@ function db_cache_value($dbq, $dbh, $key, $ttl=600) {
 	$status = false;
 	$value = get_cache_value($key, $status);
 	if (!$status) {
-		$result = db_query($dbq, $dbh);
+		$result = $dbh->query($dbq);
-		$row = mysql_fetch_row($result);
+		$row = $result->fetch(PDO::FETCH_NUM);
 		$value = $row[0];
 		set_cache_value($key, $value, $ttl);
 	}
--- a/web/lib/config.inc.php.proto
+++ b/web/lib/config.inc.php.proto
@ -2,7 +2,8 @@
 # NOTE: modify these variables if your MySQL setup is different
-define( "AUR_db_host", "localhost:/var/run/mysqld/mysqld.sock" );
+define( "AUR_db_DSN_prefix", "mysql" );
 define( "AUR_db_host", "unix_socket=/var/run/mysqld/mysqld.sock" );
 define( "AUR_db_name", "AUR" );
 define( "AUR_db_user", "aur" );
 define( "AUR_db_pass", "aur" );
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@ -16,9 +16,9 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0, $dbh=NULL) {
 	$q.= "FROM PackageComments ";
 	$q.= "WHERE ID = " . intval($comment_id);
 	$q.= " AND UsersID = " . $uid;
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result != NULL) {
-		$row = mysql_fetch_assoc($result);
+		$row = $result->fetch(PDO::FETCH_ASSOC);
 		if ($row['CNT'] > 0) {
 			return TRUE;
 		}
@ -83,9 +83,9 @@ function pkgCategories($dbh=NULL) {
 	}
 	$q = "SELECT * FROM PackageCategories WHERE ID != 1 ";
 	$q.= "ORDER BY Category ASC";
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		while ($row = mysql_fetch_row($result)) {
+		while ($row = $result->fetch(PDO::FETCH_NUM)) {
 			$cats[$row[0]] = $row[1];
 		}
 	}
@ -100,10 +100,12 @@ function pkgid_from_name($name="", $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$q = "SELECT ID FROM Packages ";
-	$q.= "WHERE Name = '".db_escape_string($name)."' ";
+	$q.= "WHERE Name = " . $dbh->quote($name);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
-	if (!$result) {return NULL;}
+	if (!$result) {
-	$row = mysql_fetch_row($result);
+		return;
 	}
 	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
@ -120,9 +122,11 @@ function package_dependencies($pkgid, $dbh=NULL) {
 		$q.= "LEFT JOIN Packages p ON pd.DepName = p.Name ";
 		$q.= "WHERE pd.PackageID = ". $pkgid . " ";
 		$q.= "ORDER BY pd.DepName";
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if (!$result) {return array();}
+		if (!$result) {
-		while ($row = mysql_fetch_row($result)) {
+			return array();
 		}
 		while ($row = $result->fetch(PDO::FETCH_NUM)) {
 			$deps[] = $row;
 		}
 	}
@ -137,11 +141,11 @@ function package_required($name="", $dbh=NULL) {
 		}
 		$q = "SELECT p.Name, PackageID FROM PackageDepends pd ";
 		$q.= "JOIN Packages p ON pd.PackageID = p.ID ";
-		$q.= "WHERE DepName = '".db_escape_string($name)."' ";
+		$q.= "WHERE DepName = " . $dbh->quote($name) . " ";
 		$q.= "ORDER BY p.Name";
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
 		if (!$result) {return array();}
-		while ($row = mysql_fetch_row($result)) {
+		while ($row = $result->fetch(PDO::FETCH_NUM)) {
 			$deps[] = $row;
 		}
 	}
@ -150,6 +154,10 @@ function package_required($name="", $dbh=NULL) {
 # Return the number of comments for a specified package
 function package_comments_count($pkgid, $dbh=NULL) {
 	if (!$dbh) {
 		$dbh = db_connect();
 	}
 	$pkgid = intval($pkgid);
 	if ($pkgid > 0) {
 		if(!$dbh) {
@ -159,13 +167,14 @@ function package_comments_count($pkgid, $dbh=NULL) {
 		$q.= "WHERE PackageID = " . $pkgid;
 		$q.= " AND DelUsersID IS NULL";
 	}
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if (!$result) {
 		return;
 	}
-	return mysql_result($result, 0);
+	$row = $result->fetch(PDO::FETCH_NUM);
 	return $row[0];
 }
 # Return an array of package comments
@ -187,13 +196,13 @@ function package_comments($pkgid, $dbh=NULL) {
 			$q.= " LIMIT 10";
 		}
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
 		if (!$result) {
 			return;
 		}
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 			$comments[] = $row;
 		}
 	}
@ -207,32 +216,31 @@ function add_package_comment($pkgid, $uid, $comment, $dbh=NULL) {
 		$dbh = db_connect();
 	}
-	$q = 'INSERT INTO PackageComments ';
+	$q = "INSERT INTO PackageComments ";
-	$q.= '(PackageID, UsersID, Comments, CommentTS) VALUES (';
+	$q.= "(PackageID, UsersID, Comments, CommentTS) VALUES (";
-	$q.= intval($pkgid) . ', ' . $uid . ', ';
+	$q.= intval($pkgid) . ", " . $uid . ", ";
-	$q.= "'" . db_escape_string($comment) . "', ";
+	$q.= $dbh->quote($comment) . ", UNIX_TIMESTAMP())";
-	$q.= 'UNIX_TIMESTAMP())';
+	$dbh->exec($q);
 	db_query($q, $dbh);
 	# Send email notifications
-	$q = 'SELECT CommentNotify.*, Users.Email ';
+	$q = "SELECT CommentNotify.*, Users.Email ";
-	$q.= 'FROM CommentNotify, Users ';
+	$q.= "FROM CommentNotify, Users ";
-	$q.= 'WHERE Users.ID = CommentNotify.UserID ';
+	$q.= "WHERE Users.ID = CommentNotify.UserID ";
-	$q.= 'AND CommentNotify.UserID != ' . $uid . ' ';
+	$q.= "AND CommentNotify.UserID != " . $uid . " ";
-	$q.= 'AND CommentNotify.PkgID = ' . intval($pkgid);
+	$q.= "AND CommentNotify.PkgID = " . intval($pkgid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	$bcc = array();
-	if (mysql_num_rows($result)) {
+	if ($result) {
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 			array_push($bcc, $row['Email']);
 		}
-		$q = 'SELECT Packages.* ';
+		$q = "SELECT Packages.* ";
-		$q.= 'FROM Packages ';
+		$q.= "FROM Packages ";
-		$q.= 'WHERE Packages.ID = ' . intval($pkgid);
+		$q.= "WHERE Packages.ID = " . intval($pkgid);
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		$row = mysql_fetch_assoc($result);
+		$row = $result->fetch(PDO::FETCH_ASSOC);
 		# TODO: native language emails for users, based on their prefs
 		# Simply making these strings translatable won't work, users would be
@ -261,9 +269,11 @@ function package_sources($pkgid, $dbh=NULL) {
 		$q = "SELECT Source FROM PackageSources ";
 		$q.= "WHERE PackageID = " . $pkgid;
 		$q.= " ORDER BY Source";
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if (!$result) {return array();}
+		if (!$result) {
-		while ($row = mysql_fetch_row($result)) {
+			return array();
 		}
 		while ($row = $result->fetch(PDO::FETCH_NUM)) {
 			$sources[] = $row[0];
 		}
 	}
@ -283,10 +293,10 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) {
 	$q.= "FROM PackageVotes, Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
 	$q.= "AND Users.ID = PackageVotes.UsersID ";
-	$q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'";
+	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		while ($row = mysql_fetch_row($result)) {
+		while ($row = $result->fetch(PDO::FETCH_NUM)) {
 			$pkgs[$row[0]] = 1;
 		}
 	}
@ -306,10 +316,10 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) {
 	$q.= "FROM CommentNotify, Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
 	$q.= "AND Users.ID = CommentNotify.UserID ";
-	$q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'";
+	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		while ($row = mysql_fetch_row($result)) {
+		while ($row = $result->fetch(PDO::FETCH_NUM)) {
 			$pkgs[$row[0]] = 1;
 		}
 	}
@ -325,11 +335,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) {
 		if(!$dbh) {
 			$dbh = db_connect();
 		}
-		$q = "SELECT Name FROM Packages WHERE ID IN (" .
+		$q = "SELECT Name FROM Packages WHERE ID IN (";
-			implode(",", $pkgids) . ")";
+		$q.= implode(",", $pkgids) . ")";
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if (mysql_num_rows($result) > 0) {
+		if ($result) {
-			while ($row = mysql_fetch_assoc($result)) {
+			while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 				$names[] = $row['Name'];
 			}
 		}
@ -340,11 +350,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) {
 			$dbh = db_connect();
 		}
 		$q = "SELECT Name FROM Packages WHERE ID = " . $pkgids;
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if (mysql_num_rows($result) > 0) {
+		if ($result) {
-			$name = mysql_result($result, 0);
+			$name = $result->fetch(PDO::FETCH_NUM);
 		}
-		return $name;
+		return $name[0];
 	}
 	else {
 		return NULL;
@ -357,11 +367,12 @@ function pkgname_is_blacklisted($name, $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'";
+	$q = "SELECT COUNT(*) FROM PackageBlacklist ";
-	$result = db_query($q, $dbh);
+	$q.= "WHERE Name = " . $dbh->quote($name);
 	$result = $dbh->query($q);
 	if (!$result) return false;
-	return (mysql_result($result, 0) > 0);
+	return ($result->fetch(PDO::FETCH_NUM) > 0);
 }
 # display package details
@ -378,13 +389,13 @@ function package_details($id=0, $SID="", $dbh=NULL) {
 	$q.= "FROM Packages,PackageCategories ";
 	$q.= "WHERE Packages.CategoryID = PackageCategories.ID ";
 	$q.= "AND Packages.ID = " . intval($id);
-	$results = db_query($q, $dbh);
+	$result = $dbh->query($q);
-	if (!$results) {
+	if (!$result) {
 		print "<p>" . __("Error retrieving package details.") . "</p>\n";
 	}
 	else {
-		$row = mysql_fetch_assoc($results);
+		$row = $result->fetch(PDO::FETCH_ASSOC);
 		if (empty($row)) {
 			print "<p>" . __("Package details could not be found.") . "</p>\n";
@ -532,7 +543,7 @@ function pkg_search_page($SID="", $dbh=NULL) {
 	if (isset($_GET['K'])) {
 		# Search by maintainer
 		if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
-			$q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
+			$q_where .= "AND Users.Username = " . $dbh->quote($_GET['K']) . " ";
 		}
 		# Search by submitter
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
@ -540,16 +551,18 @@ function pkg_search_page($SID="", $dbh=NULL) {
 		}
 		# Search by name
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
-			$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
+			$K = "%" . addcslashes($_GET['K'], '%_') . "%";
 			$q_where .= "AND (Name LIKE " . $dbh->quote($K) . ") ";
 		}
 		# Search by name (exact match)
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
-			$q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
+			$q_where .= "AND (Name = " . $dbh->quote($_GET['K']) . ") ";
 		}
 		# Search by name and description (Default)
 		else {
-			$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
+			$K = "%" . addcslashes($_GET['K'], '%_') . "%";
-			$q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
+			$q_where .= "AND (Name LIKE " . $dbh->quote($K) . " OR ";
 			$q_where .= "Description LIKE " . $dbh->quote($K) . ") ";
 		}
 	}
@ -602,10 +615,11 @@ function pkg_search_page($SID="", $dbh=NULL) {
 	$q = $q_select . $q_from . $q_from_extra . $q_where . $q_sort . $q_limit;
 	$q_total = "SELECT COUNT(*) " . $q_from . $q_where;
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
-	$result_t = db_query($q_total, $dbh);
+	$result_t = $dbh->query($q_total);
 	if ($result_t) {
-		$total = mysql_result($result_t, 0);
+		$row = $result_t->fetch(PDO::FETCH_NUM);
 		$total = $row[0];
 	}
 	else {
 		$total = 0;
@ -657,8 +671,10 @@ function pkg_search_page($SID="", $dbh=NULL) {
 	include('pkg_search_form.php');
-	while ($row = mysql_fetch_assoc($result)) {
+	if ($result) {
-		$searchresults[] = $row;
+		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 			$searchresults[] = $row;
 		}
 	}
 	include('pkg_search_results.php');
@ -732,7 +748,7 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) {
 		$q.= "AND MaintainerUID = " . uid_from_sid($_COOKIE["AURSID"], $dbh);
 	}
-	db_query($q, $dbh);
+	$dbh->exec($q);
 	if ($action) {
 		# Notify of flagging by email
@ -744,9 +760,9 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) {
 		$q.= "WHERE Packages.ID IN (" . implode(",", $ids) .") ";
 		$q.= "AND Users.ID = Packages.MaintainerUID ";
 		$q.= "AND Users.ID != " . $f_uid;
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
-		if (mysql_num_rows($result)) {
+		if ($result) {
-			while ($row = mysql_fetch_assoc($result)) {
+			while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 				# construct email
 				$body = "Your package " . $row['Name'] . " has been flagged out of date by " . $f_name . " [1]. You may view your package at:\n" . $AUR_LOCATION . "/" . get_pkg_uri($row['Name']) . "\n\n[1] - " . $AUR_LOCATION . "/" . get_uri('/accounts/') . "?Action=AccountInfo&ID=" . $f_uid;
 				$body = wordwrap($body, 70);
@ -797,15 +813,15 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) {
 	# Send email notifications
 	foreach ($ids as $pkgid) {
-		$q = 'SELECT CommentNotify.*, Users.Email ';
+		$q = "SELECT CommentNotify.*, Users.Email ";
-		$q.= 'FROM CommentNotify, Users ';
+		$q.= "FROM CommentNotify, Users ";
-		$q.= 'WHERE Users.ID = CommentNotify.UserID ';
+		$q.= "WHERE Users.ID = CommentNotify.UserID ";
-		$q.= 'AND CommentNotify.UserID != ' . uid_from_sid($_COOKIE['AURSID']) . ' ';
+		$q.= "AND CommentNotify.UserID != " . uid_from_sid($_COOKIE['AURSID']) . " ";
-		$q.= 'AND CommentNotify.PkgID = ' . $pkgid;
+		$q.= "AND CommentNotify.PkgID = " . $pkgid;
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
 		$bcc = array();
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 			array_push($bcc, $row['Email']);
 		}
 		if (!empty($bcc)) {
@ -834,7 +850,7 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) {
 		$q = "UPDATE PackageComments ";
 		$q.= "SET PackageID = " . intval($mergepkgid) . " ";
 		$q.= "WHERE PackageID IN (" . implode(",", $ids) . ")";
-		db_query($q, $dbh);
+		$dbh->exec($q);
 		/* Merge votes */
 		foreach ($ids as $pkgid) {
@ -846,18 +862,18 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) {
 			$q.= "FROM PackageVotes ";
 			$q.= "WHERE PackageID = " . intval($mergepkgid);
 			$q.= ") temp)";
-			db_query($q, $dbh);
+			$dbh->exec($q);
 		}
 		$q = "UPDATE Packages ";
 		$q.= "SET NumVotes = (SELECT COUNT(*) FROM PackageVotes ";
 		$q.= "WHERE PackageID = " . intval($mergepkgid) . ") ";
 		$q.= "WHERE ID = " . intval($mergepkgid);
-		db_query($q, $dbh);
+		$dbh->exec($q);
 	}
 	$q = "DELETE FROM Packages WHERE ID IN (" . implode(",", $ids) . ")";
-	$result = db_query($q, $dbh);
+	$result = $dbh->exec($q);
 	return __("The selected packages have been deleted.");
 }
@ -912,7 +928,7 @@ function pkg_adopt ($atype, $ids, $action=true, $dbh=NULL) {
 		$q.= "AND $field = " . uid_from_sid($_COOKIE["AURSID"], $dbh);
 	}
-	db_query($q, $dbh);
+	$dbh->exec($q);
 	if ($action) {
 		pkg_notify(account_from_sid($_COOKIE["AURSID"], $dbh), $ids, $dbh);
@ -985,7 +1001,7 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) {
 	$q = "UPDATE Packages SET NumVotes = NumVotes $op 1 ";
 	$q.= "WHERE ID IN ($vote_ids)";
-	db_query($q, $dbh);
+	$dbh->exec($q);
 	if ($action) {
 		$q = "INSERT INTO PackageVotes (UsersID, PackageID) VALUES ";
@ -995,13 +1011,12 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) {
 		$q.= "AND PackageID IN ($vote_ids)";
 	}
-	db_query($q, $dbh);
+	$dbh->exec($q);
 	if ($action) {
 		$q = "UPDATE Users SET LastVoted = UNIX_TIMESTAMP() ";
 		$q.= "WHERE ID = $uid";
-
+		$dbh->exec($q);
 		db_query($q, $dbh);
 	}
 	if ($action) {
@ -1017,19 +1032,17 @@ function getvotes($pkgid, $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$pkgid = db_escape_string($pkgid);
 	$q = "SELECT UsersID,Username FROM PackageVotes ";
 	$q.= "LEFT JOIN Users on (UsersID = ID) ";
-	$q.= "WHERE PackageID = ". $pkgid . " ";
+	$q.= "WHERE PackageID = ". $dbh->quote($pkgid) . " ";
 	$q.= "ORDER BY Username";
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if (!$result) {
 		return;
 	}
-	while ($row = mysql_fetch_assoc($result)) {
+	while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 		$votes[] = $row;
 	}
@ -1042,13 +1055,11 @@ function user_voted($uid, $pkgid, $dbh=NULL) {
 		$dbh = db_connect();
 	}
-	$uid = db_escape_string($uid);
+	$q = "SELECT * FROM PackageVotes WHERE UsersID = ". $dbh->quote($uid);
-	$pkgid = db_escape_string($pkgid);
+	$q.= " AND PackageID = " . $dbh->quote($pkgid);
 	$result = $dbh->query($q);
-	$q = "SELECT * FROM PackageVotes WHERE UsersID = ". $uid;
+	if ($result->fetch(PDO::FETCH_NUM)) {
 	$q.= " AND PackageID = ".$pkgid;
 	$result = db_query($q, $dbh);
 	if (mysql_num_rows($result)) {
 		return true;
 	}
 	else {
@ -1062,13 +1073,11 @@ function user_notify($uid, $pkgid, $dbh=NULL) {
 		$dbh = db_connect();
 	}
-	$uid = db_escape_string($uid);
+	$q = "SELECT * FROM CommentNotify WHERE UserID = " . $dbh->quote($uid);
-	$pkgid = db_escape_string($pkgid);
+	$q.= " AND PkgID = " . $dbh->quote($pkgid);
 	$result = $dbh->query($q);
-	$q = "SELECT * FROM CommentNotify WHERE UserID = ". $uid;
+	if ($result->fetch(PDO::FETCH_NUM)) {
 	$q.= " AND PkgID = ".$pkgid;
 	$result = db_query($q, $dbh);
 	if (mysql_num_rows($result)) {
 		return true;
 	}
 	else {
@ -1107,9 +1116,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) {
 	# format in which it's sent requires this.
 	foreach ($ids as $pid) {
 		$q = "SELECT Name FROM Packages WHERE ID = $pid";
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
 		if ($result) {
-			$pkgname = mysql_result($result , 0);
+			$row = $result->fetch(PDO::FETCH_NUM);
 			$pkgname = $row[0];
 		}
 		else {
 			$pkgname = '';
@ -1126,10 +1136,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) {
 			$q .= " AND PkgID = $pid";
 			# Notification already added. Don't add again.
-			$result = db_query($q, $dbh);
+			$result = $dbh->query($q);
-			if (!mysql_num_rows($result)) {
+			if (!$result) {
 				$q = "INSERT INTO CommentNotify (PkgID, UserID) VALUES ($pid, $uid)";
-				db_query($q, $dbh);
+				$dbh->exec($q);
 			}
 			$output .= $pkgname;
@ -1137,7 +1147,7 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) {
 		else {
 			$q = "DELETE FROM CommentNotify WHERE PkgID = $pid";
 			$q .= " AND UserID = $uid";
-			db_query($q, $dbh);
+			$dbh->exec($q);
 			$output .= $pkgname;
 		}
@ -1181,7 +1191,7 @@ function pkg_delete_comment($atype, $dbh=NULL) {
 		   $q = "UPDATE PackageComments ";
 		   $q.= "SET DelUsersID = ".$uid." ";
 		   $q.= "WHERE ID = ".intval($comment_id);
-		   db_query($q, $dbh);
+		$dbh->exec($q);
 		   return __("Comment has been deleted.");
 	} else {
 		   return __("You are not allowed to delete this comment.");
@ -1226,21 +1236,21 @@ function pkg_change_category($atype, $dbh=NULL) {
 	$q = "SELECT Packages.MaintainerUID ";
 	$q.= "FROM Packages ";
 	$q.= "WHERE Packages.ID = ".$pid;
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		$pkg = mysql_fetch_assoc($result);
+		$row = $result->fetch(PDO::FETCH_ASSOC);
 	}
 	else {
 		return __("You are not allowed to change this package category.");
 	}
 	$uid = uid_from_sid($_COOKIE["AURSID"], $dbh);
-	if ($uid == $pkg["MaintainerUID"] ||
+	if ($uid == $row["MaintainerUID"] ||
 	($atype == "Developer" || $atype == "Trusted User")) {
 		$q = "UPDATE Packages ";
 		$q.= "SET CategoryID = ".intval($category_id)." ";
 		$q.= "WHERE ID = ".intval($pid);
-		db_query($q, $dbh);
+		$dbh->exec($q);
 		return __("Package category changed.");
 	} else {
 		return __("You are not allowed to change this package category.");
@ -1251,29 +1261,29 @@ function pkgdetails_by_pkgname($pkgname, $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($pkgname) . "'";
+	$q = "SELECT * FROM Packages WHERE Name = " . $dbh->quote($pkgname);
-	$result = db_query($q, $dbh);
+	$result = $dbh->query($q);
 	if ($result) {
-		$pdata = mysql_fetch_assoc($result);
+		$row = $result->fetch(PDO::FETCH_ASSOC);
 	}
-	return $pdata;
+	return $row;
 }
 function new_pkgdetails($pkgname, $license, $pkgver, $category_id, $pkgdesc, $pkgurl, $uid, $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
+	$q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES (%s, %s, %s, %d, %s, %s, UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
-	db_escape_string($pkgname),
+	$dbh->quote($pkgname),
-	db_escape_string($license),
+	$dbh->quote($license),
-	db_escape_string($pkgver),
+	$dbh->quote($pkgver),
 	$category_id,
-	db_escape_string($pkgdesc),
+	$dbh->quote($pkgdesc),
-	db_escape_string($pkgurl),
+	$dbh->quote($pkgurl),
 	$uid,
 	$uid);
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
 function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid, $pkgid, $dbh=NULL) {
@ -1281,28 +1291,28 @@ function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid,
 		$dbh = db_connect();
 	}
 	# This is an overwrite of an existing package
-	$q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
+	$q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = %s, Version = %s, License = %s, Description = %s, URL = %s, OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
-	db_escape_string($pkgname),
+	$dbh->quote($pkgname),
-	db_escape_string($pkgver),
+	$dbh->quote($pkgver),
-	db_escape_string($license),
+	$dbh->quote($license),
-	db_escape_string($pkgdesc),
+	$dbh->quote($pkgdesc),
-	db_escape_string($pkgurl),
+	$dbh->quote($pkgurl),
 	$uid,
 	$pkgid);
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
 function add_pkg_dep($pkgid, $depname, $depcondition, $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')",
+	$q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, %s, %s)",
 	$pkgid,
-	db_escape_string($depname),
+	$dbh->quote($depname),
-	db_escape_string($depcondition));
+	$dbh->quote($depcondition));
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
 function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) {
@ -1310,9 +1320,9 @@ function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
-	$q .= $pkgid . ", '" . db_escape_string($pkgsrc) . "')";
+	$q .= $pkgid . ", " . $dbh->quote($pkgsrc) . ")";
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
 function update_pkg_category($pkgid, $category_id, $dbh=NULL) {
@ -1323,7 +1333,7 @@ function update_pkg_category($pkgid, $category_id, $dbh=NULL) {
 	$category_id,
 	$pkgid);
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
 function remove_pkg_deps($pkgid, $dbh=NULL) {
@ -1332,7 +1342,7 @@ function remove_pkg_deps($pkgid, $dbh=NULL) {
 	}
 	$q = "DELETE FROM PackageDepends WHERE PackageID = " . $pkgid;
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
 function remove_pkg_sources($pkgid, $dbh=NULL) {
@ -1341,5 +1351,5 @@ function remove_pkg_sources($pkgid, $dbh=NULL) {
 	}
 	$q = "DELETE FROM PackageSources WHERE PackageID = " . $pkgid;
-	db_query($q, $dbh);
+	$dbh->exec($q);
 }
--- a/web/lib/stats.inc.php
+++ b/web/lib/stats.inc.php
@ -6,10 +6,10 @@ function updates_table($dbh) {
 	$key = 'recent_updates';
 	if(!($newest_packages = get_cache_value($key))) {
 		$q = 'SELECT * FROM Packages ORDER BY ModifiedTS DESC LIMIT 10';
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
 		$newest_packages = new ArrayObject();
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
 			$newest_packages->append($row);
 		}
 		set_cache_value($key, $newest_packages);
--- a/web/lib/translator.inc.php
+++ b/web/lib/translator.inc.php
@ -96,11 +96,11 @@ function set_lang($dbh=NULL) {
 		$q = "SELECT LangPreference FROM Users, Sessions ";
 		$q.= "WHERE Users.ID = Sessions.UsersID ";
 		$q.= "AND Sessions.SessionID = '";
-		$q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
+		$q.= $dbh->quote($_COOKIE["AURSID"]);
-		$result = db_query($q, $dbh);
+		$result = $dbh->query($q);
 		if ($result) {
-			$row = mysql_fetch_array($result);
+			$row = $result->fetchAll();
 			$LANG = $row[0];
 		}
 		$update_cookie = 1;
--- a/web/template/account_search_results.php
+++ b/web/template/account_search_results.php
@ -2,7 +2,7 @@
 if (!$result):
 	print __("No results matched your search criteria.");
 else:
-	if ($num_rows):
+	if ($result):
 ?>
 		<table class="results">
 			<thead>