From 10b6a8fff7e6d407421c74889455b969be7f867f Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Thu, 20 Oct 2011 08:15:02 +0200
Subject: Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
---
web/html/account.php | 2 +-
web/html/addvote.php | 10 +++++-----
web/html/logout.php | 2 +-
web/html/passreset.php | 4 ++--
web/html/pkgsubmit.php | 28 ++++++++++++++--------------
web/html/voters.php | 2 +-
6 files changed, 24 insertions(+), 24 deletions(-)
(limited to 'web/html')
diff --git a/web/html/account.php b/web/html/account.php
index ca05d1a..387fd93 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -111,7 +111,7 @@ if (isset($_COOKIE["AURSID"])) {
$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
$q.= "AND Users.ID = Sessions.UsersID ";
$q.= "AND Sessions.SessionID = '";
- $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
+ $q.= db_escape_string($_COOKIE["AURSID"])."'";
$result = db_query($q, $dbh);
if (!mysql_num_rows($result)) {
print __("Could not retrieve information for the specified user.");
diff --git a/web/html/addvote.php b/web/html/addvote.php
index fe3037d..f0e7d31 100644
--- a/web/html/addvote.php
+++ b/web/html/addvote.php
@@ -20,7 +20,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
$error = "";
if (!empty($_POST['user'])) {
- $qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'";
+ $qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape_string($_POST['user']) . "'";
$result = db_query($qcheck, $dbh);
if ($result) {
$check = mysql_num_rows($result);
@@ -32,7 +32,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
if ($check == 0) {
$error.= __("Username does not exist.");
} else {
- $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'";
+ $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($_POST['user']) . "'";
$qcheck.= " AND End > UNIX_TIMESTAMP()";
$result = db_query($qcheck, $dbh);
if ($result) {
@@ -67,9 +67,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
if (!empty($_POST['addVote']) && empty($error)) {
$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
- $q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', ";
- $q.= "'" . mysql_real_escape_string($_POST['user']) . "', ";
- $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len);
+ $q.= "('" . db_escape_string($_POST['agenda']) . "', ";
+ $q.= "'" . db_escape_string($_POST['user']) . "', ";
+ $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($len);
$q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")";
db_query($q, $dbh);
diff --git a/web/html/logout.php b/web/html/logout.php
index 1cdf453..45ab564 100644
--- a/web/html/logout.php
+++ b/web/html/logout.php
@@ -12,7 +12,7 @@ include_once("acctfuncs.inc.php"); # access AUR common functions
if (isset($_COOKIE["AURSID"])) {
$dbh = db_connect();
$q = "DELETE FROM Sessions WHERE SessionID = '";
- $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+ $q.= db_escape_string($_COOKIE["AURSID"]) . "'";
db_query($q, $dbh);
# setting expiration to 1 means '1 second after midnight January 1, 1970'
setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
diff --git a/web/html/passreset.php b/web/html/passreset.php
index ed5d4d3..97fbebb 100644
--- a/web/html/passreset.php
+++ b/web/html/passreset.php
@@ -40,8 +40,8 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
Salt = '$salt',
ResetKey = ''
WHERE ResetKey != ''
- AND ResetKey = '".mysql_real_escape_string($resetkey)."'
- AND Email = '".mysql_real_escape_string($email)."'";
+ AND ResetKey = '".db_escape_string($resetkey)."'
+ AND Email = '".db_escape_string($email)."'";
$result = db_query($q, $dbh);
if (!mysql_affected_rows($dbh)) {
$error = __('Invalid e-mail and reset key combination.');
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 21776f9..539f056 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -301,7 +301,7 @@ if ($uid):
$dbh = db_connect();
db_query("BEGIN", $dbh);
- $q = "SELECT * FROM Packages WHERE Name = '" . mysql_real_escape_string($new_pkgbuild['pkgname']) . "'";
+ $q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($new_pkgbuild['pkgname']) . "'";
$result = db_query($q, $dbh);
$pdata = mysql_fetch_assoc($result);
@@ -346,11 +346,11 @@ if ($uid):
# Update package data
$q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
- mysql_real_escape_string($new_pkgbuild['pkgname']),
- mysql_real_escape_string($pkg_version),
- mysql_real_escape_string($new_pkgbuild['license']),
- mysql_real_escape_string($new_pkgbuild['pkgdesc']),
- mysql_real_escape_string($new_pkgbuild['url']),
+ db_escape_string($new_pkgbuild['pkgname']),
+ db_escape_string($pkg_version),
+ db_escape_string($new_pkgbuild['license']),
+ db_escape_string($new_pkgbuild['pkgdesc']),
+ db_escape_string($new_pkgbuild['url']),
$uid,
$packageID);
@@ -359,12 +359,12 @@ if ($uid):
} else {
# This is a brand new package
$q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
- mysql_real_escape_string($new_pkgbuild['pkgname']),
- mysql_real_escape_string($new_pkgbuild['license']),
- mysql_real_escape_string($pkg_version),
+ db_escape_string($new_pkgbuild['pkgname']),
+ db_escape_string($new_pkgbuild['license']),
+ db_escape_string($pkg_version),
$category_id,
- mysql_real_escape_string($new_pkgbuild['pkgdesc']),
- mysql_real_escape_string($new_pkgbuild['url']),
+ db_escape_string($new_pkgbuild['pkgdesc']),
+ db_escape_string($new_pkgbuild['url']),
$uid,
$uid);
@@ -389,8 +389,8 @@ if ($uid):
$q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')",
$packageID,
- mysql_real_escape_string($deppkgname),
- mysql_real_escape_string($depcondition));
+ db_escape_string($deppkgname),
+ db_escape_string($depcondition));
db_query($q, $dbh);
}
@@ -401,7 +401,7 @@ if ($uid):
foreach ($sources as $src) {
if ($src != "" ) {
$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
- $q .= $packageID . ", '" . mysql_real_escape_string($src) . "')";
+ $q .= $packageID . ", '" . db_escape_string($src) . "')";
db_query($q, $dbh);
}
}
diff --git a/web/html/voters.php b/web/html/voters.php
index aa2aa50..02abe29 100644
--- a/web/html/voters.php
+++ b/web/html/voters.php
@@ -5,7 +5,7 @@ include('pkgfuncs.inc.php');
function getvotes($pkgid) {
$dbh = db_connect();
- $pkgid = mysql_real_escape_string($pkgid);
+ $pkgid = db_escape_string($pkgid);
$result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh);
return $result;
--
cgit v1.2.3-54-g00ecf