Migration to PDO database abstraction layer

diff --git a/wwwroot/backend/mysql/backend.inc b/wwwroot/backend/mysql/backend.inc
index 515b344aa00d701f4b52671bb35029d220fdd738..daba57b314d00aced86904a748ebd0d60c94d845 100644 (file)
--- a/wwwroot/backend/mysql/backend.inc
+++ b/wwwroot/backend/mysql/backend.inc
@@ -181,9 +181,9 @@ function getUserByLogin($login) {
 static function getNodeIdByName($name, $external_link=false) {
        global $db;
 
 static function getNodeIdByName($name, $external_link=false) {
        global $db;
 

-       $qh = sprintf('select node_id from nodes where node_name = "%s"', mysql_real_escape_string($name));
+       $qh = sprintf('select node_id from nodes where node_name = "%s"', db_escape_string($name));

        if ($external_link)
        if ($external_link)

-               $qh .= sprintf(' and external_link="%s"', mysql_real_escape_string($external_link));
+               $qh .= sprintf(' and external_link="%s"', db_escape_string($external_link));

 
        $set = $db->query($qh);
        $set->next();
 
        $set = $db->query($qh);
        $set->next();

diff --git a/wwwroot/inc/database.inc b/wwwroot/inc/database.inc
index e3781925afd812a1b151069f3692814e6e37584d..80a03a93711275078acf726b4ec75ff55cbe5182 100644 (file)
--- a/wwwroot/inc/database.inc
+++ b/wwwroot/inc/database.inc
@@ -1,160 +1,101 @@
 <?php
 <?php

-require ("result.inc");

 
 

-class CLASS_DATABASE {
+require("result.inc");

 
 

-/*
-var $Database="";
-var $User="";
-var $Password="";
-var $Url="";
-*/
-
-var $Master = true;
-var $_linkId = false;
-var $_url = "";
-var $_user = "";
-var $_password = "";
-var $_database = "";
-var $_halt_on_error = true;
-
-/*
-function CLASS_DATABASE ($database=DB_DATABASE,$user=DB_USER,$password=DB_PASS,$url=DB_HOST) {
-       $this->Database=$database;
-       $this->Password=$password;
-       $this->User=$user;
-       $this->Url=$url;
-*/
-
-function CLASS_DATABASE() {
-       $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE);
+function db_escape_string($str) {
+       global $db;
+       //This function should be used in whole project instead of *_escape_string() functions! 
+       //return mysql_escape_string($str); //XXX TODO $db->quote($str), mysql_real_escape_string() or pg_escape_string() should be used here!
+       return preg_replace('(^.|.$)', '', $db->quote($str)); //XXX HACK

 }
 
 }
 

-function connect($url,$user,$password,$database, $halt_on_error = true) {
-               global $error;
-               $this->_halt_on_error = $halt_on_error;
-               if ($this->_linkId == false) {
-                       $this->_linkId=mysql_connect($url, $user, $password);
-                       if ($this->_linkId == false) {
-                               $error='chcipla databaza';
-                               $this->exception($error);
-                               return false;
-                               //die();
-                       }// else {
-                        //     mysql_query('set character set utf8');
-                        //}
-                       $this->_url=$url;
-                       $this->_user=$user;
-                       $this->_password=$password;
+class CLASS_DATABASE extends PDO {
+       //All functions in this class are deprecated!
+       //Please use only native PDO functions!

 
 

-                       if ($this->_linkId == false || mysql_select_db($database, $this->_linkId) == false) {
-                               $this->exception("1Database failed.");
-                               return false;
-                               die();
-                       }
-                       $this->_database=$database;
-               }
-               return true;
-}
+       var $Master = true;
+       var $_linkId = false;
+       var $_url = "";
+       var $_user = "";
+       var $_password = "";
+       var $_database = "";
+       var $_halt_on_error = true;

 
 

-/* DEPRECATED!
-function closeMysql() {
-       mysql_close($this->_linkId);
-}
-*/
-
-function query($sql) {
-
-       $this->_linkId = false;
-       $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE);
-       $this->Master = true;
-
-       // Simple IDS, against automats
-       // When possible attack is detected, 
-       // query & session information is stored into log
-       // Looking for following string in SQL query:
-       // - "user()" (get cur. user)
-       // - "@@version" (get mysql version)
-       // - "AND 1=1" (blind sqli) (too many false positives?)
-       // - "information_schema" (for listing of tables, columns...)
-
-       // - "/*" (comment) (too many false positives?)
-       // - "--" (comment) (too many false positives?)
-
-       if (preg_match('/user\(\)/',$sql) || preg_match('/@@version/',$sql)
-       || preg_match('/information_schema/',$sql)|| preg_match('/AND 1=1/',$sql)
-       ) {
-               logger::log('SQL ALARM',$sql);
-               
+       function __construct() {
+               $this->connect(DB_HOST, DB_USER, DB_PASS, DB_DATABASE);

        }
 
        }
 

-       $this->_queryId = mysql_query($sql,$this->_linkId);
-
-       if ((isset($_SESSION['debugging']) && $_SESSION['debugging'])) {
-               echo $sql;
-               global $timer_start;
-               echo "<BR>".SubStr((Time()+SubStr(MicroTime(),0,8)-$timer_start),0,7);
-       }
+       protected function connect($host, $user, $password, $database, $halt_on_error = true) {
+               global $error;
+               parent::__construct("mysql:host=$host;dbname=$database", $user,
+                                   $password);
+               /*{
+                  $error='chcipla databaza';
+                  $this->exception($error); //deprecated
+                  }; */
+               $this->setAttribute(PDO::ATTR_STATEMENT_CLASS,
+                                   array('result', array($this)));

 
 

-       if ($this->_queryId == false) {
-               $this->exception("query failed ::$sql::");
+               $this->_halt_on_error = $halt_on_error;
+               $this->_url = $host;
+               $this->_user = $user;
+               $this->_password = $password;
+               /* if ($this->_linkId == false) {
+                  $this->_linkId=mysql_connect($host, $user, $password);
+                  if ($this->_linkId == false) {
+                  $error='chcipla databaza';
+                  $this->exception($error);
+                  return false;
+                  //die();
+                  }// else {
+                  //   mysql_query('set character set utf8');
+                  //}
+                  $this->_url=$host;
+                  $this->_user=$user;
+                  $this->_password=$password;
+
+                  if ($this->_linkId == false || mysql_select_db($database, $this->_linkId) == false) {
+                  $this->exception("1Database failed.");
+                  return false;
+                  die();
+                  }
+                  $this->_database=$database;
+                  }
+                */
+               return true;

        }
 
        }
 

-       return new result($this->_queryId, $sql);
-}
-
-/* DEPRECATED!
-function executequery($sql) { //same as query()!
-       return($this->query($sql));
-}
-
-function executetransaction($queries) {
-       $this->executequery("set autocommit=0");
-       if (is_array($queries)) {
-               foreach ($queries as $query) {
-                       $this->executequery($query);
+       function update($sql) { //DEPRECATED!!! Use $db->query($sql)->rowCount(); instead!!!
+               if (!$this->Master) {
+                       $this->_linkId = false;
+                       $this->connect(DB_HOST, DB_USER, DB_PASS, DB_DATABASE);
+                       $this->Master = true;

                }
                }

-       }
-       $this->executequery("commit");
-       $this->executequery("set autocommit=1");
-}

 
 

-function executeupdate($sql) {
-       return($this->update($sql));
-}
-*/
-
-function update($sql) {
-       if (!$this->Master) {
-               $this->_linkId = false;
-               $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE);
-                $this->Master = true;
-       }
-
-       $this->_queryId = @mysql_db_query($this->_database,$sql,$this->_linkId);
+               $this->_queryId = $this->query($sql);

                if ($this->_queryId == false) {
                        $this->exception("update failed.");
                }
                if ($this->_queryId == false) {
                        $this->exception("update failed.");
                }

-               $rows=@mysql_affected_rows($this->_linkId);
-               return($rows);
-}
+               $rows = @$this->_queryId->rowCount();
+               return ($rows);
+       }

 
 

-function getLastInsertId() {
-               return(@mysql_insert_id($this->_linkId));
-}
+       function getLastInsertId() {    //DEPRECATED!!! Use $db->lastInsertId(); instead!!!
+               return (@$this->lastInsertId());
+       }

 
 

-function exception($errorMessage) { //Internal only!
+       protected function exception($errorMessage) {

 
 

-       echo "<!-- ";
-       echo @mysql_error($this->_linkId)," (",@mysql_errno($this->_linkId),")";
-       echo "-->";
+               echo "<!-- ";
+               //echo @mysql_error($this->_linkId)," (",@mysql_errno($this->_linkId),")";
+               echo "-->";

 
 

-       if ($this->_halt_on_error) {
-               die("<pre>".$errorMessage."</pre>");
+               if ($this->_halt_on_error) {
+                       die("<pre>".$errorMessage."</pre>");

                } else {
                        echo $errorMessage."<br>";
                        return false;
                }
        }
 }
                } else {
                        echo $errorMessage."<br>";
                        return false;
                }
        }
 }

-?>
+

diff --git a/wwwroot/inc/eventz/add.inc b/wwwroot/inc/eventz/add.inc
index 7bd3f9a0727c9611a7ee31da13b123129ba23a0b..36986a76cbb467672ff1292b62b952107ee1af83 100644 (file)
--- a/wwwroot/inc/eventz/add.inc
+++ b/wwwroot/inc/eventz/add.inc
@@ -114,7 +114,7 @@ function add() {
     $params['node_parent']=$node_parent;
     $params['node_system_access']=$node_system_access;
     $params['node_creator']=$_SESSION['user_id'];
     $params['node_parent']=$node_parent;
     $params['node_system_access']=$node_system_access;
     $params['node_creator']=$_SESSION['user_id'];

-    $params['node_content']=mysql_escape_string($node_content);
+    $params['node_content']=db_escape_string($node_content);

     $params['external_link']=$external_link;
     nodes::addNode($params);
     return true;
     $params['external_link']=$external_link;
     nodes::addNode($params);
     return true;

diff --git a/wwwroot/inc/eventz/addEvent.inc b/wwwroot/inc/eventz/addEvent.inc
index 756cfe4d1deaa75472431698ec379e012e5c8f6e..90dfcee3dc1a664e1050414bd72fbdf62d6478f2 100644 (file)
--- a/wwwroot/inc/eventz/addEvent.inc
+++ b/wwwroot/inc/eventz/addEvent.inc
@@ -37,9 +37,9 @@ function addEvent() {
     $params['node_content'] .= "<br />node_parent: <a href='$node_parent'>".$node_parent."</a>";
     $params['node_content'] .= "<br />node_system_access: ".$node_system_access;
     $params['node_content'] .= "<br />node_creator: <a href='$node_creator'>".$node_creator."</a>";
     $params['node_content'] .= "<br />node_parent: <a href='$node_parent'>".$node_parent."</a>";
     $params['node_content'] .= "<br />node_system_access: ".$node_system_access;
     $params['node_content'] .= "<br />node_creator: <a href='$node_creator'>".$node_creator."</a>";

-    $params['node_content'] = mysql_real_escape_string($params['node_content']);
+    $params['node_content'] = db_escape_string($params['node_content']);

     nodes::addNode($params);
 
     return true;
 }
     nodes::addNode($params);
 
     return true;
 }

-?>
\ No newline at end of file
+?>

diff --git a/wwwroot/inc/eventz/addPlugin.inc b/wwwroot/inc/eventz/addPlugin.inc
index f127cf72bbf96d2df4adf9dee00f7119eeda70fe..706d6177bb4648b331d22876b88c51afc62c7ace 100644 (file)
--- a/wwwroot/inc/eventz/addPlugin.inc
+++ b/wwwroot/inc/eventz/addPlugin.inc
@@ -34,9 +34,9 @@ function addPlugin() {
     $params['node_content'] .= "<br />node_parent: <a href='$node_parent'>".$node_parent."</a>";
     $params['node_content'] .= "<br />node_system_access: ".$node_system_access;
     $params['node_content'] .= "<br />node_creator: <a href='$node_creator'>".$node_creator."</a>";
     $params['node_content'] .= "<br />node_parent: <a href='$node_parent'>".$node_parent."</a>";
     $params['node_content'] .= "<br />node_system_access: ".$node_system_access;
     $params['node_content'] .= "<br />node_creator: <a href='$node_creator'>".$node_creator."</a>";

-    $params['node_content'] = mysql_real_escape_string($params['node_content']);
+    $params['node_content'] = db_escape_string($params['node_content']);

     nodes::addNode($params);
 
     return true;
 }
     nodes::addNode($params);
 
     return true;
 }

-?>
\ No newline at end of file
+?>

diff --git a/wwwroot/inc/eventz/addTemplate.inc b/wwwroot/inc/eventz/addTemplate.inc
index 93648661c44e01681744e9600b2d3831eff001e8..682e2902e77402f6790ba911cfd07dc37bfa757f 100644 (file)
--- a/wwwroot/inc/eventz/addTemplate.inc
+++ b/wwwroot/inc/eventz/addTemplate.inc
@@ -13,7 +13,7 @@
         $params['node_creator'] = UBIK_ID;
         $params['node_parent'] = 2029360;
         $params['node_name'] = "addTemplate execute: node $add_template_id";
         $params['node_creator'] = UBIK_ID;
         $params['node_parent'] = 2029360;
         $params['node_name'] = "addTemplate execute: node $add_template_id";

-        $params['node_content'] = mysql_real_escape_string("addTemplate execute: node <a href='$add_template_id'>$add_template_id</a> by user ".$_SESSION['user_name']);
+        $params['node_content'] = db_escape_string("addTemplate execute: node <a href='$add_template_id'>$add_template_id</a> by user ".$_SESSION['user_name']);

         nodes::addNode($params);
 
         $set=$db->query("select node_content from nodes where node_id='$add_template_id'");
         nodes::addNode($params);
 
         $set=$db->query("select node_content from nodes where node_id='$add_template_id'");

diff --git a/wwwroot/inc/eventz/banlist.inc b/wwwroot/inc/eventz/banlist.inc
index 3f08d4d01cf9e0bd5bc26413e8ca025fb47ba620..8f14448b3f372f1613fff245f7d489f98aa2ba90 100644 (file)
--- a/wwwroot/inc/eventz/banlist.inc
+++ b/wwwroot/inc/eventz/banlist.inc
@@ -9,7 +9,7 @@ $error=$error_messages['EVENT_PERMISSION_ERROR'];
 return false;
 }
                $bans = explode(";",$_POST['bans']); // XXX sqli?
 return false;
 }
                $bans = explode(";",$_POST['bans']); // XXX sqli?

-               $bans = array_map('mysql_real_escape_string', $bans); 
+               $bans = array_map('db_escape_string', $bans); 

 
                $db->query("update node_access set node_permission='' where node_id=$node_id and node_permission='ban'");
                foreach ($bans as $ban) {
 
                $db->query("update node_access set node_permission='' where node_id=$node_id and node_permission='ban'");
                foreach ($bans as $ban) {

diff --git a/wwwroot/inc/eventz/configure.inc b/wwwroot/inc/eventz/configure.inc
index 8479152c035019886102c12cc4846f19b4a1679e..9024d16f7c96449a21fbeed7d12269c203720aac 100644 (file)
--- a/wwwroot/inc/eventz/configure.inc
+++ b/wwwroot/inc/eventz/configure.inc
@@ -42,11 +42,11 @@
                                }
                        }
 
                                }
                        }
 

-                       $node_vector=mysql_real_escape_string($_POST['node_vector']);
+                       $node_vector=db_escape_string($_POST['node_vector']);

                        $old_vector=$node['node_vector'];
                        if (is_numeric($_POST['template_id'])) $template_id=$_POST['template_id'];
                        $node_parent=intval($_POST['node_parent']);
                        $old_vector=$node['node_vector'];
                        if (is_numeric($_POST['template_id'])) $template_id=$_POST['template_id'];
                        $node_parent=intval($_POST['node_parent']);

-                       $node_created=mysql_real_escape_string($_POST['node_created']);
+                       $node_created=db_escape_string($_POST['node_created']);

                        $node_id=$node['node_id'];
 
 
                        $node_id=$node['node_id'];
 
 


@@ -64,10 +64,10 @@
                                $node_vector=$parent_node['node_vector'].";".$parent_node['node_id'];;
                        }
 
                                $node_vector=$parent_node['node_vector'].";".$parent_node['node_id'];;
                        }
 

-                       $node_name=mysql_real_escape_string($_POST['node_name']);
+                       $node_name=db_escape_string($_POST['node_name']);

 
 

-                       $node_external_access=mysql_real_escape_string($_POST['node_external_access']);
-                       $node_system_access=mysql_real_escape_string($_POST['node_system_access']);
+                       $node_external_access=db_escape_string($_POST['node_external_access']);
+                       $node_system_access=db_escape_string($_POST['node_system_access']);

 
                        require(INCLUDE_DIR.'htmlparse.inc');
                        global $htmlparse;
 
                        require(INCLUDE_DIR.'htmlparse.inc');
                        global $htmlparse;

diff --git a/wwwroot/inc/eventz/configure_content.inc b/wwwroot/inc/eventz/configure_content.inc
index 5d31e74c66f2667b7fc77c4f404ec3d467065008..27a43d98beab4a1bef4b9917aa9b53ed74bc3eba 100644 (file)
--- a/wwwroot/inc/eventz/configure_content.inc
+++ b/wwwroot/inc/eventz/configure_content.inc
@@ -14,7 +14,7 @@ function configure_content() {
         $params['node_creator'] = UBIK_ID;
         $params['node_parent'] = WARNING_ZONE;
         $params['node_name'] = "node $node_id configured as code";
         $params['node_creator'] = UBIK_ID;
         $params['node_parent'] = WARNING_ZONE;
         $params['node_name'] = "node $node_id configured as code";

-        $params['node_content'] = mysql_real_escape_string("node <a href=/id/$node_id>$node_id</a> added as code  by user ".$_SESSION['user_name']);
+        $params['node_content'] = db_escape_string("node <a href=/id/$node_id>$node_id</a> added as code  by user ".$_SESSION['user_name']);

         unset($_POST['code']);
         nodes::addNode($params);
     }
         unset($_POST['code']);
         nodes::addNode($params);
     }


@@ -34,11 +34,11 @@ function configure_content() {
             from nodes where node_id = '$node_id'";
     $db->query($qtiamat);
 
             from nodes where node_id = '$node_id'";
     $db->query($qtiamat);
 

-    $qu = "update nodes set node_content = '".mysql_real_escape_string($node_content)."' where node_id = '$node_id'";
+    $qu = "update nodes set node_content = '".db_escape_string($node_content)."' where node_id = '$node_id'";

     $result = $db->update($qu);
     $result = $db->update($qu);

-    $qu2 = "update node_content set node_content = '".mysql_real_escape_string($node_content)."' where node_id = '$node_id'";
+    $qu2 = "update node_content set node_content = '".db_escape_string($node_content)."' where node_id = '$node_id'";

     $result = $db->update($qu2);
 
     return true;
 }
     $result = $db->update($qu2);
 
     return true;
 }

-?>
\ No newline at end of file
+?>

diff --git a/wwwroot/inc/eventz/configure_node_name.inc b/wwwroot/inc/eventz/configure_node_name.inc
index a79c6bc604dc442bcfc211a7bc98a6d467816f60..1a4eaa6a51b8250bef8ae209564feeb3c7dd83f0 100644 (file)
--- a/wwwroot/inc/eventz/configure_node_name.inc
+++ b/wwwroot/inc/eventz/configure_node_name.inc
@@ -5,7 +5,7 @@ function configure_node_name() {
     $user_id=$_SESSION['user_id'];\r
 \r
     if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) {\r
     $user_id=$_SESSION['user_id'];\r
 \r
     if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) {\r

-        $node_name = mysql_real_escape_string($_POST['node_name']);\r
+        $node_name = db_escape_string($_POST['node_name']);\r

         $test=$node_name.'[Locked_OUT]';\r
 \r
         if(!empty($node_id)) {\r
         $test=$node_name.'[Locked_OUT]';\r
 \r
         if(!empty($node_id)) {\r


@@ -36,4 +36,4 @@ function configure_node_name() {
     }\r
     return true;\r
 }\r
     }\r
     return true;\r
 }\r

-?>
\ No newline at end of file
+?>\r

diff --git a/wwwroot/inc/eventz/configure_system_access.inc b/wwwroot/inc/eventz/configure_system_access.inc
index 014dff27c401db43ee8e5561156974c132628b67..338400ca3a4f34aa45c51441e308cfbdc05be418 100644 (file)
--- a/wwwroot/inc/eventz/configure_system_access.inc
+++ b/wwwroot/inc/eventz/configure_system_access.inc
@@ -3,7 +3,7 @@
                global $db,$error,$node;
                $node_id=$node['node_id'];
                $user_id=$_SESSION['user_id'];
                global $db,$error,$node;
                $node_id=$node['node_id'];
                $user_id=$_SESSION['user_id'];

-               $node_system_access=mysql_real_escape_string($_POST['node_system_access']);
+               $node_system_access=db_escape_string($_POST['node_system_access']);

 
                if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) {
 
 
                if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) {
 

diff --git a/wwwroot/inc/eventz/display.inc b/wwwroot/inc/eventz/display.inc
index 8b4a883957cc667348a93ff4aa3080279cd864d5..1793463cab663bccc57d135c9497abd420807268 100644 (file)
--- a/wwwroot/inc/eventz/display.inc
+++ b/wwwroot/inc/eventz/display.inc
@@ -226,13 +226,13 @@ if (!empty($_POST['template_event'])) {
        $descendant_count=$node['node_descendant_count'];
 
         if (isset($_POST['listing_amount']) && is_numeric($_POST['listing_amount'])) { 
        $descendant_count=$node['node_descendant_count'];
 
         if (isset($_POST['listing_amount']) && is_numeric($_POST['listing_amount'])) { 

-               $listing_amount=mysql_real_escape_string($_POST['listing_amount']);
+               $listing_amount=db_escape_string($_POST['listing_amount']);

        }elseif (!empty($_SESSION['listing_amount'])) $listing_amount=$_SESSION['listing_amount'];
         else $listing_amount=DEFAULT_LISTING_AMOUNT;
        $smarty->assign('listing_amount',$listing_amount);
 
        if (isset($_POST['listing_order']) && $_POST['listing_order']) {
        }elseif (!empty($_SESSION['listing_amount'])) $listing_amount=$_SESSION['listing_amount'];
         else $listing_amount=DEFAULT_LISTING_AMOUNT;
        $smarty->assign('listing_amount',$listing_amount);
 
        if (isset($_POST['listing_order']) && $_POST['listing_order']) {

-               $listing_order=mysql_real_escape_string($_POST['listing_order']);
+               $listing_order=db_escape_string($_POST['listing_order']);

        } elseif (!empty($_SESSION['listing_order'])) $listing_order=$_SESSION['listing_order'];
        else $listing_order=DEFAULT_LISTING_ORDER;
        $smarty->assign('listing_order',$listing_order);
        } elseif (!empty($_SESSION['listing_order'])) $listing_order=$_SESSION['listing_order'];
        else $listing_order=DEFAULT_LISTING_ORDER;
        $smarty->assign('listing_order',$listing_order);

diff --git a/wwwroot/inc/eventz/k_wallet.inc b/wwwroot/inc/eventz/k_wallet.inc
index 939ff79028c5819582e90e87c23e4cb6dd4ee749..863215f0a04a4c619b4e8a6ecea6bef31acf4b89 100644 (file)
--- a/wwwroot/inc/eventz/k_wallet.inc
+++ b/wwwroot/inc/eventz/k_wallet.inc
@@ -4,7 +4,7 @@ function k_wallet() {
 
 global $db,$node,$error;
 $user_id=$_SESSION['user_id'];
 
 global $db,$node,$error;
 $user_id=$_SESSION['user_id'];

-$k_request=mysql_real_escape_string($_POST['k_wallet']);
+$k_request=db_escape_string($_POST['k_wallet']);

 
 $kset=$db->query("select user_k from users where user_id='$user_id'");
 $kset->next();
 
 $kset=$db->query("select user_k from users where user_id='$user_id'");
 $kset->next();

diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc
index 5ebb3ae1a42b0b3186501c825c058af56b58e137..8f33e55e684b539d3cdcd0eb708b82577cd1eeb3 100644 (file)
--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -13,7 +13,7 @@ function jabberctl($command, $args) { //XXXTODO Move to some .inc file...
 function login_check($login, $password, $login_type='id') {
 
     global $db,$error,$node_id;
 function login_check($login, $password, $login_type='id') {
 
     global $db,$error,$node_id;

-               $login = mysql_real_escape_string($login); //Not SQLi in $password but be carefull
+               $login = db_escape_string($login); //Not SQLi in $password but be carefull

     $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
 
     $hash_query='(';
     $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
 
     $hash_query='(';

diff --git a/wwwroot/inc/eventz/put.inc b/wwwroot/inc/eventz/put.inc
index 06ec5634b7e27ac3b1449cb420e2e4df856a17b6..a688f5bd6146bfbff35b3c56c9edc144677e9353 100644 (file)
--- a/wwwroot/inc/eventz/put.inc
+++ b/wwwroot/inc/eventz/put.inc
@@ -2,8 +2,8 @@
 function put() {
 
 
 function put() {
 
 

-       if (!empty($_POST['nodeshell_id'])) $nodeshell_id = mysql_real_escape_string($_POST['nodeshell_id']);
-       else $nodeshell_id = mysql_real_escape_string($_POST['nodeshell_id_select']);
+       if (!empty($_POST['nodeshell_id'])) $nodeshell_id = db_escape_string($_POST['nodeshell_id']);
+       else $nodeshell_id = db_escape_string($_POST['nodeshell_id_select']);

 
        if (is_array($_POST['node_chosen'])) $put_array = $_POST['node_chosen'];
        else {
 
        if (is_array($_POST['node_chosen'])) $put_array = $_POST['node_chosen'];
        else {

diff --git a/wwwroot/inc/eventz/register.inc b/wwwroot/inc/eventz/register.inc
index 83c0f73215842967edadeeaf52ee614d78daf328..9ea7fe7bf3ab5a733bfa06e2367e3d5c57639ea8 100644 (file)
--- a/wwwroot/inc/eventz/register.inc
+++ b/wwwroot/inc/eventz/register.inc
@@ -2,13 +2,13 @@
 function register() {\r
     global $db, $error;\r
 \r
 function register() {\r
     global $db, $error;\r
 \r

-    $guild_id = mysql_real_escape_string(strip_tags(trim($_POST['guild_id'])));\r
-    $content = mysql_real_escape_string(strip_tags(trim($_POST['reg_content'])));\r
-    $email   = mysql_real_escape_string(strip_tags(trim($_POST['reg_email'])));\r
-    $login   = mysql_real_escape_string(strip_tags(trim($_POST['reg_login'])));\r
-    $xmpp    = mysql_real_escape_string(strtolower(strip_tags(trim($_POST['reg_login']))));\r
-    $pass    = mysql_real_escape_string($_POST['reg_pass']);\r
-    $pass2   = mysql_real_escape_string($_POST['reg_pass2']);\r
+    $guild_id = db_escape_string(strip_tags(trim($_POST['guild_id'])));\r
+    $content = db_escape_string(strip_tags(trim($_POST['reg_content'])));\r
+    $email   = db_escape_string(strip_tags(trim($_POST['reg_email'])));\r
+    $login   = db_escape_string(strip_tags(trim($_POST['reg_login'])));\r
+    $xmpp    = db_escape_string(strtolower(strip_tags(trim($_POST['reg_login']))));\r
+    $pass    = db_escape_string($_POST['reg_pass']);\r
+    $pass2   = db_escape_string($_POST['reg_pass2']);\r

     \r
     if (empty($login)) {\r
         $error = 'please enter your nick name';\r
     \r
     if (empty($login)) {\r
         $error = 'please enter your nick name';\r

diff --git a/wwwroot/inc/eventz/reset_password.inc b/wwwroot/inc/eventz/reset_password.inc
index ade11eeda969b279f35dc97ab54a95e1f7c84d58..9b0af652d4b7abf5c585255fa0335581b43b779d 100644 (file)
--- a/wwwroot/inc/eventz/reset_password.inc
+++ b/wwwroot/inc/eventz/reset_password.inc
@@ -1,11 +1,11 @@
 <?php
 function reset_password() {
     global $db,$error;
 <?php
 function reset_password() {
     global $db,$error;

-    $login = mysql_real_escape_string($_POST['login']);
-    $login_type = mysql_real_escape_string($_POST['login_type']);
-    $vercode = mysql_real_escape_string($_POST['vercode']);
-    $password1 = mysql_real_escape_string($_POST['new_password1']);
-    $password2 = mysql_real_escape_string($_POST['new_password2']);
+    $login = db_escape_string($_POST['login']);
+    $login_type = db_escape_string($_POST['login_type']);
+    $vercode = db_escape_string($_POST['vercode']);
+    $password1 = db_escape_string($_POST['new_password1']);
+    $password2 = db_escape_string($_POST['new_password2']);

 
     if ($login == '') {
         $error="Please enter name or id";
 
     if ($login == '') {
         $error="Please enter name or id";

diff --git a/wwwroot/inc/eventz/send.inc b/wwwroot/inc/eventz/send.inc
index 6ea91aa28f7672b0ecdbdfe62a697725bd51c2cc..a3389330b944edcb8cd8917f085c909adef519b4 100644 (file)
--- a/wwwroot/inc/eventz/send.inc
+++ b/wwwroot/inc/eventz/send.inc
@@ -8,9 +8,9 @@ $error="Ak sa toto stane a citas tuto spravu chod navstivit buglist....ak robis
 return false;
 }
 
 return false;
 }
 

-                $user_id=mysql_real_escape_string($_SESSION['user_id']);
-                $user_name=mysql_real_escape_string($_SESSION['user_name']);
-                $mail_name=mysql_real_escape_string($_POST['mail_to']);
+                $user_id=db_escape_string($_SESSION['user_id']);
+                $user_name=db_escape_string($_SESSION['user_name']);
+                $mail_name=db_escape_string($_POST['mail_to']);

 
                if (!$mail_name) {
                                    global $error;
 
                if (!$mail_name) {
                                    global $error;


@@ -70,7 +70,7 @@ return false;
 
                 if ($mail_to_id) {
 
 
                 if ($mail_to_id) {
 

-                        $mail_text=mysql_real_escape_string(nodes::processContent($mail_text));
+                        $mail_text=db_escape_string(nodes::processContent($mail_text));

 global $htmlparse;
 if ($htmlparse) {
 $error=$htmlparse;
 global $htmlparse;
 if ($htmlparse) {
 $error=$htmlparse;


@@ -88,7 +88,7 @@ mail_to='$mail_to_id_send',mail_timestamp=NOW()";
                        $result=$db->query($q);
                        $db->query("update users set user_mail=user_mail+1,".
                        //"user_mail_name='$user_name',". //Not in DB yet!
                        $result=$db->query($q);
                        $db->query("update users set user_mail=user_mail+1,".
                        //"user_mail_name='$user_name',". //Not in DB yet!

-                       "user_mail_id='".mysql_real_escape_string($_SESSION['user_id'])."' where user_id='$mail_to_id_send'");
+                       "user_mail_id='".db_escape_string($_SESSION['user_id'])."' where user_id='$mail_to_id_send'");

                 }
             return true;
 
                 }
             return true;
 

diff --git a/wwwroot/inc/eventz/set_external_link.inc b/wwwroot/inc/eventz/set_external_link.inc
index e272c74e264cfbd1c916d0eba60b3824b4649398..eb1a868b4a8ee5ca49ea01c4be08f889eef2ac03 100644 (file)
--- a/wwwroot/inc/eventz/set_external_link.inc
+++ b/wwwroot/inc/eventz/set_external_link.inc
@@ -2,8 +2,8 @@
 function set_external_link() {
         global $error,$node,$db;
 
 function set_external_link() {
         global $error,$node,$db;
 

-        $new_exlink = mysql_real_escape_string($_POST['external_link']);
-        $node_id = mysql_real_escape_string($node['node_id']);
+        $new_exlink = db_escape_string($_POST['external_link']);
+        $node_id = db_escape_string($node['node_id']);

         $node_permission=$node['node_permission'];
         $find = '://';
         $validation = strpos($new_exlink, $find);
         $node_permission=$node['node_permission'];
         $find = '://';
         $validation = strpos($new_exlink, $find);


@@ -25,4 +25,4 @@ function set_external_link() {
          }
     }
 
          }
     }
 

-?>
\ No newline at end of file
+?>

diff --git a/wwwroot/inc/eventz/set_header_template.inc b/wwwroot/inc/eventz/set_header_template.inc
index 6743687d3e86ed0dcc4343981ccfca37b48777a2..f3f5d0b95e2b31198a238caab2ade3dac683d0dd 100644 (file)
--- a/wwwroot/inc/eventz/set_header_template.inc
+++ b/wwwroot/inc/eventz/set_header_template.inc
@@ -2,7 +2,7 @@
 // modifikacia ktora dovoli natiahnut iba spravny header template
 function set_header_template() {
 global $db,$error;
 // modifikacia ktora dovoli natiahnut iba spravny header template
 function set_header_template() {
 global $db,$error;

-$header_id=mysql_real_escape_string($_POST['header_id']);
+$header_id=db_escape_string($_POST['header_id']);

 $user_id=$_SESSION['user_id'];
 
 if (!$user_id) {
 $user_id=$_SESSION['user_id'];
 
 if (!$user_id) {


@@ -21,4 +21,4 @@ $db->query("update users set header_id='$header_id' where user_id='$user_id'");
 $_SESSION['header_id']=$header_id;
 }
 
 $_SESSION['header_id']=$header_id;
 }
 

-?>
\ No newline at end of file
+?>

diff --git a/wwwroot/inc/eventz/set_time_lock.inc b/wwwroot/inc/eventz/set_time_lock.inc
index 4fc6ffda64e42ec734eb5128ad0cddd6c60077a8..b5d0f16ce64de0b0bbdf7945f6a23843f6ac9feb 100644 (file)
--- a/wwwroot/inc/eventz/set_time_lock.inc
+++ b/wwwroot/inc/eventz/set_time_lock.inc
@@ -2,13 +2,13 @@
 function set_time_lock(){
 global $db,$error;
 $user_id = $_SESSION['user_id'];
 function set_time_lock(){
 global $db,$error;
 $user_id = $_SESSION['user_id'];

-$nick=mysql_real_escape_string($_SESSION['user_name']);
+$nick=db_escape_string($_SESSION['user_name']);

 $nick=$nick . '[Locked_OUT]';
 $nick=$nick . '[Locked_OUT]';

-$hodina=mysql_real_escape_string($_POST['hodina']);
-$minuta=mysql_real_escape_string($_POST['minuta']);
-$den=mysql_real_escape_string($_POST['den']);
-$mesiac=mysql_real_escape_string($_POST['mesiac']);
-$rok=mysql_real_escape_string($_POST['rok']);
+$hodina=db_escape_string($_POST['hodina']);
+$minuta=db_escape_string($_POST['minuta']);
+$den=db_escape_string($_POST['den']);
+$mesiac=db_escape_string($_POST['mesiac']);
+$rok=db_escape_string($_POST['rok']);

 
 $now=date("Y-m-d H:i:s");
 $til_lockout="$rok-$mesiac-$den $hodina:$minuta:00";
 
 $now=date("Y-m-d H:i:s");
 $til_lockout="$rok-$mesiac-$den $hodina:$minuta:00";

diff --git a/wwwroot/inc/eventz/unset_time_lock.inc b/wwwroot/inc/eventz/unset_time_lock.inc
index 5ba4036057b68f79bfaa0ef0fd0d0bd73e6249d3..2be4901b0f85fdf808ca9f0c7cd631aed9b95799 100644 (file)
--- a/wwwroot/inc/eventz/unset_time_lock.inc
+++ b/wwwroot/inc/eventz/unset_time_lock.inc
@@ -9,7 +9,7 @@ $kset=$db->query("select login from users where user_id='$user_id'");
 $kset->next();
 $nick=$kset->getString('login');
 $exploded=explode("[Locked_OUT]", $nick);
 $kset->next();
 $nick=$kset->getString('login');
 $exploded=explode("[Locked_OUT]", $nick);

-$nick=mysql_real_escape_string($exploded[0]);
+$nick=db_escape_string($exploded[0]);

 
 
   $q="update nodes set node_name='$nick' where node_id=$user_id";
 
 
   $q="update nodes set node_name='$nick' where node_id=$user_id";

diff --git a/wwwroot/inc/eventz/verify.inc b/wwwroot/inc/eventz/verify.inc
index 2ee01875fdec6d38b252fa19bda3245193172464..7eb9008f6050921d92f806635a527cf9a3678cc7 100644 (file)
--- a/wwwroot/inc/eventz/verify.inc
+++ b/wwwroot/inc/eventz/verify.inc
@@ -2,8 +2,8 @@
 function verify(){
 
 global $db;
 function verify(){
 
 global $db;

-$uvercode=mysql_real_escape_string($_POST['vc']);
-$login=mysql_real_escape_string($_POST['login']);
+$uvercode=db_escape_string($_POST['vc']);
+$login=db_escape_string($_POST['login']);

 
 $kset=$db->query("select user_id,guild_id from users where login='$login'");
 $kset->next();
 
 $kset=$db->query("select user_id,guild_id from users where login='$login'");
 $kset->next();

diff --git a/wwwroot/inc/nodes.inc b/wwwroot/inc/nodes.inc
index c7998508cfe47ba22df22b360b51ddccc2b62d9c..8553edd92c066b1b2f955665c0462ed2884dc112 100644 (file)
--- a/wwwroot/inc/nodes.inc
+++ b/wwwroot/inc/nodes.inc
@@ -50,7 +50,7 @@ function processContent_hack($node_content) {
                 }
 
                 $node_content = eregi_Replace("((( )|(\n)|(^))+)(http://|ftp://|https://)([[:alnum:]][^,[:space:]]*)","\\2<a target='_blank' href=\"\\6\\7\">\\6\\7</a>",$node_content);
                 }
 
                 $node_content = eregi_Replace("((( )|(\n)|(^))+)(http://|ftp://|https://)([[:alnum:]][^,[:space:]]*)","\\2<a target='_blank' href=\"\\6\\7\">\\6\\7</a>",$node_content);

-               //$node_content = mysql_real_escape_string($node_content); once is enough
+               //$node_content = db_escape_string($node_content); once is enough

         }
 
         return $node_content;
         }
 
         return $node_content;

diff --git a/wwwroot/inc/result.inc b/wwwroot/inc/result.inc
index ce96b198482319f0baf6a8c2942fcf7b54b3f719..ab421a612c789458d810246fc78b3c4879b7b48c 100644 (file)
--- a/wwwroot/inc/result.inc
+++ b/wwwroot/inc/result.inc
@@ -1,5 +1,9 @@
 <?php
 <?php

-class result {
+
+class result extends PDOStatement {
+       //All functions in this class are deprecated!
+       //Please use only native PDOStatement functions!
+

        var $_numRows = 0;
        var $_numFields = 0;
        var $_currentRow = -1;
        var $_numRows = 0;
        var $_numFields = 0;
        var $_currentRow = -1;


@@ -7,101 +11,45 @@ class result {
        var $_queryId = false;
        var $_sql = "";
 
        var $_queryId = false;
        var $_sql = "";
 

-function result($queryId, $sql) {
-       $this->_queryId = $queryId;
-       $this->_sql = $sql;
-       if ($this->_queryId != false) {
-               $this->_numRows = @mysql_num_rows($this->_queryId);
-               $this->_numFields = @mysql_num_fields($this->_queryId);
+       public $dbh;
+       protected function __construct($dbh) {
+               $this->dbh = $dbh;
+
+               $this->_numRows = @$this->rowCount();
+               //$this->_numFields = @mysql_num_fields($this->_queryId);

                $this->_currentRow = -1;
                $this->_currentRecord = array();
                $this->_currentRow = -1;
                $this->_currentRecord = array();

-       } else {
-               $this->exception("result failed.");

        }
        }

-}

 
 

- function next() {
-       if ($this->_currentRow + 1 >= $this->_numRows) {
-               return false;
-       } else {
-               $this->_currentRecord = @mysql_fetch_assoc($this->_queryId);
-               $this->_currentRow++;
-               return true;
+       function next() {       //DEPRECATED!!! Use $this->fetch(); instead!!!
+               if ($this->_currentRow + 1 >= $this->_numRows) {
+                       return false;
+               } else {
+                       $this->_currentRecord = @$this->fetch();
+                       $this->_currentRow++;
+                       return true;
+               }

        }
        }

-}

 
 

-/* DEPRECATED!
-function absolute($row) {
-       if ($row > 0) {
-// positive row number
-       @mysql_data_seek($this->_queryId, $row-1);
-               $this->_currentRecord = @mysql_fetch_assoc($this->_queryId);
-               $this->_currentRow = $row;
-       } elseif ($row < 0) {
-               // not implemented yet
-       } else {
-               $this->exception("Cannot absolute position to row 0");
+       function getRecord() {  //DEPRECATED!!! Use $this->fetch(); instead!!!
+               return $this->_currentRecord;

        }
        }

-}
-*/

 
 

-function getRecord() {
-       return $this->_currentRecord;
-}
-
-function getString($column) {
-       if (is_int($column) == true) {
-               return (string)$this->_currentRecord[$column-1];
-       } else {
-               return (string)$this->_currentRecord["$column"];
+       function getString($column) {   //DEPRECATED!!! Use $this->fetch(); instead!!!
+               if (is_int($column) == true) {
+                       return (string) $this->_currentRecord[$column - 1];
+               } else {
+                       return (string) $this->_currentRecord["$column"];
+               }

        }
        }

-}

 
 

-function getInt($column) {
-       if (is_int($column) == true) {
-               return (int)$this->_currentRecord[$column-1];
-       } else {
-               return (int)$this->_currentRecord["$column"];
+       function getInt($column) {      //DEPRECATED!!! Use $this->fetch(); instead!!!
+               $this->getString(); //Dynamic typing OMG...

        }
        }

-}
-
-/* DEPRECATED!
-function getVariable($column) {
-       return (int)$this->_currentRecord["$column"];

 
 

-}
-
-function getDouble() {
-       if (is_int($column) == true) {
-               return (double)$this->_currentRecord[$column-1];
-       } else {
-               return (double)$this->_currentRecord["$column"];
-       }
-}
-
-function getRow() {
-       if ($this->_currentRow < 0) {
-           return 0;
-       } else {
-       return $this->_currentRow + 1;
+       function getNumRows() { //DEPRECATED!!! Use $this->rowCount(); instead!!!
+               return $this->_numRows;

        }
        }

-}
-*/
-
-function getNumRows() {
-       return $this->_numRows;
-}
-
-/* DEPRECATED!
-function getNumFields() {
-       return $this->_numFields;
-}
-*/
-
-function exception($errorMsg) { //Internal only!
-       die("<pre>SQLException: ".$msg."</pre>");
-}

 
 }
 
 
 }
 

-?>

diff --git a/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php b/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php
index 77552050f94fb8b70b14a8a9330734e66bc7cfce..ba6dab7b41b6e216a76ee0aaba85e869ee997cdb 100644 (file)
--- a/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php
+++ b/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php
@@ -1,14 +1,14 @@
 <?php
 function smarty_function_get_id_by_name($params,&$smarty) {
 <?php
 function smarty_function_get_id_by_name($params,&$smarty) {

-    $name = mysql_real_escape_string($params['name']);
-    global $db;
-    $q="select user_id from users where login='$name'";
-    $set=$db->query($q);
-    if ($set->getNumRows() > 0) {
-        $set->next();
-        $id=$set->getString('user_id');
-    }
-    else $id = '1';
-    $smarty->assign('get_id_by_name',$id);
+       $name = db_escape_string($params['name']);
+       global $db;
+       $q="select user_id from users where login='$name'";
+       $set=$db->query($q);
+       if ($set && $set->getNumRows() > 0) {
+               $set->next();
+               $id=$set->getString('user_id');
+       }
+       else $id = '1';
+       $smarty->assign('get_id_by_name',$id);

 }
 }

-?>
\ No newline at end of file
+

diff --git a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php
index dc9c011cde8436451f34be8bfeee1a937e0eaebd..b392c5155012fa0637da8c127aec10794c08aa83 100644 (file)
--- a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php
+++ b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php
@@ -32,7 +32,7 @@ if ($params['time']) $sql_time=" nodes.node_created > '".addslashes($params['tim
                 if ($_POST['search_type']=='content')
                                         $sql_type.=" and node_content like '%".addslashes($_POST['node_content'])."%' ";
                else {
                 if ($_POST['search_type']=='content')
                                         $sql_type.=" and node_content like '%".addslashes($_POST['node_content'])."%' ";
                else {

-                       $q2="select user_id from users where login='".mysql_real_escape_string($_POST['node_content'])."'";
+                       $q2="select user_id from users where login='".db_escape_string($_POST['node_content'])."'";

                        $userset=$db->query($q2);
                        $userset->next();
                        $id=$userset->getString('user_id');
                        $userset=$db->query($q2);
                        $userset->next();
                        $id=$userset->getString('user_id');

diff --git a/wwwroot/inc/smarty/resource.kyberia.php b/wwwroot/inc/smarty/resource.kyberia.php
index 1e4a7c1cc79ed32aaa2d0a06ab85115adb84e73b..895bb94f141cca8d8b0cfc89e8a0e2dc26a0eb5e 100644 (file)
--- a/wwwroot/inc/smarty/resource.kyberia.php
+++ b/wwwroot/inc/smarty/resource.kyberia.php
@@ -15,7 +15,7 @@ function db_get_template ($tpl_name, &$tpl_source, &$smarty_obj) {
         $params['node_creator'] = UBIK_ID;
         $params['node_parent'] = 2029360;
         $params['node_name'] = "addTemplate execute: node $add_template_id";
         $params['node_creator'] = UBIK_ID;
         $params['node_parent'] = 2029360;
         $params['node_name'] = "addTemplate execute: node $add_template_id";

-        $params['node_content'] = mysql_real_escape_string("addTemplate execute: node <a href='$add_template_id'>$add_template_id</a> by user ".$_SESSION['user_name']);
+        $params['node_content'] = db_escape_string("addTemplate execute: node <a href='$add_template_id'>$add_template_id</a> by user ".$_SESSION['user_name']);

         nodes::addNode($params);
                                */
                                /*
         nodes::addNode($params);
                                */
                                /*