From: Harvie Date: Sat, 14 May 2011 00:38:10 +0000 (+0200) Subject: Migration to PDO database abstraction layer X-Git-Url: https://git.harvie.cz/?p=mirrors%2FKyberia-bloodline.git;a=commitdiff_plain;h=78f1a5f44941de2459b71c375e36cf88227c689c Migration to PDO database abstraction layer --- diff --git a/wwwroot/backend/mysql/backend.inc b/wwwroot/backend/mysql/backend.inc index 515b344..daba57b 100644 --- a/wwwroot/backend/mysql/backend.inc +++ b/wwwroot/backend/mysql/backend.inc @@ -181,9 +181,9 @@ function getUserByLogin($login) { static function getNodeIdByName($name, $external_link=false) { global $db; - $qh = sprintf('select node_id from nodes where node_name = "%s"', mysql_real_escape_string($name)); + $qh = sprintf('select node_id from nodes where node_name = "%s"', db_escape_string($name)); if ($external_link) - $qh .= sprintf(' and external_link="%s"', mysql_real_escape_string($external_link)); + $qh .= sprintf(' and external_link="%s"', db_escape_string($external_link)); $set = $db->query($qh); $set->next(); diff --git a/wwwroot/inc/database.inc b/wwwroot/inc/database.inc index e378192..80a03a9 100644 --- a/wwwroot/inc/database.inc +++ b/wwwroot/inc/database.inc 
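Review bot: In both rewritten sprintf() calls of getNodeIdByName() the escaped value is substituted into a double-quoted SQL literal (`"%s"`), while db_escape_string() now derives its output from PDO::quote(), which builds a single-quoted literal with driver-specific escaping. On the mysql driver that is equivalent to the old mysql_real_escape_string() call, but a driver that escapes by doubling single quotes (pgsql does) would leave a double-quoted context unprotected, and MySQL itself reads double quotes as identifier delimiters under ANSI_QUOTES. Since `$db` is now a PDO object, a bound parameter avoids the question entirely: `$set = $db->prepare('select node_id from nodes where node_name = ?'); $set->execute(array($name));` — with the optional external_link clause bound the same way. The `result` statement wrapper in this commit reads rowCount() in its constructor, so confirm next() still sees rows on a prepared (not query()'d) statement before switching; getNodeIdByName() continues past the hunk.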
@@ -1,160 +1,101 @@ Database=$database; - $this->Password=$password; - $this->User=$user; - $this->Url=$url; -*/ - -function CLASS_DATABASE() { - $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE); +function db_escape_string($str) { + global $db; + //This function should be used in whole project instead of *_escape_string() functions! + //return mysql_escape_string($str); //XXX TODO $db->quote($str), mysql_real_escape_string() or pg_escape_string() should be used here! + return preg_replace('(^.|.$)', '', $db->quote($str)); //XXX HACK } -function connect($url,$user,$password,$database, $halt_on_error = true) { - global $error; - $this->_halt_on_error = $halt_on_error; - if ($this->_linkId == false) { - $this->_linkId=mysql_connect($url, $user, $password); - if ($this->_linkId == false) { - $error='chcipla databaza'; - $this->exception($error); - return false; - //die(); - }// else { - // mysql_query('set character set utf8'); - //} - $this->_url=$url; - $this->_user=$user; - $this->_password=$password; +class CLASS_DATABASE extends PDO { + //All functions in this class are deprecated! + //Please use only native PDO functions! - if ($this->_linkId == false || mysql_select_db($database, $this->_linkId) == false) { - $this->exception("1Database failed."); - return false; - die(); - } - $this->_database=$database; - } - return true; -} + var $Master = true; + var $_linkId = false; + var $_url = ""; + var $_user = ""; + var $_password = ""; + var $_database = ""; + var $_halt_on_error = true; -/* DEPRECATED! -function closeMysql() { - mysql_close($this->_linkId); -} -*/ - -function query($sql) { - - $this->_linkId = false; - $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE); - $this->Master = true; - - // Simple IDS, against automats - // When possible attack is detected, - // query & session information is stored into log - // Looking for following string in SQL query: - // - "user()" (get cur. 
user) - // - "@@version" (get mysql version) - // - "AND 1=1" (blind sqli) (too many false positives?) - // - "information_schema" (for listing of tables, columns...) - - // - "/*" (comment) (too many false positives?) - // - "--" (comment) (too many false positives?) - - if (preg_match('/user\(\)/',$sql) || preg_match('/@@version/',$sql) - || preg_match('/information_schema/',$sql)|| preg_match('/AND 1=1/',$sql) - ) { - logger::log('SQL ALARM',$sql); - + function __construct() { + $this->connect(DB_HOST, DB_USER, DB_PASS, DB_DATABASE); } - $this->_queryId = mysql_query($sql,$this->_linkId); - - if ((isset($_SESSION['debugging']) && $_SESSION['debugging'])) { - echo $sql; - global $timer_start; - echo "
".SubStr((Time()+SubStr(MicroTime(),0,8)-$timer_start),0,7); - } + protected function connect($host, $user, $password, $database, $halt_on_error = true) { + global $error; + parent::__construct("mysql:host=$host;dbname=$database", $user, + $password); + /*{ + $error='chcipla databaza'; + $this->exception($error); //deprecated + }; */ + $this->setAttribute(PDO::ATTR_STATEMENT_CLASS, + array('result', array($this))); - if ($this->_queryId == false) { - $this->exception("query failed ::$sql::"); + $this->_halt_on_error = $halt_on_error; + $this->_url = $host; + $this->_user = $user; + $this->_password = $password; + /* if ($this->_linkId == false) { + $this->_linkId=mysql_connect($host, $user, $password); + if ($this->_linkId == false) { + $error='chcipla databaza'; + $this->exception($error); + return false; + //die(); + }// else { + // mysql_query('set character set utf8'); + //} + $this->_url=$host; + $this->_user=$user; + $this->_password=$password; + + if ($this->_linkId == false || mysql_select_db($database, $this->_linkId) == false) { + $this->exception("1Database failed."); + return false; + die(); + } + $this->_database=$database; + } + */ + return true; } - return new result($this->_queryId, $sql); -} - -/* DEPRECATED! -function executequery($sql) { //same as query()! - return($this->query($sql)); -} - -function executetransaction($queries) { - $this->executequery("set autocommit=0"); - if (is_array($queries)) { - foreach ($queries as $query) { - $this->executequery($query); + function update($sql) { //DEPRECATED!!! Use $db->query($sql)->rowCount(); instead!!! 
+ if (!$this->Master) { + $this->_linkId = false; + $this->connect(DB_HOST, DB_USER, DB_PASS, DB_DATABASE); + $this->Master = true; } - } - $this->executequery("commit"); - $this->executequery("set autocommit=1"); -} -function executeupdate($sql) { - return($this->update($sql)); -} -*/ - -function update($sql) { - if (!$this->Master) { - $this->_linkId = false; - $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE); - $this->Master = true; - } - - $this->_queryId = @mysql_db_query($this->_database,$sql,$this->_linkId); + $this->_queryId = $this->query($sql); if ($this->_queryId == false) { $this->exception("update failed."); } - $rows=@mysql_affected_rows($this->_linkId); - return($rows); -} + $rows = @$this->_queryId->rowCount(); + return ($rows); + } -function getLastInsertId() { - return(@mysql_insert_id($this->_linkId)); -} + function getLastInsertId() { //DEPRECATED!!! Use $db->lastInsertId(); instead!!! + return (@$this->lastInsertId()); + } -function exception($errorMessage) { //Internal only! + protected function exception($errorMessage) { - echo ""; + echo ""; - if ($this->_halt_on_error) { - die("
".$errorMessage."
"); + if ($this->_halt_on_error) { + die("
".$errorMessage."
"); } else { echo $errorMessage."
"; return false; } } } -?> + diff --git a/wwwroot/inc/eventz/add.inc b/wwwroot/inc/eventz/add.inc index 7bd3f9a..36986a7 100644 --- a/wwwroot/inc/eventz/add.inc +++ b/wwwroot/inc/eventz/add.inc @@ -114,7 +114,7 @@ function add() { $params['node_parent']=$node_parent; $params['node_system_access']=$node_system_access; $params['node_creator']=$_SESSION['user_id']; - $params['node_content']=mysql_escape_string($node_content); + $params['node_content']=db_escape_string($node_content); $params['external_link']=$external_link; nodes::addNode($params); return true; diff --git a/wwwroot/inc/eventz/addEvent.inc b/wwwroot/inc/eventz/addEvent.inc index 756cfe4..90dfcee 100644 --- a/wwwroot/inc/eventz/addEvent.inc +++ b/wwwroot/inc/eventz/addEvent.inc @@ -37,9 +37,9 @@ function addEvent() { $params['node_content'] .= "
node_parent: ".$node_parent.""; $params['node_content'] .= "
node_system_access: ".$node_system_access; $params['node_content'] .= "
node_creator: ".$node_creator.""; - $params['node_content'] = mysql_real_escape_string($params['node_content']); + $params['node_content'] = db_escape_string($params['node_content']); nodes::addNode($params); return true; } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/addPlugin.inc b/wwwroot/inc/eventz/addPlugin.inc index f127cf7..706d617 100644 --- a/wwwroot/inc/eventz/addPlugin.inc +++ b/wwwroot/inc/eventz/addPlugin.inc @@ -34,9 +34,9 @@ function addPlugin() { $params['node_content'] .= "
node_parent: ".$node_parent.""; $params['node_content'] .= "
node_system_access: ".$node_system_access; $params['node_content'] .= "
node_creator: ".$node_creator.""; - $params['node_content'] = mysql_real_escape_string($params['node_content']); + $params['node_content'] = db_escape_string($params['node_content']); nodes::addNode($params); return true; } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/addTemplate.inc b/wwwroot/inc/eventz/addTemplate.inc index 9364866..682e290 100644 --- a/wwwroot/inc/eventz/addTemplate.inc +++ b/wwwroot/inc/eventz/addTemplate.inc @@ -13,7 +13,7 @@ $params['node_creator'] = UBIK_ID; $params['node_parent'] = 2029360; $params['node_name'] = "addTemplate execute: node $add_template_id"; - $params['node_content'] = mysql_real_escape_string("addTemplate execute: node $add_template_id by user ".$_SESSION['user_name']); + $params['node_content'] = db_escape_string("addTemplate execute: node $add_template_id by user ".$_SESSION['user_name']); nodes::addNode($params); $set=$db->query("select node_content from nodes where node_id='$add_template_id'"); diff --git a/wwwroot/inc/eventz/banlist.inc b/wwwroot/inc/eventz/banlist.inc index 3f08d4d..8f14448 100644 --- a/wwwroot/inc/eventz/banlist.inc +++ b/wwwroot/inc/eventz/banlist.inc @@ -9,7 +9,7 @@ $error=$error_messages['EVENT_PERMISSION_ERROR']; return false; } $bans = explode(";",$_POST['bans']); // XXX sqli? - $bans = array_map('mysql_real_escape_string', $bans); + $bans = array_map('db_escape_string', $bans); $db->query("update node_access set node_permission='' where node_id=$node_id and node_permission='ban'"); foreach ($bans as $ban) { diff --git a/wwwroot/inc/eventz/configure.inc b/wwwroot/inc/eventz/configure.inc index 8479152..9024d16 100644 --- a/wwwroot/inc/eventz/configure.inc +++ b/wwwroot/inc/eventz/configure.inc 
@@ -42,11 +42,11 @@ } } - $node_vector=mysql_real_escape_string($_POST['node_vector']); + $node_vector=db_escape_string($_POST['node_vector']); $old_vector=$node['node_vector']; if (is_numeric($_POST['template_id'])) $template_id=$_POST['template_id']; $node_parent=intval($_POST['node_parent']); - $node_created=mysql_real_escape_string($_POST['node_created']); + $node_created=db_escape_string($_POST['node_created']); $node_id=$node['node_id']; @@ -64,10 +64,10 @@ $node_vector=$parent_node['node_vector'].";".$parent_node['node_id'];; } - $node_name=mysql_real_escape_string($_POST['node_name']); + $node_name=db_escape_string($_POST['node_name']); - $node_external_access=mysql_real_escape_string($_POST['node_external_access']); - $node_system_access=mysql_real_escape_string($_POST['node_system_access']); + $node_external_access=db_escape_string($_POST['node_external_access']); + $node_system_access=db_escape_string($_POST['node_system_access']); require(INCLUDE_DIR.'htmlparse.inc'); global $htmlparse; diff --git a/wwwroot/inc/eventz/configure_content.inc b/wwwroot/inc/eventz/configure_content.inc index 5d31e74..27a43d9 100644 --- a/wwwroot/inc/eventz/configure_content.inc +++ b/wwwroot/inc/eventz/configure_content.inc @@ -14,7 +14,7 @@ function configure_content() { $params['node_creator'] = UBIK_ID; $params['node_parent'] = WARNING_ZONE; $params['node_name'] = "node $node_id configured as code"; - $params['node_content'] = mysql_real_escape_string("node $node_id added as code by user ".$_SESSION['user_name']); + $params['node_content'] = db_escape_string("node $node_id added as code by user ".$_SESSION['user_name']); unset($_POST['code']); nodes::addNode($params); } 
@@ -34,11 +34,11 @@ function configure_content() { from nodes where node_id = '$node_id'"; $db->query($qtiamat); - $qu = "update nodes set node_content = '".mysql_real_escape_string($node_content)."' where node_id = '$node_id'"; + $qu = "update nodes set node_content = '".db_escape_string($node_content)."' where node_id = '$node_id'"; $result = $db->update($qu); - $qu2 = "update node_content set node_content = '".mysql_real_escape_string($node_content)."' where node_id = '$node_id'"; + $qu2 = "update node_content set node_content = '".db_escape_string($node_content)."' where node_id = '$node_id'"; $result = $db->update($qu2); return true; } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/configure_node_name.inc b/wwwroot/inc/eventz/configure_node_name.inc index a79c6bc..1a4eaa6 100644 --- a/wwwroot/inc/eventz/configure_node_name.inc +++ b/wwwroot/inc/eventz/configure_node_name.inc @@ -5,7 +5,7 @@ function configure_node_name() { $user_id=$_SESSION['user_id']; if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) { - $node_name = mysql_real_escape_string($_POST['node_name']); + $node_name = db_escape_string($_POST['node_name']); $test=$node_name.'[Locked_OUT]'; if(!empty($node_id)) { @@ -36,4 +36,4 @@ function configure_node_name() { } return true; } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/configure_system_access.inc b/wwwroot/inc/eventz/configure_system_access.inc index 014dff2..338400c 100644 --- a/wwwroot/inc/eventz/configure_system_access.inc +++ b/wwwroot/inc/eventz/configure_system_access.inc @@ -3,7 +3,7 @@ global $db,$error,$node; $node_id=$node['node_id']; $user_id=$_SESSION['user_id']; - $node_system_access=mysql_real_escape_string($_POST['node_system_access']); + $node_system_access=db_escape_string($_POST['node_system_access']); if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) { 
diff --git a/wwwroot/inc/eventz/display.inc b/wwwroot/inc/eventz/display.inc index 8b4a883..1793463 100644 --- a/wwwroot/inc/eventz/display.inc +++ b/wwwroot/inc/eventz/display.inc @@ -226,13 +226,13 @@ if (!empty($_POST['template_event'])) { $descendant_count=$node['node_descendant_count']; if (isset($_POST['listing_amount']) && is_numeric($_POST['listing_amount'])) { - $listing_amount=mysql_real_escape_string($_POST['listing_amount']); + $listing_amount=db_escape_string($_POST['listing_amount']); }elseif (!empty($_SESSION['listing_amount'])) $listing_amount=$_SESSION['listing_amount']; else $listing_amount=DEFAULT_LISTING_AMOUNT; $smarty->assign('listing_amount',$listing_amount); if (isset($_POST['listing_order']) && $_POST['listing_order']) { - $listing_order=mysql_real_escape_string($_POST['listing_order']); + $listing_order=db_escape_string($_POST['listing_order']); } elseif (!empty($_SESSION['listing_order'])) $listing_order=$_SESSION['listing_order']; else $listing_order=DEFAULT_LISTING_ORDER; $smarty->assign('listing_order',$listing_order); diff --git a/wwwroot/inc/eventz/k_wallet.inc b/wwwroot/inc/eventz/k_wallet.inc index 939ff79..863215f 100644 --- a/wwwroot/inc/eventz/k_wallet.inc +++ b/wwwroot/inc/eventz/k_wallet.inc @@ -4,7 +4,7 @@ function k_wallet() { global $db,$node,$error; $user_id=$_SESSION['user_id']; -$k_request=mysql_real_escape_string($_POST['k_wallet']); +$k_request=db_escape_string($_POST['k_wallet']); $kset=$db->query("select user_k from users where user_id='$user_id'"); $kset->next(); diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc index 5ebb3ae..8f33e55 100644 --- a/wwwroot/inc/eventz/login.inc +++ b/wwwroot/inc/eventz/login.inc 
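Review bot: `$listing_order=db_escape_string($_POST['listing_order'])` applies string escaping to a value whose name suggests it ends up in an ORDER BY or similar unquoted position, where escaping quotes and backslashes provides no protection; the place it is consumed is outside the hunk, so this is an inference. A value like this should be checked against an allowlist of permitted orderings before use, e.g. `if (!in_array($_POST['listing_order'], array('asc', 'desc'), true)) $listing_order = DEFAULT_LISTING_ORDER;` (allowed values constructed for illustration). The `$listing_amount` branch is already guarded by is_numeric(), so `$listing_amount = intval($_POST['listing_amount']);` states the intent more directly than escaping does.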
@@ -13,7 +13,7 @@ function jabberctl($command, $args) { //XXXTODO Move to some .inc file... function login_check($login, $password, $login_type='id') { global $db,$error,$node_id; - $login = mysql_real_escape_string($login); //Not SQLi in $password but be carefull + $login = db_escape_string($login); //Not SQLi in $password but be carefull $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());' $hash_query='('; diff --git a/wwwroot/inc/eventz/put.inc b/wwwroot/inc/eventz/put.inc index 06ec563..a688f5b 100644 --- a/wwwroot/inc/eventz/put.inc +++ b/wwwroot/inc/eventz/put.inc @@ -2,8 +2,8 @@ function put() { - if (!empty($_POST['nodeshell_id'])) $nodeshell_id = mysql_real_escape_string($_POST['nodeshell_id']); - else $nodeshell_id = mysql_real_escape_string($_POST['nodeshell_id_select']); + if (!empty($_POST['nodeshell_id'])) $nodeshell_id = db_escape_string($_POST['nodeshell_id']); + else $nodeshell_id = db_escape_string($_POST['nodeshell_id_select']); if (is_array($_POST['node_chosen'])) $put_array = $_POST['node_chosen']; else { diff --git a/wwwroot/inc/eventz/register.inc b/wwwroot/inc/eventz/register.inc index 83c0f73..9ea7fe7 100644 --- a/wwwroot/inc/eventz/register.inc +++ b/wwwroot/inc/eventz/register.inc 
@@ -2,13 +2,13 @@ function register() { global $db, $error; - $guild_id = mysql_real_escape_string(strip_tags(trim($_POST['guild_id']))); - $content = mysql_real_escape_string(strip_tags(trim($_POST['reg_content']))); - $email = mysql_real_escape_string(strip_tags(trim($_POST['reg_email']))); - $login = mysql_real_escape_string(strip_tags(trim($_POST['reg_login']))); - $xmpp = mysql_real_escape_string(strtolower(strip_tags(trim($_POST['reg_login'])))); - $pass = mysql_real_escape_string($_POST['reg_pass']); - $pass2 = mysql_real_escape_string($_POST['reg_pass2']); + $guild_id = db_escape_string(strip_tags(trim($_POST['guild_id']))); + $content = db_escape_string(strip_tags(trim($_POST['reg_content']))); + $email = db_escape_string(strip_tags(trim($_POST['reg_email']))); + $login = db_escape_string(strip_tags(trim($_POST['reg_login']))); + $xmpp = db_escape_string(strtolower(strip_tags(trim($_POST['reg_login'])))); + $pass = db_escape_string($_POST['reg_pass']); + $pass2 = db_escape_string($_POST['reg_pass2']); if (empty($login)) { $error = 'please enter your nick name'; diff --git a/wwwroot/inc/eventz/reset_password.inc b/wwwroot/inc/eventz/reset_password.inc index ade11ee..9b0af65 100644 --- a/wwwroot/inc/eventz/reset_password.inc +++ b/wwwroot/inc/eventz/reset_password.inc @@ -1,11 +1,11 @@ query($q); $db->query("update users set user_mail=user_mail+1,". //"user_mail_name='$user_name',". //Not in DB yet! - "user_mail_id='".mysql_real_escape_string($_SESSION['user_id'])."' where user_id='$mail_to_id_send'"); + "user_mail_id='".db_escape_string($_SESSION['user_id'])."' where user_id='$mail_to_id_send'"); } return true; diff --git a/wwwroot/inc/eventz/set_external_link.inc b/wwwroot/inc/eventz/set_external_link.inc index e272c74..eb1a868 100644 --- a/wwwroot/inc/eventz/set_external_link.inc +++ b/wwwroot/inc/eventz/set_external_link.inc 
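Review bot: `$pass = db_escape_string($_POST['reg_pass'])` and `$pass2` escape the raw password before whatever register() does with it further down (outside the hunk); if the password is hashed there, the hash is computed over the escaped form, so a password containing a quote or backslash hashes differently depending on the escaping backend. That was already the case with mysql_real_escape_string(), and on the mysql PDO driver the output is identical, so existing hashes survive this commit — but switching drivers or replacing the quote() hack would silently invalidate those users' logins. Keeping the password unescaped (`$pass = $_POST['reg_pass'];`), hashing that value, and passing it to the query only as a bound parameter removes the coupling.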
@@ -2,8 +2,8 @@ function set_external_link() { global $error,$node,$db; - $new_exlink = mysql_real_escape_string($_POST['external_link']); - $node_id = mysql_real_escape_string($node['node_id']); + $new_exlink = db_escape_string($_POST['external_link']); + $node_id = db_escape_string($node['node_id']); $node_permission=$node['node_permission']; $find = '://'; $validation = strpos($new_exlink, $find); @@ -25,4 +25,4 @@ function set_external_link() { } } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/set_header_template.inc b/wwwroot/inc/eventz/set_header_template.inc index 6743687..f3f5d0b 100644 --- a/wwwroot/inc/eventz/set_header_template.inc +++ b/wwwroot/inc/eventz/set_header_template.inc @@ -2,7 +2,7 @@ // modifikacia ktora dovoli natiahnut iba spravny header template function set_header_template() { global $db,$error; -$header_id=mysql_real_escape_string($_POST['header_id']); +$header_id=db_escape_string($_POST['header_id']); $user_id=$_SESSION['user_id']; if (!$user_id) { @@ -21,4 +21,4 @@ $db->query("update users set header_id='$header_id' where user_id='$user_id'"); $_SESSION['header_id']=$header_id; } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/set_time_lock.inc b/wwwroot/inc/eventz/set_time_lock.inc index 4fc6ffd..b5d0f16 100644 --- a/wwwroot/inc/eventz/set_time_lock.inc +++ b/wwwroot/inc/eventz/set_time_lock.inc 
@@ -2,13 +2,13 @@ function set_time_lock(){ global $db,$error; $user_id = $_SESSION['user_id']; -$nick=mysql_real_escape_string($_SESSION['user_name']); +$nick=db_escape_string($_SESSION['user_name']); $nick=$nick . '[Locked_OUT]'; -$hodina=mysql_real_escape_string($_POST['hodina']); -$minuta=mysql_real_escape_string($_POST['minuta']); -$den=mysql_real_escape_string($_POST['den']); -$mesiac=mysql_real_escape_string($_POST['mesiac']); -$rok=mysql_real_escape_string($_POST['rok']); +$hodina=db_escape_string($_POST['hodina']); +$minuta=db_escape_string($_POST['minuta']); +$den=db_escape_string($_POST['den']); +$mesiac=db_escape_string($_POST['mesiac']); +$rok=db_escape_string($_POST['rok']); $now=date("Y-m-d H:i:s"); $til_lockout="$rok-$mesiac-$den $hodina:$minuta:00"; diff --git a/wwwroot/inc/eventz/unset_time_lock.inc b/wwwroot/inc/eventz/unset_time_lock.inc index 5ba4036..2be4901 100644 --- a/wwwroot/inc/eventz/unset_time_lock.inc +++ b/wwwroot/inc/eventz/unset_time_lock.inc @@ -9,7 +9,7 @@ $kset=$db->query("select login from users where user_id='$user_id'"); $kset->next(); $nick=$kset->getString('login'); $exploded=explode("[Locked_OUT]", $nick); -$nick=mysql_real_escape_string($exploded[0]); +$nick=db_escape_string($exploded[0]); $q="update nodes set node_name='$nick' where node_id=$user_id"; diff --git a/wwwroot/inc/eventz/verify.inc b/wwwroot/inc/eventz/verify.inc index 2ee0187..7eb9008 100644 --- a/wwwroot/inc/eventz/verify.inc +++ b/wwwroot/inc/eventz/verify.inc @@ -2,8 +2,8 @@ function verify(){ global $db; -$uvercode=mysql_real_escape_string($_POST['vc']); -$login=mysql_real_escape_string($_POST['login']); +$uvercode=db_escape_string($_POST['vc']); +$login=db_escape_string($_POST['login']); $kset=$db->query("select user_id,guild_id from users where login='$login'"); $kset->next(); diff --git a/wwwroot/inc/nodes.inc b/wwwroot/inc/nodes.inc index c799850..8553edd 100644 --- a/wwwroot/inc/nodes.inc +++ b/wwwroot/inc/nodes.inc 
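Review bot: The five date components `$hodina`…`$rok` are string-escaped and then concatenated into `$til_lockout="$rok-$mesiac-$den $hodina:$minuta:00"`, so a non-numeric value still yields a malformed timestamp, and if `$til_lockout` is later interpolated into SQL the escaping only covers quote characters. Validating them as integers is both the stricter check and the clearer one: `$hodina = intval($_POST['hodina']);` and likewise for `$minuta`, `$den`, `$mesiac`, `$rok`, optionally followed by `checkdate($mesiac, $den, $rok)` before building the string. The query that consumes `$til_lockout` is outside the hunk.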
@@ -50,7 +50,7 @@ function processContent_hack($node_content) { } $node_content = eregi_Replace("((( )|(\n)|(^))+)(http://|ftp://|https://)([[:alnum:]][^,[:space:]]*)","\\2\\6\\7",$node_content); - //$node_content = mysql_real_escape_string($node_content); once is enough + //$node_content = db_escape_string($node_content); once is enough } return $node_content; diff --git a/wwwroot/inc/result.inc b/wwwroot/inc/result.inc index ce96b19..ab421a6 100644 --- a/wwwroot/inc/result.inc +++ b/wwwroot/inc/result.inc 
@@ -1,5 +1,9 @@ _queryId = $queryId; - $this->_sql = $sql; - if ($this->_queryId != false) { - $this->_numRows = @mysql_num_rows($this->_queryId); - $this->_numFields = @mysql_num_fields($this->_queryId); + public $dbh; + protected function __construct($dbh) { + $this->dbh = $dbh; + + $this->_numRows = @$this->rowCount(); + //$this->_numFields = @mysql_num_fields($this->_queryId); $this->_currentRow = -1; $this->_currentRecord = array(); - } else { - $this->exception("result failed."); } -} - function next() { - if ($this->_currentRow + 1 >= $this->_numRows) { - return false; - } else { - $this->_currentRecord = @mysql_fetch_assoc($this->_queryId); - $this->_currentRow++; - return true; + function next() { //DEPRECATED!!! Use $this->fetch(); instead!!! + if ($this->_currentRow + 1 >= $this->_numRows) { + return false; + } else { + $this->_currentRecord = @$this->fetch(); + $this->_currentRow++; + return true; + } } -} -/* DEPRECATED! -function absolute($row) { - if ($row > 0) { -// positive row number - @mysql_data_seek($this->_queryId, $row-1); - $this->_currentRecord = @mysql_fetch_assoc($this->_queryId); - $this->_currentRow = $row; - } elseif ($row < 0) { - // not implemented yet - } else { - $this->exception("Cannot absolute position to row 0"); + function getRecord() { //DEPRECATED!!! Use $this->fetch(); instead!!! + return $this->_currentRecord; } -} -*/ -function getRecord() { - return $this->_currentRecord; -} - -function getString($column) { - if (is_int($column) == true) { - return (string)$this->_currentRecord[$column-1]; - } else { - return (string)$this->_currentRecord["$column"]; + function getString($column) { //DEPRECATED!!! Use $this->fetch(); instead!!! 
+ if (is_int($column) == true) { + return (string) $this->_currentRecord[$column - 1]; + } else { + return (string) $this->_currentRecord["$column"]; + } } -} -function getInt($column) { - if (is_int($column) == true) { - return (int)$this->_currentRecord[$column-1]; - } else { - return (int)$this->_currentRecord["$column"]; + function getInt($column) { //DEPRECATED!!! Use $this->fetch(); instead!!! + $this->getString(); //Dynamic typing OMG... } -} - -/* DEPRECATED! -function getVariable($column) { - return (int)$this->_currentRecord["$column"]; -} - -function getDouble() { - if (is_int($column) == true) { - return (double)$this->_currentRecord[$column-1]; - } else { - return (double)$this->_currentRecord["$column"]; - } -} - -function getRow() { - if ($this->_currentRow < 0) { - return 0; - } else { - return $this->_currentRow + 1; + function getNumRows() { //DEPRECATED!!! Use $this->rowCount(); instead!!! + return $this->_numRows; } -} -*/ - -function getNumRows() { - return $this->_numRows; -} - -/* DEPRECATED! -function getNumFields() { - return $this->_numFields; -} -*/ - -function exception($errorMsg) { //Internal only! - die("
SQLException: ".$msg."
"); -} } -?> diff --git a/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php b/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php index 7755205..ba6dab7 100644 --- a/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php +++ b/wwwroot/inc/smarty/node_methodz/function.get_id_by_name.php @@ -1,14 +1,14 @@ query($q); - if ($set->getNumRows() > 0) { - $set->next(); - $id=$set->getString('user_id'); - } - else $id = '1'; - $smarty->assign('get_id_by_name',$id); + $name = db_escape_string($params['name']); + global $db; + $q="select user_id from users where login='$name'"; + $set=$db->query($q); + if ($set && $set->getNumRows() > 0) { + $set->next(); + $id=$set->getString('user_id'); + } + else $id = '1'; + $smarty->assign('get_id_by_name',$id); } -?> \ No newline at end of file + diff --git a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php index dc9c011..b392c51 100644 --- a/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php +++ b/wwwroot/inc/smarty/node_methodz/function.get_nodes_by_parent.php @@ -32,7 +32,7 @@ if ($params['time']) $sql_time=" nodes.node_created > '".addslashes($params['tim if ($_POST['search_type']=='content') $sql_type.=" and node_content like '%".addslashes($_POST['node_content'])."%' "; else { - $q2="select user_id from users where login='".mysql_real_escape_string($_POST['node_content'])."'"; + $q2="select user_id from users where login='".db_escape_string($_POST['node_content'])."'"; $userset=$db->query($q2); $userset->next(); $id=$userset->getString('user_id'); diff --git a/wwwroot/inc/smarty/resource.kyberia.php b/wwwroot/inc/smarty/resource.kyberia.php index 1e4a7c1..895bb94 100644 --- a/wwwroot/inc/smarty/resource.kyberia.php +++ b/wwwroot/inc/smarty/resource.kyberia.php 
@@ -15,7 +15,7 @@ function db_get_template ($tpl_name, &$tpl_source, &$smarty_obj) { $params['node_creator'] = UBIK_ID; $params['node_parent'] = 2029360; $params['node_name'] = "addTemplate execute: node $add_template_id"; - $params['node_content'] = mysql_real_escape_string("addTemplate execute: node $add_template_id by user ".$_SESSION['user_name']); + $params['node_content'] = db_escape_string("addTemplate execute: node $add_template_id by user ".$_SESSION['user_name']); nodes::addNode($params); */ /*