Changeset:
31b95cb1598a
https://sourceforge.net/p/mrbs/hg-code/ci/31b95cb1598a6bf7072ed64a760a28d5721ff915
Author:
John Beranek <[email protected]>
Date:
Sat Sep 17 12:57:14 2016 +0100
Log message:
Parameterised SQL queries in edit_users.php
diffstat:
web/config.inc.php | 80 +++++++++++++++++++++++++++++++++++++++++++++++------
web/edit_users.php | 42 +++++++++++++++++----------
2 files changed, 97 insertions(+), 25 deletions(-)
diffs (244 lines):
diff -r 2a45140bb5e1 -r 31b95cb1598a web/config.inc.php
--- a/web/config.inc.php Sat Sep 17 12:35:26 2016 +0100
+++ b/web/config.inc.php Sat Sep 17 12:57:14 2016 +0100
@@ -34,14 +34,17 @@
//
// A list of valid timezones can be found at
http://php.net/manual/timezones.php
// The following line must be uncommented by removing the '//' at the beginning
-//$timezone = "Europe/London";
+$timezone = "Europe/London";
/*******************
* Database settings
******************/
-// Which database system: "pgsql"=PostgreSQL, "mysqli"=MySQL
+// Which database system: "pgsql"=PostgreSQL, "mysql"=MySQL,
+// "mysqli"=MySQL via the mysqli PHP extension
$dbsys = "mysqli";
+#$dbsys = "pgsql";
+
// Hostname of database server. For pgsql, can use "" instead of localhost
// to use Unix Domain Sockets instead of TCP/IP. For mysql/mysqli "localhost"
// tells the system to use Unix Domain Sockets, and $db_port will be ignored;
@@ -63,17 +66,76 @@
// Prefix for table names. This will allow multiple installations where only
// one database is available
$db_tbl_prefix = "mrbs_";
-// Set $db_persist to TRUE to use PHP persistent (pooled) database
connections. Note
-// that persistent connections are not recommended unless your system suffers
significant
-// performance problems without them. They can cause problems with
transactions and
-// locks (see http://php.net/manual/en/features.persistent-connections.php)
and although
-// MRBS tries to avoid those problems, it is generally better not to use
persistent
-// connections if you can.
-$db_persist = FALSE;
+// Uncomment this to use PHP persistent (pooled) database connections:
+// $db_persist = true;
/* Add lines from systemdefaults.inc.php and areadefaults.inc.php below here
to change the default configuration. Do _NOT_ modify systemdefaults.inc.php
or areadefaults.inc.php. */
+$auth['type'] = 'db';
+#$auth['type'] = 'ldap';
+$ldap_host = "localhost";
+$ldap_user_attrib = "cn";
+$ldap_debug = true;
+$ldap_base_dn = 'dc=theberaneks,dc=org,dc=uk';
+/* Email settings */
+$mrbs_admin_email = '[email protected]';
+$mail_settings['admin_on_bookings'] = true;
+
+$url_base = "https://home.redux.org.uk/mrbs/";
+
+$mail_settings['details'] = TRUE; // Set to TRUE if you want full booking
details;
+ // otherwise you just get a link to the
entry
+$mail_settings['html'] = TRUE; // Set to true if you want HTML mail
+$mail_settings['icalendar'] = TRUE; // Set to TRUE to include iCalendar details
+
+// Set the name of the backend used to transport your mails. Either 'mail',
+// 'smtp' or 'sendmail'. Default is 'mail'.
+#$mail_settings['admin_backend'] = 'mail';
+$mail_settings['admin_backend'] = 'sendmail';
+#$mail_settings['admin_backend'] = 'smtp';
+
+// Set the path of the Sendmail program (only used with "sendmail" backend).
+// Default is '/usr/bin/sendmail'
+$sendmail_settings['path'] = '/usr/sbin/sendmail';
+// Set additional Sendmail parameters (only used with "sendmail" backend).
+// (example "-t -i"). Default is ''
+$sendmail_settings['args'] = '-t -i';
+
+/*******************
+ * SMTP settings
+ */
+
+// These settings are only used with the "smtp" backend
+$smtp_settings['host'] = 'smtp.gmail.com'; // SMTP server
+$smtp_settings['port'] = 587; // SMTP port number
+$smtp_settings['auth'] = TRUE; // Whether to use SMTP authentication
+$smtp_settings['secure'] = 'tls'; // Encryption method: 'tls' or 'ssl'
+$smtp_settings['username'] = '[email protected]'; // Username (if
using authentication)
+$smtp_settings['password'] = 'LatticeC9'; // Password (if using
authentication)
+
+// Set the email address of the From field. Default is '[email protected]'
+//$mail_settings['from'] = '[email protected]';
+$mail_settings['from'] = '[email protected]';
+
+// The address to be used for the ORGANIZER in an iCalendar event. Do not
make
+// this email address the same as the admin email address or the recipients
+// email address because on some mail systems, eg IBM Domino, the iCalendar
email
+// notification is silently discarded if the organizer's email address is the
same
+// as the recipient's. On other systems you may get a "Meeting not found"
message.
+$mail_settings['organizer'] = '[email protected]';
+
+// Set the recipient email. Default is '[email protected]'. You can define
+// more than one recipient like this "[email protected],[email protected]"
+//$mail_settings['recipients'] = '[email protected]';
+$mail_settings['recipients'] = '[email protected]';
+
+// Set email address of the Carbon Copy field. Default is ''. You can define
+// more than one recipient (see 'recipients')
+$mail_settings['cc'] = '';
+
+error_reporting(-1);
+ini_set('display_errors', '1');
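Review bot: The added line `$smtp_settings['password'] = 'LatticeC9';` commits a live SMTP credential (alongside a personal LDAP base DN, admin addresses and `$url_base`) into the tracked default config, and nothing in the log message "Parameterised SQL queries in edit_users.php" accounts for these config changes, so this looks like a local deployment file committed by mistake. Once pushed to a public repository the password has to be treated as compromised and rotated; the hunk itself should be reverted rather than amended. The trailing `error_reporting(-1); ini_set('display_errors', '1');` and `$ldap_debug = true;` also do not belong in a shipped config, since displayed errors expose paths and SQL text to any visitor. Keeping the original comment-only `// $db_persist = true;` pattern for site-specific values would avoid this class of leak.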
diff -r 2a45140bb5e1 -r 31b95cb1598a web/edit_users.php
--- a/web/edit_users.php Sat Sep 17 12:35:26 2016 +0100
+++ b/web/edit_users.php Sat Sep 17 12:57:14 2016 +0100
@@ -277,7 +277,7 @@
if ($Id >= 0) /* -1 for new users, or >=0 for existing ones */
{
// If it's an existing user then get the data from the database
- $result = sql_query("select * from $tbl_users where id=$Id");
+ $result = sql_query("SELECT * FROM $tbl_users WHERE id=?", array($Id));
$data = sql_row_keyed($result, 0);
sql_free($result);
}
@@ -322,7 +322,7 @@
// or admin rights are removed!
if ($Action == "Edit")
{
- $n_admins = sql_query1("select count(*) from $tbl_users where
level=$max_level");
+ $n_admins = sql_query1("SELECT COUNT(*) FROM $tbl_users WHERE
level=?", array($max_level));
$editing_last_admin = ($n_admins <= 1) && ($data['level'] ==
$max_level);
}
else
@@ -523,7 +523,8 @@
if (isset($Action) && ($Action == "Update"))
{
// If you haven't got the rights to do this, then exit
- $my_id = sql_query1("SELECT id FROM $tbl_users WHERE
name='".sql_escape($user)."' LIMIT 1");
+ $my_id = sql_query1("SELECT id FROM $tbl_users WHERE name=? LIMIT 1",
+ array($user));
if (($level < $min_user_editing_level) && ($Id != $my_id ))
{
Header("Location: edit_users.php");
@@ -623,17 +624,22 @@
$valid_data = FALSE;
$q_string .= "&name_empty=1";
}
+
+ $sql_params = array();
+
// Check that the name is unique.
// If it's a new user, then to check to see if there are any rows
with that name.
// If it's an update, then check to see if there are any rows with
that name, except
// for that user.
- $query = "SELECT id FROM $tbl_users WHERE name='" .
sql_escape($value) . "'";
+ $query = "SELECT id FROM $tbl_users WHERE name=?";
+ $sql_params[] = $value;
if ($Id >= 0)
{
- $query .= " AND id!='$Id'";
+ $query .= " AND id != ?";
+ $sql_params[] = $Id;
}
$query .= " LIMIT 1"; // we only want to know if there is at least
one instance of the name
- $result = sql_query($query);
+ $result = sql_query($query, $params);
if (sql_count($result) > 0)
{
$valid_data = FALSE;
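Review bot: `$result = sql_query($query, $params);` passes `$params`, which is never assigned in this hunk, while the bindings collected just above go into `$sql_params`; the name-uniqueness query therefore runs with its `?` placeholders unbound, so it will presumably fail or return no rows and a duplicate name may pass validation (exact outcome depends on sql_query's handling of a missing parameter array). The line should read `$result = sql_query($query, $sql_params);`. The enclosing validation block starts before this hunk and continues after it.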
@@ -683,7 +689,8 @@
// If we got here, then we've passed validation and we need to
// enter the data into the database
-
+
+ $sql_params = array();
$sql_fields = array();
// For each db column get the value ready for the database
@@ -708,11 +715,11 @@
// Try and set it to NULL when we can because there will be
cases when we
// want to distinguish between NULL and 0 - especially when the
field
// is a genuine integer.
- $value = ($field['is_nullable']) ? 'NULL' : 0;
+ $value = ($field['is_nullable']) ? null : 0;
}
break;
default:
- $value = "'" . sql_escape($value) . "'";
+ // No special handling
break;
}
@@ -733,9 +740,11 @@
foreach ($sql_fields as $fieldname => $value)
{
- array_push($assign_array, sql_quote($fieldname) . "=$value");
+ array_push($assign_array, sql_quote($fieldname) . "=?");
+ $sql_params[] = $value;
}
- $operation .= implode(",", $assign_array) . " WHERE id=$Id;";
+ $operation .= implode(",", $assign_array) . " WHERE id=?";
+ $sql_params[] = $Id;
}
else
{
@@ -747,19 +756,20 @@
foreach ($sql_fields as $fieldname => $value)
{
array_push($fields_list,$fieldname);
- array_push($values_list,$value);
+ array_push($values_list,'?');
+ $sql_params[] = $value;
}
$fields_list = array_map(__NAMESPACE__ . "\\sql_quote", $fields_list);
$operation = "INSERT INTO $tbl_users " .
"(". implode(",", $fields_list) . ")" .
- " VALUES " . "(" . implode(",", $values_list) . ");";
+ " VALUES " . "(" . implode(",", $values_list) . ")";
}
/* DEBUG lines - check the actual sql statement going into the db */
//echo "Final SQL string: <code>" . htmlspecialchars($operation) .
"</code>";
//exit;
- $r = sql_command($operation);
+ $r = sql_command($operation, $sql_params);
if ($r == -1)
{
// Get the error message before the print_header() call because the
print_header()
@@ -792,7 +802,7 @@
if (isset($Action) && ($Action == "Delete"))
{
- $target_level = sql_query1("SELECT level FROM $tbl_users WHERE id=$Id LIMIT
1");
+ $target_level = sql_query1("SELECT level FROM $tbl_users WHERE id=? LIMIT
1", array($Id));
if ($target_level < 0)
{
fatal_error(TRUE, "Fatal error while deleting a user");
@@ -805,7 +815,7 @@
exit();
}
- $r = sql_command("delete from $tbl_users where id=$Id;");
+ $r = sql_command("DELETE FROM $tbl_users WHERE id=?", array($Id));
if ($r == -1)
{
print_header(0, 0, 0, "", "");