Changeset:
        31b95cb1598a
        
https://sourceforge.net/p/mrbs/hg-code/ci/31b95cb1598a6bf7072ed64a760a28d5721ff915
Author:
        John Beranek <jbera...@users.sourceforge.net>
Date:
        Sat Sep 17 12:57:14 2016 +0100
Log message:

Parameterised SQL queries in edit_users.php

diffstat:

 web/config.inc.php |  80 +++++++++++++++++++++++++++++++++++++++++++++++------
 web/edit_users.php |  42 +++++++++++++++++----------
 2 files changed, 97 insertions(+), 25 deletions(-)

diffs (244 lines):

diff -r 2a45140bb5e1 -r 31b95cb1598a web/config.inc.php
--- a/web/config.inc.php        Sat Sep 17 12:35:26 2016 +0100
+++ b/web/config.inc.php        Sat Sep 17 12:57:14 2016 +0100
@@ -34,14 +34,17 @@
 //
 // A list of valid timezones can be found at 
http://php.net/manual/timezones.php
 // The following line must be uncommented by removing the '//' at the beginning
-//$timezone = "Europe/London";
+$timezone = "Europe/London";
 
 
 /*******************
  * Database settings
  ******************/
-// Which database system: "pgsql"=PostgreSQL, "mysqli"=MySQL
+// Which database system: "pgsql"=PostgreSQL, "mysql"=MySQL,
+// "mysqli"=MySQL via the mysqli PHP extension
 $dbsys = "mysqli";
+#$dbsys = "pgsql";
+
 // Hostname of database server. For pgsql, can use "" instead of localhost
 // to use Unix Domain Sockets instead of TCP/IP. For mysql/mysqli "localhost"
 // tells the system to use Unix Domain Sockets, and $db_port will be ignored;
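Review bot: The config.inc.php changes in this hunk and in the second hunk (ending at `ini_set('display_errors', '1');`) look like a local deployment config committed by mistake rather than the change the log message describes: the `$timezone` line is uncommented, `$db_persist = FALSE;` is no longer set, and the second hunk adds one site's LDAP base DN, personal mail addresses and a literal SMTP credential assigned to `$smtp_settings['password']`. That password is now in repository history, so this file should be reverted to its shipped defaults (`//$timezone = "Europe/London";` and `$db_persist = FALSE;` as before) and the credential rotated. The edit_users.php part of the commit is unaffected by this and can stand on its own.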
@@ -63,17 +66,76 @@
 // Prefix for table names.  This will allow multiple installations where only
 // one database is available
 $db_tbl_prefix = "mrbs_";
-// Set $db_persist to TRUE to use PHP persistent (pooled) database 
connections.  Note
-// that persistent connections are not recommended unless your system suffers 
significant
-// performance problems without them.   They can cause problems with 
transactions and
-// locks (see http://php.net/manual/en/features.persistent-connections.php) 
and although
-// MRBS tries to avoid those problems, it is generally better not to use 
persistent
-// connections if you can.
-$db_persist = FALSE;
+// Uncomment this to use PHP persistent (pooled) database connections:
+// $db_persist = true;
 
 
 /* Add lines from systemdefaults.inc.php and areadefaults.inc.php below here
    to change the default configuration. Do _NOT_ modify systemdefaults.inc.php
    or areadefaults.inc.php.  */
 
+$auth['type'] = 'db';
+#$auth['type'] = 'ldap';
+$ldap_host = "localhost";
+$ldap_user_attrib = "cn";
+$ldap_debug = true;
+$ldap_base_dn = 'dc=theberaneks,dc=org,dc=uk';
 
+/* Email settings */
+$mrbs_admin_email = 'j...@redux.org.uk';
+$mail_settings['admin_on_bookings']      = true;
+
+$url_base = "https://home.redux.org.uk/mrbs/";;
+
+$mail_settings['details']   = TRUE; // Set to TRUE if you want full booking 
details;
+                                     // otherwise you just get a link to the 
entry
+$mail_settings['html']      = TRUE; // Set to true if you want HTML mail
+$mail_settings['icalendar'] = TRUE; // Set to TRUE to include iCalendar details
+
+// Set the name of the backend used to transport your mails. Either 'mail',
+// 'smtp' or 'sendmail'. Default is 'mail'.
+#$mail_settings['admin_backend'] = 'mail';
+$mail_settings['admin_backend'] = 'sendmail';
+#$mail_settings['admin_backend'] = 'smtp';
+
+// Set the path of the Sendmail program (only used with "sendmail" backend).
+// Default is '/usr/bin/sendmail'
+$sendmail_settings['path'] = '/usr/sbin/sendmail';
+// Set additional Sendmail parameters (only used with "sendmail" backend).
+// (example "-t -i"). Default is ''
+$sendmail_settings['args'] = '-t -i';
+
+/*******************
+ * SMTP settings
+ */
+  
+// These settings are only used with the "smtp" backend
+$smtp_settings['host'] = 'smtp.gmail.com';  // SMTP server
+$smtp_settings['port'] = 587;           // SMTP port number
+$smtp_settings['auth'] = TRUE;        // Whether to use SMTP authentication
+$smtp_settings['secure'] = 'tls';      // Encryption method: 'tls' or 'ssl'
+$smtp_settings['username'] = 'john.re...@gmail.com';       // Username (if 
using authentication)
+$smtp_settings['password'] = 'LatticeC9';       // Password (if using 
authentication)
+ 
+// Set the email address of the From field. Default is 'admin_em...@your.org'
+//$mail_settings['from'] = 'j...@redux.org.uk';
+$mail_settings['from'] = 'webmas...@redux.org.uk';
+
+// The address to be used for the ORGANIZER in an iCalendar event.   Do not 
make
+// this email address the same as the admin email address or the recipients
+// email address because on some mail systems, eg IBM Domino, the iCalendar 
email
+// notification is silently discarded if the organizer's email address is the 
same
+// as the recipient's.  On other systems you may get a "Meeting not found" 
message.
+$mail_settings['organizer'] = 'webmas...@redux.org.uk';
+
+// Set the recipient email. Default is 'admin_em...@your.org'. You can define
+// more than one recipient like this "j...@doe.com,sc...@tiger.com"
+//$mail_settings['recipients'] = 'jo...@press.net';
+$mail_settings['recipients'] = 'j...@redux.org.uk';
+
+// Set email address of the Carbon Copy field. Default is ''. You can define
+// more than one recipient (see 'recipients')
+$mail_settings['cc'] = '';
+
+error_reporting(-1);
+ini_set('display_errors', '1');
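Review bot: `error_reporting(-1);` and `ini_set('display_errors', '1');` at the end of this hunk turn on on-screen error output for every request that loads config.inc.php, which on a live install shows file paths, SQL text and similar detail to any visitor; a debug toggle like this belongs in a local override, not in the distributed config. The `$url_base` line also carries a doubled `;;`, harmless to PHP but a sign the block was pasted rather than edited. Both should go if the file is restored to its defaults.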
diff -r 2a45140bb5e1 -r 31b95cb1598a web/edit_users.php
--- a/web/edit_users.php        Sat Sep 17 12:35:26 2016 +0100
+++ b/web/edit_users.php        Sat Sep 17 12:57:14 2016 +0100
@@ -277,7 +277,7 @@
   if ($Id >= 0) /* -1 for new users, or >=0 for existing ones */
   {
     // If it's an existing user then get the data from the database
-    $result = sql_query("select * from $tbl_users where id=$Id");
+    $result = sql_query("SELECT * FROM $tbl_users WHERE id=?", array($Id));
     $data = sql_row_keyed($result, 0);
     sql_free($result);
   }
@@ -322,7 +322,7 @@
           // or admin rights are removed!
           if ($Action == "Edit")
           {
-            $n_admins = sql_query1("select count(*) from $tbl_users where 
level=$max_level");
+            $n_admins = sql_query1("SELECT COUNT(*) FROM $tbl_users WHERE 
level=?", array($max_level));
             $editing_last_admin = ($n_admins <= 1) && ($data['level'] == 
$max_level);
           }
           else
@@ -523,7 +523,8 @@
 if (isset($Action) && ($Action == "Update"))
 {
   // If you haven't got the rights to do this, then exit
-  $my_id = sql_query1("SELECT id FROM $tbl_users WHERE 
name='".sql_escape($user)."' LIMIT 1");
+  $my_id = sql_query1("SELECT id FROM $tbl_users WHERE name=? LIMIT 1",
+                      array($user));
   if (($level < $min_user_editing_level) && ($Id != $my_id ))
   {
     Header("Location: edit_users.php");
@@ -623,17 +624,22 @@
             $valid_data = FALSE;
             $q_string .= "&name_empty=1";
           }
+
+          $sql_params = array();
+
           // Check that the name is unique.
           // If it's a new user, then to check to see if there are any rows 
with that name.
           // If it's an update, then check to see if there are any rows with 
that name, except
           // for that user.
-          $query = "SELECT id FROM $tbl_users WHERE name='" . 
sql_escape($value) . "'";
+          $query = "SELECT id FROM $tbl_users WHERE name=?";
+          $sql_params[] = $value;
           if ($Id >= 0)
           {
-            $query .= " AND id!='$Id'";
+            $query .= " AND id != ?";
+            $sql_params[] = $Id;
           }
           $query .= " LIMIT 1";  // we only want to know if there is at least 
one instance of the name
-          $result = sql_query($query);
+          $result = sql_query($query, $params);
           if (sql_count($result) > 0)
           {
             $valid_data = FALSE;
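Review bot: `$result = sql_query($query, $params);` passes `$params`, but the array built just above it is `$sql_params`, so the name-uniqueness check runs with an undefined variable (null) against a query that now has one or two `?` placeholders; depending on the driver the statement either fails or the check silently stops enforcing uniqueness. The line should read `$result = sql_query($query, $sql_params);`. The enclosing validation loop starts and ends outside this hunk.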
@@ -683,7 +689,8 @@
     
     // If we got here, then we've passed validation and we need to
     // enter the data into the database
-    
+
+    $sql_params = array();
     $sql_fields = array();
   
     // For each db column get the value ready for the database
@@ -708,11 +715,11 @@
               // Try and set it to NULL when we can because there will be 
cases when we
               // want to distinguish between NULL and 0 - especially when the 
field
               // is a genuine integer.
-              $value = ($field['is_nullable']) ? 'NULL' : 0;
+              $value = ($field['is_nullable']) ? null : 0;
             }
             break;
           default:
-            $value = "'" . sql_escape($value) . "'";
+            // No special handling
             break;
         }
        
@@ -733,9 +740,11 @@
   
       foreach ($sql_fields as $fieldname => $value)
       {
-        array_push($assign_array, sql_quote($fieldname) . "=$value");
+        array_push($assign_array, sql_quote($fieldname) . "=?");
+        $sql_params[] = $value;
       }
-      $operation .= implode(",", $assign_array) . " WHERE id=$Id;";
+      $operation .= implode(",", $assign_array) . " WHERE id=?";
+      $sql_params[] = $Id;
     }
     else
     {
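Review bot: The UPDATE branch now relies on `$sql_params` receiving values in exactly the order the `?` markers are emitted — one per `$sql_fields` entry, then `$Id` — and nothing in the code states that invariant; a comment such as `// parameter order must mirror placeholder order: field values first, then id` above the foreach would keep it visible for the next edit. The same pairing applies to the INSERT branch in the following hunk, where `'?'` is pushed onto `$values_list` alongside `$sql_params[] = $value;`. The enclosing if/else starts before this hunk and ends after it.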
@@ -747,19 +756,20 @@
       foreach ($sql_fields as $fieldname => $value)
       {
         array_push($fields_list,$fieldname);
-        array_push($values_list,$value);
+        array_push($values_list,'?');
+        $sql_params[] = $value;
       }
 
       $fields_list = array_map(__NAMESPACE__ . "\\sql_quote", $fields_list);
       $operation = "INSERT INTO $tbl_users " .
         "(". implode(",", $fields_list) . ")" .
-        " VALUES " . "(" . implode(",", $values_list) . ");";
+        " VALUES " . "(" . implode(",", $values_list) . ")";
     }
   
     /* DEBUG lines - check the actual sql statement going into the db */
     //echo "Final SQL string: <code>" . htmlspecialchars($operation) . 
"</code>";
     //exit;
-    $r = sql_command($operation);
+    $r = sql_command($operation, $sql_params);
     if ($r == -1)
     {
       // Get the error message before the print_header() call because the 
print_header()
@@ -792,7 +802,7 @@
 
 if (isset($Action) && ($Action == "Delete"))
 {
-  $target_level = sql_query1("SELECT level FROM $tbl_users WHERE id=$Id LIMIT 
1");
+  $target_level = sql_query1("SELECT level FROM $tbl_users WHERE id=? LIMIT 
1", array($Id));
   if ($target_level < 0)
   {
     fatal_error(TRUE, "Fatal error while deleting a user");
@@ -805,7 +815,7 @@
     exit();
   }
 
-  $r = sql_command("delete from $tbl_users where id=$Id;");
+  $r = sql_command("DELETE FROM $tbl_users WHERE id=?", array($Id));
   if ($r == -1)
   {
     print_header(0, 0, 0, "", "");
