Changeset:
        7d80e093122f
        
https://sourceforge.net/p/mrbs/hg-code/ci/7d80e093122f9e0e1eff70440975ac2da440ac6c
Author:
        John Beranek <jbera...@users.sourceforge.net>
Date:
        Sat Sep 17 13:29:27 2016 +0100
Log message:

Finished parameterisation of mrbs_sql.inc

diffstat:

 web/mrbs_sql.inc |  172 ++++++++++++++++++++++++++++++------------------------
 1 files changed, 94 insertions(+), 78 deletions(-)

diffs (truncated from 474 to 300 lines):

diff -r 6e0aa8dfd402 -r 7d80e093122f web/mrbs_sql.inc
--- a/web/mrbs_sql.inc  Sat Sep 17 13:29:14 2016 +0100
+++ b/web/mrbs_sql.inc  Sat Sep 17 13:29:27 2016 +0100
@@ -28,25 +28,33 @@
   
   get_area_settings(get_area($room_id));
 
+  $sql_params = array();
+
   // Select any meetings which overlap for this room:
   $sql = "SELECT E.id, name, start_time, create_by, status, room_name
             FROM $tbl_entry E, $tbl_room R
            WHERE E.room_id=R.id
-             AND start_time < ${booking['end_time']}
-             AND end_time > ${booking['start_time']}
-             AND E.room_id = $room_id";
+             AND start_time < ?
+             AND end_time > ?
+             AND E.room_id = ?";
+
+  $sql_params = array($booking['end_time'],
+                      $booking['start_time'],
+                      $room_id);
 
   if ($ignore > 0)
   {
-    $sql .= " AND E.id <> $ignore";
+    $sql .= " AND E.id <> ?";
+    $sql_params[] = $ignore;
   }
   if ($repignore > 0)
   {
-    $sql .= " AND (repeat_id IS NULL OR repeat_id <> $repignore)";
+    $sql .= " AND (repeat_id IS NULL OR repeat_id <> ?)";
+    $sql_params[] = $repignore;
   }
   $sql .= " ORDER BY start_time";
 
-  $res = sql_query($sql);
+  $res = sql_query($sql, $sql_params);
   if (! $res)
   {
     // probably because the table hasn't been created properly
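Review bot: The `$sql_params = array();` added just above the SELECT is dead code, because the `$sql_params = array($booking['end_time'], ...)` assignment a few lines later replaces it wholesale. Either drop the first line, or keep it and append each value with `$sql_params[] = ...` as the `$ignore` and `$repignore` branches below already do, so the block reads as one consistent build-up of the parameter list. The enclosing function starts before this hunk.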
@@ -440,10 +448,10 @@
   
   $sql = "SELECT *
             FROM $tbl_entry
-           WHERE id=$id
+           WHERE id=?
            LIMIT 1";
    
-  $res = sql_query($sql);
+  $res = sql_query($sql, array($id));
   
   if ($res === FALSE)
   {
@@ -468,12 +476,12 @@
   $sql = "SELECT E.*
             FROM $tbl_entry E, $tbl_room R
            WHERE E.room_id = R.id
-             AND R.area_id = $area_id
+             AND R.area_id = ?
              AND R.disabled = 0
-             AND start_time <= $interval_end AND end_time > $interval_start
+             AND start_time <= ? AND end_time > ?
         ORDER BY start_time";   // necessary so that multiple bookings appear 
in the right order
 
-  $res = sql_query($sql);
+  $res = sql_query($sql, array($area_id, $interval_end, $interval_start));
   if ($res === FALSE)
   {
     trigger_error(sql_error(), E_USER_WARNING);
@@ -496,10 +504,10 @@
   
   $sql = "SELECT *
             FROM $tbl_entry
-           WHERE room_id = $room_id
-             AND start_time <= $interval_end AND end_time > $interval_start
+           WHERE room_id = ?
+             AND start_time <= ? AND end_time > ?
         ORDER BY start_time";   // necessary so that multiple bookings appear 
in the right order
-    $res = sql_query($sql);
+    $res = sql_query($sql, array($room_id, $interval_end,  $interval_start));
     
   if ($res === FALSE)
   {
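Review bot: The new `sql_query($sql, array($room_id, $interval_end,  $interval_start));` line has a doubled space before `$interval_start` and sits at four-space indentation while the surrounding statements use two; the matching call in the previous hunk is spaced `array($area_id, $interval_end, $interval_start)`. Suggest `$res = sql_query($sql, array($room_id, $interval_end, $interval_start));` at the same indent as the `$sql = ...` above it. The enclosing function starts before this hunk.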
@@ -534,7 +542,7 @@
   $start_times = array();
 
   // Get the repeat_id and room_id for this entry
-  $res = sql_query("SELECT repeat_id, room_id FROM $tbl_entry WHERE id=$id 
LIMIT 1");
+  $res = sql_query("SELECT repeat_id, room_id FROM $tbl_entry WHERE id=? LIMIT 
1", array($id));
   if (($res === FALSE) || (sql_count($res) <= 0))
   {
     return FALSE;
@@ -544,17 +552,21 @@
   $room_id = $row['room_id'];
 
   $sql = "SELECT start_time, end_time, room_id, create_by, id, entry_type FROM 
$tbl_entry WHERE ";
-   
+
+  $sql_params = array();
+  
   if ($series)
   {
-    $sql .= "repeat_id=$repeat_id";
+    $sql .= "repeat_id=";
+    $sql_params[] = $repeat_id;
   }
   else
   {
-    $sql .= "id=$id";
+    $sql .= "id=?";
+    $sql_params[] = $id;
   }
 
-  $res = sql_query($sql);
+  $res = sql_query($sql, $sql_params);
 
   for ($i = 0; ($row = sql_row_keyed($res, $i)); $i++)
   {
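Review bot: The series branch drops the placeholder: `$sql .= "repeat_id=";` replaces `repeat_id=$repeat_id` with nothing to bind to, so the statement is sent as `... WHERE repeat_id=` with one parameter and zero `?` markers; the `else` branch directly below (`id=?`) shows the intended form. Change the line to `$sql .= "repeat_id=?";`. Because the `sql_query` result is not checked before the `for` loop calls `sql_row_keyed`, a failed query would make every series deletion silently remove nothing rather than error out. The enclosing function starts before this hunk.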
@@ -575,7 +587,7 @@
       continue;
     }
    
-    if (sql_command("DELETE FROM $tbl_entry WHERE id=" . $row['id']) > 0)
+    if (sql_command("DELETE FROM $tbl_entry WHERE id=?", array($row['id'])) > 
0)
     {
       $start_times[] = $row['start_time'];
     }
@@ -583,9 +595,9 @@
 
   // Get rid of any orphaned rows in the repeat table
   if (!empty($repeat_id) &&
-      sql_query1("SELECT COUNT(*) FROM $tbl_entry WHERE repeat_id=$repeat_id") 
== 0)
+      sql_query1("SELECT COUNT(*) FROM $tbl_entry WHERE 
repeat_id=?",array($repeat_id)) == 0)
   {
-    sql_command("DELETE FROM $tbl_repeat WHERE id=$repeat_id");
+    sql_command("DELETE FROM $tbl_repeat WHERE id=?",array($repeat_id));
   }
 
   asort($start_times);
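Review bot: The two new calls in this hunk, `sql_query1("...",array($repeat_id))` and `sql_command("...",array($repeat_id))`, omit the space after the comma that every other parameterised call in this commit uses (`sql_query($sql, array($id))`); the same applies to `sql_query_array($sql,array($id))` and `array($now,$id)` in the later hunks of this file. Suggest `sql_command("DELETE FROM $tbl_repeat WHERE id=?", array($repeat_id));` and the equivalent for the COUNT query. Purely a style point; the queries themselves are correct. The enclosing function starts before this hunk.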
@@ -1070,10 +1082,10 @@
   
   $sql = "SELECT repeat_id
             FROM $tbl_entry
-           WHERE id=$entry_id
+           WHERE id=?
            LIMIT 1";
            
-  $res = sql_query($sql);
+  $res = sql_query($sql, array($entry_id));
   
   if ($res === FALSE)
   {
@@ -1110,32 +1122,32 @@
     $sql = "UPDATE $tbl_repeat
                SET reminded=$now,
                    ical_sequence=ical_sequence+1
-             WHERE id=$id";
-    if (sql_command($sql) >= 0)
+             WHERE id=?";
+    if (sql_command($sql, array($id)) >= 0)
     {
       $sql = "UPDATE $tbl_entry
-                 SET reminded=$now,
+                 SET reminded=?,
                      ical_sequence=ical_sequence+1
-               WHERE repeat_id=$id";
-      return sql_command($sql);
+               WHERE repeat_id=?";
+      return sql_command($sql, array($now, $id));
     }
   }
   else
   {
     $sql = "UPDATE $tbl_entry
-               SET reminded=$now,
+               SET reminded=?,
                    ical_sequence=ical_sequence+1
-             WHERE id=$id";
-    if (sql_command($sql) > 0)
+             WHERE id=?";
+    if (sql_command($sql, array($now,$id)) > 0)
     {
       $repeat_id = get_repeat_id($id);
       if (isset($repeat_id))
       {
         $sql = "UPDATE $tbl_repeat
-                   SET reminded=$now,
+                   SET reminded=?,
                        ical_sequence=ical_sequence+1
-                 WHERE id=$repeat_id";
-        return sql_command($sql);
+                 WHERE id=?";
+        return sql_command($sql, array($now,$id));
       }
     }
   }
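Review bot: The last UPDATE in the hunk binds the wrong id: `WHERE id=$repeat_id` on `$tbl_repeat` became `WHERE id=?`, but the parameter array is `array($now,$id)`, so the reminder timestamp is written to the repeat row whose id happens to equal the entry id, or to no row at all, instead of to `$repeat_id` fetched by `get_repeat_id($id)` two lines earlier. It should read `return sql_command($sql, array($now, $repeat_id));`. Separately, the first UPDATE at the top of the hunk still interpolates `SET reminded=$now,` and binds only `array($id)`, while its sibling statements bind `$now` too; `$now` appears to be a time() value so this is not an injection path, but `SET reminded=?,` with `array($now, $id)` would keep the four statements consistent. The enclosing function starts before this hunk and continues after it.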
@@ -1157,12 +1169,18 @@
   
   $table = ($series) ? $tbl_repeat : $tbl_entry;
   $now = time();
+
+  $sql_params = array();
   $sql = "UPDATE $table SET";
-  $sql .= " info_time=$now";
-  $sql .= ", info_user='" . sql_escape($user) . "'";
-  $sql .= ", info_text='" . sql_escape($note) . "'";
-  $sql .= " WHERE id=$id";
-  return sql_command($sql);
+  $sql .= " info_time=?";
+  $sql_params[] = $now;
+  $sql .= ", info_user=?";
+  $sql_params[] = $user;
+  $sql .= ", info_text=?";
+  $sql_params[] = $note;
+  $sql .= " WHERE id=?";
+  $sql_params[] = $id;
+  return sql_command($sql, $sql_params);
 }
 
 // mrbsApproveEntry($id, $series)
@@ -1186,8 +1204,8 @@
     $sql = "UPDATE $tbl_repeat 
                SET status=status&(~" . STATUS_AWAITING_APPROVAL . "),
                    ical_sequence=ical_sequence+1
-             WHERE id=$id";  // PostgreSQL does not support LIMIT with UPDATE
-    if (sql_command($sql) < 0)
+             WHERE id=?";  // PostgreSQL does not support LIMIT with UPDATE
+    if (sql_command($sql, array($id)) < 0)
     {
       trigger_error(sql_error(), E_USER_WARNING);
       fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -1200,11 +1218,11 @@
   }
   // Then update the entry table.  First of all we get a list of the
   // start times that will be approved, then we do the approval.
-  $condition = "$id_column=$id AND status&" . STATUS_AWAITING_APPROVAL . "!=0";
+  $condition = "$id_column=? AND status&" . STATUS_AWAITING_APPROVAL . "!=0";
   $sql = "SELECT start_time
             FROM $tbl_entry
            WHERE $condition";
-  $start_times = sql_query_array($sql);
+  $start_times = sql_query_array($sql,array($id));
 
   if (($start_times !== FALSE) && (count($start_times) != 0))
   {
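Review bot: `$condition` now contains a `?` placeholder, and the comment above says the SELECT is only the first step and "then we do the approval"; if `$condition` is reused in the approval UPDATE below this hunk (not visible here), that statement also needs `array($id)` passed to `sql_command`, or it will run with an unbound marker. Worth confirming that every later use of `$condition` in this function carries the parameter. The `$id_column` interpolated into the string is a column name, which cannot be bound, so leaving it interpolated is correct provided it is chosen from fixed values rather than request input. The enclosing function starts before this hunk.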
@@ -1325,9 +1343,9 @@
             FROM $table T, $tbl_room M, $tbl_area A
            WHERE T.room_id = M.id
              AND M.area_id = A.id
-             AND T.id=$id";
+             AND T.id=?";
 
-  $res = sql_query($sql);
+  $res = sql_query($sql, array($id));
   if (! $res)
   {
     trigger_error(sql_error(), E_USER_WARNING);
@@ -1386,7 +1404,7 @@
     {
       $res = sql_query("SELECT rep_type, end_date, rep_opt, rep_num_weeks, 
month_absolute, month_relative,
                         info_time AS repeat_info_time, info_user AS 
repeat_info_user, info_text AS repeat_info_text
-                        FROM $tbl_repeat WHERE id=${row['repeat_id']} LIMIT 
1");
+                        FROM $tbl_repeat WHERE id=? LIMIT 1", 
array($row['repeat_id']));
       if (!$res || (!$extra_row = sql_row_keyed($res, 0)))
       {
         if (!$res)
@@ -1431,14 +1449,14 @@
   
   $sql = "SELECT area_name
             FROM $tbl_area
-           WHERE id=$id";
+           WHERE id=?";
   if (empty($all))
   {
     $sql .= " AND disabled=0";
   }
   $sql .= " LIMIT 1";
   
-  $res = sql_query($sql);
+  $res = sql_query($sql, array($id));
   
   if ($res === FALSE)
   {
@@ -1498,10 +1516,10 @@
   
   $sql = "SELECT *
             FROM $tbl_area
-           WHERE id=$area_id
+           WHERE id=?
            LIMIT 1";
   
-  $res = sql_query($sql);
+  $res = sql_query($sql, array($area_id));
   
   if ($res === FALSE)
   {
@@ -1532,7 +1550,7 @@
