Changeset: b3661954f347 https://sourceforge.net/p/mrbs/hg-code/ci/b3661954f347c2dc5534704fd67a6f1ac2d1c83c Author: John Beranek <jbera...@users.sourceforge.net> Date: Sat Sep 17 17:15:07 2016 +0100 Log message:
Removed all remaining references to sql_escape() diffstat: web/dbsys.inc | 22 ---------------------- web/functions_ical.inc | 30 +++++++++++++++--------------- web/import.php | 18 +++++++++--------- web/mysqli.inc | 9 --------- web/pgsql.inc | 9 --------- web/report.php | 24 ++++++++++++++++-------- web/upgrade/15/post.inc | 10 +++------- web/upgrade/21/post.inc | 10 +++------- web/upgrade/34/post.inc | 6 +++--- 9 files changed, 49 insertions(+), 89 deletions(-) diffs (truncated from 336 to 300 lines):
diff -r 3d4daa0a0f89 -r b3661954f347 web/dbsys.inc
--- a/web/dbsys.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/dbsys.inc Sat Sep 17 17:15:07 2016 +0100
@@ -72,28 +72,6 @@
 }
-// Escapes special characters in a string for use in an SQL statement
-function sql_escape($str)
-{
- if (func_num_args() > 1)
- {
- $handle = func_get_arg(1);
- $db_sys = $handle['system'];
- $db_conn = $handle['connection'];
- }
- else
- {
- global $dbsys;
-
- $db_sys = $dbsys;
- $db_conn = null;
- }
-
- $f = __NAMESPACE__ . "\\sql_${db_sys}_escape";
- return $f($str, $db_conn);
-}
-
-
 // Quote a table or column name
 // NOTE: In PostgreSQL the identifier is also converted to lower case. See
 // the comments in pgsql.inc for an explanation.
diff -r 3d4daa0a0f89 -r b3661954f347 web/functions_ical.inc
--- a/web/functions_ical.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/functions_ical.inc Sat Sep 17 17:15:07 2016 +0100
@@ -112,10 +112,10 @@
 // Look and see if there's a component in the database
 $sql = "SELECT vtimezone, last_updated
 FROM $tbl_zoneinfo
- WHERE timezone='" . sql_escape($tz) . "'
- AND outlook_compatible=$zoneinfo_outlook_compatible
+ WHERE timezone=?
+ AND outlook_compatible=?
 LIMIT 1";
- $res = sql_query($sql);
+ $res = sql_query($sql, array($tz,$zoneinfo_outlook_compatible));
 if ($res === FALSE)
 {
 trigger_error(sql_error(), E_USER_WARNING);
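Review bot: The new line `$res = sql_query($sql, array($tz,$zoneinfo_outlook_compatible));` at @@ -112 drops the space after the comma that every other new `array(...)` argument list in this commit uses; `array($tz, $zoneinfo_outlook_compatible)` keeps the style consistent. Separately, the removed code interpolated `$zoneinfo_outlook_compatible` straight into the statement and it is not visible here whether that value is already normalised to 0/1 or may still be a PHP boolean; if it can be a boolean, a `false` bound through sql_query may be sent as an empty string depending on how the wrapper types its parameters, so `(int) $zoneinfo_outlook_compatible` would make the bound value explicit. The function enclosing this hunk appears to start before it and continue after it.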
@@ -174,11 +174,11 @@
 // we couldn't get a new VTIMEZONE is that the site doesn't have external internet
 // access, so there's no point in retrying for a while).
 $sql = "UPDATE $tbl_zoneinfo
- SET vtimezone='" . sql_escape($vtimezone) . "',
- last_updated=" . time() . "
- WHERE timezone='" . sql_escape($tz) . "'
- AND outlook_compatible=$zoneinfo_outlook_compatible";
- if (sql_command($sql) < 0)
+ SET vtimezone=?,
+ last_updated=?
+ WHERE timezone=?
+ AND outlook_compatible=?";
+ if (sql_command($sql, array($vtimezone, time(), $tz, $zoneinfo_outlook_compatible)) < 0)
 {
 trigger_error(sql_error(), E_USER_WARNING);
 fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -199,11 +199,11 @@
 {
 $sql = "INSERT INTO $tbl_zoneinfo
 (timezone, outlook_compatible, vtimezone, last_updated)
- VALUES ('" . sql_escape($tz) . "',
- $zoneinfo_outlook_compatible,
- '" . sql_escape($vtimezone) . "', " .
- time() . ")";
- if (sql_command($sql) < 0)
+ VALUES (?,
+ ?,
+ ?,
+ ?)";
+ if (sql_command($sql, array($tz, $zoneinfo_outlook_compatible, $vtimezone, time())) < 0)
 {
 trigger_error(sql_error(), E_USER_WARNING);
 fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -311,8 +311,8 @@
 // If we're using the 'db' auth rtpe, then look the username up in the users table
 if ($auth['type'] == 'db')
 {
- $sql = "SELECT name FROM $tbl_users WHERE email='" . sql_escape($email) . "'";
- $res = sql_query($sql);
+ $sql = "SELECT name FROM $tbl_users WHERE email=?";
+ $res = sql_query($sql, array($email));
 if ($res === FALSE)
 {
 trigger_error(sql_error(), E_USER_WARNING);
diff -r 3d4daa0a0f89 -r b3661954f347 web/import.php
--- a/web/import.php Sat Sep 17 16:37:47 2016 +0100
+++ b/web/import.php Sat Sep 17 17:15:07 2016 +0100
@@ -78,8 +78,8 @@
 // know which area to put it in.
 if ($location_area == '')
 {
- $sql = "SELECT COUNT(*) FROM $tbl_room WHERE room_name='" . sql_escape($location_room) . "'";
- $count = sql_query1($sql);
+ $sql = "SELECT COUNT(*) FROM $tbl_room WHERE room_name=?";
+ $count = sql_query1($sql, array($location_room));
 if ($count < 0)
 {
 fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -96,8 +96,8 @@
 }
 else // we've got a unique room name
 {
- $sql = "SELECT id FROM $tbl_room WHERE room_name='" . sql_escape($location_room) . "' LIMIT 1";
- $id = sql_query1($sql);
+ $sql = "SELECT id FROM $tbl_room WHERE room_name=? LIMIT 1";
+ $id = sql_query1($sql, array($location_room));
 if ($id < 0)
 {
 fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -112,9 +112,9 @@
 // First of all get the area id
 $sql = "SELECT id FROM $tbl_area
- WHERE area_name='" . sql_escape($location_area) . "'
+ WHERE area_name=?
 LIMIT 1";
- $area_id = sql_query1($sql);
+ $area_id = sql_query1($sql, array($location_area));
 if ($area_id < 0)
 {
 // The area does not exist - create it if we are allowed to
@@ -139,10 +139,10 @@
 // Now we've got the area_id get the room_id
 $sql = "SELECT id FROM $tbl_room
- WHERE room_name='" . sql_escape($location_room) . "'
- AND area_id=$area_id
+ WHERE room_name=?
+ AND area_id=?
 LIMIT 1";
- $room_id = sql_query1($sql);
+ $room_id = sql_query1($sql, array($location_room, $area_id));
 if ($room_id < 0)
 {
 // The room does not exist - create it if we are allowed to
diff -r 3d4daa0a0f89 -r b3661954f347 web/mysqli.inc
--- a/web/mysqli.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/mysqli.inc Sat Sep 17 17:15:07 2016 +0100
@@ -38,15 +38,6 @@
 }
-// Escapes special characters in a string for use in an SQL statement
-function sql_mysqli_escape($str, $db_conn = null)
-{
- sql_mysqli_ensure_handle($db_conn);
-
- return addslashes($str);
-}
-
-
 // Quote a table or column name (which could be a qualified identifier, eg 'table.column')
 function sql_mysqli_quote($identifier)
 {
diff -r 3d4daa0a0f89 -r b3661954f347 web/pgsql.inc
--- a/web/pgsql.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/pgsql.inc Sat Sep 17 17:15:07 2016 +0100
@@ -67,15 +67,6 @@
 }
-// Escapes special characters in a string for use in an SQL statement
-function sql_pgsql_escape($str, $db_conn = null)
-{
- sql_pgsql_ensure_handle($db_conn);
-
- return addslashes($str);
-}
-
-
 // Quote a table or column name (which could be a qualified identifier, eg 'table.column')
 // NOTE: We fold the identifier to lower case here even though it is quoted. Unlike MySQL,
diff -r 3d4daa0a0f89 -r b3661954f347 web/report.php
--- a/web/report.php Sat Sep 17 16:37:47 2016 +0100
+++ b/web/report.php Sat Sep 17 17:15:07 2016 +0100
@@ -1133,7 +1133,8 @@
 function get_match_condition($full_column_name, $match)
 {
 global $select_options, $field_natures, $field_lengths;
-
+
+ $sql_params = array();
 $sql = '';
 // First simple case: no match required
@@ -1176,7 +1177,8 @@
 if (($option_key !== '') &&
 (strpos(utf8_strtolower($option_value), utf8_strtolower($match)) !== FALSE))
 {
- $or_array[] = "$full_column_name='" . sql_escape($option_key) . "'";
+ $or_array[] = "$full_column_name=?";
+ $sql_params[] = $option_key;
 }
 }
 if (count($or_array) > 0)
@@ -1371,6 +1373,7 @@
 $report_end = mktime(0, 0, 0, $to_month+0, $to_day+1, $to_year+0);
 // Construct the SQL query
+ $sql_params = array();
 $sql = "SELECT E.*, " . sql_syntax_timestamp_to_unix("E.timestamp") . " AS last_updated, " . "A.area_name, R.room_name, "
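Review bot: The hunk at @@ -1133 initialises `$sql_params = array();` as a local inside get_match_condition while the unchanged context line above it still declares `function get_match_condition($full_column_name, $match)` with no third parameter, so the value appended at @@ -1176 (`$sql_params[] = $option_key;`) is discarded when the function returns and the extra argument the call sites now pass (`get_match_condition($column, $match, $sql_params)`) is silently ignored. For any select-type match the assembled query would then carry more `?` placeholders than bound values and fail at execution. Unless the signature is changed in a hunk not shown, the array should be taken by reference — `function get_match_condition($full_column_name, $match, &$sql_params)` — and the added local `$sql_params = array();` removed. get_match_condition begins at this hunk and its body continues past both hunks shown.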
@@ -1389,7 +1392,9 @@
 $sql .= " LEFT JOIN $tbl_repeat T ON E.repeat_id=T.id";
 }
 $sql .= " WHERE E.room_id=R.id AND R.area_id=A.id"
- . " AND E.start_time < $report_end AND E.end_time > $report_start";
+ . " AND E.start_time < ? AND E.end_time > ?";
+ $sql_params[] = $report_end;
+ $sql_params[] = $report_start;
 if ($output_format == OUTPUT_ICAL)
 {
 // We can't export periods in an iCalendar yet
@@ -1405,7 +1410,7 @@
 foreach ($match_columns as $column => $match)
 {
- $sql .= get_match_condition($column, $match);
+ $sql .= get_match_condition($column, $match, $sql_params);
 }
 // Then do the special cases
@@ -1417,6 +1422,7 @@
 {
 // sql_syntax_casesensitive_equals() does the SQL escaping
 $or_array[] = sql_syntax_casesensitive_equals('E.type', $type);
+ $sql_params[] = $type;
 }
 $sql .= "(". implode(" OR ", $or_array ) .")";
 }
@@ -1453,7 +1459,7 @@
 foreach ($custom_fields as $key => $value)
 {
 $var = "match_$key";
- $sql .= get_match_condition("E.$key", $$var);
+ $sql .= get_match_condition("E.$key", $$var, $sql_params);
 }
 // If we're not an admin (they are allowed to see everything), then we need
@@ -1469,8 +1475,10 @@
 // - their own bookings, and others' public bookings if private_override is set to 'none'
 // - just their own bookings, if private_override is set to 'private'
 $sql .= " AND ((A.private_override='public') OR
- (A.private_override='none' AND ((E.status&" . STATUS_PRIVATE . "=0) OR E.create_by = '" . sql_escape($user) . "')) OR
- (A.private_override='private' AND E.create_by = '" . sql_escape($user) . "'))";
+ (A.private_override='none' AND ((E.status&" . STATUS_PRIVATE . "=0) OR E.create_by = ?)) OR
+ (A.private_override='private' AND E.create_by = ?))";
+ $sql_params[] = $user;
+ $sql_params[] = $user;
 }
 else
 {
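Review bot: The unchanged comment `// sql_syntax_casesensitive_equals() does the SQL escaping` at @@ -1417 is now misleading, because the added line `$sql_params[] = $type;` binds `$type` as a parameter, which is only correct if the helper now returns an expression containing a `?` placeholder rather than an escaped literal. If the helper still embeds the value itself, this hunk adds a bound value with no matching placeholder and the final `sql_query($sql, $sql_params)` will fail with a parameter-count mismatch; the helper is not in this diff, so please confirm which it is. Either way the comment should say what the code now relies on, e.g. `// sql_syntax_casesensitive_equals() returns an expression with a ? placeholder; $type is bound below`. The loop and `if` enclosing these lines begin before the hunk.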
@@ -1501,7 +1509,7 @@
 // echo "<p>DEBUG: SQL: <tt> $sql </tt></p>\n";
- $res = sql_query($sql);
+ $res = sql_query($sql, $sql_params);
 if (! $res)
 {
 trigger_error(sql_error(), E_USER_WARNING);
diff -r 3d4daa0a0f89 -r b3661954f347 web/upgrade/15/post.inc
--- a/web/upgrade/15/post.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/upgrade/15/post.inc Sat Sep 17 17:15:07 2016 +0100
@@ -20,16 +20,12 @@
 {
 $sql_val = ($area_defaults[$key]) ? 1 : 0;
 }
- elseif ($field['nature'] == 'integer')
+ else
 {
 $sql_val = $area_defaults[$key];
 }
- else
- {
- $sql_val = "'" . sql_escape($area_defaults[$key]) . "'";
- }
- $sql = "UPDATE $tbl_area SET $key=$sql_val WHERE $key IS NULL";
- $res = sql_command($sql);
+ $sql = "UPDATE $tbl_area SET $key=? WHERE $key IS NULL";
+ $res = sql_command($sql, array($sql_val));
 if ($res == -1)
 {
 // No need to localise, should never happen
diff -r 3d4daa0a0f89 -r b3661954f347 web/upgrade/21/post.inc
--- a/web/upgrade/21/post.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/upgrade/21/post.inc Sat Sep 17 17:15:07 2016 +0100
@@ -18,16 +18,12 @@
------------------------------------------------------------------------------ _______________________________________________ Mrbs-commits mailing list Mrbs-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mrbs-commits
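Review bot: In the new line `$sql = "UPDATE $tbl_area SET $key=? WHERE $key IS NULL";` in web/upgrade/15/post.inc, `$key` is still interpolated twice as a column identifier, which a `?` placeholder cannot cover. It comes from the keys of `$area_defaults`, i.e. configuration rather than request input, so this is not an injection path, but passing it through the identifier-quoting helper that dbsys.inc declares under `// Quote a table or column name` (backed by `sql_mysqli_quote` and the pgsql counterpart shown in this diff) would protect the upgrade against a column name that is a reserved word and keep it consistent with the rest of the rewrite; note the dbsys.inc comment that the helper folds identifiers to lower case on PostgreSQL. The `if`/`else` chain this hunk edits, and the loop that defines `$key`, begin before the hunk.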