Changeset:
b3661954f347
https://sourceforge.net/p/mrbs/hg-code/ci/b3661954f347c2dc5534704fd67a6f1ac2d1c83c
Author:
John Beranek <[email protected]>
Date:
Sat Sep 17 17:15:07 2016 +0100
Log message:
Removed all remaining references to sql_escape()
diffstat:
web/dbsys.inc | 22 ----------------------
web/functions_ical.inc | 30 +++++++++++++++---------------
web/import.php | 18 +++++++++---------
web/mysqli.inc | 9 ---------
web/pgsql.inc | 9 ---------
web/report.php | 24 ++++++++++++++++--------
web/upgrade/15/post.inc | 10 +++-------
web/upgrade/21/post.inc | 10 +++-------
web/upgrade/34/post.inc | 6 +++---
9 files changed, 49 insertions(+), 89 deletions(-)
diffs (truncated from 336 to 300 lines):
diff -r 3d4daa0a0f89 -r b3661954f347 web/dbsys.inc
--- a/web/dbsys.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/dbsys.inc Sat Sep 17 17:15:07 2016 +0100
@@ -72,28 +72,6 @@
}
-// Escapes special characters in a string for use in an SQL statement
-function sql_escape($str)
-{
- if (func_num_args() > 1)
- {
- $handle = func_get_arg(1);
- $db_sys = $handle['system'];
- $db_conn = $handle['connection'];
- }
- else
- {
- global $dbsys;
-
- $db_sys = $dbsys;
- $db_conn = null;
- }
-
- $f = __NAMESPACE__ . "\\sql_${db_sys}_escape";
- return $f($str, $db_conn);
-}
-
-
// Quote a table or column name
// NOTE: In PostgreSQL the identifier is also converted to lower case. See
// the comments in pgsql.inc for an explanation.
diff -r 3d4daa0a0f89 -r b3661954f347 web/functions_ical.inc
--- a/web/functions_ical.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/functions_ical.inc Sat Sep 17 17:15:07 2016 +0100
@@ -112,10 +112,10 @@
// Look and see if there's a component in the database
$sql = "SELECT vtimezone, last_updated
FROM $tbl_zoneinfo
- WHERE timezone='" . sql_escape($tz) . "'
- AND outlook_compatible=$zoneinfo_outlook_compatible
+ WHERE timezone=?
+ AND outlook_compatible=?
LIMIT 1";
- $res = sql_query($sql);
+ $res = sql_query($sql, array($tz,$zoneinfo_outlook_compatible));
if ($res === FALSE)
{
trigger_error(sql_error(), E_USER_WARNING);
@@ -174,11 +174,11 @@
// we couldn't get a new VTIMEZONE is that the site doesn't have
external internet
// access, so there's no point in retrying for a while).
$sql = "UPDATE $tbl_zoneinfo
- SET vtimezone='" . sql_escape($vtimezone) . "',
- last_updated=" . time() . "
- WHERE timezone='" . sql_escape($tz) . "'
- AND outlook_compatible=$zoneinfo_outlook_compatible";
- if (sql_command($sql) < 0)
+ SET vtimezone=?,
+ last_updated=?
+ WHERE timezone=?
+ AND outlook_compatible=?";
+ if (sql_command($sql, array($vtimezone, time(), $tz,
$zoneinfo_outlook_compatible)) < 0)
{
trigger_error(sql_error(), E_USER_WARNING);
fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -199,11 +199,11 @@
{
$sql = "INSERT INTO $tbl_zoneinfo
(timezone, outlook_compatible, vtimezone, last_updated)
- VALUES ('" . sql_escape($tz) . "',
- $zoneinfo_outlook_compatible,
- '" . sql_escape($vtimezone) . "', " .
- time() . ")";
- if (sql_command($sql) < 0)
+ VALUES (?,
+ ?,
+ ?,
+ ?)";
+ if (sql_command($sql, array($tz, $zoneinfo_outlook_compatible,
$vtimezone, time())) < 0)
{
trigger_error(sql_error(), E_USER_WARNING);
fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -311,8 +311,8 @@
// If we're using the 'db' auth rtpe, then look the username up in the users
table
if ($auth['type'] == 'db')
{
- $sql = "SELECT name FROM $tbl_users WHERE email='" . sql_escape($email) .
"'";
- $res = sql_query($sql);
+ $sql = "SELECT name FROM $tbl_users WHERE email=?";
+ $res = sql_query($sql, array($email));
if ($res === FALSE)
{
trigger_error(sql_error(), E_USER_WARNING);
diff -r 3d4daa0a0f89 -r b3661954f347 web/import.php
--- a/web/import.php Sat Sep 17 16:37:47 2016 +0100
+++ b/web/import.php Sat Sep 17 17:15:07 2016 +0100
@@ -78,8 +78,8 @@
// know which area to put it in.
if ($location_area == '')
{
- $sql = "SELECT COUNT(*) FROM $tbl_room WHERE room_name='" .
sql_escape($location_room) . "'";
- $count = sql_query1($sql);
+ $sql = "SELECT COUNT(*) FROM $tbl_room WHERE room_name=?";
+ $count = sql_query1($sql, array($location_room));
if ($count < 0)
{
fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -96,8 +96,8 @@
}
else // we've got a unique room name
{
- $sql = "SELECT id FROM $tbl_room WHERE room_name='" .
sql_escape($location_room) . "' LIMIT 1";
- $id = sql_query1($sql);
+ $sql = "SELECT id FROM $tbl_room WHERE room_name=? LIMIT 1";
+ $id = sql_query1($sql, array($location_room));
if ($id < 0)
{
fatal_error(FALSE, get_vocab("fatal_db_error"));
@@ -112,9 +112,9 @@
// First of all get the area id
$sql = "SELECT id
FROM $tbl_area
- WHERE area_name='" . sql_escape($location_area) . "'
+ WHERE area_name=?
LIMIT 1";
- $area_id = sql_query1($sql);
+ $area_id = sql_query1($sql, array($location_area));
if ($area_id < 0)
{
// The area does not exist - create it if we are allowed to
@@ -139,10 +139,10 @@
// Now we've got the area_id get the room_id
$sql = "SELECT id
FROM $tbl_room
- WHERE room_name='" . sql_escape($location_room) . "'
- AND area_id=$area_id
+ WHERE room_name=?
+ AND area_id=?
LIMIT 1";
- $room_id = sql_query1($sql);
+ $room_id = sql_query1($sql, array($location_room, $area_id));
if ($room_id < 0)
{
// The room does not exist - create it if we are allowed to
diff -r 3d4daa0a0f89 -r b3661954f347 web/mysqli.inc
--- a/web/mysqli.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/mysqli.inc Sat Sep 17 17:15:07 2016 +0100
@@ -38,15 +38,6 @@
}
-// Escapes special characters in a string for use in an SQL statement
-function sql_mysqli_escape($str, $db_conn = null)
-{
- sql_mysqli_ensure_handle($db_conn);
-
- return addslashes($str);
-}
-
-
// Quote a table or column name (which could be a qualified identifier, eg
'table.column')
function sql_mysqli_quote($identifier)
{
diff -r 3d4daa0a0f89 -r b3661954f347 web/pgsql.inc
--- a/web/pgsql.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/pgsql.inc Sat Sep 17 17:15:07 2016 +0100
@@ -67,15 +67,6 @@
}
-// Escapes special characters in a string for use in an SQL statement
-function sql_pgsql_escape($str, $db_conn = null)
-{
- sql_pgsql_ensure_handle($db_conn);
-
- return addslashes($str);
-}
-
-
// Quote a table or column name (which could be a qualified identifier, eg
'table.column')
// NOTE: We fold the identifier to lower case here even though it is quoted.
Unlike MySQL,
diff -r 3d4daa0a0f89 -r b3661954f347 web/report.php
--- a/web/report.php Sat Sep 17 16:37:47 2016 +0100
+++ b/web/report.php Sat Sep 17 17:15:07 2016 +0100
@@ -1133,7 +1133,8 @@
function get_match_condition($full_column_name, $match)
{
global $select_options, $field_natures, $field_lengths;
-
+
+ $sql_params = array();
$sql = '';
// First simple case: no match required
@@ -1176,7 +1177,8 @@
if (($option_key !== '') &&
(strpos(utf8_strtolower($option_value), utf8_strtolower($match)) !==
FALSE))
{
- $or_array[] = "$full_column_name='" . sql_escape($option_key) . "'";
+ $or_array[] = "$full_column_name=?";
+ $sql_params[] = $option_key;
}
}
if (count($or_array) > 0)
@@ -1371,6 +1373,7 @@
$report_end = mktime(0, 0, 0, $to_month+0, $to_day+1, $to_year+0);
// Construct the SQL query
+ $sql_params = array();
$sql = "SELECT E.*, "
. sql_syntax_timestamp_to_unix("E.timestamp") . " AS last_updated, "
. "A.area_name, R.room_name, "
@@ -1389,7 +1392,9 @@
$sql .= " LEFT JOIN $tbl_repeat T ON E.repeat_id=T.id";
}
$sql .= " WHERE E.room_id=R.id AND R.area_id=A.id"
- . " AND E.start_time < $report_end AND E.end_time > $report_start";
+ . " AND E.start_time < ? AND E.end_time > ?";
+ $sql_params[] = $report_end;
+ $sql_params[] = $report_start;
if ($output_format == OUTPUT_ICAL)
{
// We can't export periods in an iCalendar yet
@@ -1405,7 +1410,7 @@
foreach ($match_columns as $column => $match)
{
- $sql .= get_match_condition($column, $match);
+ $sql .= get_match_condition($column, $match, $sql_params);
}
// Then do the special cases
@@ -1417,6 +1422,7 @@
{
// sql_syntax_casesensitive_equals() does the SQL escaping
$or_array[] = sql_syntax_casesensitive_equals('E.type', $type);
+ $sql_params[] = $type;
}
$sql .= "(". implode(" OR ", $or_array ) .")";
}
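Review bot: `$sql_params[] = $type;` binds a value for a condition that, according to the comment two lines above it, is still built by sql_syntax_casesensitive_equals() with the value escaped inline. If that helper has not been changed (it is outside this hunk and may be in the truncated part of the diff) to emit a `?` placeholder, this pushes a parameter with no matching placeholder and shifts every later binding in `$sql_params` by one position, including the two `$user` values bound in the -1469 hunk. If the helper now does emit a placeholder, the comment `// sql_syntax_casesensitive_equals() does the SQL escaping` is stale and should read `// sql_syntax_casesensitive_equals() emits a ? placeholder; bind the value below`.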
@@ -1453,7 +1459,7 @@
foreach ($custom_fields as $key => $value)
{
$var = "match_$key";
- $sql .= get_match_condition("E.$key", $$var);
+ $sql .= get_match_condition("E.$key", $$var, $sql_params);
}
// If we're not an admin (they are allowed to see everything), then we need
@@ -1469,8 +1475,10 @@
// - their own bookings, and others' public bookings if
private_override is set to 'none'
// - just their own bookings, if private_override is set to 'private'
$sql .= " AND ((A.private_override='public') OR
- (A.private_override='none' AND ((E.status&" .
STATUS_PRIVATE . "=0) OR E.create_by = '" . sql_escape($user) . "')) OR
- (A.private_override='private' AND E.create_by = '" .
sql_escape($user) . "'))";
+ (A.private_override='none' AND ((E.status&" .
STATUS_PRIVATE . "=0) OR E.create_by = ?)) OR
+ (A.private_override='private' AND E.create_by = ?))";
+ $sql_params[] = $user;
+ $sql_params[] = $user;
}
else
{
@@ -1501,7 +1509,7 @@
// echo "<p>DEBUG: SQL: <tt> $sql </tt></p>\n";
- $res = sql_query($sql);
+ $res = sql_query($sql, $sql_params);
if (! $res)
{
trigger_error(sql_error(), E_USER_WARNING);
diff -r 3d4daa0a0f89 -r b3661954f347 web/upgrade/15/post.inc
--- a/web/upgrade/15/post.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/upgrade/15/post.inc Sat Sep 17 17:15:07 2016 +0100
@@ -20,16 +20,12 @@
{
$sql_val = ($area_defaults[$key]) ? 1 : 0;
}
- elseif ($field['nature'] == 'integer')
+ else
{
$sql_val = $area_defaults[$key];
}
- else
- {
- $sql_val = "'" . sql_escape($area_defaults[$key]) . "'";
- }
- $sql = "UPDATE $tbl_area SET $key=$sql_val WHERE $key IS NULL";
- $res = sql_command($sql);
+ $sql = "UPDATE $tbl_area SET $key=? WHERE $key IS NULL";
+ $res = sql_command($sql, array($sql_val));
if ($res == -1)
{
// No need to localise, should never happen
diff -r 3d4daa0a0f89 -r b3661954f347 web/upgrade/21/post.inc
--- a/web/upgrade/21/post.inc Sat Sep 17 16:37:47 2016 +0100
+++ b/web/upgrade/21/post.inc Sat Sep 17 17:15:07 2016 +0100
@@ -18,16 +18,12 @@