Changeset:
f91156d63be0
https://sourceforge.net/p/mrbs/hg-code/ci/f91156d63be04766c6bf8b7d07da0cedd6822c3f
Author:
John Beranek <[email protected]>
Date:
Sun Sep 18 09:45:49 2016 +0100
Log message:
Changed sql_syntax_casesensitive_equals() so you pass the SQL params
array by reference for it to modify.
Fixed varargs usage in new parameterised SQL calls.
diffstat:
web/auth/auth_db.inc | 13 +++++++------
web/auth/auth_db_ext.inc | 31 ++++++++++++++++++++++---------
web/dbsys.inc | 22 +++++++++++++---------
web/edit_area_room.php | 8 ++++++--
web/mysqli.inc | 8 +++++++-
web/pgsql.inc | 8 +++++++-
web/report.php | 5 ++---
7 files changed, 64 insertions(+), 31 deletions(-)
diffs (283 lines):
diff -r 8be20a19a8be -r f91156d63be0 web/auth/auth_db.inc
--- a/web/auth/auth_db.inc Sat Sep 17 19:01:33 2016 +0100
+++ b/web/auth/auth_db.inc Sun Sep 18 09:45:49 2016 +0100
@@ -39,6 +39,8 @@
global $tbl_users;
$result = 0;
+ $sql_params = array();
+
// We use sql_syntax_casesensitive_equals() rather than just '=' because '='
in MySQL
// permits trailing spacings, eg 'john' = 'john '. We could use LIKE, but
that then
// permits wildcards, so we could use a comnination of LIKE and '=' but
that's a bit
@@ -46,11 +48,11 @@
$sql = "SELECT password_hash
FROM $tbl_users
WHERE " .
- sql_syntax_casesensitive_equals('name', utf8_strtolower($user)) .
+ sql_syntax_casesensitive_equals('name', utf8_strtolower($user),
$sql_params) .
"
LIMIT 1";
- $res = sql_query($sql, array(utf8_strtolower($user)));
+ $res = sql_query($sql, $sql_params);
if ($res == FALSE)
{
trigger_error(sql_error(), E_USER_WARNING);
@@ -100,13 +102,12 @@
if ($do_rehash)
{
+ $sql_params = array(password_hash($pass, PASSWORD_DEFAULT));
$sql = "UPDATE $tbl_users
SET password_hash=?
WHERE " .
- sql_syntax_casesensitive_equals('name', utf8_strtolower($user));
- sql_command($sql,
- array(password_hash($pass, PASSWORD_DEFAULT),
- utf8_strtolower($user)));
+ sql_syntax_casesensitive_equals('name', utf8_strtolower($user),
$sql_params);
+ sql_command($sql, $sql_params);
}
return $result;
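Review bot: The rehash UPDATE binds correctly only because `$sql_params` is seeded with the new hash before sql_syntax_casesensitive_equals() appends the user name, which matches the `SET password_hash=?` then `WHERE name=?` placeholder order, and nothing in the code says so. A comment on the seeding line, `// Seed with the SET value first: the helper appends the name parameter, and the array must follow placeholder order`, would stop a later reorder from silently binding the hash to the wrong placeholder. The return value of sql_command() is also discarded, so a failed rehash is invisible; reporting it with trigger_error(sql_error(), E_USER_WARNING) as the SELECT path above does would be consistent. The enclosing function starts outside this hunk.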
diff -r 8be20a19a8be -r f91156d63be0 web/auth/auth_db_ext.inc
--- a/web/auth/auth_db_ext.inc Sat Sep 17 19:01:33 2016 +0100
+++ b/web/auth/auth_db_ext.inc Sun Sep 18 09:45:49 2016 +0100
@@ -62,13 +62,18 @@
$persist,
$port);
- // sql_syntax_casesensitive_equals() inserts a param placeholder so we must
pass the param. We need an exact match -
+ // sql_syntax_casesensitive_equals() modifies our SQL params array for us.
We need an exact match -
// MySQL allows trailing spaces when using an '=' comparison, eg 'john' =
'john '
+
+ $sql_params = array();
+
$query = "SELECT " . sql_quote($auth['db_ext']['column_name_password']) .
" FROM " . sql_quote($auth['db_ext']['db_table']) .
- " WHERE " .
sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'],
utf8_strtolower($user));
+ " WHERE " .
sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'],
+ utf8_strtolower($user),
+ $sql_params);
- $r = sql_query($query, array(utf8_strtolower($user)), $conn);
+ $r = sql_query($query, $sql_params, $conn);
if ($r === FALSE)
{
@@ -173,14 +178,18 @@
$persist,
$port);
- // sql_syntax_casesensitive_equals() inserts a param placeholder, so we
need to pass the param. We need an exact match -
+ // sql_syntax_casesensitive_equals() modifies our SQL params array for
us. We need an exact match -
// MySQL allows trailing spaces when using an '=' comparison, eg 'john' =
'john '
+
+ $sql_params = array();
$query = "SELECT " . sql_quote($auth['db_ext']['column_name_level']) . "
FROM " . sql_quote($auth['db_ext']['db_table']) . "
- WHERE " .
sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'],
utf8_strtolower($user)) . "
+ WHERE " .
sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'],
+
utf8_strtolower($user),
+ $sql_params) . "
LIMIT 1";
- $r = sql_query($query, array(utf8_strtolower($user), $conn);
+ $r = sql_query($query, $sql_params, $conn);
if ($r === FALSE)
{
@@ -235,14 +244,18 @@
$persist,
$port);
- // sql_syntax_casesensitive_equals() inserts a param placeholder, so we need
to pass the param. We need an exact match -
+ // sql_syntax_casesensitive_equals() modifies our SQL params array for us.
We need an exact match -
// MySQL allows trailing spaces when using an '=' comparison, eg 'john' =
'john '
+
+ $sql_params = array();
$query = "SELECT " . sql_quote($auth['db_ext']['column_name_email']) . "
FROM " . sql_quote($auth['db_ext']['db_table']) . "
- WHERE " .
sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'],
utf8_strtolower($user)) . "
+ WHERE " .
sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'],
+ utf8_strtolower($user),
+ $sql_params) . "
LIMIT 1";
- $r = sql_query($query, array(utf8_strtolower($user)), $conn);
+ $r = sql_query($query, $sql_params), $conn);
if ($r === FALSE)
{
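Review bot: The new `$r = sql_query($query, $sql_params), $conn);` line has a stray closing parenthesis after `$sql_params`, which is a parse error that breaks the whole file rather than just this function; it should read `$r = sql_query($query, $sql_params, $conn);` as in the two hunks above. Because this file is the external-database authentication backend, the parse error would take down login for every db_ext installation until fixed. The enclosing function starts and ends outside this hunk.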
diff -r 8be20a19a8be -r f91156d63be0 web/dbsys.inc
--- a/web/dbsys.inc Sat Sep 17 19:01:33 2016 +0100
+++ b/web/dbsys.inc Sun Sep 18 09:45:49 2016 +0100
@@ -90,7 +90,7 @@
{
if (func_num_args() > 2)
{
- $handle = func_get_arg(1);
+ $handle = func_get_arg(2);
$db_sys = $handle['system'];
$db_conn = $handle['connection'];
}
@@ -113,7 +113,7 @@
{
if (func_num_args() > 2)
{
- $handle = func_get_arg(1);
+ $handle = func_get_arg(2);
$db_sys = $handle['system'];
$db_conn = $handle['connection'];
}
@@ -137,7 +137,7 @@
{
if (func_num_args() > 2)
{
- $handle = func_get_arg(1);
+ $handle = func_get_arg(2);
$db_conn = $handle['connection'];
}
else
@@ -168,7 +168,7 @@
{
if (func_num_args() > 2)
{
- $handle = func_get_arg(1);
+ $handle = func_get_arg(2);
$db_sys = $handle['system'];
$db_conn = $handle['connection'];
}
@@ -475,7 +475,7 @@
{
if (func_num_args() > 1)
{
- $handle = func_get_arg(1);
+ $handle = func_get_arg(2);
$db_sys = $handle['system'];
$db_conn = $handle['connection'];
}
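Review bot: This hunk moves the fetch to `func_get_arg(2)` but leaves the guard as `func_num_args() > 1`, so a call with exactly two arguments passes the guard and then reads an argument that does not exist, leaving `$handle` (and hence `$db_sys` and `$db_conn`) unset with a warning. The four hunks above consistently pair `> 2` with index 2, so either the guard should become `if (func_num_args() > 2)` or the index should stay at 1, depending on whether the enclosing function gained a new leading parameter. Its signature is outside this hunk, so I cannot tell which was intended.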
@@ -493,15 +493,19 @@
// Returns the syntax for a case sensitive string "equals" function
+//
+// Also takes a required pass-by-reference parameter to modify the SQL
+// parameters appropriately.
+//
// (By default MySQL is case insensitive, whereas PostgreSQL is not)
// NB: This function is also assumed to do a strict comparison, ie
// take account of training spaces. (The '=' comparison in MySQL allows
// trailing spaces, eg 'john' = 'john ').
-function sql_syntax_casesensitive_equals($fieldname, $s)
+function sql_syntax_casesensitive_equals($fieldname, $string, &$params)
{
- if (func_num_args() > 2)
+ if (func_num_args() > 3)
{
- $handle = func_get_arg(2);
+ $handle = func_get_arg(3);
$db_sys = $handle['system'];
$db_conn = $handle['connection'];
}
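Review bot: Now that the wrapper has a real signature, reading the optional handle via `func_num_args() > 3` / `func_get_arg(3)` is the one contract still hidden from readers and static analysis; declaring it as `function sql_syntax_casesensitive_equals($fieldname, $string, &$params, $handle = null)` and testing `$handle !== null` expresses the same thing explicitly. The added doc comment could also say what "modify appropriately" means, since the drivers append one value: `// Appends $string to $params for the single '?' emitted, so call this in placeholder order`. The function body continues past this hunk.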
@@ -514,7 +518,7 @@
}
$f = __NAMESPACE__ . "\\sql_${db_sys}_syntax_casesensitive_equals";
- return $f($fieldname, $s, $db_conn);
+ return $f($fieldname, $string, $params, $db_conn);
}
diff -r 8be20a19a8be -r f91156d63be0 web/edit_area_room.php
--- a/web/edit_area_room.php Sat Sep 17 19:01:33 2016 +0100
+++ b/web/edit_area_room.php Sun Sep 18 09:45:49 2016 +0100
@@ -516,6 +516,9 @@
{
$capacity = 0;
}
+
+ // Used purely for the sql_syntax_casesensitive_equals() call below, and
then ignored
+ $sql_params = array();
// Acquire a mutex to lock out others who might be deleting the new area
if (!sql_mutex_lock($tbl_area))
@@ -531,11 +534,12 @@
// (only do this if you're changing the room name or the area - if you're
// just editing the other details for an existing room we don't want to
reject
// the edit because the room already exists!)
- // [sql_syntax_casesensitive_equals() inserts a param placeholder, so we
must pass the param to sql_query1()]
+ // [sql_syntax_casesensitive_equals() modifies our SQL params for us,
but we do it ourselves to
+ // keep the flow of this elseif block]
elseif ( (($new_area != $old_area) || ($room_name != $old_room_name))
&& sql_query1("SELECT COUNT(*)
FROM $tbl_room
- WHERE" .
sql_syntax_casesensitive_equals("room_name", $room_name) . "
+ WHERE" .
sql_syntax_casesensitive_equals("room_name", $room_name, $sql_params) . "
AND area_id=?
LIMIT 1", array($room_name, $new_area)) > 0)
{
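Review bot: The parameter list for this query is built twice: sql_syntax_casesensitive_equals() appends `$room_name` to `$sql_params`, which is then discarded, and the literal `array($room_name, $new_area)` re-supplies it. The two only agree while every driver emits exactly one placeholder, which the new comment acknowledges but nothing enforces. Building the WHERE fragment into a local before the if/elseif chain, then appending `$new_area` to `$sql_params` and passing that array to sql_query1(), would remove the duplication without disturbing the flow of the branch. The enclosing if/elseif chain starts outside this hunk.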
diff -r 8be20a19a8be -r f91156d63be0 web/mysqli.inc
--- a/web/mysqli.inc Sat Sep 17 19:01:33 2016 +0100
+++ b/web/mysqli.inc Sun Sep 18 09:45:49 2016 +0100
@@ -328,13 +328,19 @@
// Returns the syntax for a case sensitive string "equals" function
// (By default MySQL is case insensitive, so we force a binary comparison)
+//
+// Also takes a required pass-by-reference parameter to modify the SQL
+// parameters appropriately.
+//
// NB: This function is also assumed to do a strict comparison, ie
// take account of training spaces. (The '=' comparison in MySQL allows
// trailing spaces, eg 'john' = 'john ').
-function sql_mysqli_syntax_casesensitive_equals($fieldname, $s, $db_conn =
null)
+function sql_mysqli_syntax_casesensitive_equals($fieldname, $string, &$params,
$db_conn = null)
{
sql_mysqli_ensure_handle($db_conn);
+ $params[] = $string;
+
return " BINARY " . sql_mysqli_quote($fieldname) . "=?";
}
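Review bot: The new doc comment says the parameter is modified "appropriately" but not how; since the body does `$params[] = $string`, the caller-visible contract is that exactly one value is appended for the single `?` emitted, so callers must invoke this in the same order as the placeholders appear in their statement. Suggest replacing that sentence with `// Appends $string to $params to match the single '?' placeholder emitted; build $params in placeholder order`. If any caller could pass an uninitialised or non-array `$params`, a leading `if (!is_array($params)) { $params = array(); }` would be cheap insurance, though I cannot see such a caller from here.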
diff -r 8be20a19a8be -r f91156d63be0 web/pgsql.inc
--- a/web/pgsql.inc Sat Sep 17 19:01:33 2016 +0100
+++ b/web/pgsql.inc Sun Sep 18 09:45:49 2016 +0100
@@ -369,13 +369,19 @@
// Returns the syntax for a case sensitive string "equals" function
+//
+// Also takes a required pass-by-reference parameter to modify the SQL
+// parameters appropriately.
+//
// NB: This function is also assumed to do a strict comparison, ie
// take account of training spaces. (The '=' comparison in MySQL allows
// trailing spaces, eg 'john' = 'john ').
-function sql_pgsql_syntax_casesensitive_equals($fieldname, $s, $db_conn = null)
+function sql_pgsql_syntax_casesensitive_equals($fieldname, $string, &$params,
$db_conn = null)
{
sql_pgsql_ensure_handle($db_conn);
+ $params[] = $string;
+
return " " . sql_pgsql_quote($fieldname) . "=?";
}
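Review bot: The header above this function assumes `=` is strict about trailing spaces, but in PostgreSQL that holds for `text`/`varchar` and not for `character(n)`, where trailing padding is insignificant in comparisons. auth_db_ext.inc passes site-configured column names to this function, so if an external user table stores usernames in a `char(n)` column, 'john' and 'john ' would still compare equal despite the comment. Worth a caveat such as `// NB: only strict for text/varchar columns; char(n) comparisons ignore trailing spaces`, or documenting the column-type requirement for db_ext.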
diff -r 8be20a19a8be -r f91156d63be0 web/report.php
--- a/web/report.php Sat Sep 17 19:01:33 2016 +0100
+++ b/web/report.php Sun Sep 18 09:45:49 2016 +0100
@@ -1419,9 +1419,8 @@
$or_array = array();
foreach ( $typematch as $type )
{
- // sql_syntax_casesensitive_equals() does the SQL escaping
- $or_array[] = sql_syntax_casesensitive_equals('E.type', $type);
- $sql_params[] = $type;
+ // sql_syntax_casesensitive_equals() modifies our SQL params array for us
+ $or_array[] = sql_syntax_casesensitive_equals('E.type', $type,
$sql_params);
}
$sql .= "(". implode(" OR ", $or_array ) .")";
}