Changeset: f91156d63be0 https://sourceforge.net/p/mrbs/hg-code/ci/f91156d63be04766c6bf8b7d07da0cedd6822c3f Author: John Beranek <jbera...@users.sourceforge.net> Date: Sun Sep 18 09:45:49 2016 +0100 Log message:
Changed sql_syntax_casesensitive_equals() so you pass the SQL params array by reference for it to modify. Fixed varags usage in new parameterised SQL calls. diffstat: web/auth/auth_db.inc | 13 +++++++------ web/auth/auth_db_ext.inc | 31 ++++++++++++++++++++++--------- web/dbsys.inc | 22 +++++++++++++--------- web/edit_area_room.php | 8 ++++++-- web/mysqli.inc | 8 +++++++- web/pgsql.inc | 8 +++++++- web/report.php | 5 ++--- 7 files changed, 64 insertions(+), 31 deletions(-) diffs (283 lines): diff -r 8be20a19a8be -r f91156d63be0 web/auth/auth_db.inc --- a/web/auth/auth_db.inc Sat Sep 17 19:01:33 2016 +0100 +++ b/web/auth/auth_db.inc Sun Sep 18 09:45:49 2016 +0100 @@ -39,6 +39,8 @@ global $tbl_users; $result = 0; + $sql_params = array(); + // We use sql_syntax_casesensitive_equals() rather than just '=' because '=' in MySQL // permits trailing spacings, eg 'john' = 'john '. We could use LIKE, but that then // permits wildcards, so we could use a comnination of LIKE and '=' but that's a bit @@ -46,11 +48,11 @@ $sql = "SELECT password_hash FROM $tbl_users WHERE " . - sql_syntax_casesensitive_equals('name', utf8_strtolower($user)) . + sql_syntax_casesensitive_equals('name', utf8_strtolower($user), $sql_params) . " LIMIT 1"; - $res = sql_query($sql, array(utf8_strtolower($user))); + $res = sql_query($sql, $sql_params); if ($res == FALSE) { trigger_error(sql_error(), E_USER_WARNING); @@ -100,13 +102,12 @@ if ($do_rehash) { + $sql_params = array(password_hash($pass, PASSWORD_DEFAULT)); $sql = "UPDATE $tbl_users SET password_hash=? WHERE " . - sql_syntax_casesensitive_equals('name', utf8_strtolower($user)); - sql_command($sql, - array(password_hash($pass, PASSWORD_DEFAULT), - utf8_strtolower($user))); + sql_syntax_casesensitive_equals('name', utf8_strtolower($user), $sql_params); + sql_command($sql, $sql_params); } return $result; diff -r 8be20a19a8be -r f91156d63be0 web/auth/auth_db_ext.inc --- a/web/auth/auth_db_ext.inc Sat Sep 17 19:01:33 2016 +0100 
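Review bot: The rehash UPDATE in the @@ -100 hunk discards the result of `sql_command($sql, $sql_params);`, so a failed write leaves the old hash in place with no trace, whereas the SELECT path in the @@ -46 hunk checks its result and raises a warning. If sql_command() follows the same convention as sql_query() and returns FALSE on failure, mirror that check: `if (sql_command($sql, $sql_params) === FALSE) { trigger_error(sql_error(), E_USER_WARNING); }`. Login presumably still succeeds either way, since `$result` is set before this block; only the upgrade of the stored hash is lost silently. The enclosing function starts outside the hunk, so sql_command()'s return convention is not visible here.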
+++ b/web/auth/auth_db_ext.inc Sun Sep 18 09:45:49 2016 +0100 @@ -62,13 +62,18 @@ $persist, $port); - // sql_syntax_casesensitive_equals() inserts a param placeholder so we must pass the param. We need an exact match - + // sql_syntax_casesensitive_equals() modifies our SQL params array for us. We need an exact match - // MySQL allows trailing spaces when using an '=' comparison, eg 'john' = 'john ' + + $sql_params = array(); + $query = "SELECT " . sql_quote($auth['db_ext']['column_name_password']) . " FROM " . sql_quote($auth['db_ext']['db_table']) . - " WHERE " . sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'], utf8_strtolower($user)); + " WHERE " . sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'], + utf8_strtolower($user), + $sql_params); - $r = sql_query($query, array(utf8_strtolower($user)), $conn); + $r = sql_query($query, $sql_params, $conn); if ($r === FALSE) { @@ -173,14 +178,18 @@ $persist, $port); - // sql_syntax_casesensitive_equals() inserts a param placeholder, so we need to pass the param. We need an exact match - + // sql_syntax_casesensitive_equals() modifies our SQL params array for us. We need an exact match - // MySQL allows trailing spaces when using an '=' comparison, eg 'john' = 'john ' + + $sql_params = array(); $query = "SELECT " . sql_quote($auth['db_ext']['column_name_level']) . " FROM " . sql_quote($auth['db_ext']['db_table']) . " - WHERE " . sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'], utf8_strtolower($user)) . " + WHERE " . sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'], + utf8_strtolower($user), + $sql_params) . " LIMIT 1"; - $r = sql_query($query, array(utf8_strtolower($user), $conn); + $r = sql_query($query, $sql_params, $conn); if ($r === FALSE) { 
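Review bot: The lookup in the @@ -62 hunk lowercases `$user` and then compares it with a case-sensitive, exact equality, so any row whose username column contains an upper-case letter can never match and that account cannot log in; nothing in the hunk or its comment records this requirement on the external table. The assumption deserves a comment next to the `$sql_params = array();` line, e.g. `// NB: $user is lowercased and the comparison is case sensitive, so usernames in the external table must be stored in lower case.` The same applies to the @@ -173 hunk, and the functions both hunks belong to start outside the diff.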
@@ -235,14 +244,18 @@ $persist, $port); - // sql_syntax_casesensitive_equals() inserts a param placeholder, so we need to pass the param. We need an exact match - + // sql_syntax_casesensitive_equals() modifies our SQL params array for us. We need an exact match - // MySQL allows trailing spaces when using an '=' comparison, eg 'john' = 'john ' + + $sql_params = array(); $query = "SELECT " . sql_quote($auth['db_ext']['column_name_email']) . " FROM " . sql_quote($auth['db_ext']['db_table']) . " - WHERE " . sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'], utf8_strtolower($user)) . " + WHERE " . sql_syntax_casesensitive_equals($auth['db_ext']['column_name_username'], + utf8_strtolower($user), + $sql_params) . " LIMIT 1"; - $r = sql_query($query, array(utf8_strtolower($user)), $conn); + $r = sql_query($query, $sql_params), $conn); if ($r === FALSE) { diff -r 8be20a19a8be -r f91156d63be0 web/dbsys.inc --- a/web/dbsys.inc Sat Sep 17 19:01:33 2016 +0100 +++ b/web/dbsys.inc Sun Sep 18 09:45:49 2016 +0100 @@ -90,7 +90,7 @@ { if (func_num_args() > 2) { - $handle = func_get_arg(1); + $handle = func_get_arg(2); $db_sys = $handle['system']; $db_conn = $handle['connection']; } @@ -113,7 +113,7 @@ { if (func_num_args() > 2) { - $handle = func_get_arg(1); + $handle = func_get_arg(2); $db_sys = $handle['system']; $db_conn = $handle['connection']; } @@ -137,7 +137,7 @@ { if (func_num_args() > 2) { - $handle = func_get_arg(1); + $handle = func_get_arg(2); $db_conn = $handle['connection']; } else @@ -168,7 +168,7 @@ { if (func_num_args() > 2) { - $handle = func_get_arg(1); + $handle = func_get_arg(2); $db_sys = $handle['system']; $db_conn = $handle['connection']; } @@ -475,7 +475,7 @@ { if (func_num_args() > 1) { - $handle = func_get_arg(1); + $handle = func_get_arg(2); $db_sys = $handle['system']; $db_conn = $handle['connection']; } 
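Review bot: The new line `$r = sql_query($query, $sql_params), $conn);` in the @@ -235 hunk has a stray closing parenthesis before `, $conn`, which is a parse error; because it sits in an included file, every function in auth_db_ext.inc becomes unusable, not just this one, so authentication against the external database breaks outright. It should read `$r = sql_query($query, $sql_params, $conn);`, matching the two earlier hunks in this file. The enclosing function starts outside the hunk. Running `php -l` on changed files before committing would catch this class of error.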
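Review bot: The @@ -475 hunk of dbsys.inc now pairs `if (func_num_args() > 1)` with `$handle = func_get_arg(2);`, so a call with exactly two arguments enters the branch and reads a non-existent argument: func_get_arg() emits a warning and returns NULL, and `$handle['system']` / `$handle['connection']` become NULL instead of the caller's handle. Every other hunk in this file guards index 2 with `> 2`. Which side is wrong depends on how many declared parameters the function has, and its signature is outside the hunk: if it declares two (SQL plus params), change the guard to `if (func_num_args() > 2)`; if it declares one, the index should have stayed `func_get_arg(1)`.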
@@ -493,15 +493,19 @@ // Returns the syntax for a case sensitive string "equals" function +// +// Also takes a required pass-by-reference parameter to modify the SQL +// parameters appropriately. +// // (By default MySQL is case insensitive, whereas PostgreSQL is not) // NB: This function is also assumed to do a strict comparison, ie // take account of training spaces. (The '=' comparison in MySQL allows // trailing spaces, eg 'john' = 'john '). -function sql_syntax_casesensitive_equals($fieldname, $s) +function sql_syntax_casesensitive_equals($fieldname, $string, &$params) { - if (func_num_args() > 2) + if (func_num_args() > 3) { - $handle = func_get_arg(2); + $handle = func_get_arg(3); $db_sys = $handle['system']; $db_conn = $handle['connection']; } @@ -514,7 +518,7 @@ } $f = __NAMESPACE__ . "\\sql_${db_sys}_syntax_casesensitive_equals"; - return $f($fieldname, $s, $db_conn); + return $f($fieldname, $string, $params, $db_conn); } diff -r 8be20a19a8be -r f91156d63be0 web/edit_area_room.php --- a/web/edit_area_room.php Sat Sep 17 19:01:33 2016 +0100 +++ b/web/edit_area_room.php Sun Sep 18 09:45:49 2016 +0100 @@ -516,6 +516,9 @@ { $capacity = 0; } + + // Used purely for the sql_syntax_casesensitive_equals() call below, and then ignored + $sql_params = array(); // Acquire a mutex to lock out others who might be deleting the new area if (!sql_mutex_lock($tbl_area)) 
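Review bot: The header comment added in the @@ -493 hunk says the function "takes a required pass-by-reference parameter to modify the SQL parameters appropriately" but not how: the driver implementations append exactly one value, `$params[] = $string;`, to match the single `?` in the fragment they return. Stating that contract here tells callers they must pass an initialised array and add values for any other placeholders in the order they appear in the SQL, e.g. `// Appends $string to $params (by reference) to match the single '?' in the returned fragment; $params must already be an array, and values for other placeholders go in SQL order.` While this comment block is being edited, the pre-existing typo `training spaces` should read `trailing spaces`; the same wording is copied into mysqli.inc and pgsql.inc.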
@@ -531,11 +534,12 @@ // (only do this if you're changing the room name or the area - if you're // just editing the other details for an existing room we don't want to reject // the edit because the room already exists!) - // [sql_syntax_casesensitive_equals() inserts a param placeholder, so we must pass the param to sql_query1()] + // [sql_syntax_casesensitive_equals() modifies our SQL params for us, but we do it ourselves to + // keep the flow of this elseif block] elseif ( (($new_area != $old_area) || ($room_name != $old_room_name)) && sql_query1("SELECT COUNT(*) FROM $tbl_room - WHERE" . sql_syntax_casesensitive_equals("room_name", $room_name) . " + WHERE" . sql_syntax_casesensitive_equals("room_name", $room_name, $sql_params) . " AND area_id=? LIMIT 1", array($room_name, $new_area)) > 0) { diff -r 8be20a19a8be -r f91156d63be0 web/mysqli.inc --- a/web/mysqli.inc Sat Sep 17 19:01:33 2016 +0100 +++ b/web/mysqli.inc Sun Sep 18 09:45:49 2016 +0100 @@ -328,13 +328,19 @@ // Returns the syntax for a case sensitive string "equals" function // (By default MySQL is case insensitive, so we force a binary comparison) +// +// Also takes a required pass-by-reference parameter to modify the SQL +// parameters appropriately. +// // NB: This function is also assumed to do a strict comparison, ie // take account of training spaces. (The '=' comparison in MySQL allows // trailing spaces, eg 'john' = 'john '). -function sql_mysqli_syntax_casesensitive_equals($fieldname, $s, $db_conn = null) +function sql_mysqli_syntax_casesensitive_equals($fieldname, $string, &$params, $db_conn = null) { sql_mysqli_ensure_handle($db_conn); + $params[] = $string; + return " BINARY " . sql_mysqli_quote($fieldname) . "=?"; } diff -r 8be20a19a8be -r f91156d63be0 web/pgsql.inc --- a/web/pgsql.inc Sat Sep 17 19:01:33 2016 +0100 +++ b/web/pgsql.inc Sun Sep 18 09:45:49 2016 +0100 
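Review bot: In the @@ -531 hunk the values passed to sql_query1() are still hand-built as `array($room_name, $new_area)`, duplicating the `$room_name` that sql_syntax_casesensitive_equals() has just pushed into `$sql_params`; the comment says this is for readability, but it ties this call site to the driver's current one-placeholder output, and a driver change would silently desynchronise values from placeholders. Passing `array_merge($sql_params, array($new_area))` keeps the flow of the elseif and uses the collected parameters, which also makes the `$sql_params = array();` initialisation in the @@ -516 hunk meaningful rather than "then ignored". The elseif chain this belongs to starts outside the hunk.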
@@ -369,13 +369,19 @@ // Returns the syntax for a case sensitive string "equals" function +// +// Also takes a required pass-by-reference parameter to modify the SQL +// parameters appropriately. +// // NB: This function is also assumed to do a strict comparison, ie // take account of training spaces. (The '=' comparison in MySQL allows // trailing spaces, eg 'john' = 'john '). -function sql_pgsql_syntax_casesensitive_equals($fieldname, $s, $db_conn = null) +function sql_pgsql_syntax_casesensitive_equals($fieldname, $string, &$params, $db_conn = null) { sql_pgsql_ensure_handle($db_conn); + $params[] = $string; + return " " . sql_pgsql_quote($fieldname) . "=?"; } diff -r 8be20a19a8be -r f91156d63be0 web/report.php --- a/web/report.php Sat Sep 17 19:01:33 2016 +0100 +++ b/web/report.php Sun Sep 18 09:45:49 2016 +0100 @@ -1419,9 +1419,8 @@ $or_array = array(); foreach ( $typematch as $type ) { - // sql_syntax_casesensitive_equals() does the SQL escaping - $or_array[] = sql_syntax_casesensitive_equals('E.type', $type); - $sql_params[] = $type; + // sql_syntax_casesensitive_equals() modifies our SQL params array for us + $or_array[] = sql_syntax_casesensitive_equals('E.type', $type, $sql_params); } $sql .= "(". implode(" OR ", $or_array ) .")"; } ------------------------------------------------------------------------------ _______________________________________________ Mrbs-commits mailing list Mrbs-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mrbs-commits
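Review bot: The docblock around sql_pgsql_syntax_casesensitive_equals() in the @@ -369 hunk still only describes MySQL's trailing-space behaviour and never says why the PostgreSQL version emits a plain `=`; a one-line rationale would help, e.g. `// PostgreSQL string comparison is already case sensitive, so a plain '=' suffices.` The "strict comparison" promise also deserves a caveat: as far as I recall PostgreSQL disregards trailing spaces when comparing character(n) values, so exactness holds for text/varchar columns but not fixed-width ones, which matters because auth_db_ext.inc takes the column name from configuration. The function's signature and body are fully within the hunk; the typo `training spaces` should read `trailing spaces` here too.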