Bernd Wurst commited on 2014-02-03 16:57:44
Zeige 17 geänderte Dateien mit 241 Einfügungen und 214 Löschungen.
| ... | ... |
@@ -62,6 +62,10 @@ class DB extends PDO {
|
| 62 | 62 |
*/ |
| 63 | 63 |
function db_escape_string($string) |
| 64 | 64 |
{
|
| 65 |
+ if (config("enable_debug")) {
|
|
| 66 |
+ $backtrace = debug_backtrace(); |
|
| 67 |
+ warning("call to db_escape_string() in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
|
|
| 68 |
+ } |
|
| 65 | 69 |
global $_db; |
| 66 | 70 |
__ensure_connected(); |
| 67 | 71 |
$quoted = $_db->quote($string); |
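Review bot: `$backtrace[1]` does not exist when db_escape_string() is called from top-level script code rather than from inside a function, so the new debug warning itself raises an undefined-index notice and prints an empty file/line. Guard it, and tell the engine not to capture arguments, since the caller's arguments are exactly the strings about to be escaped: `$backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);` followed by `$where = isset($backtrace[1]) ? "{$backtrace[1]['file']} line {$backtrace[1]['line']}" : 'top-level code';`. The limit argument needs PHP 5.4 or later; drop it if the deployment is older. The same applies verbatim to the copy added in maybe_null().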
| ... | ... |
@@ -112,6 +112,10 @@ function server_names() |
| 112 | 112 |
// Diese Funktion funktioniert nicht für preprared statements |
| 113 | 113 |
function maybe_null($value) |
| 114 | 114 |
{
|
| 115 |
+ if (config("enable_debug")) {
|
|
| 116 |
+ $backtrace = debug_backtrace(); |
|
| 117 |
+ warning("call to maybe_null() in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
|
|
| 118 |
+ } |
|
| 115 | 119 |
if ($value == NULL) |
| 116 | 120 |
return 'NULL'; |
| 117 | 121 |
|
| ... | ... |
@@ -131,19 +135,19 @@ function logger($severity, $scriptname, $scope, $message) |
| 131 | 135 |
if (config('logging') <= $severity)
|
| 132 | 136 |
return; |
| 133 | 137 |
|
| 134 |
- $user = 'NULL'; |
|
| 138 |
+ $user = NULL; |
|
| 135 | 139 |
if ($_SESSION['role'] & ROLE_SYSTEMUSER) |
| 136 |
- $user = "'{$_SESSION['userinfo']['username']}'";
|
|
| 140 |
+ $user = $_SESSION['userinfo']['username']; |
|
| 137 | 141 |
elseif ($_SESSION['role'] & ROLE_CUSTOMER) |
| 138 |
- $user = "'{$_SESSION['customerinfo']['customerno']}'";
|
|
| 139 |
- |
|
| 140 |
- $remote = db_escape_string($_SERVER['REMOTE_ADDR']); |
|
| 142 |
+ $user = $_SESSION['customerinfo']['customerno']; |
|
| 141 | 143 |
|
| 142 |
- $scriptname = db_escape_string($scriptname); |
|
| 143 |
- $scope = db_escape_string($scope); |
|
| 144 |
- $message = db_escape_string($message); |
|
| 144 |
+ $args = array(":user" => $user,
|
|
| 145 |
+ ":remote" => $_SERVER['REMOTE_ADDR'], |
|
| 146 |
+ ":scriptname" => $scriptname, |
|
| 147 |
+ ":scope" => $scope, |
|
| 148 |
+ ":message" => $message); |
|
| 145 | 149 |
|
| 146 |
- db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES ('{$remote}', {$user}, '{$scriptname}', '{$scope}', '{$message}');");
|
|
| 150 |
+ db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES (:remote, :user, :scriptname, :scope, :message)", $args);
|
|
| 147 | 151 |
} |
| 148 | 152 |
|
| 149 | 153 |
function html_header($arg) |
| ... | ... |
@@ -36,9 +36,9 @@ function get_domain_offer($domainname) |
| 36 | 36 |
|
| 37 | 37 |
$data = array("domainname" => $domainname, "basename" => $basename, "tld" => $tld);
|
| 38 | 38 |
|
| 39 |
- $result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise_kunde WHERE kunde={$cid} AND tld='{$tld}' AND ruecksprache='N'");
|
|
| 39 |
+ $result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise_kunde WHERE kunde=:cid AND tld=:tld AND ruecksprache='N'", array(":cid" => $cid, ":tld" => $tld));
|
|
| 40 | 40 |
if ($result->rowCount() != 1) {
|
| 41 |
- $result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise WHERE tld='{$tld}' AND ruecksprache='N'");
|
|
| 41 |
+ $result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise WHERE tld=:tld AND ruecksprache='N'", array(":tld" => $tld));
|
|
| 42 | 42 |
} |
| 43 | 43 |
if ($result->rowCount() != 1) {
|
| 44 | 44 |
warning('Die Endung »'.$tld.'« steht zur automatischen Eintragung nicht zur Verfügung.');
|
| ... | ... |
@@ -81,16 +81,23 @@ function register_domain($domainname, $uid) |
| 81 | 81 |
system_failure('Kein User gesetzt');
|
| 82 | 82 |
} |
| 83 | 83 |
|
| 84 |
- db_query("INSERT INTO kundendaten.domains (kunde, useraccount, domainname, tld, billing, registrierungsdatum, dns,webserver, mail, provider, betrag, brutto) VALUES ({$cid}, {$useraccount}, '{$data['basename']}', '{$data['tld']}', 'regular', NULL, 1, 1, 'auto', 'terions', {$data['gebuehr']}, 1) ");
|
|
| 84 |
+ $args = array(":cid" => $cid,
|
|
| 85 |
+ ":useraccount" => $useraccount, |
|
| 86 |
+ ":basename" => $data['basename'], |
|
| 87 |
+ ":tld" => $data['tld'], |
|
| 88 |
+ ":gebuehr" => $data['gebuehr']); |
|
| 89 |
+ db_query("INSERT INTO kundendaten.domains (kunde, useraccount, domainname, tld, billing, registrierungsdatum, dns,webserver, mail, provider, betrag, brutto) VALUES ".
|
|
| 90 |
+ "(:cid, :useraccount, :basename, :tld, 'regular', NULL, 1, 1, 'auto', 'terions', :gebuehr, 1) ", $args); |
|
| 85 | 91 |
if ($data['setup']) {
|
| 86 |
- db_query("INSERT INTO kundendaten.leistungen (kunde,periodisch,datum,betrag,brutto,beschreibung,anzahl) VALUES ({$cid}, 0, CURDATE(), {$data['setup']}, 1, 'Einmalige Setup-Gebühren für Domain \"{$data['domainname']}\"', 1)");
|
|
| 92 |
+ $args = array(":cid" => $cid, ":setup" => $data['setup'], ":text" => 'Einmalige Setup-Gebühren für Domain "'.$data['domainname'].'"');
|
|
| 93 |
+ db_query("INSERT INTO kundendaten.leistungen (kunde,periodisch,datum,betrag,brutto,beschreibung,anzahl) VALUES (:cid, 0, CURDATE(), :setup, 1, :text, 1)", $args);
|
|
| 87 | 94 |
} |
| 88 | 95 |
} |
| 89 | 96 |
|
| 90 | 97 |
function list_useraccounts() |
| 91 | 98 |
{
|
| 92 | 99 |
$customerno = (int) $_SESSION['customerinfo']['customerno']; |
| 93 |
- $result = db_query("SELECT uid,username,name FROM system.useraccounts WHERE kunde={$customerno}");
|
|
| 100 |
+ $result = db_query("SELECT uid,username,name FROM system.useraccounts WHERE kunde=?", array($customerno));
|
|
| 94 | 101 |
$ret = array(); |
| 95 | 102 |
while ($item = $result->fetch()) |
| 96 | 103 |
{
|
| ... | ... |
@@ -70,10 +70,10 @@ else |
| 70 | 70 |
|
| 71 | 71 |
$record['hostname'] = $_REQUEST['hostname']; |
| 72 | 72 |
$record['domain'] = (int) $_REQUEST['domain']; |
| 73 |
- $record['ip'] = (isset($_REQUEST['ip']) ? $_REQUEST['ip'] : ''); |
|
| 74 |
- $record['data'] = $_REQUEST['data']; |
|
| 75 |
- $record['dyndns'] = (isset($_REQUEST['dyndns']) ? (int) $_REQUEST['dyndns'] : ''); |
|
| 76 |
- $record['spec'] = (isset($_REQUEST['spec']) ? (int) $_REQUEST['spec'] : ''); |
|
| 73 |
+ $record['ip'] = (isset($_REQUEST['ip']) ? $_REQUEST['ip'] : NULL); |
|
| 74 |
+ $record['data'] = (isset($_REQUEST['data']) ? $_REQUEST['data'] : NULL); |
|
| 75 |
+ $record['dyndns'] = (isset($_REQUEST['dyndns']) ? (int) $_REQUEST['dyndns'] : NULL); |
|
| 76 |
+ $record['spec'] = (isset($_REQUEST['spec']) ? (int) $_REQUEST['spec'] : NULL); |
|
| 77 | 77 |
$record['ttl'] = (int) $_REQUEST['ttl']; |
| 78 | 78 |
|
| 79 | 79 |
save_dns_record($id, $record); |
| ... | ... |
@@ -25,7 +25,7 @@ require_once('class/domain.php');
|
| 25 | 25 |
function get_dyndns_accounts() |
| 26 | 26 |
{
|
| 27 | 27 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 28 |
- $result = db_query("SELECT * FROM dns.dyndns WHERE uid={$uid}");
|
|
| 28 |
+ $result = db_query("SELECT * FROM dns.dyndns WHERE uid=?", array($uid));
|
|
| 29 | 29 |
$list = array(); |
| 30 | 30 |
while ($item = $result->fetch()) {
|
| 31 | 31 |
array_push($list, $item); |
| ... | ... |
@@ -37,9 +37,9 @@ function get_dyndns_accounts() |
| 37 | 37 |
|
| 38 | 38 |
function get_dyndns_account($id) |
| 39 | 39 |
{
|
| 40 |
- $id = (int) $id; |
|
| 41 |
- $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 42 |
- $result = db_query("SELECT * FROM dns.dyndns WHERE id={$id} AND uid={$uid}");
|
|
| 40 |
+ $args = array(":id" => (int) $id,
|
|
| 41 |
+ ":uid" => (int) $_SESSION['userinfo']['uid']); |
|
| 42 |
+ $result = db_query("SELECT * FROM dns.dyndns WHERE id=:id AND uid=:uid", $args);
|
|
| 43 | 43 |
if ($result->rowCount() != 1) {
|
| 44 | 44 |
logger(LOG_WARNING, "modules/dns/include/dnsinclude", "dyndns", "account »{$id}« invalid for uid »{$uid}«.");
|
| 45 | 45 |
system_failure("Account ungültig");
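Review bot: The rewrite drops the local assignments `$id = (int) $id;` and `$uid = (int) $_SESSION['userinfo']['uid'];`, but the logger() call in the rowCount branch still interpolates `{$id}` and `{$uid}`, so the warning now records the raw, uncast `$id` and an undefined `$uid` (empty value plus a PHP notice). Keep the two casts as locals and bind those: `$id = (int) $id; $uid = (int) $_SESSION['userinfo']['uid']; $args = array(":id" => $id, ":uid" => $uid);`.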
|
| ... | ... |
@@ -57,14 +57,16 @@ function create_dyndns_account($handle, $password_http, $sshkey) |
| 57 | 57 |
if ($password_http == '' && $sshkey == '') |
| 58 | 58 |
system_failure('Sie müssen entweder einen SSH-Key oder ein Passwort zum Web-Update eingeben.');
|
| 59 | 59 |
|
| 60 |
- $handle = maybe_null(db_escape_string(filter_input_username($handle))); |
|
| 61 |
- $sshkey = maybe_null(db_escape_string(filter_input_general($sshkey))); |
|
| 60 |
+ $handle = filter_input_username($handle); |
|
| 61 |
+ $sshkey = filter_input_general($sshkey); |
|
| 62 | 62 |
|
| 63 | 63 |
$pwhash = 'NULL'; |
| 64 | 64 |
if ($password_http) |
| 65 | 65 |
$pwhash = "'{SHA}".base64_encode(sha1($password_http, true))."'";
|
| 66 | 66 |
|
| 67 |
- db_query("INSERT INTO dns.dyndns (uid, handle, password, sshkey) VALUES ({$uid}, {$handle}, {$pwhash}, {$sshkey})");
|
|
| 67 |
+ db_query("INSERT INTO dns.dyndns (uid, handle, password, sshkey) VALUES ".
|
|
| 68 |
+ "(:uid, :handle, :pwhash, :sshkey)", |
|
| 69 |
+ array(":uid" => $uid, ":handle" => $handle, ":pwhash" => $pwhash, ":sshkey" => $sshkey));
|
|
| 68 | 70 |
logger(LOG_INFO, "modules/dns/include/dnsinclude", "dyndns", "inserted account"); |
| 69 | 71 |
} |
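Review bot: With the INSERT now parameterised, the two `$pwhash` values built on the unchanged lines above appear wrong: `$pwhash = 'NULL';` binds the four-character string NULL, and `"'{SHA}".base64_encode(...)."'"` binds the hash wrapped in literal single quotes, so an account without a web password is stored with the password text `NULL` and one with a password gets a hash no verifier will match. Both the quotes and the 'NULL' string only made sense while the value was spliced into the SQL text, as edit_dyndns_account() already acknowledges by switching to `$pwhash = NULL;`. Change them to `$pwhash = NULL;` and `$pwhash = '{SHA}'.base64_encode(sha1($password_http, true));`. Separately, `{SHA}` is an unsalted SHA-1 of the password; if whatever consumes dns.dyndns can be adapted, a salted scheme would be preferable, but that is outside this commit.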
| 70 | 72 |
|
| ... | ... |
@@ -72,10 +74,10 @@ function create_dyndns_account($handle, $password_http, $sshkey) |
| 72 | 74 |
function edit_dyndns_account($id, $handle, $password_http, $sshkey) |
| 73 | 75 |
{
|
| 74 | 76 |
$id = (int) $id; |
| 75 |
- $handle = maybe_null(db_escape_string(filter_input_username($handle))); |
|
| 76 |
- $sshkey = maybe_null(db_escape_string(filter_input_general($sshkey))); |
|
| 77 |
+ $handle = filter_input_username($handle); |
|
| 78 |
+ $sshkey = filter_input_general($sshkey); |
|
| 77 | 79 |
|
| 78 |
- $pwhash = 'NULL'; |
|
| 80 |
+ $pwhash = NULL; |
|
| 79 | 81 |
if ($password_http) |
| 80 | 82 |
{
|
| 81 | 83 |
if ($password_http == '************') |
| ... | ... |
@@ -84,7 +86,8 @@ function edit_dyndns_account($id, $handle, $password_http, $sshkey) |
| 84 | 86 |
$pwhash = "'{SHA}".base64_encode(sha1($password_http, true))."'";
|
| 85 | 87 |
} |
| 86 | 88 |
|
| 87 |
- db_query("UPDATE dns.dyndns SET handle={$handle}, password={$pwhash}, sshkey={$sshkey} WHERE id={$id} LIMIT 1");
|
|
| 89 |
+ $args = array(":handle" => $handle, ":pwhash" => $pwhash, ":sshkey" => $sshkey, ":id" => $id);
|
|
| 90 |
+ db_query("UPDATE dns.dyndns SET handle=:handle, password=:pwhash, sshkey=:sshkey WHERE id=:id", $args);
|
|
| 88 | 91 |
logger(LOG_INFO, "modules/dns/include/dnsinclude", "dyndns", "edited account »{$id}«");
|
| 89 | 92 |
} |
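Review bot: `$pwhash = NULL;` was corrected on the new side, but the hash on the unchanged line `$pwhash = "'{SHA}".base64_encode(sha1($password_http, true))."'";` still carries the surrounding single quotes that were only needed while the value was spliced into the SQL string; bound as a parameter, the stored password becomes `'{SHA}…'` with literal quotes and will not verify. Change it to `$pwhash = '{SHA}'.base64_encode(sha1($password_http, true));`. Note also that the UPDATE is scoped by `id` only; the ownership check presumably happens in the caller via get_dyndns_account(), but it is not visible in this hunk, so confirm every call site performs it.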
| 90 | 93 |
|
| ... | ... |
@@ -93,7 +96,7 @@ function delete_dyndns_account($id) |
| 93 | 96 |
{
|
| 94 | 97 |
$id = (int) $id; |
| 95 | 98 |
|
| 96 |
- db_query("DELETE FROM dns.dyndns WHERE id={$id} LIMIT 1");
|
|
| 99 |
+ db_query("DELETE FROM dns.dyndns WHERE id=?", array($id));
|
|
| 97 | 100 |
logger(LOG_INFO, "modules/dns/include/dnsinclude", "dyndns", "deleted account »{$id}«");
|
| 98 | 101 |
} |
| 99 | 102 |
|
| ... | ... |
@@ -101,7 +104,7 @@ function delete_dyndns_account($id) |
| 101 | 104 |
function get_dyndns_records($id) |
| 102 | 105 |
{
|
| 103 | 106 |
$id = (int) $id; |
| 104 |
- $result = db_query("SELECT hostname, domain, type, ttl, lastchange, id FROM dns.custom_records WHERE dyndns={$id}");
|
|
| 107 |
+ $result = db_query("SELECT hostname, domain, type, ttl, lastchange, id FROM dns.custom_records WHERE dyndns=?", array($id));
|
|
| 105 | 108 |
$data = array(); |
| 106 | 109 |
while ($entry = $result->fetch()) {
|
| 107 | 110 |
$dom = new Domain((int) $entry['domain']); |
| ... | ... |
@@ -142,7 +145,7 @@ function blank_dns_record($type) |
| 142 | 145 |
function get_dns_record($id) |
| 143 | 146 |
{
|
| 144 | 147 |
$id = (int) $id; |
| 145 |
- $result = db_query("SELECT hostname, domain, type, ip, dyndns, spec, data, ttl FROM dns.custom_records WHERE id={$id}");
|
|
| 148 |
+ $result = db_query("SELECT hostname, domain, type, ip, dyndns, spec, data, ttl FROM dns.custom_records WHERE id=?", array($id));
|
|
| 146 | 149 |
if ($result->rowCount() != 1) |
| 147 | 150 |
system_failure('illegal ID');
|
| 148 | 151 |
$data = $result->fetch(); |
| ... | ... |
@@ -156,7 +159,7 @@ function get_dns_record($id) |
| 156 | 159 |
function get_domain_records($dom) |
| 157 | 160 |
{
|
| 158 | 161 |
$dom = (int) $dom; |
| 159 |
- $result = db_query("SELECT hostname, domain, type, ip, dyndns, spec, data, ttl, id FROM dns.custom_records WHERE domain={$dom}");
|
|
| 162 |
+ $result = db_query("SELECT hostname, domain, type, ip, dyndns, spec, data, ttl, id FROM dns.custom_records WHERE domain=?", array($dom));
|
|
| 160 | 163 |
$data = array(); |
| 161 | 164 |
while ($entry = $result->fetch()) {
|
| 162 | 165 |
$dom = new Domain((int) $entry['domain']); |
| ... | ... |
@@ -172,9 +175,7 @@ function get_domain_records($dom) |
| 172 | 175 |
|
| 173 | 176 |
function get_domain_auto_records($domainname) |
| 174 | 177 |
{
|
| 175 |
- $domainname = db_escape_string($domainname); |
|
| 176 |
- //$result = db_query("SELECT hostname, domain, CONCAT_WS('.', hostname, domain) AS fqdn, type, ip, spec, data, TRIM(ttl) FROM dns.v_autogenerated_records WHERE domain='{$domainname}'");
|
|
| 177 |
- $result = db_query("SELECT hostname, domain, CONCAT_WS('.', hostname, domain) AS fqdn, type, ip, spec, data, ttl FROM dns.tmp_autorecords WHERE domain='{$domainname}'");
|
|
| 178 |
+ $result = db_query("SELECT hostname, domain, CONCAT_WS('.', hostname, domain) AS fqdn, type, ip, spec, data, ttl FROM dns.tmp_autorecords WHERE domain=?", array($domainname));
|
|
| 178 | 179 |
$data = array(); |
| 179 | 180 |
while ($entry = $result->fetch()) {
|
| 180 | 181 |
array_push($data, $entry); |
| ... | ... |
@@ -208,37 +209,37 @@ function save_dns_record($id, $record) |
| 208 | 209 |
if ($record['dyndns']) |
| 209 | 210 |
{
|
| 210 | 211 |
get_dyndns_account( $record['dyndns'] ); |
| 211 |
- $record['ip'] = ''; |
|
| 212 |
+ $record['ip'] = NULL; |
|
| 212 | 213 |
} |
| 213 | 214 |
else |
| 214 | 215 |
{
|
| 215 | 216 |
verify_input_ipv4($record['ip']); |
| 216 |
- $record['data'] = ''; |
|
| 217 |
- $record['spec'] = ''; |
|
| 217 |
+ $record['data'] = NULL; |
|
| 218 |
+ $record['spec'] = NULL; |
|
| 218 | 219 |
} |
| 219 | 220 |
break; |
| 220 | 221 |
case 'aaaa': |
| 221 |
- $record['dyndns'] = ''; |
|
| 222 |
+ $record['dyndns'] = NULL; |
|
| 222 | 223 |
verify_input_ipv6($record['ip']); |
| 223 |
- $record['data'] = ''; |
|
| 224 |
- $record['spec'] = ''; |
|
| 224 |
+ $record['data'] = NULL; |
|
| 225 |
+ $record['spec'] = NULL; |
|
| 225 | 226 |
break; |
| 226 | 227 |
case 'mx': |
| 227 |
- $record['dyndns'] = ''; |
|
| 228 |
+ $record['dyndns'] = NULL; |
|
| 228 | 229 |
$record['spec'] = (int) $record['spec']; |
| 229 | 230 |
if ($record['spec'] < 1) |
| 230 | 231 |
systen_failure("invalid priority");
|
| 231 | 232 |
verify_input_hostname($record['data']); |
| 232 | 233 |
if (! $record['data'] ) |
| 233 | 234 |
system_failure('MX hostname missing');
|
| 234 |
- $record['ip'] = ''; |
|
| 235 |
+ $record['ip'] = NULL; |
|
| 235 | 236 |
break; |
| 236 | 237 |
case 'cname': |
| 237 | 238 |
case 'ptr': |
| 238 | 239 |
case 'ns': |
| 239 |
- $record['dyndns'] = ''; |
|
| 240 |
- $record['spec'] = ''; |
|
| 241 |
- $record['ip'] = ''; |
|
| 240 |
+ $record['dyndns'] = NULL; |
|
| 241 |
+ $record['spec'] = NULL; |
|
| 242 |
+ $record['ip'] = NULL; |
|
| 242 | 243 |
verify_input_hostname($record['data']); |
| 243 | 244 |
if (! $record['data'] ) |
| 244 | 245 |
system_failure('destination host missing');
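Review bot: The `mx` branch still calls `systen_failure("invalid priority")` (an unchanged context line), which is not defined anywhere visible and would be a fatal undefined-function error rather than the intended clean abort; the request still stops, but with an uncontrolled error page instead of the usual failure handling. Correct it to `system_failure("invalid priority");`. This is pre-existing, but the commit already touches the adjacent lines so it is a cheap fix to fold in.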
|
| ... | ... |
@@ -246,17 +247,17 @@ function save_dns_record($id, $record) |
| 246 | 247 |
|
| 247 | 248 |
case 'spf': |
| 248 | 249 |
case 'txt': |
| 249 |
- $record['dyndns'] = ''; |
|
| 250 |
- $record['spec'] = ''; |
|
| 251 |
- $record['ip'] = ''; |
|
| 250 |
+ $record['dyndns'] = NULL; |
|
| 251 |
+ $record['spec'] = NULL; |
|
| 252 |
+ $record['ip'] = NULL; |
|
| 252 | 253 |
if (! $record['data'] ) |
| 253 | 254 |
system_failure('text entry missing');
|
| 254 | 255 |
break; |
| 255 | 256 |
|
| 256 | 257 |
case 'sshfp': |
| 257 |
- $record['dyndns'] = ''; |
|
| 258 |
+ $record['dyndns'] = NULL; |
|
| 258 | 259 |
$record['spec'] = max( (int) $record['spec'], 1); |
| 259 |
- $record['ip'] = ''; |
|
| 260 |
+ $record['ip'] = NULL; |
|
| 260 | 261 |
if (! $record['data'] ) |
| 261 | 262 |
system_failure('text entry missing');
|
| 262 | 263 |
break; |
| ... | ... |
@@ -268,16 +269,20 @@ function save_dns_record($id, $record) |
| 268 | 269 |
system_failure('Not implemented');
|
| 269 | 270 |
} |
| 270 | 271 |
$id = (int) $id; |
| 271 |
- $record['hostname'] = maybe_null($record['hostname']); |
|
| 272 |
- $record['ttl'] = ($record['ttl'] == 0 ? 'NULL' : (int) $record['ttl']); |
|
| 273 |
- $record['ip'] = maybe_null($record['ip']); |
|
| 274 |
- $record['data'] = maybe_null($record['data']); |
|
| 275 |
- $record['spec'] = maybe_null($record['spec']); |
|
| 276 |
- $record['dyndns'] = maybe_null($record['dyndns']); |
|
| 277 |
- if ($id) |
|
| 278 |
- db_query("UPDATE dns.custom_records SET hostname={$record['hostname']}, domain={$dom->id}, type='{$record['type']}', ttl={$record['ttl']}, ip={$record['ip']}, dyndns={$record['dyndns']}, data={$record['data']}, spec={$record['spec']} WHERE id={$id} LIMIT 1");
|
|
| 279 |
- else |
|
| 280 |
- db_query("INSERT INTO dns.custom_records (hostname, domain, type, ttl, ip, dyndns, data, spec) VALUES ({$record['hostname']}, {$dom->id}, '{$record['type']}', {$record['ttl']}, {$record['ip']}, {$record['dyndns']}, {$record['data']}, {$record['spec']})");
|
|
| 272 |
+ $args = array(":domain" => $dom->id,
|
|
| 273 |
+ ":hostname" => $record['hostname'], |
|
| 274 |
+ ":type" => $record['type'], |
|
| 275 |
+ ":ttl" => ($record['ttl'] == 0 ? NULL : (int) $record['ttl']), |
|
| 276 |
+ ":ip" => $record['ip'], |
|
| 277 |
+ ":dyndns" => $record['dyndns'], |
|
| 278 |
+ ":data" => $record['data'], |
|
| 279 |
+ ":spec" => $record['spec']); |
|
| 280 |
+ if ($id) {
|
|
| 281 |
+ $args[":id"] = $id; |
|
| 282 |
+ db_query("UPDATE dns.custom_records SET hostname=:hostname, domain=:domain, type=:type, ttl=:ttl, ip=:ip, dyndns=:dyndns, data=:data, spec=:spec WHERE id=:id", $args);
|
|
| 283 |
+ } else {
|
|
| 284 |
+ db_query("INSERT INTO dns.custom_records (hostname, domain, type, ttl, ip, dyndns, data, spec) VALUES (:hostname, :domain, :type, :ttl, :ip, :dyndns, :data, :spec)", $args);
|
|
| 285 |
+ } |
|
| 281 | 286 |
|
| 282 | 287 |
} |
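Review bot: The old code passed `$record['hostname']` through maybe_null(), so an empty hostname reached the table as SQL NULL; the new `:hostname` binding stores the empty string instead, and the same applies to `:data` when it is `''`. If anything downstream builds names with CONCAT_WS the way get_domain_auto_records() does, an empty string (unlike NULL) is kept and yields a leading-dot name, so normalise at the bind: `":hostname" => ($record['hostname'] === '' ? NULL : $record['hostname']),`. The function starts before this hunk, so some fields may already be normalised there; the hostname is not, judging by the form handler that assigns it straight from `$_REQUEST['hostname']`.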
| 283 | 288 |
|
| ... | ... |
@@ -287,7 +292,7 @@ function delete_dns_record($id) |
| 287 | 292 |
$id = (int) $id; |
| 288 | 293 |
// Diese Funktion prüft, ob der Eintrag einer eigenen Domain gehört |
| 289 | 294 |
$record = get_dns_record($id); |
| 290 |
- db_query("DELETE FROM dns.custom_records WHERE id={$id} LIMIT 1");
|
|
| 295 |
+ db_query("DELETE FROM dns.custom_records WHERE id=?", array($id));
|
|
| 291 | 296 |
} |
| 292 | 297 |
|
| 293 | 298 |
|
| ... | ... |
@@ -297,7 +302,7 @@ function convert_from_autorecords($domainid) |
| 297 | 302 |
$dom->ensure_userdomain(); |
| 298 | 303 |
$dom = $dom->id; |
| 299 | 304 |
|
| 300 |
- db_query("INSERT IGNORE INTO dns.custom_records SELECT r.id, r.lastchange, type, d.id, hostname, ip, NULL AS dyndns, data, spec, ttl FROM dns.v_tmptable_allrecords AS r INNER JOIN dns.v_domains AS d ON (d.name=r.domain) WHERE d.id={$dom}");
|
|
| 305 |
+ db_query("INSERT IGNORE INTO dns.custom_records SELECT r.id, r.lastchange, type, d.id, hostname, ip, NULL AS dyndns, data, spec, ttl FROM dns.v_tmptable_allrecords AS r INNER JOIN dns.v_domains AS d ON (d.name=r.domain) WHERE d.id=?", array($dom));
|
|
| 301 | 306 |
disable_autorecords($dom); |
| 302 | 307 |
db_query("UPDATE dns.dnsstatus SET status='outdated'");
|
| 303 | 308 |
warning("Die automatischen Einträge werden in Kürze abgeschaltet, bitte haben Sie einen Moment Geduld.");
|
| ... | ... |
@@ -310,7 +315,7 @@ function enable_autorecords($domainid) |
| 310 | 315 |
$dom->ensure_userdomain(); |
| 311 | 316 |
$dom = $dom->id; |
| 312 | 317 |
|
| 313 |
- db_query("UPDATE kundendaten.domains SET autodns=1 WHERE id={$dom} LIMIT 1");
|
|
| 318 |
+ db_query("UPDATE kundendaten.domains SET autodns=1 WHERE id=?", array($dom));
|
|
| 314 | 319 |
warning("Die automatischen Einträge werden in Kürze aktiviert, bitte haben Sie einen Moment Geduld.");
|
| 315 | 320 |
} |
| 316 | 321 |
|
| ... | ... |
@@ -320,14 +325,14 @@ function disable_autorecords($domainid) |
| 320 | 325 |
$dom->ensure_userdomain(); |
| 321 | 326 |
$dom = $dom->id; |
| 322 | 327 |
|
| 323 |
- db_query("UPDATE kundendaten.domains SET autodns=0 WHERE id={$dom} LIMIT 1");
|
|
| 328 |
+ db_query("UPDATE kundendaten.domains SET autodns=0 WHERE id=?", array($dom));
|
|
| 324 | 329 |
} |
| 325 | 330 |
|
| 326 | 331 |
|
| 327 | 332 |
function domain_is_maildomain($domain) |
| 328 | 333 |
{
|
| 329 | 334 |
$domain = (int) $domain; |
| 330 |
- $result = db_query("SELECT mail FROM kundendaten.domains WHERE id={$domain}");
|
|
| 335 |
+ $result = db_query("SELECT mail FROM kundendaten.domains WHERE id=?", array($domain));
|
|
| 331 | 336 |
$dom = $result->fetch(); |
| 332 | 337 |
return ($dom['mail'] != 'none'); |
| 333 | 338 |
} |
| ... | ... |
@@ -35,9 +35,8 @@ function do_ajax_cert_login() {
|
| 35 | 35 |
|
| 36 | 36 |
function get_logins_by_cert($cert) |
| 37 | 37 |
{
|
| 38 |
- $cert = db_escape_string(str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert));
|
|
| 39 |
- $query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
|
|
| 40 |
- $result = db_query($query); |
|
| 38 |
+ $cert = str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert);
|
|
| 39 |
+ $result = db_query("SELECT type,username,startpage FROM system.clientcert WHERE cert=?", array($cert));
|
|
| 41 | 40 |
if ($result->rowCount() < 1) |
| 42 | 41 |
return NULL; |
| 43 | 42 |
else {
|
| ... | ... |
@@ -54,8 +53,7 @@ function get_cert_by_id($id) |
| 54 | 53 |
$id = (int) $id; |
| 55 | 54 |
if ($id == 0) |
| 56 | 55 |
system_failure('no ID');
|
| 57 |
- $query = "SELECT id,dn,issuer,cert,username,startpage FROM system.clientcert WHERE `id`='{$id}' LIMIT 1";
|
|
| 58 |
- $result = db_query($query); |
|
| 56 |
+ $result = db_query("SELECT id,dn,issuer,cert,username,startpage FROM system.clientcert WHERE `id`=?", array($id));
|
|
| 59 | 57 |
if ($result->rowCount() < 1) |
| 60 | 58 |
return NULL; |
| 61 | 59 |
$ret = $result->fetch(); |
| ... | ... |
@@ -66,11 +64,9 @@ function get_cert_by_id($id) |
| 66 | 64 |
|
| 67 | 65 |
function get_certs_by_username($username) |
| 68 | 66 |
{
|
| 69 |
- $username = db_escape_string($username); |
|
| 70 | 67 |
if ($username == '') |
| 71 | 68 |
system_failure('empty username');
|
| 72 |
- $query = "SELECT id,dn,issuer,cert,startpage FROM system.clientcert WHERE `username`='{$username}'";
|
|
| 73 |
- $result = db_query($query); |
|
| 69 |
+ $result = db_query("SELECT id,dn,issuer,cert,startpage FROM system.clientcert WHERE `username`=?", array($username));
|
|
| 74 | 70 |
if ($result->rowCount() < 1) |
| 75 | 71 |
return NULL; |
| 76 | 72 |
while ($row = $result->fetch()) {
|
| ... | ... |
@@ -86,33 +82,34 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='') |
| 86 | 82 |
$username = NULL; |
| 87 | 83 |
if ($_SESSION['role'] & ROLE_SYSTEMUSER) {
|
| 88 | 84 |
$type = 'user'; |
| 89 |
- $username = db_escape_string($_SESSION['userinfo']['username']); |
|
| 85 |
+ $username = $_SESSION['userinfo']['username']; |
|
| 90 | 86 |
if (isset($_SESSION['subuser'])) {
|
| 91 |
- $username = db_escape_string($_SESSION['subuser']); |
|
| 87 |
+ $username = $_SESSION['subuser']; |
|
| 92 | 88 |
$type = 'subuser'; |
| 93 | 89 |
} |
| 94 | 90 |
} elseif ($_SESSION['role'] & ROLE_VMAIL_ACCOUNT) {
|
| 95 | 91 |
$type = 'email'; |
| 96 |
- $username = db_escape_string($_SESSION['mailaccount']); |
|
| 92 |
+ $username = $_SESSION['mailaccount']; |
|
| 97 | 93 |
} |
| 98 | 94 |
if (! $type || ! $username) {
|
| 99 | 95 |
system_failure('cannot get type or username of login');
|
| 100 | 96 |
} |
| 101 |
- $certdata = db_escape_string($certdata); |
|
| 102 |
- $dn = maybe_null(db_escape_string($dn)); |
|
| 103 |
- $issuer = maybe_null(db_escape_string($issuer)); |
|
| 104 | 97 |
if ($startpage && ! check_path($startpage)) |
| 105 | 98 |
system_failure('Startseite kaputt');
|
| 106 |
- $startpage = maybe_null(db_escape_string($startpage)); |
|
| 107 | 99 |
|
| 108 | 100 |
if ($certdata == '') |
| 109 | 101 |
system_failure('Kein Zertifikat');
|
| 110 |
- DEBUG($certdata); |
|
| 111 |
- DEBUG($dn); |
|
| 112 |
- DEBUG($issuer); |
|
| 102 |
+ |
|
| 103 |
+ $args = array(":dn" => $dn,
|
|
| 104 |
+ ":issuer" => $issuer, |
|
| 105 |
+ ":certdata" => $certdata, |
|
| 106 |
+ ":type" => $type, |
|
| 107 |
+ ":username" => $username, |
|
| 108 |
+ ":startpage" => $startpage); |
|
| 109 |
+ DEBUG($args); |
|
| 113 | 110 |
|
| 114 | 111 |
db_query("INSERT INTO system.clientcert (`dn`, `issuer`, `cert`, `type`, `username`, `startpage`)
|
| 115 |
-VALUES ({$dn}, {$issuer}, '{$certdata}', '{$type}', '{$username}', {$startpage})");
|
|
| 112 |
+VALUES (:dn, :issuer, :certdata, :type, :username, :startpage)", $args); |
|
| 116 | 113 |
|
| 117 | 114 |
} |
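Review bot: `$dn`, `$issuer` and `$startpage` previously went through maybe_null(), so an absent value reached the table as NULL; bound directly, the default `$startpage=''` and empty dn/issuer are now stored as empty strings, which changes what any `IS NULL` check sees. Normalise before binding, e.g. `":startpage" => ($startpage === '' ? NULL : $startpage),` and likewise for dn and issuer. Also, get_logins_by_cert() strips the BEGIN/END markers and whitespace before comparing `cert=?`, while this function binds `$certdata` as received; unless the caller already strips it, the stored and looked-up forms will not match, so confirm at the call site. `DEBUG($args)` now dumps the full certificate and login identity in one go, which is acceptable only if DEBUG() is gated on debug mode.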
| 118 | 115 |
|
| ... | ... |
@@ -124,18 +121,19 @@ function delete_clientcert($id) |
| 124 | 121 |
$username = NULL; |
| 125 | 122 |
if ($_SESSION['role'] & ROLE_SYSTEMUSER) {
|
| 126 | 123 |
$type = 'user'; |
| 127 |
- $username = db_escape_string($_SESSION['userinfo']['username']); |
|
| 124 |
+ $username = $_SESSION['userinfo']['username']; |
|
| 128 | 125 |
if (isset($_SESSION['subuser'])) {
|
| 129 |
- $username = db_escape_string($_SESSION['subuser']); |
|
| 126 |
+ $username = $_SESSION['subuser']; |
|
| 130 | 127 |
$type = 'subuser'; |
| 131 | 128 |
} |
| 132 | 129 |
} elseif ($_SESSION['role'] & ROLE_VMAIL_ACCOUNT) {
|
| 133 | 130 |
$type = 'email'; |
| 134 |
- $username = db_escape_string($_SESSION['mailaccount']); |
|
| 131 |
+ $username = $_SESSION['mailaccount']; |
|
| 135 | 132 |
} |
| 136 | 133 |
if (! $type || ! $username) {
|
| 137 | 134 |
system_failure('cannot get type or username of login');
|
| 138 | 135 |
} |
| 139 |
- db_query("DELETE FROM system.clientcert WHERE id={$id} AND type='{$type}' AND username='{$username}' LIMIT 1");
|
|
| 136 |
+ db_query("DELETE FROM system.clientcert WHERE id=:id AND type=:type AND username=:username",
|
|
| 137 |
+ array(":id" => $id, ":type" => $type, ":username" => $username));
|
|
| 140 | 138 |
} |
| 141 | 139 |
|
| ... | ... |
@@ -175,7 +175,6 @@ function get_lastschrift($rechnungsnummer) {
|
| 175 | 175 |
|
| 176 | 176 |
function get_lastschriften($mandatsreferenz) |
| 177 | 177 |
{
|
| 178 |
- $mandatsreferenz = db_escape_string($mandatsreferenz); |
|
| 179 | 178 |
$result = db_query("SELECT rechnungsnummer, rechnungsdatum, betrag, buchungsdatum FROM kundendaten.sepalastschrift WHERE mandatsreferenz=? ORDER BY buchungsdatum DESC", array($mandatsreferenz));
|
| 180 | 179 |
$ret = array(); |
| 181 | 180 |
while ($item = $result->fetch()) {
|
| ... | ... |
@@ -198,8 +197,7 @@ function get_sepamandate() |
| 198 | 197 |
|
| 199 | 198 |
function yesterday($date) |
| 200 | 199 |
{
|
| 201 |
- $date = db_escape_string($date); |
|
| 202 |
- $result = db_query("SELECT '{$date}' - INTERVAL 1 DAY");
|
|
| 200 |
+ $result = db_query("SELECT ? - INTERVAL 1 DAY", array($date));
|
|
| 203 | 201 |
return $result->fetch()[0]; |
| 204 | 202 |
} |
| 205 | 203 |
|
| ... | ... |
@@ -21,7 +21,7 @@ require_once('invoice.php');
|
| 21 | 21 |
|
| 22 | 22 |
$kundenname = $_SESSION['customerinfo']['name']; |
| 23 | 23 |
$id = (int) $_SESSION['customerinfo']['customerno']; |
| 24 |
-$result = db_query("SELECT CONCAT(adresse, '\\\\n', plz, ' ', ort) AS adresse FROM kundendaten.kunden WHERE id={$id}");
|
|
| 24 |
+$result = db_query("SELECT CONCAT(adresse, '\\\\n', plz, ' ', ort) AS adresse FROM kundendaten.kunden WHERE id=?", array($id));
|
|
| 25 | 25 |
$r = $result->fetch(); |
| 26 | 26 |
|
| 27 | 27 |
header("Content-Type: text/javascript");
|
| ... | ... |
@@ -16,21 +16,19 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r |
| 16 | 16 |
|
| 17 | 17 |
function set_newsletter_address($address) {
|
| 18 | 18 |
$cid = $_SESSION['customerinfo']['customerno']; |
| 19 |
- $address = maybe_null(db_escape_string($address)); |
|
| 20 |
- db_query("UPDATE kundendaten.kunden SET email_newsletter={$address} WHERE id={$cid}");
|
|
| 19 |
+ db_query("UPDATE kundendaten.kunden SET email_newsletter=:address WHERE id=:cid", array(":address" => $address, ":cid" => $cid));
|
|
| 21 | 20 |
} |
| 22 | 21 |
|
| 23 | 22 |
function get_newsletter_address() {
|
| 24 | 23 |
$cid = $_SESSION['customerinfo']['customerno']; |
| 25 |
- $result = db_query("SELECT email_newsletter FROM kundendaten.kunden WHERE id={$cid}");
|
|
| 24 |
+ $result = db_query("SELECT email_newsletter FROM kundendaten.kunden WHERE id=?", array($cid));
|
|
| 26 | 25 |
$r = $result->fetch(); |
| 27 | 26 |
return $r['email_newsletter']; |
| 28 | 27 |
} |
| 29 | 28 |
|
| 30 | 29 |
|
| 31 | 30 |
function get_latest_news() {
|
| 32 |
- $today = strftime('%Y-%m-%d');
|
|
| 33 |
- $result = db_query("SELECT id, date, subject, content FROM misc.news WHERE date > '{$today}' - INTERVAL 1 YEAR ORDER BY date DESC");
|
|
| 31 |
+ $result = db_query("SELECT id, date, subject, content FROM misc.news WHERE date > CURDATE() - INTERVAL 1 YEAR ORDER BY date DESC");
|
|
| 34 | 32 |
$ret = array(); |
| 35 | 33 |
while ($item = $result->fetch()) {
|
| 36 | 34 |
$ret[] = $item; |
| ... | ... |
@@ -42,7 +40,7 @@ function get_latest_news() {
|
| 42 | 40 |
|
| 43 | 41 |
function get_news_item($id) {
|
| 44 | 42 |
$id = (int) $id; |
| 45 |
- $result = db_query("SELECT date, subject, content FROM misc.news WHERE id={$id}");
|
|
| 43 |
+ $result = db_query("SELECT date, subject, content FROM misc.news WHERE id=?", array($id));
|
|
| 46 | 44 |
$ret = $result->fetch(); |
| 47 | 45 |
DEBUG($ret); |
| 48 | 46 |
return $ret; |
| ... | ... |
@@ -19,7 +19,7 @@ require_once("inc/security.php");
|
| 19 | 19 |
require_once("inc/base.php");
|
| 20 | 20 |
|
| 21 | 21 |
|
| 22 |
-if ($_POST['newsletter'] == 'no' || $_POST['recipient'] == "") {
|
|
| 22 |
+if ((isset($_REQUEST['newsletter']) && $_REQUEST['newsletter'] == 'no') || (isset($_REQUEST['recipient']) && $_REQUEST['recipient'] == "")) {
|
|
| 23 | 23 |
$sure = user_is_sure(); |
| 24 | 24 |
if ($sure === NULL) |
| 25 | 25 |
{
|
| ... | ... |
@@ -39,10 +39,10 @@ if ($_POST['newsletter'] == 'no' || $_POST['recipient'] == "") {
|
| 39 | 39 |
} |
| 40 | 40 |
} else {
|
| 41 | 41 |
check_form_token('newsletter');
|
| 42 |
- if (! check_emailaddr($_POST['recipient']) || filter_input_general($_POST['recipient']) != $_POST['recipient']) {
|
|
| 42 |
+ if (! check_emailaddr($_REQUEST['recipient']) || filter_input_general($_REQUEST['recipient']) != $_REQUEST['recipient']) {
|
|
| 43 | 43 |
system_failure("Keine gültige E-Mail-Adresse!");
|
| 44 | 44 |
} |
| 45 |
- set_newsletter_address($_POST['recipient']); |
|
| 45 |
+ set_newsletter_address($_REQUEST['recipient']); |
|
| 46 | 46 |
if (! $debugmode) |
| 47 | 47 |
header('Location: newsletter');
|
| 48 | 48 |
} |
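Review bot: Switching the recipient handling from `$_POST` to `$_REQUEST` lets a state-changing operation be driven by query-string (and, depending on request_order, cookie) values; the update path is still covered by `check_form_token('newsletter')`, but the `newsletter == 'no'` branch relies on user_is_sure(), whose token handling is not visible here. Unless GET submission is genuinely required, keep the writes reading `$_POST` and use `$_REQUEST` only for display. Note also the changed condition: a request with no `recipient` at all no longer enters the first branch and instead reaches `check_emailaddr($_REQUEST['recipient'])` with an undefined index.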
| ... | ... |
@@ -45,22 +45,23 @@ function list_customers() |
| 45 | 45 |
|
| 46 | 46 |
function find_customers($string) |
| 47 | 47 |
{
|
| 48 |
- $string = db_escape_string(chop($string)); |
|
| 48 |
+ $args = array(":string" => '%'.chop($string).'%', ":number" => $string);
|
|
| 49 | 49 |
$return = array(); |
| 50 | 50 |
$result = db_query("SELECT k.id FROM kundendaten.kunden AS k LEFT JOIN system.useraccounts AS u ON (k.id=u.kunde) WHERE ".
|
| 51 |
- "firma LIKE '%{$string}%' OR firma2 LIKE '%{$string}%' OR ".
|
|
| 52 |
- "nachname LIKE '%{$string}%' OR vorname LIKE '%{$string}%' OR ".
|
|
| 53 |
- "adresse LIKE '%{$string}%' OR adresse2 LIKE '%{$string}%' OR ".
|
|
| 54 |
- "ort LIKE '%{$string}%' OR pgp_id LIKE '%{$string}%' OR ".
|
|
| 55 |
- "notizen LIKE '%{$string}%' OR email_rechnung LIKE '%{$string}%' OR ".
|
|
| 56 |
- "email LIKE '%{$string}%' OR email_extern LIKE '%{$string}%' OR u.name LIKE '%{$string}%' OR ".
|
|
| 57 |
- "u.username LIKE '%{$string}%' OR k.id='{$string}' OR u.uid='{$string}';");
|
|
| 51 |
+ "firma LIKE :string OR firma2 LIKE :string OR ". |
|
| 52 |
+ "nachname LIKE :string OR vorname LIKE :string OR ". |
|
| 53 |
+ "adresse LIKE :string OR adresse2 LIKE :string OR ". |
|
| 54 |
+ "ort LIKE :string OR pgp_id LIKE :string OR ". |
|
| 55 |
+ "notizen LIKE :string OR email_rechnung LIKE :string OR ". |
|
| 56 |
+ "email LIKE :string OR email_extern LIKE :string OR u.name LIKE :string OR ". |
|
| 57 |
+ "u.username LIKE :string OR k.id=:number OR u.uid=:number", $args); |
|
| 58 | 58 |
while ($entry = $result->fetch()) |
| 59 | 59 |
$return[] = $entry['id']; |
| 60 | 60 |
|
| 61 |
+ unset($args[':number']); |
|
| 61 | 62 |
$result = db_query("SELECT kunde FROM kundendaten.domains WHERE kunde IS NOT NULL AND (
|
| 62 |
- domainname LIKE '%{$string}%' OR CONCAT_WS('.', domainname, tld) LIKE '%{$string}%'
|
|
| 63 |
- )"); |
|
| 63 |
+ domainname LIKE :string OR CONCAT_WS('.', domainname, tld) LIKE :string
|
|
| 64 |
+ )", $args); |
|
| 64 | 65 |
|
| 65 | 66 |
while ($entry = $result->fetch()) |
| 66 | 67 |
$return[] = $entry['kunde']; |
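Review bot: The named placeholder `:string` is bound once but appears a dozen times in the statement on new lines 51–57 and again on line 63; PDO only accepts a repeated named marker when prepared-statement emulation is on, so if the `DB` class runs with `PDO::ATTR_EMULATE_PREPARES` disabled this query fails with an invalid-parameter-number error. The same pattern is used for `:server` in `ipv6_possible` and `:username` in `get_user_info` later in this commit; either confirm and document at the `DB` class that emulation is enabled, or bind a distinct marker per occurrence. Separately, `:number` is bound to the un-`chop`ped `$string` while the LIKE pattern uses the chopped value; `":number" => chop($string)` keeps the two consistent, and `%`/`_` typed by the user still act as wildcards, which is acceptable for a search box but deserves a comment.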
| ... | ... |
@@ -74,7 +75,7 @@ function find_users_for_customer($id) |
| 74 | 75 |
$id = (int) $id; |
| 75 | 76 |
$return = array(); |
| 76 | 77 |
$result = db_query("SELECT uid, username, name FROM system.useraccounts WHERE ".
|
| 77 |
- "kunde='{$id}';");
|
|
| 78 |
+ "kunde=?", array($id)); |
|
| 78 | 79 |
while ($entry = $result->fetch()) |
| 79 | 80 |
$return[] = $entry; |
| 80 | 81 |
|
| ... | ... |
@@ -197,13 +197,6 @@ function refresh_cert($id, $info, $cert, $key = NULL) |
| 197 | 197 |
|
| 198 | 198 |
$id = (int) $id; |
| 199 | 199 |
$oldcert = cert_details($id); |
| 200 |
- $cert = db_escape_string($cert); |
|
| 201 |
- $subject = db_escape_string(filter_input_general($info['subject'])); |
|
| 202 |
- $cn = db_escape_string(filter_input_general($info['cn'])); |
|
| 203 |
- |
|
| 204 |
- $valid_from = db_escape_string($info['valid_from']); |
|
| 205 |
- $valid_until = db_escape_string($info['valid_until']); |
|
| 206 |
- |
|
| 207 | 200 |
$args = array(":subject" => filter_input_general($info['subject']),
|
| 208 | 201 |
":cn" => filter_input_general($info['cn']), |
| 209 | 202 |
":cert" => $cert, |
| ... | ... |
@@ -307,7 +300,6 @@ function save_csr($cn, $bits, $replace=NULL) |
| 307 | 300 |
list($csr, $key) = create_csr($cn, $bits); |
| 308 | 301 |
|
| 309 | 302 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 310 |
- $cn = db_escape_string(filter_input_hostname($cn, true)); |
|
| 311 | 303 |
db_query("INSERT INTO vhosts.csr (uid, hostname, bits, `replace`, csr, `key`) VALUES (:uid, :cn, :bits, :replace, :csr, :key)",
|
| 312 | 304 |
array(":uid" => $uid, ":cn" => filter_input_hostname($cn, true), ":bits" => $bits,
|
| 313 | 305 |
":replace" => $replace, ":csr" => $csr, ":key" => $key)); |
| ... | ... |
@@ -62,9 +62,8 @@ function list_vhosts() |
| 62 | 62 |
|
| 63 | 63 |
function ipv6_possible($server) |
| 64 | 64 |
{
|
| 65 |
- $serverid = (int) $server; |
|
| 66 |
- $servername = db_escape_string($server); |
|
| 67 |
- $result = db_query("SELECT v6_prefix FROM system.servers WHERE id={$serverid} OR hostname='{$servername}'");
|
|
| 65 |
+ $args = array(":server" => $server);
|
|
| 66 |
+ $result = db_query("SELECT v6_prefix FROM system.servers WHERE id=:server OR hostname=:server", $args);
|
|
| 68 | 67 |
$line = $result->fetch(); |
| 69 | 68 |
DEBUG("Server {$server} is v6-capable: ". ($line['v6_prefix'] != NULL));
|
| 70 | 69 |
return ($line['v6_prefix'] != NULL); |
| ... | ... |
@@ -150,7 +149,7 @@ function get_vhost_details($id) |
| 150 | 149 |
{
|
| 151 | 150 |
$id = (int) $id; |
| 152 | 151 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 153 |
- $result = db_query("SELECT vh.*,IF(dav.id IS NULL OR dav.type='svn', 0, 1) AS is_dav,IF(dav.id IS NULL OR dav.type='dav', 0, 1) AS is_svn, IF(webapps.id IS NULL, 0, 1) AS is_webapp FROM vhosts.v_vhost AS vh LEFT JOIN vhosts.dav ON (dav.vhost=vh.id) LEFT JOIN vhosts.webapps ON (webapps.vhost = vh.id) WHERE uid={$uid} AND vh.id={$id}");
|
|
| 152 |
+ $result = db_query("SELECT vh.*,IF(dav.id IS NULL OR dav.type='svn', 0, 1) AS is_dav,IF(dav.id IS NULL OR dav.type='dav', 0, 1) AS is_svn, IF(webapps.id IS NULL, 0, 1) AS is_webapp FROM vhosts.v_vhost AS vh LEFT JOIN vhosts.dav ON (dav.vhost=vh.id) LEFT JOIN vhosts.webapps ON (webapps.vhost = vh.id) WHERE uid=:uid AND vh.id=:id", array(":uid" => $uid, ":id" => $id));
|
|
| 154 | 153 |
if ($result->rowCount() != 1) |
| 155 | 154 |
system_failure('Interner Fehler beim Auslesen der Daten');
|
| 156 | 155 |
|
| ... | ... |
@@ -213,7 +212,7 @@ function delete_vhost($id) |
| 213 | 212 |
system_failure("id == 0");
|
| 214 | 213 |
$vhost = get_vhost_details($id); |
| 215 | 214 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Removing vhost #'.$id.' ('.$vhost['hostname'].'.'.$vhost['domain'].')');
|
| 216 |
- db_query("DELETE FROM vhosts.vhost WHERE id={$vhost['id']} LIMIT 1");
|
|
| 215 |
+ db_query("DELETE FROM vhosts.vhost WHERE id=?", array($vhost['id']));
|
|
| 217 | 216 |
} |
| 218 | 217 |
|
| 219 | 218 |
|
| ... | ... |
@@ -224,8 +223,8 @@ function make_svn_vhost($id) |
| 224 | 223 |
if ($id == 0) |
| 225 | 224 |
system_failure("id == 0");
|
| 226 | 225 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Converting vhost #'.$id.' to SVN'); |
| 227 |
- db_query("REPLACE INTO vhosts.dav (vhost, type) VALUES ({$id}, 'svn')");
|
|
| 228 |
- db_query("DELETE FROM vhosts.webapps WHERE vhost={$id}");
|
|
| 226 |
+ db_query("REPLACE INTO vhosts.dav (vhost, type) VALUES (?, 'svn')", array($id));
|
|
| 227 |
+ db_query("DELETE FROM vhosts.webapps WHERE vhost=?", array($id));
|
|
| 229 | 228 |
} |
| 230 | 229 |
|
| 231 | 230 |
function make_dav_vhost($id) |
| ... | ... |
@@ -234,8 +233,8 @@ function make_dav_vhost($id) |
| 234 | 233 |
if ($id == 0) |
| 235 | 234 |
system_failure("id == 0");
|
| 236 | 235 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Converting vhost #'.$id.' to WebDAV'); |
| 237 |
- db_query("REPLACE INTO vhosts.dav (vhost, type, options) VALUES ({$id}, 'dav', 'nouserfile')");
|
|
| 238 |
- db_query("DELETE FROM vhosts.webapps WHERE vhost={$id}");
|
|
| 236 |
+ db_query("REPLACE INTO vhosts.dav (vhost, type, options) VALUES (?, 'dav', 'nouserfile')", array($id));
|
|
| 237 |
+ db_query("DELETE FROM vhosts.webapps WHERE vhost=?", array($id));
|
|
| 239 | 238 |
} |
| 240 | 239 |
|
| 241 | 240 |
function make_regular_vhost($id) |
| ... | ... |
@@ -244,8 +243,8 @@ function make_regular_vhost($id) |
| 244 | 243 |
if ($id == 0) |
| 245 | 244 |
system_failure("id == 0");
|
| 246 | 245 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Converting vhost #'.$id.' to regular'); |
| 247 |
- db_query("DELETE FROM vhosts.dav WHERE vhost={$id}");
|
|
| 248 |
- db_query("DELETE FROM vhosts.webapps WHERE vhost={$id}");
|
|
| 246 |
+ db_query("DELETE FROM vhosts.dav WHERE vhost=?", array($id));
|
|
| 247 |
+ db_query("DELETE FROM vhosts.webapps WHERE vhost=?", array($id));
|
|
| 249 | 248 |
} |
| 250 | 249 |
|
| 251 | 250 |
|
| ... | ... |
@@ -255,12 +254,12 @@ function make_webapp_vhost($id, $webapp) |
| 255 | 254 |
$webapp = (int) $webapp; |
| 256 | 255 |
if ($id == 0) |
| 257 | 256 |
system_failure("id == 0");
|
| 258 |
- $result = db_query("SELECT displayname FROM vhosts.global_webapps WHERE id={$webapp};");
|
|
| 257 |
+ $result = db_query("SELECT displayname FROM vhosts.global_webapps WHERE id=?", array($webapp));
|
|
| 259 | 258 |
if ($result->rowCount() == 0) |
| 260 | 259 |
system_failure("webapp-id invalid");
|
| 261 | 260 |
$webapp_name = $result->fetch(PDO::FETCH_OBJ)->displayname; |
| 262 | 261 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Setting up webapp '.$webapp_name.' on vhost #'.$id); |
| 263 |
- db_query("REPLACE INTO vhosts.webapps (vhost, webapp) VALUES ({$id}, {$webapp})");
|
|
| 262 |
+ db_query("REPLACE INTO vhosts.webapps (vhost, webapp) VALUES (?, ?)", array($id, $webapp));
|
|
| 264 | 263 |
mail('webapps-setup@schokokeks.org', 'setup', 'setup');
|
| 265 | 264 |
} |
| 266 | 265 |
|
| ... | ... |
@@ -269,22 +268,26 @@ function check_hostname_collision($hostname, $domain) |
| 269 | 268 |
{
|
| 270 | 269 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 271 | 270 |
# Neuer vhost => Prüfe Duplikat |
| 272 |
- $hostnamecheck = "hostname='".db_escape_string($hostname)."'"; |
|
| 271 |
+ $args = array(":hostname" => $hostname, ":domain" => $domain);
|
|
| 272 |
+ $hostnamecheck = "hostname=:hostname"; |
|
| 273 | 273 |
if (! $hostname) {
|
| 274 | 274 |
$hostnamecheck = "hostname IS NULL"; |
| 275 |
+ unset($args[":hostname"]); |
|
| 275 | 276 |
} |
| 276 |
- $domaincheck = "domain=". (int) $domain ; |
|
| 277 |
+ $domaincheck = "domain=:domain"; |
|
| 277 | 278 |
if ($domain == -1) {
|
| 278 |
- $domaincheck = "domain IS NULL AND user={$uid}";
|
|
| 279 |
+ $args[":uid"] = $uid; |
|
| 280 |
+ unset($args[":domain"]); |
|
| 281 |
+ $domaincheck = "domain IS NULL AND user=:uid"; |
|
| 279 | 282 |
} |
| 280 |
- $result = db_query("SELECT id FROM vhosts.vhost WHERE {$hostnamecheck} AND {$domaincheck}");
|
|
| 283 |
+ $result = db_query("SELECT id FROM vhosts.vhost WHERE {$hostnamecheck} AND {$domaincheck}", $args);
|
|
| 281 | 284 |
if ($result->rowCount() > 0) {
|
| 282 | 285 |
system_failure('Eine Konfiguration mit diesem Namen gibt es bereits.');
|
| 283 | 286 |
} |
| 284 | 287 |
if ($domain == -1) {
|
| 285 | 288 |
return ; |
| 286 | 289 |
} |
| 287 |
- $result = db_query("SELECT id, vhost FROM vhosts.alias WHERE {$hostnamecheck} AND {$domaincheck}");
|
|
| 290 |
+ $result = db_query("SELECT id, vhost FROM vhosts.alias WHERE {$hostnamecheck} AND {$domaincheck}", $args);
|
|
| 288 | 291 |
if ($result->rowCount() > 0) {
|
| 289 | 292 |
$data = $result->fetch(); |
| 290 | 293 |
$vh = get_vhost_details($data['vhost']); |
| ... | ... |
@@ -297,46 +300,42 @@ function save_vhost($vhost) |
| 297 | 300 |
if (! is_array($vhost)) |
| 298 | 301 |
system_failure('$vhost kein array!');
|
| 299 | 302 |
$id = (int) $vhost['id']; |
| 300 |
- $hostname = maybe_null($vhost['hostname']); |
|
| 303 |
+ $hostname = $vhost['hostname']; |
|
| 301 | 304 |
$domain = (int) $vhost['domain_id']; |
| 302 | 305 |
if ($domain == 0) |
| 303 | 306 |
system_failure('$domain == 0');
|
| 304 | 307 |
if ($vhost['domain_id'] == -1) |
| 305 |
- $domain = 'NULL'; |
|
| 308 |
+ $domain = NULL; |
|
| 306 | 309 |
if ($id == 0) {
|
| 307 | 310 |
check_hostname_collision($vhost['hostname'], $vhost['domain_id']); |
| 308 | 311 |
} |
| 309 |
- $docroot = maybe_null($vhost['docroot']); |
|
| 310 |
- $php = maybe_null($vhost['php']); |
|
| 311 |
- $cgi = ($vhost['cgi'] == 1 ? 1 : 0); |
|
| 312 |
- $ssl = maybe_null($vhost['ssl']); |
|
| 313 | 312 |
$hsts = (int) $vhost['hsts']; |
| 314 | 313 |
if ($hsts < 0) {
|
| 315 |
- $hsts = "NULL"; |
|
| 314 |
+ $hsts = NULL; |
|
| 316 | 315 |
} |
| 317 |
- $suexec_user = 'NULL'; |
|
| 316 |
+ $suexec_user = NULL; |
|
| 318 | 317 |
|
| 319 | 318 |
$available_suexec = available_suexec_users(); |
| 320 | 319 |
foreach ($available_suexec AS $u) |
| 321 | 320 |
if ($u['uid'] == $vhost['suexec_user']) |
| 322 | 321 |
$suexec_user = $u['uid']; |
| 323 | 322 |
|
| 324 |
- $server = 'NULL'; |
|
| 323 |
+ $server = NULL; |
|
| 325 | 324 |
$available_servers = additional_servers(); |
| 326 | 325 |
if (in_array($vhost['server'], $available_servers)) {
|
| 327 | 326 |
$server = (int) $vhost['server']; |
| 328 | 327 |
} |
| 329 | 328 |
if ($server == my_server_id()) {
|
| 330 |
- $server = 'NULL'; |
|
| 329 |
+ $server = NULL; |
|
| 331 | 330 |
} |
| 332 | 331 |
|
| 333 |
- $logtype = maybe_null($vhost['logtype']); |
|
| 334 |
- $errorlog = (int) $vhost['errorlog']; |
|
| 335 | 332 |
if ($vhost['is_svn']) {
|
| 336 |
- if (! $vhost['options']) $vhost['options']='nodocroot'; |
|
| 337 |
- else $vhost['options']+=",nodocroot"; |
|
| 333 |
+ if (! $vhost['options']) {
|
|
| 334 |
+ $vhost['options']='nodocroot'; |
|
| 335 |
+ } else {
|
|
| 336 |
+ $vhost['options']+=",nodocroot"; |
|
| 337 |
+ } |
|
| 338 | 338 |
} |
| 339 |
- $options = db_escape_string( $vhost['options'] ); |
|
| 340 | 339 |
|
| 341 | 340 |
$cert = 0; |
| 342 | 341 |
$certs = user_certs(); |
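Review bot: `$vhost['options']+=",nodocroot";` on new line 336 applies numeric addition to a string, so the option list is never extended (the result is a number, or an error on newer PHP); it needs `.=`. In the same hunk, dropping `maybe_null()` changes what reaches the database: `$hostname = $vhost['hostname'];` on new line 303 binds an empty string where the old code produced SQL NULL, and the same applies to `docroot`, `php`, `ssl`, `logtype`, `stats` and `ipv4` in the `$args` array of the following hunk and to `:hostname` in `save_alias`; `check_hostname_collision` matches missing hostnames with `hostname IS NULL`, so rows saved as `''` will slip past that check. Mapping empty values back explicitly, e.g. `$hostname = ($vhost['hostname'] == NULL ? NULL : $vhost['hostname']);`, restores the previous column semantics for bound parameters.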
| ... | ... |
@@ -344,13 +343,13 @@ function save_vhost($vhost) |
| 344 | 343 |
if ($c['id'] == $vhost['cert']) |
| 345 | 344 |
$cert = $c['id']; |
| 346 | 345 |
if ($cert == 0) |
| 347 |
- $cert = 'NULL'; |
|
| 346 |
+ $cert = NULL; |
|
| 348 | 347 |
|
| 349 |
- $ipv4 = 'NULL'; |
|
| 348 |
+ $ipv4 = NULL; |
|
| 350 | 349 |
$ipv4_avail = user_ipaddrs(); |
| 351 | 350 |
if (in_array($vhost['ipv4'], $ipv4_avail)) |
| 352 | 351 |
{
|
| 353 |
- $ipv4 = maybe_null($vhost['ipv4']); |
|
| 352 |
+ $ipv4 = $vhost['ipv4']; |
|
| 354 | 353 |
} |
| 355 | 354 |
|
| 356 | 355 |
$autoipv6 = 1; |
| ... | ... |
@@ -358,15 +357,33 @@ function save_vhost($vhost) |
| 358 | 357 |
$autoipv6 = $vhost['autoipv6']; |
| 359 | 358 |
} |
| 360 | 359 |
|
| 361 |
- $stats = maybe_null($vhost['stats']); |
|
| 362 |
- |
|
| 360 |
+ $args = array(":hostname" => $hostname,
|
|
| 361 |
+ ":domain" => $domain, |
|
| 362 |
+ ":docroot" => $vhost['docroot'], |
|
| 363 |
+ ":php" => $vhost['php'], |
|
| 364 |
+ ":cgi" => ($vhost['cgi'] == 1 ? 1 : 0), |
|
| 365 |
+ ":ssl" => $vhost['ssl'], |
|
| 366 |
+ ":hsts" => $hsts, |
|
| 367 |
+ ":suexec_user" => $suexec_user, |
|
| 368 |
+ ":server" => $server, |
|
| 369 |
+ ":logtype" => $vhost['logtype'], |
|
| 370 |
+ ":errorlog" => (int) $vhost['errorlog'], |
|
| 371 |
+ ":cert" => $cert, |
|
| 372 |
+ ":ipv4" => $ipv4, |
|
| 373 |
+ ":autoipv6" => $autoipv6, |
|
| 374 |
+ ":options" => $vhost['options'], |
|
| 375 |
+ ":stats" => $vhost['stats'], |
|
| 376 |
+ ":id" => $id); |
|
| 363 | 377 |
if ($id != 0) {
|
| 364 | 378 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Updating vhost #'.$id.' ('.$vhost['hostname'].'.'.$vhost['domain'].')');
|
| 365 |
- db_query("UPDATE vhosts.vhost SET hostname={$hostname}, domain={$domain}, docroot={$docroot}, php={$php}, cgi={$cgi}, `ssl`={$ssl}, hsts={$hsts}, `suexec_user`={$suexec_user}, `server`={$server}, logtype={$logtype}, errorlog={$errorlog}, certid={$cert}, ipv4={$ipv4}, autoipv6={$autoipv6}, options='{$options}', stats={$stats} WHERE id={$id} LIMIT 1");
|
|
| 379 |
+ db_query("UPDATE vhosts.vhost SET hostname=:hostname, domain=:domain, docroot=:docroot, php=:php, cgi=:cgi, `ssl`=:ssl, hsts=:hsts, `suexec_user`=:suexec_user, `server`=:server, logtype=:logtype, errorlog=:errorlog, certid=:cert, ipv4=:ipv4, autoipv6=:autoipv6, options=:options, stats=:stats WHERE id=:id", $args);
|
|
| 366 | 380 |
} |
| 367 | 381 |
else {
|
| 382 |
+ $args[":user"] = $_SESSION['userinfo']['uid']; |
|
| 383 |
+ unset($args[":id"]); |
|
| 368 | 384 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Creating vhost '.$vhost['hostname'].'.'.$vhost['domain'].''); |
| 369 |
- $result = db_query("INSERT INTO vhosts.vhost (user, hostname, domain, docroot, php, cgi, `ssl`, hsts, `suexec_user`, `server`, logtype, errorlog, certid, ipv4, autoipv6, options, stats) VALUES ({$_SESSION['userinfo']['uid']}, {$hostname}, {$domain}, {$docroot}, {$php}, {$cgi}, {$ssl}, {$hsts}, {$suexec_user}, {$server}, {$logtype}, {$errorlog}, {$cert}, {$ipv4}, {$autoipv6}, '{$options}', {$stats})");
|
|
| 385 |
+ $result = db_query("INSERT INTO vhosts.vhost (user, hostname, domain, docroot, php, cgi, `ssl`, hsts, `suexec_user`, `server`, logtype, errorlog, certid, ipv4, autoipv6, options, stats) VALUES ".
|
|
| 386 |
+ "(:user, :hostname, :domain, :docroot, :php, :cgi, :ssl, :hsts, :suexec_user, :server, :logtype, :errorlog, :cert, :ipv4, :autoipv6, :options, :stats)", $args); |
|
| 370 | 387 |
$id = db_insert_id(); |
| 371 | 388 |
} |
| 372 | 389 |
$oldvhost = get_vhost_details($id); |
| ... | ... |
@@ -389,7 +406,7 @@ function get_alias_details($id) |
| 389 | 406 |
{
|
| 390 | 407 |
$id = (int) $id; |
| 391 | 408 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 392 |
- $result = db_query("SELECT * FROM vhosts.v_alias WHERE id={$id}");
|
|
| 409 |
+ $result = db_query("SELECT * FROM vhosts.v_alias WHERE id=?", array($id));
|
|
| 393 | 410 |
|
| 394 | 411 |
if ($result->rowCount() != 1) |
| 395 | 412 |
system_failure('Interner Fehler beim Auslesen der Alias-Daten');
|
| ... | ... |
@@ -413,7 +430,7 @@ function delete_alias($id) |
| 413 | 430 |
$alias = get_alias_details($id); |
| 414 | 431 |
|
| 415 | 432 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'aliases', 'Removing alias #'.$id.' ('.$alias['hostname'].'.'.$alias['domain'].')');
|
| 416 |
- db_query("DELETE FROM vhosts.alias WHERE id={$id}");
|
|
| 433 |
+ db_query("DELETE FROM vhosts.alias WHERE id=?", array($id));
|
|
| 417 | 434 |
} |
| 418 | 435 |
|
| 419 | 436 |
function save_alias($alias) |
| ... | ... |
@@ -421,21 +438,26 @@ function save_alias($alias) |
| 421 | 438 |
if (! is_array($alias)) |
| 422 | 439 |
system_failure('$alias kein array!');
|
| 423 | 440 |
$id = (isset($alias['id']) ? (int) $alias['id'] : 0); |
| 424 |
- $hostname = maybe_null($alias['hostname']); |
|
| 425 | 441 |
$domain = (int) $alias['domain_id']; |
| 426 | 442 |
if ($domain == 0) |
| 427 | 443 |
system_failure('$domain == 0');
|
| 428 | 444 |
if ($alias['domain_id'] == -1) |
| 429 |
- $domain = 'NULL'; |
|
| 445 |
+ $domain = NULL; |
|
| 430 | 446 |
$vhost = get_vhost_details( (int) $alias['vhost']); |
| 431 |
- $options = db_escape_string( $alias['options'] ); |
|
| 447 |
+ $args = array(":hostname" => $alias['hostname'],
|
|
| 448 |
+ ":domain" => $domain, |
|
| 449 |
+ ":vhost" => $vhost['id'], |
|
| 450 |
+ ":options" => $alias['options'], |
|
| 451 |
+ ":id" => $id); |
|
| 432 | 452 |
if ($id == 0) {
|
| 453 |
+ unset($args[":id"]); |
|
| 433 | 454 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'aliases', 'Creating alias '.$alias['hostname'].'.'.$alias['domain'].' for VHost '.$vhost['id']); |
| 434 |
- db_query("INSERT INTO vhosts.alias (hostname, domain, vhost, options) VALUES ({$hostname}, {$domain}, {$vhost['id']}, '{$options}')");
|
|
| 455 |
+ db_query("INSERT INTO vhosts.alias (hostname, domain, vhost, options) VALUES (:hostname, :domain, :vhost, :options)", $args);
|
|
| 435 | 456 |
} |
| 436 | 457 |
else {
|
| 458 |
+ unset($args[":vhost"]); |
|
| 437 | 459 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'aliases', 'Updating alias #'.$id.' ('.$alias['hostname'].'.'.$alias['domain'].')');
|
| 438 |
- db_query("UPDATE vhosts.alias SET hostname={$hostname}, domain={$domain}, options='{$options}' WHERE id={$id} LIMIT 1");
|
|
| 460 |
+ db_query("UPDATE vhosts.alias SET hostname=:hostname, domain=:domain, options=:options WHERE id=:id", $args);
|
|
| 439 | 461 |
} |
| 440 | 462 |
} |
| 441 | 463 |
|
| ... | ... |
@@ -443,7 +465,7 @@ function save_alias($alias) |
| 443 | 465 |
function available_suexec_users() |
| 444 | 466 |
{
|
| 445 | 467 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 446 |
- $result = db_query("SELECT uid, username FROM vhosts.available_users LEFT JOIN vhosts.v_useraccounts ON (uid = suexec_user) WHERE mainuser={$uid}");
|
|
| 468 |
+ $result = db_query("SELECT uid, username FROM vhosts.available_users LEFT JOIN vhosts.v_useraccounts ON (uid = suexec_user) WHERE mainuser=?", array($uid));
|
|
| 447 | 469 |
$ret = array(); |
| 448 | 470 |
while ($i = $result->fetch()) |
| 449 | 471 |
$ret[] = $i; |
| ... | ... |
@@ -457,7 +479,7 @@ function available_suexec_users() |
| 457 | 479 |
function user_ipaddrs() |
| 458 | 480 |
{
|
| 459 | 481 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 460 |
- $result = db_query("SELECT ipaddr FROM vhosts.ipaddr_available WHERE uid={$uid}");
|
|
| 482 |
+ $result = db_query("SELECT ipaddr FROM vhosts.ipaddr_available WHERE uid=?", array($uid));
|
|
| 461 | 483 |
$ret = array(); |
| 462 | 484 |
while ($i = $result->fetch()) |
| 463 | 485 |
{
|
| ... | ... |
@@ -27,12 +27,13 @@ $uid = (int) $_SESSION['userinfo']['uid']; |
| 27 | 27 |
|
| 28 | 28 |
if (isset($_POST['freq']) && in_array($_POST['freq'],array("day","week","month"))) {
|
| 29 | 29 |
check_form_token('freewvs_freq');
|
| 30 |
- db_query("REPLACE INTO qatools.freewvs (user,freq) VALUES ({$uid},'{$_POST['freq']}');");
|
|
| 30 |
+ $args = array(":uid" => $uid, ":freq" => $_POST['freq']);
|
|
| 31 |
+ db_query("REPLACE INTO qatools.freewvs (user,freq) VALUES (:uid,:freq)", $args);
|
|
| 31 | 32 |
header("Location: freewvs");
|
| 32 | 33 |
die(); |
| 33 | 34 |
} |
| 34 | 35 |
|
| 35 |
-$result = db_query("SELECT freq FROM qatools.v_freewvs WHERE uid={$uid};");
|
|
| 36 |
+$result = db_query("SELECT freq FROM qatools.v_freewvs WHERE uid=?", array($uid));
|
|
| 36 | 37 |
$result=$result->fetch(); |
| 37 | 38 |
$freq=$result['freq']; |
| 38 | 39 |
|
| ... | ... |
@@ -20,7 +20,7 @@ require_once('inc/base.php');
|
| 20 | 20 |
function load_results() |
| 21 | 21 |
{
|
| 22 | 22 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 23 |
- $result = db_query("SELECT directory, docroot, lastcheck, appname, version, state, safeversion, vulninfo FROM qatools.freewvs_results WHERE uid={$uid}");
|
|
| 23 |
+ $result = db_query("SELECT directory, docroot, lastcheck, appname, version, state, safeversion, vulninfo FROM qatools.freewvs_results WHERE uid=?", array($uid));
|
|
| 24 | 24 |
$ret = array(); |
| 25 | 25 |
while ($line = $result->fetch()) {
|
| 26 | 26 |
array_push($ret, $line); |
| ... | ... |
@@ -30,7 +30,7 @@ function load_results() |
| 30 | 30 |
|
| 31 | 31 |
function get_upgradeinstructions($appname) {
|
| 32 | 32 |
$appname = db_escape_string($appname); |
| 33 |
- $result = db_query("SELECT url FROM qatools.freewvs_upgradeinstructions WHERE appname='{$appname}' LIMIT 1");
|
|
| 33 |
+ $result = db_query("SELECT url FROM qatools.freewvs_upgradeinstructions WHERE appname=?", array($appname));
|
|
| 34 | 34 |
if ($result->rowCount() > 0) {
|
| 35 | 35 |
$tmp = $result->fetch(); |
| 36 | 36 |
return $tmp[0]; |
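Review bot: `$appname = db_escape_string($appname);` on line 32 is still in place although the value is now bound as a parameter on new line 33, so the driver quotes an already-escaped string and an application name containing a quote or backslash no longer matches; with `enable_debug` on it also triggers the warning that `db_escape_string()` now emits. Drop line 32 and bind `$appname` directly. get_upgradeinstructions continues outside this hunk.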
| ... | ... |
@@ -20,12 +20,12 @@ function create_new_webapp($appname, $directory, $url, $data) |
| 20 | 20 |
{
|
| 21 | 21 |
if (directory_in_use($directory)) |
| 22 | 22 |
system_failure('Sie haben erst kürzlich eine Anwendung in diesem Verzeichnis installieren lassen. Aus Sicherheitsgründen können Sie in diesem Verzeichnis am selben Tag nicht schon wieder eine Anwendung installieren.');
|
| 23 |
- $username = db_escape_string($_SESSION['userinfo']['username']); |
|
| 24 |
- $appname = db_escape_string($appname); |
|
| 25 |
- $directory = db_escape_string($directory); |
|
| 26 |
- $url = db_escape_string($url); |
|
| 27 |
- $data = db_escape_string($data); |
|
| 28 |
- db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username, data) VALUES ('{$appname}', '{$directory}', '{$url}', 'new', '{$username}', '{$data}')");
|
|
| 23 |
+ $args = array(":username" => $_SESSION['userinfo']['username'],
|
|
| 24 |
+ ":appname" => $appname, |
|
| 25 |
+ ":dir" => $directory, |
|
| 26 |
+ ":url" => $url, |
|
| 27 |
+ ":data" => $data); |
|
| 28 |
+ db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username, data) VALUES (:appname, :dir, :url, 'new', :username, :data)", $args);
|
|
| 29 | 29 |
} |
| 30 | 30 |
|
| 31 | 31 |
|
| ... | ... |
@@ -33,17 +33,16 @@ function request_update($appname, $directory, $url) |
| 33 | 33 |
{
|
| 34 | 34 |
if (directory_in_use($directory)) |
| 35 | 35 |
system_failure('Sie haben erst kürzlich eine Anwendung in diesem Verzeichnis installieren lassen oder ein Update in diesem Verzeichnis angefordert. Bitte warten Sie bis diese Aktion durchgeführt wurde.');
|
| 36 |
- $username = db_escape_string($_SESSION['userinfo']['username']); |
|
| 37 |
- $appname = db_escape_string($appname); |
|
| 38 |
- $directory = db_escape_string($directory); |
|
| 39 |
- $url = maybe_null(db_escape_string($url)); |
|
| 40 |
- db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username) VALUES ('{$appname}', '{$directory}', {$url}, 'old', '{$username}')");
|
|
| 36 |
+ $args = array(":username" => $_SESSION['userinfo']['username'],
|
|
| 37 |
+ ":appname" => $appname, |
|
| 38 |
+ ":dir" => $directory, |
|
| 39 |
+ ":url" => $url); |
|
| 40 |
+ db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username) VALUES (:appname, :dir, :url, 'old', :username)", $args);
|
|
| 41 | 41 |
} |
| 42 | 42 |
|
| 43 | 43 |
function directory_in_use($directory) |
| 44 | 44 |
{
|
| 45 |
- $directory = db_escape_string($directory); |
|
| 46 |
- $result = db_query("SELECT id FROM vhosts.webapp_installer WHERE (state IN ('new','old') OR DATE(lastchange)=CURDATE()) AND directory='{$directory}'");
|
|
| 45 |
+ $result = db_query("SELECT id FROM vhosts.webapp_installer WHERE (state IN ('new','old') OR DATE(lastchange)=CURDATE()) AND directory=?", array($directory));
|
|
| 47 | 46 |
if ($result->rowCount() > 0) |
| 48 | 47 |
return true; |
| 49 | 48 |
return false; |
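Review bot: `":url" => $url` on new line 39 binds whatever string arrives, whereas the removed line wrapped it in `maybe_null()` so an empty URL became SQL NULL; an update request without a URL now stores `''` in `vhosts.webapp_installer.url`, and anything downstream that tests `url IS NULL` will not see it. `":url" => ($url == NULL ? NULL : $url)` keeps the old column semantics under the prepared statement. request_update begins outside this hunk.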
| ... | ... |
@@ -101,8 +100,7 @@ function get_url_for_dir($docroot, $cutoff = '') |
| 101 | 100 |
{
|
| 102 | 101 |
if (substr($docroot, -1) == '/') |
| 103 | 102 |
$docroot = substr($docroot, 0, -1); |
| 104 |
- $docroot = db_escape_string($docroot); |
|
| 105 |
- $result = db_query("SELECT `ssl`, IF(FIND_IN_SET('aliaswww', options), CONCAT('www.',fqdn), fqdn) AS fqdn FROM vhosts.v_vhost WHERE docroot IN ('{$docroot}', '{$docroot}/') LIMIT 1");
|
|
| 103 |
+ $result = db_query("SELECT `ssl`, IF(FIND_IN_SET('aliaswww', options), CONCAT('www.',fqdn), fqdn) AS fqdn FROM vhosts.v_vhost WHERE docroot IN (?, ?)", array($docroot, $docroot.'/'));
|
|
| 106 | 104 |
if ($result->rowCount() < 1) |
| 107 | 105 |
{
|
| 108 | 106 |
if (!strstr($docroot, '/')) |
| ... | ... |
@@ -122,7 +120,7 @@ function create_webapp_mysqldb($application, $sitename) |
| 122 | 120 |
// dependet auf das mysql-modul |
| 123 | 121 |
require_once('modules/mysql/include/mysql.php');
|
| 124 | 122 |
|
| 125 |
- $username = db_escape_string($_SESSION['userinfo']['username']); |
|
| 123 |
+ $username = $_SESSION['userinfo']['username']; |
|
| 126 | 124 |
$description = "Automatisch erzeugte Datenbank für {$application} ({$sitename})";
|
| 127 | 125 |
|
| 128 | 126 |
// zuerst versuchen wir username_webappname. Wenn das nicht klappt, dann wird hochgezählt |
| ... | ... |
@@ -38,7 +38,7 @@ function find_role($login, $password, $i_am_admin = False) |
| 38 | 38 |
$uid = (int) $login; |
| 39 | 39 |
if ($uid == 0) |
| 40 | 40 |
$uid = 'NULL'; |
| 41 |
- $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
|
|
| 41 |
+ $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid=:uid OR username=:login LIMIT 1;", array(":uid" => $uid, ":login" => $login));
|
|
| 42 | 42 |
if (@$result->rowCount() > 0) |
| 43 | 43 |
{
|
| 44 | 44 |
$entry = $result->fetch(PDO::FETCH_OBJ); |
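Review bot: `$uid = 'NULL';` on line 40 was written for string interpolation; bound through `:uid` on new line 41 it becomes the literal string `'NULL'`, which MySQL coerces to 0 in `u.uid='NULL'` instead of the never-true `u.uid=NULL` the old query produced. Use `$uid = NULL;` so PDO binds a real NULL. The statement also keeps a trailing `;` after `LIMIT 1`, which the other converted queries in this commit drop; server-side prepares may reject it. find_role continues outside this hunk.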
| ... | ... |
@@ -68,9 +68,9 @@ function find_role($login, $password, $i_am_admin = False) |
| 68 | 68 |
// Customer? |
| 69 | 69 |
$customerno = (int) $login; |
| 70 | 70 |
$pass = sha1($password); |
| 71 |
- $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno} AND passwort='{$pass}';");
|
|
| 71 |
+ $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=:customerno AND passwort=:pass", array(":customerno" => $customerno, ":pass" => $pass));
|
|
| 72 | 72 |
if ($i_am_admin) |
| 73 |
- $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno}");
|
|
| 73 |
+ $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=?", array($customerno));
|
|
| 74 | 74 |
if (@$result->rowCount() > 0) |
| 75 | 75 |
{
|
| 76 | 76 |
return ROLE_CUSTOMER; |
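Review bot: New line 71 binds `sha1($password)` as `:pass`, so the customer table still stores and compares unsalted SHA-1 hashes; parameterizing removes the injection risk but leaves the stored credentials weak against offline cracking if the table leaks. Since the comparison now runs through PHP-controlled code, this is a natural place to fetch the stored hash by id and verify in PHP with `password_verify()`, rehashing on successful login. Also, when `$i_am_admin` is true the result of line 71 is discarded by line 73, so the password round-trip runs for nothing; guarding it with `if (! $i_am_admin)` avoids the extra query. find_role continues outside this hunk.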
| ... | ... |
@@ -78,7 +78,7 @@ function find_role($login, $password, $i_am_admin = False) |
| 78 | 78 |
|
| 79 | 79 |
// Sub-User |
| 80 | 80 |
|
| 81 |
- $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
|
|
| 81 |
+ $result = db_query("SELECT password FROM system.subusers WHERE username=?", array($login));
|
|
| 82 | 82 |
if (@$result->rowCount() > 0) |
| 83 | 83 |
{
|
| 84 | 84 |
$entry = $result->fetch(PDO::FETCH_OBJ); |
| ... | ... |
@@ -111,7 +111,7 @@ function find_role($login, $password, $i_am_admin = False) |
| 111 | 111 |
} |
| 112 | 112 |
} |
| 113 | 113 |
} |
| 114 |
- $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
|
|
| 114 |
+ $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account=?", array($account));
|
|
| 115 | 115 |
if (@$result->rowCount() > 0) |
| 116 | 116 |
{
|
| 117 | 117 |
$entry = $result->fetch(PDO::FETCH_OBJ); |
| ... | ... |
@@ -127,7 +127,7 @@ function find_role($login, $password, $i_am_admin = False) |
| 127 | 127 |
|
| 128 | 128 |
// virtueller Mail-Account |
| 129 | 129 |
$account = $login; |
| 130 |
- $result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account='{$account}' LIMIT 1;");
|
|
| 130 |
+ $result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account=?", array($account));
|
|
| 131 | 131 |
if (@$result->rowCount() > 0) |
| 132 | 132 |
{
|
| 133 | 133 |
$entry = $result->fetch(PDO::FETCH_OBJ); |
| ... | ... |
@@ -157,13 +157,13 @@ function get_customer_info($customer) |
| 157 | 157 |
if ($customerno != 0) |
| 158 | 158 |
{
|
| 159 | 159 |
DEBUG('Looking up customerinfo for customer no. '.$customerno);
|
| 160 |
- $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden WHERE id={$customerno} LIMIT 1;");
|
|
| 160 |
+ $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden WHERE id=?", array($customerno));
|
|
| 161 | 161 |
} |
| 162 | 162 |
else |
| 163 | 163 |
{
|
| 164 |
- $username = db_escape_string($customer); |
|
| 164 |
+ $username = $customer; |
|
| 165 | 165 |
DEBUG('looking up customer info for username '.$username);
|
| 166 |
- $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
|
|
| 166 |
+ $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", array($username));
|
|
| 167 | 167 |
} |
| 168 | 168 |
if (@$result->rowCount() == 0) |
| 169 | 169 |
system_failure("Konnte Kundendaten nicht auslesen!");
|
| ... | ... |
@@ -181,7 +181,7 @@ function get_customer_info($customer) |
| 181 | 181 |
|
| 182 | 182 |
function get_subuser_info($username) |
| 183 | 183 |
{
|
| 184 |
- $result = db_query("SELECT uid, modules FROM system.subusers WHERE username='{$username}'");
|
|
| 184 |
+ $result = db_query("SELECT uid, modules FROM system.subusers WHERE username=?", array($username));
|
|
| 185 | 185 |
if ($result->rowCount() < 1) |
| 186 | 186 |
{
|
| 187 | 187 |
logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«");
|
| ... | ... |
@@ -196,9 +196,8 @@ function get_subuser_info($username) |
| 196 | 196 |
|
| 197 | 197 |
function get_user_info($username) |
| 198 | 198 |
{
|
| 199 |
- $username = db_escape_string($username); |
|
| 200 | 199 |
$result = db_query("SELECT kunde AS customerno, username, uid, homedir, name, server
|
| 201 |
- FROM system.v_useraccounts WHERE username='{$username}' OR uid='{$username}' LIMIT 1");
|
|
| 200 |
+ FROM system.v_useraccounts WHERE username=:username OR uid=:username", array(":username" => $username));
|
|
| 202 | 201 |
if ($result->rowCount() < 1) |
| 203 | 202 |
{
|
| 204 | 203 |
logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«");
|
| ... | ... |
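Review bot: The rewritten get_user_info query binds the named placeholder `:username` twice in one statement, which PDO only accepts while prepare emulation is on; with native MySQL prepares (`PDO::ATTR_EMULATE_PREPARES` set to false) a reused named parameter is rejected at execute time with an invalid-parameter-number error, so the login lookup would break depending on the connection setup. Bind two distinct names instead, e.g. `FROM system.v_useraccounts WHERE username=:username OR uid=:uid LIMIT 1", array(":username" => $username, ":uid" => $username));`. The rewrite also dropped the original `LIMIT 1`; the `OR` condition can in principle match two different accounts and the check below only tests `rowCount() < 1`, so keeping the limit preserves the previous single-row behaviour. get_user_info's body continues outside the hunk.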
@@ -218,30 +217,30 @@ function get_user_info($username) |
| 218 | 217 |
function set_customer_verified($customerno) |
| 219 | 218 |
{
|
| 220 | 219 |
$customerno = (int) $customerno; |
| 221 |
- db_query("UPDATE kundendaten.kunden SET status=0 WHERE id={$customerno};");
|
|
| 220 |
+ db_query("UPDATE kundendaten.kunden SET status=0 WHERE id=?", array($customerno));
|
|
| 222 | 221 |
logger(LOG_INFO, "session/checkuser", "register", "set customer's status to 0."); |
| 223 | 222 |
} |
| 224 | 223 |
|
| 225 | 224 |
function set_customer_lastlogin($customerno) |
| 226 | 225 |
{
|
| 227 | 226 |
$customerno = (int) $customerno; |
| 228 |
- db_query("UPDATE kundendaten.kunden SET lastlogin=NOW() WHERE id={$customerno};");
|
|
| 227 |
+ db_query("UPDATE kundendaten.kunden SET lastlogin=NOW() WHERE id=?", array($customerno));
|
|
| 229 | 228 |
} |
| 230 | 229 |
|
| 231 | 230 |
function set_customer_password($customerno, $newpass) |
| 232 | 231 |
{
|
| 233 | 232 |
$customerno = (int) $customerno; |
| 234 | 233 |
$newpass = sha1($newpass); |
| 235 |
- db_query("UPDATE kundendaten.kunden SET passwort='$newpass' WHERE id='".$customerno."' LIMIT 1");
|
|
| 234 |
+ db_query("UPDATE kundendaten.kunden SET passwort=:newpass WHERE id=:customerno", array(":newpass" => $newpass, ":customerno" => $customerno));
|
|
| 236 | 235 |
logger(LOG_INFO, "session/checkuser", "pwchange", "changed customer's password."); |
| 237 | 236 |
} |
| 238 | 237 |
|
| 239 | 238 |
function set_subuser_password($subuser, $newpass) |
| 240 | 239 |
{
|
| 241 |
- $subuser = db_escape_string($subuser); |
|
| 242 |
- $uid = (int) $_SESSION['userinfo']['uid']; |
|
| 243 |
- $newpass = sha1($newpass); |
|
| 244 |
- db_query("UPDATE system.subusers SET password='$newpass' WHERE username='{$subuser}' AND uid={$uid}");
|
|
| 240 |
+ $args = array(":subuser" => $subuser,
|
|
| 241 |
+ ":uid" => (int) $_SESSION['userinfo']['uid'], |
|
| 242 |
+ ":newpass" => sha1($newpass)); |
|
| 243 |
+ db_query("UPDATE system.subusers SET password=:newpass WHERE username=:subuser AND uid=:uid", $args);
|
|
| 245 | 244 |
logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password."); |
| 246 | 245 |
} |
| 247 | 246 |
|
| ... | ... |
@@ -260,14 +259,14 @@ function set_systemuser_password($uid, $newpass) |
| 260 | 259 |
$salt = random_string(8); |
| 261 | 260 |
$newpass = crypt($newpass, "\$1\${$salt}\$");
|
| 262 | 261 |
} |
| 263 |
- db_query("UPDATE system.passwoerter SET passwort='$newpass' WHERE uid='".$uid."' LIMIT 1");
|
|
| 262 |
+ db_query("UPDATE system.passwoerter SET passwort=:newpass WHERE uid=:uid", array(":newpass" => $newpass, ":uid" => $uid));
|
|
| 264 | 263 |
logger(LOG_INFO, "session/checkuser", "pwchange", "changed user's password."); |
| 265 | 264 |
} |
| 266 | 265 |
|
| 267 | 266 |
|
| 268 | 267 |
function user_for_mailaccount($account) |
| 269 | 268 |
{
|
| 270 |
- $result = db_query("SELECT uid FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
|
|
| 269 |
+ $result = db_query("SELECT uid FROM mail.courier_mailaccounts WHERE account=?", array($account));
|
|
| 271 | 270 |
if ($result->rowCount() != 1) {
|
| 272 | 271 |
system_failure('Diese Adresse ist herrenlos?!');
|
| 273 | 272 |
} |
| ... | ... |
@@ -277,7 +276,7 @@ function user_for_mailaccount($account) |
| 277 | 276 |
|
| 278 | 277 |
function user_for_vmail_account($account) |
| 279 | 278 |
{
|
| 280 |
- $result = db_query("SELECT useraccount FROM mail.v_vmail_accounts WHERE CONCAT_WS('@', local, domainname)='{$account}' LIMIT 1;");
|
|
| 279 |
+ $result = db_query("SELECT useraccount FROM mail.v_vmail_accounts WHERE CONCAT_WS('@', local, domainname)=?", array($account));
|
|
| 281 | 280 |
if ($result->rowCount() != 1) {
|
| 282 | 281 |
system_failure('Diese Adresse ist herrenlos?!');
|
| 283 | 282 |
} |
| ... | ... |
@@ -298,7 +297,7 @@ function setup_session($role, $useridentity) |
| 298 | 297 |
$_SESSION['restrict_modules'] = explode(',', $info['modules']);
|
| 299 | 298 |
$_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER; |
| 300 | 299 |
$_SESSION['subuser'] = $useridentity; |
| 301 |
- $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username='{$info['username']}'");
|
|
| 300 |
+ $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username=?", array($info['username']));
|
|
| 302 | 301 |
if ($entry = $data->fetch) {
|
| 303 | 302 |
if ($entry['kundenaccount'] == 1) {
|
| 304 | 303 |
$customer = get_customer_info($_SESSION['userinfo']['username']); |
| 305 | 304 |