Modul mysql auf prepared statements umgestellt
Bernd Wurst

Bernd Wurst commited on 2014-02-06 11:18:49
Zeige 2 geänderte Dateien mit 44 Einfügungen und 44 Löschungen.

@@ -16,8 +16,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
16 16
 
17 17
 function get_mysql_accounts($UID)
18 18
 {
19
-  $UID = (int) $UID;
20
-  $result = db_query("SELECT id, username, description, created FROM misc.mysql_accounts WHERE useraccount=$UID ORDER BY username");
19
+  $result = db_query("SELECT id, username, description, created FROM misc.mysql_accounts WHERE useraccount=? ORDER BY username", array($UID));
21 20
   if ($result->rowCount() == 0)
22 21
     return array();
23 22
   $list = array();
@@ -30,8 +29,7 @@ function get_mysql_accounts($UID)
30 29
 
31 30
 function get_mysql_databases($UID)
32 31
 {
33
-  $UID = (int) $UID;
34
-  $result = db_query("SELECT id, name, description, created FROM misc.mysql_database WHERE useraccount=$UID ORDER BY name");
32
+  $result = db_query("SELECT id, name, description, created FROM misc.mysql_database WHERE useraccount=? ORDER BY name", array($UID));
35 33
   if ($result->rowCount() == 0)
36 34
     return array();
37 35
   $list = array();
@@ -54,8 +52,9 @@ function set_database_description($dbname, $description)
54 52
   if ($thisdb == NULL) {
55 53
     system_failure('Ungültige Datenbank');
56 54
   }
57
-  $description = maybe_null(filter_input_general($description));
58
-  db_query("UPDATE misc.mysql_database SET description={$description} WHERE id={$thisdb['id']}");
55
+  $args = array(":id" => $thisdb['id'],
56
+                ":desc" => filter_input_general($description));
57
+  db_query("UPDATE misc.mysql_database SET description=:desc WHERE id=:id", $args);
59 58
 }
60 59
 
61 60
 function set_dbuser_description($username, $description) 
@@ -70,15 +69,15 @@ function set_dbuser_description($username, $description)
70 69
   if ($thisuser == NULL) {
71 70
     system_failure('Ungültiger Benutzer');
72 71
   }
73
-  $description = maybe_null(filter_input_general($description));
74
-  db_query("UPDATE misc.mysql_accounts SET description={$description} WHERE id={$thisuser['id']}");
72
+  $args = array(":id" => $thisuser['id'],
73
+                ":desc" => filter_input_general($description));
74
+  db_query("UPDATE misc.mysql_accounts SET description=:desc WHERE id=:id", $args);
75 75
 }
76 76
 
77 77
 function servers_for_databases()
78 78
 {
79 79
   $uid = (int) $_SESSION['userinfo']['uid'];
80
-  
81
-  $result = db_query("SELECT db.name AS db, hostname FROM misc.mysql_database AS db LEFT JOIN system.useraccounts AS u ON (db.useraccount=u.uid) LEFT JOIN system.servers ON (COALESCE(db.server, u.server) = servers.id) WHERE db.useraccount={$uid}");
80
+  $result = db_query("SELECT db.name AS db, hostname FROM misc.mysql_database AS db LEFT JOIN system.useraccounts AS u ON (db.useraccount=u.uid) LEFT JOIN system.servers ON (COALESCE(db.server, u.server) = servers.id) WHERE db.useraccount=?", array($uid));
82 81
   $ret = array();
83 82
   while ($line = $result->fetch()) {
84 83
     $ret[$line['db']] = $line['hostname'];
@@ -95,7 +94,7 @@ function get_mysql_access($db, $account)
95 94
   if (!is_array($mysql_access))
96 95
   {
97 96
     $mysql_access = array();
98
-    $result = db_query("SELECT db.name AS db, acc.username AS user FROM misc.mysql_access AS access LEFT JOIN misc.mysql_database AS db ON (db.id=access.database) LEFT JOIN misc.mysql_accounts AS acc ON (acc.id = access.user) WHERE acc.useraccount={$uid} OR db.useraccount={$uid};");
97
+    $result = db_query("SELECT db.name AS db, acc.username AS user FROM misc.mysql_access AS access LEFT JOIN misc.mysql_database AS db ON (db.id=access.database) LEFT JOIN misc.mysql_accounts AS acc ON (acc.id = access.user) WHERE acc.useraccount=:uid OR db.useraccount=:uid", array(":uid" => $uid));
99 98
     if ($result->rowCount() == 0)
100 99
       return false;
101 100
     while ($line = $result->fetch(PDO::FETCH_OBJ))
@@ -108,37 +107,38 @@ function get_mysql_access($db, $account)
108 107
 function set_mysql_access($db, $account, $status)
109 108
 {
110 109
   $uid = $_SESSION['userinfo']['uid'];
111
-  $db = db_escape_string($db);
112
-  $account = db_escape_string($account);
113 110
   DEBUG("User »{$account}« soll ".($status ? "" : "NICHT ")."auf die Datenbank »{$db}« zugreifen");
114 111
   $query = '';
115 112
   if ($status)
116 113
   {
117 114
     if (get_mysql_access($db, $account))
118 115
       return NULL;
119
-    $result = db_query("SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1");
116
+    $args = array(":db" => $db, ":uid" => $uid);
117
+    $result = db_query("SELECT id FROM misc.mysql_database WHERE name=:db AND useraccount=:uid", $args);
120 118
     if ($result->rowCount() != 1)
121 119
     {
122 120
       logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find database {$db}");
123 121
       system_failure("cannot find database »{$db}«");
124 122
     }
125
-    $result = db_query("SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid} LIMIT 1");
123
+    $args = array(":account" => $account, ":uid" => $uid);
124
+    $result = db_query("SELECT id FROM misc.mysql_accounts WHERE username=:account AND useraccount=:uid", $args);
126 125
     if ($result->rowCount() != 1)
127 126
     {
128 127
       logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find user {$account}");
129 128
       system_failure("cannot find database user »{$account}«");
130 129
     }
131
-    $query = "INSERT INTO misc.mysql_access (`database`,user) VALUES ((SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1), (SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid}));";
130
+    $args = array(":db" => $db, ":uid" => $uid, ":account" => $account);
131
+    db_query("INSERT INTO misc.mysql_access (`database`,user) VALUES ((SELECT id FROM misc.mysql_database WHERE name=:db AND useraccount=:uid LIMIT 1), (SELECT id FROM misc.mysql_accounts WHERE username=:account AND useraccount=:uid))", $args);
132 132
     logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "granting access on »{$db}« to »{$account}«");
133 133
   }
134 134
   else
135 135
   {
136 136
     if (! get_mysql_access($db, $account))
137 137
       return NULL;
138
-    $query = "DELETE FROM misc.mysql_access WHERE `database`=(SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1) AND user=(SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid});";
138
+    $args = array(":db" => $db, ":account" => $account, ":uid" => $uid);
139
+    db_query("DELETE FROM misc.mysql_access WHERE `database`=(SELECT id FROM misc.mysql_database WHERE name=:db AND useraccount=:uid LIMIT 1) AND user=(SELECT id FROM misc.mysql_accounts WHERE username=:account AND useraccount=:uid)", $args);
139 140
     logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "revoking access on »{$db}« from »{$account}«");
140 141
   }
141
-  db_query($query);
142 142
 }
143 143
 
144 144
 
@@ -150,20 +150,20 @@ function create_mysql_account($username, $description = '')
150 150
     input_error("Der eingegebene Benutzername entspricht leider nicht der Konvention. Bitte tragen Sie einen passenden Namen ein.");
151 151
     return NULL;
152 152
   }
153
-  $uid = $_SESSION['userinfo']['uid'];
154
-  $username = db_escape_string($username);
155
-  $description = maybe_null($description);
153
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
154
+                ":username" => $username,
155
+                ":desc" => $description);
156 156
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "creating user »{$username}«");
157
-  db_query("INSERT INTO misc.mysql_accounts (username, password, useraccount, description) VALUES ('$username', '!', $uid, $description);");
157
+  db_query("INSERT INTO misc.mysql_accounts (username, password, useraccount, description) VALUES (:username, '!', :uid, :desc)", $args);
158 158
 }
159 159
 
160 160
 
161 161
 function delete_mysql_account($username)
162 162
 {
163
-  $username = db_escape_string($username);
164
-  $uid = $_SESSION['userinfo']['uid'];
163
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
164
+                ":username" => $username);
165 165
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "deleting user »{$username}«");
166
-  db_query("DELETE FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
166
+  db_query("DELETE FROM misc.mysql_accounts WHERE username=:username AND useraccount=:uid", $args);
167 167
 }
168 168
 
169 169
 
@@ -175,24 +175,24 @@ function create_mysql_database($dbname, $description = '', $server = NULL)
175 175
     input_error("Der eingegebene Datenbankname entspricht leider nicht der Konvention. Bitte tragen Sie einen passenden Namen ein.");
176 176
     return NULL;
177 177
   }
178
-  $dbname = db_escape_string($dbname);
179
-  $uid = $_SESSION['userinfo']['uid'];
180
-  $description = maybe_null($description); 
181
-  $server = (int) $server;
182 178
   if (! in_array($server, additional_servers()) || ($server == my_server_id())) {
183 179
     $server = 'NULL';
184 180
   }
181
+  $args = array(":dbname" => $dbname,
182
+                ":uid" => $_SESSION['userinfo']['uid'],
183
+                ":desc" => $description,
184
+                ":server" => $server);
185 185
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "creating database »{$dbname}«");
186
-  db_query("INSERT INTO misc.mysql_database (name, useraccount, server, description) VALUES ('$dbname', $uid, $server, $description);");
186
+  db_query("INSERT INTO misc.mysql_database (name, useraccount, server, description) VALUES (:dbname, :uid, :server, :desc)", $args);
187 187
 }
188 188
 
189 189
 
190 190
 function delete_mysql_database($dbname)
191 191
 {
192
-  $dbname = db_escape_string($dbname);
193
-  $uid = $_SESSION['userinfo']['uid'];
192
+  $args = array(":dbname" => $dbname,
193
+                ":uid" => $_SESSION['userinfo']['uid']);
194 194
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "removing database »{$dbname}«");
195
-  db_query("DELETE FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
195
+  db_query("DELETE FROM misc.mysql_database WHERE name=:dbname AND useraccount=:uid", $args);
196 196
 }
197 197
 
198 198
 
@@ -212,28 +212,28 @@ function validate_mysql_username($username)
212 212
 
213 213
 function set_mysql_password($username, $password)
214 214
 {
215
-  $username = db_escape_string($username);
216
-  $password = db_escape_string($password);
217
-  $uid = $_SESSION['userinfo']['uid'];
215
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
216
+                ":username" => $username,
217
+                ":password" => $password);
218 218
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "updating password for »{$username}«");
219
-  db_query("UPDATE misc.mysql_accounts SET password=PASSWORD('$password') WHERE username='$username' AND useraccount=$uid;");
219
+  db_query("UPDATE misc.mysql_accounts SET password=PASSWORD(:password) WHERE username=:username AND useraccount=:uid", $args);
220 220
 }
221 221
 
222 222
 
223 223
 function has_mysql_database($dbname)
224 224
 {
225
-  $uid = $_SESSION['userinfo']['uid'];
226
-  $dbname = db_escape_string($dbname);
227
-  $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
225
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
226
+                ":dbname" => $dbname);
227
+  $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name=:dbname AND useraccount=:uid", $args);
228 228
   return ($result->rowCount() == 1);
229 229
 }
230 230
 
231 231
 
232 232
 function has_mysql_user($username)
233 233
 {
234
-  $uid = $_SESSION['userinfo']['uid'];
235
-  $userame = db_escape_string($username);
236
-  $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
234
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
235
+                ":username" => $username);
236
+  $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username=:username AND useraccount=:uid", $args);
237 237
   return ($result->rowCount() == 1);
238 238
 }
239 239
 
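Review bot: In the create_mysql_database hunk (`@@ -175,24 +175,24 @@`) the fallback `$server = 'NULL';` was written for string interpolation and no longer works once `:server` is a bound parameter: PDO sends the four-character string 'NULL', not SQL NULL, so the server column gets a bogus value or the INSERT fails under strict mode. Change that line to `$server = NULL;` so the driver binds a real NULL, and re-add the dropped `$server = (int) $server;` before the `in_array()` check so a non-numeric `$server` cannot loosely match an entry of `additional_servers()`. Separately, `maybe_null()` was removed from the `:desc` binding in set_database_description, set_dbuser_description, create_mysql_account and the same create_mysql_database hunk; if it previously mapped an empty description to SQL NULL, those columns now receive '' instead, which is worth confirming against the schema and any `IS NULL` checks elsewhere.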
@@ -137,7 +137,7 @@ function check_totp($username, $code) {
137 137
   
138 138
   $checkResult = $ga->verifyCode($secret, $code, 2);    // 2 = 2*30sec clock tolerance
139 139
   if ($checkResult) {
140
-    db_query("UPDATE mail.webmail_totp SET failures = 0, unlock_timestamp=NULL WHERE email='{$username}'");
140
+    db_query("UPDATE mail.webmail_totp SET failures = 0, unlock_timestamp=NULL WHERE email=?", array($username));
141 141
     blacklist_token($username, $code);
142 142
     DEBUG('OK');
143 143
   } else {
144 144