Bernd Wurst commited on 2014-02-06 11:18:49
Zeige 2 geänderte Dateien mit 44 Einfügungen und 44 Löschungen.
| ... | ... |
@@ -16,8 +16,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r |
| 16 | 16 |
|
| 17 | 17 |
function get_mysql_accounts($UID) |
| 18 | 18 |
{
|
| 19 |
- $UID = (int) $UID; |
|
| 20 |
- $result = db_query("SELECT id, username, description, created FROM misc.mysql_accounts WHERE useraccount=$UID ORDER BY username");
|
|
| 19 |
+ $result = db_query("SELECT id, username, description, created FROM misc.mysql_accounts WHERE useraccount=? ORDER BY username", array($UID));
|
|
| 21 | 20 |
if ($result->rowCount() == 0) |
| 22 | 21 |
return array(); |
| 23 | 22 |
$list = array(); |
| ... | ... |
@@ -30,8 +29,7 @@ function get_mysql_accounts($UID) |
| 30 | 29 |
|
| 31 | 30 |
function get_mysql_databases($UID) |
| 32 | 31 |
{
|
| 33 |
- $UID = (int) $UID; |
|
| 34 |
- $result = db_query("SELECT id, name, description, created FROM misc.mysql_database WHERE useraccount=$UID ORDER BY name");
|
|
| 32 |
+ $result = db_query("SELECT id, name, description, created FROM misc.mysql_database WHERE useraccount=? ORDER BY name", array($UID));
|
|
| 35 | 33 |
if ($result->rowCount() == 0) |
| 36 | 34 |
return array(); |
| 37 | 35 |
$list = array(); |
| ... | ... |
@@ -54,8 +52,9 @@ function set_database_description($dbname, $description) |
| 54 | 52 |
if ($thisdb == NULL) {
|
| 55 | 53 |
system_failure('Ungültige Datenbank');
|
| 56 | 54 |
} |
| 57 |
- $description = maybe_null(filter_input_general($description)); |
|
| 58 |
- db_query("UPDATE misc.mysql_database SET description={$description} WHERE id={$thisdb['id']}");
|
|
| 55 |
+ $args = array(":id" => $thisdb['id'],
|
|
| 56 |
+ ":desc" => filter_input_general($description)); |
|
| 57 |
+ db_query("UPDATE misc.mysql_database SET description=:desc WHERE id=:id", $args);
|
|
| 59 | 58 |
} |
| 60 | 59 |
|
| 61 | 60 |
function set_dbuser_description($username, $description) |
| ... | ... |
@@ -70,15 +69,15 @@ function set_dbuser_description($username, $description) |
| 70 | 69 |
if ($thisuser == NULL) {
|
| 71 | 70 |
system_failure('Ungültiger Benutzer');
|
| 72 | 71 |
} |
| 73 |
- $description = maybe_null(filter_input_general($description)); |
|
| 74 |
- db_query("UPDATE misc.mysql_accounts SET description={$description} WHERE id={$thisuser['id']}");
|
|
| 72 |
+ $args = array(":id" => $thisuser['id'],
|
|
| 73 |
+ ":desc" => filter_input_general($description)); |
|
| 74 |
+ db_query("UPDATE misc.mysql_accounts SET description=:desc WHERE id=:id", $args);
|
|
| 75 | 75 |
} |
| 76 | 76 |
|
| 77 | 77 |
function servers_for_databases() |
| 78 | 78 |
{
|
| 79 | 79 |
$uid = (int) $_SESSION['userinfo']['uid']; |
| 80 |
- |
|
| 81 |
- $result = db_query("SELECT db.name AS db, hostname FROM misc.mysql_database AS db LEFT JOIN system.useraccounts AS u ON (db.useraccount=u.uid) LEFT JOIN system.servers ON (COALESCE(db.server, u.server) = servers.id) WHERE db.useraccount={$uid}");
|
|
| 80 |
+ $result = db_query("SELECT db.name AS db, hostname FROM misc.mysql_database AS db LEFT JOIN system.useraccounts AS u ON (db.useraccount=u.uid) LEFT JOIN system.servers ON (COALESCE(db.server, u.server) = servers.id) WHERE db.useraccount=?", array($uid));
|
|
| 82 | 81 |
$ret = array(); |
| 83 | 82 |
while ($line = $result->fetch()) {
|
| 84 | 83 |
$ret[$line['db']] = $line['hostname']; |
| ... | ... |
@@ -95,7 +94,7 @@ function get_mysql_access($db, $account) |
| 95 | 94 |
if (!is_array($mysql_access)) |
| 96 | 95 |
{
|
| 97 | 96 |
$mysql_access = array(); |
| 98 |
- $result = db_query("SELECT db.name AS db, acc.username AS user FROM misc.mysql_access AS access LEFT JOIN misc.mysql_database AS db ON (db.id=access.database) LEFT JOIN misc.mysql_accounts AS acc ON (acc.id = access.user) WHERE acc.useraccount={$uid} OR db.useraccount={$uid};");
|
|
| 97 |
+ $result = db_query("SELECT db.name AS db, acc.username AS user FROM misc.mysql_access AS access LEFT JOIN misc.mysql_database AS db ON (db.id=access.database) LEFT JOIN misc.mysql_accounts AS acc ON (acc.id = access.user) WHERE acc.useraccount=:uid OR db.useraccount=:uid", array(":uid" => $uid));
|
|
| 99 | 98 |
if ($result->rowCount() == 0) |
| 100 | 99 |
return false; |
| 101 | 100 |
while ($line = $result->fetch(PDO::FETCH_OBJ)) |
| ... | ... |
@@ -108,37 +107,38 @@ function get_mysql_access($db, $account) |
| 108 | 107 |
function set_mysql_access($db, $account, $status) |
| 109 | 108 |
{
|
| 110 | 109 |
$uid = $_SESSION['userinfo']['uid']; |
| 111 |
- $db = db_escape_string($db); |
|
| 112 |
- $account = db_escape_string($account); |
|
| 113 | 110 |
DEBUG("User »{$account}« soll ".($status ? "" : "NICHT ")."auf die Datenbank »{$db}« zugreifen");
|
| 114 | 111 |
$query = ''; |
| 115 | 112 |
if ($status) |
| 116 | 113 |
{
|
| 117 | 114 |
if (get_mysql_access($db, $account)) |
| 118 | 115 |
return NULL; |
| 119 |
- $result = db_query("SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1");
|
|
| 116 |
+ $args = array(":db" => $db, ":uid" => $uid);
|
|
| 117 |
+ $result = db_query("SELECT id FROM misc.mysql_database WHERE name=:db AND useraccount=:uid", $args);
|
|
| 120 | 118 |
if ($result->rowCount() != 1) |
| 121 | 119 |
{
|
| 122 | 120 |
logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find database {$db}");
|
| 123 | 121 |
system_failure("cannot find database »{$db}«");
|
| 124 | 122 |
} |
| 125 |
- $result = db_query("SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid} LIMIT 1");
|
|
| 123 |
+ $args = array(":account" => $account, ":uid" => $uid);
|
|
| 124 |
+ $result = db_query("SELECT id FROM misc.mysql_accounts WHERE username=:account AND useraccount=:uid", $args);
|
|
| 126 | 125 |
if ($result->rowCount() != 1) |
| 127 | 126 |
{
|
| 128 | 127 |
logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find user {$account}");
|
| 129 | 128 |
system_failure("cannot find database user »{$account}«");
|
| 130 | 129 |
} |
| 131 |
- $query = "INSERT INTO misc.mysql_access (`database`,user) VALUES ((SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1), (SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid}));";
|
|
| 130 |
+ $args = array(":db" => $db, ":uid" => $uid, ":account" => $account);
|
|
| 131 |
+ db_query("INSERT INTO misc.mysql_access (`database`,user) VALUES ((SELECT id FROM misc.mysql_database WHERE name=:db AND useraccount=:uid LIMIT 1), (SELECT id FROM misc.mysql_accounts WHERE username=:account AND useraccount=:uid))", $args);
|
|
| 132 | 132 |
logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "granting access on »{$db}« to »{$account}«");
|
| 133 | 133 |
} |
| 134 | 134 |
else |
| 135 | 135 |
{
|
| 136 | 136 |
if (! get_mysql_access($db, $account)) |
| 137 | 137 |
return NULL; |
| 138 |
- $query = "DELETE FROM misc.mysql_access WHERE `database`=(SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1) AND user=(SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid});";
|
|
| 138 |
+ $args = array(":db" => $db, ":account" => $account, ":uid" => $uid);
|
|
| 139 |
+ db_query("DELETE FROM misc.mysql_access WHERE `database`=(SELECT id FROM misc.mysql_database WHERE name=:db AND useraccount=:uid LIMIT 1) AND user=(SELECT id FROM misc.mysql_accounts WHERE username=:account AND useraccount=:uid)", $args);
|
|
| 139 | 140 |
logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "revoking access on »{$db}« from »{$account}«");
|
| 140 | 141 |
} |
| 141 |
- db_query($query); |
|
| 142 | 142 |
} |
| 143 | 143 |
|
| 144 | 144 |
|
| ... | ... |
@@ -150,20 +150,20 @@ function create_mysql_account($username, $description = '') |
| 150 | 150 |
input_error("Der eingegebene Benutzername entspricht leider nicht der Konvention. Bitte tragen Sie einen passenden Namen ein.");
|
| 151 | 151 |
return NULL; |
| 152 | 152 |
} |
| 153 |
- $uid = $_SESSION['userinfo']['uid']; |
|
| 154 |
- $username = db_escape_string($username); |
|
| 155 |
- $description = maybe_null($description); |
|
| 153 |
+ $args = array(":uid" => $_SESSION['userinfo']['uid'],
|
|
| 154 |
+ ":username" => $username, |
|
| 155 |
+ ":desc" => $description); |
|
| 156 | 156 |
logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "creating user »{$username}«");
|
| 157 |
- db_query("INSERT INTO misc.mysql_accounts (username, password, useraccount, description) VALUES ('$username', '!', $uid, $description);");
|
|
| 157 |
+ db_query("INSERT INTO misc.mysql_accounts (username, password, useraccount, description) VALUES (:username, '!', :uid, :desc)", $args);
|
|
| 158 | 158 |
} |
| 159 | 159 |
|
| 160 | 160 |
|
| 161 | 161 |
function delete_mysql_account($username) |
| 162 | 162 |
{
|
| 163 |
- $username = db_escape_string($username); |
|
| 164 |
- $uid = $_SESSION['userinfo']['uid']; |
|
| 163 |
+ $args = array(":uid" => $_SESSION['userinfo']['uid'],
|
|
| 164 |
+ ":username" => $username); |
|
| 165 | 165 |
logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "deleting user »{$username}«");
|
| 166 |
- db_query("DELETE FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
|
|
| 166 |
+ db_query("DELETE FROM misc.mysql_accounts WHERE username=:username AND useraccount=:uid", $args);
|
|
| 167 | 167 |
} |
| 168 | 168 |
|
| 169 | 169 |
|
| ... | ... |
@@ -175,24 +175,24 @@ function create_mysql_database($dbname, $description = '', $server = NULL) |
| 175 | 175 |
input_error("Der eingegebene Datenbankname entspricht leider nicht der Konvention. Bitte tragen Sie einen passenden Namen ein.");
|
| 176 | 176 |
return NULL; |
| 177 | 177 |
} |
| 178 |
- $dbname = db_escape_string($dbname); |
|
| 179 |
- $uid = $_SESSION['userinfo']['uid']; |
|
| 180 |
- $description = maybe_null($description); |
|
| 181 |
- $server = (int) $server; |
|
| 182 | 178 |
if (! in_array($server, additional_servers()) || ($server == my_server_id())) {
|
| 183 | 179 |
$server = 'NULL'; |
| 184 | 180 |
} |
| 181 |
+ $args = array(":dbname" => $dbname,
|
|
| 182 |
+ ":uid" => $_SESSION['userinfo']['uid'], |
|
| 183 |
+ ":desc" => $description, |
|
| 184 |
+ ":server" => $server); |
|
| 185 | 185 |
logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "creating database »{$dbname}«");
|
| 186 |
- db_query("INSERT INTO misc.mysql_database (name, useraccount, server, description) VALUES ('$dbname', $uid, $server, $description);");
|
|
| 186 |
+ db_query("INSERT INTO misc.mysql_database (name, useraccount, server, description) VALUES (:dbname, :uid, :server, :desc)", $args);
|
|
| 187 | 187 |
} |
| 188 | 188 |
|
| 189 | 189 |
|
| 190 | 190 |
function delete_mysql_database($dbname) |
| 191 | 191 |
{
|
| 192 |
- $dbname = db_escape_string($dbname); |
|
| 193 |
- $uid = $_SESSION['userinfo']['uid']; |
|
| 192 |
+ $args = array(":dbname" => $dbname,
|
|
| 193 |
+ ":uid" => $_SESSION['userinfo']['uid']); |
|
| 194 | 194 |
logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "removing database »{$dbname}«");
|
| 195 |
- db_query("DELETE FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
|
|
| 195 |
+ db_query("DELETE FROM misc.mysql_database WHERE name=:dbname AND useraccount=:uid", $args);
|
|
| 196 | 196 |
} |
| 197 | 197 |
|
| 198 | 198 |
|
| ... | ... |
@@ -212,28 +212,28 @@ function validate_mysql_username($username) |
| 212 | 212 |
|
| 213 | 213 |
function set_mysql_password($username, $password) |
| 214 | 214 |
{
|
| 215 |
- $username = db_escape_string($username); |
|
| 216 |
- $password = db_escape_string($password); |
|
| 217 |
- $uid = $_SESSION['userinfo']['uid']; |
|
| 215 |
+ $args = array(":uid" => $_SESSION['userinfo']['uid'],
|
|
| 216 |
+ ":username" => $username, |
|
| 217 |
+ ":password" => $password); |
|
| 218 | 218 |
logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "updating password for »{$username}«");
|
| 219 |
- db_query("UPDATE misc.mysql_accounts SET password=PASSWORD('$password') WHERE username='$username' AND useraccount=$uid;");
|
|
| 219 |
+ db_query("UPDATE misc.mysql_accounts SET password=PASSWORD(:password) WHERE username=:username AND useraccount=:uid", $args);
|
|
| 220 | 220 |
} |
| 221 | 221 |
|
| 222 | 222 |
|
| 223 | 223 |
function has_mysql_database($dbname) |
| 224 | 224 |
{
|
| 225 |
- $uid = $_SESSION['userinfo']['uid']; |
|
| 226 |
- $dbname = db_escape_string($dbname); |
|
| 227 |
- $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
|
|
| 225 |
+ $args = array(":uid" => $_SESSION['userinfo']['uid'],
|
|
| 226 |
+ ":dbname" => $dbname); |
|
| 227 |
+ $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name=:dbname AND useraccount=:uid", $args);
|
|
| 228 | 228 |
return ($result->rowCount() == 1); |
| 229 | 229 |
} |
| 230 | 230 |
|
| 231 | 231 |
|
| 232 | 232 |
function has_mysql_user($username) |
| 233 | 233 |
{
|
| 234 |
- $uid = $_SESSION['userinfo']['uid']; |
|
| 235 |
- $userame = db_escape_string($username); |
|
| 236 |
- $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
|
|
| 234 |
+ $args = array(":uid" => $_SESSION['userinfo']['uid'],
|
|
| 235 |
+ ":username" => $username); |
|
| 236 |
+ $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username=:username AND useraccount=:uid", $args);
|
|
| 237 | 237 |
return ($result->rowCount() == 1); |
| 238 | 238 |
} |
| 239 | 239 |
|
| ... | ... |
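Review bot: In create_mysql_database (the `@@ -175,24` hunk) the unchanged fallback `$server = 'NULL';` now feeds the new `":server" => $server` binding, so the driver sends the four-character string 'NULL' as the parameter value instead of SQL NULL — the literal-NULL trick only worked while the value was interpolated into the query text. The assignment should become `$server = NULL;` so a real null is bound (assuming db_query hands the array to PDOStatement::execute, which the PDO::FETCH_OBJ use elsewhere in the file suggests). Dropping `$server = (int) $server;` in the same hunk also leaves `in_array($server, additional_servers())` comparing the raw input loosely, so restoring the cast before that check would keep the server-id validation strict. Separately, `maybe_null($description)` was removed in create_mysql_account, create_mysql_database and both set_*_description functions, so an empty description is now stored as '' rather than NULL unless db_query maps it; worth confirming that is intended. create_mysql_database's signature and its preceding name validation lie above the hunk's first line.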
@@ -137,7 +137,7 @@ function check_totp($username, $code) {
|
| 137 | 137 |
|
| 138 | 138 |
$checkResult = $ga->verifyCode($secret, $code, 2); // 2 = 2*30sec clock tolerance |
| 139 | 139 |
if ($checkResult) {
|
| 140 |
- db_query("UPDATE mail.webmail_totp SET failures = 0, unlock_timestamp=NULL WHERE email='{$username}'");
|
|
| 140 |
+ db_query("UPDATE mail.webmail_totp SET failures = 0, unlock_timestamp=NULL WHERE email=?", array($username));
|
|
| 141 | 141 |
blacklist_token($username, $code); |
| 142 | 142 |
DEBUG('OK');
|
| 143 | 143 |
} else {
|
| 144 | 144 |