Browse code

Modul subusers auf prepared statements umgestellt / Typo

Bernd Wurst authored on06/02/2014 09:18:48
Showing3 changed files
... ...
@@ -23,7 +23,7 @@ require_once("inc/debug.php");
23 23
 function list_subusers()
24 24
 {
25 25
   $uid = (int) $_SESSION['userinfo']['uid'];
26
-  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid}");
26
+  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid=?", array($uid));
27 27
   $subusers = array();
28 28
   while ($item = $result->fetch())
29 29
   {
... ...
@@ -36,10 +36,9 @@ function list_subusers()
36 36
 
37 37
 
38 38
 function load_subuser($id) {
39
-  $id = (int) $id;
40
-  $uid = (int) $_SESSION['userinfo']['uid'];
39
+  $args = array(":id" => $id, ":uid" => $_SESSION['userinfo']['uid']);
41 40
   
42
-  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid} AND id={$id}");
41
+  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid=:uid AND id=:id", $args);
43 42
   $item = $result->fetch();
44 43
   $item['modules'] = explode(',', $item['modules']);
45 44
   return $item;
... ...
@@ -63,23 +62,22 @@ function available_modules()
63 62
 }
64 63
 
65 64
 function delete_subuser($id) {
66
-  $id = (int) $id;
67
-  $uid = (int) $_SESSION['userinfo']['uid'];
65
+  $args = array(":id" => $id, ":uid" => $_SESSION['userinfo']['uid']);
68 66
   
69
-  db_query("DELETE FROM system.subusers WHERE id={$id} AND uid={$uid}");
67
+  db_query("DELETE FROM system.subusers WHERE id=:id AND uid=:uid", $args);
70 68
 }
71 69
 
72 70
 function empty_subuser()
73 71
 {
74
-  $subuser = array("id" => NULL, "username" => $_SESSION['userinfo']['username'].'_', "modules" => array('index'));
72
+  $subuser = array("id" => NULL, 
73
+                   "username" => $_SESSION['userinfo']['username'].'_', 
74
+                   "modules" => array('index'));
75 75
   return $subuser;
76 76
 }
77 77
 
78 78
 function new_subuser($username, $requested_modules, $password) 
79 79
 {
80
-  $uid = (int) $_SESSION['userinfo']['uid'];
81
-
82
-  $username = db_escape_string(filter_input_username($username));
80
+  $username = filter_input_username($username);
83 81
   if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
84 82
     // Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
85 83
     system_failure("Ungültiger Benutzername!");
... ...
@@ -100,15 +98,18 @@ function new_subuser($username, $requested_modules, $password)
100 98
   if (count($modules) == 0) {
101 99
     system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
102 100
   }
103
-  $modules = db_escape_string(implode(',', $modules));
104 101
   
105 102
   $result = strong_password($password);
106 103
   if ($result !== true) {
107 104
     system_failure("Unsicheres Passwort. Die Meldung von cracklib lautet: ".$result);
108 105
   }
109
-  $password = hash("sha256", $password);
110 106
 
111
-  db_query("INSERT INTO system.subusers (uid, username, password, modules) VALUES ({$uid}, '{$username}', '{$password}', '{$modules}')");
107
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
108
+                ":username" => $username,
109
+                ":password" => hash("sha256", $password),
110
+                ":modules" => implode(',', $modules));
111
+
112
+  db_query("INSERT INTO system.subusers (uid, username, password, modules) VALUES (:uid, :username, :password, :modules)", $args);
112 113
 }
113 114
 
114 115
 
... ...
@@ -128,7 +129,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
128 129
     system_failure("Kann diesen Account nicht finden!");
129 130
   }
130 131
 
131
-  $username = db_escape_string(filter_input_username($username));
132
+  $username = filter_input_username($username);
132 133
   if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
133 134
     // Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
134 135
     system_failure("Ungültiger Benutzername!");
... ...
@@ -148,20 +149,24 @@ function edit_subuser($id, $username, $requested_modules, $password)
148 149
   if (count($modules) == 0) {
149 150
     system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
150 151
   }
151
-  $modules = db_escape_string(implode(',', $modules));
152 152
   
153
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
154
+                ":id" => $id,
155
+                ":username" => $username,
156
+                ":modules" => implode(',', $modules));
157
+
153 158
   $pwchange = '';
154 159
   if ($password) {
155 160
     $result = strong_password($password);
156 161
     if ($result !== true) {
157 162
       system_failure("Unsicheres Passwort. Die Meldung von cracklib lautet: ".$result);
158 163
     }
159
-    $password = hash("sha256", $password);
160
-    $pwchange = ", password='{$password}'";
164
+    $args[':password'] = hash("sha256", $password);
165
+    $pwchange = ", password=:password";
161 166
   }
162 167
 
163 168
 
164
-  db_query("UPDATE system.subusers SET username='{$username}', modules='{$modules}'{$pwchange} WHERE id={$id} AND uid={$uid}");
169
+  db_query("UPDATE system.subusers SET username=:username, modules=:modules{$pwchange} WHERE id=:id AND uid=:uid", $args);
165 170
 }
166 171
 
167 172
 
... ...
@@ -0,0 +1,4 @@
1
+name = webapps
2
+description = Web-Anwendungen installieren
3
+permission = Web-Anwendungen installieren / Freewvs-Meldungen einsehen
4
+
... ...
@@ -297,7 +297,7 @@ function setup_session($role, $useridentity)
297 297
     $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER;
298 298
     $_SESSION['subuser'] = $useridentity;
299 299
     $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username=?", array($info['username']));
300
-    if ($entry = $data->fetch) {
300
+    if ($entry = $data->fetch()) {
301 301
       if ($entry['kundenaccount'] == 1) {
302 302
         $customer = get_customer_info($_SESSION['userinfo']['username']);
303 303
         $_SESSION['customerinfo'] = $customer;