Modul subusers auf prepared statements umgestellt / Typo
Bernd Wurst

Bernd Wurst commited on 2014-02-06 09:18:48
Zeige 3 geänderte Dateien mit 29 Einfügungen und 20 Löschungen.

@@ -23,7 +23,7 @@ require_once("inc/debug.php");
23 23
 function list_subusers()
24 24
 {
25 25
   $uid = (int) $_SESSION['userinfo']['uid'];
26
-  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid}");
26
+  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid=?", array($uid));
27 27
   $subusers = array();
28 28
   while ($item = $result->fetch())
29 29
   {
@@ -36,10 +36,9 @@ function list_subusers()
36 36
 
37 37
 
38 38
 function load_subuser($id) {
39
-  $id = (int) $id;
40
-  $uid = (int) $_SESSION['userinfo']['uid'];
39
+  $args = array(":id" => $id, ":uid" => $_SESSION['userinfo']['uid']);
41 40
   
42
-  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid} AND id={$id}");
41
+  $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid=:uid AND id=:id", $args);
43 42
   $item = $result->fetch();
44 43
   $item['modules'] = explode(',', $item['modules']);
45 44
   return $item;
@@ -63,23 +62,22 @@ function available_modules()
63 62
 }
64 63
 
65 64
 function delete_subuser($id) {
66
-  $id = (int) $id;
67
-  $uid = (int) $_SESSION['userinfo']['uid'];
65
+  $args = array(":id" => $id, ":uid" => $_SESSION['userinfo']['uid']);
68 66
   
69
-  db_query("DELETE FROM system.subusers WHERE id={$id} AND uid={$uid}");
67
+  db_query("DELETE FROM system.subusers WHERE id=:id AND uid=:uid", $args);
70 68
 }
71 69
 
72 70
 function empty_subuser()
73 71
 {
74
-  $subuser = array("id" => NULL, "username" => $_SESSION['userinfo']['username'].'_', "modules" => array('index'));
72
+  $subuser = array("id" => NULL, 
73
+                   "username" => $_SESSION['userinfo']['username'].'_', 
74
+                   "modules" => array('index'));
75 75
   return $subuser;
76 76
 }
77 77
 
78 78
 function new_subuser($username, $requested_modules, $password) 
79 79
 {
80
-  $uid = (int) $_SESSION['userinfo']['uid'];
81
-
82
-  $username = db_escape_string(filter_input_username($username));
80
+  $username = filter_input_username($username);
83 81
   if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
84 82
     // Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
85 83
     system_failure("Ungültiger Benutzername!");
@@ -100,15 +98,18 @@ function new_subuser($username, $requested_modules, $password)
100 98
   if (count($modules) == 0) {
101 99
     system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
102 100
   }
103
-  $modules = db_escape_string(implode(',', $modules));
104 101
   
105 102
   $result = strong_password($password);
106 103
   if ($result !== true) {
107 104
     system_failure("Unsicheres Passwort. Die Meldung von cracklib lautet: ".$result);
108 105
   }
109
-  $password = hash("sha256", $password);
110 106
 
111
-  db_query("INSERT INTO system.subusers (uid, username, password, modules) VALUES ({$uid}, '{$username}', '{$password}', '{$modules}')");
107
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
108
+                ":username" => $username,
109
+                ":password" => hash("sha256", $password),
110
+                ":modules" => implode(',', $modules));
111
+
112
+  db_query("INSERT INTO system.subusers (uid, username, password, modules) VALUES (:uid, :username, :password, :modules)", $args);
112 113
 }
113 114
 
114 115
 
@@ -128,7 +129,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
128 129
     system_failure("Kann diesen Account nicht finden!");
129 130
   }
130 131
 
131
-  $username = db_escape_string(filter_input_username($username));
132
+  $username = filter_input_username($username);
132 133
   if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
133 134
     // Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
134 135
     system_failure("Ungültiger Benutzername!");
@@ -148,7 +149,11 @@ function edit_subuser($id, $username, $requested_modules, $password)
148 149
   if (count($modules) == 0) {
149 150
     system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
150 151
   }
151
-  $modules = db_escape_string(implode(',', $modules));
152
+  
153
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
154
+                ":id" => $id,
155
+                ":username" => $username,
156
+                ":modules" => implode(',', $modules));
152 157
 
153 158
   $pwchange = '';
154 159
   if ($password) {
@@ -156,12 +161,12 @@ function edit_subuser($id, $username, $requested_modules, $password)
156 161
     if ($result !== true) {
157 162
       system_failure("Unsicheres Passwort. Die Meldung von cracklib lautet: ".$result);
158 163
     }
159
-    $password = hash("sha256", $password);
160
-    $pwchange = ", password='{$password}'";
164
+    $args[':password'] = hash("sha256", $password);
165
+    $pwchange = ", password=:password";
161 166
   }
162 167
 
163 168
 
164
-  db_query("UPDATE system.subusers SET username='{$username}', modules='{$modules}'{$pwchange} WHERE id={$id} AND uid={$uid}");
169
+  db_query("UPDATE system.subusers SET username=:username, modules=:modules{$pwchange} WHERE id=:id AND uid=:uid", $args);
165 170
 }
166 171
 
167 172
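Review bot: In load_subuser and delete_subuser the `(int)` casts on `$id` and on `$_SESSION['userinfo']['uid']` were dropped when the values moved into the bound `$args` array; binding removes the injection risk, but the integer validation went with it, so delete_subuser now issues a DELETE keyed on whatever value the caller passes. Keeping the cast on the bound value costs nothing and stops a non-numeric `$id` from ever reaching the query: `$args = array(":id" => (int) $id, ":uid" => (int) $_SESSION['userinfo']['uid']);` in both functions, and the same `(int)` on the `:uid`/`:id` entries built in new_subuser and edit_subuser. How db_query binds its parameters is not visible here; if it emulates prepares on the client side, a string-typed `$id` would be sent quoted and left to the database's implicit numeric conversion, which is a further reason to fix the type in PHP. Separately, the `hash("sha256", $password)` now placed in the `:password` binding is the unsalted digest carried over from the old code; if the login path can be adjusted in step, `password_hash()`/`password_verify()` would be the stronger storage scheme. The bodies of load_subuser, new_subuser and edit_subuser continue outside the hunks shown.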
 
@@ -0,0 +1,4 @@
1
+name = webapps
2
+description = Web-Anwendungen installieren
3
+permission = Web-Anwendungen installieren / Freewvs-Meldungen einsehen
4
+
@@ -297,7 +297,7 @@ function setup_session($role, $useridentity)
297 297
     $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER;
298 298
     $_SESSION['subuser'] = $useridentity;
299 299
     $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username=?", array($info['username']));
300
-    if ($entry = $data->fetch) {
300
+    if ($entry = $data->fetch()) {
301 301
       if ($entry['kundenaccount'] == 1) {
302 302
         $customer = get_customer_info($_SESSION['userinfo']['username']);
303 303
         $_SESSION['customerinfo'] = $customer;
304 304