Weitere Umstellungen auf prepared statements (c0def06) - webinterface.git

Weitere Umstellungen auf prepared statements

Bernd Wurst commited on 2014-02-03 20:49:24
Zeige 7 geänderte Dateien mit 92 Einfügungen und 87 Löschungen.

class/database.php 387a93e..638c9a6
modules/email/imap.php eae1ef0..be4bcd3
modules/email/include/mailaccounts.php 8659690..a516f4d
modules/greylisting/include/greylisting.php a96b120..1d3050b
modules/jabber/include/jabberaccounts.php 256621d..70fc787
modules/mailman/include/mailman.php 7f43e44..4c60385
modules/webmailtotp/include/totp.php 3dd5d7a..f61f0c3

class/database.php

@@ -39,6 +39,13 @@ class DB extends PDO {
   */
   function query($stmt, $params = NULL) {
     if (is_array($params)) {
+      if (config("enable_debug")) {
+        foreach (array_values($params) as $p) {
+          if ($p === '') {
+            warning("Potential bug, empty string found in database parameters");
+          }
+        }
+      }
       $response = parent::prepare($stmt);
       $response->execute($params);
       return $response;

modules/email/imap.php

Zeige Datei @ c0def06

@@ -71,8 +71,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'save')
     $error = check_valid($acc);
     if ($error != "")
     {
-      input_error($error);
-      output("");
+      system_failure($error);
     }
     else
     {

modules/email/include/mailaccounts.php

Zeige Datei @ c0def06

@@ -77,9 +77,9 @@ function change_mailaccount($id, $arr)
   if (isset($arr['mailbox'])) {
     array_push($conditions, "`maildir`=:maildir");
     if ($arr['mailbox'] == '')
-      $values[":mailbox"] = NULL;
+      $values[":maildir"] = NULL;
     else
-      $values[":mailbox"] = $arr['mailbox'];
+      $values[":maildir"] = $arr['mailbox'];
   }
 
   if (isset($arr['password']))

modules/greylisting/include/greylisting.php

Zeige Datei @ c0def06

@@ -17,7 +17,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 function whitelist_entries() 
 {
 	$uid = (int) $_SESSION['userinfo']['uid'];
-	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid};");
+	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid=?", array($uid));
 	$return = array();
 	while ($line = $res->fetch())
 		array_push($return, $line);
@@ -27,9 +27,9 @@ function whitelist_entries()
 
 function get_whitelist_details($id)
 {
-	$id = (int) $id;
-	$uid = (int) $_SESSION['userinfo']['uid'];
-	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid} AND id={$id};");
+  $args = array(":id" => $id,
+                ":uid" => $_SESSION['userinfo']['uid']);
+	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid=:uid AND id=:id", $args);
 	if ($res->rowCount() != 1)
 		system_failure('Kann diesen Eintrag nicht finden');
 	return $res->fetch();
@@ -42,7 +42,7 @@ function delete_from_whitelist($id)
 	// Check if the ID is valid: This will die if not.
 	$entry = get_whitelist_details($id);
 
-	db_query("DELETE FROM mail.greylisting_manual_whitelist WHERE id={$id} LIMIT 1;");
+	db_query("DELETE FROM mail.greylisting_manual_whitelist WHERE id=?", array($id));
 }
 
 
@@ -55,8 +55,9 @@ function valid_entry($local, $domain)
 			system_failure('Diese E-Mail-Adresse gehört Ihnen nicht!');
 		return true;
 	}
-	$d = db_escape_string($domain);
-	$res = db_query("SELECT id FROM mail.v_domains WHERE domainname='{$d}' AND user={$_SESSION['userinfo']['uid']} LIMIT 1");
+  $args = array(":domain" => $domain,
+                ":uid" => $_SESSION['userinfo']['uid']);
+	$res = db_query("SELECT id FROM mail.v_domains WHERE domainname=:domain AND user=:uid", $args);
 	if ($res->rowCount() != 1)
 		system_failure('Diese domain gehört Ihnen nicht!');
 	return true;
@@ -66,17 +67,19 @@ function valid_entry($local, $domain)
 function new_whitelist_entry($local, $domain, $minutes)
 {
 	valid_entry($local, $domain);
-	$uid = (int) $_SESSION['userinfo']['uid'];
-	$local = maybe_null($local);
-	$domain = db_escape_string($domain);
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
+                ":local" => $local,
+                ":domain" => $domain);
 	
-	$expire = '';
-	if ($minutes == 'none')
 	$expire = 'NULL';
-	else
-		$expire = "NOW() + INTERVAL ". (int) $minutes ." MINUTE";
+	if ($minutes == 'none') {
+		$expire = 'NULL';
+  }	else {
+    $args[':minutes'] = $minutes;
+		$expire = "NOW() + INTERVAL :minutes MINUTE";
+  }
 	db_query("INSERT INTO mail.greylisting_manual_whitelist (local,domain,date,expire,uid) VALUES ".
-	         "({$local}, '{$domain}', NOW(), {$expire}, $uid);");
+	         "(:local, :domain, NOW(), {$expire}, :uid)", $args);
 }
 
 

modules/jabber/include/jabberaccounts.php

Zeige Datei @ c0def06

@@ -22,7 +22,7 @@ require_once('class/domain.php');
 function get_jabber_accounts() {
   require_role(ROLE_CUSTOMER);
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
-  $result = db_query("SELECT id, `create`, created, lastactivity, local, domain FROM jabber.accounts WHERE customerno='$customerno' AND `delete`=0;");
+  $result = db_query("SELECT id, `create`, created, lastactivity, local, domain FROM jabber.accounts WHERE customerno=? AND `delete`=0", array($customerno));
   $accounts = array();
   if (@$result->rowCount() > 0)
     while ($acc = @$result->fetch())
@@ -35,11 +35,10 @@ function get_jabber_accounts() {
 function get_jabberaccount_details($id)
 {
   require_role(ROLE_CUSTOMER);
-  $customerno = (int) $_SESSION['customerinfo']['customerno'];
-
-  $id = (int) $id;
+  $args = array(":customerno" => $_SESSION['customerinfo']['customerno'],
+                ":id" => $id);
 
-  $result = db_query("SELECT id, local, domain FROM jabber.accounts WHERE customerno={$customerno} AND id={$id} LIMIT 1");
+  $result = db_query("SELECT id, local, domain FROM jabber.accounts WHERE customerno=:customerno AND id=:id", $args);
   if ($result->rowCount() != 1)
     system_failure("Invalid account");
   $data = $result->fetch();
@@ -69,20 +68,20 @@ function valid_jabber_password($pass)
 function create_jabber_account($local, $domain, $password)
 {
   require_role(ROLE_CUSTOMER);
-  $customerno = (int) $_SESSION['customerinfo']['customerno'];
-
-  $local = db_escape_string( filter_input_username($local) );
-  $domain = (int) $domain;
+  $data = array(":customerno" => $_SESSION['customerinfo']['customerno'],
+                ":local" => filter_input_username($local),
+                ":domain" => $domain);
   if (! valid_jabber_password($password))
   {
     input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
     return;
   }
-  $password = db_escape_string( $password );
+  $data[':password'] = $password;
   
   if ($domain > 0)
   {
-    $result = db_query("SELECT id FROM kundendaten.domains WHERE kunde={$customerno} AND jabber=1 AND id={$domain};");
+    $args = array(":domain" => $data[":domain"], ":customerno" => $data[":customerno"]);
+    $result = db_query("SELECT id FROM kundendaten.domains WHERE kunde=:customerno AND jabber=1 AND id=:domain", $args);
     if ($result->rowCount() == 0)
     {
       logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create account for invalid domain »{$domain}«");
@@ -90,20 +89,22 @@ function create_jabber_account($local, $domain, $password)
     }
   }
 
-  $domainquery = "domain={$domain}";
+  $args = array(":domain" => $data[":domain"], ":local" => $data[":local"]);
+  $domainquery = "domain=:domain";
   if ($domain == 0)
   {
-    $domain = 'NULL';
+    unset($args[":domain"]);
+    $data[":domain"] = NULL;
     $domainquery = 'domain IS NULL'; 
   }
-  $result = db_query("SELECT id FROM jabber.accounts WHERE local='{$local}' AND {$domainquery}");
+  $result = db_query("SELECT id FROM jabber.accounts WHERE local=:local AND {$domainquery}", $args);
   if ($result->rowCount() > 0)
   {
     logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create already existing account »{$local}@{$domain}«");
     system_failure("Diesen Account gibt es bereits!");
   }
 
-  db_query("INSERT INTO jabber.accounts (customerno,local,domain,password) VALUES ({$customerno}, '{$local}', {$domain}, '{$password}');");
+  db_query("INSERT INTO jabber.accounts (customerno,local,domain,password) VALUES (:customerno, :local, :domain, :password);", $data);
   logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "created account »{$local}@{$domain}«");
 }
 
@@ -112,16 +113,16 @@ function create_jabber_account($local, $domain, $password)
 function change_jabber_password($id, $password)
 {
   require_role(ROLE_CUSTOMER);
-  $customerno = (int) $_SESSION['customerinfo']['customerno'];
-  $id = (int) $id;
   if (! valid_jabber_password($password))
   {
     input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
     return;
   }
-  $password = db_escape_string( $password );
+  $args = array(":customerno" => $_SESSION['customerinfo']['customerno'],
+                ":id" => $id,
+                ":password" => $password);
   
-  db_query("UPDATE jabber.accounts SET password='{$password}' WHERE customerno={$customerno} AND id={$id} LIMIT 1");
+  db_query("UPDATE jabber.accounts SET password=:password WHERE customerno=:customerno AND id=:id", $args);
   logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "changed password for account  »{$id}«");
 }
 
@@ -130,11 +131,11 @@ function change_jabber_password($id, $password)
 function delete_jabber_account($id)
 {
   require_role(ROLE_CUSTOMER);
-  $customerno = (int) $_SESSION['customerinfo']['customerno'];
   
-  $id = (int) $id;
+  $args = array(":customerno" => $_SESSION['customerinfo']['customerno'],
+                ":id" => $id);
 
-  db_query("UPDATE jabber.accounts SET `delete`=1 WHERE customerno={$customerno} AND id={$id} LIMIT 1");
+  db_query("UPDATE jabber.accounts SET `delete`=1 WHERE customerno=:customerno AND id=:id", $args);
   logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "deleted account »{$id}«");
 }
 
@@ -143,7 +144,7 @@ function new_jabber_domain($id)
 {
   $d = new Domain( (int) $id );
   $d->ensure_customerdomain();
-  db_query("UPDATE kundendaten.domains SET jabber=2 WHERE jabber=0 AND id={$d->id} LIMIT 1");
+  db_query("UPDATE kundendaten.domains SET jabber=2 WHERE jabber=0 AND id=?", array($d->id));
 }
 
 

modules/mailman/include/mailman.php

Zeige Datei @ c0def06

@@ -22,7 +22,7 @@ require_once('inc/security.php');
 function get_lists()
 {
   $uid = (int) $_SESSION['userinfo']['uid'];
-  $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid};");
+  $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner=?", array($uid));
   $ret = array();
   while ($list = $result->fetch())
     $ret[] = $list;
@@ -33,9 +33,9 @@ function get_lists()
 
 function get_list($id)
 {
-  $id = (int) $id;
-  $uid = (int) $_SESSION['userinfo']['uid'];
-  $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid} AND id={$id};");
+  $args = array(":id" => $id,
+                ":uid" => $_SESSION['userinfo']['uid']);
+  $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner=:uid AND id=:id", $args);
   if ($result->rowCount() < 1)
     system_failure('Die gewünschte Mailingliste konnte nicht gefunden werden');
   $list = $result->fetch();
@@ -47,26 +47,28 @@ function get_list($id)
 
 function delete_list($id)
 {
-  $uid = (int) $_SESSION['userinfo']['uid'];
-  $id = (int) $id;
-  db_query("UPDATE mail.mailman_lists SET status='delete' WHERE owner={$uid} AND id={$id};");
+  $args = array(":id" => $id,
+                ":uid" => $_SESSION['userinfo']['uid']);
+  db_query("UPDATE mail.mailman_lists SET status='delete' WHERE owner=:uid AND id=:id", $args);
 }
 
 
 function create_list($listname, $maildomain, $admin)
 {
   verify_input_username($listname);
-  $maildomain = maybe_null( (int) $maildomain );
-  $owner = (int) $_SESSION['userinfo']['uid'];
   verify_input_general($admin);
   if (! check_emailaddr($admin))
     system_failure('Der Verwalter muss eine gültige E-Mail-Adresse sein ('.$admin.').');
-  $admin = db_escape_string($admin);
-  $result = db_query("SELECT id FROM mail.mailman_lists WHERE listname='{$listname}'");
+  $result = db_query("SELECT id FROM mail.mailman_lists WHERE listname=?", array($listname));
   if ($result->rowCount() > 0)
     system_failure('Eine Liste mit diesem Namen existiert bereits (unter dieser oder einer anderen Domain). Jeder Listenname kann nur einmal verwendet werden.');
 
-  db_query("INSERT INTO mail.mailman_lists (status, listname, maildomain, owner, admin) VALUES ('pending', '{$listname}', {$maildomain}, {$owner}, '{$admin}');");
+  $args = array(":listname" => $listname,
+                ":maildomain" => $maildomain,
+                ":owner" => $_SESSION['userinfo']['uid'],
+                ":admin" => $admin);
+
+  db_query("INSERT INTO mail.mailman_lists (status, listname, maildomain, owner, admin) VALUES ('pending', :listname, :maildomain, :owner, :admin)", $args);
   DEBUG('Neue ID: '.db_insert_id());
 }
 
@@ -74,7 +76,7 @@ function create_list($listname, $maildomain, $admin)
 function get_mailman_domains()
 {
   $uid = (int) $_SESSION['userinfo']['uid'];
-  $result = db_query("SELECT md.id, md.fqdn FROM mail.v_mailman_domains AS md left join mail.v_domains AS d on (d.id=md.domain) where d.user={$uid}");
+  $result = db_query("SELECT md.id, md.fqdn FROM mail.v_mailman_domains AS md left join mail.v_domains AS d on (d.id=md.domain) where d.user=?", array($uid));
   $ret = array();
   while ($dom = $result->fetch())
     $ret[] = $dom;

modules/webmailtotp/include/totp.php

Zeige Datei @ c0def06

@@ -16,8 +16,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 
 function account_has_totp($username)
 {
-  $username = db_escape_string($username);
-  $result = db_query("SELECT id FROM mail.webmail_totp WHERE email='{$username}'");
+  $result = db_query("SELECT id FROM mail.webmail_totp WHERE email=?", array($username));
   if ($result->rowCount() > 0) {
     $tmp = $result->fetch();
     $id = $tmp['id'];
@@ -31,8 +30,8 @@ function account_has_totp($username)
 
 function validate_password($username, $password) 
 {
-  $username = db_escape_string($username);
-  $result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account='{$username}' UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account='{$username}'");
+  $args[":username"] = $username;
+  $result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account=:username UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account=:username", $args);
   if ($result->rowCount() != 1) {
     // Kein Account mit dem Namen oder Name nicht eindeutig
     return false;
@@ -58,12 +57,12 @@ function store_webmail_password($username, $oldpw, $newpw)
   for ($i = 0 ; $i != strlen($oldpw) ; $i++) {
     $code .= chr( ord($oldpw[$i]) ^ ord($secret[$i]) );
   }
-  $code = base64_encode($code);
-  DEBUG(array($oldpw, $newpw, $code));
+  DEBUG(array($oldpw, $newpw));
+  $args = array(":uid" => $_SESSION['userinfo']['uid'],
+                ":username" => $username,
+                ":code" => base64_encode($code));
 
-  $uid = (int) $_SESSION['userinfo']['uid'];
-
-  db_query("REPLACE INTO mail.webmail_totp (useraccount, email, webmailpass) VALUES ({$uid}, '{$username}', '{$code}')");
+  db_query("REPLACE INTO mail.webmail_totp (useraccount, email, webmailpass) VALUES (:uid, :username, :code)", $args);
 }
 
 
@@ -87,8 +86,7 @@ function decode_webmail_password($crypted, $webmailpw)
 
 
 function get_imap_password($username, $webmailpass) {
-  $username = db_escape_string($username);
-  $result = db_query("SELECT webmailpass FROM mail.webmail_totp WHERE email='{$username}'");
+  $result = db_query("SELECT webmailpass FROM mail.webmail_totp WHERE email=?", array($username));
   $tmp = $result->fetch();
   
   $crypted = $tmp['webmailpass'];
@@ -107,21 +105,20 @@ function check_webmail_password($username, $webmailpass)
 
 function generate_secret($username)
 {
-  $username = db_escape_string($username);
   require_once('external/googleauthenticator/GoogleAuthenticator.php');
   $ga = new PHPGangsta_GoogleAuthenticator();
   
   $secret = $ga->createSecret();
   DEBUG('GA-Secret: '.$secret);
   DEBUG('QrCode: '.$ga->getQRCodeGoogleUrl('Blog', $secret));
-  db_query("UPDATE mail.webmail_totp SET totp_secret='{$secret}' WHERE email='{$username}'");
+  $args = array(":secret" => $secret, ":username" => $username);
+  db_query("UPDATE mail.webmail_totp SET totp_secret=:secret WHERE email=:username", $args);
   return $secret;
 }
 
 function check_locked($username) 
 {
-  $username = db_escape_string($username);
-  $result = db_query("SELECT 1 FROM mail.webmail_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email='{$username}'");
+  $result = db_query("SELECT 1 FROM mail.webmail_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email=?", array($username));
   return ($result->rowCount() > 0);
 }
 
@@ -131,9 +128,7 @@ function check_totp($username, $code) {
     return false;
   }
 
-  $username = db_escape_string($username);
-
-  $result = db_query("SELECT totp_secret, failures FROM mail.webmail_totp WHERE email='{$username}' AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())");
+  $result = db_query("SELECT totp_secret, failures FROM mail.webmail_totp WHERE email=? AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())", array($username));
   $tmp = $result->fetch();
   $secret = $tmp['totp_secret'];
 
@@ -147,9 +142,9 @@ function check_totp($username, $code) {
     DEBUG('OK');
   } else {
     if ($tmp['failures'] > 0 && $tmp['failures'] % 5 == 0) {
-      db_query("UPDATE mail.webmail_totp SET failures = failures+1, unlock_timestamp = NOW() + INTERVAL 5 MINUTE WHERE email='{$username}'");
+      db_query("UPDATE mail.webmail_totp SET failures = failures+1, unlock_timestamp = NOW() + INTERVAL 5 MINUTE WHERE email=?", array($username));
     } else {
-      db_query("UPDATE mail.webmail_totp SET failures = failures+1 WHERE email='{$username}'");
+      db_query("UPDATE mail.webmail_totp SET failures = failures+1 WHERE email=?", array($username));
     }
     
     DEBUG('FAILED');
@@ -194,9 +189,9 @@ function generate_qrcode_image($secret) {
 
 function accountname($id) 
 {
-  $id = (int) $id;
-  $uid = (int) $_SESSION['userinfo']['uid'];
-  $result = db_query("SELECT email FROM mail.webmail_totp WHERE id={$id} AND useraccount={$uid}");
+  $args = array(":id" => $id,
+                ":uid" => $_SESSION['userinfo']['uid']);
+  $result = db_query("SELECT email FROM mail.webmail_totp WHERE id=:id AND useraccount=:uid", $args);
   if ($tmp = $result->fetch()) {
     return $tmp['email'];
   }
@@ -205,26 +200,24 @@ function accountname($id)
 
 function delete_totp($id) 
 {
-  $id = (int) $id;
-  $uid = (int) $_SESSION['userinfo']['uid'];
+  $args = array(":id" => $id,
+                ":uid" => $_SESSION['userinfo']['uid']);
   
-  db_query("DELETE FROM mail.webmail_totp WHERE id={$id} AND useraccount={$uid}");
+  db_query("DELETE FROM mail.webmail_totp WHERE id=:id AND useraccount=:uid", $args);
 }
 
 
 function blacklist_token($email, $token)
 {
-  $email = db_escape_string($email);
-  $token = db_escape_string($token);
-  db_query("INSERT INTO mail.webmail_totp_blacklist (timestamp, email, token) VALUES (NOW(), '{$email}', '{$token}')");
+  $args = array(":email" => $email, ":token" => $token);
+  db_query("INSERT INTO mail.webmail_totp_blacklist (timestamp, email, token) VALUES (NOW(), :email, :token)", $args);
 }
 
 function check_blacklist($email, $token)
 {
-  $email = db_escape_string($email);
-  $token = db_escape_string($token);
+  $args = array(":email" => $email, ":token" => $token);
   db_query("DELETE FROM mail.webmail_totp_blacklist WHERE timestamp < NOW() - INTERVAL 10 MINUTE");
-  $result = db_query("SELECT id FROM mail.webmail_totp_blacklist WHERE email='{$email}' AND token='{$token}'");
+  $result = db_query("SELECT id FROM mail.webmail_totp_blacklist WHERE email=:email AND token=:token", $args);
   return ($result->rowCount() > 0);
 }
 


...	...	@@ -39,6 +39,13 @@ class DB extends PDO {
39	39	*/
40	40	function query($stmt, $params = NULL) {
41	41	if (is_array($params)) {
	42	+ if (config("enable_debug")) {
	43	+ foreach (array_values($params) as $p) {
	44	+ if ($p === '') {
	45	+ warning("Potential bug, empty string found in database parameters");
	46	+ }
	47	+ }
	48	+ }
42	49	$response = parent::prepare($stmt);
43	50	$response->execute($params);
44	51	return $response;

...	...	@@ -71,8 +71,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'save')
71	71	$error = check_valid($acc);
72	72	if ($error != "")
73	73	{
74		- input_error($error);
75		- output("");
	74	+ system_failure($error);
76	75	}
77	76	else
78	77	{

...	...	@@ -77,9 +77,9 @@ function change_mailaccount($id, $arr)
77	77	if (isset($arr['mailbox'])) {
78	78	array_push($conditions, "`maildir`=:maildir");
79	79	if ($arr['mailbox'] == '')
80		- $values[":mailbox"] = NULL;
	80	+ $values[":maildir"] = NULL;
81	81	else
82		- $values[":mailbox"] = $arr['mailbox'];
	82	+ $values[":maildir"] = $arr['mailbox'];
83	83	}
84	84
85	85	if (isset($arr['password']))

...	...	@@ -17,7 +17,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
17	17	function whitelist_entries()
18	18	{
19	19	$uid = (int) $_SESSION['userinfo']['uid'];
20		- $res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid};");
	20	+ $res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid=?", array($uid));
21	21	$return = array();
22	22	while ($line = $res->fetch())
23	23	array_push($return, $line);
...	...	@@ -27,9 +27,9 @@ function whitelist_entries()
27	27
28	28	function get_whitelist_details($id)
29	29	{
30		- $id = (int) $id;
31		- $uid = (int) $_SESSION['userinfo']['uid'];
32		- $res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid} AND id={$id};");
	30	+ $args = array(":id" => $id,
	31	+ ":uid" => $_SESSION['userinfo']['uid']);
	32	+ $res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid=:uid AND id=:id", $args);
33	33	if ($res->rowCount() != 1)
34	34	system_failure('Kann diesen Eintrag nicht finden');
35	35	return $res->fetch();
...	...	@@ -42,7 +42,7 @@ function delete_from_whitelist($id)
42	42	// Check if the ID is valid: This will die if not.
43	43	$entry = get_whitelist_details($id);
44	44
45		- db_query("DELETE FROM mail.greylisting_manual_whitelist WHERE id={$id} LIMIT 1;");
	45	+ db_query("DELETE FROM mail.greylisting_manual_whitelist WHERE id=?", array($id));
46	46	}
47	47
48	48
...	...	@@ -55,8 +55,9 @@ function valid_entry($local, $domain)
55	55	system_failure('Diese E-Mail-Adresse gehört Ihnen nicht!');
56	56	return true;
57	57	}
58		- $d = db_escape_string($domain);
59		- $res = db_query("SELECT id FROM mail.v_domains WHERE domainname='{$d}' AND user={$_SESSION['userinfo']['uid']} LIMIT 1");
	58	+ $args = array(":domain" => $domain,
	59	+ ":uid" => $_SESSION['userinfo']['uid']);
	60	+ $res = db_query("SELECT id FROM mail.v_domains WHERE domainname=:domain AND user=:uid", $args);
60	61	if ($res->rowCount() != 1)
61	62	system_failure('Diese domain gehört Ihnen nicht!');
62	63	return true;
...	...	@@ -66,17 +67,19 @@ function valid_entry($local, $domain)
66	67	function new_whitelist_entry($local, $domain, $minutes)
67	68	{
68	69	valid_entry($local, $domain);
69		- $uid = (int) $_SESSION['userinfo']['uid'];
70		- $local = maybe_null($local);
71		- $domain = db_escape_string($domain);
	70	+ $args = array(":uid" => $_SESSION['userinfo']['uid'],
	71	+ ":local" => $local,
	72	+ ":domain" => $domain);
72	73
73		- $expire = '';
74		- if ($minutes == 'none')
75	74	$expire = 'NULL';
76		- else
77		- $expire = "NOW() + INTERVAL ". (int) $minutes ." MINUTE";
	75	+ if ($minutes == 'none') {
	76	+ $expire = 'NULL';
	77	+ } else {
	78	+ $args[':minutes'] = $minutes;
	79	+ $expire = "NOW() + INTERVAL :minutes MINUTE";
	80	+ }
78	81	db_query("INSERT INTO mail.greylisting_manual_whitelist (local,domain,date,expire,uid) VALUES ".
79		- "({$local}, '{$domain}', NOW(), {$expire}, $uid);");
	82	+ "(:local, :domain, NOW(), {$expire}, :uid)", $args);
80	83	}
81	84
82	85

...	...	@@ -22,7 +22,7 @@ require_once('class/domain.php');
22	22	function get_jabber_accounts() {
23	23	require_role(ROLE_CUSTOMER);
24	24	$customerno = (int) $_SESSION['customerinfo']['customerno'];
25		- $result = db_query("SELECT id, `create`, created, lastactivity, local, domain FROM jabber.accounts WHERE customerno='$customerno' AND `delete`=0;");
	25	+ $result = db_query("SELECT id, `create`, created, lastactivity, local, domain FROM jabber.accounts WHERE customerno=? AND `delete`=0", array($customerno));
26	26	$accounts = array();
27	27	if (@$result->rowCount() > 0)
28	28	while ($acc = @$result->fetch())
...	...	@@ -35,11 +35,10 @@ function get_jabber_accounts() {
35	35	function get_jabberaccount_details($id)
36	36	{
37	37	require_role(ROLE_CUSTOMER);
38		- $customerno = (int) $_SESSION['customerinfo']['customerno'];
39		-
40		- $id = (int) $id;
	38	+ $args = array(":customerno" => $_SESSION['customerinfo']['customerno'],
	39	+ ":id" => $id);
41	40
42		- $result = db_query("SELECT id, local, domain FROM jabber.accounts WHERE customerno={$customerno} AND id={$id} LIMIT 1");
	41	+ $result = db_query("SELECT id, local, domain FROM jabber.accounts WHERE customerno=:customerno AND id=:id", $args);
43	42	if ($result->rowCount() != 1)
44	43	system_failure("Invalid account");
45	44	$data = $result->fetch();
...	...	@@ -69,20 +68,20 @@ function valid_jabber_password($pass)
69	68	function create_jabber_account($local, $domain, $password)
70	69	{
71	70	require_role(ROLE_CUSTOMER);
72		- $customerno = (int) $_SESSION['customerinfo']['customerno'];
73		-
74		- $local = db_escape_string( filter_input_username($local) );
75		- $domain = (int) $domain;
	71	+ $data = array(":customerno" => $_SESSION['customerinfo']['customerno'],
	72	+ ":local" => filter_input_username($local),
	73	+ ":domain" => $domain);
76	74	if (! valid_jabber_password($password))
77	75	{
78	76	input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
79	77	return;
80	78	}
81		- $password = db_escape_string( $password );
	79	+ $data[':password'] = $password;
82	80
83	81	if ($domain > 0)
84	82	{
85		- $result = db_query("SELECT id FROM kundendaten.domains WHERE kunde={$customerno} AND jabber=1 AND id={$domain};");
	83	+ $args = array(":domain" => $data[":domain"], ":customerno" => $data[":customerno"]);
	84	+ $result = db_query("SELECT id FROM kundendaten.domains WHERE kunde=:customerno AND jabber=1 AND id=:domain", $args);
86	85	if ($result->rowCount() == 0)
87	86	{
88	87	logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create account for invalid domain »{$domain}«");
...	...	@@ -90,20 +89,22 @@ function create_jabber_account($local, $domain, $password)
90	89	}
91	90	}
92	91
93		- $domainquery = "domain={$domain}";
	92	+ $args = array(":domain" => $data[":domain"], ":local" => $data[":local"]);
	93	+ $domainquery = "domain=:domain";
94	94	if ($domain == 0)
95	95	{
96		- $domain = 'NULL';
	96	+ unset($args[":domain"]);
	97	+ $data[":domain"] = NULL;
97	98	$domainquery = 'domain IS NULL';
98	99	}
99		- $result = db_query("SELECT id FROM jabber.accounts WHERE local='{$local}' AND {$domainquery}");
	100	+ $result = db_query("SELECT id FROM jabber.accounts WHERE local=:local AND {$domainquery}", $args);
100	101	if ($result->rowCount() > 0)
101	102	{
102	103	logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create already existing account »{$local}@{$domain}«");
103	104	system_failure("Diesen Account gibt es bereits!");
104	105	}
105	106
106		- db_query("INSERT INTO jabber.accounts (customerno,local,domain,password) VALUES ({$customerno}, '{$local}', {$domain}, '{$password}');");
	107	+ db_query("INSERT INTO jabber.accounts (customerno,local,domain,password) VALUES (:customerno, :local, :domain, :password);", $data);
107	108	logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "created account »{$local}@{$domain}«");
108	109	}
109	110
...	...	@@ -112,16 +113,16 @@ function create_jabber_account($local, $domain, $password)
112	113	function change_jabber_password($id, $password)
113	114	{
114	115	require_role(ROLE_CUSTOMER);
115		- $customerno = (int) $_SESSION['customerinfo']['customerno'];
116		- $id = (int) $id;
117	116	if (! valid_jabber_password($password))
118	117	{
119	118	input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
120	119	return;
121	120	}
122		- $password = db_escape_string( $password );
	121	+ $args = array(":customerno" => $_SESSION['customerinfo']['customerno'],
	122	+ ":id" => $id,
	123	+ ":password" => $password);
123	124
124		- db_query("UPDATE jabber.accounts SET password='{$password}' WHERE customerno={$customerno} AND id={$id} LIMIT 1");
	125	+ db_query("UPDATE jabber.accounts SET password=:password WHERE customerno=:customerno AND id=:id", $args);
125	126	logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "changed password for account »{$id}«");
126	127	}
127	128
...	...	@@ -130,11 +131,11 @@ function change_jabber_password($id, $password)
130	131	function delete_jabber_account($id)
131	132	{
132	133	require_role(ROLE_CUSTOMER);
133		- $customerno = (int) $_SESSION['customerinfo']['customerno'];
134	134
135		- $id = (int) $id;
	135	+ $args = array(":customerno" => $_SESSION['customerinfo']['customerno'],
	136	+ ":id" => $id);
136	137
137		- db_query("UPDATE jabber.accounts SET `delete`=1 WHERE customerno={$customerno} AND id={$id} LIMIT 1");
	138	+ db_query("UPDATE jabber.accounts SET `delete`=1 WHERE customerno=:customerno AND id=:id", $args);
138	139	logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "deleted account »{$id}«");
139	140	}
140	141
...	...	@@ -143,7 +144,7 @@ function new_jabber_domain($id)
143	144	{
144	145	$d = new Domain( (int) $id );
145	146	$d->ensure_customerdomain();
146		- db_query("UPDATE kundendaten.domains SET jabber=2 WHERE jabber=0 AND id={$d->id} LIMIT 1");
	147	+ db_query("UPDATE kundendaten.domains SET jabber=2 WHERE jabber=0 AND id=?", array($d->id));
147	148	}
148	149
149	150

...	...	@@ -22,7 +22,7 @@ require_once('inc/security.php');
22	22	function get_lists()
23	23	{
24	24	$uid = (int) $_SESSION['userinfo']['uid'];
25		- $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid};");
	25	+ $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner=?", array($uid));
26	26	$ret = array();
27	27	while ($list = $result->fetch())
28	28	$ret[] = $list;
...	...	@@ -33,9 +33,9 @@ function get_lists()
33	33
34	34	function get_list($id)
35	35	{
36		- $id = (int) $id;
37		- $uid = (int) $_SESSION['userinfo']['uid'];
38		- $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid} AND id={$id};");
	36	+ $args = array(":id" => $id,
	37	+ ":uid" => $_SESSION['userinfo']['uid']);
	38	+ $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner=:uid AND id=:id", $args);
39	39	if ($result->rowCount() < 1)
40	40	system_failure('Die gewünschte Mailingliste konnte nicht gefunden werden');
41	41	$list = $result->fetch();
...	...	@@ -47,26 +47,28 @@ function get_list($id)
47	47
48	48	function delete_list($id)
49	49	{
50		- $uid = (int) $_SESSION['userinfo']['uid'];
51		- $id = (int) $id;
52		- db_query("UPDATE mail.mailman_lists SET status='delete' WHERE owner={$uid} AND id={$id};");
	50	+ $args = array(":id" => $id,
	51	+ ":uid" => $_SESSION['userinfo']['uid']);
	52	+ db_query("UPDATE mail.mailman_lists SET status='delete' WHERE owner=:uid AND id=:id", $args);
53	53	}
54	54
55	55
56	56	function create_list($listname, $maildomain, $admin)
57	57	{
58	58	verify_input_username($listname);
59		- $maildomain = maybe_null( (int) $maildomain );
60		- $owner = (int) $_SESSION['userinfo']['uid'];
61	59	verify_input_general($admin);
62	60	if (! check_emailaddr($admin))
63	61	system_failure('Der Verwalter muss eine gültige E-Mail-Adresse sein ('.$admin.').');
64		- $admin = db_escape_string($admin);
65		- $result = db_query("SELECT id FROM mail.mailman_lists WHERE listname='{$listname}'");
	62	+ $result = db_query("SELECT id FROM mail.mailman_lists WHERE listname=?", array($listname));
66	63	if ($result->rowCount() > 0)
67	64	system_failure('Eine Liste mit diesem Namen existiert bereits (unter dieser oder einer anderen Domain). Jeder Listenname kann nur einmal verwendet werden.');
68	65
69		- db_query("INSERT INTO mail.mailman_lists (status, listname, maildomain, owner, admin) VALUES ('pending', '{$listname}', {$maildomain}, {$owner}, '{$admin}');");
	66	+ $args = array(":listname" => $listname,
	67	+ ":maildomain" => $maildomain,
	68	+ ":owner" => $_SESSION['userinfo']['uid'],
	69	+ ":admin" => $admin);
	70	+
	71	+ db_query("INSERT INTO mail.mailman_lists (status, listname, maildomain, owner, admin) VALUES ('pending', :listname, :maildomain, :owner, :admin)", $args);
70	72	DEBUG('Neue ID: '.db_insert_id());
71	73	}
72	74
...	...	@@ -74,7 +76,7 @@ function create_list($listname, $maildomain, $admin)
74	76	function get_mailman_domains()
75	77	{
76	78	$uid = (int) $_SESSION['userinfo']['uid'];
77		- $result = db_query("SELECT md.id, md.fqdn FROM mail.v_mailman_domains AS md left join mail.v_domains AS d on (d.id=md.domain) where d.user={$uid}");
	79	+ $result = db_query("SELECT md.id, md.fqdn FROM mail.v_mailman_domains AS md left join mail.v_domains AS d on (d.id=md.domain) where d.user=?", array($uid));
78	80	$ret = array();
79	81	while ($dom = $result->fetch())
80	82	$ret[] = $dom;

...	...	@@ -16,8 +16,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
16	16
17	17	function account_has_totp($username)
18	18	{
19		- $username = db_escape_string($username);
20		- $result = db_query("SELECT id FROM mail.webmail_totp WHERE email='{$username}'");
	19	+ $result = db_query("SELECT id FROM mail.webmail_totp WHERE email=?", array($username));
21	20	if ($result->rowCount() > 0) {
22	21	$tmp = $result->fetch();
23	22	$id = $tmp['id'];
...	...	@@ -31,8 +30,8 @@ function account_has_totp($username)
31	30
32	31	function validate_password($username, $password)
33	32	{
34		- $username = db_escape_string($username);
35		- $result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account='{$username}' UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account='{$username}'");
	33	+ $args[":username"] = $username;
	34	+ $result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account=:username UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account=:username", $args);
36	35	if ($result->rowCount() != 1) {
37	36	// Kein Account mit dem Namen oder Name nicht eindeutig
38	37	return false;
...	...	@@ -58,12 +57,12 @@ function store_webmail_password($username, $oldpw, $newpw)
58	57	for ($i = 0 ; $i != strlen($oldpw) ; $i++) {
59	58	$code .= chr( ord($oldpw[$i]) ^ ord($secret[$i]) );
60	59	}
61		- $code = base64_encode($code);
62		- DEBUG(array($oldpw, $newpw, $code));
	60	+ DEBUG(array($oldpw, $newpw));
	61	+ $args = array(":uid" => $_SESSION['userinfo']['uid'],
	62	+ ":username" => $username,
	63	+ ":code" => base64_encode($code));
63	64
64		- $uid = (int) $_SESSION['userinfo']['uid'];
65		-
66		- db_query("REPLACE INTO mail.webmail_totp (useraccount, email, webmailpass) VALUES ({$uid}, '{$username}', '{$code}')");
	65	+ db_query("REPLACE INTO mail.webmail_totp (useraccount, email, webmailpass) VALUES (:uid, :username, :code)", $args);
67	66	}
68	67
69	68
...	...	@@ -87,8 +86,7 @@ function decode_webmail_password($crypted, $webmailpw)
87	86
88	87
89	88	function get_imap_password($username, $webmailpass) {
90		- $username = db_escape_string($username);
91		- $result = db_query("SELECT webmailpass FROM mail.webmail_totp WHERE email='{$username}'");
	89	+ $result = db_query("SELECT webmailpass FROM mail.webmail_totp WHERE email=?", array($username));
92	90	$tmp = $result->fetch();
93	91
94	92	$crypted = $tmp['webmailpass'];
...	...	@@ -107,21 +105,20 @@ function check_webmail_password($username, $webmailpass)
107	105
108	106	function generate_secret($username)
109	107	{
110		- $username = db_escape_string($username);
111	108	require_once('external/googleauthenticator/GoogleAuthenticator.php');
112	109	$ga = new PHPGangsta_GoogleAuthenticator();
113	110
114	111	$secret = $ga->createSecret();
115	112	DEBUG('GA-Secret: '.$secret);
116	113	DEBUG('QrCode: '.$ga->getQRCodeGoogleUrl('Blog', $secret));
117		- db_query("UPDATE mail.webmail_totp SET totp_secret='{$secret}' WHERE email='{$username}'");
	114	+ $args = array(":secret" => $secret, ":username" => $username);
	115	+ db_query("UPDATE mail.webmail_totp SET totp_secret=:secret WHERE email=:username", $args);
118	116	return $secret;
119	117	}
120	118
121	119	function check_locked($username)
122	120	{
123		- $username = db_escape_string($username);
124		- $result = db_query("SELECT 1 FROM mail.webmail_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email='{$username}'");
	121	+ $result = db_query("SELECT 1 FROM mail.webmail_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email=?", array($username));
125	122	return ($result->rowCount() > 0);
126	123	}
127	124
...	...	@@ -131,9 +128,7 @@ function check_totp($username, $code) {
131	128	return false;
132	129	}
133	130
134		- $username = db_escape_string($username);
135		-
136		- $result = db_query("SELECT totp_secret, failures FROM mail.webmail_totp WHERE email='{$username}' AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())");
	131	+ $result = db_query("SELECT totp_secret, failures FROM mail.webmail_totp WHERE email=? AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())", array($username));
137	132	$tmp = $result->fetch();
138	133	$secret = $tmp['totp_secret'];
139	134
...	...	@@ -147,9 +142,9 @@ function check_totp($username, $code) {
147	142	DEBUG('OK');
148	143	} else {
149	144	if ($tmp['failures'] > 0 && $tmp['failures'] % 5 == 0) {
150		- db_query("UPDATE mail.webmail_totp SET failures = failures+1, unlock_timestamp = NOW() + INTERVAL 5 MINUTE WHERE email='{$username}'");
	145	+ db_query("UPDATE mail.webmail_totp SET failures = failures+1, unlock_timestamp = NOW() + INTERVAL 5 MINUTE WHERE email=?", array($username));
151	146	} else {
152		- db_query("UPDATE mail.webmail_totp SET failures = failures+1 WHERE email='{$username}'");
	147	+ db_query("UPDATE mail.webmail_totp SET failures = failures+1 WHERE email=?", array($username));
153	148	}
154	149
155	150	DEBUG('FAILED');
...	...	@@ -194,9 +189,9 @@ function generate_qrcode_image($secret) {
194	189
195	190	function accountname($id)
196	191	{
197		- $id = (int) $id;
198		- $uid = (int) $_SESSION['userinfo']['uid'];
199		- $result = db_query("SELECT email FROM mail.webmail_totp WHERE id={$id} AND useraccount={$uid}");
	192	+ $args = array(":id" => $id,
	193	+ ":uid" => $_SESSION['userinfo']['uid']);
	194	+ $result = db_query("SELECT email FROM mail.webmail_totp WHERE id=:id AND useraccount=:uid", $args);
200	195	if ($tmp = $result->fetch()) {
201	196	return $tmp['email'];
202	197	}
...	...	@@ -205,26 +200,24 @@ function accountname($id)
205	200
206	201	function delete_totp($id)
207	202	{
208		- $id = (int) $id;
209		- $uid = (int) $_SESSION['userinfo']['uid'];
	203	+ $args = array(":id" => $id,
	204	+ ":uid" => $_SESSION['userinfo']['uid']);
210	205
211		- db_query("DELETE FROM mail.webmail_totp WHERE id={$id} AND useraccount={$uid}");
	206	+ db_query("DELETE FROM mail.webmail_totp WHERE id=:id AND useraccount=:uid", $args);
212	207	}
213	208
214	209
215	210	function blacklist_token($email, $token)
216	211	{
217		- $email = db_escape_string($email);
218		- $token = db_escape_string($token);
219		- db_query("INSERT INTO mail.webmail_totp_blacklist (timestamp, email, token) VALUES (NOW(), '{$email}', '{$token}')");
	212	+ $args = array(":email" => $email, ":token" => $token);
	213	+ db_query("INSERT INTO mail.webmail_totp_blacklist (timestamp, email, token) VALUES (NOW(), :email, :token)", $args);
220	214	}
221	215
222	216	function check_blacklist($email, $token)
223	217	{
224		- $email = db_escape_string($email);
225		- $token = db_escape_string($token);
	218	+ $args = array(":email" => $email, ":token" => $token);
226	219	db_query("DELETE FROM mail.webmail_totp_blacklist WHERE timestamp < NOW() - INTERVAL 10 MINUTE");
227		- $result = db_query("SELECT id FROM mail.webmail_totp_blacklist WHERE email='{$email}' AND token='{$token}'");
	220	+ $result = db_query("SELECT id FROM mail.webmail_totp_blacklist WHERE email=:email AND token=:token", $args);
228	221	return ($result->rowCount() > 0);
229	222	}
230	223
231	224