Browse code

email-Modul auf prepared-statements umgestellt

Bernd Wurst authored on02/02/2014 08:03:52
Showing3 changed files
... ...
@@ -19,7 +19,7 @@ require_once('inc/base.php');
19 19
 function user_has_accounts()
20 20
 {
21 21
   $uid = (int) $_SESSION['userinfo']['uid'];
22
-  $result = db_query("SELECT id from `mail`.`mailaccounts` WHERE uid=$uid");
22
+  $result = db_query("SELECT id from `mail`.`mailaccounts` WHERE uid=?", array($uid));
23 23
   DEBUG($result->rowCount()." accounts");
24 24
   return ($result->rowCount() > 0);
25 25
 }
... ...
@@ -33,7 +33,7 @@ if (! function_exists("user_has_vmail_domain"))
33 33
                 return false;
34 34
         }
35 35
         $uid = (int) $_SESSION['userinfo']['uid'];
36
-        $result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount='{$uid}'");
36
+        $result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount=?", array($uid));
37 37
         $row = $result->fetch();
38 38
         $count = $row[0];
39 39
         DEBUG("User has {$count} vmail-domains");
... ...
@@ -23,7 +23,7 @@ if (! function_exists("user_has_vmail_domain"))
23 23
 		return false;
24 24
 	}
25 25
 	$uid = (int) $_SESSION['userinfo']['uid'];
26
-	$result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount='{$uid}'");
26
+	$result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount=?", array($uid));
27 27
 	$row = $result->fetch();
28 28
 	$count = $row[0];
29 29
 	DEBUG("User has {$count} vmail-domains");
... ...
@@ -40,8 +40,8 @@ if (! function_exists("user_has_dotcourier_domain"))
40 40
 		return false;
41 41
 	}
42 42
 	$uid = (int) $_SESSION['userinfo']['uid'];
43
-	$result = db_query("select 1 from mail.custom_mappings as c left join mail.v_domains as d on (d.id=c.domain) where d.user={$uid} or c.uid={$uid} UNION ". 
44
-            "SELECT 1 FROM mail.v_domains AS d WHERE d.user={$uid} AND d.id != ALL(SELECT domain FROM mail.virtual_mail_domains);");
43
+	$result = db_query("select 1 from mail.custom_mappings as c left join mail.v_domains as d on (d.id=c.domain) where d.user=:uid or c.uid=:uid}UNION ". 
44
+            "SELECT 1 FROM mail.v_domains AS d WHERE d.user=:uid AND d.id != ALL(SELECT domain FROM mail.virtual_mail_domains)", array(":uid" => $uid));
45 45
   $ret = ($result->rowCount() > 0);
46 46
   if ($ret)
47 47
     DEBUG("User {$uid} has dotcourier-domains");
... ...
@@ -25,7 +25,7 @@ require_once('common.php');
25 25
 function mailaccounts($uid)
26 26
 {
27 27
   $uid = (int) $uid;
28
-  $result = db_query("SELECT m.id,concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.uid=$uid ORDER BY if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`), local");
28
+  $result = db_query("SELECT m.id,concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),:masterdomain,`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.uid=:uid ORDER BY if(isnull(`m`.`domain`),:masterdomain,`d`.`domainname`), local", array(":masterdomain" => config("masterdomain"), ":uid" => $uid));
29 29
   DEBUG("Found ".@$result->rowCount()." rows!");
30 30
   $accounts = array();
31 31
   if (@$result->rowCount() > 0)
... ...
@@ -38,7 +38,7 @@ function get_mailaccount($id)
38 38
 {
39 39
   $id = (int) $id;
40 40
   $uid = (int) $_SESSION['userinfo']['uid'];
41
-  $result = db_query("SELECT concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.id=$id AND m.uid={$uid}");
41
+  $result = db_query("SELECT concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),:masterdomain,`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.id=:mid AND m.uid=:uid", array(":masterdomain" => config("masterdomain"), ":uid" => $uid, ":mid" => $id));
42 42
   DEBUG("Found ".$result->rowCount()." rows!");
43 43
   if ($result->rowCount() != 1)
44 44
     system_failure('Dieser Mailaccount existiert nicht oder gehört Ihnen nicht');
... ...
@@ -52,45 +52,50 @@ function change_mailaccount($id, $arr)
52 52
 {
53 53
   $id = (int) $id;
54 54
   $uid = (int) $_SESSION['userinfo']['uid'];
55
-  $conditions = array();
55
+  $conditions = array("local=:local", "domain=:domain");
56
+  $values = array(":id" => $id, ":uid" => $uid);
56 57
 
57 58
   if (isset($arr['account']))
58 59
   {
59 60
     list($local, $domain) = explode('@', $arr['account'], 2);
60 61
     if ($domain == config('masterdomain'))
61 62
     {
62
-      $values['domain'] = "NULL";
63
+      $values[':domain'] = NULL;
63 64
     }
64 65
     else
65 66
     {
66 67
       $domain = new Domain( (string) $domain);
67
-      if ($domain->id == NULL)
68
-        array_push($conditions, "domain=NULL");
69
-      else
70
-      {
68
+      if ($domain->id == NULL) {
69
+        $values[":domain"] = NULL;
70
+      } else {
71 71
         $domain->ensure_userdomain();
72
-        array_push($conditions, "domain={$domain->id}");
72
+        $values[":domain"] = $domain->id;
73 73
       }
74 74
     }
75
-    array_push($conditions, "local='".db_escape_string($local)."'");
75
+    $values[":local"] = $local;
76 76
   }
77
-  if (isset($arr['mailbox']))
77
+  if (isset($arr['mailbox'])) {
78
+    array_push($conditions, "`maildir`=:maildir");
78 79
     if ($arr['mailbox'] == '')
79
-      array_push($conditions, "`maildir`=NULL");
80
+      $values[":mailbox"] = NULL;
80 81
     else
81
-      array_push($conditions, "`maildir`='".db_escape_string($arr['mailbox'])."'");
82
+      $values[":mailbox"] = $arr['mailbox'];
83
+  }
82 84
 
83 85
   if (isset($arr['password']))
84 86
   {
85 87
     $encpw = encrypt_mail_password($arr['password']);
86
-    array_push($conditions, "`password`='$encpw'");
88
+    array_push($conditions, "`password`=:password");
89
+    $values[":password"] = $encpw;
87 90
   }
88 91
 
89
-  if (isset($arr['enabled']))
90
-    array_push($conditions, "`aktiv`=".($arr['enabled'] == 'Y' ? "1" : "0"));
92
+  if (isset($arr['enabled'])) {
93
+    array_push($conditions, "`aktiv`=:aktiv");
94
+    $values[":aktiv"] = ($arr['enabled'] == 'Y' ? 1 : 0);
95
+  }
91 96
 
92 97
 
93
-  db_query("UPDATE mail.mailaccounts SET ".implode(",", $conditions)." WHERE id='$id' AND uid={$uid}");
98
+  db_query("UPDATE mail.mailaccounts SET ".implode(",", $conditions)." WHERE id=:id AND uid=:uid", $values);
94 99
   logger(LOG_INFO, "modules/imap/include/mailaccounts", "imap", "updated account »{$arr['account']}«");
95 100
 
96 101
 }
... ...
@@ -102,43 +107,44 @@ function create_mailaccount($arr)
102 107
   if (($arr['account']) == '')
103 108
     system_failure('empty account name!');
104 109
 
105
-  $values['uid'] = (int) $_SESSION['userinfo']['uid'];
110
+  $values[':uid'] = (int) $_SESSION['userinfo']['uid'];
106 111
 
107 112
   list($local, $domain) = explode('@', $arr['account'], 2);
108 113
   if ($domain == config('masterdomain'))
109 114
   {
110
-    $values['domain'] = "NULL";
115
+    $values[':domain'] = NULL;
111 116
   }
112 117
   else
113 118
   {
114 119
     $domain = new Domain( (string) $domain);
115 120
     if ($domain->id == NULL)
116
-      $values['domain'] = "NULL";
121
+      $values[':domain'] = NULL;
117 122
     else {
118 123
       $domain->ensure_userdomain();
119
-      $values['domain'] = $domain->id;
124
+      $values[':domain'] = $domain->id;
120 125
     }
121 126
   }
122 127
 
123
-  $values['local'] = "'".db_escape_string($local)."'";
128
+  $values[':local'] = $local;
124 129
 
125 130
   if (isset($arr['mailbox']))
126 131
     if ($arr['mailbox'] == '')
127
-      $values['maildir'] = 'NULL';
132
+      $values[':maildir'] = NULL;
128 133
     else
129
-      $values['maildir']= "'".db_escape_string($arr['mailbox'])."'";
134
+      $values[':maildir']= $arr['mailbox'];
130 135
 
131 136
 
132 137
   if (isset($arr['password']))
133 138
   {
134
-    $values['password'] = "'".encrypt_mail_password($arr['password'])."'";
139
+    $values[':password'] = encrypt_mail_password($arr['password']);
135 140
   }
136 141
 
137 142
   if (isset($arr['enabled']))
138
-    $values['aktiv'] = ($arr['enabled'] == 'Y' ? "1" : "0" );
143
+    $values[':aktiv'] = ($arr['enabled'] == 'Y' ? 1 : 0 );
139 144
 
140 145
 
141
-  db_query("INSERT INTO mail.mailaccounts (".implode(',', array_keys($values)).") VALUES (".implode(",", array_values($values)).")");
146
+  $fields = array_map( function ($k) { return substr($k, 1);}, array_keys($values));
147
+  db_query("INSERT INTO mail.mailaccounts (".implode(',', $fields).") VALUES (".implode(",", array_keys($values)).")", $values);
142 148
   logger(LOG_INFO, "modules/imap/include/mailaccounts", "imap", "created account »{$arr['account']}«");
143 149
 
144 150
 }
... ...
@@ -148,10 +154,10 @@ function get_mailaccount_id($accountname)
148 154
 {
149 155
   list($local, $domain) = explode('@', $accountname, 2);
150 156
 
151
-  $local = db_escape_string($local);
152
-  $domain = db_escape_string($domain);
157
+  $args = array(":local" => $local,
158
+                ":domain" => $domain);
153 159
 
154
-  $result = db_query("SELECT acc.id FROM mail.mailaccounts AS acc LEFT JOIN mail.v_domains AS dom ON (dom.id=acc.domain) WHERE local='{$local}' AND dom.domainname='{$domain}'");
160
+  $result = db_query("SELECT acc.id FROM mail.mailaccounts AS acc LEFT JOIN mail.v_domains AS dom ON (dom.id=acc.domain) WHERE local=:local AND dom.domainname=:domain", $args);
155 161
   if ($result->rowCount() != 1)
156 162
     system_failure('account nicht eindeutig');
157 163
   $acc = $result->fetch();
... ...
@@ -162,7 +168,7 @@ function get_mailaccount_id($accountname)
162 168
 function delete_mailaccount($id)
163 169
 {
164 170
   $id = (int) $id;
165
-  db_query("DELETE FROM mail.mailaccounts WHERE id=".$id." LIMIT 1");
171
+  db_query("DELETE FROM mail.mailaccounts WHERE id=?", array($id));
166 172
   logger(LOG_INFO, "modules/imap/include/mailaccounts", "imap", "deleted account »{$id}«");
167 173
 }
168 174
 
... ...
@@ -212,7 +218,7 @@ function check_valid($acc)
212 218
 function imap_on_vmail_domain()
213 219
 {
214 220
   $uid = (int) $_SESSION['userinfo']['uid'];
215
-  $result = db_query("SELECT m.id FROM mail.mailaccounts AS m INNER JOIN mail.virtual_mail_domains AS vd USING (domain) WHERE m.uid={$uid}");
221
+  $result = db_query("SELECT m.id FROM mail.mailaccounts AS m INNER JOIN mail.virtual_mail_domains AS vd USING (domain) WHERE m.uid=?", array($uid));
216 222
   if ($result->rowCount() > 0)
217 223
     return true;
218 224
   return false;
... ...
@@ -221,11 +227,11 @@ function imap_on_vmail_domain()
221 227
 function user_has_only_vmail_domains()
222 228
 {
223 229
   $uid = (int) $_SESSION['userinfo']['uid'];
224
-  $result = db_query("SELECT id FROM mail.v_vmail_domains WHERE useraccount={$uid}");
230
+  $result = db_query("SELECT id FROM mail.v_vmail_domains WHERE useraccount=?", array($uid));
225 231
   // User hat keine VMail-Domains
226 232
   if ($result->rowCount() == 0)
227 233
     return false;
228
-  $result = db_query("SELECT d.id FROM mail.v_domains AS d LEFT JOIN mail.v_vmail_domains AS vd USING (domainname) WHERE vd.id IS NULL AND d.user={$uid}");
234
+  $result = db_query("SELECT d.id FROM mail.v_domains AS d LEFT JOIN mail.v_vmail_domains AS vd USING (domainname) WHERE vd.id IS NULL AND d.user=?", array($uid));
229 235
   // User hat keine Domains die nicht vmail-Domains sind
230 236
   if ($result->rowCount() == 0)
231 237
     return true;