Modul ftpusers auf prepared statements umgestellt
Bernd Wurst

Bernd Wurst commited on 2014-02-06 09:18:29
Zeige 1 geänderte Dateien mit 33 Einfügungen und 31 Löschungen.

@@ -19,7 +19,7 @@ require_once('inc/base.php');
19 19
 function list_ftpusers()
20 20
 {
21 21
   $uid = (int) $_SESSION['userinfo']['uid'];
22
-  $result = db_query("SELECT id, username, homedir, active, forcessl FROM system.ftpusers WHERE uid=$uid");
22
+  $result = db_query("SELECT id, username, homedir, active, forcessl FROM system.ftpusers WHERE uid=?", array($uid));
23 23
   $ftpusers = array();
24 24
   while ($u = $result->fetch()) {
25 25
     $ftpusers[] = $u;
@@ -37,9 +37,8 @@ function load_ftpuser($id)
37 37
 {
38 38
   if ($id == 0)
39 39
     return empty_ftpuser();
40
-  $uid = (int) $_SESSION['userinfo']['uid'];
41
-  $id = (int) $id;
42
-  $result = db_query("SELECT id, username, password, homedir, active, forcessl, server FROM system.ftpusers WHERE uid={$uid} AND id='{$id}' LIMIT 1");
40
+  $args = array(":id" => $id, ":uid" => $_SESSION['userinfo']['uid']);
41
+  $result = db_query("SELECT id, username, password, homedir, active, forcessl, server FROM system.ftpusers WHERE uid=:uid AND id=:id", $args);
43 42
   if ($result->rowCount() != 1)
44 43
     system_failure("Fehler beim auslesen des Accounts");
45 44
   $account = $result->fetch();
@@ -50,21 +49,15 @@ function load_ftpuser($id)
50 49
 
51 50
 function save_ftpuser($data)
52 51
 {
53
-  $uid = (int) $_SESSION['userinfo']['uid'];
54
-  $id = (int) $data['id'];
55 52
   verify_input_username($data['username']);
56 53
   if ($data['username'] == '')
57 54
     system_failure('Bitte geben Sie eine Erweiterung für den Benutzernamen an!');
58
-  $username = $_SESSION['userinfo']['username'].'-'.$data['username'];
59 55
   $homedir = filter_input_general($data['homedir']);
60 56
   if (substr($homedir, 0, 1) == '/')
61 57
     $homedir = substr($homedir, 1);
62 58
   $homedir = $_SESSION['userinfo']['homedir'].'/'.$homedir;
63 59
   if (! in_homedir($homedir))
64 60
     system_failure('Pfad scheint nicht in Ihrem Home zu sein oder enthielt ungültige Zeichen.');
65
-  $active = ($data['active'] == 1 ? '1' : '0');
66
-
67
-  $forcessl = ($data['forcessl'] == 0 ? '0' : '1');
68 61
 
69 62
   $server = NULL;
70 63
   if ($data['server'] == my_server_id())
@@ -75,9 +68,8 @@ function save_ftpuser($data)
75 68
   {
76 69
     $server = (int) $data['server'];
77 70
   }
78
-  $server = maybe_null($server);
79 71
 
80
-  $password_query = '';
72
+  $set_password = false;
81 73
   $password_hash = '';
82 74
   if ($data['password'] != '')
83 75
   {
@@ -92,33 +84,46 @@ function save_ftpuser($data)
92 84
       $salt = random_string(8);
93 85
       $password_hash = crypt($data['password'], "\$1\${$salt}\$");
94 86
     }
87
+    $set_pasword = true;
95 88
     $password_query = "password='{$password_hash}', ";
96 89
   }
97
-  elseif (! $id)
90
+  elseif (! $data['id'])
98 91
   {
99 92
     system_failure('Wenn Sie einen neuen Zugang anlegen, müssen Sie ein Passwort setzen');
100 93
   }
101 94
     
95
+  $args = array(":username" => $_SESSION['userinfo']['username'].'-'.$data['username'],
96
+                ":homedir" => $homedir,
97
+                ":active" => ($data['active'] == 1 ? 1 : 0),
98
+                ":forcessl" => ($data['forcessl'] == 0 ? 0 : 1),
99
+                ":server" => $server,
100
+                ":uid" => $_SESSION['userinfo']['uid']);
102 101
   
103
-  if ($id)
104
-    db_query("UPDATE system.ftpusers SET username='{$username}', {$password_query} homedir='{$homedir}', active='{$active}', forcessl='{$forcessl}', server={$server} WHERE id={$id} AND uid={$uid} LIMIT 1");
105
-  else
106
-    db_query("INSERT INTO system.ftpusers (username, password, homedir, uid, active, forcessl, server) VALUES ('{$username}', '{$password_hash}', '{$homedir}', '{$uid}', '{$active}', '{$forcessl}', {$server})");
102
+  if ($data['id']) {
103
+    $args[":id"] = $data['id'];
104
+    if ($set_password) {
105
+      $args[':password'] = $password_hash;
106
+      db_query("UPDATE system.ftpusers SET username=:username, password=:password, homedir=:homedir, active=:active, forcessl=:forcessl, server=:server WHERE id=:id AND uid=:uid", $args);
107
+    } else {
108
+      db_query("UPDATE system.ftpusers SET username=:username, homedir=:homedir, active=:active, forcessl=:forcessl, server=:server WHERE id=:id AND uid=:uid", $args);
109
+    }
110
+  }  else {
111
+    $args[':password'] = $password_hash;
112
+    db_query("INSERT INTO system.ftpusers (username, password, homedir, uid, active, forcessl, server) VALUES (:username, :password, :homedir, :uid, :active, :forcessl, :server)", $args);
113
+  }
107 114
 }
108 115
 
109 116
 
110 117
 function delete_ftpuser($id)
111 118
 {
112
-  $uid = (int) $_SESSION['userinfo']['uid'];
113
-  $id = (int) $id;
114
-  db_query("DELETE FROM system.ftpusers WHERE id='{$id}' AND uid={$uid} LIMIT 1");
119
+  $args = array(":id" => $id, ":uid" => $_SESSION['userinfo']['uid']);
120
+  db_query("DELETE FROM system.ftpusers WHERE id=:id AND uid=:uid", $args);
115 121
 }
116 122
 
117 123
 
118 124
 function get_gid($groupname)
119 125
 {
120
-  $groupname = db_escape_string($groupname);
121
-  $result = db_query("SELECT gid FROM system.gruppen WHERE name='{$groupname}' LIMIT 1");
126
+  $result = db_query("SELECT gid FROM system.gruppen WHERE name=?", array($groupname));
122 127
   if ($result->rowCount() != 1)
123 128
     system_failure('cannot determine gid of ftpusers group');
124 129
   $a = $result->fetch();
@@ -131,9 +136,8 @@ function get_gid($groupname)
131 136
 
132 137
 function have_regular_ftp()
133 138
 {
134
-  $gid = get_gid('ftpusers');
135
-  $uid = (int) $_SESSION['userinfo']['uid'];
136
-  $result = db_query("SELECT * FROM system.gruppenzugehoerigkeit WHERE gid='$gid' AND uid='$uid'");
139
+  $args = array(":gid" => get_gid('ftpusers'), ":uid" => $_SESSION['userinfo']['uid']);
140
+  $result = db_query("SELECT * FROM system.gruppenzugehoerigkeit WHERE gid=:gid AND uid=:uid", $args);
137 141
   return ($result->rowCount() > 0);
138 142
 }
139 143
 
@@ -141,16 +145,14 @@ function have_regular_ftp()
141 145
 function enable_regular_ftp()
142 146
 {
143 147
   require_role(ROLE_SYSTEMUSER);
144
-  $gid = get_gid('ftpusers');
145
-  $uid = (int) $_SESSION['userinfo']['uid'];
146
-  db_query("REPLACE INTO system.gruppenzugehoerigkeit (gid, uid) VALUES ('$gid', '$uid')");
148
+  $args = array(":gid" => get_gid('ftpusers'), ":uid" => $_SESSION['userinfo']['uid']);
149
+  db_query("REPLACE INTO system.gruppenzugehoerigkeit (gid, uid) VALUES (:gid, :uid)", $args);
147 150
 }
148 151
 
149 152
 function disable_regular_ftp()
150 153
 {
151
-  $gid = get_gid('ftpusers');
152
-  $uid = (int) $_SESSION['userinfo']['uid'];
153
-  db_query("DELETE FROM system.gruppenzugehoerigkeit WHERE gid='$gid' AND uid='$uid'");
154
+  $args = array(":gid" => get_gid('ftpusers'), ":uid" => $_SESSION['userinfo']['uid']);
155
+  db_query("DELETE FROM system.gruppenzugehoerigkeit WHERE gid=:gid AND uid=:uid", $args);
154 156
 }
155 157
 
156 158
 
157 159
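Review bot: The added line `$set_pasword = true;` in save_ftpuser (hunk @@ -92,33 +84,46 @@, right after the crypt() call) misspells the flag that was introduced as `$set_password = false;`, so `if ($set_password)` is never true and an edit of an existing FTP account always takes the UPDATE without `password=:password` — a user who rotates the password of a compromised account silently keeps the old hash, and nothing reports the failure. The fix is `$set_password = true;`, and the line below it, `$password_query = "password='{$password_hash}', ";`, is now dead interpolated SQL that should be deleted rather than left as a template for someone to paste back into a query. save_ftpuser begins outside this hunk. Separately, and not touched by this commit, the hash is still `crypt($data['password'], "\$1\${$salt}\$")` (MD5-crypt with an 8-character salt from random_string()); if the FTP daemon's auth backend can verify stronger crypt formats, switching to password_hash() or at least a SHA-crypt/bcrypt prefix would be worth a follow-up.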