Browse code

Modul index auf prepared statements umgestellt

Bernd Wurst authored on06/02/2014 09:30:25
Showing1 changed files
... ...
@@ -18,9 +18,9 @@ require_once('session/checkuser.php');
18 18
 
19 19
 function user_customer_match($cust, $user)
20 20
 {
21
-  $customerno = (int) $cust;
22
-  $username = db_escape_string($user);
23
-  $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde={$customerno} AND username='{$username}' AND kundenaccount=1;");
21
+  $args = array(":cid" => $cust,
22
+                ":user" => $user);
23
+  $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde=:cid AND username=:user AND kundenaccount=1", $args);
24 24
   if ($result->rowCount() > 0)
25 25
     return true;
26 26
   return false;
... ...
@@ -30,9 +30,9 @@ function user_customer_match($cust, $user)
30 30
 
31 31
 function customer_has_email($customerno, $email)
32 32
 {
33
-  $customerno = (int) $customerno;
34
-  $email = db_escape_string($email);
35
-  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=".$customerno." AND (email='{$email}' OR email_extern='{$email}' OR email_rechnung='{$email}');");
33
+  $args = array(":cid" => $customerno,
34
+                ":email" => $email);
35
+  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND (email=:email OR email_extern=:email OR email_rechnung=:email)", $args);
36 36
   return ($result->rowCount() > 0);
37 37
 }
38 38
 
... ...
@@ -40,9 +40,9 @@ function customer_has_email($customerno, $email)
40 40
 function validate_token($customerno, $token)
41 41
 {
42 42
   expire_tokens();
43
-  $customerno = (int) $customerno;
44
-  $token = db_escape_string($token);
45
-  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id={$customerno} AND token='{$token}';");
43
+  $args = array(":cid" => $customerno,
44
+                ":token" => $token);
45
+  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND token=:token", $args);
46 46
   return ($result->rowCount() > 0);
47 47
 }
48 48
 
... ...
@@ -50,8 +50,7 @@ function validate_token($customerno, $token)
50 50
 function get_uid_for_token($token) 
51 51
 {
52 52
   expire_tokens();
53
-  $token = db_escape_string($token);
54
-  $result = db_query("SELECT uid FROM system.usertoken WHERE token='{$token}';");
53
+  $result = db_query("SELECT uid FROM system.usertoken WHERE token=?", array($token));
55 54
   if ($result->rowCount() == 0) {
56 55
     return NULL;
57 56
   }
... ...
@@ -61,8 +60,7 @@ function get_uid_for_token($token)
61 60
 
62 61
 function get_username_for_uid($uid) 
63 62
 {
64
-  $uid = (int) $uid;
65
-  $result = db_query("SELECT username FROM system.useraccounts WHERE uid={$uid}");
63
+  $result = db_query("SELECT username FROM system.useraccounts WHERE uid=?", array($uid));
66 64
   if ($result->rowCount() != 1) {
67 65
     system_failure("Unexpected number of users with this uid (!= 1)!");
68 66
   }
... ...
@@ -73,9 +71,9 @@ function get_username_for_uid($uid)
73 71
 function validate_uid_token($uid, $token)
74 72
 {
75 73
   expire_tokens();
76
-  $uid = (int) $uid;
77
-  $token = db_escape_string($token);
78
-  $result = db_query("SELECT NULL FROM system.usertoken WHERE uid={$uid} AND token='{$token}';");
74
+  $args = array(":uid" => $uid,
75
+                ":token" => $token);
76
+  $result = db_query("SELECT NULL FROM system.usertoken WHERE uid=:uid AND token=:token", $args);
79 77
   return ($result->rowCount() > 0);
80 78
 }
81 79
 
... ...
@@ -89,38 +87,35 @@ function expire_tokens()
89 87
 
90 88
 function invalidate_customer_token($customerno)
91 89
 {
92
-  $customerno = (int) $customerno;
93
-  db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id={$customerno} LIMIT 1;");
90
+  db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id=?", array($customerno));
94 91
 }
95 92
  
96 93
 function invalidate_systemuser_token($uid)
97 94
 {
98
-  $uid = (int) $uid;
99
-  db_query("DELETE FROM system.usertoken WHERE uid={$uid} LIMIT 1;");
95
+  db_query("DELETE FROM system.usertoken WHERE uid=?", array($uid));
100 96
 }
101 97
  
102 98
 function create_token($username)
103 99
 {
104
-  $username = db_escape_string($username);
105 100
   expire_tokens();
106
-  $result = db_query("SELECT uid FROM system.useraccounts WHERE username='{$username}'");
101
+  $result = db_query("SELECT uid FROM system.useraccounts WHERE username=?", array($username));
107 102
   $uid = (int) $result->fetch()['uid'];
108 103
   
109
-  $result = db_query("SELECT created FROM system.usertoken WHERE uid={$uid}");
104
+  $result = db_query("SELECT created FROM system.usertoken WHERE uid=?", array($uid));
110 105
   if ($result->rowCount() > 0) {
111 106
     system_failure("Für Ihr Benutzerkonto ist bereits eine Passwort-Erinnerung versendet worden. Bitte wenden Sie sich an den Support wenn Sie diese nicht erhalten haben.");
112 107
   }
113 108
   
114
-  $token = random_string(16);
115
-  db_query("INSERT INTO system.usertoken VALUES ({$uid}, NOW(), NOW() + INTERVAL 1 DAY, '{$token}')");
109
+  $args = array(":uid" => $uid,
110
+                ":token" => random_string(16));
111
+  db_query("INSERT INTO system.usertoken VALUES (:uid} NOW(), NOW() + INTERVAL 1 DAY, :token)", $args);
116 112
   return true;
117 113
 }
118 114
 
119 115
 
120 116
 function emailaddress_for_user($username)
121 117
 {
122
-  $username = db_escape_string($username);
123
-  $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
118
+  $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", array($username));
124 119
   $data = $result->fetch();
125 120
   return $data['email'];
126 121
 }
... ...
@@ -128,9 +123,8 @@ function emailaddress_for_user($username)
128 123
 
129 124
 function get_customer_token($customerno)
130 125
 {
131
-  $customerno = (int) $customerno;
132 126
   expire_tokens();
133
-  $result = db_query("SELECT token FROM kundendaten.kunden WHERE id={$customerno} AND token IS NOT NULL;");
127
+  $result = db_query("SELECT token FROM kundendaten.kunden WHERE id=? AND token IS NOT NULL", array($customerno));
134 128
   if ($result->rowCount() < 1)
135 129
     system_failure("Kann das Token nicht auslesen!");
136 130
   return $result->fetch(PDO::FETCH_OBJ)->token;
... ...
@@ -139,8 +133,7 @@ function get_customer_token($customerno)
139 133
 
140 134
 function get_user_token($username) 
141 135
 {
142
-  $username = db_escape_string($username);
143
-  $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username='{$username}'");
136
+  $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username=?", array($username));
144 137
   $tmp = $result->fetch();
145 138
   return $tmp['token'];
146 139
 }