Modul index auf prepared statements umgestellt
Bernd Wurst

Bernd Wurst commited on 2014-02-06 09:30:25
Zeige 1 geänderte Dateien mit 24 Einfügungen und 31 Löschungen.

... ...
@@ -18,9 +18,9 @@ require_once('session/checkuser.php');
18 18
 
19 19
 function user_customer_match($cust, $user)
20 20
 {
21
-  $customerno = (int) $cust;
22
-  $username = db_escape_string($user);
23
-  $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde={$customerno} AND username='{$username}' AND kundenaccount=1;");
21
+  $args = array(":cid" => $cust,
22
+                ":user" => $user);
23
+  $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde=:cid AND username=:user AND kundenaccount=1", $args);
24 24
   if ($result->rowCount() > 0)
25 25
     return true;
26 26
   return false;
... ...
@@ -30,9 +30,9 @@ function user_customer_match($cust, $user)
30 30
 
31 31
 function customer_has_email($customerno, $email)
32 32
 {
33
-  $customerno = (int) $customerno;
34
-  $email = db_escape_string($email);
35
-  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=".$customerno." AND (email='{$email}' OR email_extern='{$email}' OR email_rechnung='{$email}');");
33
+  $args = array(":cid" => $customerno,
34
+                ":email" => $email);
35
+  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND (email=:email OR email_extern=:email OR email_rechnung=:email)", $args);
36 36
   return ($result->rowCount() > 0);
37 37
 }
38 38
 
... ...
@@ -40,9 +40,9 @@ function customer_has_email($customerno, $email)
40 40
 function validate_token($customerno, $token)
41 41
 {
42 42
   expire_tokens();
43
-  $customerno = (int) $customerno;
44
-  $token = db_escape_string($token);
45
-  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id={$customerno} AND token='{$token}';");
43
+  $args = array(":cid" => $customerno,
44
+                ":token" => $token);
45
+  $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND token=:token", $args);
46 46
   return ($result->rowCount() > 0);
47 47
 }
48 48
 
... ...
@@ -50,8 +50,7 @@ function validate_token($customerno, $token)
50 50
 function get_uid_for_token($token) 
51 51
 {
52 52
   expire_tokens();
53
-  $token = db_escape_string($token);
54
-  $result = db_query("SELECT uid FROM system.usertoken WHERE token='{$token}';");
53
+  $result = db_query("SELECT uid FROM system.usertoken WHERE token=?", array($token));
55 54
   if ($result->rowCount() == 0) {
56 55
     return NULL;
57 56
   }
... ...
@@ -61,8 +60,7 @@ function get_uid_for_token($token)
61 60
 
62 61
 function get_username_for_uid($uid) 
63 62
 {
64
-  $uid = (int) $uid;
65
-  $result = db_query("SELECT username FROM system.useraccounts WHERE uid={$uid}");
63
+  $result = db_query("SELECT username FROM system.useraccounts WHERE uid=?", array($uid));
66 64
   if ($result->rowCount() != 1) {
67 65
     system_failure("Unexpected number of users with this uid (!= 1)!");
68 66
   }
... ...
@@ -73,9 +71,9 @@ function get_username_for_uid($uid)
73 71
 function validate_uid_token($uid, $token)
74 72
 {
75 73
   expire_tokens();
76
-  $uid = (int) $uid;
77
-  $token = db_escape_string($token);
78
-  $result = db_query("SELECT NULL FROM system.usertoken WHERE uid={$uid} AND token='{$token}';");
74
+  $args = array(":uid" => $uid,
75
+                ":token" => $token);
76
+  $result = db_query("SELECT NULL FROM system.usertoken WHERE uid=:uid AND token=:token", $args);
79 77
   return ($result->rowCount() > 0);
80 78
 }
81 79
 
... ...
@@ -89,38 +87,35 @@ function expire_tokens()
89 87
 
90 88
 function invalidate_customer_token($customerno)
91 89
 {
92
-  $customerno = (int) $customerno;
93
-  db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id={$customerno} LIMIT 1;");
90
+  db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id=?", array($customerno));
94 91
 }
95 92
  
96 93
 function invalidate_systemuser_token($uid)
97 94
 {
98
-  $uid = (int) $uid;
99
-  db_query("DELETE FROM system.usertoken WHERE uid={$uid} LIMIT 1;");
95
+  db_query("DELETE FROM system.usertoken WHERE uid=?", array($uid));
100 96
 }
101 97
  
102 98
 function create_token($username)
103 99
 {
104
-  $username = db_escape_string($username);
105 100
   expire_tokens();
106
-  $result = db_query("SELECT uid FROM system.useraccounts WHERE username='{$username}'");
101
+  $result = db_query("SELECT uid FROM system.useraccounts WHERE username=?", array($username));
107 102
   $uid = (int) $result->fetch()['uid'];
108 103
   
109
-  $result = db_query("SELECT created FROM system.usertoken WHERE uid={$uid}");
104
+  $result = db_query("SELECT created FROM system.usertoken WHERE uid=?", array($uid));
110 105
   if ($result->rowCount() > 0) {
111 106
     system_failure("Für Ihr Benutzerkonto ist bereits eine Passwort-Erinnerung versendet worden. Bitte wenden Sie sich an den Support wenn Sie diese nicht erhalten haben.");
112 107
   }
113 108
   
114
-  $token = random_string(16);
115
-  db_query("INSERT INTO system.usertoken VALUES ({$uid}, NOW(), NOW() + INTERVAL 1 DAY, '{$token}')");
109
+  $args = array(":uid" => $uid,
110
+                ":token" => random_string(16));
111
+  db_query("INSERT INTO system.usertoken VALUES (:uid} NOW(), NOW() + INTERVAL 1 DAY, :token)", $args);
116 112
   return true;
117 113
 }
118 114
 
119 115
 
120 116
 function emailaddress_for_user($username)
121 117
 {
122
-  $username = db_escape_string($username);
123
-  $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
118
+  $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", array($username));
124 119
   $data = $result->fetch();
125 120
   return $data['email'];
126 121
 }
... ...
@@ -128,9 +123,8 @@ function emailaddress_for_user($username)
128 123
 
129 124
 function get_customer_token($customerno)
130 125
 {
131
-  $customerno = (int) $customerno;
132 126
   expire_tokens();
133
-  $result = db_query("SELECT token FROM kundendaten.kunden WHERE id={$customerno} AND token IS NOT NULL;");
127
+  $result = db_query("SELECT token FROM kundendaten.kunden WHERE id=? AND token IS NOT NULL", array($customerno));
134 128
   if ($result->rowCount() < 1)
135 129
     system_failure("Kann das Token nicht auslesen!");
136 130
   return $result->fetch(PDO::FETCH_OBJ)->token;
... ...
@@ -139,8 +133,7 @@ function get_customer_token($customerno)
139 133
 
140 134
 function get_user_token($username) 
141 135
 {
142
-  $username = db_escape_string($username);
143
-  $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username='{$username}'");
136
+  $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username=?", array($username));
144 137
   $tmp = $result->fetch();
145 138
   return $tmp['token'];
146 139
 }
147 140
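Review bot: The INSERT in create_token (new line 111) has a stray `}` where the comma belongs — `VALUES (:uid} NOW(), ...` is a leftover from the old `{$uid}` interpolation and makes the statement unparseable, so no password-reset token can be created after this commit; it should read `db_query("INSERT INTO system.usertoken VALUES (:uid, NOW(), NOW() + INTERVAL 1 DAY, :token)", $args);`. In customer_has_email the named placeholder `:email` is bound once but referenced three times in the WHERE clause; PDO only accepts a repeated named parameter when prepare emulation is on, otherwise execute() fails with HY093 "Invalid parameter number" — if db_query (not visible here) uses native prepares, bind three distinct names such as `":email" => $email, ":email2" => $email, ":email3" => $email` and reference them individually. Separately, create_token still does `$uid = (int) $result->fetch()['uid']` without checking rowCount, so an unknown username silently becomes uid 0 and a token row is inserted for it; this predates the commit, but a `if ($result->rowCount() != 1) system_failure("Unbekannter Benutzer");` guard before the cast would close that gap while the function is being touched.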