...
|
...
|
@@ -18,9 +18,9 @@ require_once('session/checkuser.php');
|
18
|
18
|
|
19
|
19
|
function user_customer_match($cust, $user)
|
20
|
20
|
{
|
21
|
|
- $customerno = (int) $cust;
|
22
|
|
- $username = db_escape_string($user);
|
23
|
|
- $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde={$customerno} AND username='{$username}' AND kundenaccount=1;");
|
|
21
|
+ $args = array(":cid" => $cust,
|
|
22
|
+ ":user" => $user);
|
|
23
|
+ $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde=:cid AND username=:user AND kundenaccount=1", $args);
|
24
|
24
|
if ($result->rowCount() > 0)
|
25
|
25
|
return true;
|
26
|
26
|
return false;
|
...
|
...
|
@@ -30,9 +30,9 @@ function user_customer_match($cust, $user)
|
30
|
30
|
|
31
|
31
|
function customer_has_email($customerno, $email)
|
32
|
32
|
{
|
33
|
|
- $customerno = (int) $customerno;
|
34
|
|
- $email = db_escape_string($email);
|
35
|
|
- $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=".$customerno." AND (email='{$email}' OR email_extern='{$email}' OR email_rechnung='{$email}');");
|
|
33
|
+ $args = array(":cid" => $customerno,
|
|
34
|
+ ":email" => $email);
|
|
35
|
+ $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND (email=:email OR email_extern=:email OR email_rechnung=:email)", $args);
|
36
|
36
|
return ($result->rowCount() > 0);
|
37
|
37
|
}
|
38
|
38
|
|
...
|
...
|
@@ -40,9 +40,9 @@ function customer_has_email($customerno, $email)
|
40
|
40
|
function validate_token($customerno, $token)
|
41
|
41
|
{
|
42
|
42
|
expire_tokens();
|
43
|
|
- $customerno = (int) $customerno;
|
44
|
|
- $token = db_escape_string($token);
|
45
|
|
- $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id={$customerno} AND token='{$token}';");
|
|
43
|
+ $args = array(":cid" => $customerno,
|
|
44
|
+ ":token" => $token);
|
|
45
|
+ $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND token=:token", $args);
|
46
|
46
|
return ($result->rowCount() > 0);
|
47
|
47
|
}
|
48
|
48
|
|
...
|
...
|
@@ -50,8 +50,7 @@ function validate_token($customerno, $token)
|
50
|
50
|
function get_uid_for_token($token)
|
51
|
51
|
{
|
52
|
52
|
expire_tokens();
|
53
|
|
- $token = db_escape_string($token);
|
54
|
|
- $result = db_query("SELECT uid FROM system.usertoken WHERE token='{$token}';");
|
|
53
|
+ $result = db_query("SELECT uid FROM system.usertoken WHERE token=?", array($token));
|
55
|
54
|
if ($result->rowCount() == 0) {
|
56
|
55
|
return NULL;
|
57
|
56
|
}
|
...
|
...
|
@@ -61,8 +60,7 @@ function get_uid_for_token($token)
|
61
|
60
|
|
62
|
61
|
function get_username_for_uid($uid)
|
63
|
62
|
{
|
64
|
|
- $uid = (int) $uid;
|
65
|
|
- $result = db_query("SELECT username FROM system.useraccounts WHERE uid={$uid}");
|
|
63
|
+ $result = db_query("SELECT username FROM system.useraccounts WHERE uid=?", array($uid));
|
66
|
64
|
if ($result->rowCount() != 1) {
|
67
|
65
|
system_failure("Unexpected number of users with this uid (!= 1)!");
|
68
|
66
|
}
|
...
|
...
|
@@ -73,9 +71,9 @@ function get_username_for_uid($uid)
|
73
|
71
|
function validate_uid_token($uid, $token)
|
74
|
72
|
{
|
75
|
73
|
expire_tokens();
|
76
|
|
- $uid = (int) $uid;
|
77
|
|
- $token = db_escape_string($token);
|
78
|
|
- $result = db_query("SELECT NULL FROM system.usertoken WHERE uid={$uid} AND token='{$token}';");
|
|
74
|
+ $args = array(":uid" => $uid,
|
|
75
|
+ ":token" => $token);
|
|
76
|
+ $result = db_query("SELECT NULL FROM system.usertoken WHERE uid=:uid AND token=:token", $args);
|
79
|
77
|
return ($result->rowCount() > 0);
|
80
|
78
|
}
|
81
|
79
|
|
...
|
...
|
@@ -89,38 +87,35 @@ function expire_tokens()
|
89
|
87
|
|
90
|
88
|
function invalidate_customer_token($customerno)
|
91
|
89
|
{
|
92
|
|
- $customerno = (int) $customerno;
|
93
|
|
- db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id={$customerno} LIMIT 1;");
|
|
90
|
+ db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id=?", array($customerno));
|
94
|
91
|
}
|
95
|
92
|
|
96
|
93
|
function invalidate_systemuser_token($uid)
|
97
|
94
|
{
|
98
|
|
- $uid = (int) $uid;
|
99
|
|
- db_query("DELETE FROM system.usertoken WHERE uid={$uid} LIMIT 1;");
|
|
95
|
+ db_query("DELETE FROM system.usertoken WHERE uid=?", array($uid));
|
100
|
96
|
}
|
101
|
97
|
|
102
|
98
|
function create_token($username)
|
103
|
99
|
{
|
104
|
|
- $username = db_escape_string($username);
|
105
|
100
|
expire_tokens();
|
106
|
|
- $result = db_query("SELECT uid FROM system.useraccounts WHERE username='{$username}'");
|
|
101
|
+ $result = db_query("SELECT uid FROM system.useraccounts WHERE username=?", array($username));
|
107
|
102
|
$uid = (int) $result->fetch()['uid'];
|
108
|
103
|
|
109
|
|
- $result = db_query("SELECT created FROM system.usertoken WHERE uid={$uid}");
|
|
104
|
+ $result = db_query("SELECT created FROM system.usertoken WHERE uid=?", array($uid));
|
110
|
105
|
if ($result->rowCount() > 0) {
|
111
|
106
|
system_failure("Für Ihr Benutzerkonto ist bereits eine Passwort-Erinnerung versendet worden. Bitte wenden Sie sich an den Support wenn Sie diese nicht erhalten haben.");
|
112
|
107
|
}
|
113
|
108
|
|
114
|
|
- $token = random_string(16);
|
115
|
|
- db_query("INSERT INTO system.usertoken VALUES ({$uid}, NOW(), NOW() + INTERVAL 1 DAY, '{$token}')");
|
|
109
|
+ $args = array(":uid" => $uid,
|
|
110
|
+ ":token" => random_string(16));
|
|
111
|
+ db_query("INSERT INTO system.usertoken VALUES (:uid} NOW(), NOW() + INTERVAL 1 DAY, :token)", $args);
|
116
|
112
|
return true;
|
117
|
113
|
}
|
118
|
114
|
|
119
|
115
|
|
120
|
116
|
function emailaddress_for_user($username)
|
121
|
117
|
{
|
122
|
|
- $username = db_escape_string($username);
|
123
|
|
- $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
|
|
118
|
+ $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", array($username));
|
124
|
119
|
$data = $result->fetch();
|
125
|
120
|
return $data['email'];
|
126
|
121
|
}
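Review bot: The INSERT in create_token is broken by a typo on the new line `db_query("INSERT INTO system.usertoken VALUES (:uid} NOW(), NOW() + INTERVAL 1 DAY, :token)", $args);` — the `}` after `:uid` should be a comma, so the statement will not prepare and no reset token is ever stored; it should read `db_query("INSERT INTO system.usertoken VALUES (:uid, NOW(), NOW() + INTERVAL 1 DAY, :token)", $args);`. The removed line was a working interpolated query, so this hunk turns a functioning password-recovery path into one that always fails at the database layer. Separately, customer_has_email in the earlier hunk binds `:email` three times in a single statement; whether PDO accepts a repeated named placeholder depends on emulated prepares being enabled inside db_query, which is not visible here — if emulation is off, binding under distinct names (`:email1`, `:email2`, `:email3`) is the portable form.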
|
...
|
...
|
@@ -128,9 +123,8 @@ function emailaddress_for_user($username)
|
128
|
123
|
|
129
|
124
|
function get_customer_token($customerno)
|
130
|
125
|
{
|
131
|
|
- $customerno = (int) $customerno;
|
132
|
126
|
expire_tokens();
|
133
|
|
- $result = db_query("SELECT token FROM kundendaten.kunden WHERE id={$customerno} AND token IS NOT NULL;");
|
|
127
|
+ $result = db_query("SELECT token FROM kundendaten.kunden WHERE id=? AND token IS NOT NULL", array($customerno));
|
134
|
128
|
if ($result->rowCount() < 1)
|
135
|
129
|
system_failure("Kann das Token nicht auslesen!");
|
136
|
130
|
return $result->fetch(PDO::FETCH_OBJ)->token;
|
...
|
...
|
@@ -139,8 +133,7 @@ function get_customer_token($customerno)
|
139
|
133
|
|
140
|
134
|
function get_user_token($username)
|
141
|
135
|
{
|
142
|
|
- $username = db_escape_string($username);
|
143
|
|
- $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username='{$username}'");
|
|
136
|
+ $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username=?", array($username));
|
144
|
137
|
$tmp = $result->fetch();
|
145
|
138
|
return $tmp['token'];
|
146
|
139
|
}
|