Browse code
Modul index auf prepared statements umgestellt
Bernd Wurst authored on06/02/2014 09:30:25 Showing1 changed files
| ... | ... |
@@ -18,9 +18,9 @@ require_once('session/checkuser.php');
|
| 18 | 18 |
|
| 19 | 19 |
function user_customer_match($cust, $user) |
| 20 | 20 |
{
|
| 21 |
- $customerno = (int) $cust; |
|
| 22 |
- $username = db_escape_string($user); |
|
| 23 |
- $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde={$customerno} AND username='{$username}' AND kundenaccount=1;");
|
|
| 21 |
+ $args = array(":cid" => $cust,
|
|
| 22 |
+ ":user" => $user); |
|
| 23 |
+ $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde=:cid AND username=:user AND kundenaccount=1", $args);
|
|
| 24 | 24 |
if ($result->rowCount() > 0) |
| 25 | 25 |
return true; |
| 26 | 26 |
return false; |
| ... | ... |
@@ -30,9 +30,9 @@ function user_customer_match($cust, $user) |
| 30 | 30 |
|
| 31 | 31 |
function customer_has_email($customerno, $email) |
| 32 | 32 |
{
|
| 33 |
- $customerno = (int) $customerno; |
|
| 34 |
- $email = db_escape_string($email); |
|
| 35 |
- $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=".$customerno." AND (email='{$email}' OR email_extern='{$email}' OR email_rechnung='{$email}');");
|
|
| 33 |
+ $args = array(":cid" => $customerno,
|
|
| 34 |
+ ":email" => $email); |
|
| 35 |
+ $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND (email=:email OR email_extern=:email OR email_rechnung=:email)", $args);
|
|
| 36 | 36 |
return ($result->rowCount() > 0); |
| 37 | 37 |
} |
| 38 | 38 |
|
| ... | ... |
@@ -40,9 +40,9 @@ function customer_has_email($customerno, $email) |
| 40 | 40 |
function validate_token($customerno, $token) |
| 41 | 41 |
{
|
| 42 | 42 |
expire_tokens(); |
| 43 |
- $customerno = (int) $customerno; |
|
| 44 |
- $token = db_escape_string($token); |
|
| 45 |
- $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id={$customerno} AND token='{$token}';");
|
|
| 43 |
+ $args = array(":cid" => $customerno,
|
|
| 44 |
+ ":token" => $token); |
|
| 45 |
+ $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=:cid AND token=:token", $args);
|
|
| 46 | 46 |
return ($result->rowCount() > 0); |
| 47 | 47 |
} |
| 48 | 48 |
|
| ... | ... |
@@ -50,8 +50,7 @@ function validate_token($customerno, $token) |
| 50 | 50 |
function get_uid_for_token($token) |
| 51 | 51 |
{
|
| 52 | 52 |
expire_tokens(); |
| 53 |
- $token = db_escape_string($token); |
|
| 54 |
- $result = db_query("SELECT uid FROM system.usertoken WHERE token='{$token}';");
|
|
| 53 |
+ $result = db_query("SELECT uid FROM system.usertoken WHERE token=?", array($token));
|
|
| 55 | 54 |
if ($result->rowCount() == 0) {
|
| 56 | 55 |
return NULL; |
| 57 | 56 |
} |
| ... | ... |
@@ -61,8 +60,7 @@ function get_uid_for_token($token) |
| 61 | 60 |
|
| 62 | 61 |
function get_username_for_uid($uid) |
| 63 | 62 |
{
|
| 64 |
- $uid = (int) $uid; |
|
| 65 |
- $result = db_query("SELECT username FROM system.useraccounts WHERE uid={$uid}");
|
|
| 63 |
+ $result = db_query("SELECT username FROM system.useraccounts WHERE uid=?", array($uid));
|
|
| 66 | 64 |
if ($result->rowCount() != 1) {
|
| 67 | 65 |
system_failure("Unexpected number of users with this uid (!= 1)!");
|
| 68 | 66 |
} |
| ... | ... |
@@ -73,9 +71,9 @@ function get_username_for_uid($uid) |
| 73 | 71 |
function validate_uid_token($uid, $token) |
| 74 | 72 |
{
|
| 75 | 73 |
expire_tokens(); |
| 76 |
- $uid = (int) $uid; |
|
| 77 |
- $token = db_escape_string($token); |
|
| 78 |
- $result = db_query("SELECT NULL FROM system.usertoken WHERE uid={$uid} AND token='{$token}';");
|
|
| 74 |
+ $args = array(":uid" => $uid,
|
|
| 75 |
+ ":token" => $token); |
|
| 76 |
+ $result = db_query("SELECT NULL FROM system.usertoken WHERE uid=:uid AND token=:token", $args);
|
|
| 79 | 77 |
return ($result->rowCount() > 0); |
| 80 | 78 |
} |
| 81 | 79 |
|
| ... | ... |
@@ -89,38 +87,35 @@ function expire_tokens() |
| 89 | 87 |
|
| 90 | 88 |
function invalidate_customer_token($customerno) |
| 91 | 89 |
{
|
| 92 |
- $customerno = (int) $customerno; |
|
| 93 |
- db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id={$customerno} LIMIT 1;");
|
|
| 90 |
+ db_query("UPDATE kundendaten.kunden SET token=NULL, token_create=NULL WHERE id=?", array($customerno));
|
|
| 94 | 91 |
} |
| 95 | 92 |
|
| 96 | 93 |
function invalidate_systemuser_token($uid) |
| 97 | 94 |
{
|
| 98 |
- $uid = (int) $uid; |
|
| 99 |
- db_query("DELETE FROM system.usertoken WHERE uid={$uid} LIMIT 1;");
|
|
| 95 |
+ db_query("DELETE FROM system.usertoken WHERE uid=?", array($uid));
|
|
| 100 | 96 |
} |
| 101 | 97 |
|
| 102 | 98 |
function create_token($username) |
| 103 | 99 |
{
|
| 104 |
- $username = db_escape_string($username); |
|
| 105 | 100 |
expire_tokens(); |
| 106 |
- $result = db_query("SELECT uid FROM system.useraccounts WHERE username='{$username}'");
|
|
| 101 |
+ $result = db_query("SELECT uid FROM system.useraccounts WHERE username=?", array($username));
|
|
| 107 | 102 |
$uid = (int) $result->fetch()['uid']; |
| 108 | 103 |
|
| 109 |
- $result = db_query("SELECT created FROM system.usertoken WHERE uid={$uid}");
|
|
| 104 |
+ $result = db_query("SELECT created FROM system.usertoken WHERE uid=?", array($uid));
|
|
| 110 | 105 |
if ($result->rowCount() > 0) {
|
| 111 | 106 |
system_failure("Für Ihr Benutzerkonto ist bereits eine Passwort-Erinnerung versendet worden. Bitte wenden Sie sich an den Support wenn Sie diese nicht erhalten haben.");
|
| 112 | 107 |
} |
| 113 | 108 |
|
| 114 |
- $token = random_string(16); |
|
| 115 |
- db_query("INSERT INTO system.usertoken VALUES ({$uid}, NOW(), NOW() + INTERVAL 1 DAY, '{$token}')");
|
|
| 109 |
+ $args = array(":uid" => $uid,
|
|
| 110 |
+ ":token" => random_string(16)); |
|
| 111 |
+ db_query("INSERT INTO system.usertoken VALUES (:uid} NOW(), NOW() + INTERVAL 1 DAY, :token)", $args);
|
|
| 116 | 112 |
return true; |
| 117 | 113 |
} |
| 118 | 114 |
|
| 119 | 115 |
|
| 120 | 116 |
function emailaddress_for_user($username) |
| 121 | 117 |
{
|
| 122 |
- $username = db_escape_string($username); |
|
| 123 |
- $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
|
|
| 118 |
+ $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username=?", array($username));
|
|
| 124 | 119 |
$data = $result->fetch(); |
| 125 | 120 |
return $data['email']; |
| 126 | 121 |
} |
| ... | ... |
@@ -128,9 +123,8 @@ function emailaddress_for_user($username) |
| 128 | 123 |
|
| 129 | 124 |
function get_customer_token($customerno) |
| 130 | 125 |
{
|
| 131 |
- $customerno = (int) $customerno; |
|
| 132 | 126 |
expire_tokens(); |
| 133 |
- $result = db_query("SELECT token FROM kundendaten.kunden WHERE id={$customerno} AND token IS NOT NULL;");
|
|
| 127 |
+ $result = db_query("SELECT token FROM kundendaten.kunden WHERE id=? AND token IS NOT NULL", array($customerno));
|
|
| 134 | 128 |
if ($result->rowCount() < 1) |
| 135 | 129 |
system_failure("Kann das Token nicht auslesen!");
|
| 136 | 130 |
return $result->fetch(PDO::FETCH_OBJ)->token; |
| ... | ... |
@@ -139,8 +133,7 @@ function get_customer_token($customerno) |
| 139 | 133 |
|
| 140 | 134 |
function get_user_token($username) |
| 141 | 135 |
{
|
| 142 |
- $username = db_escape_string($username); |
|
| 143 |
- $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username='{$username}'");
|
|
| 136 |
+ $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username=?", array($username));
|
|
| 144 | 137 |
$tmp = $result->fetch(); |
| 145 | 138 |
return $tmp['token']; |
| 146 | 139 |
} |