Umstellung auf PDO-Datenbankverbindung (f1f231f) - webinterface.git

Umstellung auf PDO-Datenbankverbindung

Bernd Wurst commited on 2014-02-01 18:38:23
Zeige 39 geänderte Dateien mit 491 Einfügungen und 434 Löschungen.

certlogin/ajax.php fd52b89..1e2e0ac
certlogin/index.php 34c5aad..e0af199
class/customer.php be0cb53..9c9a5e4
class/database.php 0000000..53a4af6
class/domain.php bc8afe1..ffc8849
class/keksdata.php 95118a2..a1506e1
dispatch.php b0fc97b..c946f55
inc/base.php 6306cee..763b45f
inc/db_connect.php e2c594d..0000000
modules/adddomain/include/adddomain.php b5d467e..1dbec97
modules/crm/include/crm.php a097ebc..a62496b
modules/dns/include/dnsinclude.php 2c13f55..51bcc7b
modules/domains/include/domains.php c719818..52252e3
modules/email/include/hasaccount.php 92d3ef8..cb47ba0
modules/email/include/hasdomain.php bbd4b9b..22769ae
modules/email/include/mailaccounts.php 7d9979e..e264d8c
modules/email/include/vmail.php 3d1d87d..c32e2ec
modules/ftpusers/include/ftpusers.php 90d992e..570cdea
modules/greylisting/include/greylisting.php ee3abf7..a96b120
modules/index/include/newpass.php 09baaec..ab599e5
modules/index/include/x509.php 83d059c..c015e0b
modules/invoice/include/invoice.php 3af50cc..60174af
modules/invoice/sepamandat_copydata.php 131a97c..d205987
modules/jabber/include/jabberaccounts.php 27dc243..256621d
modules/mailman/include/mailman.php 5b10552..7f43e44
modules/mysql/include/mysql.php bd7a5a4..0693223
modules/newsletter/includes/newsletter.php c9643f2..5df4a57
modules/register/include/newpass.php 82deab7..ac1ec2c
modules/register/include/register.php 69a96b5..0132019
modules/su/include/su.php 871e9f1..64b2a2b
modules/subusers/include/subuser.php a89fd5d..21cf9be
modules/systemuser/include/useraccounts.php 092c653..05a49c8
modules/vhosts/include/certs.php 99489d6..4054cbb
modules/vhosts/include/vhosts.php 1e798ee..0b2d8c7
modules/webapps/freewvs.php 27ab0a7..b33cc57
modules/webapps/include/freewvs.php 1407251..ed78b4c
modules/webapps/include/webapp-installer.php 6905838..60fae42
modules/webmailtotp/include/totp.php 997b431..3dd5d7a
session/checkuser.php 12d5982..8e9e8d0

certlogin/ajax.php

@@ -39,14 +39,14 @@ function prepare_cert($cert)
 
 function get_logins_by_cert($cert) 
 {
-	$cert = mysql_real_escape_string(prepare_cert($cert));
+	$cert = db_escape_string(prepare_cert($cert));
 	$query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
 	$result = db_query($query);
-	if (mysql_num_rows($result) < 1)
+	if ($result->rowCount() < 1)
 		return NULL;
 	else {
 		$ret = array();
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch()) {
 			$ret[] = $row;
 		}
 		return $ret;

certlogin/index.php

Zeige Datei @ f1f231f

@@ -39,14 +39,14 @@ function prepare_cert($cert)
 
 function get_logins_by_cert($cert) 
 {
-	$cert = mysql_real_escape_string(prepare_cert($cert));
+	$cert = db_escape_string(prepare_cert($cert));
 	$query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
 	$result = db_query($query);
-	if (mysql_num_rows($result) < 1)
+	if ($result->rowCount() < 1)
 		return NULL;
 	else {
 		$ret = array();
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch()) {
 			$ret[] = $row;
 		}
 		return $ret;

class/customer.php

Zeige Datei @ f1f231f

@@ -14,7 +14,6 @@ http://creativecommons.org/publicdomain/zero/1.0/
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
-require_once('inc/db_connect.php');
 require_once('inc/base.php');
 require_once('inc/debug.php');
 

class/database.php

Zeige Datei @ f1f231f

...	...	@@ -0,0 +1,119 @@
	1	+<?php
	2	+/*
	3	+This file belongs to the Webinterface of schokokeks.org Hosting
	4	+
	5	+Written 2008-2013 by schokokeks.org Hosting, namely
	6	+ Bernd Wurst <bernd@schokokeks.org>
	7	+ Hanno Böck <hanno@schokokeks.org>
	8	+
	9	+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
	10	+
	11	+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see
	12	+http://creativecommons.org/publicdomain/zero/1.0/
	13	+
	14	+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
	15	+*/
	16	+
	17	+require_once('inc/base.php');
	18	+require_once('inc/error.php');
	19	+require_once('inc/debug.php');
	20	+
	21	+
	22	+class DB extends PDO {
	23	+ function __construct() {
	24	+ $dsn = "mysql:host=".config('db_host');
	25	+ if (config('db_port', true)) {
	26	+ $dsn .= ';port='.config('db_port', true);
	27	+ }
	28	+ $username = config('db_user', true);
	29	+ $password = config('db_pass', true);
	30	+ parent::__construct($dsn, $username, $password);
	31	+ }
	32	+
	33	+
	34	+ /*
	35	+ Wenn Parameter übergeben werden, werden Queries immer als Prepared statements übertragen
	36	+ */
	37	+ function query($stmt, $params = NULL) {
	38	+ if (is_array($params)) {
	39	+ $response = parent::prepare($stmt);
	40	+ $response->execute($params);
	41	+ return $response;
	42	+ } else {
	43	+ return parent::query($stmt);
	44	+ }
	45	+ }
	46	+}
	47	+
	48	+
	49	+/* FIXME
	50	+ Das ist etwas unelegant. Soll nur übergangsweise verwendet werden bis alles auf prepared statements umgestellt ist
	51	+*/
	52	+function db_escape_string($string)
	53	+{
	54	+ global $db;
	55	+ __ensure_connected();
	56	+ $quoted = $db->quote($string);
	57	+ // entferne die quotes, damit wird es drop-in-Kompatibel zu db_escape_string()
	58	+ $ret = substr($quoted, 1, -1);
	59	+ return $ret;
	60	+}
	61	+
	62	+
	63	+function db_insert_id()
	64	+{
	65	+ global $db;
	66	+ __ensure_connected();
	67	+ return $db->lastInsertId();
	68	+}
	69	+
	70	+
	71	+function __ensure_connected()
	72	+{
	73	+ /*
	74	+ Dieses Kontrukt ist vermultich noch schlimmer als ein normales singleton
	75	+ aber es hilft uns in unserem prozeduralen Kontext
	76	+ */
	77	+ global $db;
	78	+ if (! isset($db)) {
	79	+ try {
	80	+ DEBUG("Neue Datenbankverbindung!");
	81	+ $db = new DB();
	82	+ $db->query("SET NAMES utf8");
	83	+ $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
	84	+ $db->setAttribute(PDO::ATTR_AUTOCOMMIT, true);
	85	+ } catch (PDOException $e) {
	86	+ global $debugmode;
	87	+ if ($debugmode) {
	88	+ system_failure("MySQL-Fehler: ".$e->getMessage());
	89	+ } else {
	90	+ system_failure("Fehler bei der Datenbankverbindung!");
	91	+ }
	92	+ }
	93	+ }
	94	+}
	95	+
	96	+
	97	+function db_query($stmt, $params = NULL)
	98	+{
	99	+ global $db;
	100	+ __ensure_connected();
	101	+ DEBUG($stmt);
	102	+ if ($params) {
	103	+ DEBUG($params);
	104	+ }
	105	+ try {
	106	+ $result = $db->query($stmt, $params);
	107	+ DEBUG('=> '.$result->rowCount().' rows');
	108	+ } catch (PDOException $e) {
	109	+ global $debugmode;
	110	+ if ($debugmode) {
	111	+ system_failure("MySQL-Fehler: ".$e->getMessage());
	112	+ } else {
	113	+ system_failure("Datenbankfehler");
	114	+ }
	115	+ }
	116	+ return $result;
	117	+}
	118	+
	119	+

class/domain.php

Zeige Datei @ f1f231f

@@ -14,7 +14,6 @@ http://creativecommons.org/publicdomain/zero/1.0/
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
-require_once('inc/db_connect.php');
 require_once('inc/base.php');
 require_once('inc/debug.php');
 
@@ -42,7 +41,7 @@ class Domain extends KeksData
 
   function loadByName($name)
   {
-    $name = mysql_real_escape_string($name);
+    $name = db_escape_string($name);
     $res = $this->getData("*", "CONCAT_WS('.', domainname, tld)='{$name}' LIMIT 1");
     if (count($res) < 1)
       return false;
@@ -112,9 +111,9 @@ function get_domain_list($customerno, $uid = NULL)
   $query .= " ORDER BY domainname,tld";
   $result = db_query($query);
   $domains = array();
-  DEBUG('Result set is '.mysql_num_rows($result)." rows.<br />\n");
-  if (mysql_num_rows($result) > 0)
-    while ($domain = mysql_fetch_object($result))
+  DEBUG('Result set is '.$result->rowCount()." rows.<br />\n");
+  if ($result->rowCount() > 0)
+    while ($domain = $result->fetch(PDO::FETCH_OBJ))
       array_push($domains, new Domain((int) $domain->id));
   DEBUG($domains);
 	return $domains;	

class/keksdata.php

Zeige Datei @ f1f231f

@@ -14,7 +14,6 @@ http://creativecommons.org/publicdomain/zero/1.0/
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
-require_once('inc/db_connect.php');
 require_once('inc/base.php');
 require_once('inc/debug.php');
 
@@ -57,7 +56,7 @@ abstract class KeksData
   {
     $fields = array();
     $res = db_query("DESCRIBE {$this->default_table}");
-    while ($f = mysql_fetch_object($res))
+    while ($f = $res->fetch(PDO::FETCH_OBJ))
     {
       $fields[$f->Field] = $f->Default;
     }
@@ -80,7 +79,7 @@ abstract class KeksData
     
     $res = db_query("SELECT {$fields} FROM {$table} {$where}");
     $return = array();
-    while ($arr = mysql_fetch_assoc($res))
+    while ($arr = $res->fetch())
       array_push($return, $arr);
     return $return;
   }
@@ -102,7 +101,7 @@ abstract class KeksData
     $upd = array();
     foreach ($this->changes as $key => $value)
     {
-      $value = mysql_real_escape_string($value);
+      $value = db_escape_string($value);
       array_push($upd, "`{$key}`='{$value}'");
     }
     db_query("UPDATE {$this->default_table} SET ".implode(', ', $upd)." WHERE id={$this->data['id']};");

dispatch.php

Zeige Datei @ f1f231f

@@ -17,7 +17,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 
 require_once('config.php');
 require_once('inc/debug.php');
-require_once('inc/db_connect.php');
 require_once("inc/base.php");
 require_once("inc/theme.php");
 

inc/base.php

Zeige Datei @ f1f231f

@@ -14,7 +14,7 @@ http://creativecommons.org/publicdomain/zero/1.0/
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
-require_once('inc/db_connect.php');
+require_once('class/database.php');
 require_once('inc/debug.php');
 
 function config($key)
@@ -36,9 +36,9 @@ function config($key)
     return $config[$key];
   
   /* read configuration from database */
-  $options = db_query( "SELECT `key`, value FROM misc.config" );
+  $result = db_query( "SELECT `key`, value FROM misc.config" );
   
-  while( $object = mysql_fetch_assoc( $options ) ) {
+  while( $object = $result->fetch() ) {
     if (!array_key_exists($object['key'], $config)) {
 	    $config[$object['key']]=$object['value'];
     }
@@ -56,8 +56,9 @@ function config($key)
 
 function get_server_by_id($id) {
   $id = (int) $id;
-  $result = mysql_fetch_assoc(db_query("SELECT hostname FROM system.servers WHERE id='{$id}'"));
-  return $result['hostname'];
+  $result = db_query("SELECT hostname FROM system.servers WHERE id='{$id}'");
+  $ret = $result->fetch();
+  return $ret['hostname'];
 }
 
 
@@ -74,7 +75,7 @@ function my_server_id()
 {
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT server FROM system.useraccounts WHERE uid={$uid}");
-  $r = mysql_fetch_assoc($result);
+  $r = $result->fetch();
   DEBUG($r);
   return $r['server'];
 }
@@ -85,7 +86,7 @@ function additional_servers()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT server FROM system.user_server WHERE uid={$uid}");
   $servers = array();
-  while ($s = mysql_fetch_assoc($result))
+  while ($s = $result->fetch())
     $servers[] = $s['server'];
   DEBUG($servers);
   return $servers;
@@ -96,39 +97,22 @@ function server_names()
 {
   $result = db_query("SELECT id, hostname FROM system.servers");
   $servers = array();
-  while ($s = mysql_fetch_assoc($result))
+  while ($s = $result->fetch())
     $servers[$s['id']] = $s['hostname'];
   DEBUG($servers);
   return $servers;
 }
 
 
-function db_query($query)
-{
-  DEBUG($query);
-  $result = @mysql_query($query);
-  if (mysql_error())
-  {
-    $error = mysql_error();
-    logger(LOG_ERR, "inc/base", "dberror", "mysql error: {$error}");
-    system_failure('Interner Datenbankfehler: »'.iconv('ISO-8859-1', 'UTF-8', $error).'«.');
-  }
-  $count = @mysql_num_rows($result);
-  if (! $count)
-    $count = 'no';
-  DEBUG("=> {$count} rows");
-  return $result; 
-}
-
-
-
+// FIXME
+// Diese Funktion funktioniert nicht für preprared statements
 function maybe_null($value)
 {
   if ($value == NULL)
     return 'NULL';
 
   if (strlen( (string) $value ) > 0)
-    return "'".mysql_real_escape_string($value)."'";
+    return "'".db_escape_string($value)."'";
   else
     return 'NULL';
 }
@@ -148,11 +133,11 @@ function logger($severity, $scriptname, $scope, $message)
   elseif ($_SESSION['role'] & ROLE_CUSTOMER)
     $user = "'{$_SESSION['customerinfo']['customerno']}'";
   
-  $remote = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
+  $remote = db_escape_string($_SERVER['REMOTE_ADDR']);
 
-  $scriptname = mysql_real_escape_string($scriptname);
-  $scope = mysql_real_escape_string($scope);
-  $message = mysql_real_escape_string($message);
+  $scriptname = db_escape_string($scriptname);
+  $scope = db_escape_string($scope);
+  $message = db_escape_string($message);
 
   db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES ('{$remote}', {$user}, '{$scriptname}', '{$scope}', '{$message}');");
 }

inc/db_connect.php

Zeige Datei @ 4a4082f

@@ -1,33 +0,0 @@
                         -<?php
                         -/*
                         -This file belongs to the Webinterface of schokokeks.org Hosting
+                        -
                         -Written 2008-2013 by schokokeks.org Hosting, namely
                         -  Bernd Wurst <bernd@schokokeks.org>
                         -  Hanno Böck <hanno@schokokeks.org>
+                        -
                         -To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
+                        -
                         -You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see
                         -http://creativecommons.org/publicdomain/zero/1.0/
+                        -
                         -Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
                         -*/
+                        -
                         -require_once('inc/error.php');
+                        -
                         -include("config.php");
                         -global $config;
+                        -
                         -$host = $config['db_host'];
                         -if ($config['db_port']) {
                         -  $host .= ":".$config['db_port'];
                         -}
+                        -
                         -if (!@mysql_connect($host, $config['db_user'], $config['db_pass']))
                         -	die('Konnte nicht zur Datenbank verbinden. Wenn dieser Fehler wiederholt auftritt, beachrichtigen Sie bitte den Administrator.');
+                        -
                         -if (!@mysql_query('SET NAMES utf8'))
                         -	die('Fehler bei der Auswahl der Zeichencodierung. Bitte melden Sie diesen Fehler einem Administrator!');
+                        -
                         -?>

modules/adddomain/include/adddomain.php

Zeige Datei @ f1f231f

@@ -15,7 +15,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 */
 
 require_once('inc/debug.php');
-require_once('inc/db_connect.php');
 require_once('inc/base.php');
 require_once('inc/security.php');
 require_once('inc/error.php');
@@ -38,14 +37,14 @@ function get_domain_offer($domainname)
   $data = array("domainname" => $domainname, "basename" => $basename, "tld" => $tld);
 
   $result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise_kunde WHERE kunde={$cid} AND tld='{$tld}' AND ruecksprache='N'");
-  if (mysql_num_rows($result) != 1) {
+  if ($result->rowCount() != 1) {
     $result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise WHERE tld='{$tld}' AND ruecksprache='N'");
   }
-  if (mysql_num_rows($result) != 1) {
+  if ($result->rowCount() != 1) {
     warning('Die Endung »'.$tld.'« steht zur automatischen Eintragung nicht zur Verfügung.');
     return;
   }
-  $temp = mysql_fetch_assoc($result);
+  $temp = $result->fetch();
   $data["gebuehr"] = $temp["gebuehr"];
   $data["setup"] = ($temp["setup"] ? $temp["setup"] : 0.0);
   
@@ -93,7 +92,7 @@ function list_useraccounts()
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT uid,username,name FROM system.useraccounts WHERE kunde={$customerno}");
   $ret = array();
-  while ($item = mysql_fetch_assoc($result))
+  while ($item = $result->fetch())
   {
     $ret[] = $item;
   }

modules/crm/include/crm.php

Zeige Datei @ f1f231f

@@ -19,7 +19,7 @@ require_once('inc/base.php');
 
 function find_customers($string) 
 {
-  $string = mysql_real_escape_string(chop($string));
+  $string = db_escape_string(chop($string));
   $return = array();
   $result = db_query("SELECT k.id FROM kundendaten.kunden AS k LEFT JOIN kundendaten.kundenkontakt AS kk ".
                      "ON (kk.kundennr = k.id) LEFT JOIN system.useraccounts AS u ON (k.id=u.kunde) WHERE ".
@@ -30,7 +30,7 @@ function find_customers($string)
                      "notizen LIKE '%{$string}%' OR kk.name LIKE '%{$string}%' OR ".
                      "kk.wert LIKE '%{$string}%' OR u.name LIKE '%{$string}%' OR ".
                      "u.username LIKE '%{$string}%' OR k.id='{$string}' OR u.uid='{$string}';");
-  while ($entry = mysql_fetch_assoc($result))
+  while ($entry = $result->fetch())
     $return[] = $entry['id'];
 
   return $return;
@@ -43,7 +43,7 @@ function find_users_for_customer($id)
   $return = array();
   $result = db_query("SELECT uid, username FROM system.useraccounts WHERE ".
                      "kunde='{$id}';");
-  while ($entry = mysql_fetch_assoc($result))
+  while ($entry = $result->fetch())
     $return[$entry['uid']] = $entry['username'];
 
   return $return;
@@ -56,7 +56,7 @@ function hosting_contracts($cid)
   $cid = (int) $cid;
   $result = db_query("SELECT u.username, werber, beschreibung, betrag, brutto, monate, anzahl, startdatum, startdatum + INTERVAL laufzeit MONTH - INTERVAL 1 DAY AS mindestlaufzeit, kuendigungsdatum, gesperrt, notizen FROM kundendaten.hosting AS h LEFT JOIN system.useraccounts AS u ON (h.hauptuser=u.uid) WHERE h.kunde=".$cid);
   $ret = array();
-  while ($x = mysql_fetch_assoc($result))
+  while ($x = $result->fetch())
     array_push($ret, $x);
   DEBUG($ret);
 

modules/dns/include/dnsinclude.php

Zeige Datei @ f1f231f

@@ -15,7 +15,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 */
 
 require_once('inc/debug.php');
-require_once('inc/db_connect.php');
 require_once('inc/base.php');
 require_once('inc/security.php');
 require_once('inc/error.php');
@@ -28,7 +27,7 @@ function get_dyndns_accounts()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT * FROM dns.dyndns WHERE uid={$uid}");
   $list = array();
-  while ($item = mysql_fetch_assoc($result)) {
+  while ($item = $result->fetch()) {
     array_push($list, $item);
   }
   DEBUG($list);
@@ -41,11 +40,11 @@ function get_dyndns_account($id)
   $id = (int) $id;
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT * FROM dns.dyndns WHERE id={$id} AND uid={$uid}");
-  if (mysql_num_rows($result) != 1) {
+  if ($result->rowCount() != 1) {
     logger(LOG_WARNING, "modules/dns/include/dnsinclude", "dyndns", "account »{$id}« invalid for uid »{$uid}«.");
     system_failure("Account ungültig");
   }
-  $item = mysql_fetch_assoc($result);
+  $item = $result->fetch();
   DEBUG($item);
   return $item;
 }
@@ -58,8 +57,8 @@ function create_dyndns_account($handle, $password_http, $sshkey)
   if ($password_http == '' && $sshkey == '')
     system_failure('Sie müssen entweder einen SSH-Key oder ein Passwort zum Web-Update eingeben.');  
 
-  $handle = maybe_null(mysql_real_escape_string(filter_input_username($handle)));
-  $sshkey = maybe_null(mysql_real_escape_string(filter_input_general($sshkey)));
+  $handle = maybe_null(db_escape_string(filter_input_username($handle)));
+  $sshkey = maybe_null(db_escape_string(filter_input_general($sshkey)));
 
   $pwhash = 'NULL';
   if ($password_http)
@@ -73,8 +72,8 @@ function create_dyndns_account($handle, $password_http, $sshkey)
 function edit_dyndns_account($id, $handle, $password_http, $sshkey)
 {
   $id = (int) $id;
-  $handle = maybe_null(mysql_real_escape_string(filter_input_username($handle)));
-  $sshkey = maybe_null(mysql_real_escape_string(filter_input_general($sshkey)));
+  $handle = maybe_null(db_escape_string(filter_input_username($handle)));
+  $sshkey = maybe_null(db_escape_string(filter_input_general($sshkey)));
 
   $pwhash = 'NULL';
   if ($password_http)
@@ -104,7 +103,7 @@ function get_dyndns_records($id)
   $id = (int) $id;
   $result = db_query("SELECT hostname, domain, type, ttl, lastchange, id FROM dns.custom_records WHERE dyndns={$id}");
   $data = array();
-  while ($entry = mysql_fetch_assoc($result)) {
+  while ($entry = $result->fetch()) {
     $dom = new Domain((int) $entry['domain']);
     $dom->ensure_userdomain();
     $entry['fqdn'] = $entry['hostname'].'.'.$dom->fqdn;
@@ -144,9 +143,9 @@ function get_dns_record($id)
 {
   $id = (int) $id;
   $result = db_query("SELECT hostname, domain, type, ip, dyndns, spec, data, ttl FROM dns.custom_records WHERE id={$id}");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure('illegal ID');
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   $dom = new Domain( (int) $data['domain']);
   $dom->ensure_userdomain();
   DEBUG($data);
@@ -159,7 +158,7 @@ function get_domain_records($dom)
   $dom = (int) $dom;
   $result = db_query("SELECT hostname, domain, type, ip, dyndns, spec, data, ttl, id FROM dns.custom_records WHERE domain={$dom}");
   $data = array();
-  while ($entry = mysql_fetch_assoc($result)) {
+  while ($entry = $result->fetch()) {
     $dom = new Domain((int) $entry['domain']);
     $dom->ensure_userdomain();
     $entry['fqdn'] = $entry['hostname'].'.'.$dom->fqdn;
@@ -173,11 +172,11 @@ function get_domain_records($dom)
 
 function get_domain_auto_records($domainname)
 {
-  $domainname = mysql_real_escape_string($domainname);
+  $domainname = db_escape_string($domainname);
   //$result = db_query("SELECT hostname, domain, CONCAT_WS('.', hostname, domain) AS fqdn, type, ip, spec, data, TRIM(ttl) FROM dns.v_autogenerated_records WHERE domain='{$domainname}'");
   $result = db_query("SELECT hostname, domain, CONCAT_WS('.', hostname, domain) AS fqdn, type, ip, spec, data, ttl FROM dns.tmp_autorecords WHERE domain='{$domainname}'");
   $data = array();
-  while ($entry = mysql_fetch_assoc($result)) {
+  while ($entry = $result->fetch()) {
     array_push($data, $entry);
   }
   DEBUG($data);
@@ -329,7 +328,7 @@ function domain_is_maildomain($domain)
 {
   $domain = (int) $domain;
   $result = db_query("SELECT mail FROM kundendaten.domains WHERE id={$domain}");
-  $dom = mysql_fetch_assoc($result);
+  $dom = $result->fetch();
   return ($dom['mail'] != 'none');
 }
 

modules/domains/include/domains.php

Zeige Datei @ f1f231f

@@ -27,7 +27,7 @@ function mailman_subdomains($domain)
   $domain = (int) $domain;
   $result = db_query("SELECT id, hostname FROM mail.mailman_domains WHERE domain={$domain}");
   $ret = array();
-  while ($line = mysql_fetch_assoc($result))
+  while ($line = $result->fetch())
   {
     $ret[] = $line;
   }
@@ -40,7 +40,7 @@ function dns_in_use($domain)
     return false;
   $domain = (int) $domain;
   $result = db_query("SELECT id FROM dns.custom_records WHERE domain={$domain}");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 
@@ -52,16 +52,16 @@ function mail_in_use($domain)
   }
   $domain = (int) $domain;
   $result = db_query("SELECT mail FROM kundendaten.domains WHERE id={$domain}");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
     system_failure("Domain not found");
-  $d = mysql_fetch_assoc($result);
+  $d = $result->fetch();
   if ($d['mail'] == 'none')
     return false; // manually disabled
   $result = db_query("SELECT id FROM mail.virtual_mail_domains WHERE domain={$domain}");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
     return true; // .courier
   $result = db_query("SELECT acc.id FROM mail.vmail_accounts acc LEFT JOIN mail.virtual_mail_domains dom ON (acc.domain=dom.id) WHERE dom.domain={$domain}");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 function web_in_use($domain)
@@ -72,12 +72,12 @@ function web_in_use($domain)
   $domain = (int) $domain;
 
   $result = db_query("SELECT id FROM kundendaten.domains WHERE id={$domain} AND webserver=1");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
     return false;
 
   $result = db_query("SELECT id FROM vhosts.vhost WHERE domain={$domain}");
   $result2 = db_query("SELECT id FROM vhosts.alias WHERE domain={$domain}");
-  return (mysql_num_rows($result) > 0 || mysql_num_rows($result2) > 0);
+  return ($result->rowCount() > 0 || $result2->rowCount() > 0);
 }
 
 

modules/email/include/hasaccount.php

Zeige Datei @ f1f231f

@@ -20,8 +20,8 @@ function user_has_accounts()
 {
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id from `mail`.`mailaccounts` WHERE uid=$uid");
-  DEBUG(mysql_num_rows($result)." accounts");
-  return (mysql_num_rows($result) > 0);
+  DEBUG($result->rowCount()." accounts");
+  return ($result->rowCount() > 0);
 }
 
 if (! function_exists("user_has_vmail_domain"))
@@ -34,7 +34,7 @@ if (! function_exists("user_has_vmail_domain"))
         }
         $uid = (int) $_SESSION['userinfo']['uid'];
         $result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount='{$uid}'");
-        $row = mysql_fetch_array($result);
+        $row = $result->fetch();
         $count = $row[0];
         DEBUG("User has {$count} vmail-domains");
         return ( (int) $count > 0 );

modules/email/include/hasdomain.php

Zeige Datei @ f1f231f

@@ -24,7 +24,7 @@ if (! function_exists("user_has_vmail_domain"))
 	}
 	$uid = (int) $_SESSION['userinfo']['uid'];
 	$result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount='{$uid}'");
-	$row = mysql_fetch_array($result);
+	$row = $result->fetch();
 	$count = $row[0];
 	DEBUG("User has {$count} vmail-domains");
 	return ( (int) $count > 0 );
@@ -42,7 +42,7 @@ if (! function_exists("user_has_dotcourier_domain"))
 	$uid = (int) $_SESSION['userinfo']['uid'];
 	$result = db_query("select 1 from mail.custom_mappings as c left join mail.v_domains as d on (d.id=c.domain) where d.user={$uid} or c.uid={$uid} UNION ". 
             "SELECT 1 FROM mail.v_domains AS d WHERE d.user={$uid} AND d.id != ALL(SELECT domain FROM mail.virtual_mail_domains);");
-  $ret = (mysql_num_rows($result) > 0);
+  $ret = ($result->rowCount() > 0);
   if ($ret)
     DEBUG("User {$uid} has dotcourier-domains");
   return $ret;

modules/email/include/mailaccounts.php

Zeige Datei @ f1f231f

@@ -15,7 +15,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 */
 
 require_once('inc/debug.php');
-require_once('inc/db_connect.php');
 require_once('inc/base.php');
 require_once('inc/security.php');
 
@@ -27,10 +26,10 @@ function mailaccounts($uid)
 {
   $uid = (int) $uid;
   $result = db_query("SELECT m.id,concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.uid=$uid ORDER BY if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`), local");
-  DEBUG("Found ".@mysql_num_rows($result)." rows!");
+  DEBUG("Found ".@$result->rowCount()." rows!");
   $accounts = array();
-  if (@mysql_num_rows($result) > 0)
-    while ($acc = @mysql_fetch_object($result))
+  if (@$result->rowCount() > 0)
+    while ($acc = @$result->fetch(PDO::FETCH_OBJ))
       array_push($accounts, array('id'=> $acc->id, 'account' => $acc->account, 'mailbox' => $acc->maildir, 'cryptpass' => $acc->cryptpass, 'enabled' => ($acc->aktiv == 1)));
   return $accounts;
 }
@@ -40,10 +39,10 @@ function get_mailaccount($id)
   $id = (int) $id;
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.id=$id AND m.uid={$uid}");
-  DEBUG("Found ".mysql_num_rows($result)." rows!");
-  if (mysql_num_rows($result) != 1)
+  DEBUG("Found ".$result->rowCount()." rows!");
+  if ($result->rowCount() != 1)
     system_failure('Dieser Mailaccount existiert nicht oder gehört Ihnen nicht');
-  $acc = mysql_fetch_object($result);
+  $acc = $result->fetch(PDO::FETCH_OBJ);
   $ret = array('account' => $acc->account, 'mailbox' => $acc->maildir,  'enabled' => ($acc->aktiv == 1));
   DEBUG(print_r($ret, true));
   return $ret;
@@ -73,13 +72,13 @@ function change_mailaccount($id, $arr)
         array_push($conditions, "domain={$domain->id}");
       }
     }
-    array_push($conditions, "local='".mysql_real_escape_string($local)."'");
+    array_push($conditions, "local='".db_escape_string($local)."'");
   }
   if (isset($arr['mailbox']))
     if ($arr['mailbox'] == '')
       array_push($conditions, "`maildir`=NULL");
     else
-      array_push($conditions, "`maildir`='".mysql_real_escape_string($arr['mailbox'])."'");
+      array_push($conditions, "`maildir`='".db_escape_string($arr['mailbox'])."'");
 
   if (isset($arr['password']))
   {
@@ -121,13 +120,13 @@ function create_mailaccount($arr)
     }
   }
 
-  $values['local'] = "'".mysql_real_escape_string($local)."'";
+  $values['local'] = "'".db_escape_string($local)."'";
 
   if (isset($arr['mailbox']))
     if ($arr['mailbox'] == '')
       $values['maildir'] = 'NULL';
     else
-      $values['maildir']= "'".mysql_real_escape_string($arr['mailbox'])."'";
+      $values['maildir']= "'".db_escape_string($arr['mailbox'])."'";
 
 
   if (isset($arr['password']))
@@ -149,13 +148,13 @@ function get_mailaccount_id($accountname)
 {
   list($local, $domain) = explode('@', $accountname, 2);
 
-  $local = mysql_real_escape_string($local);
-  $domain = mysql_real_escape_string($domain);
+  $local = db_escape_string($local);
+  $domain = db_escape_string($domain);
 
   $result = db_query("SELECT acc.id FROM mail.mailaccounts AS acc LEFT JOIN mail.v_domains AS dom ON (dom.id=acc.domain) WHERE local='{$local}' AND dom.domainname='{$domain}'");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure('account nicht eindeutig');
-  $acc = mysql_fetch_assoc($result);
+  $acc = $result->fetch();
   return $acc['id'];
 }
     
@@ -214,7 +213,7 @@ function imap_on_vmail_domain()
 {
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT m.id FROM mail.mailaccounts AS m INNER JOIN mail.virtual_mail_domains AS vd USING (domain) WHERE m.uid={$uid}");
-  if (mysql_num_rows($result) > 0)
+  if ($result->rowCount() > 0)
     return true;
   return false;
 }
@@ -224,11 +223,11 @@ function user_has_only_vmail_domains()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id FROM mail.v_vmail_domains WHERE useraccount={$uid}");
   // User hat keine VMail-Domains
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     return false;
   $result = db_query("SELECT d.id FROM mail.v_domains AS d LEFT JOIN mail.v_vmail_domains AS vd USING (domainname) WHERE vd.id IS NULL AND d.user={$uid}");
   // User hat keine Domains die nicht vmail-Domains sind
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     return true;
   return false;
 }

modules/email/include/vmail.php

Zeige Datei @ f1f231f

@@ -58,9 +58,9 @@ Ihre E-Mail wird nicht weitergeleitet.',
 
 function get_vmail_id_by_emailaddr($emailaddr) 
 {
-  $emailaddr = mysql_real_escape_string( $emailaddr );
+  $emailaddr = db_escape_string( $emailaddr );
   $result = db_query("SELECT id FROM mail.v_vmail_accounts WHERE CONCAT(local, '@', domainname) = '{$emailaddr}'");
-  $entry = mysql_fetch_assoc($result);
+  $entry = $result->fetch();
   return (int) $entry['id'];
 }
 
@@ -74,10 +74,10 @@ function get_account_details($id, $checkuid = true)
     $uid_check = "useraccount='{$uid}' AND ";
   }
   $result = db_query("SELECT id, local, domain, password, spamfilter, forwards, autoresponder, server, quota, COALESCE(quota_used, 0) AS quota_used, quota_threshold from mail.v_vmail_accounts WHERE {$uid_check}id={$id} LIMIT 1");
-	if (mysql_num_rows($result) == 0)
+	if ($result->rowCount() == 0)
 		system_failure('Ungültige ID oder kein eigener Account');
 	$acc = empty_account();
-	$res = mysql_fetch_assoc($result);
+	$res = $result->fetch();
 	foreach ($res AS $key => $value) {
 	  if ($key == 'forwards')
 	    continue;
@@ -85,13 +85,13 @@ function get_account_details($id, $checkuid = true)
 	}
 	if ($acc['forwards'] > 0) {
 	  $result = db_query("SELECT id, spamfilter, destination FROM mail.vmail_forward WHERE account={$acc['id']};");
-	  while ($item = mysql_fetch_assoc($result)){
+	  while ($item = $result->fetch()){
 	    array_push($acc['forwards'], array("id" => $item['id'], 'spamfilter' => $item['spamfilter'], 'destination' => $item['destination']));
 	  }
 	}
   if ($acc['autoresponder'] > 0) {
     $result = db_query("SELECT id, IF(valid_from IS NULL OR valid_from > NOW() OR valid_until < NOW(), 0, 1) AS active, DATE(valid_from) AS valid_from, DATE(valid_until) AS valid_until, fromname, fromaddr, subject, message, quote FROM mail.vmail_autoresponder WHERE account={$acc['id']}");
-    $item = mysql_fetch_assoc($result);
+    $item = $result->fetch();
     DEBUG($item);
     $acc['autoresponder'] = $item;
   } else {
@@ -108,7 +108,7 @@ function get_vmail_accounts()
 	$uid = (int) $_SESSION['userinfo']['uid'];
 	$result = db_query("SELECT * from mail.v_vmail_accounts WHERE useraccount='{$uid}' ORDER BY domainname,local ASC");
 	$ret = array();
-	while ($line = mysql_fetch_assoc($result))
+	while ($line = $result->fetch())
 	{
 		array_push($ret, $line);
 	}
@@ -122,10 +122,10 @@ function get_vmail_domains()
 {
 	$uid = (int) $_SESSION['userinfo']['uid'];
 	$result = db_query("SELECT id, domainname, server FROM mail.v_vmail_domains WHERE useraccount='{$uid}' ORDER BY domainname");
-	if (mysql_num_rows($result) == 0)
+	if ($result->rowCount() == 0)
 		system_failure('Sie haben keine Domains für virtuelle Mail-Verarbeitung');
 	$ret = array();
-	while ($tmp = mysql_fetch_assoc($result))
+	while ($tmp = $result->fetch())
 		array_push($ret, $tmp);
 	return $ret;
 }
@@ -133,7 +133,7 @@ function get_vmail_domains()
 
 function find_account_id($accname)
 {
-  $accname = mysql_real_escape_string($accname);
+  $accname = db_escape_string($accname);
   DEBUG($accname);
   $tmp = explode('@', $accname, 2);
   DEBUG($tmp);
@@ -142,9 +142,9 @@ function find_account_id($accname)
   list( $local, $domainname) = $tmp;
 
   $result = db_query("SELECT id FROM mail.v_vmail_accounts WHERE local='{$local}' AND domainname='{$domainname}' LIMIT 1");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     system_failure("Der Account konnte nicht gefunden werden");
-  $tmp = mysql_fetch_array($result);
+  $tmp = $result->fetch();
   return $tmp[0];
 }
 
@@ -152,7 +152,7 @@ function find_account_id($accname)
 function change_vmail_password($accname, $newpass)
 {
   $accid = find_account_id($accname);
-  $encpw = mysql_real_escape_string(encrypt_mail_password($newpass));
+  $encpw = db_escape_string(encrypt_mail_password($newpass));
   db_query("UPDATE mail.vmail_accounts SET password='{$encpw}' WHERE id={$accid} LIMIT 1;");
 }
 
@@ -177,7 +177,7 @@ function get_max_mailboxquota($server, $oldquota) {
   $uid = (int) $_SESSION['userinfo']['uid'];
   $server = (int) $server;
   $result = db_query("SELECT systemquota - (COALESCE(systemquota_used,0) + COALESCE(mailquota,0)) AS free FROM system.v_quota WHERE uid='{$uid}' AND server='{$server}'");
-  $item = mysql_fetch_assoc($result);
+  $item = $result->fetch();
   DEBUG("Free space: ".$item['free']." / Really: ".($item['free'] + ($oldquota - config('vmail_basequota'))));
   return $item['free'] + ($oldquota - config('vmail_basequota'));
 }
@@ -313,8 +313,8 @@ function save_vmail_account($account)
     $account['quota_threshold'] = min( (int) $account['quota_threshold'], (int) $account['quota'] );
   }
   
-  $account['local'] = mysql_real_escape_string(strtolower($account['local']));
-  $account['password'] = mysql_real_escape_string($account['password']);
+  $account['local'] = db_escape_string(strtolower($account['local']));
+  $account['password'] = db_escape_string($account['password']);
   $account['spamexpire'] = (int) $account['spamexpire'];
 
   $query = '';
@@ -341,14 +341,14 @@ function save_vmail_account($account)
     $ar = $account['autoresponder'];
     $valid_from = maybe_null($ar['valid_from']);
     $valid_until = maybe_null($ar['valid_until']);
-    $fromname = maybe_null( mysql_real_escape_string($ar['fromname']) );
+    $fromname = maybe_null( db_escape_string($ar['fromname']) );
     $fromaddr = NULL;
     if ($ar['fromaddr']) {
-      $fromaddr = mysql_real_escape_string(check_emailaddr($ar['fromaddr']));
+      $fromaddr = db_escape_string(check_emailaddr($ar['fromaddr']));
     }
     $fromaddr = maybe_null( $fromaddr );
-    $subject = maybe_null( mysql_real_escape_string($ar['subject']));
-    $message = mysql_real_escape_string($ar['message']);
+    $subject = maybe_null( db_escape_string($ar['subject']));
+    $message = db_escape_string($ar['message']);
     $quote = "'inline'";
     if ($ar['quote'] == 'attach')
       $quote = "'attach'";
@@ -417,7 +417,7 @@ Wussten Sie schon, dass Sie auf mehrere Arten Ihre E-Mails abrufen können?
   if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
     $uid = (int) $_SESSION['userinfo']['uid'];
     $result = db_query("SELECT useraccount, server, SUM(quota-(SELECT value FROM misc.config WHERE `key`='vmail_basequota')) AS quota, SUM(GREATEST(quota_used-(SELECT value FROM misc.config WHERE `key`='vmail_basequota'), 0)) AS used FROM mail.v_vmail_accounts WHERE useraccount=".$uid." GROUP BY useraccount, server");
-    while ($line = mysql_fetch_assoc($result)) {
+    while ($line = $result->fetch()) {
       if ($line['quota'] !== NULL) {
         db_query("REPLACE INTO mail.vmailquota (uid, server, quota, used) VALUES ('{$line['useraccount']}', '{$line['server']}', '{$line['quota']}', '{$line['used']}')");
       }
@@ -447,7 +447,7 @@ function domainsettings($only_domain=NULL) {
   // Domains
   $result = db_query("SELECT d.id, CONCAT_WS('.',d.domainname,d.tld) AS name, d.mail, d.mailserver_lock, m.id AS m_id, v.id AS v_id FROM kundendaten.domains AS d LEFT JOIN mail.virtual_mail_domains AS v ON (d.id=v.domain AND v.hostname IS NULL) LEFT JOIN mail.custom_mappings AS m ON (d.id=m.domain AND m.subdomain IS NULL) WHERE d.useraccount={$uid} OR m.uid={$uid} ORDER BY CONCAT_WS('.',d.domainname,d.tld);");
 
-  while ($mydom = mysql_fetch_assoc($result)) {
+  while ($mydom = $result->fetch()) {
     if (! array_key_exists($mydom['id'], $domains)) {
       if ($mydom['v_id'])
         $mydom['mail'] = 'virtual';
@@ -463,7 +463,7 @@ function domainsettings($only_domain=NULL) {
 
   // Subdomains
   $result = db_query("SELECT d.id, CONCAT_WS('.',d.domainname,d.tld) AS name, d.mail, m.id AS m_id, v.id AS v_id, IF(ISNULL(v.hostname),m.subdomain,v.hostname) AS hostname FROM kundendaten.domains AS d LEFT JOIN mail.virtual_mail_domains AS v ON (d.id=v.domain AND v.hostname IS NOT NULL) LEFT JOIN mail.custom_mappings AS m ON (d.id=m.domain AND m.subdomain IS NOT NULL) WHERE (m.id IS NOT NULL OR v.id IS NOT NULL) AND d.useraccount={$uid} OR m.uid={$uid};");
-  while ($mydom = mysql_fetch_assoc($result)) {
+  while ($mydom = $result->fetch()) {
     if (! array_key_exists($mydom['id'], $subdomains))
       $subdomains[$mydom['id']] = array();
         
@@ -483,14 +483,14 @@ function domain_has_vmail_accounts($domid)
 {
   $domid = (int) $domid;
   $result = db_query("SELECT dom.id FROM mail.vmail_accounts AS acc LEFT JOIN mail.virtual_mail_domains AS dom ON (dom.id=acc.domain) WHERE dom.domain={$domid}");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 
 function change_domain($id, $type)
 {
   $id = (int) $id;
-  $type = mysql_real_escape_string($type);
+  $type = db_escape_string($type);
   if (domain_has_vmail_accounts($id))
     system_failure("Sie müssen zuerst alle E-Mail-Konten mit dieser Domain löschen, bevor Sie die Webinterface-Verwaltung für diese Domain abschalten können.");
   

modules/ftpusers/include/ftpusers.php

Zeige Datei @ f1f231f

@@ -21,7 +21,7 @@ function list_ftpusers()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id, username, homedir, active, forcessl FROM system.ftpusers WHERE uid=$uid");
   $ftpusers = array();
-  while ($u = mysql_fetch_assoc($result)) {
+  while ($u = $result->fetch()) {
     $ftpusers[] = $u;
   }
   return $ftpusers;
@@ -40,9 +40,9 @@ function load_ftpuser($id)
   $uid = (int) $_SESSION['userinfo']['uid'];
   $id = (int) $id;
   $result = db_query("SELECT id, username, password, homedir, active, forcessl, server FROM system.ftpusers WHERE uid={$uid} AND id='{$id}' LIMIT 1");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure("Fehler beim auslesen des Accounts");
-  $account = mysql_fetch_assoc($result);
+  $account = $result->fetch();
   DEBUG($account);
   return $account;
 }
@@ -117,11 +117,11 @@ function delete_ftpuser($id)
 
 function get_gid($groupname)
 {
-  $groupname = mysql_real_escape_string($groupname);
+  $groupname = db_escape_string($groupname);
   $result = db_query("SELECT gid FROM system.gruppen WHERE name='{$groupname}' LIMIT 1");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure('cannot determine gid of ftpusers group');
-  $a = mysql_fetch_assoc($result);
+  $a = $result->fetch();
   $gid = (int) $a['gid'];
   if ($gid == 0)
     system_failure('error on determining gid of ftpusers group');
@@ -134,7 +134,7 @@ function have_regular_ftp()
   $gid = get_gid('ftpusers');
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT * FROM system.gruppenzugehoerigkeit WHERE gid='$gid' AND uid='$uid'");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 

modules/greylisting/include/greylisting.php

Zeige Datei @ f1f231f

@@ -19,7 +19,7 @@ function whitelist_entries()
 	$uid = (int) $_SESSION['userinfo']['uid'];
 	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid};");
 	$return = array();
-	while ($line = mysql_fetch_assoc($res))
+	while ($line = $res->fetch())
 		array_push($return, $line);
 	return $return;
 }
@@ -30,9 +30,9 @@ function get_whitelist_details($id)
 	$id = (int) $id;
 	$uid = (int) $_SESSION['userinfo']['uid'];
 	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid} AND id={$id};");
-	if (mysql_num_rows($res) != 1)
+	if ($res->rowCount() != 1)
 		system_failure('Kann diesen Eintrag nicht finden');
-	return mysql_fetch_assoc($res);
+	return $res->fetch();
 }
 
 
@@ -55,9 +55,9 @@ function valid_entry($local, $domain)
 			system_failure('Diese E-Mail-Adresse gehört Ihnen nicht!');
 		return true;
 	}
-	$d = mysql_real_escape_string($domain);
+	$d = db_escape_string($domain);
 	$res = db_query("SELECT id FROM mail.v_domains WHERE domainname='{$d}' AND user={$_SESSION['userinfo']['uid']} LIMIT 1");
-	if (mysql_num_rows($res) != 1)
+	if ($res->rowCount() != 1)
 		system_failure('Diese domain gehört Ihnen nicht!');
 	return true;
 }
@@ -68,7 +68,7 @@ function new_whitelist_entry($local, $domain, $minutes)
 	valid_entry($local, $domain);
 	$uid = (int) $_SESSION['userinfo']['uid'];
 	$local = maybe_null($local);
-	$domain = mysql_real_escape_string($domain);
+	$domain = db_escape_string($domain);
 	
 	$expire = '';
 	if ($minutes == 'none')

modules/index/include/newpass.php

Zeige Datei @ f1f231f

@@ -14,15 +14,14 @@ http://creativecommons.org/publicdomain/zero/1.0/
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
-require_once('inc/db_connect.php');
 require_once('session/checkuser.php');
 
 function user_customer_match($cust, $user)
 {
   $customerno = (int) $cust;
-  $username = mysql_real_escape_string($user);
+  $username = db_escape_string($user);
   $result = db_query("SELECT uid FROM system.useraccounts WHERE kunde={$customerno} AND username='{$username}' AND kundenaccount=1;");
-  if (mysql_num_rows($result) > 0)
+  if ($result->rowCount() > 0)
     return true;
   return false;
 }
@@ -32,9 +31,9 @@ function user_customer_match($cust, $user)
 function customer_has_email($customerno, $email)
 {
   $customerno = (int) $customerno;
-  $email = mysql_real_escape_string($email);
+  $email = db_escape_string($email);
   $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=".$customerno." AND (email='{$email}' OR email_extern='{$email}' OR email_rechnung='{$email}');");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 
@@ -42,21 +41,21 @@ function validate_token($customerno, $token)
 {
   expire_tokens();
   $customerno = (int) $customerno;
-  $token = mysql_real_escape_string($token);
+  $token = db_escape_string($token);
   $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id={$customerno} AND token='{$token}';");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 
 function get_uid_for_token($token) 
 {
   expire_tokens();
-  $token = mysql_real_escape_string($token);
+  $token = db_escape_string($token);
   $result = db_query("SELECT uid FROM system.usertoken WHERE token='{$token}';");
-  if (mysql_num_rows($result) == 0) {
+  if ($result->rowCount() == 0) {
     return NULL;
   }
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   return $data['uid'];  
 }
 
@@ -64,10 +63,10 @@ function get_username_for_uid($uid)
 {
   $uid = (int) $uid;
   $result = db_query("SELECT username FROM system.useraccounts WHERE uid={$uid}");
-  if (mysql_num_rows($result) != 1) {
+  if ($result->rowCount() != 1) {
     system_failure("Unexpected number of users with this uid (!= 1)!");
   }
-  $item = mysql_fetch_assoc($result);
+  $item = $result->fetch();
   return $item['username'];
 }
 
@@ -75,9 +74,9 @@ function validate_uid_token($uid, $token)
 {
   expire_tokens();
   $uid = (int) $uid;
-  $token = mysql_real_escape_string($token);
+  $token = db_escape_string($token);
   $result = db_query("SELECT NULL FROM system.usertoken WHERE uid={$uid} AND token='{$token}';");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 
@@ -102,13 +101,13 @@ function invalidate_systemuser_token($uid)
  
 function create_token($username)
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   expire_tokens();
   $result = db_query("SELECT uid FROM system.useraccounts WHERE username='{$username}'");
-  $uid = (int) mysql_fetch_assoc($result)['uid'];
+  $uid = (int) $result->fetch()['uid'];
   
   $result = db_query("SELECT created FROM system.usertoken WHERE uid={$uid}");
-  if (mysql_num_rows($result) > 0) {
+  if ($result->rowCount() > 0) {
     system_failure("Für Ihr Benutzerkonto ist bereits eine Passwort-Erinnerung versendet worden. Bitte wenden Sie sich an den Support wenn Sie diese nicht erhalten haben.");
   }
   
@@ -120,9 +119,9 @@ function create_token($username)
 
 function emailaddress_for_user($username)
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   return $data['email'];
 }
 
@@ -132,17 +131,17 @@ function get_customer_token($customerno)
   $customerno = (int) $customerno;
   expire_tokens();
   $result = db_query("SELECT token FROM kundendaten.kunden WHERE id={$customerno} AND token IS NOT NULL;");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
     system_failure("Kann das Token nicht auslesen!");
-  return mysql_fetch_object($result)->token;
+  return $result->fetch(PDO::FETCH_OBJ)->token;
 }
 
 
 function get_user_token($username) 
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username='{$username}'");
-  $tmp = mysql_fetch_assoc($result);
+  $tmp = $result->fetch();
   return $tmp['token'];
 }
 

modules/index/include/x509.php

Zeige Datei @ f1f231f

@@ -35,14 +35,14 @@ function do_ajax_cert_login() {
 
 function get_logins_by_cert($cert) 
 {
-	$cert = mysql_real_escape_string(str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert));
+	$cert = db_escape_string(str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert));
 	$query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
 	$result = db_query($query);
-	if (mysql_num_rows($result) < 1)
+	if ($result->rowCount() < 1)
 		return NULL;
 	else {
 		$ret = array();
-		while ($row = mysql_fetch_assoc($result)) {
+		while ($row = $result->fetch()) {
 			$ret[] = $row;
 		}
 		return $ret;
@@ -56,9 +56,9 @@ function get_cert_by_id($id)
 	  system_failure('no ID');
 	$query = "SELECT id,dn,issuer,cert,username,startpage FROM system.clientcert WHERE `id`='{$id}' LIMIT 1";
 	$result = db_query($query);
-	if (mysql_num_rows($result) < 1)
+	if ($result->rowCount() < 1)
 		return NULL;
-	$ret = mysql_fetch_assoc($result);
+	$ret = $result->fetch();
   DEBUG($ret);
   return $ret;
 }
@@ -66,14 +66,14 @@ function get_cert_by_id($id)
 
 function get_certs_by_username($username) 
 {
-	$username = mysql_real_escape_string($username);
+	$username = db_escape_string($username);
 	if ($username == '')
 	  system_failure('empty username');
 	$query = "SELECT id,dn,issuer,cert,startpage FROM system.clientcert WHERE `username`='{$username}'";
 	$result = db_query($query);
-	if (mysql_num_rows($result) < 1)
+	if ($result->rowCount() < 1)
 		return NULL;
-	while ($row = mysql_fetch_assoc($result)) {
+	while ($row = $result->fetch()) {
 	  $ret[] = $row;
 	}
 	return $ret;
@@ -86,24 +86,24 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='')
   $username = NULL;
   if ($_SESSION['role'] & ROLE_SYSTEMUSER) {
     $type = 'user';
-    $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
+    $username = db_escape_string($_SESSION['userinfo']['username']);
     if (isset($_SESSION['subuser'])) {
-      $username = mysql_real_escape_string($_SESSION['subuser']);
+      $username = db_escape_string($_SESSION['subuser']);
       $type = 'subuser';
     }
   } elseif ($_SESSION['role'] & ROLE_VMAIL_ACCOUNT) {
     $type = 'email';
-    $username = mysql_real_escape_string($_SESSION['mailaccount']);
+    $username = db_escape_string($_SESSION['mailaccount']);
   }
   if (! $type || ! $username) {
     system_failure('cannot get type or username of login');
   }
-  $certdata = mysql_real_escape_string($certdata);
-  $dn = maybe_null(mysql_real_escape_string($dn));
-  $issuer = maybe_null(mysql_real_escape_string($issuer));
+  $certdata = db_escape_string($certdata);
+  $dn = maybe_null(db_escape_string($dn));
+  $issuer = maybe_null(db_escape_string($issuer));
   if ($startpage &&  ! check_path($startpage))
     system_failure('Startseite kaputt');
-  $startpage = maybe_null(mysql_real_escape_string($startpage));
+  $startpage = maybe_null(db_escape_string($startpage));
 
   if ($certdata == '')
     system_failure('Kein Zertifikat');
@@ -124,14 +124,14 @@ function delete_clientcert($id)
   $username = NULL;
   if ($_SESSION['role'] & ROLE_SYSTEMUSER) {
     $type = 'user';
-    $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
+    $username = db_escape_string($_SESSION['userinfo']['username']);
     if (isset($_SESSION['subuser'])) {
-      $username = mysql_real_escape_string($_SESSION['subuser']);
+      $username = db_escape_string($_SESSION['subuser']);
       $type = 'subuser';
     }
   } elseif ($_SESSION['role'] & ROLE_VMAIL_ACCOUNT) {
     $type = 'email';
-    $username = mysql_real_escape_string($_SESSION['mailaccount']);
+    $username = db_escape_string($_SESSION['mailaccount']);
   }
   if (! $type || ! $username) {
     system_failure('cannot get type or username of login');

modules/invoice/include/invoice.php

Zeige Datei @ f1f231f

@@ -25,7 +25,7 @@ function my_invoices()
   $c = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT id,datum,betrag,bezahlt,abbuchung,sepamandat FROM kundendaten.ausgestellte_rechnungen WHERE kunde={$c} ORDER BY id DESC");
   $ret = array();
-  while($line = mysql_fetch_assoc($result))
+  while($line = $result->fetch())
   	array_push($ret, $line);
   return $ret;
 }
@@ -36,9 +36,9 @@ function get_pdf($id)
   $c = (int) $_SESSION['customerinfo']['customerno'];
   $id = (int) $id;
   $result = db_query("SELECT pdfdata FROM kundendaten.ausgestellte_rechnungen WHERE kunde={$c} AND id={$id}");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
 	  system_failure('Ungültige Rechnungsnummer oder nicht eingeloggt');
-  return mysql_fetch_object($result)->pdfdata;
+  return $result->fetch(PDO::FETCH_OBJ)->pdfdata;
 
 }
 
@@ -48,9 +48,9 @@ function invoice_details($id)
   $c = (int) $_SESSION['customerinfo']['customerno'];
   $id = (int) $id;
   $result = db_query("SELECT kunde,datum,betrag,bezahlt,abbuchung FROM kundendaten.ausgestellte_rechnungen WHERE kunde={$c} AND id={$id}");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
   	system_failure('Ungültige Rechnungsnummer oder nicht eingeloggt');
-  return mysql_fetch_assoc($result);
+  return $result->fetch();
 }
 
 function invoice_items($id)
@@ -58,10 +58,10 @@ function invoice_items($id)
   $c = (int) $_SESSION['customerinfo']['customerno'];
   $id = (int) $id;
   $result = db_query("SELECT id, beschreibung, datum, enddatum, betrag, einheit, brutto, mwst, anzahl FROM kundendaten.rechnungsposten WHERE rechnungsnummer={$id} AND kunde={$c}");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
   	system_failure('Ungültige Rechnungsnummer oder nicht eingeloggt');
   $ret = array();
-  while($line = mysql_fetch_assoc($result))
+  while($line = $result->fetch())
   array_push($ret, $line);
   return $ret;
 }
@@ -72,7 +72,7 @@ function upcoming_items()
   $c = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT anzahl, beschreibung, startdatum, enddatum, betrag, einheit, brutto, mwst FROM kundendaten.upcoming_items WHERE kunde={$c} ORDER BY startdatum ASC");
   $ret = array();
-  while($line = mysql_fetch_assoc($result))
+  while($line = $result->fetch())
 	  array_push($ret, $line);
   return $ret;
 }
@@ -166,19 +166,19 @@ function generate_bezahlcode_image($id)
 function get_lastschrift($rechnungsnummer) {
   $rechnungsnummer = (int) $rechnungsnummer;
   $result = db_query("SELECT rechnungsnummer, rechnungsdatum, sl.betrag, buchungsdatum FROM kundendaten.sepalastschrift sl LEFT JOIN kundendaten.ausgestellte_rechnungen re ON (re.id=sl.rechnungsnummer) WHERE rechnungsnummer='${rechnungsnummer}' AND re.abbuchung=1");
-  if (mysql_num_rows($result) == 0) {
+  if ($result->rowCount() == 0) {
     return NULL;
   }
-  $item = mysql_fetch_assoc($result);
+  $item = $result->fetch();
   return $item;
 }
 
 function get_lastschriften($mandatsreferenz)
 {
-  $mandatsreferenz = mysql_real_escape_string($mandatsreferenz);
+  $mandatsreferenz = db_escape_string($mandatsreferenz);
   $result = db_query("SELECT rechnungsnummer, rechnungsdatum, betrag, buchungsdatum FROM kundendaten.sepalastschrift WHERE mandatsreferenz='${mandatsreferenz}' ORDER BY buchungsdatum DESC");
   $ret = array();
-  while ($item = mysql_fetch_assoc($result)) {
+  while ($item = $result->fetch()) {
     $ret[] = $item;
   }
   return $ret;
@@ -189,7 +189,7 @@ function get_sepamandate()
   $cid = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT id, mandatsreferenz, glaeubiger_id, erteilt, medium, gueltig_ab, gueltig_bis, erstlastschrift, kontoinhaber, adresse, iban, bic, bankname FROM kundendaten.sepamandat WHERE kunde={$cid}");
   $ret = array();
-  while ($entry = mysql_fetch_assoc($result)) {
+  while ($entry = $result->fetch()) {
     array_push($ret, $entry);
   }
   return $ret;
@@ -198,9 +198,9 @@ function get_sepamandate()
 
 function yesterday($date) 
 {
-  $date = mysql_real_escape_string($date);
+  $date = db_escape_string($date);
   $result = db_query("SELECT '{$date}' - INTERVAL 1 DAY");
-  return mysql_fetch_array($result)[0];
+  return $result->fetch()[0];
 }
 
 
@@ -208,7 +208,7 @@ function invalidate_sepamandat($id, $date)
 {
   $cid = (int) $_SESSION['customerinfo']['customerno'];
   $id = (int) $id;
-  $date = mysql_real_escape_string($date);
+  $date = db_escape_string($date);
   db_query("UPDATE kundendaten.sepamandat SET gueltig_bis='{$date}' WHERE id={$id} AND kunde={$cid}");
 }
 
@@ -216,12 +216,12 @@ function invalidate_sepamandat($id, $date)
 function sepamandat($name, $adresse, $iban, $bankname, $bic, $gueltig_ab)
 {
   $cid = (int) $_SESSION['customerinfo']['customerno'];
-  $name = mysql_real_escape_string($name);
-  $adresse = mysql_real_escape_string($adresse);
-  $iban = mysql_real_escape_string($iban);
-  $bankname = mysql_real_escape_string($bankname);
-  $bic = mysql_real_escape_string($bic);
-  $gueltig_ab = mysql_real_escape_string($gueltig_ab);
+  $name = db_escape_string($name);
+  $adresse = db_escape_string($adresse);
+  $iban = db_escape_string($iban);
+  $bankname = db_escape_string($bankname);
+  $bic = db_escape_string($bic);
+  $gueltig_ab = db_escape_string($gueltig_ab);
 
   $first_date = date('Y-m-d');
   $invoices = my_invoices();

modules/invoice/sepamandat_copydata.php

Zeige Datei @ f1f231f

@@ -22,7 +22,7 @@ require_once('invoice.php');
 $kundenname = $_SESSION['customerinfo']['name'];
 $id = (int) $_SESSION['customerinfo']['customerno'];
 $result = db_query("SELECT CONCAT(adresse, '\\\\n', plz, ' ', ort) AS adresse FROM kundendaten.kunden WHERE id={$id}");
-$r = mysql_fetch_assoc($result);
+$r = $result->fetch();
 
 header("Content-Type: text/javascript");
 echo ' { "kundenname": "'.$kundenname.'", "adresse": "'.$r["adresse"].'" } ';

modules/jabber/include/jabberaccounts.php

Zeige Datei @ f1f231f

@@ -15,7 +15,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 */
 
 require_once("inc/debug.php");
-require_once("inc/db_connect.php");
 require_once("inc/security.php");
 
 require_once('class/domain.php');
@@ -25,8 +24,8 @@ function get_jabber_accounts() {
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT id, `create`, created, lastactivity, local, domain FROM jabber.accounts WHERE customerno='$customerno' AND `delete`=0;");
   $accounts = array();
-  if (@mysql_num_rows($result) > 0)
-    while ($acc = @mysql_fetch_assoc($result))
+  if (@$result->rowCount() > 0)
+    while ($acc = @$result->fetch())
       array_push($accounts, $acc);
   return $accounts;
 }
@@ -41,9 +40,9 @@ function get_jabberaccount_details($id)
   $id = (int) $id;
 
   $result = db_query("SELECT id, local, domain FROM jabber.accounts WHERE customerno={$customerno} AND id={$id} LIMIT 1");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure("Invalid account");
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   if ($data['domain'] == NULL)
     $data['domain'] = config('masterdomain');
   else
@@ -72,19 +71,19 @@ function create_jabber_account($local, $domain, $password)
   require_role(ROLE_CUSTOMER);
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
 
-  $local = mysql_real_escape_string( filter_input_username($local) );
+  $local = db_escape_string( filter_input_username($local) );
   $domain = (int) $domain;
   if (! valid_jabber_password($password))
   {
     input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
     return;
   }
-  $password = mysql_real_escape_string( $password );
+  $password = db_escape_string( $password );
   
   if ($domain > 0)
   {
     $result = db_query("SELECT id FROM kundendaten.domains WHERE kunde={$customerno} AND jabber=1 AND id={$domain};");
-    if (mysql_num_rows($result) == 0)
+    if ($result->rowCount() == 0)
     {
       logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create account for invalid domain »{$domain}«");
       system_failure("Invalid domain!");
@@ -98,7 +97,7 @@ function create_jabber_account($local, $domain, $password)
     $domainquery = 'domain IS NULL'; 
   }
   $result = db_query("SELECT id FROM jabber.accounts WHERE local='{$local}' AND {$domainquery}");
-  if (mysql_num_rows($result) > 0)
+  if ($result->rowCount() > 0)
   {
     logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create already existing account »{$local}@{$domain}«");
     system_failure("Diesen Account gibt es bereits!");
@@ -120,7 +119,7 @@ function change_jabber_password($id, $password)
     input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
     return;
   }
-  $password = mysql_real_escape_string( $password );
+  $password = db_escape_string( $password );
   
   db_query("UPDATE jabber.accounts SET password='{$password}' WHERE customerno={$customerno} AND id={$id} LIMIT 1");
   logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "changed password for account  »{$id}«");

modules/mailman/include/mailman.php

Zeige Datei @ f1f231f

@@ -24,7 +24,7 @@ function get_lists()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid};");
   $ret = array();
-  while ($list = mysql_fetch_assoc($result))
+  while ($list = $result->fetch())
     $ret[] = $list;
   DEBUG($ret);
   return $ret;
@@ -36,9 +36,9 @@ function get_list($id)
   $id = (int) $id;
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid} AND id={$id};");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
     system_failure('Die gewünschte Mailingliste konnte nicht gefunden werden');
-  $list = mysql_fetch_assoc($result);
+  $list = $result->fetch();
   DEBUG($list);
 
   return $list;
@@ -61,13 +61,13 @@ function create_list($listname, $maildomain, $admin)
   verify_input_general($admin);
   if (! check_emailaddr($admin))
     system_failure('Der Verwalter muss eine gültige E-Mail-Adresse sein ('.$admin.').');
-  $admin = mysql_real_escape_string($admin);
+  $admin = db_escape_string($admin);
   $result = db_query("SELECT id FROM mail.mailman_lists WHERE listname='{$listname}'");
-  if (mysql_num_rows($result) > 0)
+  if ($result->rowCount() > 0)
     system_failure('Eine Liste mit diesem Namen existiert bereits (unter dieser oder einer anderen Domain). Jeder Listenname kann nur einmal verwendet werden.');
 
   db_query("INSERT INTO mail.mailman_lists (status, listname, maildomain, owner, admin) VALUES ('pending', '{$listname}', {$maildomain}, {$owner}, '{$admin}');");
-  DEBUG('Neue ID: '.mysql_insert_id());
+  DEBUG('Neue ID: '.db_insert_id());
 }
 
 
@@ -76,7 +76,7 @@ function get_mailman_domains()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT md.id, md.fqdn FROM mail.v_mailman_domains AS md left join mail.v_domains AS d on (d.id=md.domain) where d.user={$uid}");
   $ret = array();
-  while ($dom = mysql_fetch_assoc($result))
+  while ($dom = $result->fetch())
     $ret[] = $dom;
   DEBUG($ret);
   return $ret;

modules/mysql/include/mysql.php

Zeige Datei @ f1f231f

@@ -18,10 +18,10 @@ function get_mysql_accounts($UID)
 {
   $UID = (int) $UID;
   $result = db_query("SELECT id, username, description, created FROM misc.mysql_accounts WHERE useraccount=$UID ORDER BY username");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     return array();
   $list = array();
-  while ($item = mysql_fetch_assoc($result))
+  while ($item = $result->fetch())
   {
     $list[] = $item;
   }
@@ -32,10 +32,10 @@ function get_mysql_databases($UID)
 {
   $UID = (int) $UID;
   $result = db_query("SELECT id, name, description, created FROM misc.mysql_database WHERE useraccount=$UID ORDER BY name");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     return array();
   $list = array();
-  while ($item = mysql_fetch_assoc($result))
+  while ($item = $result->fetch())
   {
     $list[] = $item;
   }
@@ -80,7 +80,7 @@ function servers_for_databases()
   
   $result = db_query("SELECT db.name AS db, hostname FROM misc.mysql_database AS db LEFT JOIN system.useraccounts AS u ON (db.useraccount=u.uid) LEFT JOIN system.servers ON (COALESCE(db.server, u.server) = servers.id) WHERE db.useraccount={$uid}");
   $ret = array();
-  while ($line = mysql_fetch_assoc($result)) {
+  while ($line = $result->fetch()) {
     $ret[$line['db']] = $line['hostname'];
   }
   DEBUG($ret);
@@ -96,9 +96,9 @@ function get_mysql_access($db, $account)
   {
     $mysql_access = array();
     $result = db_query("SELECT db.name AS db, acc.username AS user FROM misc.mysql_access AS access LEFT JOIN misc.mysql_database AS db ON (db.id=access.database) LEFT JOIN misc.mysql_accounts AS acc ON (acc.id = access.user) WHERE acc.useraccount={$uid} OR db.useraccount={$uid};");
-    if (mysql_num_rows($result) == 0)
+    if ($result->rowCount() == 0)
       return false;
-    while ($line = mysql_fetch_object($result))
+    while ($line = $result->fetch(PDO::FETCH_OBJ))
       $mysql_access[$line->db][$line->user] = true;
   }
   return (array_key_exists($db, $mysql_access) && array_key_exists($account, $mysql_access[$db]));
@@ -108,8 +108,8 @@ function get_mysql_access($db, $account)
 function set_mysql_access($db, $account, $status)
 {
   $uid = $_SESSION['userinfo']['uid'];
-  $db = mysql_real_escape_string($db);
-  $account = mysql_real_escape_string($account);
+  $db = db_escape_string($db);
+  $account = db_escape_string($account);
   DEBUG("User »{$account}« soll ".($status ? "" : "NICHT ")."auf die Datenbank »{$db}« zugreifen");
   $query = '';
   if ($status)
@@ -117,13 +117,13 @@ function set_mysql_access($db, $account, $status)
     if (get_mysql_access($db, $account))
       return NULL;
     $result = db_query("SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1");
-    if (mysql_num_rows($result) != 1)
+    if ($result->rowCount() != 1)
     {
       logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find database {$db}");
       system_failure("cannot find database »{$db}«");
     }
     $result = db_query("SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid} LIMIT 1");
-    if (mysql_num_rows($result) != 1)
+    if ($result->rowCount() != 1)
     {
       logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find user {$account}");
       system_failure("cannot find database user »{$account}«");
@@ -151,7 +151,7 @@ function create_mysql_account($username, $description = '')
     return NULL;
   }
   $uid = $_SESSION['userinfo']['uid'];
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $description = maybe_null($description);
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "creating user »{$username}«");
   db_query("INSERT INTO misc.mysql_accounts (username, password, useraccount, description) VALUES ('$username', '!', $uid, $description);");
@@ -160,7 +160,7 @@ function create_mysql_account($username, $description = '')
 
 function delete_mysql_account($username)
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $uid = $_SESSION['userinfo']['uid'];
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "deleting user »{$username}«");
   db_query("DELETE FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
@@ -175,7 +175,7 @@ function create_mysql_database($dbname, $description = '', $server = NULL)
     input_error("Der eingegebene Datenbankname entspricht leider nicht der Konvention. Bitte tragen Sie einen passenden Namen ein.");
     return NULL;
   }
-  $dbname = mysql_real_escape_string($dbname);
+  $dbname = db_escape_string($dbname);
   $uid = $_SESSION['userinfo']['uid'];
   $description = maybe_null($description); 
   $server = (int) $server;
@@ -189,7 +189,7 @@ function create_mysql_database($dbname, $description = '', $server = NULL)
 
 function delete_mysql_database($dbname)
 {
-  $dbname = mysql_real_escape_string($dbname);
+  $dbname = db_escape_string($dbname);
   $uid = $_SESSION['userinfo']['uid'];
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "removing database »{$dbname}«");
   db_query("DELETE FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
@@ -212,8 +212,8 @@ function validate_mysql_username($username)
 
 function set_mysql_password($username, $password)
 {
-  $username = mysql_real_escape_string($username);
-  $password = mysql_real_escape_string($password);
+  $username = db_escape_string($username);
+  $password = db_escape_string($password);
   $uid = $_SESSION['userinfo']['uid'];
   logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "updating password for »{$username}«");
   db_query("UPDATE misc.mysql_accounts SET password=PASSWORD('$password') WHERE username='$username' AND useraccount=$uid;");
@@ -223,18 +223,18 @@ function set_mysql_password($username, $password)
 function has_mysql_database($dbname)
 {
   $uid = $_SESSION['userinfo']['uid'];
-  $dbname = mysql_real_escape_string($dbname);
+  $dbname = db_escape_string($dbname);
   $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
-  return (mysql_num_rows($result) == 1);
+  return ($result->rowCount() == 1);
 }
 
 
 function has_mysql_user($username)
 {
   $uid = $_SESSION['userinfo']['uid'];
-  $userame = mysql_real_escape_string($username);
+  $userame = db_escape_string($username);
   $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
-  return (mysql_num_rows($result) == 1);
+  return ($result->rowCount() == 1);
 }
 
 

modules/newsletter/includes/newsletter.php

Zeige Datei @ f1f231f

@@ -16,14 +16,14 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 
 function set_newsletter_address($address) {
   $cid = $_SESSION['customerinfo']['customerno'];
-  $address = maybe_null(mysql_real_escape_string($address));
+  $address = maybe_null(db_escape_string($address));
   db_query("UPDATE kundendaten.kunden SET email_newsletter={$address} WHERE id={$cid}");
 }
 
 function get_newsletter_address() {
   $cid = $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT email_newsletter FROM kundendaten.kunden WHERE id={$cid}");
-  $r = mysql_fetch_assoc($result);
+  $r = $result->fetch();
   return $r['email_newsletter'];
 }
 
@@ -32,7 +32,7 @@ function get_latest_news() {
   $today = strftime('%Y-%m-%d');
   $result = db_query("SELECT id, date, subject, content FROM misc.news WHERE date > '{$today}' - INTERVAL 1 YEAR ORDER BY date DESC");
   $ret = array();
-  while ($item = mysql_fetch_assoc($result)) {
+  while ($item = $result->fetch()) {
     $ret[] = $item;
   }
   DEBUG($ret);
@@ -43,7 +43,7 @@ function get_latest_news() {
 function get_news_item($id) {
   $id = (int) $id;
   $result = db_query("SELECT date, subject, content FROM misc.news WHERE id={$id}");
-  $ret = mysql_fetch_assoc($result);
+  $ret = $result->fetch();
   DEBUG($ret);
   return $ret;
 }

modules/register/include/newpass.php

Zeige Datei @ f1f231f

@@ -14,15 +14,14 @@ http://creativecommons.org/publicdomain/zero/1.0/
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
-require_once('inc/db_connect.php');
 require_once('session/checkuser.php');
 
 function customer_has_email($customerno, $email)
 {
   $customerno = (int) $customerno;
-  $email = mysql_real_escape_string($email);
+  $email = db_escape_string($email);
   $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=".$customerno." AND (email='".$email."' OR email_extern='{$email}' OR email_rechnung='{$email'}');");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 
@@ -30,9 +29,9 @@ function validate_token($customerno, $token)
 {
   expire_tokens();
   $customerno = (int) $customerno;
-  $token = mysql_real_escape_string($token);
+  $token = db_escape_string($token);
   $result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id={$customerno} AND token='{$token}';");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 
@@ -53,9 +52,9 @@ function create_token($customerno)
   $customerno = (int) $customerno;
   expire_tokens();
   $result = db_query("SELECT token_create FROM kundendaten.kunden WHERE id={$customerno} AND token_create IS NOT NULL;");
-  if (mysql_num_rows($result) > 0)
+  if ($result->rowCount() > 0)
   {
-    $res = mysql_fetch_object($result)->token_create;
+    $res = $result->fetch(PDO::FETCH_OBJ)->token_create;
     input_error("Sie haben diese Funktion kürzlich erst benutzt, an Ihre E-Mail-Adresse wurde bereits am {$res} eine Nachricht verschickt. Sie können diese Funktion erst nach Ablauf von 24 Stunden erneut benutzen.");
     return false;
   }
@@ -70,9 +69,9 @@ function get_customer_token($customerno)
   $customerno = (int) $customerno;
   expire_tokens();
   $result = db_query("SELECT token FROM kundendaten.kunden WHERE id={$customerno} AND token IS NOT NULL;");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
     system_failure("Kann das Token nicht auslesen!");
-  return mysql_fetch_object($result)->token;
+  return $result->fetch(PDO::FETCH_OBJ)->token;
 }
 
 

modules/register/include/register.php

Zeige Datei @ f1f231f

@@ -14,17 +14,16 @@ http://creativecommons.org/publicdomain/zero/1.0/
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
 */
 
-require_once('inc/db_connect.php');
 require_once('mail.php');
 
 function customer_with_email($email)
 {
-  $email = mysql_real_escape_string($email);
+  $email = db_escape_string($email);
   $result = db_query("SELECT id FROM kundendaten.kunden WHERE email='{$email}' OR email_rechnung='{$email}' OR email_extern='{$email}' LIMIT 1;");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     return NULL;
   else
-    return mysql_fetch_object($result)->id;
+    return $result->fetch(PDO::FETCH_OBJ)->id;
 }
 
 
@@ -38,11 +37,11 @@ function create_customer($data)
     return NULL;
   }
 
-  $anrede = mysql_escape_string($data['anrede']);
-  $firma = mysql_escape_string($data['firma']);
-  $vorname = mysql_escape_string($data['vorname']);
-  $nachname = mysql_escape_string($data['nachname']);
-  $email = mysql_escape_string($data['email']);
+  $anrede = db_escape_string($data['anrede']);
+  $firma = db_escape_string($data['firma']);
+  $vorname = db_escape_string($data['vorname']);
+  $nachname = db_escape_string($data['nachname']);
+  $email = db_escape_string($data['email']);
 
   logger(LOG_INFO, 'modules/register/include/register', 'register', "Creating new account: {$anrede} / {$firma} / {$vorname} / {$nachname} / {$email}");
   
@@ -53,7 +52,7 @@ function create_customer($data)
 
   db_query("BEGIN");
   db_query("INSERT INTO kundendaten.kunden (firma, nachname, vorname, anrede, email, erstellungsdatum,status) VALUES ({$firma}, {$nachname}, {$vorname}, {$anrede}, {$email}, CURDATE(), 3)");
-  $customerno = mysql_insert_id();
+  $customerno = db_insert_id();
   db_query("COMMIT");
   return $customerno;
 

modules/su/include/su.php

Zeige Datei @ f1f231f

@@ -24,7 +24,7 @@ function list_system_users()
   $result = db_query("SELECT uid,username FROM system.v_useraccounts ORDER BY username");
   
   $ret = array();
-  while ($item = mysql_fetch_object($result))
+  while ($item = $result->fetch(PDO::FETCH_OBJ))
     array_push($ret, $item);
   return $ret;
 }
@@ -37,7 +37,7 @@ function list_customers()
   $result = db_query("SELECT id, IF(firma IS NULL, CONCAT_WS(' ', vorname, nachname), CONCAT(firma, ' (', CONCAT_WS(' ', vorname, nachname), ')')) AS name FROM kundendaten.kunden");
   
   $ret = array();
-  while ($item = mysql_fetch_object($result))
+  while ($item = $result->fetch(PDO::FETCH_OBJ))
     array_push($ret, $item);
   return $ret;
 }
@@ -45,7 +45,7 @@ function list_customers()
 
 function find_customers($string) 
 {
-  $string = mysql_real_escape_string(chop($string));
+  $string = db_escape_string(chop($string));
   $return = array();
   $result = db_query("SELECT k.id FROM kundendaten.kunden AS k LEFT JOIN system.useraccounts AS u ON (k.id=u.kunde) WHERE ".
                      "firma LIKE '%{$string}%' OR firma2 LIKE '%{$string}%' OR ".
@@ -55,14 +55,14 @@ function find_customers($string)
                      "notizen LIKE '%{$string}%' OR email_rechnung LIKE '%{$string}%' OR ".
                      "email LIKE '%{$string}%' OR email_extern LIKE '%{$string}%' OR u.name LIKE '%{$string}%' OR ".
                      "u.username LIKE '%{$string}%' OR k.id='{$string}' OR u.uid='{$string}';");
-  while ($entry = mysql_fetch_assoc($result))
+  while ($entry = $result->fetch())
     $return[] = $entry['id'];
 
   $result = db_query("SELECT kunde FROM kundendaten.domains WHERE kunde IS NOT NULL AND (
                       domainname LIKE '%{$string}%' OR CONCAT_WS('.', domainname, tld) LIKE '%{$string}%'
                       )");
 
-  while ($entry = mysql_fetch_assoc($result))
+  while ($entry = $result->fetch())
     $return[] = $entry['kunde'];
 
   return $return;
@@ -75,7 +75,7 @@ function find_users_for_customer($id)
   $return = array();
   $result = db_query("SELECT uid, username, name FROM system.useraccounts WHERE ".
                      "kunde='{$id}';");
-  while ($entry = mysql_fetch_assoc($result))
+  while ($entry = $result->fetch())
     $return[] = $entry;
 
   return $return;

modules/subusers/include/subuser.php

Zeige Datei @ f1f231f

@@ -25,7 +25,7 @@ function list_subusers()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid}");
   $subusers = array();
-  while ($item = mysql_fetch_assoc($result))
+  while ($item = $result->fetch())
   {
     $item['modules'] = explode(',', $item['modules']);
     $subusers[] = $item;
@@ -40,7 +40,7 @@ function load_subuser($id) {
   $uid = (int) $_SESSION['userinfo']['uid'];
   
   $result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid} AND id={$id}");
-  $item = mysql_fetch_assoc($result);
+  $item = $result->fetch();
   $item['modules'] = explode(',', $item['modules']);
   return $item;
 }
@@ -79,7 +79,7 @@ function new_subuser($username, $requested_modules, $password)
 {
   $uid = (int) $_SESSION['userinfo']['uid'];
 
-  $username = mysql_real_escape_string(filter_input_username($username));
+  $username = db_escape_string(filter_input_username($username));
   if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
     // Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
     system_failure("Ungültiger Benutzername!");
@@ -100,7 +100,7 @@ function new_subuser($username, $requested_modules, $password)
   if (count($modules) == 0) {
     system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
   }
-  $modules = mysql_real_escape_string(implode(',', $modules));
+  $modules = db_escape_string(implode(',', $modules));
   
   $result = strong_password($password);
   if ($result !== true) {
@@ -128,7 +128,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
     system_failure("Kann diesen Account nicht finden!");
   }
 
-  $username = mysql_real_escape_string(filter_input_username($username));
+  $username = db_escape_string(filter_input_username($username));
   if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
     // Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
     system_failure("Ungültiger Benutzername!");
@@ -148,7 +148,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
   if (count($modules) == 0) {
     system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
   }
-  $modules = mysql_real_escape_string(implode(',', $modules));
+  $modules = db_escape_string(implode(',', $modules));
   
   $pwchange = '';
   if ($password) {

modules/systemuser/include/useraccounts.php

Zeige Datei @ f1f231f

@@ -15,7 +15,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 */
 
 require_once("inc/debug.php");
-require_once("inc/db_connect.php");
 
 
 
@@ -23,14 +22,14 @@ function customer_may_have_useraccounts()
 {
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT COUNT(*) FROM system.useraccounts WHERE kunde={$customerno}");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 function customer_useraccount($uid) {
   $uid = (int) $uid;
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT 1 FROM system.useraccounts WHERE kunde={$customerno} AND uid={$uid} AND kundenaccount=1");
-  return mysql_num_rows($result) > 0;
+  return $result->rowCount() > 0;
 }
 
 function primary_useraccount()
@@ -39,7 +38,7 @@ function primary_useraccount()
     return NULL;
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT MIN(uid) AS uid FROM system.useraccounts WHERE kunde={$customerno}");
-  $uid = mysql_fetch_object($result)->uid;
+  $uid = $result->fetch(PDO::FETCH_OBJ)->uid;
   DEBUG("primary useraccount: {$uid}");
   return $uid;
 }
@@ -49,7 +48,7 @@ function available_shells()
 {
   $result = db_query("SELECT path, name FROM system.shells WHERE usable=1");
   $ret = array();
-  while ($s = mysql_fetch_assoc($result))
+  while ($s = $result->fetch())
   {
     $ret[$s['path']] = $s['name'];
   }
@@ -63,7 +62,7 @@ function list_useraccounts()
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT uid,username,name,erstellungsdatum,quota,shell FROM system.useraccounts WHERE kunde={$customerno}");
   $ret = array();
-  while ($item = mysql_fetch_assoc($result))
+  while ($item = $result->fetch())
   {
     array_push($ret, $item);
   }
@@ -79,9 +78,9 @@ function get_account_details($uid, $customerno=0)
   if ($customerno == 0)
     $customerno = $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT uid,username,name,shell,quota,erstellungsdatum FROM system.useraccounts WHERE kunde={$customerno} AND uid={$uid}");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     system_failure("Cannot find the requestes useraccount (for this customer).");
-  return mysql_fetch_assoc($result);
+  return $result->fetch();
 }
 
 function get_used_quota($uid)
@@ -89,7 +88,7 @@ function get_used_quota($uid)
   $uid = (int) $uid;
   $result = db_query("SELECT s.hostname AS server, systemquota, systemquota_used, mailquota, mailquota_used FROM system.v_quota AS q LEFT JOIN system.servers AS s ON (s.id=q.server) WHERE uid='{$uid}'");
   $ret = array();
-  while ($line = mysql_fetch_assoc($result))
+  while ($line = $result->fetch())
     $ret[] = $line;
   DEBUG($ret);
   return $ret;
@@ -105,8 +104,8 @@ function set_account_details($account)
   else
     $customerno = (int) $_SESSION['userinfo']['customerno'];
 
-  $fullname = maybe_null(mysql_real_escape_string(filter_input_general($account['name'])));
-  $shell = mysql_real_escape_string(filter_input_general($account['shell']));
+  $fullname = maybe_null(db_escape_string(filter_input_general($account['name'])));
+  $shell = db_escape_string(filter_input_general($account['shell']));
   $quota = (int) $account['quota'];
 
   db_query("UPDATE system.useraccounts SET name={$fullname}, quota={$quota}, shell='{$shell}' WHERE kunde={$customerno} AND uid={$uid}");
@@ -118,7 +117,7 @@ function get_customer_quota()
 {
   $cid = (int) $_SESSION['customerinfo']['customerno'];
   $result = db_query("SELECT SUM(u.quota) AS assigned, cq.quota AS max FROM system.customerquota AS cq INNER JOIN system.useraccounts AS u ON (u.kunde=cq.cid) WHERE cq.cid={$cid}");
-  $ret = mysql_fetch_assoc($result);
+  $ret = $result->fetch();
   DEBUG($ret);
   return $ret;
 }

modules/vhosts/include/certs.php

Zeige Datei @ f1f231f

@@ -26,7 +26,7 @@ function user_certs()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id, valid_from, valid_until, subject, cn FROM vhosts.certs WHERE uid=${uid} ORDER BY cn");
   $ret = array();
-  while ($i = mysql_fetch_assoc($result))
+  while ($i = $result->fetch())
     $ret[] = $i;
   DEBUG($ret);
   return $ret;
@@ -37,7 +37,7 @@ function user_csr()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT id, created, hostname, bits FROM vhosts.csr WHERE uid=${uid} ORDER BY hostname");
   $ret = array();
-  while ($i = mysql_fetch_assoc($result))
+  while ($i = $result->fetch())
     $ret[] = $i;
   DEBUG($ret);
   return $ret;
@@ -49,9 +49,9 @@ function cert_details($id)
   $uid = (int) $_SESSION['userinfo']['uid'];
   
   $result = db_query("SELECT id, lastchange, valid_from, valid_until, subject, cn, cert, `key` FROM vhosts.certs WHERE uid={$uid} AND id={$id}");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure("Ungültiges Zertifikat #{$id}");
-  return mysql_fetch_assoc($result);
+  return $result->fetch();
 }
 
 
@@ -61,9 +61,9 @@ function csr_details($id)
   $uid = (int) $_SESSION['userinfo']['uid'];
   
   $result = db_query("SELECT id, created, hostname, bits, `replace`, csr, `key` FROM vhosts.csr WHERE uid={$uid} AND id={$id}");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure("Ungültiger CSR");
-  return mysql_fetch_assoc($result);
+  return $result->fetch();
 }
 
 
@@ -87,11 +87,11 @@ function get_chain($cert)
   if (! isset($certdata['issuer']['CN'])) {
     return NULL;
   }
-  $issuer = mysql_real_escape_string($certdata['issuer']['CN']);
+  $issuer = db_escape_string($certdata['issuer']['CN']);
   $result = db_query("SELECT id FROM vhosts.certchain WHERE cn='{$issuer}'");
-  if (mysql_num_rows($result) > 0)
+  if ($result->rowCount() > 0)
   {
-    $c = mysql_fetch_assoc($result);
+    $c = $result->fetch();
     //$chainfile = '/etc/apache2/certs/chains/'.$c['id'].'.pem';
     DEBUG("identified fitting certificate chain #".$c['id']);
     return $c['id'];
@@ -140,7 +140,7 @@ function validate_certificate($cert, $key)
   if ($chain)
   {
     $result = db_query("SELECT content FROM vhosts.certchain WHERE id={$chain}");
-    $tmp = mysql_fetch_assoc($result);
+    $tmp = $result->fetch();
     $chaincert = $tmp['content'];
     $chainfile = tempnam(sys_get_temp_dir(), 'webinterface');
     $f = fopen($chainfile, "w");
@@ -183,13 +183,13 @@ function save_cert($info, $cert, $key)
 {
   openssl_pkey_export($key, $key);
   openssl_x509_export($cert, $cert);
-  $subject = mysql_real_escape_string(filter_input_general($info['subject']));
-  $cn = mysql_real_escape_string(filter_input_general($info['cn']));
-  $valid_from = mysql_real_escape_string($info['valid_from']);
-  $valid_until = mysql_real_escape_string($info['valid_until']);
+  $subject = db_escape_string(filter_input_general($info['subject']));
+  $cn = db_escape_string(filter_input_general($info['cn']));
+  $valid_from = db_escape_string($info['valid_from']);
+  $valid_until = db_escape_string($info['valid_until']);
   $chain = maybe_null( get_chain($cert) );
-  $cert = mysql_real_escape_string($cert);
-  $key = mysql_real_escape_string($key);
+  $cert = db_escape_string($cert);
+  $key = db_escape_string($key);
   $uid = (int) $_SESSION['userinfo']['uid'];
 
   db_query("INSERT INTO vhosts.certs (uid, subject, cn, valid_from, valid_until, chain, cert, `key`) VALUES ({$uid}, '{$subject}', '{$cn}', '{$valid_from}', '{$valid_until}', {$chain}, '{$cert}', '{$key}')");
@@ -203,17 +203,17 @@ function refresh_cert($id, $info, $cert, $key = NULL)
 
   $id = (int) $id;
   $oldcert = cert_details($id);
-  $cert = mysql_real_escape_string($cert);
-  $subject = mysql_real_escape_string(filter_input_general($info['subject']));
-  $cn = mysql_real_escape_string(filter_input_general($info['cn']));
+  $cert = db_escape_string($cert);
+  $subject = db_escape_string(filter_input_general($info['subject']));
+  $cn = db_escape_string(filter_input_general($info['cn']));
   
-  $valid_from = mysql_real_escape_string($info['valid_from']);
-  $valid_until = mysql_real_escape_string($info['valid_until']);
+  $valid_from = db_escape_string($info['valid_from']);
+  $valid_until = db_escape_string($info['valid_until']);
 
   $keyop = '';
   if ($key) {
     openssl_pkey_export($key, $key);
-    $keyop = ", `key`='".mysql_real_escape_string($key)."'";
+    $keyop = ", `key`='".db_escape_string($key)."'";
   }
   db_query("UPDATE vhosts.certs SET subject='{$subject}', cn='{$cn}', cert='{$cert}'{$keyop}, valid_from='{$valid_from}', valid_until='{$valid_until}', chain={$chain} WHERE id={$id} LIMIT 1");
 }
@@ -304,11 +304,11 @@ function save_csr($cn, $bits, $replace=NULL)
   list($csr, $key) = create_csr($cn, $bits);
   
   $uid = (int) $_SESSION['userinfo']['uid'];
-  $cn = mysql_real_escape_string(filter_input_hostname($cn, true));
+  $cn = db_escape_string(filter_input_hostname($cn, true));
   $bits = (int) $bits;
   $replace = ($replace ? (int) $replace : 'NULL');
-  $csr = mysql_real_escape_string($csr);
-  $key = mysql_real_escape_string($key);
+  $csr = db_escape_string($csr);
+  $key = db_escape_string($key);
   db_query("INSERT INTO vhosts.csr (uid, hostname, bits, `replace`, csr, `key`) VALUES ({$uid}, '{$cn}', {$bits}, {$replace}, '{$csr}', '{$key}')");
   $id = mysql_insert_id();
   return $id;  

modules/vhosts/include/vhosts.php

Zeige Datei @ f1f231f

@@ -27,14 +27,14 @@ function traffic_month($vhost_id)
 {
   $vhost_id = (int) $vhost_id;
   $result = db_query("SELECT sum(mb_in+mb_out) as mb FROM vhosts.traffic where date > CURDATE() - INTERVAL 1 MONTH AND vhost_id = {$vhost_id}");
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   return $data['mb'];
 }
 
 function autoipv6_address($vhost_id, $mode = 1)
 {
   $result = db_query("SELECT uid, v6_prefix FROM vhosts.v_vhost LEFT JOIN system.servers ON (servers.hostname = server) WHERE v_vhost.id={$vhost_id}");
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   if (!$data['v6_prefix'])
   {
     warning("IPv6-Adresse nicht verfügbar, Server unterstützt kein IPv6");
@@ -55,7 +55,7 @@ function list_vhosts()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT vh.id,fqdn,domain,docroot,docroot_is_default,php,cgi,vh.certid AS cert, vh.ssl, vh.options,logtype,errorlog,IF(dav.id IS NULL OR dav.type='svn', 0, 1) AS is_dav,IF(dav.id IS NULL OR dav.type='dav', 0, 1) AS is_svn, IF(webapps.id IS NULL, 0, 1) AS is_webapp, stats FROM vhosts.v_vhost AS vh LEFT JOIN vhosts.dav ON (dav.vhost=vh.id) LEFT JOIN vhosts.webapps ON (webapps.vhost = vh.id) WHERE uid={$uid} ORDER BY domain,hostname");
   $ret = array();
-  while ($item = mysql_fetch_assoc($result))
+  while ($item = $result->fetch())
     array_push($ret, $item);
   return $ret;
 }
@@ -63,9 +63,9 @@ function list_vhosts()
 function ipv6_possible($server)
 {
   $serverid = (int) $server;
-  $servername = mysql_real_escape_string($server);
+  $servername = db_escape_string($server);
   $result = db_query("SELECT v6_prefix FROM system.servers WHERE id={$serverid} OR hostname='{$servername}'");
-  $line = mysql_fetch_assoc($result);
+  $line = $result->fetch();
   DEBUG("Server {$server} is v6-capable: ". ($line['v6_prefix'] != NULL));
   return ($line['v6_prefix'] != NULL);
 }
@@ -143,10 +143,10 @@ function get_vhost_details($id)
   $id = (int) $id;
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT vh.*,IF(dav.id IS NULL OR dav.type='svn', 0, 1) AS is_dav,IF(dav.id IS NULL OR dav.type='dav', 0, 1) AS is_svn, IF(webapps.id IS NULL, 0, 1) AS is_webapp FROM vhosts.v_vhost AS vh LEFT JOIN vhosts.dav ON (dav.vhost=vh.id) LEFT JOIN vhosts.webapps ON (webapps.vhost = vh.id) WHERE uid={$uid} AND vh.id={$id}");
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure('Interner Fehler beim Auslesen der Daten');
 
-  $ret = mysql_fetch_assoc($result);
+  $ret = $result->fetch();
 
   if ($ret['hsts'] === NULL) {
     DEBUG('HSTS: '.$ret['hsts']);
@@ -162,7 +162,7 @@ function get_aliases($vhost)
 {
   $result = db_query("SELECT id,fqdn,options FROM vhosts.v_alias WHERE vhost={$vhost}");
   $ret = array();
-  while ($item = mysql_fetch_assoc($result)) {
+  while ($item = $result->fetch()) {
     array_push($ret, $item);
   }
   return $ret;
@@ -192,7 +192,7 @@ function list_available_webapps()
 {
   $result = db_query("SELECT id,displayname FROM vhosts.global_webapps");
   $ret = array();
-  while ($item = mysql_fetch_assoc($result))
+  while ($item = $result->fetch())
     array_push($ret, $item);
   return $ret;
 }
@@ -248,9 +248,9 @@ function make_webapp_vhost($id, $webapp)
   if ($id == 0)
     system_failure("id == 0");
   $result = db_query("SELECT displayname FROM vhosts.global_webapps WHERE id={$webapp};");
-  if (mysql_num_rows($result) == 0)
+  if ($result->rowCount() == 0)
     system_failure("webapp-id invalid");
-  $webapp_name = mysql_fetch_object($result)->displayname;
+  $webapp_name = $result->fetch(PDO::FETCH_OBJ)->displayname;
   logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Setting up webapp '.$webapp_name.' on vhost #'.$id);
   db_query("REPLACE INTO vhosts.webapps (vhost, webapp) VALUES ({$id}, {$webapp})");
   mail('webapps-setup@schokokeks.org', 'setup', 'setup');
@@ -261,7 +261,7 @@ function check_hostname_collision($hostname, $domain)
 {
   $uid = (int) $_SESSION['userinfo']['uid'];
   # Neuer vhost => Prüfe Duplikat
-  $hostnamecheck = "hostname='".mysql_real_escape_string($hostname)."'";
+  $hostnamecheck = "hostname='".db_escape_string($hostname)."'";
   if (! $hostname) {
     $hostnamecheck = "hostname IS NULL";
   }
@@ -270,15 +270,15 @@ function check_hostname_collision($hostname, $domain)
     $domaincheck = "domain IS NULL AND user={$uid}";
   }
   $result = db_query("SELECT id FROM vhosts.vhost WHERE {$hostnamecheck} AND {$domaincheck}");
-  if (mysql_num_rows($result) > 0) {
+  if ($result->rowCount() > 0) {
     system_failure('Eine Konfiguration mit diesem Namen gibt es bereits.');
   }
   if ($domain == -1) {
     return ;
   }
   $result = db_query("SELECT id, vhost FROM vhosts.alias WHERE {$hostnamecheck} AND {$domaincheck}");
-  if (mysql_num_rows($result) > 0) {
-    $data = mysql_fetch_assoc($result);
+  if ($result->rowCount() > 0) {
+    $data = $result->fetch();
     $vh = get_vhost_details($data['vhost']);
     system_failure('Dieser Hostname ist bereits als Alias für »'.$vh['fqdn'].'« eingerichtet');
   }
@@ -328,7 +328,7 @@ function save_vhost($vhost)
     if (! $vhost['options']) $vhost['options']='nodocroot';
     else $vhost['options']+=",nodocroot";
   }
-  $options = mysql_real_escape_string( $vhost['options'] );
+  $options = db_escape_string( $vhost['options'] );
 
   $cert = 0;
   $certs = user_certs();
@@ -383,10 +383,10 @@ function get_alias_details($id)
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT * FROM vhosts.v_alias WHERE id={$id}");
   
-  if (mysql_num_rows($result) != 1)
+  if ($result->rowCount() != 1)
     system_failure('Interner Fehler beim Auslesen der Alias-Daten');
   
-  $alias = mysql_fetch_assoc($result);
+  $alias = $result->fetch();
   
   if ($alias['domain_id'] == NULL) {
     $alias['domain_id'] = -1;
@@ -420,7 +420,7 @@ function save_alias($alias)
   if ($alias['domain_id'] == -1)
     $domain = 'NULL';
   $vhost = get_vhost_details( (int) $alias['vhost']);
-  $options = mysql_real_escape_string( $alias['options'] );
+  $options = db_escape_string( $alias['options'] );
   if ($id == 0) {
     logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'aliases', 'Creating alias '.$alias['hostname'].'.'.$alias['domain'].' for VHost '.$vhost['id']);
     db_query("INSERT INTO vhosts.alias (hostname, domain, vhost, options) VALUES ({$hostname}, {$domain}, {$vhost['id']}, '{$options}')");
@@ -437,7 +437,7 @@ function available_suexec_users()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT uid, username FROM vhosts.available_users LEFT JOIN vhosts.v_useraccounts ON (uid = suexec_user) WHERE mainuser={$uid}");
   $ret = array();
-  while ($i = mysql_fetch_assoc($result))
+  while ($i = $result->fetch())
     $ret[] = $i;
   DEBUG('available suexec-users:');
   DEBUG($ret);
@@ -451,7 +451,7 @@ function user_ipaddrs()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT ipaddr FROM vhosts.ipaddr_available WHERE uid={$uid}");
   $ret = array();
-  while ($i = mysql_fetch_assoc($result))
+  while ($i = $result->fetch())
   {
     $ret[] = $i['ipaddr'];
   }

modules/webapps/freewvs.php

Zeige Datei @ f1f231f

@@ -33,7 +33,7 @@ if (isset($_POST['freq']) && in_array($_POST['freq'],array("day","week","month")
 }
 
 $result = db_query("SELECT freq FROM qatools.v_freewvs WHERE uid={$uid};");
-$result=mysql_fetch_assoc($result);
+$result=$result->fetch();
 $freq=$result['freq'];
 
 headline('Überprüfung Ihrer Web-Anwendungen auf Sicherheitslücken');

modules/webapps/include/freewvs.php

Zeige Datei @ f1f231f

@@ -22,17 +22,17 @@ function load_results()
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT directory, docroot, lastcheck, appname, version, state, safeversion, vulninfo FROM qatools.freewvs_results WHERE uid={$uid}");
   $ret = array();
-  while ($line = mysql_fetch_assoc($result)) {
+  while ($line = $result->fetch()) {
     array_push($ret, $line);
   }
   return $ret;
 }
 
 function get_upgradeinstructions($appname) {
-  $appname = mysql_real_escape_string($appname);
+  $appname = db_escape_string($appname);
   $result = db_query("SELECT url FROM qatools.freewvs_upgradeinstructions WHERE appname='{$appname}' LIMIT 1");
-  if (mysql_num_rows($result) > 0) {
-    $tmp = mysql_fetch_array($result);
+  if ($result->rowCount() > 0) {
+    $tmp = $result->fetch();
     return $tmp[0];
   }
   return NULL;

modules/webapps/include/webapp-installer.php

Zeige Datei @ f1f231f

@@ -20,11 +20,11 @@ function create_new_webapp($appname, $directory, $url, $data)
 {
   if (directory_in_use($directory))
     system_failure('Sie haben erst kürzlich eine Anwendung in diesem Verzeichnis installieren lassen. Aus Sicherheitsgründen können Sie in diesem Verzeichnis am selben Tag nicht schon wieder eine Anwendung installieren.');
-  $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
-  $appname = mysql_real_escape_string($appname);
-  $directory = mysql_real_escape_string($directory);
-  $url = mysql_real_escape_string($url);
-  $data = mysql_real_escape_string($data);
+  $username = db_escape_string($_SESSION['userinfo']['username']);
+  $appname = db_escape_string($appname);
+  $directory = db_escape_string($directory);
+  $url = db_escape_string($url);
+  $data = db_escape_string($data);
   db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username, data) VALUES ('{$appname}', '{$directory}', '{$url}', 'new', '{$username}', '{$data}')");
 }
 
@@ -33,18 +33,18 @@ function request_update($appname, $directory, $url)
 {
   if (directory_in_use($directory))
     system_failure('Sie haben erst kürzlich eine Anwendung in diesem Verzeichnis installieren lassen oder ein Update in diesem Verzeichnis angefordert. Bitte warten Sie bis diese Aktion durchgeführt wurde.');
-  $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
-  $appname = mysql_real_escape_string($appname);
-  $directory = mysql_real_escape_string($directory);
-  $url = maybe_null(mysql_real_escape_string($url));
+  $username = db_escape_string($_SESSION['userinfo']['username']);
+  $appname = db_escape_string($appname);
+  $directory = db_escape_string($directory);
+  $url = maybe_null(db_escape_string($url));
   db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username) VALUES ('{$appname}', '{$directory}', {$url}, 'old', '{$username}')");
 }
 
 function directory_in_use($directory)
 {
-  $directory = mysql_real_escape_string($directory);
+  $directory = db_escape_string($directory);
   $result = db_query("SELECT id FROM vhosts.webapp_installer WHERE (state IN ('new','old') OR DATE(lastchange)=CURDATE()) AND directory='{$directory}'");
-  if (mysql_num_rows($result) > 0)
+  if ($result->rowCount() > 0)
     return true;
   return false;
 }
@@ -101,15 +101,15 @@ function get_url_for_dir($docroot, $cutoff = '')
 {
   if (substr($docroot, -1) == '/')
     $docroot = substr($docroot, 0, -1);
-  $docroot = mysql_real_escape_string($docroot);
+  $docroot = db_escape_string($docroot);
   $result = db_query("SELECT `ssl`, IF(FIND_IN_SET('aliaswww', options), CONCAT('www.',fqdn), fqdn) AS fqdn FROM vhosts.v_vhost WHERE docroot IN ('{$docroot}', '{$docroot}/') LIMIT 1");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
   {
     if (!strstr($docroot, '/'))
       return NULL;
     return get_url_for_dir(substr($docroot, 0, strrpos($docroot, '/')), substr($docroot, strrpos($docroot, '/')).$cutoff);
   } 
-  $tmp = mysql_fetch_assoc($result);
+  $tmp = $result->fetch();
   $prefix = 'http://';
   if ($tmp['ssl'] == 'forward' || $tmp['ssl'] == 'https')
     $prefix = 'https://';
@@ -122,7 +122,7 @@ function create_webapp_mysqldb($application, $sitename)
   // dependet auf das mysql-modul
   require_once('modules/mysql/include/mysql.php'); 
   
-  $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
+  $username = db_escape_string($_SESSION['userinfo']['username']);
   $description = "Automatisch erzeugte Datenbank für {$application} ({$sitename})";
   
   // zuerst versuchen wir username_webappname. Wenn das nicht klappt, dann wird hochgezählt

modules/webmailtotp/include/totp.php

Zeige Datei @ f1f231f

@@ -16,10 +16,10 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
 
 function account_has_totp($username)
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $result = db_query("SELECT id FROM mail.webmail_totp WHERE email='{$username}'");
-  if (mysql_num_rows($result) > 0) {
-    $tmp = mysql_fetch_assoc($result);
+  if ($result->rowCount() > 0) {
+    $tmp = $result->fetch();
     $id = $tmp['id'];
     return $id;
   } else {
@@ -31,13 +31,13 @@ function account_has_totp($username)
 
 function validate_password($username, $password) 
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account='{$username}' UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account='{$username}'");
-  if (mysql_num_rows($result) != 1) {
+  if ($result->rowCount() != 1) {
     // Kein Account mit dem Namen oder Name nicht eindeutig
     return false;
   }
-  $account = mysql_fetch_assoc($result);
+  $account = $result->fetch();
   return (crypt($password, $account['cryptpass']) == $account['cryptpass']);
 }
 
@@ -87,9 +87,9 @@ function decode_webmail_password($crypted, $webmailpw)
 
 
 function get_imap_password($username, $webmailpass) {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $result = db_query("SELECT webmailpass FROM mail.webmail_totp WHERE email='{$username}'");
-  $tmp = mysql_fetch_assoc($result);
+  $tmp = $result->fetch();
   
   $crypted = $tmp['webmailpass'];
     
@@ -107,7 +107,7 @@ function check_webmail_password($username, $webmailpass)
 
 function generate_secret($username)
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   require_once('external/googleauthenticator/GoogleAuthenticator.php');
   $ga = new PHPGangsta_GoogleAuthenticator();
   
@@ -120,9 +120,9 @@ function generate_secret($username)
 
 function check_locked($username) 
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $result = db_query("SELECT 1 FROM mail.webmail_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email='{$username}'");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 
 function check_totp($username, $code) {
@@ -131,10 +131,10 @@ function check_totp($username, $code) {
     return false;
   }
 
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
 
   $result = db_query("SELECT totp_secret, failures FROM mail.webmail_totp WHERE email='{$username}' AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())");
-  $tmp = mysql_fetch_assoc($result);
+  $tmp = $result->fetch();
   $secret = $tmp['totp_secret'];
 
   require_once('external/googleauthenticator/GoogleAuthenticator.php');
@@ -197,7 +197,7 @@ function accountname($id)
   $id = (int) $id;
   $uid = (int) $_SESSION['userinfo']['uid'];
   $result = db_query("SELECT email FROM mail.webmail_totp WHERE id={$id} AND useraccount={$uid}");
-  if ($tmp = mysql_fetch_assoc($result)) {
+  if ($tmp = $result->fetch()) {
     return $tmp['email'];
   }
 }
@@ -214,17 +214,17 @@ function delete_totp($id)
 
 function blacklist_token($email, $token)
 {
-  $email = mysql_real_escape_string($email);
-  $token = mysql_real_escape_string($token);
+  $email = db_escape_string($email);
+  $token = db_escape_string($token);
   db_query("INSERT INTO mail.webmail_totp_blacklist (timestamp, email, token) VALUES (NOW(), '{$email}', '{$token}')");
 }
 
 function check_blacklist($email, $token)
 {
-  $email = mysql_real_escape_string($email);
-  $token = mysql_real_escape_string($token);
+  $email = db_escape_string($email);
+  $token = db_escape_string($token);
   db_query("DELETE FROM mail.webmail_totp_blacklist WHERE timestamp < NOW() - INTERVAL 10 MINUTE");
   $result = db_query("SELECT id FROM mail.webmail_totp_blacklist WHERE email='{$email}' AND token='{$token}'");
-  return (mysql_num_rows($result) > 0);
+  return ($result->rowCount() > 0);
 }
 

session/checkuser.php

Zeige Datei @ f1f231f

@@ -18,7 +18,6 @@ require_once('inc/base.php');
 require_once('inc/debug.php');
 require_once('inc/error.php');
 
-require_once('inc/db_connect.php');
 
 define('ROLE_ANONYMOUS', 0);
 define('ROLE_MAILACCOUNT', 1);
@@ -33,16 +32,16 @@ define('ROLE_SUBUSER', 32);
 
 function find_role($login, $password, $i_am_admin = False)
 {
-  $login = mysql_real_escape_string($login);
+  $login = db_escape_string($login);
   // Domain-Admin?  <not implemented>
   // System-User?
   $uid = (int) $login;
   if ($uid == 0)
     $uid = 'NULL';
   $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
-  if (@mysql_num_rows($result) > 0)
+  if (@$result->rowCount() > 0)
   {
-    $entry = mysql_fetch_object($result);
+    $entry = $result->fetch(PDO::FETCH_OBJ);
     if (strcasecmp($entry->username, $login) == 0 && $entry->username != $login) {
       // MySQL matched (warum auch immer) ohne Beachtung der Schreibweise. Wir wollen aber case-sensitive sein.
       logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");
@@ -72,7 +71,7 @@ function find_role($login, $password, $i_am_admin = False)
   $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno} AND passwort='{$pass}';");
   if ($i_am_admin)
     $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno}");
-  if (@mysql_num_rows($result) > 0)
+  if (@$result->rowCount() > 0)
   {
     return ROLE_CUSTOMER;
   }
@@ -80,9 +79,9 @@ function find_role($login, $password, $i_am_admin = False)
   // Sub-User
 
   $result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
-  if (@mysql_num_rows($result) > 0)
+  if (@$result->rowCount() > 0)
   {
-    $entry = mysql_fetch_object($result);
+    $entry = $result->fetch(PDO::FETCH_OBJ);
     $db_password = $entry->password;
     // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
     if (hash("sha1", $password) == $db_password || hash("sha256", $password) == $db_password || $i_am_admin)
@@ -113,9 +112,9 @@ function find_role($login, $password, $i_am_admin = False)
     }
   }
   $result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
-  if (@mysql_num_rows($result) > 0)
+  if (@$result->rowCount() > 0)
   {
-    $entry = mysql_fetch_object($result);
+    $entry = $result->fetch(PDO::FETCH_OBJ);
     $db_password = $entry->cryptpass;
     $hash = crypt($password, $db_password);
     if ($hash == $db_password || $i_am_admin)
@@ -129,9 +128,9 @@ function find_role($login, $password, $i_am_admin = False)
   // virtueller Mail-Account
   $account = $login;
   $result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account='{$account}' LIMIT 1;");
-  if (@mysql_num_rows($result) > 0)
+  if (@$result->rowCount() > 0)
   {
-    $entry = mysql_fetch_object($result);
+    $entry = $result->fetch(PDO::FETCH_OBJ);
     $db_password = $entry->cryptpass;
     $hash = crypt($password, $db_password);
     if ($hash == $db_password || $i_am_admin)
@@ -162,13 +161,13 @@ function get_customer_info($customer)
   }
   else
   {
-    $username = mysql_real_escape_string($customer);
+    $username = db_escape_string($customer);
     DEBUG('looking up customer info for username '.$username);
     $result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
   }
-  if (@mysql_num_rows($result) == 0)
+  if (@$result->rowCount() == 0)
     system_failure("Konnte Kundendaten nicht auslesen!");
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   DEBUG($data);
   $ret['customerno'] = $data['id'];
   $ret['title'] = $data['anrede'];
@@ -183,12 +182,12 @@ function get_customer_info($customer)
 function get_subuser_info($username)
 {
   $result = db_query("SELECT uid, modules FROM system.subusers WHERE username='{$username}'");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
   {
     logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«");
     system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
   }
-  $data = mysql_fetch_assoc($result);
+  $data = $result->fetch();
   $userinfo = get_user_info($data['uid']);
   $userinfo['modules'] = $data['modules'];
   return $userinfo;
@@ -197,15 +196,15 @@ function get_subuser_info($username)
 
 function get_user_info($username)
 {
-  $username = mysql_real_escape_string($username);
+  $username = db_escape_string($username);
   $result = db_query("SELECT kunde AS customerno, username, uid, homedir, name, server
                       FROM system.v_useraccounts WHERE username='{$username}' OR uid='{$username}' LIMIT 1");
-  if (mysql_num_rows($result) < 1)
+  if ($result->rowCount() < 1)
   {
     logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«");
     system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
   }
-  $val = @mysql_fetch_object($result);
+  $val = @$result->fetch(PDO::FETCH_OBJ);
   return array(
           'username'      => $val->username,
           'customerno'    => $val->customerno,
@@ -239,7 +238,7 @@ function set_customer_password($customerno, $newpass)
 
 function set_subuser_password($subuser, $newpass)
 {
-  $subuser = mysql_real_escape_string($subuser);
+  $subuser = db_escape_string($subuser);
   $uid = (int) $_SESSION['userinfo']['uid'];
   $newpass = sha1($newpass);
   db_query("UPDATE system.subusers SET password='$newpass' WHERE username='{$subuser}' AND uid={$uid}");
@@ -269,20 +268,20 @@ function set_systemuser_password($uid, $newpass)
 function user_for_mailaccount($account) 
 {
   $result = db_query("SELECT uid FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
-  if (mysql_num_rows($result) != 1) {
+  if ($result->rowCount() != 1) {
     system_failure('Diese Adresse ist herrenlos?!');
   }
-  $tmp = mysql_fetch_assoc($result);
+  $tmp = $result->fetch();
   return $tmp['uid'];
 }
 
 function user_for_vmail_account($account)
 {
   $result = db_query("SELECT useraccount FROM mail.v_vmail_accounts WHERE CONCAT_WS('@', local, domainname)='{$account}' LIMIT 1;");
-  if (mysql_num_rows($result) != 1) {
+  if ($result->rowCount() != 1) {
     system_failure('Diese Adresse ist herrenlos?!');
   }
-  $tmp = mysql_fetch_assoc($result);
+  $tmp = $result->fetch();
   return $tmp['useraccount'];
 }
 
@@ -300,7 +299,7 @@ function setup_session($role, $useridentity)
     $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER;
     $_SESSION['subuser'] = $useridentity;
     $data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username='{$info['username']}'");
-    if ($entry = mysql_fetch_assoc($data)) {
+    if ($entry = $data->fetch) {
       if ($entry['kundenaccount'] == 1) {
         $customer = get_customer_info($_SESSION['userinfo']['username']);
         $_SESSION['customerinfo'] = $customer;


...	...	@@ -39,14 +39,14 @@ function prepare_cert($cert)
39	39
40	40	function get_logins_by_cert($cert)
41	41	{
42		- $cert = mysql_real_escape_string(prepare_cert($cert));
	42	+ $cert = db_escape_string(prepare_cert($cert));
43	43	$query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
44	44	$result = db_query($query);
45		- if (mysql_num_rows($result) < 1)
	45	+ if ($result->rowCount() < 1)
46	46	return NULL;
47	47	else {
48	48	$ret = array();
49		- while ($row = mysql_fetch_assoc($result)) {
	49	+ while ($row = $result->fetch()) {
50	50	$ret[] = $row;
51	51	}
52	52	return $ret;

...	...	@@ -14,7 +14,6 @@ http://creativecommons.org/publicdomain/zero/1.0/
14	14	Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
15	15	*/
16	16
17		-require_once('inc/db_connect.php');
18	17	require_once('inc/base.php');
19	18	require_once('inc/debug.php');
20	19

...	...	@@ -17,7 +17,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
17	17
18	18	require_once('config.php');
19	19	require_once('inc/debug.php');
20		-require_once('inc/db_connect.php');
21	20	require_once("inc/base.php");
22	21	require_once("inc/theme.php");
23	22

...	...	@@ -14,7 +14,7 @@ http://creativecommons.org/publicdomain/zero/1.0/
14	14	Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
15	15	*/
16	16
17		-require_once('inc/db_connect.php');
	17	+require_once('class/database.php');
18	18	require_once('inc/debug.php');
19	19
20	20	function config($key)
...	...	@@ -36,9 +36,9 @@ function config($key)
36	36	return $config[$key];
37	37
38	38	/* read configuration from database */
39		- $options = db_query( "SELECT `key`, value FROM misc.config" );
	39	+ $result = db_query( "SELECT `key`, value FROM misc.config" );
40	40
41		- while( $object = mysql_fetch_assoc( $options ) ) {
	41	+ while( $object = $result->fetch() ) {
42	42	if (!array_key_exists($object['key'], $config)) {
43	43	$config[$object['key']]=$object['value'];
44	44	}
...	...	@@ -56,8 +56,9 @@ function config($key)
56	56
57	57	function get_server_by_id($id) {
58	58	$id = (int) $id;
59		- $result = mysql_fetch_assoc(db_query("SELECT hostname FROM system.servers WHERE id='{$id}'"));
60		- return $result['hostname'];
	59	+ $result = db_query("SELECT hostname FROM system.servers WHERE id='{$id}'");
	60	+ $ret = $result->fetch();
	61	+ return $ret['hostname'];
61	62	}
62	63
63	64
...	...	@@ -74,7 +75,7 @@ function my_server_id()
74	75	{
75	76	$uid = (int) $_SESSION['userinfo']['uid'];
76	77	$result = db_query("SELECT server FROM system.useraccounts WHERE uid={$uid}");
77		- $r = mysql_fetch_assoc($result);
	78	+ $r = $result->fetch();
78	79	DEBUG($r);
79	80	return $r['server'];
80	81	}
...	...	@@ -85,7 +86,7 @@ function additional_servers()
85	86	$uid = (int) $_SESSION['userinfo']['uid'];
86	87	$result = db_query("SELECT server FROM system.user_server WHERE uid={$uid}");
87	88	$servers = array();
88		- while ($s = mysql_fetch_assoc($result))
	89	+ while ($s = $result->fetch())
89	90	$servers[] = $s['server'];
90	91	DEBUG($servers);
91	92	return $servers;
...	...	@@ -96,39 +97,22 @@ function server_names()
96	97	{
97	98	$result = db_query("SELECT id, hostname FROM system.servers");
98	99	$servers = array();
99		- while ($s = mysql_fetch_assoc($result))
	100	+ while ($s = $result->fetch())
100	101	$servers[$s['id']] = $s['hostname'];
101	102	DEBUG($servers);
102	103	return $servers;
103	104	}
104	105
105	106
106		-function db_query($query)
107		-{
108		- DEBUG($query);
109		- $result = @mysql_query($query);
110		- if (mysql_error())
111		- {
112		- $error = mysql_error();
113		- logger(LOG_ERR, "inc/base", "dberror", "mysql error: {$error}");
114		- system_failure('Interner Datenbankfehler: »'.iconv('ISO-8859-1', 'UTF-8', $error).'«.');
115		- }
116		- $count = @mysql_num_rows($result);
117		- if (! $count)
118		- $count = 'no';
119		- DEBUG("=> {$count} rows");
120		- return $result;
121		-}
122		-
123		-
124		-
	107	+// FIXME
	108	+// Diese Funktion funktioniert nicht für preprared statements
125	109	function maybe_null($value)
126	110	{
127	111	if ($value == NULL)
128	112	return 'NULL';
129	113
130	114	if (strlen( (string) $value ) > 0)
131		- return "'".mysql_real_escape_string($value)."'";
	115	+ return "'".db_escape_string($value)."'";
132	116	else
133	117	return 'NULL';
134	118	}
...	...	@@ -148,11 +133,11 @@ function logger($severity, $scriptname, $scope, $message)
148	133	elseif ($_SESSION['role'] & ROLE_CUSTOMER)
149	134	$user = "'{$_SESSION['customerinfo']['customerno']}'";
150	135
151		- $remote = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
	136	+ $remote = db_escape_string($_SERVER['REMOTE_ADDR']);
152	137
153		- $scriptname = mysql_real_escape_string($scriptname);
154		- $scope = mysql_real_escape_string($scope);
155		- $message = mysql_real_escape_string($message);
	138	+ $scriptname = db_escape_string($scriptname);
	139	+ $scope = db_escape_string($scope);
	140	+ $message = db_escape_string($message);
156	141
157	142	db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES ('{$remote}', {$user}, '{$scriptname}', '{$scope}', '{$message}');");
158	143	}

...	...	@@ -15,7 +15,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
15	15	*/
16	16
17	17	require_once('inc/debug.php');
18		-require_once('inc/db_connect.php');
19	18	require_once('inc/base.php');
20	19	require_once('inc/security.php');
21	20	require_once('inc/error.php');
...	...	@@ -38,14 +37,14 @@ function get_domain_offer($domainname)
38	37	$data = array("domainname" => $domainname, "basename" => $basename, "tld" => $tld);
39	38
40	39	$result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise_kunde WHERE kunde={$cid} AND tld='{$tld}' AND ruecksprache='N'");
41		- if (mysql_num_rows($result) != 1) {
	40	+ if ($result->rowCount() != 1) {
42	41	$result = db_query("SELECT tld, gebuehr, setup FROM misc.domainpreise WHERE tld='{$tld}' AND ruecksprache='N'");
43	42	}
44		- if (mysql_num_rows($result) != 1) {
	43	+ if ($result->rowCount() != 1) {
45	44	warning('Die Endung »'.$tld.'« steht zur automatischen Eintragung nicht zur Verfügung.');
46	45	return;
47	46	}
48		- $temp = mysql_fetch_assoc($result);
	47	+ $temp = $result->fetch();
49	48	$data["gebuehr"] = $temp["gebuehr"];
50	49	$data["setup"] = ($temp["setup"] ? $temp["setup"] : 0.0);
51	50
...	...	@@ -93,7 +92,7 @@ function list_useraccounts()
93	92	$customerno = (int) $_SESSION['customerinfo']['customerno'];
94	93	$result = db_query("SELECT uid,username,name FROM system.useraccounts WHERE kunde={$customerno}");
95	94	$ret = array();
96		- while ($item = mysql_fetch_assoc($result))
	95	+ while ($item = $result->fetch())
97	96	{
98	97	$ret[] = $item;
99	98	}

...	...	@@ -19,7 +19,7 @@ require_once('inc/base.php');
19	19
20	20	function find_customers($string)
21	21	{
22		- $string = mysql_real_escape_string(chop($string));
	22	+ $string = db_escape_string(chop($string));
23	23	$return = array();
24	24	$result = db_query("SELECT k.id FROM kundendaten.kunden AS k LEFT JOIN kundendaten.kundenkontakt AS kk ".
25	25	"ON (kk.kundennr = k.id) LEFT JOIN system.useraccounts AS u ON (k.id=u.kunde) WHERE ".
...	...	@@ -30,7 +30,7 @@ function find_customers($string)
30	30	"notizen LIKE '%{$string}%' OR kk.name LIKE '%{$string}%' OR ".
31	31	"kk.wert LIKE '%{$string}%' OR u.name LIKE '%{$string}%' OR ".
32	32	"u.username LIKE '%{$string}%' OR k.id='{$string}' OR u.uid='{$string}';");
33		- while ($entry = mysql_fetch_assoc($result))
	33	+ while ($entry = $result->fetch())
34	34	$return[] = $entry['id'];
35	35
36	36	return $return;
...	...	@@ -43,7 +43,7 @@ function find_users_for_customer($id)
43	43	$return = array();
44	44	$result = db_query("SELECT uid, username FROM system.useraccounts WHERE ".
45	45	"kunde='{$id}';");
46		- while ($entry = mysql_fetch_assoc($result))
	46	+ while ($entry = $result->fetch())
47	47	$return[$entry['uid']] = $entry['username'];
48	48
49	49	return $return;
...	...	@@ -56,7 +56,7 @@ function hosting_contracts($cid)
56	56	$cid = (int) $cid;
57	57	$result = db_query("SELECT u.username, werber, beschreibung, betrag, brutto, monate, anzahl, startdatum, startdatum + INTERVAL laufzeit MONTH - INTERVAL 1 DAY AS mindestlaufzeit, kuendigungsdatum, gesperrt, notizen FROM kundendaten.hosting AS h LEFT JOIN system.useraccounts AS u ON (h.hauptuser=u.uid) WHERE h.kunde=".$cid);
58	58	$ret = array();
59		- while ($x = mysql_fetch_assoc($result))
	59	+ while ($x = $result->fetch())
60	60	array_push($ret, $x);
61	61	DEBUG($ret);
62	62

...	...	@@ -27,7 +27,7 @@ function mailman_subdomains($domain)
27	27	$domain = (int) $domain;
28	28	$result = db_query("SELECT id, hostname FROM mail.mailman_domains WHERE domain={$domain}");
29	29	$ret = array();
30		- while ($line = mysql_fetch_assoc($result))
	30	+ while ($line = $result->fetch())
31	31	{
32	32	$ret[] = $line;
33	33	}
...	...	@@ -40,7 +40,7 @@ function dns_in_use($domain)
40	40	return false;
41	41	$domain = (int) $domain;
42	42	$result = db_query("SELECT id FROM dns.custom_records WHERE domain={$domain}");
43		- return (mysql_num_rows($result) > 0);
	43	+ return ($result->rowCount() > 0);
44	44	}
45	45
46	46
...	...	@@ -52,16 +52,16 @@ function mail_in_use($domain)
52	52	}
53	53	$domain = (int) $domain;
54	54	$result = db_query("SELECT mail FROM kundendaten.domains WHERE id={$domain}");
55		- if (mysql_num_rows($result) < 1)
	55	+ if ($result->rowCount() < 1)
56	56	system_failure("Domain not found");
57		- $d = mysql_fetch_assoc($result);
	57	+ $d = $result->fetch();
58	58	if ($d['mail'] == 'none')
59	59	return false; // manually disabled
60	60	$result = db_query("SELECT id FROM mail.virtual_mail_domains WHERE domain={$domain}");
61		- if (mysql_num_rows($result) < 1)
	61	+ if ($result->rowCount() < 1)
62	62	return true; // .courier
63	63	$result = db_query("SELECT acc.id FROM mail.vmail_accounts acc LEFT JOIN mail.virtual_mail_domains dom ON (acc.domain=dom.id) WHERE dom.domain={$domain}");
64		- return (mysql_num_rows($result) > 0);
	64	+ return ($result->rowCount() > 0);
65	65	}
66	66
67	67	function web_in_use($domain)
...	...	@@ -72,12 +72,12 @@ function web_in_use($domain)
72	72	$domain = (int) $domain;
73	73
74	74	$result = db_query("SELECT id FROM kundendaten.domains WHERE id={$domain} AND webserver=1");
75		- if (mysql_num_rows($result) < 1)
	75	+ if ($result->rowCount() < 1)
76	76	return false;
77	77
78	78	$result = db_query("SELECT id FROM vhosts.vhost WHERE domain={$domain}");
79	79	$result2 = db_query("SELECT id FROM vhosts.alias WHERE domain={$domain}");
80		- return (mysql_num_rows($result) > 0 \|\| mysql_num_rows($result2) > 0);
	80	+ return ($result->rowCount() > 0 \|\| $result2->rowCount() > 0);
81	81	}
82	82
83	83

...	...	@@ -20,8 +20,8 @@ function user_has_accounts()
20	20	{
21	21	$uid = (int) $_SESSION['userinfo']['uid'];
22	22	$result = db_query("SELECT id from `mail`.`mailaccounts` WHERE uid=$uid");
23		- DEBUG(mysql_num_rows($result)." accounts");
24		- return (mysql_num_rows($result) > 0);
	23	+ DEBUG($result->rowCount()." accounts");
	24	+ return ($result->rowCount() > 0);
25	25	}
26	26
27	27	if (! function_exists("user_has_vmail_domain"))
...	...	@@ -34,7 +34,7 @@ if (! function_exists("user_has_vmail_domain"))
34	34	}
35	35	$uid = (int) $_SESSION['userinfo']['uid'];
36	36	$result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount='{$uid}'");
37		- $row = mysql_fetch_array($result);
	37	+ $row = $result->fetch();
38	38	$count = $row[0];
39	39	DEBUG("User has {$count} vmail-domains");
40	40	return ( (int) $count > 0 );

...	...	@@ -24,7 +24,7 @@ if (! function_exists("user_has_vmail_domain"))
24	24	}
25	25	$uid = (int) $_SESSION['userinfo']['uid'];
26	26	$result = db_query("SELECT COUNT(*) FROM mail.v_vmail_domains WHERE useraccount='{$uid}'");
27		- $row = mysql_fetch_array($result);
	27	+ $row = $result->fetch();
28	28	$count = $row[0];
29	29	DEBUG("User has {$count} vmail-domains");
30	30	return ( (int) $count > 0 );
...	...	@@ -42,7 +42,7 @@ if (! function_exists("user_has_dotcourier_domain"))
42	42	$uid = (int) $_SESSION['userinfo']['uid'];
43	43	$result = db_query("select 1 from mail.custom_mappings as c left join mail.v_domains as d on (d.id=c.domain) where d.user={$uid} or c.uid={$uid} UNION ".
44	44	"SELECT 1 FROM mail.v_domains AS d WHERE d.user={$uid} AND d.id != ALL(SELECT domain FROM mail.virtual_mail_domains);");
45		- $ret = (mysql_num_rows($result) > 0);
	45	+ $ret = ($result->rowCount() > 0);
46	46	if ($ret)
47	47	DEBUG("User {$uid} has dotcourier-domains");
48	48	return $ret;

...	...	@@ -58,9 +58,9 @@ Ihre E-Mail wird nicht weitergeleitet.',
58	58
59	59	function get_vmail_id_by_emailaddr($emailaddr)
60	60	{
61		- $emailaddr = mysql_real_escape_string( $emailaddr );
	61	+ $emailaddr = db_escape_string( $emailaddr );
62	62	$result = db_query("SELECT id FROM mail.v_vmail_accounts WHERE CONCAT(local, '@', domainname) = '{$emailaddr}'");
63		- $entry = mysql_fetch_assoc($result);
	63	+ $entry = $result->fetch();
64	64	return (int) $entry['id'];
65	65	}
66	66
...	...	@@ -74,10 +74,10 @@ function get_account_details($id, $checkuid = true)
74	74	$uid_check = "useraccount='{$uid}' AND ";
75	75	}
76	76	$result = db_query("SELECT id, local, domain, password, spamfilter, forwards, autoresponder, server, quota, COALESCE(quota_used, 0) AS quota_used, quota_threshold from mail.v_vmail_accounts WHERE {$uid_check}id={$id} LIMIT 1");
77		- if (mysql_num_rows($result) == 0)
	77	+ if ($result->rowCount() == 0)
78	78	system_failure('Ungültige ID oder kein eigener Account');
79	79	$acc = empty_account();
80		- $res = mysql_fetch_assoc($result);
	80	+ $res = $result->fetch();
81	81	foreach ($res AS $key => $value) {
82	82	if ($key == 'forwards')
83	83	continue;
...	...	@@ -85,13 +85,13 @@ function get_account_details($id, $checkuid = true)
85	85	}
86	86	if ($acc['forwards'] > 0) {
87	87	$result = db_query("SELECT id, spamfilter, destination FROM mail.vmail_forward WHERE account={$acc['id']};");
88		- while ($item = mysql_fetch_assoc($result)){
	88	+ while ($item = $result->fetch()){
89	89	array_push($acc['forwards'], array("id" => $item['id'], 'spamfilter' => $item['spamfilter'], 'destination' => $item['destination']));
90	90	}
91	91	}
92	92	if ($acc['autoresponder'] > 0) {
93	93	$result = db_query("SELECT id, IF(valid_from IS NULL OR valid_from > NOW() OR valid_until < NOW(), 0, 1) AS active, DATE(valid_from) AS valid_from, DATE(valid_until) AS valid_until, fromname, fromaddr, subject, message, quote FROM mail.vmail_autoresponder WHERE account={$acc['id']}");
94		- $item = mysql_fetch_assoc($result);
	94	+ $item = $result->fetch();
95	95	DEBUG($item);
96	96	$acc['autoresponder'] = $item;
97	97	} else {
...	...	@@ -108,7 +108,7 @@ function get_vmail_accounts()
108	108	$uid = (int) $_SESSION['userinfo']['uid'];
109	109	$result = db_query("SELECT * from mail.v_vmail_accounts WHERE useraccount='{$uid}' ORDER BY domainname,local ASC");
110	110	$ret = array();
111		- while ($line = mysql_fetch_assoc($result))
	111	+ while ($line = $result->fetch())
112	112	{
113	113	array_push($ret, $line);
114	114	}
...	...	@@ -122,10 +122,10 @@ function get_vmail_domains()
122	122	{
123	123	$uid = (int) $_SESSION['userinfo']['uid'];
124	124	$result = db_query("SELECT id, domainname, server FROM mail.v_vmail_domains WHERE useraccount='{$uid}' ORDER BY domainname");
125		- if (mysql_num_rows($result) == 0)
	125	+ if ($result->rowCount() == 0)
126	126	system_failure('Sie haben keine Domains für virtuelle Mail-Verarbeitung');
127	127	$ret = array();
128		- while ($tmp = mysql_fetch_assoc($result))
	128	+ while ($tmp = $result->fetch())
129	129	array_push($ret, $tmp);
130	130	return $ret;
131	131	}
...	...	@@ -133,7 +133,7 @@ function get_vmail_domains()
133	133
134	134	function find_account_id($accname)
135	135	{
136		- $accname = mysql_real_escape_string($accname);
	136	+ $accname = db_escape_string($accname);
137	137	DEBUG($accname);
138	138	$tmp = explode('@', $accname, 2);
139	139	DEBUG($tmp);
...	...	@@ -142,9 +142,9 @@ function find_account_id($accname)
142	142	list( $local, $domainname) = $tmp;
143	143
144	144	$result = db_query("SELECT id FROM mail.v_vmail_accounts WHERE local='{$local}' AND domainname='{$domainname}' LIMIT 1");
145		- if (mysql_num_rows($result) == 0)
	145	+ if ($result->rowCount() == 0)
146	146	system_failure("Der Account konnte nicht gefunden werden");
147		- $tmp = mysql_fetch_array($result);
	147	+ $tmp = $result->fetch();
148	148	return $tmp[0];
149	149	}
150	150
...	...	@@ -152,7 +152,7 @@ function find_account_id($accname)
152	152	function change_vmail_password($accname, $newpass)
153	153	{
154	154	$accid = find_account_id($accname);
155		- $encpw = mysql_real_escape_string(encrypt_mail_password($newpass));
	155	+ $encpw = db_escape_string(encrypt_mail_password($newpass));
156	156	db_query("UPDATE mail.vmail_accounts SET password='{$encpw}' WHERE id={$accid} LIMIT 1;");
157	157	}
158	158
...	...	@@ -177,7 +177,7 @@ function get_max_mailboxquota($server, $oldquota) {
177	177	$uid = (int) $_SESSION['userinfo']['uid'];
178	178	$server = (int) $server;
179	179	$result = db_query("SELECT systemquota - (COALESCE(systemquota_used,0) + COALESCE(mailquota,0)) AS free FROM system.v_quota WHERE uid='{$uid}' AND server='{$server}'");
180		- $item = mysql_fetch_assoc($result);
	180	+ $item = $result->fetch();
181	181	DEBUG("Free space: ".$item['free']." / Really: ".($item['free'] + ($oldquota - config('vmail_basequota'))));
182	182	return $item['free'] + ($oldquota - config('vmail_basequota'));
183	183	}
...	...	@@ -313,8 +313,8 @@ function save_vmail_account($account)
313	313	$account['quota_threshold'] = min( (int) $account['quota_threshold'], (int) $account['quota'] );
314	314	}
315	315
316		- $account['local'] = mysql_real_escape_string(strtolower($account['local']));
317		- $account['password'] = mysql_real_escape_string($account['password']);
	316	+ $account['local'] = db_escape_string(strtolower($account['local']));
	317	+ $account['password'] = db_escape_string($account['password']);
318	318	$account['spamexpire'] = (int) $account['spamexpire'];
319	319
320	320	$query = '';
...	...	@@ -341,14 +341,14 @@ function save_vmail_account($account)
341	341	$ar = $account['autoresponder'];
342	342	$valid_from = maybe_null($ar['valid_from']);
343	343	$valid_until = maybe_null($ar['valid_until']);
344		- $fromname = maybe_null( mysql_real_escape_string($ar['fromname']) );
	344	+ $fromname = maybe_null( db_escape_string($ar['fromname']) );
345	345	$fromaddr = NULL;
346	346	if ($ar['fromaddr']) {
347		- $fromaddr = mysql_real_escape_string(check_emailaddr($ar['fromaddr']));
	347	+ $fromaddr = db_escape_string(check_emailaddr($ar['fromaddr']));
348	348	}
349	349	$fromaddr = maybe_null( $fromaddr );
350		- $subject = maybe_null( mysql_real_escape_string($ar['subject']));
351		- $message = mysql_real_escape_string($ar['message']);
	350	+ $subject = maybe_null( db_escape_string($ar['subject']));
	351	+ $message = db_escape_string($ar['message']);
352	352	$quote = "'inline'";
353	353	if ($ar['quote'] == 'attach')
354	354	$quote = "'attach'";
...	...	@@ -417,7 +417,7 @@ Wussten Sie schon, dass Sie auf mehrere Arten Ihre E-Mails abrufen können?
417	417	if ($_SESSION['role'] == ROLE_SYSTEMUSER) {
418	418	$uid = (int) $_SESSION['userinfo']['uid'];
419	419	$result = db_query("SELECT useraccount, server, SUM(quota-(SELECT value FROM misc.config WHERE `key`='vmail_basequota')) AS quota, SUM(GREATEST(quota_used-(SELECT value FROM misc.config WHERE `key`='vmail_basequota'), 0)) AS used FROM mail.v_vmail_accounts WHERE useraccount=".$uid." GROUP BY useraccount, server");
420		- while ($line = mysql_fetch_assoc($result)) {
	420	+ while ($line = $result->fetch()) {
421	421	if ($line['quota'] !== NULL) {
422	422	db_query("REPLACE INTO mail.vmailquota (uid, server, quota, used) VALUES ('{$line['useraccount']}', '{$line['server']}', '{$line['quota']}', '{$line['used']}')");
423	423	}
...	...	@@ -447,7 +447,7 @@ function domainsettings($only_domain=NULL) {
447	447	// Domains
448	448	$result = db_query("SELECT d.id, CONCAT_WS('.',d.domainname,d.tld) AS name, d.mail, d.mailserver_lock, m.id AS m_id, v.id AS v_id FROM kundendaten.domains AS d LEFT JOIN mail.virtual_mail_domains AS v ON (d.id=v.domain AND v.hostname IS NULL) LEFT JOIN mail.custom_mappings AS m ON (d.id=m.domain AND m.subdomain IS NULL) WHERE d.useraccount={$uid} OR m.uid={$uid} ORDER BY CONCAT_WS('.',d.domainname,d.tld);");
449	449
450		- while ($mydom = mysql_fetch_assoc($result)) {
	450	+ while ($mydom = $result->fetch()) {
451	451	if (! array_key_exists($mydom['id'], $domains)) {
452	452	if ($mydom['v_id'])
453	453	$mydom['mail'] = 'virtual';
...	...	@@ -463,7 +463,7 @@ function domainsettings($only_domain=NULL) {
463	463
464	464	// Subdomains
465	465	$result = db_query("SELECT d.id, CONCAT_WS('.',d.domainname,d.tld) AS name, d.mail, m.id AS m_id, v.id AS v_id, IF(ISNULL(v.hostname),m.subdomain,v.hostname) AS hostname FROM kundendaten.domains AS d LEFT JOIN mail.virtual_mail_domains AS v ON (d.id=v.domain AND v.hostname IS NOT NULL) LEFT JOIN mail.custom_mappings AS m ON (d.id=m.domain AND m.subdomain IS NOT NULL) WHERE (m.id IS NOT NULL OR v.id IS NOT NULL) AND d.useraccount={$uid} OR m.uid={$uid};");
466		- while ($mydom = mysql_fetch_assoc($result)) {
	466	+ while ($mydom = $result->fetch()) {
467	467	if (! array_key_exists($mydom['id'], $subdomains))
468	468	$subdomains[$mydom['id']] = array();
469	469
...	...	@@ -483,14 +483,14 @@ function domain_has_vmail_accounts($domid)
483	483	{
484	484	$domid = (int) $domid;
485	485	$result = db_query("SELECT dom.id FROM mail.vmail_accounts AS acc LEFT JOIN mail.virtual_mail_domains AS dom ON (dom.id=acc.domain) WHERE dom.domain={$domid}");
486		- return (mysql_num_rows($result) > 0);
	486	+ return ($result->rowCount() > 0);
487	487	}
488	488
489	489
490	490	function change_domain($id, $type)
491	491	{
492	492	$id = (int) $id;
493		- $type = mysql_real_escape_string($type);
	493	+ $type = db_escape_string($type);
494	494	if (domain_has_vmail_accounts($id))
495	495	system_failure("Sie müssen zuerst alle E-Mail-Konten mit dieser Domain löschen, bevor Sie die Webinterface-Verwaltung für diese Domain abschalten können.");
496	496

...	...	@@ -21,7 +21,7 @@ function list_ftpusers()
21	21	$uid = (int) $_SESSION['userinfo']['uid'];
22	22	$result = db_query("SELECT id, username, homedir, active, forcessl FROM system.ftpusers WHERE uid=$uid");
23	23	$ftpusers = array();
24		- while ($u = mysql_fetch_assoc($result)) {
	24	+ while ($u = $result->fetch()) {
25	25	$ftpusers[] = $u;
26	26	}
27	27	return $ftpusers;
...	...	@@ -40,9 +40,9 @@ function load_ftpuser($id)
40	40	$uid = (int) $_SESSION['userinfo']['uid'];
41	41	$id = (int) $id;
42	42	$result = db_query("SELECT id, username, password, homedir, active, forcessl, server FROM system.ftpusers WHERE uid={$uid} AND id='{$id}' LIMIT 1");
43		- if (mysql_num_rows($result) != 1)
	43	+ if ($result->rowCount() != 1)
44	44	system_failure("Fehler beim auslesen des Accounts");
45		- $account = mysql_fetch_assoc($result);
	45	+ $account = $result->fetch();
46	46	DEBUG($account);
47	47	return $account;
48	48	}
...	...	@@ -117,11 +117,11 @@ function delete_ftpuser($id)
117	117
118	118	function get_gid($groupname)
119	119	{
120		- $groupname = mysql_real_escape_string($groupname);
	120	+ $groupname = db_escape_string($groupname);
121	121	$result = db_query("SELECT gid FROM system.gruppen WHERE name='{$groupname}' LIMIT 1");
122		- if (mysql_num_rows($result) != 1)
	122	+ if ($result->rowCount() != 1)
123	123	system_failure('cannot determine gid of ftpusers group');
124		- $a = mysql_fetch_assoc($result);
	124	+ $a = $result->fetch();
125	125	$gid = (int) $a['gid'];
126	126	if ($gid == 0)
127	127	system_failure('error on determining gid of ftpusers group');
...	...	@@ -134,7 +134,7 @@ function have_regular_ftp()
134	134	$gid = get_gid('ftpusers');
135	135	$uid = (int) $_SESSION['userinfo']['uid'];
136	136	$result = db_query("SELECT * FROM system.gruppenzugehoerigkeit WHERE gid='$gid' AND uid='$uid'");
137		- return (mysql_num_rows($result) > 0);
	137	+ return ($result->rowCount() > 0);
138	138	}
139	139
140	140

...	...	@@ -19,7 +19,7 @@ function whitelist_entries()
19	19	$uid = (int) $_SESSION['userinfo']['uid'];
20	20	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid};");
21	21	$return = array();
22		- while ($line = mysql_fetch_assoc($res))
	22	+ while ($line = $res->fetch())
23	23	array_push($return, $line);
24	24	return $return;
25	25	}
...	...	@@ -30,9 +30,9 @@ function get_whitelist_details($id)
30	30	$id = (int) $id;
31	31	$uid = (int) $_SESSION['userinfo']['uid'];
32	32	$res = db_query("SELECT id,local,domain,date,expire FROM mail.greylisting_manual_whitelist WHERE uid={$uid} AND id={$id};");
33		- if (mysql_num_rows($res) != 1)
	33	+ if ($res->rowCount() != 1)
34	34	system_failure('Kann diesen Eintrag nicht finden');
35		- return mysql_fetch_assoc($res);
	35	+ return $res->fetch();
36	36	}
37	37
38	38
...	...	@@ -55,9 +55,9 @@ function valid_entry($local, $domain)
55	55	system_failure('Diese E-Mail-Adresse gehört Ihnen nicht!');
56	56	return true;
57	57	}
58		- $d = mysql_real_escape_string($domain);
	58	+ $d = db_escape_string($domain);
59	59	$res = db_query("SELECT id FROM mail.v_domains WHERE domainname='{$d}' AND user={$_SESSION['userinfo']['uid']} LIMIT 1");
60		- if (mysql_num_rows($res) != 1)
	60	+ if ($res->rowCount() != 1)
61	61	system_failure('Diese domain gehört Ihnen nicht!');
62	62	return true;
63	63	}
...	...	@@ -68,7 +68,7 @@ function new_whitelist_entry($local, $domain, $minutes)
68	68	valid_entry($local, $domain);
69	69	$uid = (int) $_SESSION['userinfo']['uid'];
70	70	$local = maybe_null($local);
71		- $domain = mysql_real_escape_string($domain);
	71	+ $domain = db_escape_string($domain);
72	72
73	73	$expire = '';
74	74	if ($minutes == 'none')

...	...	@@ -14,15 +14,14 @@ http://creativecommons.org/publicdomain/zero/1.0/
14	14	Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
15	15	*/
16	16
17		-require_once('inc/db_connect.php');
18	17	require_once('session/checkuser.php');
19	18
20	19	function user_customer_match($cust, $user)
21	20	{
22	21	$customerno = (int) $cust;
23		- $username = mysql_real_escape_string($user);
	22	+ $username = db_escape_string($user);
24	23	$result = db_query("SELECT uid FROM system.useraccounts WHERE kunde={$customerno} AND username='{$username}' AND kundenaccount=1;");
25		- if (mysql_num_rows($result) > 0)
	24	+ if ($result->rowCount() > 0)
26	25	return true;
27	26	return false;
28	27	}
...	...	@@ -32,9 +31,9 @@ function user_customer_match($cust, $user)
32	31	function customer_has_email($customerno, $email)
33	32	{
34	33	$customerno = (int) $customerno;
35		- $email = mysql_real_escape_string($email);
	34	+ $email = db_escape_string($email);
36	35	$result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id=".$customerno." AND (email='{$email}' OR email_extern='{$email}' OR email_rechnung='{$email}');");
37		- return (mysql_num_rows($result) > 0);
	36	+ return ($result->rowCount() > 0);
38	37	}
39	38
40	39
...	...	@@ -42,21 +41,21 @@ function validate_token($customerno, $token)
42	41	{
43	42	expire_tokens();
44	43	$customerno = (int) $customerno;
45		- $token = mysql_real_escape_string($token);
	44	+ $token = db_escape_string($token);
46	45	$result = db_query("SELECT NULL FROM kundendaten.kunden WHERE id={$customerno} AND token='{$token}';");
47		- return (mysql_num_rows($result) > 0);
	46	+ return ($result->rowCount() > 0);
48	47	}
49	48
50	49
51	50	function get_uid_for_token($token)
52	51	{
53	52	expire_tokens();
54		- $token = mysql_real_escape_string($token);
	53	+ $token = db_escape_string($token);
55	54	$result = db_query("SELECT uid FROM system.usertoken WHERE token='{$token}';");
56		- if (mysql_num_rows($result) == 0) {
	55	+ if ($result->rowCount() == 0) {
57	56	return NULL;
58	57	}
59		- $data = mysql_fetch_assoc($result);
	58	+ $data = $result->fetch();
60	59	return $data['uid'];
61	60	}
62	61
...	...	@@ -64,10 +63,10 @@ function get_username_for_uid($uid)
64	63	{
65	64	$uid = (int) $uid;
66	65	$result = db_query("SELECT username FROM system.useraccounts WHERE uid={$uid}");
67		- if (mysql_num_rows($result) != 1) {
	66	+ if ($result->rowCount() != 1) {
68	67	system_failure("Unexpected number of users with this uid (!= 1)!");
69	68	}
70		- $item = mysql_fetch_assoc($result);
	69	+ $item = $result->fetch();
71	70	return $item['username'];
72	71	}
73	72
...	...	@@ -75,9 +74,9 @@ function validate_uid_token($uid, $token)
75	74	{
76	75	expire_tokens();
77	76	$uid = (int) $uid;
78		- $token = mysql_real_escape_string($token);
	77	+ $token = db_escape_string($token);
79	78	$result = db_query("SELECT NULL FROM system.usertoken WHERE uid={$uid} AND token='{$token}';");
80		- return (mysql_num_rows($result) > 0);
	79	+ return ($result->rowCount() > 0);
81	80	}
82	81
83	82
...	...	@@ -102,13 +101,13 @@ function invalidate_systemuser_token($uid)
102	101
103	102	function create_token($username)
104	103	{
105		- $username = mysql_real_escape_string($username);
	104	+ $username = db_escape_string($username);
106	105	expire_tokens();
107	106	$result = db_query("SELECT uid FROM system.useraccounts WHERE username='{$username}'");
108		- $uid = (int) mysql_fetch_assoc($result)['uid'];
	107	+ $uid = (int) $result->fetch()['uid'];
109	108
110	109	$result = db_query("SELECT created FROM system.usertoken WHERE uid={$uid}");
111		- if (mysql_num_rows($result) > 0) {
	110	+ if ($result->rowCount() > 0) {
112	111	system_failure("Für Ihr Benutzerkonto ist bereits eine Passwort-Erinnerung versendet worden. Bitte wenden Sie sich an den Support wenn Sie diese nicht erhalten haben.");
113	112	}
114	113
...	...	@@ -120,9 +119,9 @@ function create_token($username)
120	119
121	120	function emailaddress_for_user($username)
122	121	{
123		- $username = mysql_real_escape_string($username);
	122	+ $username = db_escape_string($username);
124	123	$result = db_query("SELECT k.email FROM kundendaten.kunden AS k INNER JOIN system.useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
125		- $data = mysql_fetch_assoc($result);
	124	+ $data = $result->fetch();
126	125	return $data['email'];
127	126	}
128	127
...	...	@@ -132,17 +131,17 @@ function get_customer_token($customerno)
132	131	$customerno = (int) $customerno;
133	132	expire_tokens();
134	133	$result = db_query("SELECT token FROM kundendaten.kunden WHERE id={$customerno} AND token IS NOT NULL;");
135		- if (mysql_num_rows($result) < 1)
	134	+ if ($result->rowCount() < 1)
136	135	system_failure("Kann das Token nicht auslesen!");
137		- return mysql_fetch_object($result)->token;
	136	+ return $result->fetch(PDO::FETCH_OBJ)->token;
138	137	}
139	138
140	139
141	140	function get_user_token($username)
142	141	{
143		- $username = mysql_real_escape_string($username);
	142	+ $username = db_escape_string($username);
144	143	$result = db_query("SELECT token FROM system.usertoken AS t INNER JOIN system.useraccounts AS u USING (uid) WHERE username='{$username}'");
145		- $tmp = mysql_fetch_assoc($result);
	144	+ $tmp = $result->fetch();
146	145	return $tmp['token'];
147	146	}
148	147

...	...	@@ -35,14 +35,14 @@ function do_ajax_cert_login() {
35	35
36	36	function get_logins_by_cert($cert)
37	37	{
38		- $cert = mysql_real_escape_string(str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert));
	38	+ $cert = db_escape_string(str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', ' ', "\n"), array(), $cert));
39	39	$query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
40	40	$result = db_query($query);
41		- if (mysql_num_rows($result) < 1)
	41	+ if ($result->rowCount() < 1)
42	42	return NULL;
43	43	else {
44	44	$ret = array();
45		- while ($row = mysql_fetch_assoc($result)) {
	45	+ while ($row = $result->fetch()) {
46	46	$ret[] = $row;
47	47	}
48	48	return $ret;
...	...	@@ -56,9 +56,9 @@ function get_cert_by_id($id)
56	56	system_failure('no ID');
57	57	$query = "SELECT id,dn,issuer,cert,username,startpage FROM system.clientcert WHERE `id`='{$id}' LIMIT 1";
58	58	$result = db_query($query);
59		- if (mysql_num_rows($result) < 1)
	59	+ if ($result->rowCount() < 1)
60	60	return NULL;
61		- $ret = mysql_fetch_assoc($result);
	61	+ $ret = $result->fetch();
62	62	DEBUG($ret);
63	63	return $ret;
64	64	}
...	...	@@ -66,14 +66,14 @@ function get_cert_by_id($id)
66	66
67	67	function get_certs_by_username($username)
68	68	{
69		- $username = mysql_real_escape_string($username);
	69	+ $username = db_escape_string($username);
70	70	if ($username == '')
71	71	system_failure('empty username');
72	72	$query = "SELECT id,dn,issuer,cert,startpage FROM system.clientcert WHERE `username`='{$username}'";
73	73	$result = db_query($query);
74		- if (mysql_num_rows($result) < 1)
	74	+ if ($result->rowCount() < 1)
75	75	return NULL;
76		- while ($row = mysql_fetch_assoc($result)) {
	76	+ while ($row = $result->fetch()) {
77	77	$ret[] = $row;
78	78	}
79	79	return $ret;
...	...	@@ -86,24 +86,24 @@ function add_clientcert($certdata, $dn, $issuer, $startpage='')
86	86	$username = NULL;
87	87	if ($_SESSION['role'] & ROLE_SYSTEMUSER) {
88	88	$type = 'user';
89		- $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
	89	+ $username = db_escape_string($_SESSION['userinfo']['username']);
90	90	if (isset($_SESSION['subuser'])) {
91		- $username = mysql_real_escape_string($_SESSION['subuser']);
	91	+ $username = db_escape_string($_SESSION['subuser']);
92	92	$type = 'subuser';
93	93	}
94	94	} elseif ($_SESSION['role'] & ROLE_VMAIL_ACCOUNT) {
95	95	$type = 'email';
96		- $username = mysql_real_escape_string($_SESSION['mailaccount']);
	96	+ $username = db_escape_string($_SESSION['mailaccount']);
97	97	}
98	98	if (! $type \|\| ! $username) {
99	99	system_failure('cannot get type or username of login');
100	100	}
101		- $certdata = mysql_real_escape_string($certdata);
102		- $dn = maybe_null(mysql_real_escape_string($dn));
103		- $issuer = maybe_null(mysql_real_escape_string($issuer));
	101	+ $certdata = db_escape_string($certdata);
	102	+ $dn = maybe_null(db_escape_string($dn));
	103	+ $issuer = maybe_null(db_escape_string($issuer));
104	104	if ($startpage && ! check_path($startpage))
105	105	system_failure('Startseite kaputt');
106		- $startpage = maybe_null(mysql_real_escape_string($startpage));
	106	+ $startpage = maybe_null(db_escape_string($startpage));
107	107
108	108	if ($certdata == '')
109	109	system_failure('Kein Zertifikat');
...	...	@@ -124,14 +124,14 @@ function delete_clientcert($id)
124	124	$username = NULL;
125	125	if ($_SESSION['role'] & ROLE_SYSTEMUSER) {
126	126	$type = 'user';
127		- $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
	127	+ $username = db_escape_string($_SESSION['userinfo']['username']);
128	128	if (isset($_SESSION['subuser'])) {
129		- $username = mysql_real_escape_string($_SESSION['subuser']);
	129	+ $username = db_escape_string($_SESSION['subuser']);
130	130	$type = 'subuser';
131	131	}
132	132	} elseif ($_SESSION['role'] & ROLE_VMAIL_ACCOUNT) {
133	133	$type = 'email';
134		- $username = mysql_real_escape_string($_SESSION['mailaccount']);
	134	+ $username = db_escape_string($_SESSION['mailaccount']);
135	135	}
136	136	if (! $type \|\| ! $username) {
137	137	system_failure('cannot get type or username of login');

...	...	@@ -25,7 +25,7 @@ function my_invoices()
25	25	$c = (int) $_SESSION['customerinfo']['customerno'];
26	26	$result = db_query("SELECT id,datum,betrag,bezahlt,abbuchung,sepamandat FROM kundendaten.ausgestellte_rechnungen WHERE kunde={$c} ORDER BY id DESC");
27	27	$ret = array();
28		- while($line = mysql_fetch_assoc($result))
	28	+ while($line = $result->fetch())
29	29	array_push($ret, $line);
30	30	return $ret;
31	31	}
...	...	@@ -36,9 +36,9 @@ function get_pdf($id)
36	36	$c = (int) $_SESSION['customerinfo']['customerno'];
37	37	$id = (int) $id;
38	38	$result = db_query("SELECT pdfdata FROM kundendaten.ausgestellte_rechnungen WHERE kunde={$c} AND id={$id}");
39		- if (mysql_num_rows($result) == 0)
	39	+ if ($result->rowCount() == 0)
40	40	system_failure('Ungültige Rechnungsnummer oder nicht eingeloggt');
41		- return mysql_fetch_object($result)->pdfdata;
	41	+ return $result->fetch(PDO::FETCH_OBJ)->pdfdata;
42	42
43	43	}
44	44
...	...	@@ -48,9 +48,9 @@ function invoice_details($id)
48	48	$c = (int) $_SESSION['customerinfo']['customerno'];
49	49	$id = (int) $id;
50	50	$result = db_query("SELECT kunde,datum,betrag,bezahlt,abbuchung FROM kundendaten.ausgestellte_rechnungen WHERE kunde={$c} AND id={$id}");
51		- if (mysql_num_rows($result) == 0)
	51	+ if ($result->rowCount() == 0)
52	52	system_failure('Ungültige Rechnungsnummer oder nicht eingeloggt');
53		- return mysql_fetch_assoc($result);
	53	+ return $result->fetch();
54	54	}
55	55
56	56	function invoice_items($id)
...	...	@@ -58,10 +58,10 @@ function invoice_items($id)
58	58	$c = (int) $_SESSION['customerinfo']['customerno'];
59	59	$id = (int) $id;
60	60	$result = db_query("SELECT id, beschreibung, datum, enddatum, betrag, einheit, brutto, mwst, anzahl FROM kundendaten.rechnungsposten WHERE rechnungsnummer={$id} AND kunde={$c}");
61		- if (mysql_num_rows($result) == 0)
	61	+ if ($result->rowCount() == 0)
62	62	system_failure('Ungültige Rechnungsnummer oder nicht eingeloggt');
63	63	$ret = array();
64		- while($line = mysql_fetch_assoc($result))
	64	+ while($line = $result->fetch())
65	65	array_push($ret, $line);
66	66	return $ret;
67	67	}
...	...	@@ -72,7 +72,7 @@ function upcoming_items()
72	72	$c = (int) $_SESSION['customerinfo']['customerno'];
73	73	$result = db_query("SELECT anzahl, beschreibung, startdatum, enddatum, betrag, einheit, brutto, mwst FROM kundendaten.upcoming_items WHERE kunde={$c} ORDER BY startdatum ASC");
74	74	$ret = array();
75		- while($line = mysql_fetch_assoc($result))
	75	+ while($line = $result->fetch())
76	76	array_push($ret, $line);
77	77	return $ret;
78	78	}
...	...	@@ -166,19 +166,19 @@ function generate_bezahlcode_image($id)
166	166	function get_lastschrift($rechnungsnummer) {
167	167	$rechnungsnummer = (int) $rechnungsnummer;
168	168	$result = db_query("SELECT rechnungsnummer, rechnungsdatum, sl.betrag, buchungsdatum FROM kundendaten.sepalastschrift sl LEFT JOIN kundendaten.ausgestellte_rechnungen re ON (re.id=sl.rechnungsnummer) WHERE rechnungsnummer='${rechnungsnummer}' AND re.abbuchung=1");
169		- if (mysql_num_rows($result) == 0) {
	169	+ if ($result->rowCount() == 0) {
170	170	return NULL;
171	171	}
172		- $item = mysql_fetch_assoc($result);
	172	+ $item = $result->fetch();
173	173	return $item;
174	174	}
175	175
176	176	function get_lastschriften($mandatsreferenz)
177	177	{
178		- $mandatsreferenz = mysql_real_escape_string($mandatsreferenz);
	178	+ $mandatsreferenz = db_escape_string($mandatsreferenz);
179	179	$result = db_query("SELECT rechnungsnummer, rechnungsdatum, betrag, buchungsdatum FROM kundendaten.sepalastschrift WHERE mandatsreferenz='${mandatsreferenz}' ORDER BY buchungsdatum DESC");
180	180	$ret = array();
181		- while ($item = mysql_fetch_assoc($result)) {
	181	+ while ($item = $result->fetch()) {
182	182	$ret[] = $item;
183	183	}
184	184	return $ret;
...	...	@@ -189,7 +189,7 @@ function get_sepamandate()
189	189	$cid = (int) $_SESSION['customerinfo']['customerno'];
190	190	$result = db_query("SELECT id, mandatsreferenz, glaeubiger_id, erteilt, medium, gueltig_ab, gueltig_bis, erstlastschrift, kontoinhaber, adresse, iban, bic, bankname FROM kundendaten.sepamandat WHERE kunde={$cid}");
191	191	$ret = array();
192		- while ($entry = mysql_fetch_assoc($result)) {
	192	+ while ($entry = $result->fetch()) {
193	193	array_push($ret, $entry);
194	194	}
195	195	return $ret;
...	...	@@ -198,9 +198,9 @@ function get_sepamandate()
198	198
199	199	function yesterday($date)
200	200	{
201		- $date = mysql_real_escape_string($date);
	201	+ $date = db_escape_string($date);
202	202	$result = db_query("SELECT '{$date}' - INTERVAL 1 DAY");
203		- return mysql_fetch_array($result)[0];
	203	+ return $result->fetch()[0];
204	204	}
205	205
206	206
...	...	@@ -208,7 +208,7 @@ function invalidate_sepamandat($id, $date)
208	208	{
209	209	$cid = (int) $_SESSION['customerinfo']['customerno'];
210	210	$id = (int) $id;
211		- $date = mysql_real_escape_string($date);
	211	+ $date = db_escape_string($date);
212	212	db_query("UPDATE kundendaten.sepamandat SET gueltig_bis='{$date}' WHERE id={$id} AND kunde={$cid}");
213	213	}
214	214
...	...	@@ -216,12 +216,12 @@ function invalidate_sepamandat($id, $date)
216	216	function sepamandat($name, $adresse, $iban, $bankname, $bic, $gueltig_ab)
217	217	{
218	218	$cid = (int) $_SESSION['customerinfo']['customerno'];
219		- $name = mysql_real_escape_string($name);
220		- $adresse = mysql_real_escape_string($adresse);
221		- $iban = mysql_real_escape_string($iban);
222		- $bankname = mysql_real_escape_string($bankname);
223		- $bic = mysql_real_escape_string($bic);
224		- $gueltig_ab = mysql_real_escape_string($gueltig_ab);
	219	+ $name = db_escape_string($name);
	220	+ $adresse = db_escape_string($adresse);
	221	+ $iban = db_escape_string($iban);
	222	+ $bankname = db_escape_string($bankname);
	223	+ $bic = db_escape_string($bic);
	224	+ $gueltig_ab = db_escape_string($gueltig_ab);
225	225
226	226	$first_date = date('Y-m-d');
227	227	$invoices = my_invoices();

...	...	@@ -22,7 +22,7 @@ require_once('invoice.php');
22	22	$kundenname = $_SESSION['customerinfo']['name'];
23	23	$id = (int) $_SESSION['customerinfo']['customerno'];
24	24	$result = db_query("SELECT CONCAT(adresse, '\\\\n', plz, ' ', ort) AS adresse FROM kundendaten.kunden WHERE id={$id}");
25		-$r = mysql_fetch_assoc($result);
	25	+$r = $result->fetch();
26	26
27	27	header("Content-Type: text/javascript");
28	28	echo ' { "kundenname": "'.$kundenname.'", "adresse": "'.$r["adresse"].'" } ';

...	...	@@ -15,7 +15,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
15	15	*/
16	16
17	17	require_once("inc/debug.php");
18		-require_once("inc/db_connect.php");
19	18	require_once("inc/security.php");
20	19
21	20	require_once('class/domain.php');
...	...	@@ -25,8 +24,8 @@ function get_jabber_accounts() {
25	24	$customerno = (int) $_SESSION['customerinfo']['customerno'];
26	25	$result = db_query("SELECT id, `create`, created, lastactivity, local, domain FROM jabber.accounts WHERE customerno='$customerno' AND `delete`=0;");
27	26	$accounts = array();
28		- if (@mysql_num_rows($result) > 0)
29		- while ($acc = @mysql_fetch_assoc($result))
	27	+ if (@$result->rowCount() > 0)
	28	+ while ($acc = @$result->fetch())
30	29	array_push($accounts, $acc);
31	30	return $accounts;
32	31	}
...	...	@@ -41,9 +40,9 @@ function get_jabberaccount_details($id)
41	40	$id = (int) $id;
42	41
43	42	$result = db_query("SELECT id, local, domain FROM jabber.accounts WHERE customerno={$customerno} AND id={$id} LIMIT 1");
44		- if (mysql_num_rows($result) != 1)
	43	+ if ($result->rowCount() != 1)
45	44	system_failure("Invalid account");
46		- $data = mysql_fetch_assoc($result);
	45	+ $data = $result->fetch();
47	46	if ($data['domain'] == NULL)
48	47	$data['domain'] = config('masterdomain');
49	48	else
...	...	@@ -72,19 +71,19 @@ function create_jabber_account($local, $domain, $password)
72	71	require_role(ROLE_CUSTOMER);
73	72	$customerno = (int) $_SESSION['customerinfo']['customerno'];
74	73
75		- $local = mysql_real_escape_string( filter_input_username($local) );
	74	+ $local = db_escape_string( filter_input_username($local) );
76	75	$domain = (int) $domain;
77	76	if (! valid_jabber_password($password))
78	77	{
79	78	input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
80	79	return;
81	80	}
82		- $password = mysql_real_escape_string( $password );
	81	+ $password = db_escape_string( $password );
83	82
84	83	if ($domain > 0)
85	84	{
86	85	$result = db_query("SELECT id FROM kundendaten.domains WHERE kunde={$customerno} AND jabber=1 AND id={$domain};");
87		- if (mysql_num_rows($result) == 0)
	86	+ if ($result->rowCount() == 0)
88	87	{
89	88	logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create account for invalid domain »{$domain}«");
90	89	system_failure("Invalid domain!");
...	...	@@ -98,7 +97,7 @@ function create_jabber_account($local, $domain, $password)
98	97	$domainquery = 'domain IS NULL';
99	98	}
100	99	$result = db_query("SELECT id FROM jabber.accounts WHERE local='{$local}' AND {$domainquery}");
101		- if (mysql_num_rows($result) > 0)
	100	+ if ($result->rowCount() > 0)
102	101	{
103	102	logger(LOG_WARNING, "modules/jabber/include/jabberaccounts", "jabber", "attempt to create already existing account »{$local}@{$domain}«");
104	103	system_failure("Diesen Account gibt es bereits!");
...	...	@@ -120,7 +119,7 @@ function change_jabber_password($id, $password)
120	119	input_error('Das Passwort enthält Zeichen, die aufgrund technischer Beschränkungen momentan nicht benutzt werden können.');
121	120	return;
122	121	}
123		- $password = mysql_real_escape_string( $password );
	122	+ $password = db_escape_string( $password );
124	123
125	124	db_query("UPDATE jabber.accounts SET password='{$password}' WHERE customerno={$customerno} AND id={$id} LIMIT 1");
126	125	logger(LOG_INFO, "modules/jabber/include/jabberaccounts", "jabber", "changed password for account »{$id}«");

...	...	@@ -24,7 +24,7 @@ function get_lists()
24	24	$uid = (int) $_SESSION['userinfo']['uid'];
25	25	$result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid};");
26	26	$ret = array();
27		- while ($list = mysql_fetch_assoc($result))
	27	+ while ($list = $result->fetch())
28	28	$ret[] = $list;
29	29	DEBUG($ret);
30	30	return $ret;
...	...	@@ -36,9 +36,9 @@ function get_list($id)
36	36	$id = (int) $id;
37	37	$uid = (int) $_SESSION['userinfo']['uid'];
38	38	$result = db_query("SELECT id, status, listname, fqdn, admin, archivesize FROM mail.v_mailman_lists WHERE owner={$uid} AND id={$id};");
39		- if (mysql_num_rows($result) < 1)
	39	+ if ($result->rowCount() < 1)
40	40	system_failure('Die gewünschte Mailingliste konnte nicht gefunden werden');
41		- $list = mysql_fetch_assoc($result);
	41	+ $list = $result->fetch();
42	42	DEBUG($list);
43	43
44	44	return $list;
...	...	@@ -61,13 +61,13 @@ function create_list($listname, $maildomain, $admin)
61	61	verify_input_general($admin);
62	62	if (! check_emailaddr($admin))
63	63	system_failure('Der Verwalter muss eine gültige E-Mail-Adresse sein ('.$admin.').');
64		- $admin = mysql_real_escape_string($admin);
	64	+ $admin = db_escape_string($admin);
65	65	$result = db_query("SELECT id FROM mail.mailman_lists WHERE listname='{$listname}'");
66		- if (mysql_num_rows($result) > 0)
	66	+ if ($result->rowCount() > 0)
67	67	system_failure('Eine Liste mit diesem Namen existiert bereits (unter dieser oder einer anderen Domain). Jeder Listenname kann nur einmal verwendet werden.');
68	68
69	69	db_query("INSERT INTO mail.mailman_lists (status, listname, maildomain, owner, admin) VALUES ('pending', '{$listname}', {$maildomain}, {$owner}, '{$admin}');");
70		- DEBUG('Neue ID: '.mysql_insert_id());
	70	+ DEBUG('Neue ID: '.db_insert_id());
71	71	}
72	72
73	73
...	...	@@ -76,7 +76,7 @@ function get_mailman_domains()
76	76	$uid = (int) $_SESSION['userinfo']['uid'];
77	77	$result = db_query("SELECT md.id, md.fqdn FROM mail.v_mailman_domains AS md left join mail.v_domains AS d on (d.id=md.domain) where d.user={$uid}");
78	78	$ret = array();
79		- while ($dom = mysql_fetch_assoc($result))
	79	+ while ($dom = $result->fetch())
80	80	$ret[] = $dom;
81	81	DEBUG($ret);
82	82	return $ret;

...	...	@@ -18,10 +18,10 @@ function get_mysql_accounts($UID)
18	18	{
19	19	$UID = (int) $UID;
20	20	$result = db_query("SELECT id, username, description, created FROM misc.mysql_accounts WHERE useraccount=$UID ORDER BY username");
21		- if (mysql_num_rows($result) == 0)
	21	+ if ($result->rowCount() == 0)
22	22	return array();
23	23	$list = array();
24		- while ($item = mysql_fetch_assoc($result))
	24	+ while ($item = $result->fetch())
25	25	{
26	26	$list[] = $item;
27	27	}
...	...	@@ -32,10 +32,10 @@ function get_mysql_databases($UID)
32	32	{
33	33	$UID = (int) $UID;
34	34	$result = db_query("SELECT id, name, description, created FROM misc.mysql_database WHERE useraccount=$UID ORDER BY name");
35		- if (mysql_num_rows($result) == 0)
	35	+ if ($result->rowCount() == 0)
36	36	return array();
37	37	$list = array();
38		- while ($item = mysql_fetch_assoc($result))
	38	+ while ($item = $result->fetch())
39	39	{
40	40	$list[] = $item;
41	41	}
...	...	@@ -80,7 +80,7 @@ function servers_for_databases()
80	80
81	81	$result = db_query("SELECT db.name AS db, hostname FROM misc.mysql_database AS db LEFT JOIN system.useraccounts AS u ON (db.useraccount=u.uid) LEFT JOIN system.servers ON (COALESCE(db.server, u.server) = servers.id) WHERE db.useraccount={$uid}");
82	82	$ret = array();
83		- while ($line = mysql_fetch_assoc($result)) {
	83	+ while ($line = $result->fetch()) {
84	84	$ret[$line['db']] = $line['hostname'];
85	85	}
86	86	DEBUG($ret);
...	...	@@ -96,9 +96,9 @@ function get_mysql_access($db, $account)
96	96	{
97	97	$mysql_access = array();
98	98	$result = db_query("SELECT db.name AS db, acc.username AS user FROM misc.mysql_access AS access LEFT JOIN misc.mysql_database AS db ON (db.id=access.database) LEFT JOIN misc.mysql_accounts AS acc ON (acc.id = access.user) WHERE acc.useraccount={$uid} OR db.useraccount={$uid};");
99		- if (mysql_num_rows($result) == 0)
	99	+ if ($result->rowCount() == 0)
100	100	return false;
101		- while ($line = mysql_fetch_object($result))
	101	+ while ($line = $result->fetch(PDO::FETCH_OBJ))
102	102	$mysql_access[$line->db][$line->user] = true;
103	103	}
104	104	return (array_key_exists($db, $mysql_access) && array_key_exists($account, $mysql_access[$db]));
...	...	@@ -108,8 +108,8 @@ function get_mysql_access($db, $account)
108	108	function set_mysql_access($db, $account, $status)
109	109	{
110	110	$uid = $_SESSION['userinfo']['uid'];
111		- $db = mysql_real_escape_string($db);
112		- $account = mysql_real_escape_string($account);
	111	+ $db = db_escape_string($db);
	112	+ $account = db_escape_string($account);
113	113	DEBUG("User »{$account}« soll ".($status ? "" : "NICHT ")."auf die Datenbank »{$db}« zugreifen");
114	114	$query = '';
115	115	if ($status)
...	...	@@ -117,13 +117,13 @@ function set_mysql_access($db, $account, $status)
117	117	if (get_mysql_access($db, $account))
118	118	return NULL;
119	119	$result = db_query("SELECT id FROM misc.mysql_database WHERE name='{$db}' AND useraccount={$uid} LIMIT 1");
120		- if (mysql_num_rows($result) != 1)
	120	+ if ($result->rowCount() != 1)
121	121	{
122	122	logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find database {$db}");
123	123	system_failure("cannot find database »{$db}«");
124	124	}
125	125	$result = db_query("SELECT id FROM misc.mysql_accounts WHERE username='{$account}' AND useraccount={$uid} LIMIT 1");
126		- if (mysql_num_rows($result) != 1)
	126	+ if ($result->rowCount() != 1)
127	127	{
128	128	logger(LOG_ERR, "modules/mysql/include/mysql", "mysql", "cannot find user {$account}");
129	129	system_failure("cannot find database user »{$account}«");
...	...	@@ -151,7 +151,7 @@ function create_mysql_account($username, $description = '')
151	151	return NULL;
152	152	}
153	153	$uid = $_SESSION['userinfo']['uid'];
154		- $username = mysql_real_escape_string($username);
	154	+ $username = db_escape_string($username);
155	155	$description = maybe_null($description);
156	156	logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "creating user »{$username}«");
157	157	db_query("INSERT INTO misc.mysql_accounts (username, password, useraccount, description) VALUES ('$username', '!', $uid, $description);");
...	...	@@ -160,7 +160,7 @@ function create_mysql_account($username, $description = '')
160	160
161	161	function delete_mysql_account($username)
162	162	{
163		- $username = mysql_real_escape_string($username);
	163	+ $username = db_escape_string($username);
164	164	$uid = $_SESSION['userinfo']['uid'];
165	165	logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "deleting user »{$username}«");
166	166	db_query("DELETE FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
...	...	@@ -175,7 +175,7 @@ function create_mysql_database($dbname, $description = '', $server = NULL)
175	175	input_error("Der eingegebene Datenbankname entspricht leider nicht der Konvention. Bitte tragen Sie einen passenden Namen ein.");
176	176	return NULL;
177	177	}
178		- $dbname = mysql_real_escape_string($dbname);
	178	+ $dbname = db_escape_string($dbname);
179	179	$uid = $_SESSION['userinfo']['uid'];
180	180	$description = maybe_null($description);
181	181	$server = (int) $server;
...	...	@@ -189,7 +189,7 @@ function create_mysql_database($dbname, $description = '', $server = NULL)
189	189
190	190	function delete_mysql_database($dbname)
191	191	{
192		- $dbname = mysql_real_escape_string($dbname);
	192	+ $dbname = db_escape_string($dbname);
193	193	$uid = $_SESSION['userinfo']['uid'];
194	194	logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "removing database »{$dbname}«");
195	195	db_query("DELETE FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
...	...	@@ -212,8 +212,8 @@ function validate_mysql_username($username)
212	212
213	213	function set_mysql_password($username, $password)
214	214	{
215		- $username = mysql_real_escape_string($username);
216		- $password = mysql_real_escape_string($password);
	215	+ $username = db_escape_string($username);
	216	+ $password = db_escape_string($password);
217	217	$uid = $_SESSION['userinfo']['uid'];
218	218	logger(LOG_INFO, "modules/mysql/include/mysql", "mysql", "updating password for »{$username}«");
219	219	db_query("UPDATE misc.mysql_accounts SET password=PASSWORD('$password') WHERE username='$username' AND useraccount=$uid;");
...	...	@@ -223,18 +223,18 @@ function set_mysql_password($username, $password)
223	223	function has_mysql_database($dbname)
224	224	{
225	225	$uid = $_SESSION['userinfo']['uid'];
226		- $dbname = mysql_real_escape_string($dbname);
	226	+ $dbname = db_escape_string($dbname);
227	227	$result = db_query("SELECT NULL FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
228		- return (mysql_num_rows($result) == 1);
	228	+ return ($result->rowCount() == 1);
229	229	}
230	230
231	231
232	232	function has_mysql_user($username)
233	233	{
234	234	$uid = $_SESSION['userinfo']['uid'];
235		- $userame = mysql_real_escape_string($username);
	235	+ $userame = db_escape_string($username);
236	236	$result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
237		- return (mysql_num_rows($result) == 1);
	237	+ return ($result->rowCount() == 1);
238	238	}
239	239
240	240

...	...	@@ -16,14 +16,14 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
16	16
17	17	function set_newsletter_address($address) {
18	18	$cid = $_SESSION['customerinfo']['customerno'];
19		- $address = maybe_null(mysql_real_escape_string($address));
	19	+ $address = maybe_null(db_escape_string($address));
20	20	db_query("UPDATE kundendaten.kunden SET email_newsletter={$address} WHERE id={$cid}");
21	21	}
22	22
23	23	function get_newsletter_address() {
24	24	$cid = $_SESSION['customerinfo']['customerno'];
25	25	$result = db_query("SELECT email_newsletter FROM kundendaten.kunden WHERE id={$cid}");
26		- $r = mysql_fetch_assoc($result);
	26	+ $r = $result->fetch();
27	27	return $r['email_newsletter'];
28	28	}
29	29
...	...	@@ -32,7 +32,7 @@ function get_latest_news() {
32	32	$today = strftime('%Y-%m-%d');
33	33	$result = db_query("SELECT id, date, subject, content FROM misc.news WHERE date > '{$today}' - INTERVAL 1 YEAR ORDER BY date DESC");
34	34	$ret = array();
35		- while ($item = mysql_fetch_assoc($result)) {
	35	+ while ($item = $result->fetch()) {
36	36	$ret[] = $item;
37	37	}
38	38	DEBUG($ret);
...	...	@@ -43,7 +43,7 @@ function get_latest_news() {
43	43	function get_news_item($id) {
44	44	$id = (int) $id;
45	45	$result = db_query("SELECT date, subject, content FROM misc.news WHERE id={$id}");
46		- $ret = mysql_fetch_assoc($result);
	46	+ $ret = $result->fetch();
47	47	DEBUG($ret);
48	48	return $ret;
49	49	}

...	...	@@ -14,17 +14,16 @@ http://creativecommons.org/publicdomain/zero/1.0/
14	14	Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
15	15	*/
16	16
17		-require_once('inc/db_connect.php');
18	17	require_once('mail.php');
19	18
20	19	function customer_with_email($email)
21	20	{
22		- $email = mysql_real_escape_string($email);
	21	+ $email = db_escape_string($email);
23	22	$result = db_query("SELECT id FROM kundendaten.kunden WHERE email='{$email}' OR email_rechnung='{$email}' OR email_extern='{$email}' LIMIT 1;");
24		- if (mysql_num_rows($result) == 0)
	23	+ if ($result->rowCount() == 0)
25	24	return NULL;
26	25	else
27		- return mysql_fetch_object($result)->id;
	26	+ return $result->fetch(PDO::FETCH_OBJ)->id;
28	27	}
29	28
30	29
...	...	@@ -38,11 +37,11 @@ function create_customer($data)
38	37	return NULL;
39	38	}
40	39
41		- $anrede = mysql_escape_string($data['anrede']);
42		- $firma = mysql_escape_string($data['firma']);
43		- $vorname = mysql_escape_string($data['vorname']);
44		- $nachname = mysql_escape_string($data['nachname']);
45		- $email = mysql_escape_string($data['email']);
	40	+ $anrede = db_escape_string($data['anrede']);
	41	+ $firma = db_escape_string($data['firma']);
	42	+ $vorname = db_escape_string($data['vorname']);
	43	+ $nachname = db_escape_string($data['nachname']);
	44	+ $email = db_escape_string($data['email']);
46	45
47	46	logger(LOG_INFO, 'modules/register/include/register', 'register', "Creating new account: {$anrede} / {$firma} / {$vorname} / {$nachname} / {$email}");
48	47
...	...	@@ -53,7 +52,7 @@ function create_customer($data)
53	52
54	53	db_query("BEGIN");
55	54	db_query("INSERT INTO kundendaten.kunden (firma, nachname, vorname, anrede, email, erstellungsdatum,status) VALUES ({$firma}, {$nachname}, {$vorname}, {$anrede}, {$email}, CURDATE(), 3)");
56		- $customerno = mysql_insert_id();
	55	+ $customerno = db_insert_id();
57	56	db_query("COMMIT");
58	57	return $customerno;
59	58

...	...	@@ -24,7 +24,7 @@ function list_system_users()
24	24	$result = db_query("SELECT uid,username FROM system.v_useraccounts ORDER BY username");
25	25
26	26	$ret = array();
27		- while ($item = mysql_fetch_object($result))
	27	+ while ($item = $result->fetch(PDO::FETCH_OBJ))
28	28	array_push($ret, $item);
29	29	return $ret;
30	30	}
...	...	@@ -37,7 +37,7 @@ function list_customers()
37	37	$result = db_query("SELECT id, IF(firma IS NULL, CONCAT_WS(' ', vorname, nachname), CONCAT(firma, ' (', CONCAT_WS(' ', vorname, nachname), ')')) AS name FROM kundendaten.kunden");
38	38
39	39	$ret = array();
40		- while ($item = mysql_fetch_object($result))
	40	+ while ($item = $result->fetch(PDO::FETCH_OBJ))
41	41	array_push($ret, $item);
42	42	return $ret;
43	43	}
...	...	@@ -45,7 +45,7 @@ function list_customers()
45	45
46	46	function find_customers($string)
47	47	{
48		- $string = mysql_real_escape_string(chop($string));
	48	+ $string = db_escape_string(chop($string));
49	49	$return = array();
50	50	$result = db_query("SELECT k.id FROM kundendaten.kunden AS k LEFT JOIN system.useraccounts AS u ON (k.id=u.kunde) WHERE ".
51	51	"firma LIKE '%{$string}%' OR firma2 LIKE '%{$string}%' OR ".
...	...	@@ -55,14 +55,14 @@ function find_customers($string)
55	55	"notizen LIKE '%{$string}%' OR email_rechnung LIKE '%{$string}%' OR ".
56	56	"email LIKE '%{$string}%' OR email_extern LIKE '%{$string}%' OR u.name LIKE '%{$string}%' OR ".
57	57	"u.username LIKE '%{$string}%' OR k.id='{$string}' OR u.uid='{$string}';");
58		- while ($entry = mysql_fetch_assoc($result))
	58	+ while ($entry = $result->fetch())
59	59	$return[] = $entry['id'];
60	60
61	61	$result = db_query("SELECT kunde FROM kundendaten.domains WHERE kunde IS NOT NULL AND (
62	62	domainname LIKE '%{$string}%' OR CONCAT_WS('.', domainname, tld) LIKE '%{$string}%'
63	63	)");
64	64
65		- while ($entry = mysql_fetch_assoc($result))
	65	+ while ($entry = $result->fetch())
66	66	$return[] = $entry['kunde'];
67	67
68	68	return $return;
...	...	@@ -75,7 +75,7 @@ function find_users_for_customer($id)
75	75	$return = array();
76	76	$result = db_query("SELECT uid, username, name FROM system.useraccounts WHERE ".
77	77	"kunde='{$id}';");
78		- while ($entry = mysql_fetch_assoc($result))
	78	+ while ($entry = $result->fetch())
79	79	$return[] = $entry;
80	80
81	81	return $return;

...	...	@@ -25,7 +25,7 @@ function list_subusers()
25	25	$uid = (int) $_SESSION['userinfo']['uid'];
26	26	$result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid}");
27	27	$subusers = array();
28		- while ($item = mysql_fetch_assoc($result))
	28	+ while ($item = $result->fetch())
29	29	{
30	30	$item['modules'] = explode(',', $item['modules']);
31	31	$subusers[] = $item;
...	...	@@ -40,7 +40,7 @@ function load_subuser($id) {
40	40	$uid = (int) $_SESSION['userinfo']['uid'];
41	41
42	42	$result = db_query("SELECT id, username, modules FROM system.subusers WHERE uid={$uid} AND id={$id}");
43		- $item = mysql_fetch_assoc($result);
	43	+ $item = $result->fetch();
44	44	$item['modules'] = explode(',', $item['modules']);
45	45	return $item;
46	46	}
...	...	@@ -79,7 +79,7 @@ function new_subuser($username, $requested_modules, $password)
79	79	{
80	80	$uid = (int) $_SESSION['userinfo']['uid'];
81	81
82		- $username = mysql_real_escape_string(filter_input_username($username));
	82	+ $username = db_escape_string(filter_input_username($username));
83	83	if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
84	84	// Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
85	85	system_failure("Ungültiger Benutzername!");
...	...	@@ -100,7 +100,7 @@ function new_subuser($username, $requested_modules, $password)
100	100	if (count($modules) == 0) {
101	101	system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
102	102	}
103		- $modules = mysql_real_escape_string(implode(',', $modules));
	103	+ $modules = db_escape_string(implode(',', $modules));
104	104
105	105	$result = strong_password($password);
106	106	if ($result !== true) {
...	...	@@ -128,7 +128,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
128	128	system_failure("Kann diesen Account nicht finden!");
129	129	}
130	130
131		- $username = mysql_real_escape_string(filter_input_username($username));
	131	+ $username = db_escape_string(filter_input_username($username));
132	132	if (strpos($username, $_SESSION['userinfo']['username']) !== 0) {
133	133	// Username nicht enthalten (FALSE) oder nicht am Anfang (>0)
134	134	system_failure("Ungültiger Benutzername!");
...	...	@@ -148,7 +148,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
148	148	if (count($modules) == 0) {
149	149	system_failure("Es sind (nach der Filterung) keine Module mehr übrig!");
150	150	}
151		- $modules = mysql_real_escape_string(implode(',', $modules));
	151	+ $modules = db_escape_string(implode(',', $modules));
152	152
153	153	$pwchange = '';
154	154	if ($password) {

...	...	@@ -26,7 +26,7 @@ function user_certs()
26	26	$uid = (int) $_SESSION['userinfo']['uid'];
27	27	$result = db_query("SELECT id, valid_from, valid_until, subject, cn FROM vhosts.certs WHERE uid=${uid} ORDER BY cn");
28	28	$ret = array();
29		- while ($i = mysql_fetch_assoc($result))
	29	+ while ($i = $result->fetch())
30	30	$ret[] = $i;
31	31	DEBUG($ret);
32	32	return $ret;
...	...	@@ -37,7 +37,7 @@ function user_csr()
37	37	$uid = (int) $_SESSION['userinfo']['uid'];
38	38	$result = db_query("SELECT id, created, hostname, bits FROM vhosts.csr WHERE uid=${uid} ORDER BY hostname");
39	39	$ret = array();
40		- while ($i = mysql_fetch_assoc($result))
	40	+ while ($i = $result->fetch())
41	41	$ret[] = $i;
42	42	DEBUG($ret);
43	43	return $ret;
...	...	@@ -49,9 +49,9 @@ function cert_details($id)
49	49	$uid = (int) $_SESSION['userinfo']['uid'];
50	50
51	51	$result = db_query("SELECT id, lastchange, valid_from, valid_until, subject, cn, cert, `key` FROM vhosts.certs WHERE uid={$uid} AND id={$id}");
52		- if (mysql_num_rows($result) != 1)
	52	+ if ($result->rowCount() != 1)
53	53	system_failure("Ungültiges Zertifikat #{$id}");
54		- return mysql_fetch_assoc($result);
	54	+ return $result->fetch();
55	55	}
56	56
57	57
...	...	@@ -61,9 +61,9 @@ function csr_details($id)
61	61	$uid = (int) $_SESSION['userinfo']['uid'];
62	62
63	63	$result = db_query("SELECT id, created, hostname, bits, `replace`, csr, `key` FROM vhosts.csr WHERE uid={$uid} AND id={$id}");
64		- if (mysql_num_rows($result) != 1)
	64	+ if ($result->rowCount() != 1)
65	65	system_failure("Ungültiger CSR");
66		- return mysql_fetch_assoc($result);
	66	+ return $result->fetch();
67	67	}
68	68
69	69
...	...	@@ -87,11 +87,11 @@ function get_chain($cert)
87	87	if (! isset($certdata['issuer']['CN'])) {
88	88	return NULL;
89	89	}
90		- $issuer = mysql_real_escape_string($certdata['issuer']['CN']);
	90	+ $issuer = db_escape_string($certdata['issuer']['CN']);
91	91	$result = db_query("SELECT id FROM vhosts.certchain WHERE cn='{$issuer}'");
92		- if (mysql_num_rows($result) > 0)
	92	+ if ($result->rowCount() > 0)
93	93	{
94		- $c = mysql_fetch_assoc($result);
	94	+ $c = $result->fetch();
95	95	//$chainfile = '/etc/apache2/certs/chains/'.$c['id'].'.pem';
96	96	DEBUG("identified fitting certificate chain #".$c['id']);
97	97	return $c['id'];
...	...	@@ -140,7 +140,7 @@ function validate_certificate($cert, $key)
140	140	if ($chain)
141	141	{
142	142	$result = db_query("SELECT content FROM vhosts.certchain WHERE id={$chain}");
143		- $tmp = mysql_fetch_assoc($result);
	143	+ $tmp = $result->fetch();
144	144	$chaincert = $tmp['content'];
145	145	$chainfile = tempnam(sys_get_temp_dir(), 'webinterface');
146	146	$f = fopen($chainfile, "w");
...	...	@@ -183,13 +183,13 @@ function save_cert($info, $cert, $key)
183	183	{
184	184	openssl_pkey_export($key, $key);
185	185	openssl_x509_export($cert, $cert);
186		- $subject = mysql_real_escape_string(filter_input_general($info['subject']));
187		- $cn = mysql_real_escape_string(filter_input_general($info['cn']));
188		- $valid_from = mysql_real_escape_string($info['valid_from']);
189		- $valid_until = mysql_real_escape_string($info['valid_until']);
	186	+ $subject = db_escape_string(filter_input_general($info['subject']));
	187	+ $cn = db_escape_string(filter_input_general($info['cn']));
	188	+ $valid_from = db_escape_string($info['valid_from']);
	189	+ $valid_until = db_escape_string($info['valid_until']);
190	190	$chain = maybe_null( get_chain($cert) );
191		- $cert = mysql_real_escape_string($cert);
192		- $key = mysql_real_escape_string($key);
	191	+ $cert = db_escape_string($cert);
	192	+ $key = db_escape_string($key);
193	193	$uid = (int) $_SESSION['userinfo']['uid'];
194	194
195	195	db_query("INSERT INTO vhosts.certs (uid, subject, cn, valid_from, valid_until, chain, cert, `key`) VALUES ({$uid}, '{$subject}', '{$cn}', '{$valid_from}', '{$valid_until}', {$chain}, '{$cert}', '{$key}')");
...	...	@@ -203,17 +203,17 @@ function refresh_cert($id, $info, $cert, $key = NULL)
203	203
204	204	$id = (int) $id;
205	205	$oldcert = cert_details($id);
206		- $cert = mysql_real_escape_string($cert);
207		- $subject = mysql_real_escape_string(filter_input_general($info['subject']));
208		- $cn = mysql_real_escape_string(filter_input_general($info['cn']));
	206	+ $cert = db_escape_string($cert);
	207	+ $subject = db_escape_string(filter_input_general($info['subject']));
	208	+ $cn = db_escape_string(filter_input_general($info['cn']));
209	209
210		- $valid_from = mysql_real_escape_string($info['valid_from']);
211		- $valid_until = mysql_real_escape_string($info['valid_until']);
	210	+ $valid_from = db_escape_string($info['valid_from']);
	211	+ $valid_until = db_escape_string($info['valid_until']);
212	212
213	213	$keyop = '';
214	214	if ($key) {
215	215	openssl_pkey_export($key, $key);
216		- $keyop = ", `key`='".mysql_real_escape_string($key)."'";
	216	+ $keyop = ", `key`='".db_escape_string($key)."'";
217	217	}
218	218	db_query("UPDATE vhosts.certs SET subject='{$subject}', cn='{$cn}', cert='{$cert}'{$keyop}, valid_from='{$valid_from}', valid_until='{$valid_until}', chain={$chain} WHERE id={$id} LIMIT 1");
219	219	}
...	...	@@ -304,11 +304,11 @@ function save_csr($cn, $bits, $replace=NULL)
304	304	list($csr, $key) = create_csr($cn, $bits);
305	305
306	306	$uid = (int) $_SESSION['userinfo']['uid'];
307		- $cn = mysql_real_escape_string(filter_input_hostname($cn, true));
	307	+ $cn = db_escape_string(filter_input_hostname($cn, true));
308	308	$bits = (int) $bits;
309	309	$replace = ($replace ? (int) $replace : 'NULL');
310		- $csr = mysql_real_escape_string($csr);
311		- $key = mysql_real_escape_string($key);
	310	+ $csr = db_escape_string($csr);
	311	+ $key = db_escape_string($key);
312	312	db_query("INSERT INTO vhosts.csr (uid, hostname, bits, `replace`, csr, `key`) VALUES ({$uid}, '{$cn}', {$bits}, {$replace}, '{$csr}', '{$key}')");
313	313	$id = mysql_insert_id();
314	314	return $id;

...	...	@@ -27,14 +27,14 @@ function traffic_month($vhost_id)
27	27	{
28	28	$vhost_id = (int) $vhost_id;
29	29	$result = db_query("SELECT sum(mb_in+mb_out) as mb FROM vhosts.traffic where date > CURDATE() - INTERVAL 1 MONTH AND vhost_id = {$vhost_id}");
30		- $data = mysql_fetch_assoc($result);
	30	+ $data = $result->fetch();
31	31	return $data['mb'];
32	32	}
33	33
34	34	function autoipv6_address($vhost_id, $mode = 1)
35	35	{
36	36	$result = db_query("SELECT uid, v6_prefix FROM vhosts.v_vhost LEFT JOIN system.servers ON (servers.hostname = server) WHERE v_vhost.id={$vhost_id}");
37		- $data = mysql_fetch_assoc($result);
	37	+ $data = $result->fetch();
38	38	if (!$data['v6_prefix'])
39	39	{
40	40	warning("IPv6-Adresse nicht verfügbar, Server unterstützt kein IPv6");
...	...	@@ -55,7 +55,7 @@ function list_vhosts()
55	55	$uid = (int) $_SESSION['userinfo']['uid'];
56	56	$result = db_query("SELECT vh.id,fqdn,domain,docroot,docroot_is_default,php,cgi,vh.certid AS cert, vh.ssl, vh.options,logtype,errorlog,IF(dav.id IS NULL OR dav.type='svn', 0, 1) AS is_dav,IF(dav.id IS NULL OR dav.type='dav', 0, 1) AS is_svn, IF(webapps.id IS NULL, 0, 1) AS is_webapp, stats FROM vhosts.v_vhost AS vh LEFT JOIN vhosts.dav ON (dav.vhost=vh.id) LEFT JOIN vhosts.webapps ON (webapps.vhost = vh.id) WHERE uid={$uid} ORDER BY domain,hostname");
57	57	$ret = array();
58		- while ($item = mysql_fetch_assoc($result))
	58	+ while ($item = $result->fetch())
59	59	array_push($ret, $item);
60	60	return $ret;
61	61	}
...	...	@@ -63,9 +63,9 @@ function list_vhosts()
63	63	function ipv6_possible($server)
64	64	{
65	65	$serverid = (int) $server;
66		- $servername = mysql_real_escape_string($server);
	66	+ $servername = db_escape_string($server);
67	67	$result = db_query("SELECT v6_prefix FROM system.servers WHERE id={$serverid} OR hostname='{$servername}'");
68		- $line = mysql_fetch_assoc($result);
	68	+ $line = $result->fetch();
69	69	DEBUG("Server {$server} is v6-capable: ". ($line['v6_prefix'] != NULL));
70	70	return ($line['v6_prefix'] != NULL);
71	71	}
...	...	@@ -143,10 +143,10 @@ function get_vhost_details($id)
143	143	$id = (int) $id;
144	144	$uid = (int) $_SESSION['userinfo']['uid'];
145	145	$result = db_query("SELECT vh.*,IF(dav.id IS NULL OR dav.type='svn', 0, 1) AS is_dav,IF(dav.id IS NULL OR dav.type='dav', 0, 1) AS is_svn, IF(webapps.id IS NULL, 0, 1) AS is_webapp FROM vhosts.v_vhost AS vh LEFT JOIN vhosts.dav ON (dav.vhost=vh.id) LEFT JOIN vhosts.webapps ON (webapps.vhost = vh.id) WHERE uid={$uid} AND vh.id={$id}");
146		- if (mysql_num_rows($result) != 1)
	146	+ if ($result->rowCount() != 1)
147	147	system_failure('Interner Fehler beim Auslesen der Daten');
148	148
149		- $ret = mysql_fetch_assoc($result);
	149	+ $ret = $result->fetch();
150	150
151	151	if ($ret['hsts'] === NULL) {
152	152	DEBUG('HSTS: '.$ret['hsts']);
...	...	@@ -162,7 +162,7 @@ function get_aliases($vhost)
162	162	{
163	163	$result = db_query("SELECT id,fqdn,options FROM vhosts.v_alias WHERE vhost={$vhost}");
164	164	$ret = array();
165		- while ($item = mysql_fetch_assoc($result)) {
	165	+ while ($item = $result->fetch()) {
166	166	array_push($ret, $item);
167	167	}
168	168	return $ret;
...	...	@@ -192,7 +192,7 @@ function list_available_webapps()
192	192	{
193	193	$result = db_query("SELECT id,displayname FROM vhosts.global_webapps");
194	194	$ret = array();
195		- while ($item = mysql_fetch_assoc($result))
	195	+ while ($item = $result->fetch())
196	196	array_push($ret, $item);
197	197	return $ret;
198	198	}
...	...	@@ -248,9 +248,9 @@ function make_webapp_vhost($id, $webapp)
248	248	if ($id == 0)
249	249	system_failure("id == 0");
250	250	$result = db_query("SELECT displayname FROM vhosts.global_webapps WHERE id={$webapp};");
251		- if (mysql_num_rows($result) == 0)
	251	+ if ($result->rowCount() == 0)
252	252	system_failure("webapp-id invalid");
253		- $webapp_name = mysql_fetch_object($result)->displayname;
	253	+ $webapp_name = $result->fetch(PDO::FETCH_OBJ)->displayname;
254	254	logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Setting up webapp '.$webapp_name.' on vhost #'.$id);
255	255	db_query("REPLACE INTO vhosts.webapps (vhost, webapp) VALUES ({$id}, {$webapp})");
256	256	mail('webapps-setup@schokokeks.org', 'setup', 'setup');
...	...	@@ -261,7 +261,7 @@ function check_hostname_collision($hostname, $domain)
261	261	{
262	262	$uid = (int) $_SESSION['userinfo']['uid'];
263	263	# Neuer vhost => Prüfe Duplikat
264		- $hostnamecheck = "hostname='".mysql_real_escape_string($hostname)."'";
	264	+ $hostnamecheck = "hostname='".db_escape_string($hostname)."'";
265	265	if (! $hostname) {
266	266	$hostnamecheck = "hostname IS NULL";
267	267	}
...	...	@@ -270,15 +270,15 @@ function check_hostname_collision($hostname, $domain)
270	270	$domaincheck = "domain IS NULL AND user={$uid}";
271	271	}
272	272	$result = db_query("SELECT id FROM vhosts.vhost WHERE {$hostnamecheck} AND {$domaincheck}");
273		- if (mysql_num_rows($result) > 0) {
	273	+ if ($result->rowCount() > 0) {
274	274	system_failure('Eine Konfiguration mit diesem Namen gibt es bereits.');
275	275	}
276	276	if ($domain == -1) {
277	277	return ;
278	278	}
279	279	$result = db_query("SELECT id, vhost FROM vhosts.alias WHERE {$hostnamecheck} AND {$domaincheck}");
280		- if (mysql_num_rows($result) > 0) {
281		- $data = mysql_fetch_assoc($result);
	280	+ if ($result->rowCount() > 0) {
	281	+ $data = $result->fetch();
282	282	$vh = get_vhost_details($data['vhost']);
283	283	system_failure('Dieser Hostname ist bereits als Alias für »'.$vh['fqdn'].'« eingerichtet');
284	284	}
...	...	@@ -328,7 +328,7 @@ function save_vhost($vhost)
328	328	if (! $vhost['options']) $vhost['options']='nodocroot';
329	329	else $vhost['options']+=",nodocroot";
330	330	}
331		- $options = mysql_real_escape_string( $vhost['options'] );
	331	+ $options = db_escape_string( $vhost['options'] );
332	332
333	333	$cert = 0;
334	334	$certs = user_certs();
...	...	@@ -383,10 +383,10 @@ function get_alias_details($id)
383	383	$uid = (int) $_SESSION['userinfo']['uid'];
384	384	$result = db_query("SELECT * FROM vhosts.v_alias WHERE id={$id}");
385	385
386		- if (mysql_num_rows($result) != 1)
	386	+ if ($result->rowCount() != 1)
387	387	system_failure('Interner Fehler beim Auslesen der Alias-Daten');
388	388
389		- $alias = mysql_fetch_assoc($result);
	389	+ $alias = $result->fetch();
390	390
391	391	if ($alias['domain_id'] == NULL) {
392	392	$alias['domain_id'] = -1;
...	...	@@ -420,7 +420,7 @@ function save_alias($alias)
420	420	if ($alias['domain_id'] == -1)
421	421	$domain = 'NULL';
422	422	$vhost = get_vhost_details( (int) $alias['vhost']);
423		- $options = mysql_real_escape_string( $alias['options'] );
	423	+ $options = db_escape_string( $alias['options'] );
424	424	if ($id == 0) {
425	425	logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'aliases', 'Creating alias '.$alias['hostname'].'.'.$alias['domain'].' for VHost '.$vhost['id']);
426	426	db_query("INSERT INTO vhosts.alias (hostname, domain, vhost, options) VALUES ({$hostname}, {$domain}, {$vhost['id']}, '{$options}')");
...	...	@@ -437,7 +437,7 @@ function available_suexec_users()
437	437	$uid = (int) $_SESSION['userinfo']['uid'];
438	438	$result = db_query("SELECT uid, username FROM vhosts.available_users LEFT JOIN vhosts.v_useraccounts ON (uid = suexec_user) WHERE mainuser={$uid}");
439	439	$ret = array();
440		- while ($i = mysql_fetch_assoc($result))
	440	+ while ($i = $result->fetch())
441	441	$ret[] = $i;
442	442	DEBUG('available suexec-users:');
443	443	DEBUG($ret);
...	...	@@ -451,7 +451,7 @@ function user_ipaddrs()
451	451	$uid = (int) $_SESSION['userinfo']['uid'];
452	452	$result = db_query("SELECT ipaddr FROM vhosts.ipaddr_available WHERE uid={$uid}");
453	453	$ret = array();
454		- while ($i = mysql_fetch_assoc($result))
	454	+ while ($i = $result->fetch())
455	455	{
456	456	$ret[] = $i['ipaddr'];
457	457	}

...	...	@@ -33,7 +33,7 @@ if (isset($_POST['freq']) && in_array($_POST['freq'],array("day","week","month")
33	33	}
34	34
35	35	$result = db_query("SELECT freq FROM qatools.v_freewvs WHERE uid={$uid};");
36		-$result=mysql_fetch_assoc($result);
	36	+$result=$result->fetch();
37	37	$freq=$result['freq'];
38	38
39	39	headline('Überprüfung Ihrer Web-Anwendungen auf Sicherheitslücken');

...	...	@@ -22,17 +22,17 @@ function load_results()
22	22	$uid = (int) $_SESSION['userinfo']['uid'];
23	23	$result = db_query("SELECT directory, docroot, lastcheck, appname, version, state, safeversion, vulninfo FROM qatools.freewvs_results WHERE uid={$uid}");
24	24	$ret = array();
25		- while ($line = mysql_fetch_assoc($result)) {
	25	+ while ($line = $result->fetch()) {
26	26	array_push($ret, $line);
27	27	}
28	28	return $ret;
29	29	}
30	30
31	31	function get_upgradeinstructions($appname) {
32		- $appname = mysql_real_escape_string($appname);
	32	+ $appname = db_escape_string($appname);
33	33	$result = db_query("SELECT url FROM qatools.freewvs_upgradeinstructions WHERE appname='{$appname}' LIMIT 1");
34		- if (mysql_num_rows($result) > 0) {
35		- $tmp = mysql_fetch_array($result);
	34	+ if ($result->rowCount() > 0) {
	35	+ $tmp = $result->fetch();
36	36	return $tmp[0];
37	37	}
38	38	return NULL;

...	...	@@ -20,11 +20,11 @@ function create_new_webapp($appname, $directory, $url, $data)
20	20	{
21	21	if (directory_in_use($directory))
22	22	system_failure('Sie haben erst kürzlich eine Anwendung in diesem Verzeichnis installieren lassen. Aus Sicherheitsgründen können Sie in diesem Verzeichnis am selben Tag nicht schon wieder eine Anwendung installieren.');
23		- $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
24		- $appname = mysql_real_escape_string($appname);
25		- $directory = mysql_real_escape_string($directory);
26		- $url = mysql_real_escape_string($url);
27		- $data = mysql_real_escape_string($data);
	23	+ $username = db_escape_string($_SESSION['userinfo']['username']);
	24	+ $appname = db_escape_string($appname);
	25	+ $directory = db_escape_string($directory);
	26	+ $url = db_escape_string($url);
	27	+ $data = db_escape_string($data);
28	28	db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username, data) VALUES ('{$appname}', '{$directory}', '{$url}', 'new', '{$username}', '{$data}')");
29	29	}
30	30
...	...	@@ -33,18 +33,18 @@ function request_update($appname, $directory, $url)
33	33	{
34	34	if (directory_in_use($directory))
35	35	system_failure('Sie haben erst kürzlich eine Anwendung in diesem Verzeichnis installieren lassen oder ein Update in diesem Verzeichnis angefordert. Bitte warten Sie bis diese Aktion durchgeführt wurde.');
36		- $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
37		- $appname = mysql_real_escape_string($appname);
38		- $directory = mysql_real_escape_string($directory);
39		- $url = maybe_null(mysql_real_escape_string($url));
	36	+ $username = db_escape_string($_SESSION['userinfo']['username']);
	37	+ $appname = db_escape_string($appname);
	38	+ $directory = db_escape_string($directory);
	39	+ $url = maybe_null(db_escape_string($url));
40	40	db_query("INSERT INTO vhosts.webapp_installer (appname, directory, url, state, username) VALUES ('{$appname}', '{$directory}', {$url}, 'old', '{$username}')");
41	41	}
42	42
43	43	function directory_in_use($directory)
44	44	{
45		- $directory = mysql_real_escape_string($directory);
	45	+ $directory = db_escape_string($directory);
46	46	$result = db_query("SELECT id FROM vhosts.webapp_installer WHERE (state IN ('new','old') OR DATE(lastchange)=CURDATE()) AND directory='{$directory}'");
47		- if (mysql_num_rows($result) > 0)
	47	+ if ($result->rowCount() > 0)
48	48	return true;
49	49	return false;
50	50	}
...	...	@@ -101,15 +101,15 @@ function get_url_for_dir($docroot, $cutoff = '')
101	101	{
102	102	if (substr($docroot, -1) == '/')
103	103	$docroot = substr($docroot, 0, -1);
104		- $docroot = mysql_real_escape_string($docroot);
	104	+ $docroot = db_escape_string($docroot);
105	105	$result = db_query("SELECT `ssl`, IF(FIND_IN_SET('aliaswww', options), CONCAT('www.',fqdn), fqdn) AS fqdn FROM vhosts.v_vhost WHERE docroot IN ('{$docroot}', '{$docroot}/') LIMIT 1");
106		- if (mysql_num_rows($result) < 1)
	106	+ if ($result->rowCount() < 1)
107	107	{
108	108	if (!strstr($docroot, '/'))
109	109	return NULL;
110	110	return get_url_for_dir(substr($docroot, 0, strrpos($docroot, '/')), substr($docroot, strrpos($docroot, '/')).$cutoff);
111	111	}
112		- $tmp = mysql_fetch_assoc($result);
	112	+ $tmp = $result->fetch();
113	113	$prefix = 'http://';
114	114	if ($tmp['ssl'] == 'forward' \|\| $tmp['ssl'] == 'https')
115	115	$prefix = 'https://';
...	...	@@ -122,7 +122,7 @@ function create_webapp_mysqldb($application, $sitename)
122	122	// dependet auf das mysql-modul
123	123	require_once('modules/mysql/include/mysql.php');
124	124
125		- $username = mysql_real_escape_string($_SESSION['userinfo']['username']);
	125	+ $username = db_escape_string($_SESSION['userinfo']['username']);
126	126	$description = "Automatisch erzeugte Datenbank für {$application} ({$sitename})";
127	127
128	128	// zuerst versuchen wir username_webappname. Wenn das nicht klappt, dann wird hochgezählt

...	...	@@ -16,10 +16,10 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
16	16
17	17	function account_has_totp($username)
18	18	{
19		- $username = mysql_real_escape_string($username);
	19	+ $username = db_escape_string($username);
20	20	$result = db_query("SELECT id FROM mail.webmail_totp WHERE email='{$username}'");
21		- if (mysql_num_rows($result) > 0) {
22		- $tmp = mysql_fetch_assoc($result);
	21	+ if ($result->rowCount() > 0) {
	22	+ $tmp = $result->fetch();
23	23	$id = $tmp['id'];
24	24	return $id;
25	25	} else {
...	...	@@ -31,13 +31,13 @@ function account_has_totp($username)
31	31
32	32	function validate_password($username, $password)
33	33	{
34		- $username = mysql_real_escape_string($username);
	34	+ $username = db_escape_string($username);
35	35	$result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account='{$username}' UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account='{$username}'");
36		- if (mysql_num_rows($result) != 1) {
	36	+ if ($result->rowCount() != 1) {
37	37	// Kein Account mit dem Namen oder Name nicht eindeutig
38	38	return false;
39	39	}
40		- $account = mysql_fetch_assoc($result);
	40	+ $account = $result->fetch();
41	41	return (crypt($password, $account['cryptpass']) == $account['cryptpass']);
42	42	}
43	43
...	...	@@ -87,9 +87,9 @@ function decode_webmail_password($crypted, $webmailpw)
87	87
88	88
89	89	function get_imap_password($username, $webmailpass) {
90		- $username = mysql_real_escape_string($username);
	90	+ $username = db_escape_string($username);
91	91	$result = db_query("SELECT webmailpass FROM mail.webmail_totp WHERE email='{$username}'");
92		- $tmp = mysql_fetch_assoc($result);
	92	+ $tmp = $result->fetch();
93	93
94	94	$crypted = $tmp['webmailpass'];
95	95
...	...	@@ -107,7 +107,7 @@ function check_webmail_password($username, $webmailpass)
107	107
108	108	function generate_secret($username)
109	109	{
110		- $username = mysql_real_escape_string($username);
	110	+ $username = db_escape_string($username);
111	111	require_once('external/googleauthenticator/GoogleAuthenticator.php');
112	112	$ga = new PHPGangsta_GoogleAuthenticator();
113	113
...	...	@@ -120,9 +120,9 @@ function generate_secret($username)
120	120
121	121	function check_locked($username)
122	122	{
123		- $username = mysql_real_escape_string($username);
	123	+ $username = db_escape_string($username);
124	124	$result = db_query("SELECT 1 FROM mail.webmail_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email='{$username}'");
125		- return (mysql_num_rows($result) > 0);
	125	+ return ($result->rowCount() > 0);
126	126	}
127	127
128	128	function check_totp($username, $code) {
...	...	@@ -131,10 +131,10 @@ function check_totp($username, $code) {
131	131	return false;
132	132	}
133	133
134		- $username = mysql_real_escape_string($username);
	134	+ $username = db_escape_string($username);
135	135
136	136	$result = db_query("SELECT totp_secret, failures FROM mail.webmail_totp WHERE email='{$username}' AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())");
137		- $tmp = mysql_fetch_assoc($result);
	137	+ $tmp = $result->fetch();
138	138	$secret = $tmp['totp_secret'];
139	139
140	140	require_once('external/googleauthenticator/GoogleAuthenticator.php');
...	...	@@ -197,7 +197,7 @@ function accountname($id)
197	197	$id = (int) $id;
198	198	$uid = (int) $_SESSION['userinfo']['uid'];
199	199	$result = db_query("SELECT email FROM mail.webmail_totp WHERE id={$id} AND useraccount={$uid}");
200		- if ($tmp = mysql_fetch_assoc($result)) {
	200	+ if ($tmp = $result->fetch()) {
201	201	return $tmp['email'];
202	202	}
203	203	}
...	...	@@ -214,17 +214,17 @@ function delete_totp($id)
214	214
215	215	function blacklist_token($email, $token)
216	216	{
217		- $email = mysql_real_escape_string($email);
218		- $token = mysql_real_escape_string($token);
	217	+ $email = db_escape_string($email);
	218	+ $token = db_escape_string($token);
219	219	db_query("INSERT INTO mail.webmail_totp_blacklist (timestamp, email, token) VALUES (NOW(), '{$email}', '{$token}')");
220	220	}
221	221
222	222	function check_blacklist($email, $token)
223	223	{
224		- $email = mysql_real_escape_string($email);
225		- $token = mysql_real_escape_string($token);
	224	+ $email = db_escape_string($email);
	225	+ $token = db_escape_string($token);
226	226	db_query("DELETE FROM mail.webmail_totp_blacklist WHERE timestamp < NOW() - INTERVAL 10 MINUTE");
227	227	$result = db_query("SELECT id FROM mail.webmail_totp_blacklist WHERE email='{$email}' AND token='{$token}'");
228		- return (mysql_num_rows($result) > 0);
	228	+ return ($result->rowCount() > 0);
229	229	}
230	230

...	...	@@ -18,7 +18,6 @@ require_once('inc/base.php');
18	18	require_once('inc/debug.php');
19	19	require_once('inc/error.php');
20	20
21		-require_once('inc/db_connect.php');
22	21
23	22	define('ROLE_ANONYMOUS', 0);
24	23	define('ROLE_MAILACCOUNT', 1);
...	...	@@ -33,16 +32,16 @@ define('ROLE_SUBUSER', 32);
33	32
34	33	function find_role($login, $password, $i_am_admin = False)
35	34	{
36		- $login = mysql_real_escape_string($login);
	35	+ $login = db_escape_string($login);
37	36	// Domain-Admin? <not implemented>
38	37	// System-User?
39	38	$uid = (int) $login;
40	39	if ($uid == 0)
41	40	$uid = 'NULL';
42	41	$result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");
43		- if (@mysql_num_rows($result) > 0)
	42	+ if (@$result->rowCount() > 0)
44	43	{
45		- $entry = mysql_fetch_object($result);
	44	+ $entry = $result->fetch(PDO::FETCH_OBJ);
46	45	if (strcasecmp($entry->username, $login) == 0 && $entry->username != $login) {
47	46	// MySQL matched (warum auch immer) ohne Beachtung der Schreibweise. Wir wollen aber case-sensitive sein.
48	47	logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");
...	...	@@ -72,7 +71,7 @@ function find_role($login, $password, $i_am_admin = False)
72	71	$result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno} AND passwort='{$pass}';");
73	72	if ($i_am_admin)
74	73	$result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id={$customerno}");
75		- if (@mysql_num_rows($result) > 0)
	74	+ if (@$result->rowCount() > 0)
76	75	{
77	76	return ROLE_CUSTOMER;
78	77	}
...	...	@@ -80,9 +79,9 @@ function find_role($login, $password, $i_am_admin = False)
80	79	// Sub-User
81	80
82	81	$result = db_query("SELECT password FROM system.subusers WHERE username='{$login}'");
83		- if (@mysql_num_rows($result) > 0)
	82	+ if (@$result->rowCount() > 0)
84	83	{
85		- $entry = mysql_fetch_object($result);
	84	+ $entry = $result->fetch(PDO::FETCH_OBJ);
86	85	$db_password = $entry->password;
87	86	// SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
88	87	if (hash("sha1", $password) == $db_password \|\| hash("sha256", $password) == $db_password \|\| $i_am_admin)
...	...	@@ -113,9 +112,9 @@ function find_role($login, $password, $i_am_admin = False)
113	112	}
114	113	}
115	114	$result = db_query("SELECT cryptpass FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
116		- if (@mysql_num_rows($result) > 0)
	115	+ if (@$result->rowCount() > 0)
117	116	{
118		- $entry = mysql_fetch_object($result);
	117	+ $entry = $result->fetch(PDO::FETCH_OBJ);
119	118	$db_password = $entry->cryptpass;
120	119	$hash = crypt($password, $db_password);
121	120	if ($hash == $db_password \|\| $i_am_admin)
...	...	@@ -129,9 +128,9 @@ function find_role($login, $password, $i_am_admin = False)
129	128	// virtueller Mail-Account
130	129	$account = $login;
131	130	$result = db_query("SELECT cryptpass FROM mail.courier_virtual_accounts WHERE account='{$account}' LIMIT 1;");
132		- if (@mysql_num_rows($result) > 0)
	131	+ if (@$result->rowCount() > 0)
133	132	{
134		- $entry = mysql_fetch_object($result);
	133	+ $entry = $result->fetch(PDO::FETCH_OBJ);
135	134	$db_password = $entry->cryptpass;
136	135	$hash = crypt($password, $db_password);
137	136	if ($hash == $db_password \|\| $i_am_admin)
...	...	@@ -162,13 +161,13 @@ function get_customer_info($customer)
162	161	}
163	162	else
164	163	{
165		- $username = mysql_real_escape_string($customer);
	164	+ $username = db_escape_string($customer);
166	165	DEBUG('looking up customer info for username '.$username);
167	166	$result = db_query("SELECT id, anrede, firma, CONCAT_WS(' ', vorname, nachname) AS name, COALESCE(email,email_rechnung,email_extern) AS email FROM kundendaten.kunden AS k JOIN system.v_useraccounts AS u ON (u.kunde=k.id) WHERE u.username='{$username}'");
168	167	}
169		- if (@mysql_num_rows($result) == 0)
	168	+ if (@$result->rowCount() == 0)
170	169	system_failure("Konnte Kundendaten nicht auslesen!");
171		- $data = mysql_fetch_assoc($result);
	170	+ $data = $result->fetch();
172	171	DEBUG($data);
173	172	$ret['customerno'] = $data['id'];
174	173	$ret['title'] = $data['anrede'];
...	...	@@ -183,12 +182,12 @@ function get_customer_info($customer)
183	182	function get_subuser_info($username)
184	183	{
185	184	$result = db_query("SELECT uid, modules FROM system.subusers WHERE username='{$username}'");
186		- if (mysql_num_rows($result) < 1)
	185	+ if ($result->rowCount() < 1)
187	186	{
188	187	logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«");
189	188	system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
190	189	}
191		- $data = mysql_fetch_assoc($result);
	190	+ $data = $result->fetch();
192	191	$userinfo = get_user_info($data['uid']);
193	192	$userinfo['modules'] = $data['modules'];
194	193	return $userinfo;
...	...	@@ -197,15 +196,15 @@ function get_subuser_info($username)
197	196
198	197	function get_user_info($username)
199	198	{
200		- $username = mysql_real_escape_string($username);
	199	+ $username = db_escape_string($username);
201	200	$result = db_query("SELECT kunde AS customerno, username, uid, homedir, name, server
202	201	FROM system.v_useraccounts WHERE username='{$username}' OR uid='{$username}' LIMIT 1");
203		- if (mysql_num_rows($result) < 1)
	202	+ if ($result->rowCount() < 1)
204	203	{
205	204	logger(LOG_ERR, "session/checkuser", "login", "error reading user's data: »{$username}«");
206	205	system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
207	206	}
208		- $val = @mysql_fetch_object($result);
	207	+ $val = @$result->fetch(PDO::FETCH_OBJ);
209	208	return array(
210	209	'username' => $val->username,
211	210	'customerno' => $val->customerno,
...	...	@@ -239,7 +238,7 @@ function set_customer_password($customerno, $newpass)
239	238
240	239	function set_subuser_password($subuser, $newpass)
241	240	{
242		- $subuser = mysql_real_escape_string($subuser);
	241	+ $subuser = db_escape_string($subuser);
243	242	$uid = (int) $_SESSION['userinfo']['uid'];
244	243	$newpass = sha1($newpass);
245	244	db_query("UPDATE system.subusers SET password='$newpass' WHERE username='{$subuser}' AND uid={$uid}");
...	...	@@ -269,20 +268,20 @@ function set_systemuser_password($uid, $newpass)
269	268	function user_for_mailaccount($account)
270	269	{
271	270	$result = db_query("SELECT uid FROM mail.courier_mailaccounts WHERE account='{$account}' LIMIT 1;");
272		- if (mysql_num_rows($result) != 1) {
	271	+ if ($result->rowCount() != 1) {
273	272	system_failure('Diese Adresse ist herrenlos?!');
274	273	}
275		- $tmp = mysql_fetch_assoc($result);
	274	+ $tmp = $result->fetch();
276	275	return $tmp['uid'];
277	276	}
278	277
279	278	function user_for_vmail_account($account)
280	279	{
281	280	$result = db_query("SELECT useraccount FROM mail.v_vmail_accounts WHERE CONCAT_WS('@', local, domainname)='{$account}' LIMIT 1;");
282		- if (mysql_num_rows($result) != 1) {
	281	+ if ($result->rowCount() != 1) {
283	282	system_failure('Diese Adresse ist herrenlos?!');
284	283	}
285		- $tmp = mysql_fetch_assoc($result);
	284	+ $tmp = $result->fetch();
286	285	return $tmp['useraccount'];
287	286	}
288	287
...	...	@@ -300,7 +299,7 @@ function setup_session($role, $useridentity)
300	299	$_SESSION['role'] = ROLE_SYSTEMUSER \| ROLE_SUBUSER;
301	300	$_SESSION['subuser'] = $useridentity;
302	301	$data = db_query("SELECT kundenaccount FROM system.useraccounts WHERE username='{$info['username']}'");
303		- if ($entry = mysql_fetch_assoc($data)) {
	302	+ if ($entry = $data->fetch) {
304	303	if ($entry['kundenaccount'] == 1) {
305	304	$customer = get_customer_info($_SESSION['userinfo']['username']);
306	305	$_SESSION['customerinfo'] = $customer;
307	306