Browse code

Weitere Prepared-Statements

Bernd Wurst authored on04/02/2014 14:37:35
Showing5 changed files
... ...
@@ -39,9 +39,8 @@ function prepare_cert($cert)
39 39
 
40 40
 function get_logins_by_cert($cert) 
41 41
 {
42
-	$cert = db_escape_string(prepare_cert($cert));
43
-	$query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
44
-	$result = db_query($query);
42
+	$cert = prepare_cert($cert);
43
+	$result = db_query("SELECT type,username,startpage FROM system.clientcert WHERE cert=?", array($cert));
45 44
 	if ($result->rowCount() < 1)
46 45
 		return NULL;
47 46
 	else {
... ...
@@ -39,9 +39,8 @@ function prepare_cert($cert)
39 39
 
40 40
 function get_logins_by_cert($cert) 
41 41
 {
42
-	$cert = db_escape_string(prepare_cert($cert));
43
-	$query = "SELECT type,username,startpage FROM system.clientcert WHERE cert='{$cert}'";
44
-	$result = db_query($query);
42
+	$cert = prepare_cert($cert);
43
+	$result = db_query("SELECT type,username,startpage FROM system.clientcert WHERE cert=?", array($cert));
45 44
 	if ($result->rowCount() < 1)
46 45
 		return NULL;
47 46
 	else {
... ...
@@ -63,6 +63,9 @@ function strong_password($password)
63 63
 
64 64
 function filter_input_general( $input )
65 65
 {
66
+  if ($input === NULL) {
67
+    return NULL;
68
+  }
66 69
   return htmlspecialchars(iconv('UTF-8', 'UTF-8', $input), ENT_QUOTES, 'UTF-8');
67 70
 }
68 71
 
... ...
@@ -21,14 +21,13 @@ require_once("inc/debug.php");
21 21
 function customer_may_have_useraccounts()
22 22
 {
23 23
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
24
-  $result = db_query("SELECT COUNT(*) FROM system.useraccounts WHERE kunde={$customerno}");
24
+  $result = db_query("SELECT COUNT(*) FROM system.useraccounts WHERE kunde=?", array($customerno));
25 25
   return ($result->rowCount() > 0);
26 26
 }
27 27
 
28 28
 function customer_useraccount($uid) {
29
-  $uid = (int) $uid;
30
-  $customerno = (int) $_SESSION['customerinfo']['customerno'];
31
-  $result = db_query("SELECT 1 FROM system.useraccounts WHERE kunde={$customerno} AND uid={$uid} AND kundenaccount=1");
29
+  $args = array(":uid" => $uid, ":customerno" => $_SESSION['customerinfo']['customerno']);
30
+  $result = db_query("SELECT 1 FROM system.useraccounts WHERE kunde=:customerno AND uid=:uid AND kundenaccount=1", $args);
32 31
   return $result->rowCount() > 0;
33 32
 }
34 33
 
... ...
@@ -37,7 +36,7 @@ function primary_useraccount()
37 36
   if (! ($_SESSION['role'] & ROLE_SYSTEMUSER))
38 37
     return NULL;
39 38
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
40
-  $result = db_query("SELECT MIN(uid) AS uid FROM system.useraccounts WHERE kunde={$customerno}");
39
+  $result = db_query("SELECT MIN(uid) AS uid FROM system.useraccounts WHERE kunde=?", array($customerno));
41 40
   $uid = $result->fetch(PDO::FETCH_OBJ)->uid;
42 41
   DEBUG("primary useraccount: {$uid}");
43 42
   return $uid;
... ...
@@ -60,7 +59,7 @@ function available_shells()
60 59
 function list_useraccounts()
61 60
 {
62 61
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
63
-  $result = db_query("SELECT uid,username,name,erstellungsdatum,quota,shell FROM system.useraccounts WHERE kunde={$customerno}");
62
+  $result = db_query("SELECT uid,username,name,erstellungsdatum,quota,shell FROM system.useraccounts WHERE kunde=?", array($customerno));
64 63
   $ret = array();
65 64
   while ($item = $result->fetch())
66 65
   {
... ...
@@ -77,7 +76,8 @@ function get_account_details($uid, $customerno=0)
77 76
   $customerno = (int) $customerno;
78 77
   if ($customerno == 0)
79 78
     $customerno = $_SESSION['customerinfo']['customerno'];
80
-  $result = db_query("SELECT uid,username,name,shell,quota,erstellungsdatum FROM system.useraccounts WHERE kunde={$customerno} AND uid={$uid}");
79
+  $args = array(":uid" => $uid, ":customerno" => $customerno);
80
+  $result = db_query("SELECT uid,username,name,shell,quota,erstellungsdatum FROM system.useraccounts WHERE kunde=:customerno AND uid=:uid", $args);
81 81
   if ($result->rowCount() == 0)
82 82
     system_failure("Cannot find the requestes useraccount (for this customer).");
83 83
   return $result->fetch();
... ...
@@ -86,7 +86,7 @@ function get_account_details($uid, $customerno=0)
86 86
 function get_used_quota($uid)
87 87
 {
88 88
   $uid = (int) $uid;
89
-  $result = db_query("SELECT s.hostname AS server, systemquota, systemquota_used, mailquota, mailquota_used FROM system.v_quota AS q LEFT JOIN system.servers AS s ON (s.id=q.server) WHERE uid='{$uid}'");
89
+  $result = db_query("SELECT s.hostname AS server, systemquota, systemquota_used, mailquota, mailquota_used FROM system.v_quota AS q LEFT JOIN system.servers AS s ON (s.id=q.server) WHERE uid=?", array($uid));
90 90
   $ret = array();
91 91
   while ($line = $result->fetch())
92 92
     $ret[] = $line;
... ...
@@ -97,26 +97,30 @@ function get_used_quota($uid)
97 97
 
98 98
 function set_account_details($account)
99 99
 {
100
-  $uid = (int) $account['uid'];
101 100
   $customerno = NULL;
102 101
   if ($_SESSION['role'] & ROLE_CUSTOMER)
103 102
     $customerno = (int) $_SESSION['customerinfo']['customerno'];
104 103
   else
105 104
     $customerno = (int) $_SESSION['userinfo']['customerno'];
106 105
 
107
-  $fullname = maybe_null(db_escape_string(filter_input_general($account['name'])));
108
-  $shell = db_escape_string(filter_input_general($account['shell']));
109
-  $quota = (int) $account['quota'];
106
+  if ($account['name'] == '') {
107
+    $account['name'] = NULL;
108
+  }  
109
+  $args = array(":fullname" => filter_input_general($account['name']),
110
+                ":shell" => filter_input_general($account['shell']),
111
+                ":quota" => $account['quota'],
112
+                ":uid" => $account['uid'],
113
+                ":customerno" => $customerno);
110 114
 
111
-  db_query("UPDATE system.useraccounts SET name={$fullname}, quota={$quota}, shell='{$shell}' WHERE kunde={$customerno} AND uid={$uid}");
112
-  logger(LOG_INFO, "modules/systemuser/include/useraccounts", "systemuser", "updated details for uid {$uid}");
115
+  db_query("UPDATE system.useraccounts SET name=:fullname, quota=:quota, shell=:shell WHERE kunde=:customerno AND uid=:uid", $args);
116
+  logger(LOG_INFO, "modules/systemuser/include/useraccounts", "systemuser", "updated details for uid {$args[":uid"]}");
113 117
 
114 118
 }
115 119
 
116 120
 function get_customer_quota()
117 121
 {
118 122
   $cid = (int) $_SESSION['customerinfo']['customerno'];
119
-  $result = db_query("SELECT SUM(u.quota) AS assigned, cq.quota AS max FROM system.customerquota AS cq INNER JOIN system.useraccounts AS u ON (u.kunde=cq.cid) WHERE cq.cid={$cid}");
123
+  $result = db_query("SELECT SUM(u.quota) AS assigned, cq.quota AS max FROM system.customerquota AS cq INNER JOIN system.useraccounts AS u ON (u.kunde=cq.cid) WHERE cq.cid=?", array($cid));
120 124
   $ret = $result->fetch();
121 125
   DEBUG($ret);
122 126
   return $ret;
... ...
@@ -29,7 +29,6 @@ function load_results()
29 29
 }
30 30
 
31 31
 function get_upgradeinstructions($appname) {
32
-  $appname = db_escape_string($appname);
33 32
   $result = db_query("SELECT url FROM qatools.freewvs_upgradeinstructions WHERE appname=?", array($appname));
34 33
   if ($result->rowCount() > 0) {
35 34
     $tmp = $result->fetch();