external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Applied a patch from Loui to fix session removal.

Browse source 
- Replaced all occurences of mysql_escape_string()
  with mysql_real_escape_string().
This commit is contained in:
swiergot 2007-09-20 15:33:04 +00:00
parent 9ab02ad6a7
commit 0b92839bee
8 changed files with 71 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

2
web/html/account.php
View file

@ -106,7 +106,7 @@ if (isset($_COOKIE["AURSID"])) {
$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
$q.= "AND Users.ID = Sessions.UsersID ";
$q.= "AND Sessions.SessionID = '";
$q.= mysql_escape_string($_COOKIE["AURSID"])."'";
$q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
$result = db_query($q, $dbh);
if (!mysql_num_rows($result)) {
print __("Could not retrieve information for the specified user.");

4
web/html/index.php
View file

@ -28,8 +28,8 @@ if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
$_REQUEST["pass"] = md5($_REQUEST["pass"]);
$dbh = db_connect();
$q = "SELECT ID, Suspended FROM Users ";
$q.= "WHERE Username = '" . mysql_escape_string($_REQUEST["user"]) . "' ";
$q.= "AND Passwd = '" . mysql_escape_string($_REQUEST["pass"]) . "'";
$q.= "WHERE Username = '" . mysql_real_escape_string($_REQUEST["user"]) . "' ";
$q.= "AND Passwd = '" . mysql_real_escape_string($_REQUEST["pass"]) . "'";
$result = db_query($q, $dbh);
if (!$result) {
$login_error = __("Error looking up username, %s.",

4
web/html/logout.php
View file

@ -11,9 +11,9 @@ set_lang(); # this sets up the visitor's language
# sending any HTML output.
#
if (isset($_COOKIE["AURSID"])) {
$q = "DELETE FROM Sessions WHERE SessionID = '";
$q.= mysql_escape_string($_COOKIE["AURSID"]) . "'";
$dbh = db_connect();
$q = "DELETE FROM Sessions WHERE SessionID = '";
$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
db_query($q, $dbh);
setcookie("AURSID", "", time() - (60*60*24*30), "/");
setcookie("AURLANG", "", time() - (60*60*24*30), "/");

2
web/html/pkgedit.php
View file

@ -73,7 +73,7 @@ if ($_REQUEST["add_Comment"]) {
$q = "INSERT INTO PackageComments ";
$q.= "(PackageID, UsersID, Comments, CommentTS) VALUES (";
$q.= intval($_REQUEST["ID"]).", ".uid_from_sid($_COOKIE["AURSID"]) . ", ";
$q.= "'".mysql_escape_string($_REQUEST["comment"])."', ";
$q.= "'".mysql_real_escape_string($_REQUEST["comment"])."', ";
$q.= "UNIX_TIMESTAMP())";
db_query($q, $dbh);
print __("Comment has been added.")."<br />&nbsp;<br />\n";

46
web/html/pkgsubmit.php
View file

@ -374,7 +374,7 @@ if ($_COOKIE["AURSID"]) {
# purged.
#
$q = "SELECT * FROM Packages ";
$q.= "WHERE Name = '".mysql_escape_string($new_pkgbuild['pkgname'])."'";
$q.= "WHERE Name = '".mysql_real_escape_string($new_pkgbuild['pkgname'])."'";
$result = db_query($q, $dbh);
$pdata = mysql_fetch_assoc($result);
@ -402,13 +402,13 @@ if ($_COOKIE["AURSID"]) {
} else {
$q.="ModifiedTS = UNIX_TIMESTAMP(), ";
}
$q.="Name='".mysql_escape_string($new_pkgbuild['pkgname'])."', ";
$q.="Version='".mysql_escape_string($new_pkgbuild['pkgver'])."-".
mysql_escape_string($new_pkgbuild['pkgrel'])."',";
$q.="CategoryID=".mysql_escape_string($_REQUEST['category']).", ";
$q.="License='".mysql_escape_string($new_pkgbuild['license'])."', ";
$q.="Description='".mysql_escape_string($new_pkgbuild['pkgdesc'])."', ";
$q.="URL='".mysql_escape_string($new_pkgbuild['url'])."', ";
$q.="Name='".mysql_real_escape_string($new_pkgbuild['pkgname'])."', ";
$q.="Version='".mysql_real_escape_string($new_pkgbuild['pkgver'])."-".
mysql_real_escape_string($new_pkgbuild['pkgrel'])."',";
$q.="CategoryID=".mysql_real_escape_string($_REQUEST['category']).", ";
$q.="License='".mysql_real_escape_string($new_pkgbuild['license'])."', ";
$q.="Description='".mysql_real_escape_string($new_pkgbuild['pkgdesc'])."', ";
$q.="URL='".mysql_real_escape_string($new_pkgbuild['url'])."', ";
$q.="LocationID=2, ";
if (account_from_sid($_COOKIE["AURSID"]) == "Trusted User" || account_from_sid($_COOKIE["AURSID"]) == "Developer") {
$q.="Safe=1, VerifiedBy=".uid_from_sid($_COOKIE["AURSID"]).", ";
@ -416,9 +416,9 @@ if ($_COOKIE["AURSID"]) {
$q.="Safe=0, ";
}
$fspath=$INCOMING_DIR.$pkg_name."/".$_FILES["pfile"]["name"];
$q.="FSPath='".mysql_escape_string($fspath)."', ";
$q.="FSPath='".mysql_real_escape_string($fspath)."', ";
$urlpath=$URL_DIR.$pkg_name."/".$_FILES["pfile"]["name"];
$q.="URLPath='".mysql_escape_string($urlpath)."' ";
$q.="URLPath='".mysql_real_escape_string($urlpath)."' ";
$q.="WHERE ID = " . $pdata["ID"];
$result = db_query($q, $dbh);
@ -461,7 +461,7 @@ if ($_COOKIE["AURSID"]) {
$sources = explode(" ", $new_pkgbuild['source']);
while (list($k, $v) = each($sources)) {
$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
$q .= $pdata["ID"].", '".mysql_escape_string($v)."')";
$q .= $pdata["ID"].", '".mysql_real_escape_string($v)."')";
db_query($q, $dbh);
}
@ -470,7 +470,7 @@ if ($_COOKIE["AURSID"]) {
$q = "INSERT INTO PackageComments ";
$q.= "(PackageID, UsersID, Comments, CommentTS) VALUES (";
$q.= $pdata["ID"] . ", " . uid_from_sid($_COOKIE['AURSID']);
$q.= ", '" . mysql_escape_string($_REQUEST["comments"]);
$q.= ", '" . mysql_real_escape_string($_REQUEST["comments"]);
$q.= "', UNIX_TIMESTAMP())";
db_query($q);
@ -484,13 +484,13 @@ if ($_COOKIE["AURSID"]) {
}
$q.= " SubmittedTS, SubmitterUID, MaintainerUID, FSPath, URLPath) ";
$q.= "VALUES ('";
$q.= mysql_escape_string($new_pkgbuild['pkgname'])."', '";
$q.= mysql_escape_string($new_pkgbuild['license'])."', '";
$q.= mysql_escape_string($new_pkgbuild['pkgver'])."-".
mysql_escape_string($new_pkgbuild['pkgrel'])."', ";
$q.= mysql_escape_string($_REQUEST['category']).", '";
$q.= mysql_escape_string($new_pkgbuild['pkgdesc'])."', '";
$q.= mysql_escape_string($new_pkgbuild['url']);
$q.= mysql_real_escape_string($new_pkgbuild['pkgname'])."', '";
$q.= mysql_real_escape_string($new_pkgbuild['license'])."', '";
$q.= mysql_real_escape_string($new_pkgbuild['pkgver'])."-".
mysql_real_escape_string($new_pkgbuild['pkgrel'])."', ";
$q.= mysql_real_escape_string($_REQUEST['category']).", '";
$q.= mysql_real_escape_string($new_pkgbuild['pkgdesc'])."', '";
$q.= mysql_real_escape_string($new_pkgbuild['url']);
$q.= "', 2, ";
if (account_from_sid($_COOKIE["AURSID"]) == "Trusted User" || account_from_sid($_COOKIE["AURSID"]) == "Developer") {
$q.= "1, ".uid_from_sid($_COOKIE["AURSID"]).", ";
@ -499,9 +499,9 @@ if ($_COOKIE["AURSID"]) {
$q.= uid_from_sid($_COOKIE["AURSID"]).", ";
$q.= uid_from_sid($_COOKIE["AURSID"]).", '";
$fspath=$INCOMING_DIR.$pkg_name."/".$_FILES["pfile"]["name"];
$q.= mysql_escape_string($fspath)."', '";
$q.= mysql_real_escape_string($fspath)."', '";
$urlpath=$URL_DIR.$pkg_name."/".$_FILES["pfile"]["name"];
$q.= mysql_escape_string($urlpath)."')";
$q.= mysql_real_escape_string($urlpath)."')";
$result = db_query($q, $dbh);
# print $result . "<br>";
@ -539,7 +539,7 @@ if ($_COOKIE["AURSID"]) {
$sources = explode(" ", $new_pkgbuild['source']);
while (list($k, $v) = each($sources)) {
$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
$q .= $packageID.", '".mysql_escape_string($v)."')";
$q .= $packageID.", '".mysql_real_escape_string($v)."')";
db_query($q, $dbh);
}
@ -548,7 +548,7 @@ if ($_COOKIE["AURSID"]) {
$q = "INSERT INTO PackageComments ";
$q.= "(PackageID, UsersID, Comments, CommentTS) VALUES (";
$q.= $packageID . ", " . uid_from_sid($_COOKIE["AURSID"]) . ", '";
$q.= mysql_escape_string($_REQUEST["comments"]);
$q.= mysql_real_escape_string($_REQUEST["comments"]);
$q.= "', UNIX_TIMESTAMP())";
db_query($q, $dbh);
}