external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Wrap mysql_real_escape_string() in a function

Browse source 
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.

This is a rebased version of a patch by elij submitted about half a year
ago.

Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Conflicts:

	web/lib/aur.inc.php
This commit is contained in:
Lukas Fleischer 2011-10-20 08:15:02 +02:00
parent e1687f1830
commit 10b6a8fff7
12 changed files with 67 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

26
web/lib/acctfuncs.inc.php
View file

@ -225,7 +225,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# NOTE: a race condition exists here if we care...
#
$q = "SELECT COUNT(*) AS CNT FROM Users ";
$q.= "WHERE Username = '".mysql_real_escape_string($U)."'";
$q.= "WHERE Username = '".db_escape_string($U)."'";
if ($TYPE == "edit") {
$q.= " AND ID != ".intval($UID);
}
@ -243,7 +243,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# NOTE: a race condition exists here if we care...
#
$q = "SELECT COUNT(*) AS CNT FROM Users ";
$q.= "WHERE Email = '".mysql_real_escape_string($E)."'";
$q.= "WHERE Email = '".db_escape_string($E)."'";
if ($TYPE == "edit") {
$q.= " AND ID != ".intval($UID);
}
@ -265,7 +265,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# no errors, go ahead and create the unprivileged user
$salt = generate_salt();
$P = salted_hash($P, $salt);
$escaped = array_map('mysql_real_escape_string',
$escaped = array_map('db_escape_string',
array($U, $E, $P, $salt, $R, $L, $I));
$q = "INSERT INTO Users (" .
"AccountTypeID, Suspended, Username, Email, Passwd, Salt" .
@ -289,7 +289,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# no errors, go ahead and modify the user account
$q = "UPDATE Users SET ";
$q.= "Username = '".mysql_real_escape_string($U)."'";
$q.= "Username = '".db_escape_string($U)."'";
if ($T) {
$q.= ", AccountTypeID = ".intval($T);
}
@ -298,15 +298,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
} else {
$q.= ", Suspended = 0";
}
$q.= ", Email = '".mysql_real_escape_string($E)."'";
$q.= ", Email = '".db_escape_string($E)."'";
if ($P) {
$salt = generate_salt();
$hash = salted_hash($P, $salt);
$q .= ", Passwd = '$hash', Salt = '$salt'";
}
$q.= ", RealName = '".mysql_real_escape_string($R)."'";
$q.= ", LangPreference = '".mysql_real_escape_string($L)."'";
$q.= ", IRCNick = '".mysql_real_escape_string($I)."'";
$q.= ", RealName = '".db_escape_string($R)."'";
$q.= ", LangPreference = '".db_escape_string($L)."'";
$q.= ", IRCNick = '".db_escape_string($I)."'";
$q.= " WHERE ID = ".intval($UID);
$result = db_query($q, $dbh);
if (!$result) {
@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$search_vars[] = "S";
}
if ($U) {
$q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' ";
$q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
$search_vars[] = "U";
}
if ($E) {
$q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' ";
$q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
$search_vars[] = "E";
}
if ($R) {
$q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' ";
$q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
$search_vars[] = "R";
}
if ($I) {
$q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' ";
$q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
$search_vars[] = "I";
}
switch ($SB) {
@ -716,7 +716,7 @@ function valid_user( $user )
if ( $user ) {
$dbh = db_connect();
$q = "SELECT ID FROM Users WHERE Username = '"
. mysql_real_escape_string($user). "'";
. db_escape_string($user). "'";
$result = db_query($q, $dbh);
# Is the username in the database?