Wrap mysql_real_escape_string() in a function

Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2025-02-03 10:43:03 +01:00 · 2011-10-20 08:15:02 +02:00 · 2011-10-20 08:15:02 +02:00 · 10b6a8fff7
commit 10b6a8fff7
parent e1687f1830
12 changed files with 67 additions and 61 deletions
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@ -29,7 +29,7 @@ function check_sid($dbh=NULL) {
 			$dbh = db_connect();
 		}
 		$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
-		$q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+		$q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'";
 		$result = db_query($q, $dbh);
 		if (mysql_num_rows($result) == 0) {
 			# Invalid SessionID - hacker alert!
@ -53,7 +53,7 @@ function check_sid($dbh=NULL) {
 			# session id timeout was reached and they must login again.
 			#
 			$q = "DELETE FROM Sessions WHERE SessionID = '";
-			$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+			$q.= db_escape_string($_COOKIE["AURSID"]) . "'";
 			db_query($q, $dbh);

 			setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
@ -69,7 +69,7 @@ function check_sid($dbh=NULL) {
 			# overwritten.
 			if ($last_update < time() + $LOGIN_TIMEOUT) {
 				$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
-				$q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'";
+				$q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'";
 				db_query($q, $dbh);
 			}
 		}
@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id);
+	$q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id);
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "None";
@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Username ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "";
@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Email ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "";
@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) {
 	$q.= "FROM Users, AccountTypes, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
 	$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "";
@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Users.ID ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return 0;
@ -223,6 +223,12 @@ function db_connect() {
 	return $handle;
 }

+# Escape strings for SQL query usage.
+# Wraps the database driver's provided method (for convenience and porting).
+function db_escape_string($string) {
+	return mysql_real_escape_string($string);
+}
+
 # disconnect from the database
 # this won't normally be needed as PHP/reference counting will take care of
 # closing the connection once it is no longer referenced
@ -290,7 +296,7 @@ function set_lang($dbh=NULL) {
 		$q = "SELECT LangPreference FROM Users, Sessions ";
 		$q.= "WHERE Users.ID = Sessions.UsersID ";
 		$q.= "AND Sessions.SessionID = '";
-		$q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
+		$q.= db_escape_string($_COOKIE["AURSID"])."'";
 		$result = db_query($q, $dbh);

 		if ($result) {
@ -355,7 +361,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$q = "SELECT MaintainerUID ";
-	$q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'";
+	$q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'";
 	$result = db_query($q, $dbh);
 	if (mysql_num_rows($result) == 0) {return 1;}
 	$row = mysql_fetch_row($result);
@ -428,7 +434,7 @@ function uid_from_username($username="", $dbh=NULL)
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username)
+	$q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username)
 				."'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
@ -449,7 +455,7 @@ function uid_from_email($email="", $dbh=NULL)
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email)
+	$q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email)
 				."'";
 	$result = db_query($q, $dbh);
 	if (!$result) {