Wrap mysql_real_escape_string() in a function

Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2025-02-03 10:43:03 +01:00 · 2011-10-20 08:15:02 +02:00 · 2011-10-20 08:15:02 +02:00 · 323d418f02
commit 323d418f02
parent 54d5dcc6e8
12 changed files with 66 additions and 61 deletions
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@ -29,7 +29,7 @@ function check_sid($dbh=NULL) {
 			$dbh = db_connect();
 		}
 		$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
-		$q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+		$q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'";
 		$result = db_query($q, $dbh);
 		if (mysql_num_rows($result) == 0) {
 			# Invalid SessionID - hacker alert!
@ -53,7 +53,7 @@ function check_sid($dbh=NULL) {
 			# session id timeout was reached and they must login again.
 			#
 			$q = "DELETE FROM Sessions WHERE SessionID = '";
-			$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+			$q.= db_escape_string($_COOKIE["AURSID"]) . "'";
 			db_query($q, $dbh);

 			setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
@ -69,7 +69,7 @@ function check_sid($dbh=NULL) {
 			# overwritten.
 			if ($last_update < time() + $LOGIN_TIMEOUT) {
 				$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
-				$q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'";
+				$q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'";
 				db_query($q, $dbh);
 			}
 		}
@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) {
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id);
+	$q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id);
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "None";
@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Username ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "";
@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Email ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "";
@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) {
 	$q.= "FROM Users, AccountTypes, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
 	$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "";
@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) {
 	$q = "SELECT Users.ID ";
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+	$q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
 		return 0;
@ -223,6 +223,12 @@ function db_connect() {
 	return $handle;
 }

+# Escape strings for SQL query usage.
+# Wraps the database driver's provided method (for convenience and porting).
+function db_escape_string($string) {
+	return mysql_real_escape_string($string);
+}
+
 # disconnect from the database
 # this won't normally be needed as PHP/reference counting will take care of
 # closing the connection once it is no longer referenced
@ -261,7 +267,6 @@ function db_query($query="", $db_handle="") {
 	return $result;
 }

-
 # common header
 #
 function html_header($title="") {
@ -299,7 +304,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) {
 		$dbh = db_connect();
 	}
 	$q = "SELECT MaintainerUID ";
-	$q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'";
+	$q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'";
 	$result = db_query($q, $dbh);
 	if (mysql_num_rows($result) == 0) {return 1;}
 	$row = mysql_fetch_row($result);
@ -372,7 +377,7 @@ function uid_from_username($username="", $dbh=NULL)
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username)
+	$q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username)
 				."'";
 	$result = db_query($q, $dbh);
 	if (!$result) {
@ -393,7 +398,7 @@ function uid_from_email($email="", $dbh=NULL)
 	if(!$dbh) {
 		$dbh = db_connect();
 	}
-	$q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email)
+	$q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email)
 				."'";
 	$result = db_query($q, $dbh);
 	if (!$result) {