From 323d418f02074613241d65b9cabbfd65afea9abe Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Thu, 20 Oct 2011 08:15:02 +0200
Subject: Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago.
Thanks-to: elij
Signed-off-by: Lukas Fleischer
---
 web/html/account.php | 2 +-
 web/html/addvote.php | 10 +++++-----
 web/html/logout.php | 2 +-
 web/html/passreset.php | 4 ++--
 web/html/pkgsubmit.php | 28 ++++++++++++++--------------
 web/html/voters.php | 2 +-
 6 files changed, 24 insertions(+), 24 deletions(-)
(limited to 'web/html')
diff --git a/web/html/account.php b/web/html/account.php
index d42c61b6..d94d7119 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -111,7 +111,7 @@ if (isset($_COOKIE["AURSID"])) {
 $q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
 $q.= "AND Users.ID = Sessions.UsersID ";
 $q.= "AND Sessions.SessionID = '";
- $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
+ $q.= db_escape_string($_COOKIE["AURSID"])."'";
 $result = db_query($q, $dbh);
 if (!mysql_num_rows($result)) {
 print __("Could not retrieve information for the specified user.");
diff --git a/web/html/addvote.php b/web/html/addvote.php
index fe3037d5..f0e7d31a 100644
--- a/web/html/addvote.php
+++ b/web/html/addvote.php
@@ -20,7 +20,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
 $error = "";
 if (!empty($_POST['user'])) {
- $qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'";
+ $qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape_string($_POST['user']) . "'";
 $result = db_query($qcheck, $dbh);
 if ($result) {
 $check = mysql_num_rows($result);
@@ -32,7 +32,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
 if ($check == 0) {
 $error.= __("Username does not exist.");
 } else {
- $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'";
+ $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($_POST['user']) . "'";
 $qcheck.= " AND End > UNIX_TIMESTAMP()";
 $result = db_query($qcheck, $dbh);
 if ($result) {
@@ -67,9 +67,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
 if (!empty($_POST['addVote']) && empty($error)) {
 $q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
- $q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', ";
- $q.= "'" . mysql_real_escape_string($_POST['user']) . "', ";
- $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len);
+ $q.= "('" . db_escape_string($_POST['agenda']) . "', ";
+ $q.= "'" . db_escape_string($_POST['user']) . "', ";
+ $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($len);
 $q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")";
 db_query($q, $dbh);
diff --git a/web/html/logout.php b/web/html/logout.php
index 9d0e7a90..e51eeb92 100644
--- a/web/html/logout.php
+++ b/web/html/logout.php
@@ -12,7 +12,7 @@ include_once("acctfuncs.inc.php"); # access AUR common functions
 if (isset($_COOKIE["AURSID"])) {
 $dbh = db_connect();
 $q = "DELETE FROM Sessions WHERE SessionID = '";
- $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+ $q.= db_escape_string($_COOKIE["AURSID"]) . "'";
 db_query($q, $dbh);
 # setting expiration to 1 means '1 second after midnight January 1, 1970'
 setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
diff --git a/web/html/passreset.php b/web/html/passreset.php
index 01f32047..87be1b27 100644
--- a/web/html/passreset.php
+++ b/web/html/passreset.php
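Review bot: `db_escape_string($len)` on the last added line of the `@@ -67,9` hunk is spliced into an unquoted numeric expression (`UNIX_TIMESTAMP() + ...`), where quote-escaping gives no protection — a value such as `0 OR 1=1` contains nothing for the escaper to touch, and the rename preserves exactly the gap the old `mysql_real_escape_string()` call had. If `$len` can derive from request input without an earlier numeric check (its assignment is outside this hunk), the guard should be a cast: `$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . intval($len);`. The same consideration applies to the unquoted `uid_from_sid(...)` concatenation on the following context line, which this commit does not touch. The enclosing `if` block continues past the end of the hunk.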
@@ -40,8 +40,8 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
 Salt = '$salt',
 ResetKey = ''
 WHERE ResetKey != ''
- AND ResetKey = '".mysql_real_escape_string($resetkey)."'
- AND Email = '".mysql_real_escape_string($email)."'";
+ AND ResetKey = '".db_escape_string($resetkey)."'
+ AND Email = '".db_escape_string($email)."'";
 $result = db_query($q, $dbh);
 if (!mysql_affected_rows($dbh)) {
 $error = __('Invalid e-mail and reset key combination.');
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index f715e15f..75a4b697 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -301,7 +301,7 @@ if ($uid):
 $dbh = db_connect();
 db_query("BEGIN", $dbh);
- $q = "SELECT * FROM Packages WHERE Name = '" . mysql_real_escape_string($new_pkgbuild['pkgname']) . "'";
+ $q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($new_pkgbuild['pkgname']) . "'";
 $result = db_query($q, $dbh);
 $pdata = mysql_fetch_assoc($result);
@@ -346,11 +346,11 @@ if ($uid):
 # Update package data
 $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
- mysql_real_escape_string($new_pkgbuild['pkgname']),
- mysql_real_escape_string($pkg_version),
- mysql_real_escape_string($new_pkgbuild['license']),
- mysql_real_escape_string($new_pkgbuild['pkgdesc']),
- mysql_real_escape_string($new_pkgbuild['url']),
+ db_escape_string($new_pkgbuild['pkgname']),
+ db_escape_string($pkg_version),
+ db_escape_string($new_pkgbuild['license']),
+ db_escape_string($new_pkgbuild['pkgdesc']),
+ db_escape_string($new_pkgbuild['url']),
 $uid,
 $packageID);
@@ -359,12 +359,12 @@ if ($uid):
 } else {
 # This is a brand new package
 $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
- mysql_real_escape_string($new_pkgbuild['pkgname']),
- mysql_real_escape_string($new_pkgbuild['license']),
- mysql_real_escape_string($pkg_version),
+ db_escape_string($new_pkgbuild['pkgname']),
+ db_escape_string($new_pkgbuild['license']),
+ db_escape_string($pkg_version),
 $category_id,
- mysql_real_escape_string($new_pkgbuild['pkgdesc']),
- mysql_real_escape_string($new_pkgbuild['url']),
+ db_escape_string($new_pkgbuild['pkgdesc']),
+ db_escape_string($new_pkgbuild['url']),
 $uid,
 $uid);
@@ -389,8 +389,8 @@ if ($uid):
 $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')",
 $packageID,
- mysql_real_escape_string($deppkgname),
- mysql_real_escape_string($depcondition));
+ db_escape_string($deppkgname),
+ db_escape_string($depcondition));
 db_query($q, $dbh);
 }
@@ -401,7 +401,7 @@ if ($uid):
 foreach ($sources as $src) {
 if ($src != "" ) {
 $q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
- $q .= $packageID . ", '" . mysql_real_escape_string($src) . "')";
+ $q .= $packageID . ", '" . db_escape_string($src) . "')";
 db_query($q, $dbh);
 }
 }
diff --git a/web/html/voters.php b/web/html/voters.php
index aa2aa50c..02abe290 100644
--- a/web/html/voters.php
+++ b/web/html/voters.php
@@ -5,7 +5,7 @@ include('pkgfuncs.inc.php');
 function getvotes($pkgid) {
 $dbh = db_connect();
- $pkgid = mysql_real_escape_string($pkgid);
+ $pkgid = db_escape_string($pkgid);
 $result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh);
 return $result;
--
cgit v1.2.3-24-g4f1b
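Review bot: In `getvotes()` (the `web/html/voters.php` hunk), the escaped `$pkgid` is interpolated unquoted into `WHERE PackageID = $pkgid`, so `db_escape_string()` — exactly like the `mysql_real_escape_string()` it replaces — does not make this query safe: escaping only neutralises quote and backslash characters, and an injected value like `1 OR 1=1` has none. Since the column is compared as a number, the correct guard is an integer cast, `$pkgid = intval($pkgid);`, and because `$pkgid`'s origin is outside this hunk it should be treated as untrusted until the caller shows otherwise. The function's closing brace is not shown in the hunk.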