diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-10-20 08:15:02 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-10-24 17:57:54 +0200 |
commit | 323d418f02074613241d65b9cabbfd65afea9abe (patch) | |
tree | afa3290e6d2d0ad04955e3e9331b885587e7e1f6 /web/lib/acctfuncs.inc.php | |
parent | 54d5dcc6e87732f89e6346eb35e30837a23a32b3 (diff) | |
download | aur-323d418f02074613241d65b9cabbfd65afea9abe.tar.gz aur-323d418f02074613241d65b9cabbfd65afea9abe.tar.xz |
Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib/acctfuncs.inc.php')
-rw-r--r-- | web/lib/acctfuncs.inc.php | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 94e2e72b..8b562592 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -226,7 +226,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".mysql_real_escape_string($U)."'"; + $q.= "WHERE Username = '".db_escape_string($U)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -244,7 +244,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".mysql_real_escape_string($E)."'"; + $q.= "WHERE Email = '".db_escape_string($E)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -266,7 +266,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and create the unprivileged user $salt = generate_salt(); $P = salted_hash($P, $salt); - $escaped = array_map('mysql_real_escape_string', + $escaped = array_map('db_escape_string', array($U, $E, $P, $salt, $R, $L, $I)); $q = "INSERT INTO Users (" . "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . @@ -290,7 +290,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and modify the user account $q = "UPDATE Users SET "; - $q.= "Username = '".mysql_real_escape_string($U)."'"; + $q.= "Username = '".db_escape_string($U)."'"; if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -299,15 +299,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".mysql_real_escape_string($E)."'"; + $q.= ", Email = '".db_escape_string($E)."'"; if ($P) { $salt = generate_salt(); $hash = salted_hash($P, $salt); $q .= ", Passwd = '$hash', Salt = '$salt'"; } - $q.= ", RealName = '".mysql_real_escape_string($R)."'"; - $q.= ", LangPreference = '".mysql_real_escape_string($L)."'"; - $q.= ", IRCNick = '".mysql_real_escape_string($I)."'"; + $q.= ", RealName = '".db_escape_string($R)."'"; + $q.= ", LangPreference = '".db_escape_string($L)."'"; + $q.= ", IRCNick = '".db_escape_string($I)."'"; $q.= " WHERE ID = ".intval($UID); $result = db_query($q, $dbh); if (!$result) { @@ -373,19 +373,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; $search_vars[] = "I"; } switch ($SB) { @@ -720,7 +720,7 @@ function valid_user( $user, $dbh ) /* if ( $user = valid_username($user) ) { */ if ( $user ) { $q = "SELECT ID FROM Users WHERE Username = '" - . mysql_real_escape_string($user). "'"; + . db_escape_string($user). "'"; $result = db_query($q, $dbh); # Is the username in the database? |