diff options
| author | elij <elij.mx@gmail.com> | 2011-05-12 01:17:12 +0200 |
|---|---|---|
| committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-05-17 10:43:42 +0200 |
| commit | 0898f1447a2d6bdc893f55f4718f867734841361 (patch) | |
| tree | 22ab9736ad4b92af12daeb3a5215b126c3a8c22c /web/lib/acctfuncs.inc | |
| parent | d38f3460e55ad4e8486c63902f3b581684d6f188 (diff) | |
| download | aur-0898f1447a2d6bdc893f55f4718f867734841361.tar.gz aur-0898f1447a2d6bdc893f55f4718f867734841361.tar.xz | |
test return value from db_query before assuming it is valid
make the sql query form consistent in usage by cleaning up instances
where db_query's result was not inspected before attempting to fetch row
data from the handle
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib/acctfuncs.inc')
| -rw-r--r-- | web/lib/acctfuncs.inc | 59 |
1 files changed, 35 insertions, 24 deletions
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc index 8ffa2f71..5bcff8b5 100644 --- a/web/lib/acctfuncs.inc +++ b/web/lib/acctfuncs.inc @@ -197,7 +197,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } if (!$error && !valid_username($U) && !user_is_privileged($editor_user)) - $error = __("The username is invalid.") . "<ul>\n" + $error = __("The username is invalid.") . "<ul>\n" ."<li>" . __("It must be between %s and %s characters long", USERNAME_MIN_LEN, USERNAME_MAX_LEN ) . "</li>" @@ -718,11 +718,11 @@ function valid_user( $user ) $q = "SELECT ID FROM Users WHERE Username = '" . mysql_real_escape_string($user). "'"; - $result = mysql_fetch_row(db_query($q, $dbh)); - + $result = db_query($q, $dbh); # Is the username in the database? - if ($result[0]) { - return $result[0]; + if ($result) { + $row = mysql_fetch_row($result); + return $row[0]; } } return; @@ -751,25 +751,30 @@ function valid_passwd( $userID, $passwd ) $passwd_q = "SELECT ID FROM Users" . " WHERE ID = " . $userID . " AND Passwd = '" . salted_hash($passwd, $salt) . "'"; - $passwd_result = mysql_fetch_row(db_query($passwd_q, $dbh)); - if ($passwd_result[0]) { - return true; + $result = db_query($passwd_q, $dbh); + if ($result) { + $passwd_result = mysql_fetch_row($result); + if ($passwd_result[0]) { + return true; + } } } else { # check without salt $nosalt_q = "SELECT ID FROM Users". " WHERE ID = " . $userID . " AND Passwd = '" . md5($passwd) . "'"; - $nosalt_result = mysql_fetch_row(db_query($nosalt_q, $dbh)); - if ($nosalt_result[0]) { - # password correct, but salt it first - if (!save_salt($userID, $passwd)) { - trigger_error("Unable to salt user's password;" . - " ID " . $userID, E_USER_WARNING); - return false; + $result = db_query($nosalt_q, $dbh); + if ($result) { + $nosalt_row = mysql_fetch_row($result); + if ($nosalt_row[0]) { + # password correct, but salt it first + if (!save_salt($userID, $passwd)) { + trigger_error("Unable to salt user's password;" . + " ID " . $userID, E_USER_WARNING); + return false; + } + return true; } - - return true; } } } @@ -783,9 +788,12 @@ function user_suspended( $id ) { $dbh = db_connect(); $q = "SELECT Suspended FROM Users WHERE ID = " . $id; - $result = mysql_fetch_row(db_query($q, $dbh)); - if ($result[0] == 1 ) { - return true; + $result = db_query($q, $dbh); + if ($result) { + $row = mysql_fetch_row($result); + if ($result[0] == 1 ) { + return true; + } } return false; } @@ -797,7 +805,7 @@ function user_delete( $id ) { $dbh = db_connect(); $q = "DELETE FROM Users WHERE ID = " . $id; - $result = mysql_fetch_row(db_query($q, $dbh)); + db_query($q, $dbh); return; } @@ -809,9 +817,12 @@ function user_is_privileged( $id ) { $dbh = db_connect(); $q = "SELECT AccountTypeID FROM Users WHERE ID = " . $id; - $result = mysql_fetch_row(db_query($q, $dbh)); - if( $result[0] > 1) { - return $result[0]; + $result = db_query($q, $dbh); + if ($result) { + $row = mysql_fetch_row($result); + if( $result[0] > 1) { + return $result[0]; + } } return 0; |