diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-10-20 08:15:02 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-10-24 17:57:54 +0200 |
commit | 323d418f02074613241d65b9cabbfd65afea9abe (patch) | |
tree | afa3290e6d2d0ad04955e3e9331b885587e7e1f6 /web/lib/aur.inc.php | |
parent | 54d5dcc6e87732f89e6346eb35e30837a23a32b3 (diff) | |
download | aur-323d418f02074613241d65b9cabbfd65afea9abe.tar.gz aur-323d418f02074613241d65b9cabbfd65afea9abe.tar.xz |
Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib/aur.inc.php')
-rw-r--r-- | web/lib/aur.inc.php | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index ae22bd97..e4e1cb57 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -29,7 +29,7 @@ function check_sid($dbh=NULL) { $dbh = db_connect(); } $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; - $q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) { # Invalid SessionID - hacker alert! @@ -53,7 +53,7 @@ function check_sid($dbh=NULL) { # session id timeout was reached and they must login again. # $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); @@ -69,7 +69,7 @@ function check_sid($dbh=NULL) { # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'"; db_query($q, $dbh); } } @@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id); + $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id); $result = db_query($q, $dbh); if (!$result) { return "None"; @@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) { $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) { $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) { $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return 0; @@ -223,6 +223,12 @@ function db_connect() { return $handle; } +# Escape strings for SQL query usage. +# Wraps the database driver's provided method (for convenience and porting). +function db_escape_string($string) { + return mysql_real_escape_string($string); +} + # disconnect from the database # this won't normally be needed as PHP/reference counting will take care of # closing the connection once it is no longer referenced @@ -261,7 +267,6 @@ function db_query($query="", $db_handle="") { return $result; } - # common header # function html_header($title="") { @@ -299,7 +304,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT MaintainerUID "; - $q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'"; + $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) {return 1;} $row = mysql_fetch_row($result); @@ -372,7 +377,7 @@ function uid_from_username($username="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username) + $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username) ."'"; $result = db_query($q, $dbh); if (!$result) { @@ -393,7 +398,7 @@ function uid_from_email($email="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email) + $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email) ."'"; $result = db_query($q, $dbh); if (!$result) { |