authorDan McGee <dan@archlinux.org>2011-03-01 18:24:29 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2011-03-04 10:29:15 +0100
commitbbc90846f5f40dff92eca7ffafbcf6daa98956e3 (patch)
tree0d5520e016370bf4ebac5781e554a41368e85ad3 /web
parent0e304107677cbcd9aa73500d3e5f5fda692a260e (diff)
downloadaur-bbc90846f5f40dff92eca7ffafbcf6daa98956e3.tar.gz
aur-bbc90846f5f40dff92eca7ffafbcf6daa98956e3.tar.xz
Ensure all package ID values are coerced to integers
We don't need mysql_real_escape_string(), we need valid integer conversions. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web')
-rw-r--r--web/lib/pkgfuncs.inc40
1 files changed, 22 insertions, 18 deletions
diff --git a/web/lib/pkgfuncs.inc b/web/lib/pkgfuncs.inc
index 20e3880f..1be503ae 100644
--- a/web/lib/pkgfuncs.inc
+++ b/web/lib/pkgfuncs.inc
@@ -110,11 +110,12 @@ function package_exists($name="") {
#
function package_dependencies($pkgid=0) {
$deps = array();
- if ($pkgid) {
+ $pkgid = intval($pkgid);
+ if ($pkgid > 0) {
$dbh = db_connect();
$q = "SELECT DepPkgID, Name, DummyPkg, DepCondition FROM PackageDepends, Packages ";
$q.= "WHERE PackageDepends.DepPkgID = Packages.ID ";
- $q.= "AND PackageDepends.PackageID = ".mysql_real_escape_string($pkgid);
+ $q.= "AND PackageDepends.PackageID = ". $pkgid;
$q.= " ORDER BY Name";
$result = db_query($q, $dbh);
if (!$result) {return array();}
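Review bot: The contract introduced by the new `intval()` + `$pkgid > 0` guard is not documented anywhere in the hunk: an ID that does not coerce to a positive integer now skips the query and the function returns the empty `$deps` array, so the header comment above `package_dependencies` (mostly outside the hunk) should state something like `# Non-positive or non-numeric IDs yield an empty array.` Worth noting in that comment as well that `intval()` maps leading-digit strings such as `"12abc"` to 12, so a malformed ID is quietly treated as a different package rather than rejected; if rejection is the intended behaviour, `filter_var($pkgid, FILTER_VALIDATE_INT)` returns `false` for such input and the `> 0` check would then exclude it. The same guard and the same undocumented contract appear in `package_required`, `package_comments` and `package_sources` below. The remainder of `package_dependencies` lies outside the hunk.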
@@ -127,12 +128,12 @@ function package_dependencies($pkgid=0) {
function package_required($pkgid=0) {
$deps = array();
- if ($pkgid) {
+ $pkgid = intval($pkgid);
+ if ($pkgid > 0) {
$dbh = db_connect();
$q = "SELECT PackageID, Name, DummyPkg from PackageDepends, Packages ";
$q.= "WHERE PackageDepends.PackageID = Packages.ID ";
- $q.= "AND PackageDepends.DepPkgID = ";
- $q.= mysql_real_escape_string($pkgid);
+ $q.= "AND PackageDepends.DepPkgID = ". $pkgid;
$q.= " ORDER BY Name";
$result = db_query($q, $dbh);
if (!$result) {return array();}
@@ -177,10 +178,11 @@ function create_dummy($pname="", $sid="") {
# Return the number of comments for a specified package
function package_comments_count($pkgid = 0) {
- if ($pkgid) {
+ $pkgid = intval($pkgid);
+ if ($pkgid > 0) {
$dbh = db_connect();
$q = "SELECT COUNT(*) FROM PackageComments ";
- $q.= "WHERE PackageID = " . mysql_real_escape_string($pkgid);
+ $q.= "WHERE PackageID = " . $pkgid;
$q.= " AND DelUsersID IS NULL";
}
$result = db_query($q, $dbh);
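Review bot: When `$pkgid` coerces to 0 or a negative value, the new `$pkgid > 0` guard skips the block that assigns `$q` and `$dbh`, yet `db_query($q, $dbh)` on the last line of the hunk still runs with both variables undefined; this path existed before, but the commit widens the inputs that reach it (negative numbers and non-numeric strings were previously truthy and went through the query). An early return ahead of the query, e.g. `if ($pkgid <= 0) { return 0; }`, would keep `db_query` from being called with undefined arguments — the exact value to return should match what the tail of `package_comments_count` produces, which lies outside the hunk.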
@@ -195,12 +197,13 @@ function package_comments_count($pkgid = 0) {
# Return an array of package comments
function package_comments($pkgid = 0) {
$comments = array();
- if ($pkgid) {
+ $pkgid = intval($pkgid);
+ if ($pkgid > 0) {
$dbh = db_connect();
$q = "SELECT PackageComments.ID, UserName, UsersID, Comments, CommentTS ";
$q.= "FROM PackageComments, Users ";
$q.= "WHERE PackageComments.UsersID = Users.ID";
- $q.= " AND PackageID = ".mysql_real_escape_string($pkgid);
+ $q.= " AND PackageID = " . $pkgid;
$q.= " AND DelUsersID IS NULL"; # only display non-deleted comments
$q.= " ORDER BY CommentTS DESC";
@@ -225,10 +228,11 @@ function package_comments($pkgid = 0) {
#
function package_sources($pkgid=0) {
$sources = array();
- if ($pkgid) {
+ $pkgid = intval($pkgid);
+ if ($pkgid > 0) {
$dbh = db_connect();
$q = "SELECT Source FROM PackageSources ";
- $q.= "WHERE PackageID = ".mysql_real_escape_string($pkgid);
+ $q.= "WHERE PackageID = " . $pkgid;
$q.= " ORDER BY Source";
$result = db_query($q, $dbh);
if (!$result) {return array();}
@@ -283,19 +287,19 @@ function pkgnotify_from_sid($sid="") {
# get name of package based on pkgid
#
-function pkgname_from_id($id="") {
- if (!empty($id)) {
+function pkgname_from_id($pkgid=0) {
+ $pkgid = intval($pkgid);
+ if ($pkgid > 0) {
$dbh = db_connect();
- $id = intval($id);
- $q = "SELECT Name FROM Packages WHERE ID = " . mysql_real_escape_string($id);
+ $q = "SELECT Name FROM Packages WHERE ID = " . $pkgid;
$result = db_query($q, $dbh);
if (mysql_num_rows($result) > 0) {
- $id = mysql_result($result, 0);
+ $name = mysql_result($result, 0);
} else {
- $id = "";
+ $name = "";
}
}
- return $id;
+ return $name;
}
# Check if a package name is blacklisted.