diff options
Diffstat (limited to 'web/lib')
| -rw-r--r-- | web/lib/acctfuncs.inc.php | 229 | ||||
| -rw-r--r-- | web/lib/aur.inc.php | 154 | ||||
| -rw-r--r-- | web/lib/aurjson.class.php | 26 | ||||
| -rw-r--r-- | web/lib/cachefuncs.inc.php | 4 | ||||
| -rw-r--r-- | web/lib/config.inc.php.proto | 3 | ||||
| -rw-r--r-- | web/lib/pkgfuncs.inc.php | 302 | ||||
| -rw-r--r-- | web/lib/stats.inc.php | 4 | ||||
| -rw-r--r-- | web/lib/translator.inc.php | 6 |
8 files changed, 349 insertions, 379 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index d58c7590..54e8381e 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -135,17 +135,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".db_escape_string($U)."'"; + $q.= "WHERE Username = " . $dbh->quote($U); if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } - $result = db_query($q, $dbh); - if ($result) { - $row = mysql_fetch_array($result); - if ($row[0]) { - $error = __("The username, %s%s%s, is already in use.", - "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); - } + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if ($row[0]) { + $error = __("The username, %s%s%s, is already in use.", + "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); } } if (!$error) { @@ -153,17 +152,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".db_escape_string($E)."'"; + $q.= "WHERE Email = " . $dbh->quote($E); if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } - $result = db_query($q, $dbh); - if ($result) { - $row = mysql_fetch_array($result); - if ($row[0]) { - $error = __("The address, %s%s%s, is already in use.", - "<b>", htmlspecialchars($E,ENT_QUOTES), "</b>"); - } + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if ($row[0]) { + $error = __("The address, %s%s%s, is already in use.", + "<b>", htmlspecialchars($E,ENT_QUOTES), "</b>"); } } if ($error) { @@ -175,16 +173,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and create the unprivileged user $salt = generate_salt(); $P = salted_hash($P, $salt); - $escaped = array_map('db_escape_string', - array($U, $E, $P, $salt, $R, $L, $I, str_replace(" ", "", $K))); - $q = "INSERT INTO Users (" . - "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . - ", RealName, LangPreference, IRCNick, PGPKey) " . - "VALUES (1, 0, '" . implode("', '", $escaped) . "')"; - $result = db_query($q, $dbh); + $U = $dbh->quote($U); + $E = $dbh->quote($E); + $P = $dbh->quote($P); + $salt = $dbh->quote($salt); + $R = $dbh->quote($R); + $L = $dbh->quote($L); + $I = $dbh->quote($I); + $K = $dbh->quote(str_replace(" ", "", $K)); + $q = "INSERT INTO Users (AccountTypeID, Suspended, "; + $q.= "Username, Email, Passwd, Salt, RealName, "; + $q.= "LangPreference, IRCNick, PGPKey) VALUES (1, 0, "; + $q.= "$U, $E, $P, $salt, $R, $L, $I, $K)"; + $result = $dbh->exec($q); if (!$result) { - print __("Error trying to create account, %s%s%s: %s.", - "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh)); + print __("Error trying to create account, %s%s%s.", + "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); } else { # account created/modified, tell them so. # @@ -199,7 +203,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and modify the user account $q = "UPDATE Users SET "; - $q.= "Username = '".db_escape_string($U)."'"; + $q.= "Username = " . $dbh->quote($U); if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -208,21 +212,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".db_escape_string($E)."'"; + $q.= ", Email = " . $dbh->quote($E); if ($P) { $salt = generate_salt(); $hash = salted_hash($P, $salt); $q .= ", Passwd = '$hash', Salt = '$salt'"; } - $q.= ", RealName = '".db_escape_string($R)."'"; - $q.= ", LangPreference = '".db_escape_string($L)."'"; - $q.= ", IRCNick = '".db_escape_string($I)."'"; - $q.= ", PGPKey = '".db_escape_string(str_replace(" ", "", $K))."'"; + $q.= ", RealName = " . $dbh->quote($R); + $q.= ", LangPreference = " . $dbh->quote($L); + $q.= ", IRCNick = " . $dbh->quote($I); + $q.= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K)); $q.= " WHERE ID = ".intval($UID); - $result = db_query($q, $dbh); + $result = $dbh->exec($q); if (!$result) { - print __("Error trying to modify account, %s%s%s: %s.", - "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh)); + print __("Error trying to modify account, %s%s%s.", + "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); } else { print __("The account, %s%s%s, has been successfully modified.", "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); @@ -265,6 +269,10 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", } $search_vars = array(); + if (!$dbh) { + $dbh = db_connect(); + } + $q = "SELECT Users.*, AccountTypes.AccountType "; $q.= "FROM Users, AccountTypes "; $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; @@ -283,23 +291,28 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".db_escape_like($U)."%' "; + $U = "%" . addcslashes($U, '%_') . "%"; + $q.= "AND Username LIKE " . $dbh->quote($U) . " "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".db_escape_like($E)."%' "; + $E = "%" . addcslashes($E, '%_') . "%"; + $q.= "AND Email LIKE " . $dbh->quote($E) . " "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".db_escape_like($R)."%' "; + $R = "%" . addcslashes($R, '%_') . "%"; + $q.= "AND RealName LIKE " . $dbh->quote($R) . " "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' "; + $I = "%" . addcslashes($I, '%_') . "%"; + $q.= "AND IRCNick LIKE " . $dbh->quote($I) . " "; $search_vars[] = "I"; } if ($K) { - $q.= "AND PGPKey LIKE '%".db_escape_like(str_replace(" ", "", $K))."%' "; + $K = "%" . addcslashes(str_replace(" ", "", $K), '%_') . "%"; + $q.= "AND PGPKey LIKE " . $dbh->quote($K) . " "; $search_vars[] = "K"; } switch ($SB) { @@ -326,10 +339,9 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $dbh = db_connect(); } - $result = db_query($q, $dbh); - $num_rows = mysql_num_rows($result); + $result = $dbh->query($q); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $userinfo[] = $row; } @@ -377,13 +389,13 @@ function try_login($dbh=NULL) { $q.= "ON s.SessionID = q.SessionID "; $q.= "WHERE s.UsersId = " . $userID . " "; $q.= "AND q.SessionID IS NULL;"; - db_query($q, $dbh); + $dbh->query($q); } $new_sid = new_sid(); $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)" ." VALUES (" . $userID . ", '" . $new_sid . "', UNIX_TIMESTAMP())"; - $result = db_query($q, $dbh); + $result = $dbh->exec($q); # Query will fail if $new_sid is not unique if ($result) { @@ -397,7 +409,7 @@ function try_login($dbh=NULL) { if ($logged_in) { $q = "UPDATE Users SET LastLogin = UNIX_TIMESTAMP() "; $q.= "WHERE ID = '$userID'"; - db_query($q, $dbh); + $dbh->exec($q); # set our SID cookie if (isset($_POST['remember_me']) && @@ -408,7 +420,7 @@ function try_login($dbh=NULL) { # Set session for 30 days. $q = "UPDATE Sessions SET LastUpdateTS = $cookie_time "; $q.= "WHERE SessionID = '$new_sid'"; - db_query($q, $dbh); + $dbh->exec($q); } else $cookie_time = 0; @@ -472,13 +484,13 @@ function valid_user($user, $dbh=NULL) { } if ( $user ) { - $q = "SELECT ID FROM Users WHERE Username = '" - . db_escape_string($user). "'"; + $q = "SELECT ID FROM Users "; + $q.= "WHERE Username = " . $dbh->quote($user); - $result = db_query($q, $dbh); + $result = $dbh->query($q); # Is the username in the database? if ($result) { - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } } @@ -490,10 +502,10 @@ function open_user_proposals($user, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($user) . "'"; - $q.= " AND End > UNIX_TIMESTAMP()"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + $q = "SELECT * FROM TU_VoteInfo WHERE User = " . $dbh->quote($user) . " "; + $q.= "AND End > UNIX_TIMESTAMP()"; + $result = $dbh->query($q); + if ($result->fetchColumn()) { return true; } else { @@ -507,13 +519,12 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } + $q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES "; - $q.= "('" . db_escape_string($agenda) . "', "; - $q.= "'" . db_escape_string($user) . "', "; - $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($votelength); + $q.= "(" . $dbh->quote($agenda) . ", " . $dbh->quote($user) . ", "; + $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . $dbh->quote($votelength); $q.= ", " . $submitteruid . ")"; - db_query($q, $dbh); - + $result = $dbh->exec($q); } # Add a reset key for a specific user @@ -524,7 +535,7 @@ function create_resetkey($resetkey, $uid, $dbh=NULL) { $q = "UPDATE Users "; $q.= "SET ResetKey = '" . $resetkey . "' "; $q.= "WHERE ID = " . $uid; - db_query($q, $dbh); + $dbh->exec($q); } # Change a password and save the salt only if reset key and email are correct @@ -537,11 +548,11 @@ function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) { $q.= "Salt = '$salt', "; $q.= "ResetKey = '' "; $q.= "WHERE ResetKey != '' "; - $q.= "AND ResetKey = '".db_escape_string($resetkey)."' "; - $q.= "AND Email = '".db_escape_string($email)."'"; - $result = db_query($q, $dbh); + $q.= "AND ResetKey = " . $dbh->quote($resetkey) . " "; + $q.= "AND Email = " . $dbh->quote($email); + $result = $dbh->exec($q); - if (!mysql_affected_rows($dbh)) { + if (!$result) { $error = __('Invalid e-mail and reset key combination.'); return $error; } else { @@ -569,25 +580,25 @@ function valid_passwd($userID, $passwd, $dbh=NULL) { $salt = get_salt($userID); if ($salt) { # use salt - $passwd_q = "SELECT ID FROM Users" . - " WHERE ID = " . $userID . " AND Passwd = '" . - salted_hash($passwd, $salt) . "'"; - $result = db_query($passwd_q, $dbh); + $q = "SELECT ID FROM Users "; + $q.= "WHERE ID = " . $userID . " "; + $q.= "AND Passwd = " . $dbh->quote(salted_hash($passwd, $salt)); + $result = $dbh->query($q); if ($result) { - $passwd_result = mysql_fetch_row($result); - if ($passwd_result[0]) { + $row = $result->fetch(PDO::FETCH_NUM); + if ($row[0]) { return true; } } } else { # check without salt - $nosalt_q = "SELECT ID FROM Users". - " WHERE ID = " . $userID . - " AND Passwd = '" . md5($passwd) . "'"; - $result = db_query($nosalt_q, $dbh); + $q = "SELECT ID FROM Users "; + $q.= "WHERE ID = " . $userID . " "; + $q.= "AND Passwd = " . $dbh->quote(md5($passwd)); + $result = $dbh->query($q); if ($result) { - $nosalt_row = mysql_fetch_row($result); - if ($nosalt_row[0]) { + $row = $result->fetch(PDO::FETCH_NUM); + if ($row[0]) { # password correct, but salt it first if (!save_salt($userID, $passwd)) { trigger_error("Unable to salt user's password;" . @@ -621,9 +632,9 @@ function user_suspended($id, $dbh=NULL) { return false; } $q = "SELECT Suspended FROM Users WHERE ID = " . $id; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); if ($row[0]) { return true; } @@ -639,7 +650,7 @@ function user_delete($id, $dbh=NULL) { $dbh = db_connect(); } $q = "DELETE FROM Users WHERE ID = " . $id; - db_query($q, $dbh); + $dbh->query($q); return; } @@ -652,9 +663,9 @@ function user_is_privileged($id, $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT AccountTypeID FROM Users WHERE ID = " . $id; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); if($row[0] > 1) { return $row[0]; } @@ -669,9 +680,8 @@ function delete_session_id($sid, $dbh=NULL) { $dbh = db_connect(); } - $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= db_escape_string($sid) . "'"; - db_query($q, $dbh); + $q = "DELETE FROM Sessions WHERE SessionID = " . $dbh->quote($sid); + $dbh->query($q); } # Clear out old expired sessions. @@ -683,7 +693,7 @@ function clear_expired_sessions($dbh=NULL) { } $q = "DELETE FROM Sessions WHERE LastUpdateTS < (UNIX_TIMESTAMP() - $LOGIN_TIMEOUT)"; - db_query($q, $dbh); + $dbh->query($q); return; } @@ -698,12 +708,12 @@ function account_details($uid, $username, $dbh=NULL) { if (!empty($uid)) { $q.= "AND Users.ID = ".intval($uid); } else { - $q.= "AND Users.Username = '".db_escape_string($username) . "'"; + $q.= "AND Users.Username = " . $dbh->quote($username); } - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } return $row; @@ -717,12 +727,11 @@ function own_account_details($sid, $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; $q.= "AND Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '"; - $q.= db_escape_string($sid)."'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } return $row; @@ -733,9 +742,10 @@ function tu_voted($voteid, $uid, $dbh=NULL) { $dbh = db_connect(); } - $q = "SELECT * FROM TU_Votes WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid); - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + $q = "SELECT COUNT(*) FROM TU_Votes "; + $q.= "WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid); + $result = $dbh->query($q); + if ($result->fetchColumn() > 0) { return true; } else { @@ -749,10 +759,10 @@ function current_proposal_list($order, $dbh=NULL) { } $q = "SELECT * FROM TU_VoteInfo WHERE End > " . time() . " ORDER BY Submitted " . $order; - $result = db_query($q, $dbh); + $result = $dbh->query($q); $details = array(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $details[] = $row; } @@ -765,10 +775,10 @@ function past_proposal_list($order, $lim, $dbh=NULL) { } $q = "SELECT * FROM TU_VoteInfo WHERE End < " . time() . " ORDER BY Submitted " . $order . $lim; - $result = db_query($q, $dbh); + $result = $dbh->query($q); $details = array(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $details[] = $row; } @@ -781,8 +791,8 @@ function proposal_count($dbh=NULL) { } $q = "SELECT COUNT(*) FROM TU_VoteInfo"; - $result = db_query($q, $dbh); - $row = mysql_fetch_row($result); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -795,8 +805,8 @@ function vote_details($voteid, $dbh=NULL) { $q = "SELECT * FROM TU_VoteInfo "; $q.= "WHERE ID = " . intval($voteid); - $result = db_query($q, $dbh); - $row = mysql_fetch_assoc($result); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_ASSOC); return $row; } @@ -814,9 +824,9 @@ function voter_list($voteid, $dbh=NULL) { $q.= " AND tv.UserID = U.ID "; $q.= "ORDER BY Username"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $whovoted.= '<a href="' . get_uri('/accounts/') . '?Action=AccountInfo&ID='.$row['UserID'].'">'.$row['Username'].'</a> '; } } @@ -828,10 +838,9 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) { $dbh = db_connect(); } - $q = "UPDATE TU_VoteInfo SET " . $vote . " = " . ($newtotal) . " WHERE ID = " . $voteid; - db_query($q, $dbh); - - $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . $voteid . ", " . $uid . ")"; - db_query($q, $dbh); + $q = "UPDATE TU_VoteInfo SET " . $vote . " = (" . $newtotal . ") WHERE ID = " . $voteid; + $result = $dbh->exec($q); + $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")"; + $result = $dbh->exec($q); } diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 6dcbb34d..d26bdf2e 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -30,14 +30,15 @@ function check_sid($dbh=NULL) { $dbh = db_connect(); } $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; - $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) == 0) { + $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if (!$row[0]) { # Invalid SessionID - hacker alert! # $failed = 1; } else { - $row = mysql_fetch_row($result); $last_update = $row[0]; if ($last_update + $LOGIN_TIMEOUT <= $row[1]) { $failed = 2; @@ -68,8 +69,8 @@ function check_sid($dbh=NULL) { # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'"; - db_query($q, $dbh); + $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]); + $dbh->exec($q); } } } @@ -119,12 +120,12 @@ function username_from_id($id="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id); - $result = db_query($q, $dbh); + $q = "SELECT Username FROM Users WHERE ID = " . $dbh->quote($id); + $result = $dbh->query($q); if (!$result) { return "None"; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -142,12 +143,12 @@ function username_from_sid($sid="", $dbh=NULL) { $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return ""; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -164,12 +165,12 @@ function email_from_sid($sid="", $dbh=NULL) { $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return ""; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -188,12 +189,12 @@ function account_from_sid($sid="", $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return ""; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -210,12 +211,12 @@ function uid_from_sid($sid="", $dbh=NULL) { $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return 0; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -223,66 +224,16 @@ function uid_from_sid($sid="", $dbh=NULL) { # connect to the database # function db_connect() { - $handle = mysql_connect(AUR_db_host, AUR_db_user, AUR_db_pass); - if (!$handle) { - die("Error connecting to AUR database: " . mysql_error()); - } - - mysql_select_db(AUR_db_name, $handle) or - die("Error selecting AUR database: " . mysql_error()); - - db_query("SET NAMES 'utf8' COLLATE 'utf8_general_ci';", $handle); - - return $handle; -} - -# Escape strings for SQL query usage. -# Wraps the database driver's provided method (for convenience and porting). -function db_escape_string($string) { - return mysql_real_escape_string($string); -} - -# Escape strings for usage in SQL LIKE operators. -function db_escape_like($string) { - return addcslashes(mysql_real_escape_string($string), '%_'); -} - -# disconnect from the database -# this won't normally be needed as PHP/reference counting will take care of -# closing the connection once it is no longer referenced -# -function db_disconnect($db_handle="") { - if ($db_handle) { - mysql_close($db_handle); - return TRUE; + try { + $dbh = new PDO(AUR_db_DSN_prefix . ":" . AUR_db_host . ";dbname=" . AUR_db_name, AUR_db_user, AUR_db_pass); } - return FALSE; -} - -# wrapper function around db_query in case we want to put -# query logging/debugging in. -# -function db_query($query="", $db_handle="") { - if (!$query) { - return FALSE; + catch (PDOException $e) { + echo "Error - Could not connect to AUR database: " . $e->getMessage(); } - if (!$db_handle) { - die("DB handle was not provided to db_query"); - } - - if (defined('SQL_DEBUG') && SQL_DEBUG == 1) { - $bt = debug_backtrace(); - error_log("DEBUG: ".$bt[0]['file'].":".$bt[0]['line']." query: $query\n"); - } + $dbh->exec("SET NAMES 'utf8' COLLATE 'utf8_general_ci';"); - $result = @mysql_query($query, $db_handle); - if (!$result) { - $bt = debug_backtrace(); - error_log("ERROR: near ".$bt[0]['file'].":".$bt[0]['line']." in query: $query\n -> ".mysql_error($db_handle)); - } - - return $result; + return $dbh; } # common header @@ -313,10 +264,13 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT MaintainerUID "; - $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) == 0) {return 1;} - $row = mysql_fetch_row($result); + $q.= "FROM Packages WHERE Name = " . $dbh->quote($name); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if (!$row[0]) { + return 1; + } $my_uid = uid_from_sid($sid, $dbh); if ($row[0] === NULL || $row[0] == $my_uid) { @@ -385,13 +339,12 @@ function uid_from_username($username="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username) - ."'"; - $result = db_query($q, $dbh); + $q = "SELECT ID FROM Users WHERE Username = " . $dbh->quote($username); + $result = $dbh->query($q); if (!$result) { return "None"; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -405,13 +358,12 @@ function uid_from_email($email="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email) - ."'"; - $result = db_query($q, $dbh); + $q = "SELECT ID FROM Users WHERE Email = " . $dbh->quote($email); + $result = $dbh->query($q); if (!$result) { return "None"; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -461,11 +413,11 @@ function get_salt($user_id, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $salt_q = "SELECT Salt FROM Users WHERE ID = " . $user_id; - $result = db_query($salt_q, $dbh); + $q = "SELECT Salt FROM Users WHERE ID = " . $user_id; + $result = $dbh->query($q); if ($result) { - $salt_row = mysql_fetch_row($result); - return $salt_row[0]; + $row = $result->fetch(PDO::FETCH_NUM); + return $row[0]; } return; } @@ -476,9 +428,9 @@ function save_salt($user_id, $passwd, $dbh=NULL) { } $salt = generate_salt(); $hash = salted_hash($passwd, $salt); - $salting_q = "UPDATE Users SET Salt = '" . $salt . "', " . - "Passwd = '" . $hash . "' WHERE ID = " . $user_id; - return db_query($salting_q, $dbh); + $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", "; + $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id; + $result = $dbh->exec($q); } function generate_salt() { @@ -519,21 +471,21 @@ function begin_atomic_commit($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - db_query("BEGIN", $dbh); + $dbh->beginTransaction(); } function end_atomic_commit($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - db_query("COMMIT", $dbh); + $dbh->commit(); } function last_insert_id($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - return mysql_insert_id($dbh); + return $dbh->lastInsertId(); } function latest_pkgs($numpkgs, $dbh=NULL) { @@ -544,10 +496,10 @@ function latest_pkgs($numpkgs, $dbh=NULL) { $q = "SELECT * FROM Packages "; $q.= "ORDER BY SubmittedTS DESC "; $q.= "LIMIT " .intval($numpkgs); - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $packages[] = $row; } } diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index c1b079a4..fbdc7118 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -122,12 +122,13 @@ class AurJSON { "FROM Packages LEFT JOIN Users " . "ON Packages.MaintainerUID = Users.ID " . "WHERE ${where_condition}"; - $result = db_query($query, $this->dbh); + $result = $this->dbh->query($query); - $resultcount = mysql_num_rows($result); - if ( $result && $resultcount > 0 ) { + if ($result) { + $resultcount = 0; $search_data = array(); - while ( $row = mysql_fetch_assoc($result) ) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { + $resultcount++; $name = $row['Name']; $row['URLPath'] = URL_DIR . substr($name, 0, 2) . "/" . $name . "/" . $name . ".tar.gz"; @@ -148,7 +149,6 @@ class AurJSON { } } - mysql_free_result($result); return $this->json_results($type, $resultcount, $search_data); } else { @@ -178,8 +178,7 @@ class AurJSON { if (is_numeric($arg)) { $id_args[] = intval($arg); } else { - $escaped = db_escape_string($arg, $this->dbh); - $name_args[] = "'" . $escaped . "'"; + $name_args[] = $this->dbh->quote($arg); } } @@ -196,10 +195,10 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = db_escape_like($keyword_string, $this->dbh); + $keyword_string = $this->dbh->quote("%" . addcslashes($keyword_string, '%_') . "%"); - $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . - "Description LIKE '%{$keyword_string}%' )"; + $where_condition = "(Name LIKE {$keyword_string} OR "; + $where_condition.= "Description LIKE {$keyword_string})"; return $this->process_query('search', $where_condition); } @@ -217,8 +216,7 @@ class AurJSON { $where_condition = "Packages.ID={$pqdata}"; } else { - $where_condition = sprintf("Name=\"%s\"", - db_escape_string($pqdata, $this->dbh)); + $where_condition = sprintf("Name=%s", $this->dbh->quote($pqdata)); } return $this->process_query('info', $where_condition); } @@ -260,9 +258,9 @@ class AurJSON { * @return mixed Returns an array of value data containing the package data **/ private function msearch($maintainer) { - $maintainer = db_escape_string($maintainer, $this->dbh); + $maintainer = $this->dbh->quote($maintainer); - $where_condition = "Users.Username = '{$maintainer}'"; + $where_condition = "Users.Username = {$maintainer}"; return $this->process_query('msearch', $where_condition); } diff --git a/web/lib/cachefuncs.inc.php b/web/lib/cachefuncs.inc.php index 3485b013..f109bcff 100644 --- a/web/lib/cachefuncs.inc.php +++ b/web/lib/cachefuncs.inc.php @@ -71,8 +71,8 @@ function db_cache_value($dbq, $dbh, $key, $ttl=600) { $status = false; $value = get_cache_value($key, $status); if (!$status) { - $result = db_query($dbq, $dbh); - $row = mysql_fetch_row($result); + $result = $dbh->query($dbq); + $row = $result->fetch(PDO::FETCH_NUM); $value = $row[0]; set_cache_value($key, $value, $ttl); } diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto index fee1022a..3c7df195 100644 --- a/web/lib/config.inc.php.proto +++ b/web/lib/config.inc.php.proto @@ -2,7 +2,8 @@ # NOTE: modify these variables if your MySQL setup is different -define( "AUR_db_host", "localhost:/var/run/mysqld/mysqld.sock" ); +define( "AUR_db_DSN_prefix", "mysql" ); +define( "AUR_db_host", "unix_socket=/var/run/mysqld/mysqld.sock" ); define( "AUR_db_name", "AUR" ); define( "AUR_db_user", "aur" ); define( "AUR_db_pass", "aur" ); diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index c592e393..6cdab0fc 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -16,9 +16,9 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0, $dbh=NULL) { $q.= "FROM PackageComments "; $q.= "WHERE ID = " . intval($comment_id); $q.= " AND UsersID = " . $uid; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result != NULL) { - $row = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); if ($row['CNT'] > 0) { return TRUE; } @@ -83,9 +83,9 @@ function pkgCategories($dbh=NULL) { } $q = "SELECT * FROM PackageCategories WHERE ID != 1 "; $q.= "ORDER BY Category ASC"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $cats[$row[0]] = $row[1]; } } @@ -100,10 +100,12 @@ function pkgid_from_name($name="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT ID FROM Packages "; - $q.= "WHERE Name = '".db_escape_string($name)."' "; - $result = db_query($q, $dbh); - if (!$result) {return NULL;} - $row = mysql_fetch_row($result); + $q.= "WHERE Name = " . $dbh->quote($name); + $result = $dbh->query($q); + if (!$result) { + return; + } + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -120,9 +122,11 @@ function package_dependencies($pkgid, $dbh=NULL) { $q.= "LEFT JOIN Packages p ON pd.DepName = p.Name "; $q.= "WHERE pd.PackageID = ". $pkgid . " "; $q.= "ORDER BY pd.DepName"; - $result = db_query($q, $dbh); - if (!$result) {return array();} - while ($row = mysql_fetch_row($result)) { + $result = $dbh->query($q); + if (!$result) { + return array(); + } + while ($row = $result->fetch(PDO::FETCH_NUM)) { $deps[] = $row; } } @@ -137,11 +141,11 @@ function package_required($name="", $dbh=NULL) { } $q = "SELECT p.Name, PackageID FROM PackageDepends pd "; $q.= "JOIN Packages p ON pd.PackageID = p.ID "; - $q.= "WHERE DepName = '".db_escape_string($name)."' "; + $q.= "WHERE DepName = " . $dbh->quote($name) . " "; $q.= "ORDER BY p.Name"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) {return array();} - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $deps[] = $row; } } @@ -150,6 +154,10 @@ function package_required($name="", $dbh=NULL) { # Return the number of comments for a specified package function package_comments_count($pkgid, $dbh=NULL) { + if (!$dbh) { + $dbh = db_connect(); + } + $pkgid = intval($pkgid); if ($pkgid > 0) { if(!$dbh) { @@ -159,13 +167,14 @@ function package_comments_count($pkgid, $dbh=NULL) { $q.= "WHERE PackageID = " . $pkgid; $q.= " AND DelUsersID IS NULL"; } - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) { return; } - return mysql_result($result, 0); + $row = $result->fetch(PDO::FETCH_NUM); + return $row[0]; } # Return an array of package comments @@ -187,13 +196,13 @@ function package_comments($pkgid, $dbh=NULL) { $q.= " LIMIT 10"; } - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) { return; } - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $comments[] = $row; } } @@ -207,32 +216,31 @@ function add_package_comment($pkgid, $uid, $comment, $dbh=NULL) { $dbh = db_connect(); } - $q = 'INSERT INTO PackageComments '; - $q.= '(PackageID, UsersID, Comments, CommentTS) VALUES ('; - $q.= intval($pkgid) . ', ' . $uid . ', '; - $q.= "'" . db_escape_string($comment) . "', "; - $q.= 'UNIX_TIMESTAMP())'; - db_query($q, $dbh); + $q = "INSERT INTO PackageComments "; + $q.= "(PackageID, UsersID, Comments, CommentTS) VALUES ("; + $q.= intval($pkgid) . ", " . $uid . ", "; + $q.= $dbh->quote($comment) . ", UNIX_TIMESTAMP())"; + $dbh->exec($q); # Send email notifications - $q = 'SELECT CommentNotify.*, Users.Email '; - $q.= 'FROM CommentNotify, Users '; - $q.= 'WHERE Users.ID = CommentNotify.UserID '; - $q.= 'AND CommentNotify.UserID != ' . $uid . ' '; - $q.= 'AND CommentNotify.PkgID = ' . intval($pkgid); - $result = db_query($q, $dbh); + $q = "SELECT CommentNotify.*, Users.Email "; + $q.= "FROM CommentNotify, Users "; + $q.= "WHERE Users.ID = CommentNotify.UserID "; + $q.= "AND CommentNotify.UserID != " . $uid . " "; + $q.= "AND CommentNotify.PkgID = " . intval($pkgid); + $result = $dbh->query($q); $bcc = array(); - if (mysql_num_rows($result)) { - while ($row = mysql_fetch_assoc($result)) { + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { array_push($bcc, $row['Email']); } - $q = 'SELECT Packages.* '; - $q.= 'FROM Packages '; - $q.= 'WHERE Packages.ID = ' . intval($pkgid); - $result = db_query($q, $dbh); - $row = mysql_fetch_assoc($result); + $q = "SELECT Packages.* "; + $q.= "FROM Packages "; + $q.= "WHERE Packages.ID = " . intval($pkgid); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_ASSOC); # TODO: native language emails for users, based on their prefs # Simply making these strings translatable won't work, users would be @@ -261,9 +269,11 @@ function package_sources($pkgid, $dbh=NULL) { $q = "SELECT Source FROM PackageSources "; $q.= "WHERE PackageID = " . $pkgid; $q.= " ORDER BY Source"; - $result = db_query($q, $dbh); - if (!$result) {return array();} - while ($row = mysql_fetch_row($result)) { + $result = $dbh->query($q); + if (!$result) { + return array(); + } + while ($row = $result->fetch(PDO::FETCH_NUM)) { $sources[] = $row[0]; } } @@ -283,10 +293,10 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) { $q.= "FROM PackageVotes, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = PackageVotes.UsersID "; - $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $pkgs[$row[0]] = 1; } } @@ -306,10 +316,10 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) { $q.= "FROM CommentNotify, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = CommentNotify.UserID "; - $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $pkgs[$row[0]] = 1; } } @@ -325,11 +335,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Name FROM Packages WHERE ID IN (" . - implode(",", $pkgids) . ")"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) > 0) { - while ($row = mysql_fetch_assoc($result)) { + $q = "SELECT Name FROM Packages WHERE ID IN ("; + $q.= implode(",", $pkgids) . ")"; + $result = $dbh->query($q); + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $names[] = $row['Name']; } } @@ -340,11 +350,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT Name FROM Packages WHERE ID = " . $pkgids; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) > 0) { - $name = mysql_result($result, 0); + $result = $dbh->query($q); + if ($result) { + $name = $result->fetch(PDO::FETCH_NUM); } - return $name; + return $name[0]; } else { return NULL; @@ -357,11 +367,12 @@ function pkgname_is_blacklisted($name, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'"; - $result = db_query($q, $dbh); + $q = "SELECT COUNT(*) FROM PackageBlacklist "; + $q.= "WHERE Name = " . $dbh->quote($name); + $result = $dbh->query($q); if (!$result) return false; - return (mysql_result($result, 0) > 0); + return ($result->fetch(PDO::FETCH_NUM) > 0); } # display package details @@ -378,13 +389,13 @@ function package_details($id=0, $SID="", $dbh=NULL) { $q.= "FROM Packages,PackageCategories "; $q.= "WHERE Packages.CategoryID = PackageCategories.ID "; $q.= "AND Packages.ID = " . intval($id); - $results = db_query($q, $dbh); + $result = $dbh->query($q); - if (!$results) { + if (!$result) { print "<p>" . __("Error retrieving package details.") . "</p>\n"; } else { - $row = mysql_fetch_assoc($results); + $row = $result->fetch(PDO::FETCH_ASSOC); if (empty($row)) { print "<p>" . __("Package details could not be found.") . "</p>\n"; @@ -532,7 +543,7 @@ function pkg_search_page($SID="", $dbh=NULL) { if (isset($_GET['K'])) { # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { - $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' "; + $q_where .= "AND Users.Username = " . $dbh->quote($_GET['K']) . " "; } # Search by submitter elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") { @@ -540,16 +551,18 @@ function pkg_search_page($SID="", $dbh=NULL) { } # Search by name elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") { - $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') "; + $K = "%" . addcslashes($_GET['K'], '%_') . "%"; + $q_where .= "AND (Name LIKE " . $dbh->quote($K) . ") "; } # Search by name (exact match) elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") { - $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') "; + $q_where .= "AND (Name = " . $dbh->quote($_GET['K']) . ") "; } # Search by name and description (Default) else { - $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR "; - $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') "; + $K = "%" . addcslashes($_GET['K'], '%_') . "%"; + $q_where .= "AND (Name LIKE " . $dbh->quote($K) . " OR "; + $q_where .= "Description LIKE " . $dbh->quote($K) . ") "; } } @@ -602,10 +615,11 @@ function pkg_search_page($SID="", $dbh=NULL) { $q = $q_select . $q_from . $q_from_extra . $q_where . $q_sort . $q_limit; $q_total = "SELECT COUNT(*) " . $q_from . $q_where; - $result = db_query($q, $dbh); - $result_t = db_query($q_total, $dbh); + $result = $dbh->query($q); + $result_t = $dbh->query($q_total); if ($result_t) { - $total = mysql_result($result_t, 0); + $row = $result_t->fetch(PDO::FETCH_NUM); + $total = $row[0]; } else { $total = 0; @@ -657,8 +671,10 @@ function pkg_search_page($SID="", $dbh=NULL) { include('pkg_search_form.php'); - while ($row = mysql_fetch_assoc($result)) { - $searchresults[] = $row; + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { + $searchresults[] = $row; + } } include('pkg_search_results.php'); @@ -732,7 +748,7 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { $q.= "AND MaintainerUID = " . uid_from_sid($_COOKIE["AURSID"], $dbh); } - db_query($q, $dbh); + $dbh->exec($q); if ($action) { # Notify of flagging by email @@ -744,9 +760,9 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { $q.= "WHERE Packages.ID IN (" . implode(",", $ids) .") "; $q.= "AND Users.ID = Packages.MaintainerUID "; $q.= "AND Users.ID != " . $f_uid; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { - while ($row = mysql_fetch_assoc($result)) { + $result = $dbh->query($q); + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { # construct email $body = "Your package " . $row['Name'] . " has been flagged out of date by " . $f_name . " [1]. You may view your package at:\n" . $AUR_LOCATION . "/" . get_pkg_uri($row['Name']) . "\n\n[1] - " . $AUR_LOCATION . "/" . get_uri('/accounts/') . "?Action=AccountInfo&ID=" . $f_uid; $body = wordwrap($body, 70); @@ -797,15 +813,15 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) { # Send email notifications foreach ($ids as $pkgid) { - $q = 'SELECT CommentNotify.*, Users.Email '; - $q.= 'FROM CommentNotify, Users '; - $q.= 'WHERE Users.ID = CommentNotify.UserID '; - $q.= 'AND CommentNotify.UserID != ' . uid_from_sid($_COOKIE['AURSID']) . ' '; - $q.= 'AND CommentNotify.PkgID = ' . $pkgid; - $result = db_query($q, $dbh); + $q = "SELECT CommentNotify.*, Users.Email "; + $q.= "FROM CommentNotify, Users "; + $q.= "WHERE Users.ID = CommentNotify.UserID "; + $q.= "AND CommentNotify.UserID != " . uid_from_sid($_COOKIE['AURSID']) . " "; + $q.= "AND CommentNotify.PkgID = " . $pkgid; + $result = $dbh->query($q); $bcc = array(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { array_push($bcc, $row['Email']); } if (!empty($bcc)) { @@ -834,7 +850,7 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) { $q = "UPDATE PackageComments "; $q.= "SET PackageID = " . intval($mergepkgid) . " "; $q.= "WHERE PackageID IN (" . implode(",", $ids) . ")"; - db_query($q, $dbh); + $dbh->exec($q); /* Merge votes */ foreach ($ids as $pkgid) { @@ -846,18 +862,18 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) { $q.= "FROM PackageVotes "; $q.= "WHERE PackageID = " . intval($mergepkgid); $q.= ") temp)"; - db_query($q, $dbh); + $dbh->exec($q); } $q = "UPDATE Packages "; $q.= "SET NumVotes = (SELECT COUNT(*) FROM PackageVotes "; $q.= "WHERE PackageID = " . intval($mergepkgid) . ") "; $q.= "WHERE ID = " . intval($mergepkgid); - db_query($q, $dbh); + $dbh->exec($q); } $q = "DELETE FROM Packages WHERE ID IN (" . implode(",", $ids) . ")"; - $result = db_query($q, $dbh); + $result = $dbh->exec($q); return __("The selected packages have been deleted."); } @@ -912,7 +928,7 @@ function pkg_adopt ($atype, $ids, $action=true, $dbh=NULL) { $q.= "AND $field = " . uid_from_sid($_COOKIE["AURSID"], $dbh); } - db_query($q, $dbh); + $dbh->exec($q); if ($action) { pkg_notify(account_from_sid($_COOKIE["AURSID"], $dbh), $ids, $dbh); @@ -985,7 +1001,7 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) { $q = "UPDATE Packages SET NumVotes = NumVotes $op 1 "; $q.= "WHERE ID IN ($vote_ids)"; - db_query($q, $dbh); + $dbh->exec($q); if ($action) { $q = "INSERT INTO PackageVotes (UsersID, PackageID) VALUES "; @@ -995,13 +1011,12 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) { $q.= "AND PackageID IN ($vote_ids)"; } - db_query($q, $dbh); + $dbh->exec($q); if ($action) { $q = "UPDATE Users SET LastVoted = UNIX_TIMESTAMP() "; $q.= "WHERE ID = $uid"; - - db_query($q, $dbh); + $dbh->exec($q); } if ($action) { @@ -1017,19 +1032,17 @@ function getvotes($pkgid, $dbh=NULL) { $dbh = db_connect(); } - $pkgid = db_escape_string($pkgid); - $q = "SELECT UsersID,Username FROM PackageVotes "; $q.= "LEFT JOIN Users on (UsersID = ID) "; - $q.= "WHERE PackageID = ". $pkgid . " "; + $q.= "WHERE PackageID = ". $dbh->quote($pkgid) . " "; $q.= "ORDER BY Username"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) { return; } - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $votes[] = $row; } @@ -1042,13 +1055,11 @@ function user_voted($uid, $pkgid, $dbh=NULL) { $dbh = db_connect(); } - $uid = db_escape_string($uid); - $pkgid = db_escape_string($pkgid); + $q = "SELECT * FROM PackageVotes WHERE UsersID = ". $dbh->quote($uid); + $q.= " AND PackageID = " . $dbh->quote($pkgid); + $result = $dbh->query($q); - $q = "SELECT * FROM PackageVotes WHERE UsersID = ". $uid; - $q.= " AND PackageID = ".$pkgid; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + if ($result->fetch(PDO::FETCH_NUM)) { return true; } else { @@ -1062,13 +1073,11 @@ function user_notify($uid, $pkgid, $dbh=NULL) { $dbh = db_connect(); } - $uid = db_escape_string($uid); - $pkgid = db_escape_string($pkgid); + $q = "SELECT * FROM CommentNotify WHERE UserID = " . $dbh->quote($uid); + $q.= " AND PkgID = " . $dbh->quote($pkgid); + $result = $dbh->query($q); - $q = "SELECT * FROM CommentNotify WHERE UserID = ". $uid; - $q.= " AND PkgID = ".$pkgid; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + if ($result->fetch(PDO::FETCH_NUM)) { return true; } else { @@ -1107,9 +1116,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) { # format in which it's sent requires this. foreach ($ids as $pid) { $q = "SELECT Name FROM Packages WHERE ID = $pid"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $pkgname = mysql_result($result , 0); + $row = $result->fetch(PDO::FETCH_NUM); + $pkgname = $row[0]; } else { $pkgname = ''; @@ -1126,10 +1136,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) { $q .= " AND PkgID = $pid"; # Notification already added. Don't add again. - $result = db_query($q, $dbh); - if (!mysql_num_rows($result)) { + $result = $dbh->query($q); + if (!$result) { $q = "INSERT INTO CommentNotify (PkgID, UserID) VALUES ($pid, $uid)"; - db_query($q, $dbh); + $dbh->exec($q); } $output .= $pkgname; @@ -1137,7 +1147,7 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) { else { $q = "DELETE FROM CommentNotify WHERE PkgID = $pid"; $q .= " AND UserID = $uid"; - db_query($q, $dbh); + $dbh->exec($q); $output .= $pkgname; } @@ -1181,7 +1191,7 @@ function pkg_delete_comment($atype, $dbh=NULL) { $q = "UPDATE PackageComments "; $q.= "SET DelUsersID = ".$uid." "; $q.= "WHERE ID = ".intval($comment_id); - db_query($q, $dbh); + $dbh->exec($q); return __("Comment has been deleted."); } else { return __("You are not allowed to delete this comment."); @@ -1226,21 +1236,21 @@ function pkg_change_category($atype, $dbh=NULL) { $q = "SELECT Packages.MaintainerUID "; $q.= "FROM Packages "; $q.= "WHERE Packages.ID = ".$pid; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $pkg = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } else { return __("You are not allowed to change this package category."); } $uid = uid_from_sid($_COOKIE["AURSID"], $dbh); - if ($uid == $pkg["MaintainerUID"] || + if ($uid == $row["MaintainerUID"] || ($atype == "Developer" || $atype == "Trusted User")) { $q = "UPDATE Packages "; $q.= "SET CategoryID = ".intval($category_id)." "; $q.= "WHERE ID = ".intval($pid); - db_query($q, $dbh); + $dbh->exec($q); return __("Package category changed."); } else { return __("You are not allowed to change this package category."); @@ -1251,29 +1261,29 @@ function pkgdetails_by_pkgname($pkgname, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($pkgname) . "'"; - $result = db_query($q, $dbh); + $q = "SELECT * FROM Packages WHERE Name = " . $dbh->quote($pkgname); + $result = $dbh->query($q); if ($result) { - $pdata = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } - return $pdata; + return $row; } function new_pkgdetails($pkgname, $license, $pkgver, $category_id, $pkgdesc, $pkgurl, $uid, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)", - db_escape_string($pkgname), - db_escape_string($license), - db_escape_string($pkgver), + $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES (%s, %s, %s, %d, %s, %s, UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)", + $dbh->quote($pkgname), + $dbh->quote($license), + $dbh->quote($pkgver), $category_id, - db_escape_string($pkgdesc), - db_escape_string($pkgurl), + $dbh->quote($pkgdesc), + $dbh->quote($pkgurl), $uid, $uid); - db_query($q, $dbh); + $dbh->exec($q); } function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid, $pkgid, $dbh=NULL) { @@ -1281,28 +1291,28 @@ function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid, $dbh = db_connect(); } # This is an overwrite of an existing package - $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d", - db_escape_string($pkgname), - db_escape_string($pkgver), - db_escape_string($license), - db_escape_string($pkgdesc), - db_escape_string($pkgurl), + $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = %s, Version = %s, License = %s, Description = %s, URL = %s, OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d", + $dbh->quote($pkgname), + $dbh->quote($pkgver), + $dbh->quote($license), + $dbh->quote($pkgdesc), + $dbh->quote($pkgurl), $uid, $pkgid); - db_query($q, $dbh); + $dbh->exec($q); } function add_pkg_dep($pkgid, $depname, $depcondition, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')", + $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, %s, %s)", $pkgid, - db_escape_string($depname), - db_escape_string($depcondition)); + $dbh->quote($depname), + $dbh->quote($depcondition)); - db_query($q, $dbh); + $dbh->exec($q); } function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) { @@ -1310,9 +1320,9 @@ function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) { $dbh = db_connect(); } $q = "INSERT INTO PackageSources (PackageID, Source) VALUES ("; - $q .= $pkgid . ", '" . db_escape_string($pkgsrc) . "')"; + $q .= $pkgid . ", " . $dbh->quote($pkgsrc) . ")"; - db_query($q, $dbh); + $dbh->exec($q); } function update_pkg_category($pkgid, $category_id, $dbh=NULL) { @@ -1323,7 +1333,7 @@ function update_pkg_category($pkgid, $category_id, $dbh=NULL) { $category_id, $pkgid); - db_query($q, $dbh); + $dbh->exec($q); } function remove_pkg_deps($pkgid, $dbh=NULL) { @@ -1332,7 +1342,7 @@ function remove_pkg_deps($pkgid, $dbh=NULL) { } $q = "DELETE FROM PackageDepends WHERE PackageID = " . $pkgid; - db_query($q, $dbh); + $dbh->exec($q); } function remove_pkg_sources($pkgid, $dbh=NULL) { @@ -1341,5 +1351,5 @@ function remove_pkg_sources($pkgid, $dbh=NULL) { } $q = "DELETE FROM PackageSources WHERE PackageID = " . $pkgid; - db_query($q, $dbh); + $dbh->exec($q); } diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php index 2828dc92..2c26d43e 100644 --- a/web/lib/stats.inc.php +++ b/web/lib/stats.inc.php @@ -6,10 +6,10 @@ function updates_table($dbh) { $key = 'recent_updates'; if(!($newest_packages = get_cache_value($key))) { $q = 'SELECT * FROM Packages ORDER BY ModifiedTS DESC LIMIT 10'; - $result = db_query($q, $dbh); + $result = $dbh->query($q); $newest_packages = new ArrayObject(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $newest_packages->append($row); } set_cache_value($key, $newest_packages); diff --git a/web/lib/translator.inc.php b/web/lib/translator.inc.php index f269b937..382160cc 100644 --- a/web/lib/translator.inc.php +++ b/web/lib/translator.inc.php @@ -96,11 +96,11 @@ function set_lang($dbh=NULL) { $q = "SELECT LangPreference FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; - $result = db_query($q, $dbh); + $q.= $dbh->quote($_COOKIE["AURSID"]); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_array($result); + $row = $result->fetchAll(); $LANG = $row[0]; } $update_cookie = 1; |