From 10b6a8fff7e6d407421c74889455b969be7f867f Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 20 Oct 2011 08:15:02 +0200 Subject: Wrap mysql_real_escape_string() in a function Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij Signed-off-by: Lukas Fleischer Conflicts: web/lib/aur.inc.php --- web/lib/acctfuncs.inc.php | 26 +++++++++++++------------- web/lib/aur.inc.php | 30 ++++++++++++++++++------------ web/lib/aurjson.class.php | 8 ++++---- web/lib/pkgfuncs.inc.php | 12 ++++++------ web/lib/stats.inc.php | 2 +- 5 files changed, 42 insertions(+), 36 deletions(-) (limited to 'web/lib') diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 97fb69b9..91718748 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -225,7 +225,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".mysql_real_escape_string($U)."'"; + $q.= "WHERE Username = '".db_escape_string($U)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -243,7 +243,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".mysql_real_escape_string($E)."'"; + $q.= "WHERE Email = '".db_escape_string($E)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } 
@@ -265,7 +265,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and create the unprivileged user $salt = generate_salt(); $P = salted_hash($P, $salt); - $escaped = array_map('mysql_real_escape_string', + $escaped = array_map('db_escape_string', array($U, $E, $P, $salt, $R, $L, $I)); $q = "INSERT INTO Users (" . "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . @@ -289,7 +289,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and modify the user account $q = "UPDATE Users SET "; - $q.= "Username = '".mysql_real_escape_string($U)."'"; + $q.= "Username = '".db_escape_string($U)."'"; if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -298,15 +298,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".mysql_real_escape_string($E)."'"; + $q.= ", Email = '".db_escape_string($E)."'"; if ($P) { $salt = generate_salt(); $hash = salted_hash($P, $salt); $q .= ", Passwd = '$hash', Salt = '$salt'"; } - $q.= ", RealName = '".mysql_real_escape_string($R)."'"; - $q.= ", LangPreference = '".mysql_real_escape_string($L)."'"; - $q.= ", IRCNick = '".mysql_real_escape_string($I)."'"; + $q.= ", RealName = '".db_escape_string($R)."'"; + $q.= ", LangPreference = '".db_escape_string($L)."'"; + $q.= ", IRCNick = '".db_escape_string($I)."'"; $q.= " WHERE ID = ".intval($UID); $result = db_query($q, $dbh); if (!$result) { 
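Review bot: In the UPDATE branch of process_account_form, `$q .= ", Passwd = '$hash', Salt = '$salt'";` interpolates the hash and salt raw, while the INSERT branch a few lines up in this same hunk runs `$P` and `$salt` through db_escape_string via array_map. Whether the raw form is safe depends on salted_hash() and generate_salt() emitting only characters that need no escaping, which this hunk does not show. For consistency and to drop that hidden dependency, write `$q .= ", Passwd = '".db_escape_string($hash)."', Salt = '".db_escape_string($salt)."'";`. process_account_form starts before and ends after this hunk.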
@@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; $search_vars[] = "I"; } switch ($SB) { @@ -716,7 +716,7 @@ function valid_user( $user ) if ( $user ) { $dbh = db_connect(); $q = "SELECT ID FROM Users WHERE Username = '" - . mysql_real_escape_string($user). "'"; + . db_escape_string($user). "'"; $result = db_query($q, $dbh); # Is the username in the database? diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index f4326974..51c1eff7 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -29,7 +29,7 @@ function check_sid($dbh=NULL) { $dbh = db_connect(); } $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; - $q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) { # Invalid SessionID - hacker alert! @@ -53,7 +53,7 @@ function check_sid($dbh=NULL) { # session id timeout was reached and they must login again. # $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); 
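Review bot: In search_results_page the `Username LIKE '%".db_escape_string($U)."%'` pattern (and the Email, RealName and IRCNick ones below it) feeds user input straight into a LIKE, and mysql_real_escape_string does not touch the LIKE metacharacters `%` and `_`. The quoting stays intact, so this is not an injection, but a search value of `%` or `_` widens the match at will. The aurjson.class.php hunk in this same patch already handles this with addcslashes after escaping; do the same here, e.g. `$q.= "AND Username LIKE '%".addcslashes(db_escape_string($U), '%_')."%' ";`. search_results_page starts before this hunk.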
@@ -69,7 +69,7 @@ function check_sid($dbh=NULL) { # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'"; db_query($q, $dbh); } } @@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id); + $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id); $result = db_query($q, $dbh); if (!$result) { return "None"; @@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) { $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) { $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; 
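Review bot: In username_from_id, `$q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id);` puts the value in an unquoted numeric position, where string escaping gives no protection: mysql_real_escape_string only neutralises quote and control characters, so an input such as `1 OR 1=1` passes through unchanged. Every other ID comparison in this patch uses intval() (e.g. `" AND ID != ".intval($UID)` in acctfuncs.inc.php); this one should too: `$q = "SELECT Username FROM Users WHERE ID = " . intval($id);`. Whether any caller reaches this function with untrusted input is not visible here, but the query should not depend on that.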
@@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) { $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return 0; @@ -223,6 +223,12 @@ function db_connect() { return $handle; } +# Escape strings for SQL query usage. +# Wraps the database driver's provided method (for convenience and porting). +function db_escape_string($string) { + return mysql_real_escape_string($string); +} + # disconnect from the database # this won't normally be needed as PHP/reference counting will take care of # closing the connection once it is no longer referenced @@ -290,7 +296,7 @@ function set_lang($dbh=NULL) { $q = "SELECT LangPreference FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= db_escape_string($_COOKIE["AURSID"])."'"; $result = db_query($q, $dbh); if ($result) { @@ -355,7 +361,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT MaintainerUID "; - $q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'"; + $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) {return 1;} $row = mysql_fetch_row($result); @@ -428,7 +434,7 @@ function uid_from_username($username="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username) + $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username) ."'"; $result = db_query($q, $dbh); if (!$result) { 
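Review bot: The new db_escape_string wrapper declares a single parameter, so the link handle that aurjson.class.php passes in this same patch (`db_escape_string($arg, $this->dbh)`) is silently dropped and mysql_real_escape_string falls back to the most recently opened link; per the PHP docs it emits a warning and returns false when there is none, which concatenates to an empty string. Forward an optional link instead: `function db_escape_string($string, $dbh=NULL) {` / `return $dbh ? mysql_real_escape_string($string, $dbh) : mysql_real_escape_string($string);`. The header comment should also state the contract: the result is only safe inside a single-quoted SQL string literal, not in numeric or identifier positions and not as a LIKE pattern. The escaping is only correct for the connection's character set, so db_connect() (its body is not shown here) should set it with mysql_set_charset() rather than a `SET NAMES` query — worth confirming.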
@@ -449,7 +455,7 @@ function uid_from_email($email="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email) + $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email) ."'"; $result = db_query($q, $dbh); if (!$result) { diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index b5963595..edd6872e 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -166,7 +166,7 @@ class AurJSON { if (is_numeric($arg)) { $id_args[] = intval($arg); } else { - $escaped = mysql_real_escape_string($arg, $this->dbh); + $escaped = db_escape_string($arg, $this->dbh); $name_args[] = "'" . $escaped . "'"; } } @@ -184,7 +184,7 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh); + $keyword_string = db_escape_string($keyword_string, $this->dbh); $keyword_string = addcslashes($keyword_string, '%_'); $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . @@ -207,7 +207,7 @@ class AurJSON { } else { $where_condition = sprintf("Name=\"%s\"", - mysql_real_escape_string($pqdata, $this->dbh)); + db_escape_string($pqdata, $this->dbh)); } return $this->process_query('info', $where_condition); } @@ -249,7 +249,7 @@ class AurJSON { * @return mixed Returns an array of value data containing the package data **/ private function msearch($maintainer) { - $maintainer = mysql_real_escape_string($maintainer, $this->dbh); + $maintainer = db_escape_string($maintainer, $this->dbh); $where_condition = "Users.Username = '{$maintainer}'"; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 3e89fa35..b078c48a 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php 
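Review bot: The aurjson.class.php call sites `db_escape_string($arg, $this->dbh)` (and the keyword, info and msearch ones below it) pass a connection handle that the wrapper introduced in aur.inc.php does not declare, so the argument is ignored without any error and the escaping is now bound to whatever mysql link was opened last rather than to `$this->dbh`. Either extend the wrapper to take an optional link or drop the argument here so the dependence on the global connection is explicit. Separately, `sprintf("Name=\"%s\"", ...)` in the info branch uses a double-quoted SQL literal; under the ANSI_QUOTES sql_mode that is parsed as an identifier, so prefer the single-quoted form used everywhere else in this patch: `sprintf("Name='%s'", db_escape_string($pqdata, $this->dbh))`.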
@@ -100,7 +100,7 @@ function pkgid_from_name($name="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT ID FROM Packages "; - $q.= "WHERE Name = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE Name = '".db_escape_string($name)."' "; $result = db_query($q, $dbh); if (!$result) {return NULL;} $row = mysql_fetch_row($result); @@ -137,7 +137,7 @@ function package_required($name="", $dbh=NULL) { } $q = "SELECT p.Name, PackageID FROM PackageDepends pd "; $q.= "JOIN Packages p ON pd.PackageID = p.ID "; - $q.= "WHERE DepName = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE DepName = '".db_escape_string($name)."' "; $q.= "ORDER BY p.Name"; $result = db_query($q, $dbh); if (!$result) {return array();} @@ -234,7 +234,7 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) { $q.= "FROM PackageVotes, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = PackageVotes.UsersID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -257,7 +257,7 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) { $q.= "FROM CommentNotify, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = CommentNotify.UserID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -291,7 +291,7 @@ function pkgname_is_blacklisted($name, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . mysql_real_escape_string($name) . "'"; + $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'"; $result = db_query($q, $dbh); if (!$result) return false; 
@@ -457,7 +457,7 @@ function pkg_search_page($SID="", $dbh=NULL) { } if (isset($_GET['K'])) { - $_GET['K'] = mysql_real_escape_string(trim($_GET['K'])); + $_GET['K'] = db_escape_string(trim($_GET['K'])); # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php index 2690a5cb..8f0f7707 100644 --- a/web/lib/stats.inc.php +++ b/web/lib/stats.inc.php @@ -20,7 +20,7 @@ function updates_table($dbh) function user_table($user, $dbh) { - $escuser = mysql_real_escape_string($user); + $escuser = db_escape_string($user); $base_q = "SELECT count(*) FROM Packages,Users WHERE Packages.MaintainerUID = Users.ID AND Users.Username='" . $escuser . "'"; $maintainer_unsupported_count = db_cache_value($base_q, $dbh, -- cgit v1.2.3-24-g4f1b
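Review bot: `$_GET['K'] = db_escape_string(trim($_GET['K']));` in pkg_search_page overwrites the request parameter with its SQL-escaped form, so any later reader of `$_GET['K']` — the query built below and, presumably, the template that echoes the search box — gets text escaped for one context and reused in others (HTML, URLs, a LIKE pattern). Keep the raw value and escape at the point of use, e.g. `$K = db_escape_string(trim($_GET['K']));` and reference `$K` in the queries that follow. As in the acctfuncs search, `%` and `_` in the keyword are not neutralised for LIKE either; `addcslashes($K, '%_')` covers that if the query below uses LIKE, which is outside this hunk. pkg_search_page starts before and continues after this hunk.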