diff options
Diffstat (limited to 'post_bug.cgi')
-rwxr-xr-x | post_bug.cgi | 153 |
1 files changed, 93 insertions, 60 deletions
diff --git a/post_bug.cgi b/post_bug.cgi index 4fb66d316..ec684b247 100755 --- a/post_bug.cgi +++ b/post_bug.cgi @@ -145,14 +145,14 @@ if (Param("commentoncreate") && !trim($cgi->param('comment'))) { # If bug_file_loc is "http://", the default, use an empty value instead. $cgi->param('bug_file_loc', '') if $cgi->param('bug_file_loc') eq 'http://'; -my $sql_product = SqlQuote($cgi->param('product')); -my $sql_component = SqlQuote($cgi->param('component')); # Default assignee is the component owner. if (!UserInGroup("editbugs") || $cgi->param('assigned_to') eq "") { - SendSQL("SELECT initialowner FROM components " . - "WHERE id = $component_id"); - $cgi->param(-name => 'assigned_to', -value => FetchOneColumn()); + my $initialowner = $dbh->selectrow_array(q{SELECT initialowner + FROM components + WHERE id = ?}, + undef, $component_id); + $cgi->param(-name => 'assigned_to', -value => $initialowner); } else { $cgi->param(-name => 'assigned_to', -value => DBNameToIdAndCheck(trim($cgi->param('assigned_to')))); @@ -177,9 +177,10 @@ if (Param("useqacontact")) { my $qa_contact; if (!UserInGroup("editbugs") || !defined $cgi->param('qa_contact') || trim($cgi->param('qa_contact')) eq "") { - SendSQL("SELECT initialqacontact FROM components " . - "WHERE id = $component_id"); - $qa_contact = FetchOneColumn(); + ($qa_contact) = $dbh->selectrow_array(q{SELECT initialqacontact + FROM components + WHERE id = ?}, + undef, $component_id); } else { $qa_contact = DBNameToIdAndCheck(trim($cgi->param('qa_contact'))); } @@ -198,15 +199,24 @@ if (UserInGroup("editbugs") || UserInGroup("canconfirm")) { } else { # Default to UNCONFIRMED if we are using it, NEW otherwise $cgi->param(-name => 'bug_status', -value => 'UNCONFIRMED'); - SendSQL("SELECT votestoconfirm FROM products WHERE id = $product_id"); - if (!FetchOneColumn()) { + my $votestoconfirm = $dbh->selectrow_array(q{SELECT votestoconfirm + FROM products + WHERE id = ?}, + undef, $product_id); + + if (!$votestoconfirm) { $cgi->param(-name => 'bug_status', -value => "NEW"); } } +trick_taint($product); + if (!defined $cgi->param('target_milestone')) { - SendSQL("SELECT defaultmilestone FROM products WHERE name=$sql_product"); - $cgi->param(-name => 'target_milestone', -value => FetchOneColumn()); + my $defaultmilestone = $dbh->selectrow_array(q{SELECT defaultmilestone + FROM products + WHERE name = ?}, + undef, $product); + $cgi->param(-name => 'target_milestone', -value => $defaultmilestone); } if (!Param('letsubmitterchoosepriority')) { @@ -329,53 +339,67 @@ if (UserInGroup("editbugs")) { } # get current time -SendSQL("SELECT NOW()"); -my $timestamp = FetchOneColumn(); -my $sql_timestamp = SqlQuote($timestamp); +my $timestamp = $dbh->selectrow_array(q{SELECT NOW()}); # Build up SQL string to add bug. # creation_ts will only be set when all other fields are defined. -my $sql = "INSERT INTO bugs " . - "(" . join(",", @used_fields) . ", reporter, delta_ts, " . - "estimated_time, remaining_time, deadline) " . - "VALUES ("; + +my @fields_values; foreach my $field (@used_fields) { - $sql .= SqlQuote($cgi->param($field)) . ","; + my $value = $cgi->param($field); + trick_taint($value); + push (@fields_values, $value); } +my $sql_used_fields = join(", ", @used_fields); +my $sql_placeholders = "?, " x scalar(@used_fields); + +my $query = qq{INSERT INTO bugs ($sql_used_fields, reporter, delta_ts, + estimated_time, remaining_time, deadline) + VALUES ($sql_placeholders ?, ?, ?, ?, ?)}; + $comment =~ s/\r\n?/\n/g; # Get rid of \r. $comment = trim($comment); # If comment is all whitespace, it'll be null at this point. That's # OK except for the fact that it causes e-mail to be suppressed. $comment = $comment ? $comment : " "; -$sql .= $user->id . ", $sql_timestamp, "; +push (@fields_values, $user->id); +push (@fields_values, $timestamp); + +my $est_time = 0; +my $deadline; # Time Tracking if (UserInGroup(Param("timetrackinggroup")) && defined $cgi->param('estimated_time')) { - my $est_time = $cgi->param('estimated_time'); + $est_time = $cgi->param('estimated_time'); Bugzilla::Bug::ValidateTime($est_time, 'estimated_time'); - $sql .= SqlQuote($est_time) . "," . SqlQuote($est_time) . ","; -} else { - $sql .= "0, 0, "; + trick_taint($est_time); + } +push (@fields_values, $est_time, $est_time); + if ((UserInGroup(Param("timetrackinggroup"))) && ($cgi->param('deadline'))) { validate_date($cgi->param('deadline')) || ThrowUserError('illegal_date', {date => $cgi->param('deadline'), format => 'YYYY-MM-DD'}); - $sql .= SqlQuote($cgi->param('deadline')); -} else { - $sql .= "NULL"; + $deadline = $cgi->param('deadline'); + trick_taint($deadline); } -$sql .= ")"; +push (@fields_values, $deadline); # Groups my @groupstoadd = (); +my $sth_othercontrol = $dbh->prepare(q{SELECT othercontrol + FROM group_control_map + WHERE group_id = ? + AND product_id = ?}); + foreach my $b (grep(/^bit-\d*$/, $cgi->param())) { if ($cgi->param($b)) { my $v = substr($b, 4); @@ -391,9 +415,8 @@ foreach my $b (grep(/^bit-\d*$/, $cgi->param())) { } my ($permit) = $user->in_group_id($v); if (!$permit) { - SendSQL("SELECT othercontrol FROM group_control_map - WHERE group_id = $v AND product_id = $product_id"); - my ($othercontrol) = FetchSQLData(); + my $othercontrol = $dbh->selectrow_array($sth_othercontrol, + undef, ($v, $product_id)); $permit = (($othercontrol == CONTROLMAPSHOWN) || ($othercontrol == CONTROLMAPDEFAULT)); } @@ -403,13 +426,19 @@ foreach my $b (grep(/^bit-\d*$/, $cgi->param())) { } } -SendSQL("SELECT DISTINCT groups.id, groups.name, " . - "membercontrol, othercontrol, description " . - "FROM groups LEFT JOIN group_control_map " . - "ON group_id = id AND product_id = $product_id " . - " WHERE isbuggroup != 0 AND isactive != 0 ORDER BY description"); -while (MoreSQLData()) { - my ($id, $groupname, $membercontrol, $othercontrol ) = FetchSQLData(); +my $groups = $dbh->selectall_arrayref(q{ + SELECT DISTINCT groups.id, groups.name, membercontrol, + othercontrol, description + FROM groups + LEFT JOIN group_control_map + ON group_id = id + AND product_id = ? + WHERE isbuggroup != 0 + AND isactive != 0 + ORDER BY description}, undef, $product_id); + +foreach my $group (@$groups) { + my ($id, $groupname, $membercontrol, $othercontrol) = @$group; $membercontrol ||= 0; $othercontrol ||= 0; # Add groups required @@ -428,15 +457,16 @@ $dbh->bz_lock_tables('bugs WRITE', 'bug_group_map WRITE', 'longdescs WRITE', 'user_group_map READ', 'group_group_map READ', 'keyworddefs READ', 'fielddefs READ'); -SendSQL($sql); +$dbh->do($query, undef, @fields_values); # Get the bug ID back. my $id = $dbh->bz_last_key('bugs', 'bug_id'); # Add the group restrictions +my $sth_addgroup = $dbh->prepare(q{ + INSERT INTO bug_group_map (bug_id, group_id) VALUES (?, ?)}); foreach my $grouptoadd (@groupstoadd) { - SendSQL("INSERT INTO bug_group_map (bug_id, group_id) - VALUES ($id, $grouptoadd)"); + $sth_addgroup->execute($id, $grouptoadd); } # Add the initial comment, allowing for the fact that it may be private @@ -445,40 +475,43 @@ if (Param("insidergroup") && UserInGroup(Param("insidergroup"))) { $privacy = $cgi->param('commentprivacy') ? 1 : 0; } -SendSQL("INSERT INTO longdescs (bug_id, who, bug_when, thetext, isprivate) - VALUES ($id, " . SqlQuote($user->id) . ", $sql_timestamp, " . - SqlQuote($comment) . ", $privacy)"); +trick_taint($comment); +$dbh->do(q{INSERT INTO longdescs (bug_id, who, bug_when, thetext,isprivate) + VALUES (?, ?, ?, ?, ?)}, undef, ($id, $user->id, $timestamp, + $comment, $privacy)); # Insert the cclist into the database +my $sth_cclist = $dbh->prepare(q{INSERT INTO cc (bug_id, who) VALUES (?,?)}); foreach my $ccid (keys(%ccids)) { - SendSQL("INSERT INTO cc (bug_id, who) VALUES ($id, $ccid)"); + $sth_cclist->execute($id, $ccid); } my @all_deps; +my $sth_addkeyword = $dbh->prepare(q{ + INSERT INTO keywords (bug_id, keywordid) VALUES (?, ?)}); if (UserInGroup("editbugs")) { foreach my $keyword (@keywordlist) { - SendSQL("INSERT INTO keywords (bug_id, keywordid) - VALUES ($id, $keyword)"); + $sth_addkeyword->execute($id, $keyword); } if (@keywordlist) { # Make sure that we have the correct case for the kw - SendSQL("SELECT name FROM keyworddefs WHERE id IN ( " . - join(',', @keywordlist) . ")"); - my @list; - while (MoreSQLData()) { - push (@list, FetchOneColumn()); - } - SendSQL("UPDATE bugs SET delta_ts = $sql_timestamp," . - " keywords = " . SqlQuote(join(', ', @list)) . - " WHERE bug_id = $id"); + my $kw_ids = join(', ', @keywordlist); + my $list = $dbh->selectcol_arrayref(q{ + SELECT name + FROM keyworddefs + WHERE id IN ($kw_ids)}); + my $kw_list = join(', ', @$list); + $dbh->do(q{UPDATE bugs + SET delta_ts = ?, keywords = ? + WHERE bug_id = ?}, undef, ($timestamp, $kw_list, $id)); } if ($cgi->param('dependson') || $cgi->param('blocked')) { foreach my $pair (["blocked", "dependson"], ["dependson", "blocked"]) { my ($me, $target) = @{$pair}; - + my $sth_dep = $dbh->prepare(qq{ + INSERT INTO dependencies ($me, $target) VALUES (?, ?)}); foreach my $i (@{$deps{$target}}) { - SendSQL("INSERT INTO dependencies ($me, $target) values " . - "($id, $i)"); + $sth_dep->execute($id, $i); push(@all_deps, $i); # list for mailing dependent bugs # Log the activity for the other bug: LogActivityEntry($i, $me, "", $id, $user->id, $timestamp); |