From acbf58332f37936e20e7ff10a0cc3f450a736a00 Mon Sep 17 00:00:00 2001 From: "mkanat%kerio.com" <> Date: Thu, 17 Feb 2005 02:59:36 +0000 Subject: Bug 282128: query.cgi: Eliminate deprecated Bugzilla::DB routines Patch By Max Kanat-Alexander r=LpSolit, a=myk --- query.cgi | 47 +++++++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 22 deletions(-) (limited to 'query.cgi') diff --git a/query.cgi b/query.cgi index 120dca05e..2715b5549 100755 --- a/query.cgi +++ b/query.cgi @@ -23,6 +23,7 @@ # Matthias Radestock # Gervase Markham # Byron Jones +# Max Kanat-Alexander use strict; use lib "."; @@ -54,6 +55,7 @@ use vars qw( ); my $cgi = Bugzilla->cgi; +my $dbh = Bugzilla->dbh; if (defined $::FORM{"GoAheadAndLogIn"}) { # We got here from a login page, probably from relogin.cgi. We better @@ -83,17 +85,20 @@ if ($userid) { foreach my $ref (@oldquerycookies) { my ($name, $cookiename, $value) = (@$ref); if ($value) { - my $qname = SqlQuote($name); - SendSQL("LOCK TABLES namedqueries WRITE"); - SendSQL("SELECT query FROM namedqueries " . - "WHERE userid = $userid AND name = $qname"); - my $query = FetchOneColumn(); + # If the query name contains invalid characters, don't import. + $name =~ /[<>&]/ && next; + trick_taint($name); + $dbh->do("LOCK TABLES namedqueries WRITE"); + my $query = $dbh->selectrow_array( + "SELECT query FROM namedqueries " . + "WHERE userid = ? AND name = ?", + undef, ($userid, $name)); if (!$query) { - SendSQL("INSERT INTO namedqueries " . + $dbh->do("INSERT INTO namedqueries " . "(userid, name, query) VALUES " . - "($userid, $qname, " . SqlQuote($value) . ")"); + "(?, ?, ?)", undef, ($userid, $name, $value)); } - SendSQL("UNLOCK TABLES"); + $dbh->do("UNLOCK TABLES"); } $cgi->send_cookie(-name => $cookiename, -expires => "Fri, 01-Jan-2038 00:00:00 GMT"); @@ -103,17 +108,19 @@ if ($userid) { if ($::FORM{'nukedefaultquery'}) { if ($userid) { - SendSQL("DELETE FROM namedqueries " . - "WHERE userid = $userid AND name = " . SqlQuote(DEFAULT_QUERY_NAME)); + $dbh->do("DELETE FROM namedqueries" . + " WHERE userid = ? AND name = ?", + undef, ($userid, DEFAULT_QUERY_NAME)); } $::buffer = ""; } my $userdefaultquery; if ($userid) { - SendSQL("SELECT query FROM namedqueries " . - "WHERE userid = $userid AND name = " . SqlQuote(DEFAULT_QUERY_NAME)); - $userdefaultquery = FetchOneColumn(); + $userdefaultquery = $dbh->selectrow_array( + "SELECT query FROM namedqueries " . + "WHERE userid = ? AND name = ?", + undef, ($userid, DEFAULT_QUERY_NAME)); } my %default; @@ -389,15 +396,11 @@ $default{'charts'} = \@charts; # Named queries if ($userid) { - my @namedqueries; - SendSQL("SELECT name FROM namedqueries " . - "WHERE userid = $userid AND name != " . SqlQuote(DEFAULT_QUERY_NAME) . - "ORDER BY name"); - while (MoreSQLData()) { - push(@namedqueries, FetchOneColumn()); - } - - $vars->{'namedqueries'} = \@namedqueries; + $vars->{'namedqueries'} = $dbh->selectcol_arrayref( + "SELECT name FROM namedqueries " . + "WHERE userid = ? AND name != ?" . + "ORDER BY name", + undef, ($userid, DEFAULT_QUERY_NAME)); } # Sort order -- cgit v1.2.3-24-g4f1b