kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

[wip] Passing mysql request params into array arguments for the query method (part 3)

This commit is contained in:
Emmanuel Monbroussou 2016-05-18 11:19:20 +02:00
parent 86e7bfb6b8
commit 61b07a257d
4 changed files with 64 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
bureau/class/m_mysql.php
View File

@ -288,7 +288,7 @@ class m_mysql {
}
//Grant the special user every rights.
if ($this->dbus->query("CREATE DATABASE ? ;", array($dbname)) {
if ($this->dbus->query("CREATE DATABASE ? ;", array($dbname))) {
$err->log("mysql", "add_db_succes", $dbn);
// Ok, database does not exist, quota is ok and dbname is compliant. Let's proceed
$db->query("INSERT INTO db (uid,login,pass,db,bck_mode) VALUES (?, ?, ?, ? ,0)", array($cuid, $myadm, $password, $dbname));
@ -437,7 +437,7 @@ class m_mysql {
// Update all the "pass" fields for this user :
$db->query("UPDATE db SET pass= ? WHERE uid= ?;", array($password, $cuid));
$this->dbus->query("SET PASSWORD FOR ? = PASSWORD(?);", array( $login . "@" . $this->dbus->Client, $password));
$this->dbus->query("SET PASSWORD FOR " .$login . "@" . $this->dbus->Client . " = PASSWORD(?);", array($password));
return true;
}
@ -472,13 +472,14 @@ class m_mysql {
$err->raise("mysql", _("The username can contain only letters and numbers."));
return false;
}
$db->query("select name from dbusers where name='" . $user . "' ;");
$db->query("select name from dbusers where name= ? ;", array($user));
if (!$db->num_rows()) {
$err->raise("mysql", _("Database user not found"));
return false;
}
// @TODO:EM: does this part have to be escaped?
# Protect database name if not wildcard
if ($base != '*') {
$base = "`" . $base . "`";
@ -555,6 +556,7 @@ class m_mysql {
* @access private
*/
function get_db_size($dbname) {
// @TODO:EM: does this part have to be escaped?
$this->dbus->query("SHOW TABLE STATUS FROM `$dbname`;");
$size = 0;
while ($this->dbus->next_record()) {
@ -576,9 +578,9 @@ class m_mysql {
$err->log("mysql", "get_userslist");
$c = array();
if (!$all) {
$db->query("SELECT name FROM dbusers WHERE uid='$cuid' and enable not in ('ADMIN','HIDDEN') ORDER BY name;");
$db->query("SELECT name FROM dbusers WHERE uid= ? and enable not in ('ADMIN','HIDDEN') ORDER BY name;", array($cuid));
} else {
$db->query("SELECT name FROM dbusers WHERE uid='$cuid' ORDER BY name;");
$db->query("SELECT name FROM dbusers WHERE uid= ? ORDER BY name;", array($cuid));
}
while ($db->next_record()) {
$pos = strpos($db->f("name"), "_");
@ -600,7 +602,7 @@ class m_mysql {
$dbu = $dbn;
$r = array();
$dbn = str_replace('_', '\_', $dbn);
$this->dbus->query("Select * from mysql.db where Db='" . $dbn . "' and User!='" . $cuid . "_myadm';");
$this->dbus->query("Select * from mysql.db where Db= ? and User!= ? ;", array($dbn, $cuid."_myadm"));
if (!$db->num_rows()) {
return $r;
@ -666,7 +668,7 @@ class m_mysql {
}
}
} //endwhile
if (!$db->query("SELECT name,password from dbusers where name='" . $dbu . "';")) {
if (!$db->query("SELECT name,password from dbusers where name= ? ;", array($dbu))) {
return $r;
}
@ -699,7 +701,6 @@ class m_mysql {
} else {
$user = $usern;
}
$pass = addslashes($password);
if (!$usern) {
$err->raise("mysql", _("The username is mandatory"));
@ -720,7 +721,7 @@ class m_mysql {
$err->raise("mysql", _("MySQL username cannot exceed %d characters"), $len);
return false;
}
$db->query("SELECT * FROM dbusers WHERE name='$user';");
$db->query("SELECT * FROM dbusers WHERE name= ? ;", array($user));
if ($db->num_rows()) {
$err->raise("mysql", _("The database user already exists"));
return false;
@ -738,7 +739,7 @@ class m_mysql {
}
// We add him to the user table
$db->query("INSERT INTO dbusers (uid,name,password,enable) VALUES($cuid,'$user','$password','ACTIVATED');");
$db->query("INSERT INTO dbusers (uid,name,password,enable) VALUES( ?, ?, ?, 'ACTIVATED');", array($cuid, $user, $password));
$this->grant("*", $user, "USAGE", $pass);
return true;
@ -752,14 +753,13 @@ class m_mysql {
* @param $password The password for this username
* @param $passconf The password confirmation
* @return boolean if the password has been changed in MySQL or FALSE if an error occurred
* @TODO:EM: is this correctly escaped ?
* */
function change_user_password($usern, $password, $passconf) {
global $db, $err, $cuid, $admin;
$err->log("mysql", "change_user_pass", $usern);
$usern = trim($usern);
$user = addslashes($usern);
$pass = addslashes($password);
if ($password != $passconf || !$password) {
$err->raise("mysql", _("The passwords do not match"));
return false;
@ -771,8 +771,8 @@ class m_mysql {
return false; // The error has been raised by checkPolicy()
}
}
$this->dbus->query("SET PASSWORD FOR '" . $user . "'@'" . $this->dbus->Client . "' = PASSWORD('" . $pass . "');");
$db->query("UPDATE dbusers set password='" . $pass . "' where name='" . $usern . "' and uid=$cuid ;");
$this->dbus->query("SET PASSWORD FOR '" . addslashes($usern) . "'@'" . $this->dbus->Client . "' = PASSWORD(?);", array($pass));
$db->query("UPDATE dbusers set password= ? where name= ? and uid= ? ;", array($pass, $usern, $cuid));
return true;
}
@ -792,9 +792,9 @@ class m_mysql {
return false;
}
if (!$all) {
$db->query("SELECT name FROM dbusers WHERE name='" . $user . "' and enable not in ('ADMIN','HIDDEN');");
$db->query("SELECT name FROM dbusers WHERE name= ? and enable not in ('ADMIN','HIDDEN');", array($user));
} else {
$db->query("SELECT name FROM dbusers WHERE uid='" . $cuid . "' ;");
$db->query("SELECT name FROM dbusers WHERE uid= ? ;", array($cuid));
}
if (!$db->num_rows()) {
@ -805,12 +805,13 @@ class m_mysql {
$login = $db->f("name");
// Ok, database exists and dbname is compliant. Let's proceed
// @TODO:EM: is this correctly escaped ?
$this->dbus->query("REVOKE ALL PRIVILEGES ON *.* FROM '" . $user . "'@'" . $this->dbus->Client . "';");
$this->dbus->query("DELETE FROM mysql.db WHERE User='" . $user . "' AND Host='" . $this->dbus->Client . "';");
$this->dbus->query("DELETE FROM mysql.user WHERE User='" . $user . "' AND Host='" . $this->dbus->Client . "';");
$this->dbus->query("DELETE FROM mysql.db WHERE User= ? AND Host= ? ;", array($user, $this->dbus->Client));
$this->dbus->query("DELETE FROM mysql.user WHERE User= ? AND Host= ? ;", array($user, $this->dbus->Client));
$this->dbus->query("FLUSH PRIVILEGES");
$db->query("DELETE FROM dbusers WHERE uid='$cuid' AND name='" . $user . "';");
$db->query("DELETE FROM dbusers WHERE uid= ? AND name= ? ;", array($cuid, $user));
return true;
}
@ -824,7 +825,7 @@ class m_mysql {
function get_user_dblist($user) {
global $db, $err;
$this->dbus->query("SELECT * FROM mysql.user WHERE User='" . $user . "' AND Host='" . $this->dbus->Client . "';");
$this->dbus->query("SELECT * FROM mysql.user WHERE User= ? AND Host= ? ;", array($user, $this->dbus->Client));
if (!$this->dbus->next_record()) {
$err->raise('mysql', _("This user does not exist in the MySQL/User database"));
return false;
@ -836,10 +837,10 @@ class m_mysql {
foreach ($dblist as $tab) {
$pos = strpos($tab['db'], "_");
if ($pos === false) {
$this->dbus->query("SELECT * FROM mysql.db WHERE User='" . $user . "' AND Host='" . $this->dbus->Client . "' AND Db='" . $tab["db"] . "';");
$this->dbus->query("SELECT * FROM mysql.db WHERE User= ? AND Host= ? AND Db= ? ;", array($user, $this->dbus->Client, $tab["db"]));
} else {
$dbname = str_replace('_', '\_', $tab['db']);
$this->dbus->query("SELECT * FROM mysql.db WHERE User='" . $user . "' AND Host='" . $this->dbus->Client . "' AND Db='" . $dbname . "';");
$this->dbus->query("SELECT * FROM mysql.db WHERE User= ? AND Host= ? AND Db= ? ;", array($user, $this->dbus->Client, $dbname) );
}
if ($this->dbus->next_record()) {
$r[] = array("db" => $tab["db"], "select" => $this->dbus->f("Select_priv"), "insert" => $this->dbus->f("Insert_priv"), "update" => $this->dbus->f("Update_priv"), "delete" => $this->dbus->f("Delete_priv"), "create" => $this->dbus->f("Create_priv"), "drop" => $this->dbus->f("Drop_priv"), "references" => $this->dbus->f("References_priv"), "index" => $this->dbus->f("Index_priv"), "alter" => $this->dbus->f("Alter_priv"), "create_tmp" => $this->dbus->f("Create_tmp_table_priv"), "lock" => $this->dbus->f("Lock_tables_priv"),
@ -872,8 +873,6 @@ class m_mysql {
global $err;
$err->log("mysql", "set_user_rights");
$usern = addslashes($user);
$dbname = addslashes($dbn);
$dbname = str_replace('_', '\_', $dbname);
// On genere les droits en fonction du tableau de droits
$strrights = "";
@ -937,7 +936,12 @@ class m_mysql {
}
// We reset all user rights on this DB :
$this->dbus->query("SELECT * FROM mysql.db WHERE User = '$usern' AND Db = '$dbname';");
$this->dbus->query("SELECT * FROM mysql.db WHERE User = ? AND Db = ?;", array($usern, $dbname));
// @TODO:EM: This has to be verified, and maybe we should use another way to escape those requests
$usern = addslashes($user);
$dbname = addslashes($dbn);
if ($this->dbus->num_rows()) {
$this->dbus->query("REVOKE ALL PRIVILEGES ON `$dbname`.* FROM '$usern'@'" . $this->dbus->Client . "';");
}
@ -999,7 +1003,7 @@ class m_mysql {
global $db, $err, $cuid, $mem;
$err->log("mysql", "alternc_add_member");
//checking for the phpmyadmin user
$db->query("SELECT name,password FROM dbusers WHERE uid=$cuid AND Type='ADMIN';");
$db->query("SELECT name,password FROM dbusers WHERE uid= ? AND Type='ADMIN';", array($cuid));
if ($db->num_rows()) {
$myadm = $db->f("name");
$password = $db->f("password");
@ -1009,7 +1013,7 @@ class m_mysql {
}
$db->query("INSERT INTO dbusers (uid,name,password,enable) VALUES ('$cuid','$myadm','$password','ADMIN');");
$db->query("INSERT INTO dbusers (uid,name,password,enable) VALUES (?, ?, ?, 'ADMIN');", array($cuid, $myadm, $password));
return true;
}
@ -1061,7 +1065,7 @@ class m_mysql {
//TODO don't work with separated sql server for dbusers
global $db, $err, $cuid;
$err->log("mysql", "export");
$db->query("SELECT login, pass, db, bck_mode, bck_dir, bck_history, bck_gzip FROM db WHERE uid='$cuid';");
$db->query("SELECT login, pass, db, bck_mode, bck_dir, bck_history, bck_gzip FROM db WHERE uid= ? ;", array($cuid));
$str = "";
if ($db->next_record()) {
$str.=" <sql>\n";
@ -1093,7 +1097,7 @@ class m_mysql {
function alternc_export_data($dir) {
global $db, $err, $cuid;
$err->log("mysql", "export_data");
$db->query("SELECT db.login, db.pass, db.db, dbusers.name FROM db,dbusers WHERE db.uid='$cuid' AND dbusers.uid=db.uid;");
$db->query("SELECT db.login, db.pass, db.db, dbusers.name FROM db,dbusers WHERE db.uid= ? AND dbusers.uid=db.uid;", array($cuid));
$dir.="sql/";
if (!is_dir($dir)) {
if (!mkdir($dir)) {
@ -1133,6 +1137,7 @@ class m_mysql {
$this->dbus->query("show databases;");
$res = array();
//@TODO: this has to be done in another way
while ($this->dbus->next_record()) {
$dbname = $this->dbus->f("Database");
$c = mysql_query("SHOW TABLE STATUS FROM $dbname;");

20
bureau/class/m_piwik.php
View File

@ -77,7 +77,7 @@ class m_piwik {
*/
function hook_quota_get() {
global $db, $cuid;
$db->query("SELECT COUNT(id) AS nb FROM piwik_users WHERE uid='$cuid'");
$db->query("SELECT COUNT(id) AS nb FROM piwik_users WHERE uid= ? ;", array($cuid));
$q=Array("name"=>"piwik", "description"=>_("Statistics through Piwik accounts"), "used"=>0);
if ($db->next_record()) {
$q['used']=$db->f('nb');
@ -110,7 +110,7 @@ class m_piwik {
if ($api_data->result === 'success') {
$user = $this->get_user($user_login);
$user_creation_date = $user->date_registered;
return $db->query("INSERT INTO piwik_users (uid, login, created_date) VALUES ('$cuid', '$user_login', '$user_creation_date')");
return $db->query("INSERT INTO piwik_users (uid, login, created_date) VALUES ( ?, ?, ?,);", array($cuid, $user_login, $user_creation_date));
}
} else { // api_data = false -> error is already filled
return FALSE;
@ -169,7 +169,7 @@ class m_piwik {
global $db, $cuid;
static $alternc_users = array();
$db->query("SELECT login FROM piwik_users WHERE uid='$cuid'");
$db->query("SELECT login FROM piwik_users WHERE uid= ?;", array($cuid));
while ($db->next_record())
array_push($alternc_users, $db->f('login'));
@ -180,13 +180,13 @@ class m_piwik {
function user_delete($piwik_user_login) {
global $db, $cuid, $err;
$db->query("SELECT created_date, COUNT(id) AS cnt FROM piwik_users WHERE uid='$cuid' AND login='$piwik_user_login'");
$db->query("SELECT created_date, COUNT(id) AS cnt FROM piwik_users WHERE uid= ? AND login= ? ", array($cuid, $piwik_user_login));
$db->next_record();
if ($db->f('cnt') == 1) {
$api_data = $this->call_privileged_page('API', 'UsersManager.deleteUser', array('userLogin' => $piwik_user_login));
if ($api_data->result == 'success') {
return $db->query("DELETE FROM piwik_users WHERE uid='$cuid' AND login='$piwik_user_login'");
return $db->query("DELETE FROM piwik_users WHERE uid= ? AND login= ? ;", array($cuid, $piwik_user_login));
}
else {
return FALSE;
@ -200,7 +200,7 @@ class m_piwik {
function users_list() {
global $db, $cuid;
$db->query("SELECT login FROM piwik_users WHERE uid = '$cuid'");
$db->query("SELECT login FROM piwik_users WHERE uid = ?;", array($cuid));
if ($db->num_rows() == 0)
return array();
$users = '';
@ -277,7 +277,7 @@ class m_piwik {
global $db, $cuid;
static $alternc_sites = array();
$db->query("SELECT piwik_id AS site_id FROM piwik_sites WHERE uid='$cuid'");
$db->query("SELECT piwik_id AS site_id FROM piwik_sites WHERE uid= ? ;", array($cuid));
while ($db->next_record())
array_push($alternc_sites, $db->f('site_id'));
@ -294,7 +294,7 @@ class m_piwik {
global $db, $cuid;
$urls = is_array($urls) ? implode(',', $urls) : $urls;
$api_data = $this->call_privileged_page('API', 'SitesManager.addSite', array('siteName' => $siteName, 'urls' => $urls));
$db->query("INSERT INTO piwik_sites set uid='$cuid', piwik_id='{$api_data->value}'");
$db->query("INSERT INTO piwik_sites set uid= ? , piwik_id= ? ", array($cuid, $api_data->value));
return TRUE;
}
@ -304,13 +304,13 @@ class m_piwik {
function site_delete($site_id) {
global $db, $cuid, $err;
$db->query("SELECT COUNT(id) AS cnt FROM piwik_sites WHERE uid='$cuid' AND piwik_id='$site_id'");
$db->query("SELECT COUNT(id) AS cnt FROM piwik_sites WHERE uid= ? AND piwik_id= ? ;", array($cuid, $site_id));
$db->next_record();
if ($db->f('cnt') == 1) {
$api_data = $this->call_privileged_page('API', 'SitesManager.deleteSite', array('idSite' => $site_id));
if ($api_data->result == 'success') {
return $db->query("DELETE FROM piwik_sites where uid='$cuid' AND piwik_id='$site_id' LIMIT 1");
return $db->query("DELETE FROM piwik_sites where uid= ? AND piwik_id= ? LIMIT 1", array($cuid, $site_id));
} else {
return FALSE;
}

24
bureau/class/m_quota.php
View File

@ -157,7 +157,7 @@ class m_quota {
$type = $quota->listtype();
foreach ($type as $t) {
foreach ($qt as $q => $vv) {
$db->query("INSERT IGNORE defquotas (value,quota,type) VALUES (0,'$q','$t');");
$db->query("INSERT IGNORE defquotas (value,quota,type) VALUES (0, ?, ?);", array($q, $t));
}
}
return true;
@ -212,7 +212,7 @@ class m_quota {
}
// Get the allowed quota from database.
$db->query("select name, total from quotas where uid='$cuid';");
$db->query("select name, total from quotas where uid= ? ;", array($cuid));
while ($db->next_record()) {
$this->quotas[$db->f('name')]['t'] = $db->f('total');
}
@ -255,11 +255,11 @@ class m_quota {
}
}
// We check that this ressource exists for this client :
$db->query("SELECT * FROM quotas WHERE uid='$cuid' AND name='$ressource'");
$db->query("SELECT * FROM quotas WHERE uid= ? AND name= ? ", array($cuid, $ressource));
if ($db->num_rows()) {
$db->query("UPDATE quotas SET total='$size' WHERE uid='$cuid' AND name='$ressource';");
$db->query("UPDATE quotas SET total= e WHERE uid= ? AND name= ?;", array($size, $cuid, $ressource));
} else {
$db->query("INSERT INTO quotas (uid,name,total) VALUES ('$cuid','$ressource','$size');");
$db->query("INSERT INTO quotas (uid,name,total) VALUES (?, ?, ?);", array($cuid, $ressource, $size));
}
return true;
}
@ -272,7 +272,7 @@ class m_quota {
function delquotas() {
global $db, $err, $cuid;
$err->log("quota", "delquota");
$db->query("DELETE FROM quotas WHERE uid='$cuid';");
$db->query("DELETE FROM quotas WHERE uid= ?;", array($cuid));
return true;
}
@ -309,7 +309,7 @@ class m_quota {
foreach ($newq as $type => $quotas) {
foreach ($quotas as $qname => $value) {
if (array_key_exists($qname, $qlist)) {
if (!$db->query("REPLACE INTO defquotas (value,quota,type) VALUES ($value,'$qname','$type');")) {
if (!$db->query("REPLACE INTO defquotas (value,quota,type) VALUES ( ?, ?, ?); ", array($value, $qname, $type))) {
return false;
}
}
@ -336,7 +336,7 @@ class m_quota {
return false;
}
while (list($key, $val) = each($qlist)) {
if (!$db->query("INSERT IGNORE INTO defquotas (quota,type) VALUES('$key', '$type');") || $db->affected_rows() == 0) {
if (!$db->query("INSERT IGNORE INTO defquotas (quota,type) VALUES(?, ?);", array($key, $type)) || $db->affected_rows() == 0) {
return false;
}
}
@ -367,8 +367,8 @@ class m_quota {
function deltype($type) {
global $db;
if ($db->query("UPDATE membres SET type='default' WHERE type='$type'") &&
$db->query("DELETE FROM defquotas WHERE type='$type'")) {
if ($db->query("UPDATE membres SET type='default' WHERE type= ? ;", array($type)) &&
$db->query("DELETE FROM defquotas WHERE type= ?;", array($type))) {
return true;
} else {
return false;
@ -390,12 +390,12 @@ class m_quota {
if (!$db->next_record()) {
$this->addtype('default');
}
$db->query("SELECT type FROM membres WHERE uid='$cuid'");
$db->query("SELECT type FROM membres WHERE uid= ?;", array($cuid));
$db->next_record();
$t = $db->f("type");
foreach ($ql as $res => $val) {
$db->query("SELECT value FROM defquotas WHERE quota='$res' AND type='$t'");
$db->query("SELECT value FROM defquotas WHERE quota= ? AND type= ? ;", array($res, $t));
$q = $db->next_record() ? $db->f("value") : 0;
$this->setquota($res, $q);
}

11
bureau/class/variables.php
View File

@ -128,11 +128,14 @@ function variable_set($name, $value, $comment = null) {
if (!array_key_exists($name, $conf) || $value != $conf[$name]) {
$conf[$name] = $value;
if (empty($comment)) {
$query = "INSERT INTO variable (name, value) values ('" . $name . "', '" . addslashes($value2) . "') on duplicate key update name='" . $name . "', value='" . addslashes($value2) . "';";
$query = "INSERT INTO variable (name, value) values ( ?, ?) on duplicate key update name= ?, value= ? ;";
$query_args = array($name, $value2, $name, $value2);
} else {
$query = "INSERT INTO variable (name, value, comment) values ('" . $name . "', '" . addslashes($value2) . "', '$comment') on duplicate key update name='" . $name . "', value='" . addslashes($value2) . "', comment='" . addslashes($comment) . "';";
$query = "INSERT INTO variable (name, value, comment) values ( ?, ?, ?) on duplicate key update name= ?, value= ?, comment= ? ;";
$query_args = array($name, $value2, $comment, $name, $value2, $comment);
}
$db->query($query);
$db->query($query, $query_args);
$hooks->invoke("hook_variable_set", array("name" => $name, "old" => $previous, "new" => $value));
}
}
@ -145,7 +148,7 @@ function variable_set($name, $value, $comment = null) {
*/
function variable_del($name) {
global $conf, $db;
$db->query("DELETE FROM `variable` WHERE name = '" . $name . "'");
$db->query("DELETE FROM `variable` WHERE name = ?;", array($name));
unset($conf[$name]);
}