Changeset 82 for branches/1.1dev/lib
- Timestamp:
- Apr 8, 2006 3:07:57 AM (18 years ago)
- Location:
- branches/1.1dev/lib
- Files:
-
- 8 edited
branches/1.1dev/lib/AuthSQL.inc.php
r81 r82 185 185 SELECT *, " . $this->_params['user_id_column'] . " AS user_id 186 186 FROM " . $this->_params['user_tbl'] . " 187 WHERE BINARY username = '" . addslashes($username) . "'188 AND BINARY userpass = '" . addslashes($this->encryptPassword($password)) . "'187 WHERE BINARY username = '" . mysql_real_escape_string($username) . "' 188 AND BINARY userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "' 189 189 "); 190 190 … … 331 331 $qid = dbQuery(" 332 332 SELECT 1 FROM " . $this->_params['user_tbl'] . " 333 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'333 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 334 334 AND DATE_ADD(last_login_datetime, INTERVAL '" . $this->_params['login_timeout'] . "' SECOND) > NOW() 335 335 AND DATE_ADD(last_access_datetime, INTERVAL '" . $this->_params['idle_timeout'] . "' SECOND) > NOW() … … 444 444 { 445 445 if ($this->getFeature('blocking')) { 446 if (strlen( addslashes($reason)) > 255) {446 if (strlen(mysql_real_escape_string($reason)) > 255) { 447 447 // blocked_reason field is varchar(255). 448 448 logMsg(sprintf('Blocked reason provided is greater than 255 characters: %s', $reason), LOG_WARNING, __FILE__, __LINE__); … … 454 454 UPDATE " . $this->_params['user_tbl'] . " SET 455 455 blocked = 'true', 456 blocked_reason = '" . addslashes($reason) . "'457 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'456 blocked_reason = '" . mysql_real_escape_string($reason) . "' 457 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 458 458 "); 459 459 } … … 472 472 blocked = '', 473 473 blocked_reason = '' 474 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'474 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . 
"' 475 475 "); 476 476 } … … 486 486 function usernameExists($username) 487 487 { 488 $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . addslashes($username) . "'");488 $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . mysql_real_escape_string($username) . "'"); 489 489 return (mysql_num_rows($qid) > 0); 490 490 } … … 499 499 function getUsername($user_id) 500 500 { 501 $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'");501 $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'"); 502 502 if (list($username) = mysql_fetch_row($qid)) { 503 503 return $username; … … 577 577 dbQuery(" 578 578 UPDATE " . $this->_params['user_tbl'] . " 579 SET userpass = '" . addslashes($this->encryptPassword($password)) . "'580 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'579 SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "' 580 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 581 581 "); 582 582 } … … 600 600 $qid = dbQuery(" 601 601 SELECT * FROM " . $this->_params['user_tbl'] . " 602 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'602 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 603 603 "); 604 604 $user_data = mysql_fetch_assoc($qid); … … 610 610 dbQuery(" 611 611 UPDATE " . $this->_params['user_tbl'] . " 612 SET userpass = '" . addslashes($this->encryptPassword($password)) . "'613 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'612 SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . 
"' 613 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 614 614 "); 615 615 -
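Review bot: mysql_real_escape_string() on the new line 187 needs an open MySQL link; without one it returns false with a warning, and false concatenates as an empty string, so the login query would silently run as `WHERE BINARY username = ''` instead of failing. The swap is therefore only sound if dbQuery's connection is guaranteed to be open before authentication and before every other call in this file (333, 446, 456-457, 474, 488, 501, 579-580, 602, 612-613); a small wrapper that checks the link and logs or throws would make that assumption explicit. The hunk around 333 also still interpolates `$this->_params['login_timeout']` and `idle_timeout` raw on 334-335; those appear to be configuration values, so the risk is low, but casting them with `(int)` would close it. The enclosing methods start outside the hunks.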
branches/1.1dev/lib/MySQLSessionHandler.inc.php
r81 r82 52 52 53 53 // Select the data belonging to session $session_id from the MySQL session table 54 $qid = mysql_query("SELECT session_data FROM " . $sess_mysql['table'] . " WHERE session_id = '" . addslashes($session_id) . "'", $sess_mysql['dbh']);54 $qid = mysql_query("SELECT session_data FROM " . $sess_mysql['table'] . " WHERE session_id = '" . mysql_real_escape_string($session_id) . "'", $sess_mysql['dbh']); 55 55 56 56 // Check for errors … … 75 75 76 76 // Write the serialized session data ($session_data) to the MySQL session table 77 mysql_query("REPLACE INTO " . $sess_mysql['table'] . "(session_id, session_data, last_access) VALUES ('" . addslashes($session_id) . "', '" . addslashes($session_data) . "', null)", $sess_mysql['dbh']);77 mysql_query("REPLACE INTO " . $sess_mysql['table'] . "(session_id, session_data, last_access) VALUES ('" . mysql_real_escape_string($session_id) . "', '" . mysql_real_escape_string($session_data) . "', null)", $sess_mysql['dbh']); 78 78 79 79 // Check for errors … … 91 91 92 92 // Delete from the MySQL table all data for the session $session_id 93 mysql_query("DELETE FROM " . $sess_mysql['table'] . " WHERE session_id = '" . addslashes($session_id) . "'", $sess_mysql['dbh']);93 mysql_query("DELETE FROM " . $sess_mysql['table'] . " WHERE session_id = '" . mysql_real_escape_string($session_id) . "'", $sess_mysql['dbh']); 94 94 95 95 // Check for errors -
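Review bot: The escape calls on lines 54, 77 and 93 use the default link, while the matching mysql_query() calls pass `$sess_mysql['dbh']` explicitly; if the session handler's connection is not the last-opened link, the escaping is done with another connection's character set, or fails and returns false when none is open. Pass the same link the queries use, e.g. `mysql_real_escape_string($session_id, $sess_mysql['dbh'])` and `mysql_real_escape_string($session_data, $sess_mysql['dbh'])`. The enclosing handler functions start outside the hunks.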
branches/1.1dev/lib/NodeHeirarchy.inc.php
r81 r82 202 202 title 203 203 ) VALUES ( 204 '" . addslashes($parent['node_type']) . "',205 '" . addslashes($parent['node_id']) . "',206 '" . addslashes($child_type) . "',207 '" . addslashes($child_id) . "',208 " . (is_null($relationship_type) ? "NULL" : "'" . addslashes($relationship_type) . "'") . ",209 '" . addslashes($title) . "'204 '" . mysql_real_escape_string($parent['node_type']) . "', 205 '" . mysql_real_escape_string($parent['node_id']) . "', 206 '" . mysql_real_escape_string($child_type) . "', 207 '" . mysql_real_escape_string($child_id) . "', 208 " . (is_null($relationship_type) ? "NULL" : "'" . mysql_real_escape_string($relationship_type) . "'") . ", 209 '" . mysql_real_escape_string($title) . "' 210 210 ) 211 211 "); … … 250 250 dbQuery(" 251 251 DELETE FROM node_tbl 252 WHERE child_type = '" . addslashes($child_type) . "'253 AND child_id = '" . addslashes($child_id) . "'252 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 253 AND child_id = '" . mysql_real_escape_string($child_id) . "' 254 254 "); 255 255 logMsg(sprintf('deleteNode: Deleted node %s %s.', $child_type, $child_id), LOG_DEBUG, __FILE__, __LINE__); … … 316 316 $qid = dbQuery(" 317 317 SELECT title FROM node_tbl 318 WHERE child_type = '" . addslashes($child_type) . "'319 AND child_id = '" . addslashes($child_id) . "'320 AND relationship_type " . (is_null($relationship_type) ? "IS NULL" : "= '" . addslashes($relationship_type) . "'") . "318 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 319 AND child_id = '" . mysql_real_escape_string($child_id) . "' 320 AND relationship_type " . (is_null($relationship_type) ? "IS NULL" : "= '" . mysql_real_escape_string($relationship_type) . "'") . " 321 321 "); 322 322 list($title) = mysql_fetch_row($qid); … … 326 326 dbQuery(" 327 327 DELETE FROM node_tbl 328 WHERE child_type = '" . addslashes($child_type) . "'329 AND child_id = '" . addslashes($child_id) . "'330 AND relationship_type " . 
(is_null($relationship_type) ? "IS NULL" : "= '" . addslashes($relationship_type) . "'") . "328 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 329 AND child_id = '" . mysql_real_escape_string($child_id) . "' 330 AND relationship_type " . (is_null($relationship_type) ? "IS NULL" : "= '" . mysql_real_escape_string($relationship_type) . "'") . " 331 331 "); 332 332 logMsg(sprintf('moveNode: Deleted node %s %s.', $child_type, $child_id), LOG_DEBUG, __FILE__, __LINE__); … … 364 364 $type_constraint = array($type_constraint); 365 365 } 366 $in_clause = "AND parent_type IN ('" . join("','", array_map(' addslashes', $type_constraint)) . "')";366 $in_clause = "AND parent_type IN ('" . join("','", array_map('mysql_real_escape_string', $type_constraint)) . "')"; 367 367 } 368 368 … … 370 370 SELECT parent_type, parent_id 371 371 FROM node_tbl 372 WHERE child_type = '" . addslashes($child_type) . "'373 AND child_id = '" . addslashes($child_id) . "'372 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 373 AND child_id = '" . mysql_real_escape_string($child_id) . "' 374 374 $in_clause 375 " . addslashes($order) . "375 " . mysql_real_escape_string($order) . " 376 376 "); 377 377 … … 410 410 SELECT child_type, child_id, title, subnode_quantity 411 411 FROM node_tbl 412 WHERE child_type = '" . addslashes($child_type) . "'413 AND child_id = '" . addslashes($child_id) . "'412 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 413 AND child_id = '" . mysql_real_escape_string($child_id) . "' 414 414 "); 415 415 … … 453 453 $type_constraint = array($type_constraint); 454 454 } 455 $in_clause = "AND child_type IN ('" . join("','", array_map(' addslashes', $type_constraint)) . "')";455 $in_clause = "AND child_type IN ('" . join("','", array_map('mysql_real_escape_string', $type_constraint)) . "')"; 456 456 } 457 457 … … 459 459 SELECT * 460 460 FROM node_tbl 461 WHERE parent_type = '" . addslashes($child_type) . 
"'462 AND parent_id = '" . addslashes($child_id) . "'461 WHERE parent_type = '" . mysql_real_escape_string($child_type) . "' 462 AND parent_id = '" . mysql_real_escape_string($child_id) . "' 463 463 $in_clause 464 " . addslashes($order) . "464 " . mysql_real_escape_string($order) . " 465 465 "); 466 466 … … 502 502 $type_constraint = array($type_constraint); 503 503 } 504 $in_clause = "AND child_type IN ('" . join("','", array_map(' addslashes', $type_constraint)) . "')";504 $in_clause = "AND child_type IN ('" . join("','", array_map('mysql_real_escape_string', $type_constraint)) . "')"; 505 505 } 506 506 … … 508 508 SELECT COUNT(*) 509 509 FROM node_tbl 510 WHERE parent_type = '" . addslashes($child_type) . "'511 AND parent_id = '" . addslashes($child_id) . "'510 WHERE parent_type = '" . mysql_real_escape_string($child_type) . "' 511 AND parent_id = '" . mysql_real_escape_string($child_id) . "' 512 512 $in_clause 513 513 "); … … 590 590 SELECT parent_type, parent_id, child_type, child_id, title, subnode_quantity 591 591 FROM node_tbl 592 WHERE child_type = '" . addslashes($child_type) . "'593 AND child_id = '" . addslashes($child_id) . "'592 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 593 AND child_id = '" . mysql_real_escape_string($child_id) . "' 594 594 "); 595 595 while ($row = mysql_fetch_assoc($qid)) { … … 649 649 $qid = dbQuery(" 650 650 SELECT 1 FROM node_tbl 651 WHERE parent_type = '" . addslashes($parent_type) . "'652 AND parent_id = '" . addslashes($parent_id) . "'653 AND child_type = '" . addslashes($child_type) . "'654 AND child_id = '" . addslashes($child_id) . "'655 AND relationship_type " . (is_null($relationship_type) ? "IS NULL" : "= '" . addslashes($relationship_type) . "'") . "651 WHERE parent_type = '" . mysql_real_escape_string($parent_type) . "' 652 AND parent_id = '" . mysql_real_escape_string($parent_id) . "' 653 AND child_type = '" . mysql_real_escape_string($child_type) . "' 654 AND child_id = '" . 
mysql_real_escape_string($child_id) . "' 655 AND relationship_type " . (is_null($relationship_type) ? "IS NULL" : "= '" . mysql_real_escape_string($relationship_type) . "'") . " 656 656 "); 657 657 } else { 658 658 $qid = dbQuery(" 659 659 SELECT 1 FROM node_tbl 660 WHERE child_type = '" . addslashes($child_type) . "'661 AND child_id = '" . addslashes($child_id) . "'660 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 661 AND child_id = '" . mysql_real_escape_string($child_id) . "' 662 662 "); 663 663 } … … 781 781 dbQuery(" 782 782 UPDATE node_tbl 783 SET subnode_quantity = subnode_quantity + '" . addslashes($num_children) . "'784 WHERE child_type = '" . addslashes($child_type) . "'785 AND child_id = '" . addslashes($child_id) . "'783 SET subnode_quantity = subnode_quantity + '" . mysql_real_escape_string($num_children) . "' 784 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 785 AND child_id = '" . mysql_real_escape_string($child_id) . "' 786 786 ",false); 787 787 $qid = dbQuery(" 788 788 SELECT parent_type, parent_id 789 789 FROM node_tbl 790 WHERE child_type = '" . addslashes($child_type) . "'791 AND child_id = '" . addslashes($child_id) . "'790 WHERE child_type = '" . mysql_real_escape_string($child_type) . "' 791 AND child_id = '" . mysql_real_escape_string($child_id) . "' 792 792 ",false); 793 793 while ((list($parent_type, $parent_id) = mysql_fetch_row($qid)) && $parent_id > 0) { -
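Review bot: `$order` on lines 375 and 464 is a whole SQL fragment (an ORDER BY clause) inserted unquoted, so escaping quote characters neither constrains it nor is harmless — any quoted literal the fragment legitimately contains is corrupted by the added backslashes. mysql_real_escape_string() only protects a value placed inside a quoted string literal; a clause like this should be built from a fixed whitelist of known column names (or validated against one by the caller) and concatenated unescaped. The same applies to the other bare, unquoted uses in this changeset — OrderStatus.inc.php lines 20, 54, 107, 113, 131 and 216, PageNumbers.inc.php 199, SortOrder.inc.php 151 and Utilities.inc.php 489: numeric values there should be cast with `(int)` and string values wrapped in quotes rather than escaped bare. The remaining changes in this file (204-209, 252-253, 318-320, 328-330, 366, 372-373, 412-413, 455, 461-462, 504, 510-511, 592-593, 651-655, 660-661, 783-785, 790-791) quote their values and look correct as far as the hunks show. Each enclosing function starts outside its hunk.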
branches/1.1dev/lib/OrderStatus.inc.php
r81 r82 18 18 { 19 19 if ($status != '') { 20 $whereclause = 'WHERE status = ' . addslashes($status);20 $whereclause = 'WHERE status = ' . mysql_real_escape_string($status); 21 21 } else { 22 22 $whereclause = ''; … … 52 52 global $CFG, $_SESSION; 53 53 54 $qid = dbQuery("SELECT status, email, first_name, last_name FROM order_tbl WHERE order_id = " . addslashes($order_id));54 $qid = dbQuery("SELECT status, email, first_name, last_name FROM order_tbl WHERE order_id = " . mysql_real_escape_string($order_id)); 55 55 if (mysql_num_rows($qid) == 1) { 56 56 /* The order exists, we contine. */ … … 105 105 /* Otherwise we assume everything was updated okay and that 106 106 * we have a valid new status and so proceed updating the orders table. */ 107 dbQuery("UPDATE order_tbl SET status = " . addslashes($db_update) . " WHERE order_id = " . addslashes($order_id));107 dbQuery("UPDATE order_tbl SET status = " . mysql_real_escape_string($db_update) . " WHERE order_id = " . mysql_real_escape_string($order_id)); 108 108 109 109 if ($email_user == true) { … … 111 111 112 112 /* Query to load the details of this order. */ 113 $qid_order = dbQuery("SELECT * FROM order_tbl WHERE order_id = " . addslashes($order_id));113 $qid_order = dbQuery("SELECT * FROM order_tbl WHERE order_id = " . mysql_real_escape_string($order_id)); 114 114 $order = mysql_fetch_assoc($qid_order); 115 115 … … 129 129 LEFT JOIN product_tbl p 130 130 ON (oi.product_id = p.product_id) 131 WHERE oi.order_id = " . addslashes($order_id) . "131 WHERE oi.order_id = " . mysql_real_escape_string($order_id) . " 132 132 "); 133 133 $item_num = 0; … … 214 214 { 215 215 if ($polarity == '+' || $polarity == '-') { 216 $qid = dbQuery("SELECT product_id, qty as order_qty FROM order_items_tbl WHERE order_id = " . addslashes($order_id));216 $qid = dbQuery("SELECT product_id, qty as order_qty FROM order_items_tbl WHERE order_id = " . 
mysql_real_escape_string($order_id)); 217 217 /* First we make sure each item is in stock in adequate quantities. */ 218 218 while ($order_item = mysql_fetch_assoc($qid)) { -
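Review bot: Line 20 builds `WHERE status = ` followed by the bare escaped value, so for a status such as pending the SQL reads `WHERE status = pending`, which MySQL parses as a comparison with a column named pending rather than with the string; this is a functional bug independent of the escaping change. It should be `$whereclause = "WHERE status = '" . mysql_real_escape_string($status) . "'";`, and line 107's `$db_update` likewise needs quotes unless it is already a quoted fragment — the hunk does not show where it is built. For the order_id comparisons on 54, 107, 113, 131 and 216, `(int) $order_id` is the appropriate guard if order_id is an integer column, as the unquoted comparison suggests. The enclosing functions start outside the hunks.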
branches/1.1dev/lib/PageNumbers.inc.php
r81 r82 197 197 { 198 198 if (is_numeric($this->first_item) && is_numeric($this->_per_page)) { 199 return ' LIMIT ' . addslashes($this->first_item) . ', ' . addslashes($this->_per_page) . ' ';199 return ' LIMIT ' . mysql_real_escape_string($this->first_item) . ', ' . mysql_real_escape_string($this->_per_page) . ' '; 200 200 } else { 201 201 logMsg(sprintf('Could not find SQL to LIMIT by %s %s.', $this->first_item, $this->_per_page), LOG_WARNING, __FILE__, __LINE__); -
branches/1.1dev/lib/RecordLock.inc.php
r81 r82 45 45 $qid = dbQuery(" 46 46 SELECT * FROM lock_tbl 47 WHERE lock_id = '" . addslashes($record_table_or_lock_id) . "'47 WHERE lock_id = '" . mysql_real_escape_string($record_table_or_lock_id) . "' 48 48 "); 49 49 } else { … … 51 51 $qid = dbQuery(" 52 52 SELECT * FROM lock_tbl 53 WHERE record_table = '" . addslashes($record_table_or_lock_id) . "'54 AND record_key = '" . addslashes($record_key) . "'55 AND record_val = '" . addslashes($record_val) . "'53 WHERE record_table = '" . mysql_real_escape_string($record_table_or_lock_id) . "' 54 AND record_key = '" . mysql_real_escape_string($record_key) . "' 55 AND record_val = '" . mysql_real_escape_string($record_val) . "' 56 56 "); 57 57 } 58 58 if ($this->data = mysql_fetch_assoc($qid)) { 59 59 // This could be integrated into the above query, but with the new auth system, this will be a $auth-> method call. 60 // $qid = dbQuery("SELECT username FROM admin_tbl WHERE admin_id = '" . addslashes($this->data['set_by_admin_id']) . "'");60 // $qid = dbQuery("SELECT username FROM admin_tbl WHERE admin_id = '" . mysql_real_escape_string($this->data['set_by_admin_id']) . "'"); 61 61 // list($this->data['editor']) = mysql_fetch_row($qid); 62 62 $this->data['editor'] = $this->_auth->getUsername($this->data['set_by_admin_id']); … … 86 86 { 87 87 if (isset($this->data['lock_id'])) { 88 $qid = dbQuery("SELECT * FROM lock_tbl WHERE lock_id = '" . addslashes($this->data['lock_id']) . "'");88 $qid = dbQuery("SELECT * FROM lock_tbl WHERE lock_id = '" . mysql_real_escape_string($this->data['lock_id']) . "'"); 89 89 if ($lock = mysql_fetch_assoc($qid)) { 90 90 return ($lock['set_by_admin_id'] == $this->_auth->getVal('user_id')); … … 112 112 dbQuery(" 113 113 DELETE FROM lock_tbl 114 WHERE record_table = '" . addslashes($record_table) . "'115 AND record_key = '" . addslashes($record_key) . "'116 AND record_val = '" . addslashes($record_val) . "'114 WHERE record_table = '" . mysql_real_escape_string($record_table) . 
"' 115 AND record_key = '" . mysql_real_escape_string($record_key) . "' 116 AND record_val = '" . mysql_real_escape_string($record_val) . "' 117 117 "); 118 118 … … 127 127 lock_datetime 128 128 ) VALUES ( 129 '" . addslashes($record_table) . "',130 '" . addslashes($record_key) . "',131 '" . addslashes($record_val) . "',132 '" . addslashes($title) . "',133 '" . addslashes($this->_auth->getVal('user_id')) . "',129 '" . mysql_real_escape_string($record_table) . "', 130 '" . mysql_real_escape_string($record_key) . "', 131 '" . mysql_real_escape_string($record_val) . "', 132 '" . mysql_real_escape_string($title) . "', 133 '" . mysql_real_escape_string($this->_auth->getVal('user_id')) . "', 134 134 NOW() 135 135 ) … … 151 151 dbQuery(" 152 152 DELETE FROM lock_tbl 153 WHERE lock_id = '" . addslashes($this->data['lock_id']) . "'153 WHERE lock_id = '" . mysql_real_escape_string($this->data['lock_id']) . "' 154 154 "); 155 155 } … … 162 162 if (isset($user_id)) { 163 163 // Delete specific user's locks. 164 dbQuery("DELETE FROM lock_tbl WHERE set_by_admin_id = '" . addslashes($user_id) . "'");164 dbQuery("DELETE FROM lock_tbl WHERE set_by_admin_id = '" . mysql_real_escape_string($user_id) . "'"); 165 165 logMsg(sprintf('Record locks owned by %s %s have been deleted', $this->_auth->getVal('auth_name'), $this->_auth->getUsername($user_id)), LOG_INFO, __FILE__, __LINE__); 166 166 } else { -
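Review bot: Lines 60-61 are commented-out code, and line 60 was updated as if it were live; a dead query kept in sync with the real code misleads readers into thinking it still runs. The comment on 59 already explains the replacement (`$this->_auth->getUsername(...)` on 62), so lines 60-61 should simply be deleted. The live changes on 47, 53-55, 88, 114-116, 129-133, 153 and 164 all quote their values and look correct as far as the hunks show. The enclosing methods start outside the hunks.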
branches/1.1dev/lib/SortOrder.inc.php
r81 r82 149 149 150 150 if (!empty($this->_columns[strtolower($this->sort_by)][strtolower(strtolower($this->order))])) { 151 return ' ORDER BY ' . addslashes($this->_columns[strtolower($this->sort_by)][strtolower(strtolower($this->order))]);151 return ' ORDER BY ' . mysql_real_escape_string($this->_columns[strtolower($this->sort_by)][strtolower(strtolower($this->order))]); 152 152 } else { 153 153 logMsg(sprintf('Could not find SQL to sort by %s %s.', $this->sort_by, $this->order), LOG_WARNING, __FILE__, __LINE__); -
branches/1.1dev/lib/Utilities.inc.php
r81 r82 487 487 { 488 488 if (is_array($array) && !empty($array)) { 489 return join(',', array_map(' addslashes', array_keys($array)));489 return join(',', array_map('mysql_real_escape_string', array_keys($array))); 490 490 } 491 491 }