diff options
| author | canyonknight <canyonknight@gmail.com> | 2012-08-08 18:09:51 -0400 |
|---|---|---|
| committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-09-18 00:58:46 +0200 |
| commit | e171f6f34eeacf35cf7142b4788d43e7d0978546 (patch) | |
| tree | 28ab4e0a631d0a16e5972490c0ed6cfbad8b8231 | |
| parent | b3393208fb00a00e77a475e8007168f266718ac5 (diff) | |
| download | aurweb-e171f6f34eeacf35cf7142b4788d43e7d0978546.tar.xz | |
Migrate all DB code to use PDO
All DB code currently uses the quickly aging mysql_* functions. These
functions are strongly discouraged and may eventually be deprecated.
Transition all code to utilize the PDO data access abstraction layer. PDO
allows for consistent query code across multiple databases. This could
potentially allow for someone to use a database other than MySQL with
minimal code changes.
All functions and behaviors are reproduced as faithfully as possible with
PDO equivalents and some changes in code.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
| -rw-r--r-- | INSTALL | 2 | ||||
| -rw-r--r-- | UPGRADING | 2 | ||||
| -rw-r--r-- | web/lib/acctfuncs.inc.php | 229 | ||||
| -rw-r--r-- | web/lib/aur.inc.php | 154 | ||||
| -rw-r--r-- | web/lib/aurjson.class.php | 26 | ||||
| -rw-r--r-- | web/lib/cachefuncs.inc.php | 4 | ||||
| -rw-r--r-- | web/lib/config.inc.php.proto | 3 | ||||
| -rw-r--r-- | web/lib/pkgfuncs.inc.php | 302 | ||||
| -rw-r--r-- | web/lib/stats.inc.php | 4 | ||||
| -rw-r--r-- | web/lib/translator.inc.php | 6 | ||||
| -rw-r--r-- | web/template/account_search_results.php | 2 |
11 files changed, 353 insertions, 381 deletions
@@ -45,7 +45,7 @@ Setup on Arch Linux: Make sure you have mysql and json enabled in PHP. - Edit php.ini and uncomment/add these lines: - extension=mysql.so + extension=pdo_mysql.so extension=json.so If those php extensions are separate packages on your system, install @@ -15,6 +15,8 @@ ALTER TABLE Users ADD COLUMN PGPKey VARCHAR(40) NULL DEFAULT NULL; 3. Update Archive_Tar to version greater than 1.3.7. +4. Enable the PDO MySQL extension (pdo_mysql.so) in "php.ini". + From 1.9.0 to 1.9.1 ------------------- diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index d58c759..54e8381 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -135,17 +135,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".db_escape_string($U)."'"; + $q.= "WHERE Username = " . $dbh->quote($U); if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } - $result = db_query($q, $dbh); - if ($result) { - $row = mysql_fetch_array($result); - if ($row[0]) { - $error = __("The username, %s%s%s, is already in use.", - "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); - } + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if ($row[0]) { + $error = __("The username, %s%s%s, is already in use.", + "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); } } if (!$error) { @@ -153,17 +152,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".db_escape_string($E)."'"; + $q.= "WHERE Email = " . $dbh->quote($E); if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } - $result = db_query($q, $dbh); - if ($result) { - $row = mysql_fetch_array($result); - if ($row[0]) { - $error = __("The address, %s%s%s, is already in use.", - "<b>", htmlspecialchars($E,ENT_QUOTES), "</b>"); - } + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if ($row[0]) { + $error = __("The address, %s%s%s, is already in use.", + "<b>", htmlspecialchars($E,ENT_QUOTES), "</b>"); } } if ($error) { @@ -175,16 +173,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and create the unprivileged user $salt = generate_salt(); $P = salted_hash($P, $salt); - $escaped = array_map('db_escape_string', - array($U, $E, $P, $salt, $R, $L, $I, str_replace(" ", "", $K))); - $q = "INSERT INTO Users (" . - "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . - ", RealName, LangPreference, IRCNick, PGPKey) " . - "VALUES (1, 0, '" . implode("', '", $escaped) . "')"; - $result = db_query($q, $dbh); + $U = $dbh->quote($U); + $E = $dbh->quote($E); + $P = $dbh->quote($P); + $salt = $dbh->quote($salt); + $R = $dbh->quote($R); + $L = $dbh->quote($L); + $I = $dbh->quote($I); + $K = $dbh->quote(str_replace(" ", "", $K)); + $q = "INSERT INTO Users (AccountTypeID, Suspended, "; + $q.= "Username, Email, Passwd, Salt, RealName, "; + $q.= "LangPreference, IRCNick, PGPKey) VALUES (1, 0, "; + $q.= "$U, $E, $P, $salt, $R, $L, $I, $K)"; + $result = $dbh->exec($q); if (!$result) { - print __("Error trying to create account, %s%s%s: %s.", - "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh)); + print __("Error trying to create account, %s%s%s.", + "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); } else { # account created/modified, tell them so. # @@ -199,7 +203,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and modify the user account $q = "UPDATE Users SET "; - $q.= "Username = '".db_escape_string($U)."'"; + $q.= "Username = " . $dbh->quote($U); if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -208,21 +212,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".db_escape_string($E)."'"; + $q.= ", Email = " . $dbh->quote($E); if ($P) { $salt = generate_salt(); $hash = salted_hash($P, $salt); $q .= ", Passwd = '$hash', Salt = '$salt'"; } - $q.= ", RealName = '".db_escape_string($R)."'"; - $q.= ", LangPreference = '".db_escape_string($L)."'"; - $q.= ", IRCNick = '".db_escape_string($I)."'"; - $q.= ", PGPKey = '".db_escape_string(str_replace(" ", "", $K))."'"; + $q.= ", RealName = " . $dbh->quote($R); + $q.= ", LangPreference = " . $dbh->quote($L); + $q.= ", IRCNick = " . $dbh->quote($I); + $q.= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K)); $q.= " WHERE ID = ".intval($UID); - $result = db_query($q, $dbh); + $result = $dbh->exec($q); if (!$result) { - print __("Error trying to modify account, %s%s%s: %s.", - "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh)); + print __("Error trying to modify account, %s%s%s.", + "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); } else { print __("The account, %s%s%s, has been successfully modified.", "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>"); @@ -265,6 +269,10 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", } $search_vars = array(); + if (!$dbh) { + $dbh = db_connect(); + } + $q = "SELECT Users.*, AccountTypes.AccountType "; $q.= "FROM Users, AccountTypes "; $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; @@ -283,23 +291,28 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".db_escape_like($U)."%' "; + $U = "%" . addcslashes($U, '%_') . "%"; + $q.= "AND Username LIKE " . $dbh->quote($U) . " "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".db_escape_like($E)."%' "; + $E = "%" . addcslashes($E, '%_') . "%"; + $q.= "AND Email LIKE " . $dbh->quote($E) . " "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".db_escape_like($R)."%' "; + $R = "%" . addcslashes($R, '%_') . "%"; + $q.= "AND RealName LIKE " . $dbh->quote($R) . " "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' "; + $I = "%" . addcslashes($I, '%_') . "%"; + $q.= "AND IRCNick LIKE " . $dbh->quote($I) . " "; $search_vars[] = "I"; } if ($K) { - $q.= "AND PGPKey LIKE '%".db_escape_like(str_replace(" ", "", $K))."%' "; + $K = "%" . addcslashes(str_replace(" ", "", $K), '%_') . "%"; + $q.= "AND PGPKey LIKE " . $dbh->quote($K) . " "; $search_vars[] = "K"; } switch ($SB) { @@ -326,10 +339,9 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $dbh = db_connect(); } - $result = db_query($q, $dbh); - $num_rows = mysql_num_rows($result); + $result = $dbh->query($q); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $userinfo[] = $row; } @@ -377,13 +389,13 @@ function try_login($dbh=NULL) { $q.= "ON s.SessionID = q.SessionID "; $q.= "WHERE s.UsersId = " . $userID . " "; $q.= "AND q.SessionID IS NULL;"; - db_query($q, $dbh); + $dbh->query($q); } $new_sid = new_sid(); $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)" ." VALUES (" . $userID . ", '" . $new_sid . "', UNIX_TIMESTAMP())"; - $result = db_query($q, $dbh); + $result = $dbh->exec($q); # Query will fail if $new_sid is not unique if ($result) { @@ -397,7 +409,7 @@ function try_login($dbh=NULL) { if ($logged_in) { $q = "UPDATE Users SET LastLogin = UNIX_TIMESTAMP() "; $q.= "WHERE ID = '$userID'"; - db_query($q, $dbh); + $dbh->exec($q); # set our SID cookie if (isset($_POST['remember_me']) && @@ -408,7 +420,7 @@ function try_login($dbh=NULL) { # Set session for 30 days. $q = "UPDATE Sessions SET LastUpdateTS = $cookie_time "; $q.= "WHERE SessionID = '$new_sid'"; - db_query($q, $dbh); + $dbh->exec($q); } else $cookie_time = 0; @@ -472,13 +484,13 @@ function valid_user($user, $dbh=NULL) { } if ( $user ) { - $q = "SELECT ID FROM Users WHERE Username = '" - . db_escape_string($user). "'"; + $q = "SELECT ID FROM Users "; + $q.= "WHERE Username = " . $dbh->quote($user); - $result = db_query($q, $dbh); + $result = $dbh->query($q); # Is the username in the database? if ($result) { - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } } @@ -490,10 +502,10 @@ function open_user_proposals($user, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($user) . "'"; - $q.= " AND End > UNIX_TIMESTAMP()"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + $q = "SELECT * FROM TU_VoteInfo WHERE User = " . $dbh->quote($user) . " "; + $q.= "AND End > UNIX_TIMESTAMP()"; + $result = $dbh->query($q); + if ($result->fetchColumn()) { return true; } else { @@ -507,13 +519,12 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } + $q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES "; - $q.= "('" . db_escape_string($agenda) . "', "; - $q.= "'" . db_escape_string($user) . "', "; - $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($votelength); + $q.= "(" . $dbh->quote($agenda) . ", " . $dbh->quote($user) . ", "; + $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . $dbh->quote($votelength); $q.= ", " . $submitteruid . ")"; - db_query($q, $dbh); - + $result = $dbh->exec($q); } # Add a reset key for a specific user @@ -524,7 +535,7 @@ function create_resetkey($resetkey, $uid, $dbh=NULL) { $q = "UPDATE Users "; $q.= "SET ResetKey = '" . $resetkey . "' "; $q.= "WHERE ID = " . $uid; - db_query($q, $dbh); + $dbh->exec($q); } # Change a password and save the salt only if reset key and email are correct @@ -537,11 +548,11 @@ function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) { $q.= "Salt = '$salt', "; $q.= "ResetKey = '' "; $q.= "WHERE ResetKey != '' "; - $q.= "AND ResetKey = '".db_escape_string($resetkey)."' "; - $q.= "AND Email = '".db_escape_string($email)."'"; - $result = db_query($q, $dbh); + $q.= "AND ResetKey = " . $dbh->quote($resetkey) . " "; + $q.= "AND Email = " . $dbh->quote($email); + $result = $dbh->exec($q); - if (!mysql_affected_rows($dbh)) { + if (!$result) { $error = __('Invalid e-mail and reset key combination.'); return $error; } else { @@ -569,25 +580,25 @@ function valid_passwd($userID, $passwd, $dbh=NULL) { $salt = get_salt($userID); if ($salt) { # use salt - $passwd_q = "SELECT ID FROM Users" . - " WHERE ID = " . $userID . " AND Passwd = '" . - salted_hash($passwd, $salt) . "'"; - $result = db_query($passwd_q, $dbh); + $q = "SELECT ID FROM Users "; + $q.= "WHERE ID = " . $userID . " "; + $q.= "AND Passwd = " . $dbh->quote(salted_hash($passwd, $salt)); + $result = $dbh->query($q); if ($result) { - $passwd_result = mysql_fetch_row($result); - if ($passwd_result[0]) { + $row = $result->fetch(PDO::FETCH_NUM); + if ($row[0]) { return true; } } } else { # check without salt - $nosalt_q = "SELECT ID FROM Users". - " WHERE ID = " . $userID . - " AND Passwd = '" . md5($passwd) . "'"; - $result = db_query($nosalt_q, $dbh); + $q = "SELECT ID FROM Users "; + $q.= "WHERE ID = " . $userID . " "; + $q.= "AND Passwd = " . $dbh->quote(md5($passwd)); + $result = $dbh->query($q); if ($result) { - $nosalt_row = mysql_fetch_row($result); - if ($nosalt_row[0]) { + $row = $result->fetch(PDO::FETCH_NUM); + if ($row[0]) { # password correct, but salt it first if (!save_salt($userID, $passwd)) { trigger_error("Unable to salt user's password;" . @@ -621,9 +632,9 @@ function user_suspended($id, $dbh=NULL) { return false; } $q = "SELECT Suspended FROM Users WHERE ID = " . $id; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); if ($row[0]) { return true; } @@ -639,7 +650,7 @@ function user_delete($id, $dbh=NULL) { $dbh = db_connect(); } $q = "DELETE FROM Users WHERE ID = " . $id; - db_query($q, $dbh); + $dbh->query($q); return; } @@ -652,9 +663,9 @@ function user_is_privileged($id, $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT AccountTypeID FROM Users WHERE ID = " . $id; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); if($row[0] > 1) { return $row[0]; } @@ -669,9 +680,8 @@ function delete_session_id($sid, $dbh=NULL) { $dbh = db_connect(); } - $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= db_escape_string($sid) . "'"; - db_query($q, $dbh); + $q = "DELETE FROM Sessions WHERE SessionID = " . $dbh->quote($sid); + $dbh->query($q); } # Clear out old expired sessions. @@ -683,7 +693,7 @@ function clear_expired_sessions($dbh=NULL) { } $q = "DELETE FROM Sessions WHERE LastUpdateTS < (UNIX_TIMESTAMP() - $LOGIN_TIMEOUT)"; - db_query($q, $dbh); + $dbh->query($q); return; } @@ -698,12 +708,12 @@ function account_details($uid, $username, $dbh=NULL) { if (!empty($uid)) { $q.= "AND Users.ID = ".intval($uid); } else { - $q.= "AND Users.Username = '".db_escape_string($username) . "'"; + $q.= "AND Users.Username = " . $dbh->quote($username); } - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } return $row; @@ -717,12 +727,11 @@ function own_account_details($sid, $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; $q.= "AND Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '"; - $q.= db_escape_string($sid)."'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } return $row; @@ -733,9 +742,10 @@ function tu_voted($voteid, $uid, $dbh=NULL) { $dbh = db_connect(); } - $q = "SELECT * FROM TU_Votes WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid); - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + $q = "SELECT COUNT(*) FROM TU_Votes "; + $q.= "WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid); + $result = $dbh->query($q); + if ($result->fetchColumn() > 0) { return true; } else { @@ -749,10 +759,10 @@ function current_proposal_list($order, $dbh=NULL) { } $q = "SELECT * FROM TU_VoteInfo WHERE End > " . time() . " ORDER BY Submitted " . $order; - $result = db_query($q, $dbh); + $result = $dbh->query($q); $details = array(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $details[] = $row; } @@ -765,10 +775,10 @@ function past_proposal_list($order, $lim, $dbh=NULL) { } $q = "SELECT * FROM TU_VoteInfo WHERE End < " . time() . " ORDER BY Submitted " . $order . $lim; - $result = db_query($q, $dbh); + $result = $dbh->query($q); $details = array(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $details[] = $row; } @@ -781,8 +791,8 @@ function proposal_count($dbh=NULL) { } $q = "SELECT COUNT(*) FROM TU_VoteInfo"; - $result = db_query($q, $dbh); - $row = mysql_fetch_row($result); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -795,8 +805,8 @@ function vote_details($voteid, $dbh=NULL) { $q = "SELECT * FROM TU_VoteInfo "; $q.= "WHERE ID = " . intval($voteid); - $result = db_query($q, $dbh); - $row = mysql_fetch_assoc($result); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_ASSOC); return $row; } @@ -814,9 +824,9 @@ function voter_list($voteid, $dbh=NULL) { $q.= " AND tv.UserID = U.ID "; $q.= "ORDER BY Username"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $whovoted.= '<a href="' . get_uri('/accounts/') . '?Action=AccountInfo&ID='.$row['UserID'].'">'.$row['Username'].'</a> '; } } @@ -828,10 +838,9 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) { $dbh = db_connect(); } - $q = "UPDATE TU_VoteInfo SET " . $vote . " = " . ($newtotal) . " WHERE ID = " . $voteid; - db_query($q, $dbh); - - $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . $voteid . ", " . $uid . ")"; - db_query($q, $dbh); + $q = "UPDATE TU_VoteInfo SET " . $vote . " = (" . $newtotal . ") WHERE ID = " . $voteid; + $result = $dbh->exec($q); + $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")"; + $result = $dbh->exec($q); } diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 6dcbb34..d26bdf2 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -30,14 +30,15 @@ function check_sid($dbh=NULL) { $dbh = db_connect(); } $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; - $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) == 0) { + $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if (!$row[0]) { # Invalid SessionID - hacker alert! # $failed = 1; } else { - $row = mysql_fetch_row($result); $last_update = $row[0]; if ($last_update + $LOGIN_TIMEOUT <= $row[1]) { $failed = 2; @@ -68,8 +69,8 @@ function check_sid($dbh=NULL) { # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'"; - db_query($q, $dbh); + $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]); + $dbh->exec($q); } } } @@ -119,12 +120,12 @@ function username_from_id($id="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id); - $result = db_query($q, $dbh); + $q = "SELECT Username FROM Users WHERE ID = " . $dbh->quote($id); + $result = $dbh->query($q); if (!$result) { return "None"; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -142,12 +143,12 @@ function username_from_sid($sid="", $dbh=NULL) { $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return ""; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -164,12 +165,12 @@ function email_from_sid($sid="", $dbh=NULL) { $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return ""; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -188,12 +189,12 @@ function account_from_sid($sid="", $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return ""; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -210,12 +211,12 @@ function uid_from_sid($sid="", $dbh=NULL) { $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if (!$result) { return 0; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -223,66 +224,16 @@ function uid_from_sid($sid="", $dbh=NULL) { # connect to the database # function db_connect() { - $handle = mysql_connect(AUR_db_host, AUR_db_user, AUR_db_pass); - if (!$handle) { - die("Error connecting to AUR database: " . mysql_error()); - } - - mysql_select_db(AUR_db_name, $handle) or - die("Error selecting AUR database: " . mysql_error()); - - db_query("SET NAMES 'utf8' COLLATE 'utf8_general_ci';", $handle); - - return $handle; -} - -# Escape strings for SQL query usage. -# Wraps the database driver's provided method (for convenience and porting). -function db_escape_string($string) { - return mysql_real_escape_string($string); -} - -# Escape strings for usage in SQL LIKE operators. -function db_escape_like($string) { - return addcslashes(mysql_real_escape_string($string), '%_'); -} - -# disconnect from the database -# this won't normally be needed as PHP/reference counting will take care of -# closing the connection once it is no longer referenced -# -function db_disconnect($db_handle="") { - if ($db_handle) { - mysql_close($db_handle); - return TRUE; + try { + $dbh = new PDO(AUR_db_DSN_prefix . ":" . AUR_db_host . ";dbname=" . AUR_db_name, AUR_db_user, AUR_db_pass); } - return FALSE; -} - -# wrapper function around db_query in case we want to put -# query logging/debugging in. -# -function db_query($query="", $db_handle="") { - if (!$query) { - return FALSE; + catch (PDOException $e) { + echo "Error - Could not connect to AUR database: " . $e->getMessage(); } - if (!$db_handle) { - die("DB handle was not provided to db_query"); - } - - if (defined('SQL_DEBUG') && SQL_DEBUG == 1) { - $bt = debug_backtrace(); - error_log("DEBUG: ".$bt[0]['file'].":".$bt[0]['line']." query: $query\n"); - } + $dbh->exec("SET NAMES 'utf8' COLLATE 'utf8_general_ci';"); - $result = @mysql_query($query, $db_handle); - if (!$result) { - $bt = debug_backtrace(); - error_log("ERROR: near ".$bt[0]['file'].":".$bt[0]['line']." in query: $query\n -> ".mysql_error($db_handle)); - } - - return $result; + return $dbh; } # common header @@ -313,10 +264,13 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT MaintainerUID "; - $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) == 0) {return 1;} - $row = mysql_fetch_row($result); + $q.= "FROM Packages WHERE Name = " . $dbh->quote($name); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_NUM); + + if (!$row[0]) { + return 1; + } $my_uid = uid_from_sid($sid, $dbh); if ($row[0] === NULL || $row[0] == $my_uid) { @@ -385,13 +339,12 @@ function uid_from_username($username="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username) - ."'"; - $result = db_query($q, $dbh); + $q = "SELECT ID FROM Users WHERE Username = " . $dbh->quote($username); + $result = $dbh->query($q); if (!$result) { return "None"; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -405,13 +358,12 @@ function uid_from_email($email="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email) - ."'"; - $result = db_query($q, $dbh); + $q = "SELECT ID FROM Users WHERE Email = " . $dbh->quote($email); + $result = $dbh->query($q); if (!$result) { return "None"; } - $row = mysql_fetch_row($result); + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -461,11 +413,11 @@ function get_salt($user_id, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $salt_q = "SELECT Salt FROM Users WHERE ID = " . $user_id; - $result = db_query($salt_q, $dbh); + $q = "SELECT Salt FROM Users WHERE ID = " . $user_id; + $result = $dbh->query($q); if ($result) { - $salt_row = mysql_fetch_row($result); - return $salt_row[0]; + $row = $result->fetch(PDO::FETCH_NUM); + return $row[0]; } return; } @@ -476,9 +428,9 @@ function save_salt($user_id, $passwd, $dbh=NULL) { } $salt = generate_salt(); $hash = salted_hash($passwd, $salt); - $salting_q = "UPDATE Users SET Salt = '" . $salt . "', " . - "Passwd = '" . $hash . "' WHERE ID = " . $user_id; - return db_query($salting_q, $dbh); + $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", "; + $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id; + $result = $dbh->exec($q); } function generate_salt() { @@ -519,21 +471,21 @@ function begin_atomic_commit($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - db_query("BEGIN", $dbh); + $dbh->beginTransaction(); } function end_atomic_commit($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - db_query("COMMIT", $dbh); + $dbh->commit(); } function last_insert_id($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - return mysql_insert_id($dbh); + return $dbh->lastInsertId(); } function latest_pkgs($numpkgs, $dbh=NULL) { @@ -544,10 +496,10 @@ function latest_pkgs($numpkgs, $dbh=NULL) { $q = "SELECT * FROM Packages "; $q.= "ORDER BY SubmittedTS DESC "; $q.= "LIMIT " .intval($numpkgs); - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $packages[] = $row; } } diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index c1b079a..fbdc711 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -122,12 +122,13 @@ class AurJSON { "FROM Packages LEFT JOIN Users " . "ON Packages.MaintainerUID = Users.ID " . "WHERE ${where_condition}"; - $result = db_query($query, $this->dbh); + $result = $this->dbh->query($query); - $resultcount = mysql_num_rows($result); - if ( $result && $resultcount > 0 ) { + if ($result) { + $resultcount = 0; $search_data = array(); - while ( $row = mysql_fetch_assoc($result) ) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { + $resultcount++; $name = $row['Name']; $row['URLPath'] = URL_DIR . substr($name, 0, 2) . "/" . $name . "/" . $name . ".tar.gz"; @@ -148,7 +149,6 @@ class AurJSON { } } - mysql_free_result($result); return $this->json_results($type, $resultcount, $search_data); } else { @@ -178,8 +178,7 @@ class AurJSON { if (is_numeric($arg)) { $id_args[] = intval($arg); } else { - $escaped = db_escape_string($arg, $this->dbh); - $name_args[] = "'" . $escaped . "'"; + $name_args[] = $this->dbh->quote($arg); } } @@ -196,10 +195,10 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = db_escape_like($keyword_string, $this->dbh); + $keyword_string = $this->dbh->quote("%" . addcslashes($keyword_string, '%_') . "%"); - $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . - "Description LIKE '%{$keyword_string}%' )"; + $where_condition = "(Name LIKE {$keyword_string} OR "; + $where_condition.= "Description LIKE {$keyword_string})"; return $this->process_query('search', $where_condition); } @@ -217,8 +216,7 @@ class AurJSON { $where_condition = "Packages.ID={$pqdata}"; } else { - $where_condition = sprintf("Name=\"%s\"", - db_escape_string($pqdata, $this->dbh)); + $where_condition = sprintf("Name=%s", $this->dbh->quote($pqdata)); } return $this->process_query('info', $where_condition); } @@ -260,9 +258,9 @@ class AurJSON { * @return mixed Returns an array of value data containing the package data **/ private function msearch($maintainer) { - $maintainer = db_escape_string($maintainer, $this->dbh); + $maintainer = $this->dbh->quote($maintainer); - $where_condition = "Users.Username = '{$maintainer}'"; + $where_condition = "Users.Username = {$maintainer}"; return $this->process_query('msearch', $where_condition); } diff --git a/web/lib/cachefuncs.inc.php b/web/lib/cachefuncs.inc.php index 3485b01..f109bcf 100644 --- a/web/lib/cachefuncs.inc.php +++ b/web/lib/cachefuncs.inc.php @@ -71,8 +71,8 @@ function db_cache_value($dbq, $dbh, $key, $ttl=600) { $status = false; $value = get_cache_value($key, $status); if (!$status) { - $result = db_query($dbq, $dbh); - $row = mysql_fetch_row($result); + $result = $dbh->query($dbq); + $row = $result->fetch(PDO::FETCH_NUM); $value = $row[0]; set_cache_value($key, $value, $ttl); } diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto index fee1022..3c7df19 100644 --- a/web/lib/config.inc.php.proto +++ b/web/lib/config.inc.php.proto @@ -2,7 +2,8 @@ # NOTE: modify these variables if your MySQL setup is different -define( "AUR_db_host", "localhost:/var/run/mysqld/mysqld.sock" ); +define( "AUR_db_DSN_prefix", "mysql" ); +define( "AUR_db_host", "unix_socket=/var/run/mysqld/mysqld.sock" ); define( "AUR_db_name", "AUR" ); define( "AUR_db_user", "aur" ); define( "AUR_db_pass", "aur" ); diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index c592e39..6cdab0f 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -16,9 +16,9 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0, $dbh=NULL) { $q.= "FROM PackageComments "; $q.= "WHERE ID = " . intval($comment_id); $q.= " AND UsersID = " . $uid; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result != NULL) { - $row = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); if ($row['CNT'] > 0) { return TRUE; } @@ -83,9 +83,9 @@ function pkgCategories($dbh=NULL) { } $q = "SELECT * FROM PackageCategories WHERE ID != 1 "; $q.= "ORDER BY Category ASC"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $cats[$row[0]] = $row[1]; } } @@ -100,10 +100,12 @@ function pkgid_from_name($name="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT ID FROM Packages "; - $q.= "WHERE Name = '".db_escape_string($name)."' "; - $result = db_query($q, $dbh); - if (!$result) {return NULL;} - $row = mysql_fetch_row($result); + $q.= "WHERE Name = " . $dbh->quote($name); + $result = $dbh->query($q); + if (!$result) { + return; + } + $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } @@ -120,9 +122,11 @@ function package_dependencies($pkgid, $dbh=NULL) { $q.= "LEFT JOIN Packages p ON pd.DepName = p.Name "; $q.= "WHERE pd.PackageID = ". $pkgid . " "; $q.= "ORDER BY pd.DepName"; - $result = db_query($q, $dbh); - if (!$result) {return array();} - while ($row = mysql_fetch_row($result)) { + $result = $dbh->query($q); + if (!$result) { + return array(); + } + while ($row = $result->fetch(PDO::FETCH_NUM)) { $deps[] = $row; } } @@ -137,11 +141,11 @@ function package_required($name="", $dbh=NULL) { } $q = "SELECT p.Name, PackageID FROM PackageDepends pd "; $q.= "JOIN Packages p ON pd.PackageID = p.ID "; - $q.= "WHERE DepName = '".db_escape_string($name)."' "; + $q.= "WHERE DepName = " . $dbh->quote($name) . " "; $q.= "ORDER BY p.Name"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) {return array();} - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $deps[] = $row; } } @@ -150,6 +154,10 @@ function package_required($name="", $dbh=NULL) { # Return the number of comments for a specified package function package_comments_count($pkgid, $dbh=NULL) { + if (!$dbh) { + $dbh = db_connect(); + } + $pkgid = intval($pkgid); if ($pkgid > 0) { if(!$dbh) { @@ -159,13 +167,14 @@ function package_comments_count($pkgid, $dbh=NULL) { $q.= "WHERE PackageID = " . $pkgid; $q.= " AND DelUsersID IS NULL"; } - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) { return; } - return mysql_result($result, 0); + $row = $result->fetch(PDO::FETCH_NUM); + return $row[0]; } # Return an array of package comments @@ -187,13 +196,13 @@ function package_comments($pkgid, $dbh=NULL) { $q.= " LIMIT 10"; } - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) { return; } - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $comments[] = $row; } } @@ -207,32 +216,31 @@ function add_package_comment($pkgid, $uid, $comment, $dbh=NULL) { $dbh = db_connect(); } - $q = 'INSERT INTO PackageComments '; - $q.= '(PackageID, UsersID, Comments, CommentTS) VALUES ('; - $q.= intval($pkgid) . ', ' . $uid . ', '; - $q.= "'" . db_escape_string($comment) . "', "; - $q.= 'UNIX_TIMESTAMP())'; - db_query($q, $dbh); + $q = "INSERT INTO PackageComments "; + $q.= "(PackageID, UsersID, Comments, CommentTS) VALUES ("; + $q.= intval($pkgid) . ", " . $uid . ", "; + $q.= $dbh->quote($comment) . ", UNIX_TIMESTAMP())"; + $dbh->exec($q); # Send email notifications - $q = 'SELECT CommentNotify.*, Users.Email '; - $q.= 'FROM CommentNotify, Users '; - $q.= 'WHERE Users.ID = CommentNotify.UserID '; - $q.= 'AND CommentNotify.UserID != ' . $uid . ' '; - $q.= 'AND CommentNotify.PkgID = ' . intval($pkgid); - $result = db_query($q, $dbh); + $q = "SELECT CommentNotify.*, Users.Email "; + $q.= "FROM CommentNotify, Users "; + $q.= "WHERE Users.ID = CommentNotify.UserID "; + $q.= "AND CommentNotify.UserID != " . $uid . " "; + $q.= "AND CommentNotify.PkgID = " . intval($pkgid); + $result = $dbh->query($q); $bcc = array(); - if (mysql_num_rows($result)) { - while ($row = mysql_fetch_assoc($result)) { + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { array_push($bcc, $row['Email']); } - $q = 'SELECT Packages.* '; - $q.= 'FROM Packages '; - $q.= 'WHERE Packages.ID = ' . intval($pkgid); - $result = db_query($q, $dbh); - $row = mysql_fetch_assoc($result); + $q = "SELECT Packages.* "; + $q.= "FROM Packages "; + $q.= "WHERE Packages.ID = " . intval($pkgid); + $result = $dbh->query($q); + $row = $result->fetch(PDO::FETCH_ASSOC); # TODO: native language emails for users, based on their prefs # Simply making these strings translatable won't work, users would be @@ -261,9 +269,11 @@ function package_sources($pkgid, $dbh=NULL) { $q = "SELECT Source FROM PackageSources "; $q.= "WHERE PackageID = " . $pkgid; $q.= " ORDER BY Source"; - $result = db_query($q, $dbh); - if (!$result) {return array();} - while ($row = mysql_fetch_row($result)) { + $result = $dbh->query($q); + if (!$result) { + return array(); + } + while ($row = $result->fetch(PDO::FETCH_NUM)) { $sources[] = $row[0]; } } @@ -283,10 +293,10 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) { $q.= "FROM PackageVotes, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = PackageVotes.UsersID "; - $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $pkgs[$row[0]] = 1; } } @@ -306,10 +316,10 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) { $q.= "FROM CommentNotify, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = CommentNotify.UserID "; - $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; - $result = db_query($q, $dbh); + $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); + $result = $dbh->query($q); if ($result) { - while ($row = mysql_fetch_row($result)) { + while ($row = $result->fetch(PDO::FETCH_NUM)) { $pkgs[$row[0]] = 1; } } @@ -325,11 +335,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Name FROM Packages WHERE ID IN (" . - implode(",", $pkgids) . ")"; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) > 0) { - while ($row = mysql_fetch_assoc($result)) { + $q = "SELECT Name FROM Packages WHERE ID IN ("; + $q.= implode(",", $pkgids) . ")"; + $result = $dbh->query($q); + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $names[] = $row['Name']; } } @@ -340,11 +350,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT Name FROM Packages WHERE ID = " . $pkgids; - $result = db_query($q, $dbh); - if (mysql_num_rows($result) > 0) { - $name = mysql_result($result, 0); + $result = $dbh->query($q); + if ($result) { + $name = $result->fetch(PDO::FETCH_NUM); } - return $name; + return $name[0]; } else { return NULL; @@ -357,11 +367,12 @@ function pkgname_is_blacklisted($name, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'"; - $result = db_query($q, $dbh); + $q = "SELECT COUNT(*) FROM PackageBlacklist "; + $q.= "WHERE Name = " . $dbh->quote($name); + $result = $dbh->query($q); if (!$result) return false; - return (mysql_result($result, 0) > 0); + return ($result->fetch(PDO::FETCH_NUM) > 0); } # display package details @@ -378,13 +389,13 @@ function package_details($id=0, $SID="", $dbh=NULL) { $q.= "FROM Packages,PackageCategories "; $q.= "WHERE Packages.CategoryID = PackageCategories.ID "; $q.= "AND Packages.ID = " . intval($id); - $results = db_query($q, $dbh); + $result = $dbh->query($q); - if (!$results) { + if (!$result) { print "<p>" . __("Error retrieving package details.") . "</p>\n"; } else { - $row = mysql_fetch_assoc($results); + $row = $result->fetch(PDO::FETCH_ASSOC); if (empty($row)) { print "<p>" . __("Package details could not be found.") . "</p>\n"; @@ -532,7 +543,7 @@ function pkg_search_page($SID="", $dbh=NULL) { if (isset($_GET['K'])) { # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { - $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' "; + $q_where .= "AND Users.Username = " . $dbh->quote($_GET['K']) . " "; } # Search by submitter elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") { @@ -540,16 +551,18 @@ function pkg_search_page($SID="", $dbh=NULL) { } # Search by name elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") { - $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') "; + $K = "%" . addcslashes($_GET['K'], '%_') . "%"; + $q_where .= "AND (Name LIKE " . $dbh->quote($K) . ") "; } # Search by name (exact match) elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") { - $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') "; + $q_where .= "AND (Name = " . $dbh->quote($_GET['K']) . ") "; } # Search by name and description (Default) else { - $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR "; - $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') "; + $K = "%" . addcslashes($_GET['K'], '%_') . "%"; + $q_where .= "AND (Name LIKE " . $dbh->quote($K) . " OR "; + $q_where .= "Description LIKE " . $dbh->quote($K) . ") "; } } @@ -602,10 +615,11 @@ function pkg_search_page($SID="", $dbh=NULL) { $q = $q_select . $q_from . $q_from_extra . $q_where . $q_sort . $q_limit; $q_total = "SELECT COUNT(*) " . $q_from . $q_where; - $result = db_query($q, $dbh); - $result_t = db_query($q_total, $dbh); + $result = $dbh->query($q); + $result_t = $dbh->query($q_total); if ($result_t) { - $total = mysql_result($result_t, 0); + $row = $result_t->fetch(PDO::FETCH_NUM); + $total = $row[0]; } else { $total = 0; @@ -657,8 +671,10 @@ function pkg_search_page($SID="", $dbh=NULL) { include('pkg_search_form.php'); - while ($row = mysql_fetch_assoc($result)) { - $searchresults[] = $row; + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { + $searchresults[] = $row; + } } include('pkg_search_results.php'); @@ -732,7 +748,7 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { $q.= "AND MaintainerUID = " . uid_from_sid($_COOKIE["AURSID"], $dbh); } - db_query($q, $dbh); + $dbh->exec($q); if ($action) { # Notify of flagging by email @@ -744,9 +760,9 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { $q.= "WHERE Packages.ID IN (" . implode(",", $ids) .") "; $q.= "AND Users.ID = Packages.MaintainerUID "; $q.= "AND Users.ID != " . $f_uid; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { - while ($row = mysql_fetch_assoc($result)) { + $result = $dbh->query($q); + if ($result) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { # construct email $body = "Your package " . $row['Name'] . " has been flagged out of date by " . $f_name . " [1]. You may view your package at:\n" . $AUR_LOCATION . "/" . get_pkg_uri($row['Name']) . "\n\n[1] - " . $AUR_LOCATION . "/" . get_uri('/accounts/') . "?Action=AccountInfo&ID=" . $f_uid; $body = wordwrap($body, 70); @@ -797,15 +813,15 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) { # Send email notifications foreach ($ids as $pkgid) { - $q = 'SELECT CommentNotify.*, Users.Email '; - $q.= 'FROM CommentNotify, Users '; - $q.= 'WHERE Users.ID = CommentNotify.UserID '; - $q.= 'AND CommentNotify.UserID != ' . uid_from_sid($_COOKIE['AURSID']) . ' '; - $q.= 'AND CommentNotify.PkgID = ' . $pkgid; - $result = db_query($q, $dbh); + $q = "SELECT CommentNotify.*, Users.Email "; + $q.= "FROM CommentNotify, Users "; + $q.= "WHERE Users.ID = CommentNotify.UserID "; + $q.= "AND CommentNotify.UserID != " . uid_from_sid($_COOKIE['AURSID']) . " "; + $q.= "AND CommentNotify.PkgID = " . $pkgid; + $result = $dbh->query($q); $bcc = array(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { array_push($bcc, $row['Email']); } if (!empty($bcc)) { @@ -834,7 +850,7 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) { $q = "UPDATE PackageComments "; $q.= "SET PackageID = " . intval($mergepkgid) . " "; $q.= "WHERE PackageID IN (" . implode(",", $ids) . ")"; - db_query($q, $dbh); + $dbh->exec($q); /* Merge votes */ foreach ($ids as $pkgid) { @@ -846,18 +862,18 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) { $q.= "FROM PackageVotes "; $q.= "WHERE PackageID = " . intval($mergepkgid); $q.= ") temp)"; - db_query($q, $dbh); + $dbh->exec($q); } $q = "UPDATE Packages "; $q.= "SET NumVotes = (SELECT COUNT(*) FROM PackageVotes "; $q.= "WHERE PackageID = " . intval($mergepkgid) . ") "; $q.= "WHERE ID = " . intval($mergepkgid); - db_query($q, $dbh); + $dbh->exec($q); } $q = "DELETE FROM Packages WHERE ID IN (" . implode(",", $ids) . ")"; - $result = db_query($q, $dbh); + $result = $dbh->exec($q); return __("The selected packages have been deleted."); } @@ -912,7 +928,7 @@ function pkg_adopt ($atype, $ids, $action=true, $dbh=NULL) { $q.= "AND $field = " . uid_from_sid($_COOKIE["AURSID"], $dbh); } - db_query($q, $dbh); + $dbh->exec($q); if ($action) { pkg_notify(account_from_sid($_COOKIE["AURSID"], $dbh), $ids, $dbh); @@ -985,7 +1001,7 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) { $q = "UPDATE Packages SET NumVotes = NumVotes $op 1 "; $q.= "WHERE ID IN ($vote_ids)"; - db_query($q, $dbh); + $dbh->exec($q); if ($action) { $q = "INSERT INTO PackageVotes (UsersID, PackageID) VALUES "; @@ -995,13 +1011,12 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) { $q.= "AND PackageID IN ($vote_ids)"; } - db_query($q, $dbh); + $dbh->exec($q); if ($action) { $q = "UPDATE Users SET LastVoted = UNIX_TIMESTAMP() "; $q.= "WHERE ID = $uid"; - - db_query($q, $dbh); + $dbh->exec($q); } if ($action) { @@ -1017,19 +1032,17 @@ function getvotes($pkgid, $dbh=NULL) { $dbh = db_connect(); } - $pkgid = db_escape_string($pkgid); - $q = "SELECT UsersID,Username FROM PackageVotes "; $q.= "LEFT JOIN Users on (UsersID = ID) "; - $q.= "WHERE PackageID = ". $pkgid . " "; + $q.= "WHERE PackageID = ". $dbh->quote($pkgid) . " "; $q.= "ORDER BY Username"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if (!$result) { return; } - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $votes[] = $row; } @@ -1042,13 +1055,11 @@ function user_voted($uid, $pkgid, $dbh=NULL) { $dbh = db_connect(); } - $uid = db_escape_string($uid); - $pkgid = db_escape_string($pkgid); + $q = "SELECT * FROM PackageVotes WHERE UsersID = ". $dbh->quote($uid); + $q.= " AND PackageID = " . $dbh->quote($pkgid); + $result = $dbh->query($q); - $q = "SELECT * FROM PackageVotes WHERE UsersID = ". $uid; - $q.= " AND PackageID = ".$pkgid; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + if ($result->fetch(PDO::FETCH_NUM)) { return true; } else { @@ -1062,13 +1073,11 @@ function user_notify($uid, $pkgid, $dbh=NULL) { $dbh = db_connect(); } - $uid = db_escape_string($uid); - $pkgid = db_escape_string($pkgid); + $q = "SELECT * FROM CommentNotify WHERE UserID = " . $dbh->quote($uid); + $q.= " AND PkgID = " . $dbh->quote($pkgid); + $result = $dbh->query($q); - $q = "SELECT * FROM CommentNotify WHERE UserID = ". $uid; - $q.= " AND PkgID = ".$pkgid; - $result = db_query($q, $dbh); - if (mysql_num_rows($result)) { + if ($result->fetch(PDO::FETCH_NUM)) { return true; } else { @@ -1107,9 +1116,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) { # format in which it's sent requires this. foreach ($ids as $pid) { $q = "SELECT Name FROM Packages WHERE ID = $pid"; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $pkgname = mysql_result($result , 0); + $row = $result->fetch(PDO::FETCH_NUM); + $pkgname = $row[0]; } else { $pkgname = ''; @@ -1126,10 +1136,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) { $q .= " AND PkgID = $pid"; # Notification already added. Don't add again. - $result = db_query($q, $dbh); - if (!mysql_num_rows($result)) { + $result = $dbh->query($q); + if (!$result) { $q = "INSERT INTO CommentNotify (PkgID, UserID) VALUES ($pid, $uid)"; - db_query($q, $dbh); + $dbh->exec($q); } $output .= $pkgname; @@ -1137,7 +1147,7 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) { else { $q = "DELETE FROM CommentNotify WHERE PkgID = $pid"; $q .= " AND UserID = $uid"; - db_query($q, $dbh); + $dbh->exec($q); $output .= $pkgname; } @@ -1181,7 +1191,7 @@ function pkg_delete_comment($atype, $dbh=NULL) { $q = "UPDATE PackageComments "; $q.= "SET DelUsersID = ".$uid." "; $q.= "WHERE ID = ".intval($comment_id); - db_query($q, $dbh); + $dbh->exec($q); return __("Comment has been deleted."); } else { return __("You are not allowed to delete this comment."); @@ -1226,21 +1236,21 @@ function pkg_change_category($atype, $dbh=NULL) { $q = "SELECT Packages.MaintainerUID "; $q.= "FROM Packages "; $q.= "WHERE Packages.ID = ".$pid; - $result = db_query($q, $dbh); + $result = $dbh->query($q); if ($result) { - $pkg = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } else { return __("You are not allowed to change this package category."); } $uid = uid_from_sid($_COOKIE["AURSID"], $dbh); - if ($uid == $pkg["MaintainerUID"] || + if ($uid == $row["MaintainerUID"] || ($atype == "Developer" || $atype == "Trusted User")) { $q = "UPDATE Packages "; $q.= "SET CategoryID = ".intval($category_id)." "; $q.= "WHERE ID = ".intval($pid); - db_query($q, $dbh); + $dbh->exec($q); return __("Package category changed."); } else { return __("You are not allowed to change this package category."); @@ -1251,29 +1261,29 @@ function pkgdetails_by_pkgname($pkgname, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($pkgname) . "'"; - $result = db_query($q, $dbh); + $q = "SELECT * FROM Packages WHERE Name = " . $dbh->quote($pkgname); + $result = $dbh->query($q); if ($result) { - $pdata = mysql_fetch_assoc($result); + $row = $result->fetch(PDO::FETCH_ASSOC); } - return $pdata; + return $row; } function new_pkgdetails($pkgname, $license, $pkgver, $category_id, $pkgdesc, $pkgurl, $uid, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)", - db_escape_string($pkgname), - db_escape_string($license), - db_escape_string($pkgver), + $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES (%s, %s, %s, %d, %s, %s, UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)", + $dbh->quote($pkgname), + $dbh->quote($license), + $dbh->quote($pkgver), $category_id, - db_escape_string($pkgdesc), - db_escape_string($pkgurl), + $dbh->quote($pkgdesc), + $dbh->quote($pkgurl), $uid, $uid); - db_query($q, $dbh); + $dbh->exec($q); } function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid, $pkgid, $dbh=NULL) { @@ -1281,28 +1291,28 @@ function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid, $dbh = db_connect(); } # This is an overwrite of an existing package - $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d", - db_escape_string($pkgname), - db_escape_string($pkgver), - db_escape_string($license), - db_escape_string($pkgdesc), - db_escape_string($pkgurl), + $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = %s, Version = %s, License = %s, Description = %s, URL = %s, OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d", + $dbh->quote($pkgname), + $dbh->quote($pkgver), + $dbh->quote($license), + $dbh->quote($pkgdesc), + $dbh->quote($pkgurl), $uid, $pkgid); - db_query($q, $dbh); + $dbh->exec($q); } function add_pkg_dep($pkgid, $depname, $depcondition, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')", + $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, %s, %s)", $pkgid, - db_escape_string($depname), - db_escape_string($depcondition)); + $dbh->quote($depname), + $dbh->quote($depcondition)); - db_query($q, $dbh); + $dbh->exec($q); } function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) { @@ -1310,9 +1320,9 @@ function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) { $dbh = db_connect(); } $q = "INSERT INTO PackageSources (PackageID, Source) VALUES ("; - $q .= $pkgid . ", '" . db_escape_string($pkgsrc) . "')"; + $q .= $pkgid . ", " . $dbh->quote($pkgsrc) . ")"; - db_query($q, $dbh); + $dbh->exec($q); } function update_pkg_category($pkgid, $category_id, $dbh=NULL) { @@ -1323,7 +1333,7 @@ function update_pkg_category($pkgid, $category_id, $dbh=NULL) { $category_id, $pkgid); - db_query($q, $dbh); + $dbh->exec($q); } function remove_pkg_deps($pkgid, $dbh=NULL) { @@ -1332,7 +1342,7 @@ function remove_pkg_deps($pkgid, $dbh=NULL) { } $q = "DELETE FROM PackageDepends WHERE PackageID = " . $pkgid; - db_query($q, $dbh); + $dbh->exec($q); } function remove_pkg_sources($pkgid, $dbh=NULL) { @@ -1341,5 +1351,5 @@ function remove_pkg_sources($pkgid, $dbh=NULL) { } $q = "DELETE FROM PackageSources WHERE PackageID = " . $pkgid; - db_query($q, $dbh); + $dbh->exec($q); } diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php index 2828dc9..2c26d43 100644 --- a/web/lib/stats.inc.php +++ b/web/lib/stats.inc.php @@ -6,10 +6,10 @@ function updates_table($dbh) { $key = 'recent_updates'; if(!($newest_packages = get_cache_value($key))) { $q = 'SELECT * FROM Packages ORDER BY ModifiedTS DESC LIMIT 10'; - $result = db_query($q, $dbh); + $result = $dbh->query($q); $newest_packages = new ArrayObject(); - while ($row = mysql_fetch_assoc($result)) { + while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $newest_packages->append($row); } set_cache_value($key, $newest_packages); diff --git a/web/lib/translator.inc.php b/web/lib/translator.inc.php index f269b93..382160c 100644 --- a/web/lib/translator.inc.php +++ b/web/lib/translator.inc.php @@ -96,11 +96,11 @@ function set_lang($dbh=NULL) { $q = "SELECT LangPreference FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; - $result = db_query($q, $dbh); + $q.= $dbh->quote($_COOKIE["AURSID"]); + $result = $dbh->query($q); if ($result) { - $row = mysql_fetch_array($result); + $row = $result->fetchAll(); $LANG = $row[0]; } $update_cookie = 1; diff --git a/web/template/account_search_results.php b/web/template/account_search_results.php index cc2a1c2..61887a3 100644 --- a/web/template/account_search_results.php +++ b/web/template/account_search_results.php @@ -2,7 +2,7 @@ if (!$result): print __("No results matched your search criteria."); else: - if ($num_rows): + if ($result): ?> <table class="results"> <thead> |