authorLukas Fleischer <archlinux@cryptocrack.de>2011-10-20 08:15:02 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2011-10-24 17:57:54 +0200
commit323d418f02074613241d65b9cabbfd65afea9abe (patch)
treeafa3290e6d2d0ad04955e3e9331b885587e7e1f6 /web/lib/acctfuncs.inc.php
parent54d5dcc6e87732f89e6346eb35e30837a23a32b3 (diff)
Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib/acctfuncs.inc.php')
-rw-r--r--web/lib/acctfuncs.inc.php26
1 files changed, 13 insertions, 13 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 94e2e72..8b56259 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -226,7 +226,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# NOTE: a race condition exists here if we care...
#
$q = "SELECT COUNT(*) AS CNT FROM Users ";
- $q.= "WHERE Username = '".mysql_real_escape_string($U)."'";
+ $q.= "WHERE Username = '".db_escape_string($U)."'";
if ($TYPE == "edit") {
$q.= " AND ID != ".intval($UID);
}
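Review bot: db_escape_string($U) on the changed line is called without the $dbh handle that db_query() takes elsewhere in this function, so if the wrapper falls back to mysql_real_escape_string()'s implicit last-opened link, the escaping may run against a different connection (and connection character set) than the one executing the query, which is the situation that multibyte quote-escaping bypasses depend on. Consider threading the handle through, `db_escape_string($U, $dbh)`, so the escape and the query are guaranteed to share one connection. The wrapper's definition is not part of this diff, so it may already take care of this. process_account_form begins before and continues after this hunk.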
@@ -244,7 +244,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# NOTE: a race condition exists here if we care...
#
$q = "SELECT COUNT(*) AS CNT FROM Users ";
- $q.= "WHERE Email = '".mysql_real_escape_string($E)."'";
+ $q.= "WHERE Email = '".db_escape_string($E)."'";
if ($TYPE == "edit") {
$q.= " AND ID != ".intval($UID);
}
@@ -266,7 +266,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# no errors, go ahead and create the unprivileged user
$salt = generate_salt();
$P = salted_hash($P, $salt);
- $escaped = array_map('mysql_real_escape_string',
+ $escaped = array_map('db_escape_string',
array($U, $E, $P, $salt, $R, $L, $I));
$q = "INSERT INTO Users (" .
"AccountTypeID, Suspended, Username, Email, Passwd, Salt" .
@@ -290,7 +290,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# no errors, go ahead and modify the user account
$q = "UPDATE Users SET ";
- $q.= "Username = '".mysql_real_escape_string($U)."'";
+ $q.= "Username = '".db_escape_string($U)."'";
if ($T) {
$q.= ", AccountTypeID = ".intval($T);
}
@@ -299,15 +299,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
} else {
$q.= ", Suspended = 0";
}
- $q.= ", Email = '".mysql_real_escape_string($E)."'";
+ $q.= ", Email = '".db_escape_string($E)."'";
if ($P) {
$salt = generate_salt();
$hash = salted_hash($P, $salt);
$q .= ", Passwd = '$hash', Salt = '$salt'";
}
- $q.= ", RealName = '".mysql_real_escape_string($R)."'";
- $q.= ", LangPreference = '".mysql_real_escape_string($L)."'";
- $q.= ", IRCNick = '".mysql_real_escape_string($I)."'";
+ $q.= ", RealName = '".db_escape_string($R)."'";
+ $q.= ", LangPreference = '".db_escape_string($L)."'";
+ $q.= ", IRCNick = '".db_escape_string($I)."'";
$q.= " WHERE ID = ".intval($UID);
$result = db_query($q, $dbh);
if (!$result) {
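Review bot: `$q .= ", Passwd = '$hash', Salt = '$salt'";` still interpolates the hash and salt into the UPDATE unescaped, while every other column in this statement now goes through db_escape_string(). This is presumably harmless if salted_hash() and generate_salt() return hex, but the INSERT path earlier in this file escapes both values, so the two paths disagree on whether those helpers' output can be trusted in SQL. `$q .= ", Passwd = '".db_escape_string($hash)."', Salt = '".db_escape_string($salt)."'";` makes the update consistent and removes the dependence on the helpers' output alphabet. The enclosing function continues outside this hunk.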
@@ -373,19 +373,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$search_vars[] = "S";
}
if ($U) {
- $q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' ";
+ $q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
$search_vars[] = "U";
}
if ($E) {
- $q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' ";
+ $q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
$search_vars[] = "E";
}
if ($R) {
- $q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' ";
+ $q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
$search_vars[] = "R";
}
if ($I) {
- $q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' ";
+ $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
$search_vars[] = "I";
}
switch ($SB) {
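Review bot: The LIKE clauses on the changed lines pass user-supplied search strings through db_escape_string(), which neutralises quotes but not the LIKE metacharacters `%` and `_`, so a search for `_` or `%` matches every row rather than the literal text. If literal matching is intended, escape the wildcards before quoting, e.g. `db_escape_string(addcslashes($U, '%_'))` (and likewise for $E, $R and $I), which relies on MySQL's default backslash escape for LIKE; if wildcard search is a feature, a comment saying so would save the next reader the question. search_results_page starts and ends outside this hunk.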
@@ -720,7 +720,7 @@ function valid_user( $user, $dbh )
/* if ( $user = valid_username($user) ) { */
if ( $user ) {
$q = "SELECT ID FROM Users WHERE Username = '"
- . mysql_real_escape_string($user). "'";
+ . db_escape_string($user). "'";
$result = db_query($q, $dbh);
# Is the username in the database?