summaryrefslogtreecommitdiffstats
path: root/web/lib/aur.inc.php
diff options
context:
space:
mode:
Diffstat (limited to 'web/lib/aur.inc.php')
-rw-r--r--web/lib/aur.inc.php29
1 files changed, 17 insertions, 12 deletions
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index ae22bd9..e4e1cb5 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -29,7 +29,7 @@ function check_sid($dbh=NULL) {
$dbh = db_connect();
}
$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
- $q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+ $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'";
$result = db_query($q, $dbh);
if (mysql_num_rows($result) == 0) {
# Invalid SessionID - hacker alert!
@@ -53,7 +53,7 @@ function check_sid($dbh=NULL) {
# session id timeout was reached and they must login again.
#
$q = "DELETE FROM Sessions WHERE SessionID = '";
- $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
+ $q.= db_escape_string($_COOKIE["AURSID"]) . "'";
db_query($q, $dbh);
setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
@@ -69,7 +69,7 @@ function check_sid($dbh=NULL) {
# overwritten.
if ($last_update < time() + $LOGIN_TIMEOUT) {
$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
- $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'";
+ $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'";
db_query($q, $dbh);
}
}
@@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id);
+ $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id);
$result = db_query($q, $dbh);
if (!$result) {
return "None";
@@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) {
$q = "SELECT Username ";
$q.= "FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+ $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
$result = db_query($q, $dbh);
if (!$result) {
return "";
@@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) {
$q = "SELECT Email ";
$q.= "FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+ $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
$result = db_query($q, $dbh);
if (!$result) {
return "";
@@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) {
$q.= "FROM Users, AccountTypes, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
- $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+ $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
$result = db_query($q, $dbh);
if (!$result) {
return "";
@@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) {
$q = "SELECT Users.ID ";
$q.= "FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
+ $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
$result = db_query($q, $dbh);
if (!$result) {
return 0;
@@ -223,6 +223,12 @@ function db_connect() {
return $handle;
}
+# Escape strings for SQL query usage.
+# Wraps the database driver's provided method (for convenience and porting).
+function db_escape_string($string) {
+ return mysql_real_escape_string($string);
+}
+
# disconnect from the database
# this won't normally be needed as PHP/reference counting will take care of
# closing the connection once it is no longer referenced
@@ -261,7 +267,6 @@ function db_query($query="", $db_handle="") {
return $result;
}
-
# common header
#
function html_header($title="") {
@@ -299,7 +304,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) {
$dbh = db_connect();
}
$q = "SELECT MaintainerUID ";
- $q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'";
+ $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'";
$result = db_query($q, $dbh);
if (mysql_num_rows($result) == 0) {return 1;}
$row = mysql_fetch_row($result);
@@ -372,7 +377,7 @@ function uid_from_username($username="", $dbh=NULL)
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username)
+ $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username)
."'";
$result = db_query($q, $dbh);
if (!$result) {
@@ -393,7 +398,7 @@ function uid_from_email($email="", $dbh=NULL)
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email)
+ $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email)
."'";
$result = db_query($q, $dbh);
if (!$result) {