summaryrefslogtreecommitdiffstats
path: root/web
diff options
context:
space:
mode:
Diffstat (limited to 'web')
-rw-r--r--web/lib/acctfuncs.inc.php229
-rw-r--r--web/lib/aur.inc.php154
-rw-r--r--web/lib/aurjson.class.php26
-rw-r--r--web/lib/cachefuncs.inc.php4
-rw-r--r--web/lib/config.inc.php.proto3
-rw-r--r--web/lib/pkgfuncs.inc.php302
-rw-r--r--web/lib/stats.inc.php4
-rw-r--r--web/lib/translator.inc.php6
-rw-r--r--web/template/account_search_results.php2
9 files changed, 350 insertions, 380 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index d58c759..54e8381 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -135,17 +135,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# NOTE: a race condition exists here if we care...
#
$q = "SELECT COUNT(*) AS CNT FROM Users ";
- $q.= "WHERE Username = '".db_escape_string($U)."'";
+ $q.= "WHERE Username = " . $dbh->quote($U);
if ($TYPE == "edit") {
$q.= " AND ID != ".intval($UID);
}
- $result = db_query($q, $dbh);
- if ($result) {
- $row = mysql_fetch_array($result);
- if ($row[0]) {
- $error = __("The username, %s%s%s, is already in use.",
- "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
- }
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_NUM);
+
+ if ($row[0]) {
+ $error = __("The username, %s%s%s, is already in use.",
+ "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
}
}
if (!$error) {
@@ -153,17 +152,16 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# NOTE: a race condition exists here if we care...
#
$q = "SELECT COUNT(*) AS CNT FROM Users ";
- $q.= "WHERE Email = '".db_escape_string($E)."'";
+ $q.= "WHERE Email = " . $dbh->quote($E);
if ($TYPE == "edit") {
$q.= " AND ID != ".intval($UID);
}
- $result = db_query($q, $dbh);
- if ($result) {
- $row = mysql_fetch_array($result);
- if ($row[0]) {
- $error = __("The address, %s%s%s, is already in use.",
- "<b>", htmlspecialchars($E,ENT_QUOTES), "</b>");
- }
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_NUM);
+
+ if ($row[0]) {
+ $error = __("The address, %s%s%s, is already in use.",
+ "<b>", htmlspecialchars($E,ENT_QUOTES), "</b>");
}
}
if ($error) {
@@ -175,16 +173,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# no errors, go ahead and create the unprivileged user
$salt = generate_salt();
$P = salted_hash($P, $salt);
- $escaped = array_map('db_escape_string',
- array($U, $E, $P, $salt, $R, $L, $I, str_replace(" ", "", $K)));
- $q = "INSERT INTO Users (" .
- "AccountTypeID, Suspended, Username, Email, Passwd, Salt" .
- ", RealName, LangPreference, IRCNick, PGPKey) " .
- "VALUES (1, 0, '" . implode("', '", $escaped) . "')";
- $result = db_query($q, $dbh);
+ $U = $dbh->quote($U);
+ $E = $dbh->quote($E);
+ $P = $dbh->quote($P);
+ $salt = $dbh->quote($salt);
+ $R = $dbh->quote($R);
+ $L = $dbh->quote($L);
+ $I = $dbh->quote($I);
+ $K = $dbh->quote(str_replace(" ", "", $K));
+ $q = "INSERT INTO Users (AccountTypeID, Suspended, ";
+ $q.= "Username, Email, Passwd, Salt, RealName, ";
+ $q.= "LangPreference, IRCNick, PGPKey) VALUES (1, 0, ";
+ $q.= "$U, $E, $P, $salt, $R, $L, $I, $K)";
+ $result = $dbh->exec($q);
if (!$result) {
- print __("Error trying to create account, %s%s%s: %s.",
- "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh));
+ print __("Error trying to create account, %s%s%s.",
+ "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
} else {
# account created/modified, tell them so.
#
@@ -199,7 +203,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
# no errors, go ahead and modify the user account
$q = "UPDATE Users SET ";
- $q.= "Username = '".db_escape_string($U)."'";
+ $q.= "Username = " . $dbh->quote($U);
if ($T) {
$q.= ", AccountTypeID = ".intval($T);
}
@@ -208,21 +212,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
} else {
$q.= ", Suspended = 0";
}
- $q.= ", Email = '".db_escape_string($E)."'";
+ $q.= ", Email = " . $dbh->quote($E);
if ($P) {
$salt = generate_salt();
$hash = salted_hash($P, $salt);
$q .= ", Passwd = '$hash', Salt = '$salt'";
}
- $q.= ", RealName = '".db_escape_string($R)."'";
- $q.= ", LangPreference = '".db_escape_string($L)."'";
- $q.= ", IRCNick = '".db_escape_string($I)."'";
- $q.= ", PGPKey = '".db_escape_string(str_replace(" ", "", $K))."'";
+ $q.= ", RealName = " . $dbh->quote($R);
+ $q.= ", LangPreference = " . $dbh->quote($L);
+ $q.= ", IRCNick = " . $dbh->quote($I);
+ $q.= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
$q.= " WHERE ID = ".intval($UID);
- $result = db_query($q, $dbh);
+ $result = $dbh->exec($q);
if (!$result) {
- print __("Error trying to modify account, %s%s%s: %s.",
- "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh));
+ print __("Error trying to modify account, %s%s%s.",
+ "<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
} else {
print __("The account, %s%s%s, has been successfully modified.",
"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
@@ -265,6 +269,10 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
}
$search_vars = array();
+ if (!$dbh) {
+ $dbh = db_connect();
+ }
+
$q = "SELECT Users.*, AccountTypes.AccountType ";
$q.= "FROM Users, AccountTypes ";
$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
@@ -283,23 +291,28 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$search_vars[] = "S";
}
if ($U) {
- $q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
+ $U = "%" . addcslashes($U, '%_') . "%";
+ $q.= "AND Username LIKE " . $dbh->quote($U) . " ";
$search_vars[] = "U";
}
if ($E) {
- $q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
+ $E = "%" . addcslashes($E, '%_') . "%";
+ $q.= "AND Email LIKE " . $dbh->quote($E) . " ";
$search_vars[] = "E";
}
if ($R) {
- $q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
+ $R = "%" . addcslashes($R, '%_') . "%";
+ $q.= "AND RealName LIKE " . $dbh->quote($R) . " ";
$search_vars[] = "R";
}
if ($I) {
- $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
+ $I = "%" . addcslashes($I, '%_') . "%";
+ $q.= "AND IRCNick LIKE " . $dbh->quote($I) . " ";
$search_vars[] = "I";
}
if ($K) {
- $q.= "AND PGPKey LIKE '%".db_escape_like(str_replace(" ", "", $K))."%' ";
+ $K = "%" . addcslashes(str_replace(" ", "", $K), '%_') . "%";
+ $q.= "AND PGPKey LIKE " . $dbh->quote($K) . " ";
$search_vars[] = "K";
}
switch ($SB) {
@@ -326,10 +339,9 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$dbh = db_connect();
}
- $result = db_query($q, $dbh);
- $num_rows = mysql_num_rows($result);
+ $result = $dbh->query($q);
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$userinfo[] = $row;
}
@@ -377,13 +389,13 @@ function try_login($dbh=NULL) {
$q.= "ON s.SessionID = q.SessionID ";
$q.= "WHERE s.UsersId = " . $userID . " ";
$q.= "AND q.SessionID IS NULL;";
- db_query($q, $dbh);
+ $dbh->query($q);
}
$new_sid = new_sid();
$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
." VALUES (" . $userID . ", '" . $new_sid . "', UNIX_TIMESTAMP())";
- $result = db_query($q, $dbh);
+ $result = $dbh->exec($q);
# Query will fail if $new_sid is not unique
if ($result) {
@@ -397,7 +409,7 @@ function try_login($dbh=NULL) {
if ($logged_in) {
$q = "UPDATE Users SET LastLogin = UNIX_TIMESTAMP() ";
$q.= "WHERE ID = '$userID'";
- db_query($q, $dbh);
+ $dbh->exec($q);
# set our SID cookie
if (isset($_POST['remember_me']) &&
@@ -408,7 +420,7 @@ function try_login($dbh=NULL) {
# Set session for 30 days.
$q = "UPDATE Sessions SET LastUpdateTS = $cookie_time ";
$q.= "WHERE SessionID = '$new_sid'";
- db_query($q, $dbh);
+ $dbh->exec($q);
}
else
$cookie_time = 0;
@@ -472,13 +484,13 @@ function valid_user($user, $dbh=NULL) {
}
if ( $user ) {
- $q = "SELECT ID FROM Users WHERE Username = '"
- . db_escape_string($user). "'";
+ $q = "SELECT ID FROM Users ";
+ $q.= "WHERE Username = " . $dbh->quote($user);
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
# Is the username in the database?
if ($result) {
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
}
@@ -490,10 +502,10 @@ function open_user_proposals($user, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($user) . "'";
- $q.= " AND End > UNIX_TIMESTAMP()";
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result)) {
+ $q = "SELECT * FROM TU_VoteInfo WHERE User = " . $dbh->quote($user) . " ";
+ $q.= "AND End > UNIX_TIMESTAMP()";
+ $result = $dbh->query($q);
+ if ($result->fetchColumn()) {
return true;
}
else {
@@ -507,13 +519,12 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL)
if(!$dbh) {
$dbh = db_connect();
}
+
$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
- $q.= "('" . db_escape_string($agenda) . "', ";
- $q.= "'" . db_escape_string($user) . "', ";
- $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($votelength);
+ $q.= "(" . $dbh->quote($agenda) . ", " . $dbh->quote($user) . ", ";
+ $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . $dbh->quote($votelength);
$q.= ", " . $submitteruid . ")";
- db_query($q, $dbh);
-
+ $result = $dbh->exec($q);
}
# Add a reset key for a specific user
@@ -524,7 +535,7 @@ function create_resetkey($resetkey, $uid, $dbh=NULL) {
$q = "UPDATE Users ";
$q.= "SET ResetKey = '" . $resetkey . "' ";
$q.= "WHERE ID = " . $uid;
- db_query($q, $dbh);
+ $dbh->exec($q);
}
# Change a password and save the salt only if reset key and email are correct
@@ -537,11 +548,11 @@ function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) {
$q.= "Salt = '$salt', ";
$q.= "ResetKey = '' ";
$q.= "WHERE ResetKey != '' ";
- $q.= "AND ResetKey = '".db_escape_string($resetkey)."' ";
- $q.= "AND Email = '".db_escape_string($email)."'";
- $result = db_query($q, $dbh);
+ $q.= "AND ResetKey = " . $dbh->quote($resetkey) . " ";
+ $q.= "AND Email = " . $dbh->quote($email);
+ $result = $dbh->exec($q);
- if (!mysql_affected_rows($dbh)) {
+ if (!$result) {
$error = __('Invalid e-mail and reset key combination.');
return $error;
} else {
@@ -569,25 +580,25 @@ function valid_passwd($userID, $passwd, $dbh=NULL) {
$salt = get_salt($userID);
if ($salt) {
# use salt
- $passwd_q = "SELECT ID FROM Users" .
- " WHERE ID = " . $userID . " AND Passwd = '" .
- salted_hash($passwd, $salt) . "'";
- $result = db_query($passwd_q, $dbh);
+ $q = "SELECT ID FROM Users ";
+ $q.= "WHERE ID = " . $userID . " ";
+ $q.= "AND Passwd = " . $dbh->quote(salted_hash($passwd, $salt));
+ $result = $dbh->query($q);
if ($result) {
- $passwd_result = mysql_fetch_row($result);
- if ($passwd_result[0]) {
+ $row = $result->fetch(PDO::FETCH_NUM);
+ if ($row[0]) {
return true;
}
}
} else {
# check without salt
- $nosalt_q = "SELECT ID FROM Users".
- " WHERE ID = " . $userID .
- " AND Passwd = '" . md5($passwd) . "'";
- $result = db_query($nosalt_q, $dbh);
+ $q = "SELECT ID FROM Users ";
+ $q.= "WHERE ID = " . $userID . " ";
+ $q.= "AND Passwd = " . $dbh->quote(md5($passwd));
+ $result = $dbh->query($q);
if ($result) {
- $nosalt_row = mysql_fetch_row($result);
- if ($nosalt_row[0]) {
+ $row = $result->fetch(PDO::FETCH_NUM);
+ if ($row[0]) {
# password correct, but salt it first
if (!save_salt($userID, $passwd)) {
trigger_error("Unable to salt user's password;" .
@@ -621,9 +632,9 @@ function user_suspended($id, $dbh=NULL) {
return false;
}
$q = "SELECT Suspended FROM Users WHERE ID = " . $id;
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
if ($row[0]) {
return true;
}
@@ -639,7 +650,7 @@ function user_delete($id, $dbh=NULL) {
$dbh = db_connect();
}
$q = "DELETE FROM Users WHERE ID = " . $id;
- db_query($q, $dbh);
+ $dbh->query($q);
return;
}
@@ -652,9 +663,9 @@ function user_is_privileged($id, $dbh=NULL) {
$dbh = db_connect();
}
$q = "SELECT AccountTypeID FROM Users WHERE ID = " . $id;
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
if($row[0] > 1) {
return $row[0];
}
@@ -669,9 +680,8 @@ function delete_session_id($sid, $dbh=NULL) {
$dbh = db_connect();
}
- $q = "DELETE FROM Sessions WHERE SessionID = '";
- $q.= db_escape_string($sid) . "'";
- db_query($q, $dbh);
+ $q = "DELETE FROM Sessions WHERE SessionID = " . $dbh->quote($sid);
+ $dbh->query($q);
}
# Clear out old expired sessions.
@@ -683,7 +693,7 @@ function clear_expired_sessions($dbh=NULL) {
}
$q = "DELETE FROM Sessions WHERE LastUpdateTS < (UNIX_TIMESTAMP() - $LOGIN_TIMEOUT)";
- db_query($q, $dbh);
+ $dbh->query($q);
return;
}
@@ -698,12 +708,12 @@ function account_details($uid, $username, $dbh=NULL) {
if (!empty($uid)) {
$q.= "AND Users.ID = ".intval($uid);
} else {
- $q.= "AND Users.Username = '".db_escape_string($username) . "'";
+ $q.= "AND Users.Username = " . $dbh->quote($username);
}
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- $row = mysql_fetch_assoc($result);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
}
return $row;
@@ -717,12 +727,11 @@ function own_account_details($sid, $dbh=NULL) {
$q.= "FROM Users, AccountTypes, Sessions ";
$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
$q.= "AND Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '";
- $q.= db_escape_string($sid)."'";
- $result = db_query($q, $dbh);
+ $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
+ $result = $dbh->query($q);
if ($result) {
- $row = mysql_fetch_assoc($result);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
}
return $row;
@@ -733,9 +742,10 @@ function tu_voted($voteid, $uid, $dbh=NULL) {
$dbh = db_connect();
}
- $q = "SELECT * FROM TU_Votes WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid);
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result)) {
+ $q = "SELECT COUNT(*) FROM TU_Votes ";
+ $q.= "WHERE VoteID = " . intval($voteid) . " AND UserID = " . intval($uid);
+ $result = $dbh->query($q);
+ if ($result->fetchColumn() > 0) {
return true;
}
else {
@@ -749,10 +759,10 @@ function current_proposal_list($order, $dbh=NULL) {
}
$q = "SELECT * FROM TU_VoteInfo WHERE End > " . time() . " ORDER BY Submitted " . $order;
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
$details = array();
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$details[] = $row;
}
@@ -765,10 +775,10 @@ function past_proposal_list($order, $lim, $dbh=NULL) {
}
$q = "SELECT * FROM TU_VoteInfo WHERE End < " . time() . " ORDER BY Submitted " . $order . $lim;
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
$details = array();
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$details[] = $row;
}
@@ -781,8 +791,8 @@ function proposal_count($dbh=NULL) {
}
$q = "SELECT COUNT(*) FROM TU_VoteInfo";
- $result = db_query($q, $dbh);
- $row = mysql_fetch_row($result);
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -795,8 +805,8 @@ function vote_details($voteid, $dbh=NULL) {
$q = "SELECT * FROM TU_VoteInfo ";
$q.= "WHERE ID = " . intval($voteid);
- $result = db_query($q, $dbh);
- $row = mysql_fetch_assoc($result);
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
return $row;
}
@@ -814,9 +824,9 @@ function voter_list($voteid, $dbh=NULL) {
$q.= " AND tv.UserID = U.ID ";
$q.= "ORDER BY Username";
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$whovoted.= '<a href="' . get_uri('/accounts/') . '?Action=AccountInfo&amp;ID='.$row['UserID'].'">'.$row['Username'].'</a> ';
}
}
@@ -828,10 +838,9 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
$dbh = db_connect();
}
- $q = "UPDATE TU_VoteInfo SET " . $vote . " = " . ($newtotal) . " WHERE ID = " . $voteid;
- db_query($q, $dbh);
-
- $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . $voteid . ", " . $uid . ")";
- db_query($q, $dbh);
+ $q = "UPDATE TU_VoteInfo SET " . $vote . " = (" . $newtotal . ") WHERE ID = " . $voteid;
+ $result = $dbh->exec($q);
+ $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
+ $result = $dbh->exec($q);
}
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 6dcbb34..d26bdf2 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -30,14 +30,15 @@ function check_sid($dbh=NULL) {
$dbh = db_connect();
}
$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
- $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'";
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result) == 0) {
+ $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_NUM);
+
+ if (!$row[0]) {
# Invalid SessionID - hacker alert!
#
$failed = 1;
} else {
- $row = mysql_fetch_row($result);
$last_update = $row[0];
if ($last_update + $LOGIN_TIMEOUT <= $row[1]) {
$failed = 2;
@@ -68,8 +69,8 @@ function check_sid($dbh=NULL) {
# overwritten.
if ($last_update < time() + $LOGIN_TIMEOUT) {
$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
- $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'";
- db_query($q, $dbh);
+ $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
+ $dbh->exec($q);
}
}
}
@@ -119,12 +120,12 @@ function username_from_id($id="", $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id);
- $result = db_query($q, $dbh);
+ $q = "SELECT Username FROM Users WHERE ID = " . $dbh->quote($id);
+ $result = $dbh->query($q);
if (!$result) {
return "None";
}
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -142,12 +143,12 @@ function username_from_sid($sid="", $dbh=NULL) {
$q = "SELECT Username ";
$q.= "FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
- $result = db_query($q, $dbh);
+ $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
+ $result = $dbh->query($q);
if (!$result) {
return "";
}
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -164,12 +165,12 @@ function email_from_sid($sid="", $dbh=NULL) {
$q = "SELECT Email ";
$q.= "FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
- $result = db_query($q, $dbh);
+ $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
+ $result = $dbh->query($q);
if (!$result) {
return "";
}
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -188,12 +189,12 @@ function account_from_sid($sid="", $dbh=NULL) {
$q.= "FROM Users, AccountTypes, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
- $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
- $result = db_query($q, $dbh);
+ $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
+ $result = $dbh->query($q);
if (!$result) {
return "";
}
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -210,12 +211,12 @@ function uid_from_sid($sid="", $dbh=NULL) {
$q = "SELECT Users.ID ";
$q.= "FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'";
- $result = db_query($q, $dbh);
+ $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
+ $result = $dbh->query($q);
if (!$result) {
return 0;
}
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -223,66 +224,16 @@ function uid_from_sid($sid="", $dbh=NULL) {
# connect to the database
#
function db_connect() {
- $handle = mysql_connect(AUR_db_host, AUR_db_user, AUR_db_pass);
- if (!$handle) {
- die("Error connecting to AUR database: " . mysql_error());
- }
-
- mysql_select_db(AUR_db_name, $handle) or
- die("Error selecting AUR database: " . mysql_error());
-
- db_query("SET NAMES 'utf8' COLLATE 'utf8_general_ci';", $handle);
-
- return $handle;
-}
-
-# Escape strings for SQL query usage.
-# Wraps the database driver's provided method (for convenience and porting).
-function db_escape_string($string) {
- return mysql_real_escape_string($string);
-}
-
-# Escape strings for usage in SQL LIKE operators.
-function db_escape_like($string) {
- return addcslashes(mysql_real_escape_string($string), '%_');
-}
-
-# disconnect from the database
-# this won't normally be needed as PHP/reference counting will take care of
-# closing the connection once it is no longer referenced
-#
-function db_disconnect($db_handle="") {
- if ($db_handle) {
- mysql_close($db_handle);
- return TRUE;
+ try {
+ $dbh = new PDO(AUR_db_DSN_prefix . ":" . AUR_db_host . ";dbname=" . AUR_db_name, AUR_db_user, AUR_db_pass);
}
- return FALSE;
-}
-
-# wrapper function around db_query in case we want to put
-# query logging/debugging in.
-#
-function db_query($query="", $db_handle="") {
- if (!$query) {
- return FALSE;
+ catch (PDOException $e) {
+ echo "Error - Could not connect to AUR database: " . $e->getMessage();
}
- if (!$db_handle) {
- die("DB handle was not provided to db_query");
- }
-
- if (defined('SQL_DEBUG') && SQL_DEBUG == 1) {
- $bt = debug_backtrace();
- error_log("DEBUG: ".$bt[0]['file'].":".$bt[0]['line']." query: $query\n");
- }
+ $dbh->exec("SET NAMES 'utf8' COLLATE 'utf8_general_ci';");
- $result = @mysql_query($query, $db_handle);
- if (!$result) {
- $bt = debug_backtrace();
- error_log("ERROR: near ".$bt[0]['file'].":".$bt[0]['line']." in query: $query\n -> ".mysql_error($db_handle));
- }
-
- return $result;
+ return $dbh;
}
# common header
@@ -313,10 +264,13 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) {
$dbh = db_connect();
}
$q = "SELECT MaintainerUID ";
- $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'";
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result) == 0) {return 1;}
- $row = mysql_fetch_row($result);
+ $q.= "FROM Packages WHERE Name = " . $dbh->quote($name);
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_NUM);
+
+ if (!$row[0]) {
+ return 1;
+ }
$my_uid = uid_from_sid($sid, $dbh);
if ($row[0] === NULL || $row[0] == $my_uid) {
@@ -385,13 +339,12 @@ function uid_from_username($username="", $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username)
- ."'";
- $result = db_query($q, $dbh);
+ $q = "SELECT ID FROM Users WHERE Username = " . $dbh->quote($username);
+ $result = $dbh->query($q);
if (!$result) {
return "None";
}
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -405,13 +358,12 @@ function uid_from_email($email="", $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email)
- ."'";
- $result = db_query($q, $dbh);
+ $q = "SELECT ID FROM Users WHERE Email = " . $dbh->quote($email);
+ $result = $dbh->query($q);
if (!$result) {
return "None";
}
- $row = mysql_fetch_row($result);
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -461,11 +413,11 @@ function get_salt($user_id, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $salt_q = "SELECT Salt FROM Users WHERE ID = " . $user_id;
- $result = db_query($salt_q, $dbh);
+ $q = "SELECT Salt FROM Users WHERE ID = " . $user_id;
+ $result = $dbh->query($q);
if ($result) {
- $salt_row = mysql_fetch_row($result);
- return $salt_row[0];
+ $row = $result->fetch(PDO::FETCH_NUM);
+ return $row[0];
}
return;
}
@@ -476,9 +428,9 @@ function save_salt($user_id, $passwd, $dbh=NULL) {
}
$salt = generate_salt();
$hash = salted_hash($passwd, $salt);
- $salting_q = "UPDATE Users SET Salt = '" . $salt . "', " .
- "Passwd = '" . $hash . "' WHERE ID = " . $user_id;
- return db_query($salting_q, $dbh);
+ $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", ";
+ $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id;
+ $result = $dbh->exec($q);
}
function generate_salt() {
@@ -519,21 +471,21 @@ function begin_atomic_commit($dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- db_query("BEGIN", $dbh);
+ $dbh->beginTransaction();
}
function end_atomic_commit($dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- db_query("COMMIT", $dbh);
+ $dbh->commit();
}
function last_insert_id($dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- return mysql_insert_id($dbh);
+ return $dbh->lastInsertId();
}
function latest_pkgs($numpkgs, $dbh=NULL) {
@@ -544,10 +496,10 @@ function latest_pkgs($numpkgs, $dbh=NULL) {
$q = "SELECT * FROM Packages ";
$q.= "ORDER BY SubmittedTS DESC ";
$q.= "LIMIT " .intval($numpkgs);
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$packages[] = $row;
}
}
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index c1b079a..fbdc711 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -122,12 +122,13 @@ class AurJSON {
"FROM Packages LEFT JOIN Users " .
"ON Packages.MaintainerUID = Users.ID " .
"WHERE ${where_condition}";
- $result = db_query($query, $this->dbh);
+ $result = $this->dbh->query($query);
- $resultcount = mysql_num_rows($result);
- if ( $result && $resultcount > 0 ) {
+ if ($result) {
+ $resultcount = 0;
$search_data = array();
- while ( $row = mysql_fetch_assoc($result) ) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
+ $resultcount++;
$name = $row['Name'];
$row['URLPath'] = URL_DIR . substr($name, 0, 2) . "/" . $name . "/" . $name . ".tar.gz";
@@ -148,7 +149,6 @@ class AurJSON {
}
}
- mysql_free_result($result);
return $this->json_results($type, $resultcount, $search_data);
}
else {
@@ -178,8 +178,7 @@ class AurJSON {
if (is_numeric($arg)) {
$id_args[] = intval($arg);
} else {
- $escaped = db_escape_string($arg, $this->dbh);
- $name_args[] = "'" . $escaped . "'";
+ $name_args[] = $this->dbh->quote($arg);
}
}
@@ -196,10 +195,10 @@ class AurJSON {
return $this->json_error('Query arg too small');
}
- $keyword_string = db_escape_like($keyword_string, $this->dbh);
+ $keyword_string = $this->dbh->quote("%" . addcslashes($keyword_string, '%_') . "%");
- $where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
- "Description LIKE '%{$keyword_string}%' )";
+ $where_condition = "(Name LIKE {$keyword_string} OR ";
+ $where_condition.= "Description LIKE {$keyword_string})";
return $this->process_query('search', $where_condition);
}
@@ -217,8 +216,7 @@ class AurJSON {
$where_condition = "Packages.ID={$pqdata}";
}
else {
- $where_condition = sprintf("Name=\"%s\"",
- db_escape_string($pqdata, $this->dbh));
+ $where_condition = sprintf("Name=%s", $this->dbh->quote($pqdata));
}
return $this->process_query('info', $where_condition);
}
@@ -260,9 +258,9 @@ class AurJSON {
* @return mixed Returns an array of value data containing the package data
**/
private function msearch($maintainer) {
- $maintainer = db_escape_string($maintainer, $this->dbh);
+ $maintainer = $this->dbh->quote($maintainer);
- $where_condition = "Users.Username = '{$maintainer}'";
+ $where_condition = "Users.Username = {$maintainer}";
return $this->process_query('msearch', $where_condition);
}
diff --git a/web/lib/cachefuncs.inc.php b/web/lib/cachefuncs.inc.php
index 3485b01..f109bcf 100644
--- a/web/lib/cachefuncs.inc.php
+++ b/web/lib/cachefuncs.inc.php
@@ -71,8 +71,8 @@ function db_cache_value($dbq, $dbh, $key, $ttl=600) {
$status = false;
$value = get_cache_value($key, $status);
if (!$status) {
- $result = db_query($dbq, $dbh);
- $row = mysql_fetch_row($result);
+ $result = $dbh->query($dbq);
+ $row = $result->fetch(PDO::FETCH_NUM);
$value = $row[0];
set_cache_value($key, $value, $ttl);
}
diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
index fee1022..3c7df19 100644
--- a/web/lib/config.inc.php.proto
+++ b/web/lib/config.inc.php.proto
@@ -2,7 +2,8 @@
# NOTE: modify these variables if your MySQL setup is different
-define( "AUR_db_host", "localhost:/var/run/mysqld/mysqld.sock" );
+define( "AUR_db_DSN_prefix", "mysql" );
+define( "AUR_db_host", "unix_socket=/var/run/mysqld/mysqld.sock" );
define( "AUR_db_name", "AUR" );
define( "AUR_db_user", "aur" );
define( "AUR_db_pass", "aur" );
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index c592e39..6cdab0f 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -16,9 +16,9 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0, $dbh=NULL) {
$q.= "FROM PackageComments ";
$q.= "WHERE ID = " . intval($comment_id);
$q.= " AND UsersID = " . $uid;
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result != NULL) {
- $row = mysql_fetch_assoc($result);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
if ($row['CNT'] > 0) {
return TRUE;
}
@@ -83,9 +83,9 @@ function pkgCategories($dbh=NULL) {
}
$q = "SELECT * FROM PackageCategories WHERE ID != 1 ";
$q.= "ORDER BY Category ASC";
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- while ($row = mysql_fetch_row($result)) {
+ while ($row = $result->fetch(PDO::FETCH_NUM)) {
$cats[$row[0]] = $row[1];
}
}
@@ -100,10 +100,12 @@ function pkgid_from_name($name="", $dbh=NULL) {
$dbh = db_connect();
}
$q = "SELECT ID FROM Packages ";
- $q.= "WHERE Name = '".db_escape_string($name)."' ";
- $result = db_query($q, $dbh);
- if (!$result) {return NULL;}
- $row = mysql_fetch_row($result);
+ $q.= "WHERE Name = " . $dbh->quote($name);
+ $result = $dbh->query($q);
+ if (!$result) {
+ return;
+ }
+ $row = $result->fetch(PDO::FETCH_NUM);
return $row[0];
}
@@ -120,9 +122,11 @@ function package_dependencies($pkgid, $dbh=NULL) {
$q.= "LEFT JOIN Packages p ON pd.DepName = p.Name ";
$q.= "WHERE pd.PackageID = ". $pkgid . " ";
$q.= "ORDER BY pd.DepName";
- $result = db_query($q, $dbh);
- if (!$result) {return array();}
- while ($row = mysql_fetch_row($result)) {
+ $result = $dbh->query($q);
+ if (!$result) {
+ return array();
+ }
+ while ($row = $result->fetch(PDO::FETCH_NUM)) {
$deps[] = $row;
}
}
@@ -137,11 +141,11 @@ function package_required($name="", $dbh=NULL) {
}
$q = "SELECT p.Name, PackageID FROM PackageDepends pd ";
$q.= "JOIN Packages p ON pd.PackageID = p.ID ";
- $q.= "WHERE DepName = '".db_escape_string($name)."' ";
+ $q.= "WHERE DepName = " . $dbh->quote($name) . " ";
$q.= "ORDER BY p.Name";
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if (!$result) {return array();}
- while ($row = mysql_fetch_row($result)) {
+ while ($row = $result->fetch(PDO::FETCH_NUM)) {
$deps[] = $row;
}
}
@@ -150,6 +154,10 @@ function package_required($name="", $dbh=NULL) {
# Return the number of comments for a specified package
function package_comments_count($pkgid, $dbh=NULL) {
+ if (!$dbh) {
+ $dbh = db_connect();
+ }
+
$pkgid = intval($pkgid);
if ($pkgid > 0) {
if(!$dbh) {
@@ -159,13 +167,14 @@ function package_comments_count($pkgid, $dbh=NULL) {
$q.= "WHERE PackageID = " . $pkgid;
$q.= " AND DelUsersID IS NULL";
}
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if (!$result) {
return;
}
- return mysql_result($result, 0);
+ $row = $result->fetch(PDO::FETCH_NUM);
+ return $row[0];
}
# Return an array of package comments
@@ -187,13 +196,13 @@ function package_comments($pkgid, $dbh=NULL) {
$q.= " LIMIT 10";
}
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if (!$result) {
return;
}
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$comments[] = $row;
}
}
@@ -207,32 +216,31 @@ function add_package_comment($pkgid, $uid, $comment, $dbh=NULL) {
$dbh = db_connect();
}
- $q = 'INSERT INTO PackageComments ';
- $q.= '(PackageID, UsersID, Comments, CommentTS) VALUES (';
- $q.= intval($pkgid) . ', ' . $uid . ', ';
- $q.= "'" . db_escape_string($comment) . "', ";
- $q.= 'UNIX_TIMESTAMP())';
- db_query($q, $dbh);
+ $q = "INSERT INTO PackageComments ";
+ $q.= "(PackageID, UsersID, Comments, CommentTS) VALUES (";
+ $q.= intval($pkgid) . ", " . $uid . ", ";
+ $q.= $dbh->quote($comment) . ", UNIX_TIMESTAMP())";
+ $dbh->exec($q);
# Send email notifications
- $q = 'SELECT CommentNotify.*, Users.Email ';
- $q.= 'FROM CommentNotify, Users ';
- $q.= 'WHERE Users.ID = CommentNotify.UserID ';
- $q.= 'AND CommentNotify.UserID != ' . $uid . ' ';
- $q.= 'AND CommentNotify.PkgID = ' . intval($pkgid);
- $result = db_query($q, $dbh);
+ $q = "SELECT CommentNotify.*, Users.Email ";
+ $q.= "FROM CommentNotify, Users ";
+ $q.= "WHERE Users.ID = CommentNotify.UserID ";
+ $q.= "AND CommentNotify.UserID != " . $uid . " ";
+ $q.= "AND CommentNotify.PkgID = " . intval($pkgid);
+ $result = $dbh->query($q);
$bcc = array();
- if (mysql_num_rows($result)) {
- while ($row = mysql_fetch_assoc($result)) {
+ if ($result) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
array_push($bcc, $row['Email']);
}
- $q = 'SELECT Packages.* ';
- $q.= 'FROM Packages ';
- $q.= 'WHERE Packages.ID = ' . intval($pkgid);
- $result = db_query($q, $dbh);
- $row = mysql_fetch_assoc($result);
+ $q = "SELECT Packages.* ";
+ $q.= "FROM Packages ";
+ $q.= "WHERE Packages.ID = " . intval($pkgid);
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
# TODO: native language emails for users, based on their prefs
# Simply making these strings translatable won't work, users would be
@@ -261,9 +269,11 @@ function package_sources($pkgid, $dbh=NULL) {
$q = "SELECT Source FROM PackageSources ";
$q.= "WHERE PackageID = " . $pkgid;
$q.= " ORDER BY Source";
- $result = db_query($q, $dbh);
- if (!$result) {return array();}
- while ($row = mysql_fetch_row($result)) {
+ $result = $dbh->query($q);
+ if (!$result) {
+ return array();
+ }
+ while ($row = $result->fetch(PDO::FETCH_NUM)) {
$sources[] = $row[0];
}
}
@@ -283,10 +293,10 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) {
$q.= "FROM PackageVotes, Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
$q.= "AND Users.ID = PackageVotes.UsersID ";
- $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'";
- $result = db_query($q, $dbh);
+ $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
+ $result = $dbh->query($q);
if ($result) {
- while ($row = mysql_fetch_row($result)) {
+ while ($row = $result->fetch(PDO::FETCH_NUM)) {
$pkgs[$row[0]] = 1;
}
}
@@ -306,10 +316,10 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) {
$q.= "FROM CommentNotify, Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
$q.= "AND Users.ID = CommentNotify.UserID ";
- $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'";
- $result = db_query($q, $dbh);
+ $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
+ $result = $dbh->query($q);
if ($result) {
- while ($row = mysql_fetch_row($result)) {
+ while ($row = $result->fetch(PDO::FETCH_NUM)) {
$pkgs[$row[0]] = 1;
}
}
@@ -325,11 +335,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT Name FROM Packages WHERE ID IN (" .
- implode(",", $pkgids) . ")";
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result) > 0) {
- while ($row = mysql_fetch_assoc($result)) {
+ $q = "SELECT Name FROM Packages WHERE ID IN (";
+ $q.= implode(",", $pkgids) . ")";
+ $result = $dbh->query($q);
+ if ($result) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$names[] = $row['Name'];
}
}
@@ -340,11 +350,11 @@ function pkgname_from_id($pkgids, $dbh=NULL) {
$dbh = db_connect();
}
$q = "SELECT Name FROM Packages WHERE ID = " . $pkgids;
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result) > 0) {
- $name = mysql_result($result, 0);
+ $result = $dbh->query($q);
+ if ($result) {
+ $name = $result->fetch(PDO::FETCH_NUM);
}
- return $name;
+ return $name[0];
}
else {
return NULL;
@@ -357,11 +367,12 @@ function pkgname_is_blacklisted($name, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'";
- $result = db_query($q, $dbh);
+ $q = "SELECT COUNT(*) FROM PackageBlacklist ";
+ $q.= "WHERE Name = " . $dbh->quote($name);
+ $result = $dbh->query($q);
if (!$result) return false;
- return (mysql_result($result, 0) > 0);
+ return ($result->fetch(PDO::FETCH_NUM) > 0);
}
# display package details
@@ -378,13 +389,13 @@ function package_details($id=0, $SID="", $dbh=NULL) {
$q.= "FROM Packages,PackageCategories ";
$q.= "WHERE Packages.CategoryID = PackageCategories.ID ";
$q.= "AND Packages.ID = " . intval($id);
- $results = db_query($q, $dbh);
+ $result = $dbh->query($q);
- if (!$results) {
+ if (!$result) {
print "<p>" . __("Error retrieving package details.") . "</p>\n";
}
else {
- $row = mysql_fetch_assoc($results);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
if (empty($row)) {
print "<p>" . __("Package details could not be found.") . "</p>\n";
@@ -532,7 +543,7 @@ function pkg_search_page($SID="", $dbh=NULL) {
if (isset($_GET['K'])) {
# Search by maintainer
if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
- $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
+ $q_where .= "AND Users.Username = " . $dbh->quote($_GET['K']) . " ";
}
# Search by submitter
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
@@ -540,16 +551,18 @@ function pkg_search_page($SID="", $dbh=NULL) {
}
# Search by name
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
- $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
+ $K = "%" . addcslashes($_GET['K'], '%_') . "%";
+ $q_where .= "AND (Name LIKE " . $dbh->quote($K) . ") ";
}
# Search by name (exact match)
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
- $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
+ $q_where .= "AND (Name = " . $dbh->quote($_GET['K']) . ") ";
}
# Search by name and description (Default)
else {
- $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
- $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
+ $K = "%" . addcslashes($_GET['K'], '%_') . "%";
+ $q_where .= "AND (Name LIKE " . $dbh->quote($K) . " OR ";
+ $q_where .= "Description LIKE " . $dbh->quote($K) . ") ";
}
}
@@ -602,10 +615,11 @@ function pkg_search_page($SID="", $dbh=NULL) {
$q = $q_select . $q_from . $q_from_extra . $q_where . $q_sort . $q_limit;
$q_total = "SELECT COUNT(*) " . $q_from . $q_where;
- $result = db_query($q, $dbh);
- $result_t = db_query($q_total, $dbh);
+ $result = $dbh->query($q);
+ $result_t = $dbh->query($q_total);
if ($result_t) {
- $total = mysql_result($result_t, 0);
+ $row = $result_t->fetch(PDO::FETCH_NUM);
+ $total = $row[0];
}
else {
$total = 0;
@@ -657,8 +671,10 @@ function pkg_search_page($SID="", $dbh=NULL) {
include('pkg_search_form.php');
- while ($row = mysql_fetch_assoc($result)) {
- $searchresults[] = $row;
+ if ($result) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
+ $searchresults[] = $row;
+ }
}
include('pkg_search_results.php');
@@ -732,7 +748,7 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) {
$q.= "AND MaintainerUID = " . uid_from_sid($_COOKIE["AURSID"], $dbh);
}
- db_query($q, $dbh);
+ $dbh->exec($q);
if ($action) {
# Notify of flagging by email
@@ -744,9 +760,9 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) {
$q.= "WHERE Packages.ID IN (" . implode(",", $ids) .") ";
$q.= "AND Users.ID = Packages.MaintainerUID ";
$q.= "AND Users.ID != " . $f_uid;
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result)) {
- while ($row = mysql_fetch_assoc($result)) {
+ $result = $dbh->query($q);
+ if ($result) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
# construct email
$body = "Your package " . $row['Name'] . " has been flagged out of date by " . $f_name . " [1]. You may view your package at:\n" . $AUR_LOCATION . "/" . get_pkg_uri($row['Name']) . "\n\n[1] - " . $AUR_LOCATION . "/" . get_uri('/accounts/') . "?Action=AccountInfo&ID=" . $f_uid;
$body = wordwrap($body, 70);
@@ -797,15 +813,15 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) {
# Send email notifications
foreach ($ids as $pkgid) {
- $q = 'SELECT CommentNotify.*, Users.Email ';
- $q.= 'FROM CommentNotify, Users ';
- $q.= 'WHERE Users.ID = CommentNotify.UserID ';
- $q.= 'AND CommentNotify.UserID != ' . uid_from_sid($_COOKIE['AURSID']) . ' ';
- $q.= 'AND CommentNotify.PkgID = ' . $pkgid;
- $result = db_query($q, $dbh);
+ $q = "SELECT CommentNotify.*, Users.Email ";
+ $q.= "FROM CommentNotify, Users ";
+ $q.= "WHERE Users.ID = CommentNotify.UserID ";
+ $q.= "AND CommentNotify.UserID != " . uid_from_sid($_COOKIE['AURSID']) . " ";
+ $q.= "AND CommentNotify.PkgID = " . $pkgid;
+ $result = $dbh->query($q);
$bcc = array();
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
array_push($bcc, $row['Email']);
}
if (!empty($bcc)) {
@@ -834,7 +850,7 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) {
$q = "UPDATE PackageComments ";
$q.= "SET PackageID = " . intval($mergepkgid) . " ";
$q.= "WHERE PackageID IN (" . implode(",", $ids) . ")";
- db_query($q, $dbh);
+ $dbh->exec($q);
/* Merge votes */
foreach ($ids as $pkgid) {
@@ -846,18 +862,18 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) {
$q.= "FROM PackageVotes ";
$q.= "WHERE PackageID = " . intval($mergepkgid);
$q.= ") temp)";
- db_query($q, $dbh);
+ $dbh->exec($q);
}
$q = "UPDATE Packages ";
$q.= "SET NumVotes = (SELECT COUNT(*) FROM PackageVotes ";
$q.= "WHERE PackageID = " . intval($mergepkgid) . ") ";
$q.= "WHERE ID = " . intval($mergepkgid);
- db_query($q, $dbh);
+ $dbh->exec($q);
}
$q = "DELETE FROM Packages WHERE ID IN (" . implode(",", $ids) . ")";
- $result = db_query($q, $dbh);
+ $result = $dbh->exec($q);
return __("The selected packages have been deleted.");
}
@@ -912,7 +928,7 @@ function pkg_adopt ($atype, $ids, $action=true, $dbh=NULL) {
$q.= "AND $field = " . uid_from_sid($_COOKIE["AURSID"], $dbh);
}
- db_query($q, $dbh);
+ $dbh->exec($q);
if ($action) {
pkg_notify(account_from_sid($_COOKIE["AURSID"], $dbh), $ids, $dbh);
@@ -985,7 +1001,7 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) {
$q = "UPDATE Packages SET NumVotes = NumVotes $op 1 ";
$q.= "WHERE ID IN ($vote_ids)";
- db_query($q, $dbh);
+ $dbh->exec($q);
if ($action) {
$q = "INSERT INTO PackageVotes (UsersID, PackageID) VALUES ";
@@ -995,13 +1011,12 @@ function pkg_vote ($atype, $ids, $action=true, $dbh=NULL) {
$q.= "AND PackageID IN ($vote_ids)";
}
- db_query($q, $dbh);
+ $dbh->exec($q);
if ($action) {
$q = "UPDATE Users SET LastVoted = UNIX_TIMESTAMP() ";
$q.= "WHERE ID = $uid";
-
- db_query($q, $dbh);
+ $dbh->exec($q);
}
if ($action) {
@@ -1017,19 +1032,17 @@ function getvotes($pkgid, $dbh=NULL) {
$dbh = db_connect();
}
- $pkgid = db_escape_string($pkgid);
-
$q = "SELECT UsersID,Username FROM PackageVotes ";
$q.= "LEFT JOIN Users on (UsersID = ID) ";
- $q.= "WHERE PackageID = ". $pkgid . " ";
+ $q.= "WHERE PackageID = ". $dbh->quote($pkgid) . " ";
$q.= "ORDER BY Username";
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if (!$result) {
return;
}
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$votes[] = $row;
}
@@ -1042,13 +1055,11 @@ function user_voted($uid, $pkgid, $dbh=NULL) {
$dbh = db_connect();
}
- $uid = db_escape_string($uid);
- $pkgid = db_escape_string($pkgid);
+ $q = "SELECT * FROM PackageVotes WHERE UsersID = ". $dbh->quote($uid);
+ $q.= " AND PackageID = " . $dbh->quote($pkgid);
+ $result = $dbh->query($q);
- $q = "SELECT * FROM PackageVotes WHERE UsersID = ". $uid;
- $q.= " AND PackageID = ".$pkgid;
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result)) {
+ if ($result->fetch(PDO::FETCH_NUM)) {
return true;
}
else {
@@ -1062,13 +1073,11 @@ function user_notify($uid, $pkgid, $dbh=NULL) {
$dbh = db_connect();
}
- $uid = db_escape_string($uid);
- $pkgid = db_escape_string($pkgid);
+ $q = "SELECT * FROM CommentNotify WHERE UserID = " . $dbh->quote($uid);
+ $q.= " AND PkgID = " . $dbh->quote($pkgid);
+ $result = $dbh->query($q);
- $q = "SELECT * FROM CommentNotify WHERE UserID = ". $uid;
- $q.= " AND PkgID = ".$pkgid;
- $result = db_query($q, $dbh);
- if (mysql_num_rows($result)) {
+ if ($result->fetch(PDO::FETCH_NUM)) {
return true;
}
else {
@@ -1107,9 +1116,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) {
# format in which it's sent requires this.
foreach ($ids as $pid) {
$q = "SELECT Name FROM Packages WHERE ID = $pid";
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- $pkgname = mysql_result($result , 0);
+ $row = $result->fetch(PDO::FETCH_NUM);
+ $pkgname = $row[0];
}
else {
$pkgname = '';
@@ -1126,10 +1136,10 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) {
$q .= " AND PkgID = $pid";
# Notification already added. Don't add again.
- $result = db_query($q, $dbh);
- if (!mysql_num_rows($result)) {
+ $result = $dbh->query($q);
+ if (!$result) {
$q = "INSERT INTO CommentNotify (PkgID, UserID) VALUES ($pid, $uid)";
- db_query($q, $dbh);
+ $dbh->exec($q);
}
$output .= $pkgname;
@@ -1137,7 +1147,7 @@ function pkg_notify ($atype, $ids, $action=true, $dbh=NULL) {
else {
$q = "DELETE FROM CommentNotify WHERE PkgID = $pid";
$q .= " AND UserID = $uid";
- db_query($q, $dbh);
+ $dbh->exec($q);
$output .= $pkgname;
}
@@ -1181,7 +1191,7 @@ function pkg_delete_comment($atype, $dbh=NULL) {
$q = "UPDATE PackageComments ";
$q.= "SET DelUsersID = ".$uid." ";
$q.= "WHERE ID = ".intval($comment_id);
- db_query($q, $dbh);
+ $dbh->exec($q);
return __("Comment has been deleted.");
} else {
return __("You are not allowed to delete this comment.");
@@ -1226,21 +1236,21 @@ function pkg_change_category($atype, $dbh=NULL) {
$q = "SELECT Packages.MaintainerUID ";
$q.= "FROM Packages ";
$q.= "WHERE Packages.ID = ".$pid;
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
if ($result) {
- $pkg = mysql_fetch_assoc($result);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
}
else {
return __("You are not allowed to change this package category.");
}
$uid = uid_from_sid($_COOKIE["AURSID"], $dbh);
- if ($uid == $pkg["MaintainerUID"] ||
+ if ($uid == $row["MaintainerUID"] ||
($atype == "Developer" || $atype == "Trusted User")) {
$q = "UPDATE Packages ";
$q.= "SET CategoryID = ".intval($category_id)." ";
$q.= "WHERE ID = ".intval($pid);
- db_query($q, $dbh);
+ $dbh->exec($q);
return __("Package category changed.");
} else {
return __("You are not allowed to change this package category.");
@@ -1251,29 +1261,29 @@ function pkgdetails_by_pkgname($pkgname, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($pkgname) . "'";
- $result = db_query($q, $dbh);
+ $q = "SELECT * FROM Packages WHERE Name = " . $dbh->quote($pkgname);
+ $result = $dbh->query($q);
if ($result) {
- $pdata = mysql_fetch_assoc($result);
+ $row = $result->fetch(PDO::FETCH_ASSOC);
}
- return $pdata;
+ return $row;
}
function new_pkgdetails($pkgname, $license, $pkgver, $category_id, $pkgdesc, $pkgurl, $uid, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
- db_escape_string($pkgname),
- db_escape_string($license),
- db_escape_string($pkgver),
+ $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES (%s, %s, %s, %d, %s, %s, UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)",
+ $dbh->quote($pkgname),
+ $dbh->quote($license),
+ $dbh->quote($pkgver),
$category_id,
- db_escape_string($pkgdesc),
- db_escape_string($pkgurl),
+ $dbh->quote($pkgdesc),
+ $dbh->quote($pkgurl),
$uid,
$uid);
- db_query($q, $dbh);
+ $dbh->exec($q);
}
function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid, $pkgid, $dbh=NULL) {
@@ -1281,28 +1291,28 @@ function update_pkgdetails($pkgname, $license, $pkgver, $pkgdesc, $pkgurl, $uid,
$dbh = db_connect();
}
# This is an overwrite of an existing package
- $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
- db_escape_string($pkgname),
- db_escape_string($pkgver),
- db_escape_string($license),
- db_escape_string($pkgdesc),
- db_escape_string($pkgurl),
+ $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = %s, Version = %s, License = %s, Description = %s, URL = %s, OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d",
+ $dbh->quote($pkgname),
+ $dbh->quote($pkgver),
+ $dbh->quote($license),
+ $dbh->quote($pkgdesc),
+ $dbh->quote($pkgurl),
$uid,
$pkgid);
- db_query($q, $dbh);
+ $dbh->exec($q);
}
function add_pkg_dep($pkgid, $depname, $depcondition, $dbh=NULL) {
if(!$dbh) {
$dbh = db_connect();
}
- $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')",
+ $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, %s, %s)",
$pkgid,
- db_escape_string($depname),
- db_escape_string($depcondition));
+ $dbh->quote($depname),
+ $dbh->quote($depcondition));
- db_query($q, $dbh);
+ $dbh->exec($q);
}
function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) {
@@ -1310,9 +1320,9 @@ function add_pkg_src($pkgid, $pkgsrc, $dbh=NULL) {
$dbh = db_connect();
}
$q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
- $q .= $pkgid . ", '" . db_escape_string($pkgsrc) . "')";
+ $q .= $pkgid . ", " . $dbh->quote($pkgsrc) . ")";
- db_query($q, $dbh);
+ $dbh->exec($q);
}
function update_pkg_category($pkgid, $category_id, $dbh=NULL) {
@@ -1323,7 +1333,7 @@ function update_pkg_category($pkgid, $category_id, $dbh=NULL) {
$category_id,
$pkgid);
- db_query($q, $dbh);
+ $dbh->exec($q);
}
function remove_pkg_deps($pkgid, $dbh=NULL) {
@@ -1332,7 +1342,7 @@ function remove_pkg_deps($pkgid, $dbh=NULL) {
}
$q = "DELETE FROM PackageDepends WHERE PackageID = " . $pkgid;
- db_query($q, $dbh);
+ $dbh->exec($q);
}
function remove_pkg_sources($pkgid, $dbh=NULL) {
@@ -1341,5 +1351,5 @@ function remove_pkg_sources($pkgid, $dbh=NULL) {
}
$q = "DELETE FROM PackageSources WHERE PackageID = " . $pkgid;
- db_query($q, $dbh);
+ $dbh->exec($q);
}
diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php
index 2828dc9..2c26d43 100644
--- a/web/lib/stats.inc.php
+++ b/web/lib/stats.inc.php
@@ -6,10 +6,10 @@ function updates_table($dbh) {
$key = 'recent_updates';
if(!($newest_packages = get_cache_value($key))) {
$q = 'SELECT * FROM Packages ORDER BY ModifiedTS DESC LIMIT 10';
- $result = db_query($q, $dbh);
+ $result = $dbh->query($q);
$newest_packages = new ArrayObject();
- while ($row = mysql_fetch_assoc($result)) {
+ while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
$newest_packages->append($row);
}
set_cache_value($key, $newest_packages);
diff --git a/web/lib/translator.inc.php b/web/lib/translator.inc.php
index f269b93..382160c 100644
--- a/web/lib/translator.inc.php
+++ b/web/lib/translator.inc.php
@@ -96,11 +96,11 @@ function set_lang($dbh=NULL) {
$q = "SELECT LangPreference FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
$q.= "AND Sessions.SessionID = '";
- $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
- $result = db_query($q, $dbh);
+ $q.= $dbh->quote($_COOKIE["AURSID"]);
+ $result = $dbh->query($q);
if ($result) {
- $row = mysql_fetch_array($result);
+ $row = $result->fetchAll();
$LANG = $row[0];
}
$update_cookie = 1;
diff --git a/web/template/account_search_results.php b/web/template/account_search_results.php
index cc2a1c2..61887a3 100644
--- a/web/template/account_search_results.php
+++ b/web/template/account_search_results.php
@@ -2,7 +2,7 @@
if (!$result):
print __("No results matched your search criteria.");
else:
- if ($num_rows):
+ if ($result):
?>
<table class="results">
<thead>