Here is the new version. I've switched to the fully expanded method of
writing out the sql. This is the same format used by several db wrapper
libraries, in prepared sql statements and is the recommended style under
c#/.net for queries.
I've tested creating new users and distributions and submitting an
application.
Chris
On Friday 23 June 2006 1:05 am, Chris Morgan wrote:
> On Thursday 22 June 2006 10:21 pm, Tony Lambregts wrote:
> > Chris Morgan wrote:
> > > Change compile_insert_string() to compile_insert_array() and add a new
> > > first parameter of $sTable that represents the table you are building
> > > the insert statement for. The output of compile_insert_array() is
> > > passed to query_insert() to perform the insertion. Change all existing
> > > calls of compile_insert_string() to compile_insert_array() and specify
> > > the table as the first parameter. Make all instances of sql inserts
> > > that didn't use compile_insert_string() use compile_insert_array().
> > >
> > > The use of mysql_real_escape_string() inside of compile_insert_array()
> > > protects the insert statement from sql injection attacks.
> > >
> > > Chris
> >
> > Just a couple of nits
> >
> > This Could have been broken before but when I try to edit a bundle I
> > get: *Database Error!*
> > Query: SELECT bundleId, appBundle.appId, appName FROM appBundle,
> > appFamily WHERE bundleId = AND appFamily.appId = appBundle.appId
> > You have an error in your SQL syntax; check the manual that corresponds
> > to your MySQL server version for the right syntax to use near 'AND
> > appFamily.appId = appBundle.appId' at line 1
>
> This is fixed now. Was broken all the way back to the import into cvs :-)
>
> > This is probably broken from before (makesafe?) but I cannot create a
> > new distribution.
>
> Yes, makesafe changes broke this. Fixed now.
>
> > Here is a big one though. I cannot create a new account. I just get a
> > blank screen. This is .new see below
> >
> > You could have broken the patch in two IE:
> >
> > Change log: The use of mysql_real_escape_string() on inserts to protect
> > from sql injection attacks.
> >
> > Files changed:
> > include/application.php /
> > include/bugs.php /
> > include/category.php /
> > include/comment.php /
> > include/db.php /
> > include/distributions.php
> > include/monitor.php /
> > include/note.php /
> > include/screenshot.php
> > include/testResults.php /
> > include/url.php /
> > include/user.php /
> > include/util.php /
> > include/vendor.php /
> > include/version.php /
> >
> > Change log: Make all remaining instances of sql inserts use
> > compile_insert_array().
> >
> > Files changed:
> > maintainersubmit.php /
> > admin/adminAppDataQueue.php /
> > admin/editBundle.php /
> > include/appdb.php /
> > include/vote.php /
> >
> > I'm not saying you should have, just that it could have been done that way.
> >
> > You should include the "Change log:" and "Files changed:" sections with
> > the patch files. "Changed files:" really helps in that it gives you an
> > overview of the scope of the patch.
> >
> > > -----------------------------------------------------------------------
> > >-
> > >
> > > ? compile_insert_array.patch
> > > ? hits_table_alter
> > > ? injection_protect.patch
> > > ? injection_protect2.patch
> > > ? limittestresults.patch4
> > > ? vote_table_alter
> > > ? data/screenshots
> >
> > Last really trivial nit (these are not really part of the patch)
> >
> > > Index: include/user.php
> > > ===================================================================
> > > RCS file: /opt/cvs-commit/appdb/include/user.php,v
> > > retrieving revision 1.67
> > > diff -u -r1.67 user.php
> > > --- include/user.php 21 Jun 2006 01:04:13 -0000 1.67
> > > +++ include/user.php 22 Jun 2006 20:07:17 -0000
> > > @@ -83,14 +83,15 @@
> > > return false;
> > > } else
> > > {
> > > - $aInsert = compile_insert_string(array( 'realname' =>
> > > $sRealname,
> > > - 'email' =>
> > > $sEmail, -
> > > 'CVSrelease' => $sWineRelease ));
> > > + $aInsert = compile_insert_array("user_list",
> > > + array( 'realname' =>
> > > $sRealname,
> > > + 'email' =>
> > > $sEmail,
> > > + 'CVSrelease' =>
> > > $sWineRelease,
> > > + 'password' =>
> > > password($sPassword),
> > > + 'stamp' =>
> > > "NOW()",
> > > + 'created' =>
> > > "NOW()"));
> >
> > I remember fighting with this before. password() and NOW() cannot be
> > put into the array like this I do not have an easy answer for this at
> > all at this point
> >
> > > - $sFields = "({$aInsert['FIELDS']}, `password`, `stamp`,
> > > `created`)";
> > > - $sValues = "({$aInsert['VALUES']},
> > > password('".$sPassword."'), NOW(), NOW() )";
> > > -
> > > - query_appdb("INSERT INTO user_list $sFields VALUES
> > > $sValues", "Error while creating a new user.");
> > > + query_insert($aInsert, "Error while creating a new
> > > user.");
> > >
> > > $retval = $this->login($sEmail, $sPassword);
> > > $this->setPref("comments:mode", "threaded"); /* set the
> > > users default comments:mode to threaded */
> > > @@ -183,7 +184,11 @@
> > > return false;
> > >
> > > $hResult = query_appdb("DELETE FROM user_prefs WHERE userid =
> > > ".$this->iUserId." AND name = '$sKey'");
> > > - $hResult = query_appdb("INSERT INTO user_prefs
> > > VALUES(".$this->iUserId.", '$sKey', '$sValue')");
> > > + $aInsert = compile_insert_array("user_prefs",
> > > + array( 'userid' =>
> > > $this->iUserId,
> > > + 'name' => $sKey,
> > > + 'value' => $sValue));
> > > + $hResult = query_insert($aInsert);
> > > return $hResult;
> > > }
> >
> > Other than that its clean. We need to find a way of fixing new
> > accounts though.
> >
> > --
> >
> > Tony Lambregts
>
> I've got a fix for this. The basic gist is to simply get rid of
> compile_insert_array() and use a fancier version of query_parameter() that
> uses pear db replacement operators. There isn't any other way to know
> whether any given variable should be surrounded with '' or not
> escaped (something else that is useful in certain cases apparently). Should
> have this change in place soon.
>
> Chris
? compile_insert_array.patch
? hits_table_alter
? injection_protect.patch
? injection_protect2.patch
? limittestresults.patch4
? query_parameters.patch
? vote_table_alter
? data/screenshots
Index: maintainersubmit.php
===================================================================
RCS file: /opt/cvs-commit/appdb/maintainersubmit.php,v
retrieving revision 1.23
diff -u -r1.23 maintainersubmit.php
--- maintainersubmit.php 17 Jun 2006 06:10:10 -0000 1.23
+++ maintainersubmit.php 23 Jun 2006 06:15:03 -0000
@@ -82,15 +82,14 @@
apidb_header("Submit Maintainer Request");
// add to queue
- $query = "INSERT INTO appMaintainerQueue VALUES (null, '".
- $aClean['appId']."', '".
- $aClean['versionId']."', '".
- addslashes($_SESSION['current']->iUserId)."', '".
- $aClean['maintainReason']."', '".
- $aClean['superMaintainer']."',".
- "NOW()".");";
+ $hResult = query_parameters("INSERT INTO appMaintainerQueue (queueId, appId, versionId, ".
+ "userId, maintainReason, superMaintainer, submitTime) ".
+ "VALUES (?, '?', '?', '?', '?', '?', ?)",
+ "null", $aClean['appId'], $aClean['versionId'],
+ $_SESSION['current']->iUserId, $aClean['maintainReason'],
+ $aClean['superMaintainer'], "NOW()");
- if (query_appdb($query))
+ if ($hResult)
{
echo "<p>Your maintainer request has been submitted for review. You should hear back\n";
echo "soon about the status of your submission</p>\n";
Index: admin/adminAppDataQueue.php
===================================================================
RCS file: /opt/cvs-commit/appdb/admin/adminAppDataQueue.php,v
retrieving revision 1.19
diff -u -r1.19 adminAppDataQueue.php
--- admin/adminAppDataQueue.php 17 Jun 2006 06:10:10 -0000 1.19
+++ admin/adminAppDataQueue.php 23 Jun 2006 06:15:03 -0000
@@ -168,10 +168,12 @@
$oScreenshot->unQueue();
}
elseif ($obj_row->type == "url")
- { // FIXME: use Link class
- $query = "INSERT INTO appData VALUES (null, ".$obj_row->versionId.", 'url', ".
- "'".$aClean['description']."', '".$obj_row->url."')";
- if (query_appdb($sQuery))
+ {
+ $hResult = query_parameters("INSERT INTO appData (id, appId, versionId, type, ".
+ "description, url) VALUES (?, '?', '?', '?', '?', '?')",
+ "null", $obj_row->appId, $obj_row->versionId,
+ "url", $aClean['description'], $obj_row->url);
+ if($hResult)
{
$statusMessage = "<p>The application data was successfully added into the database</p>\n";
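Review bot: The new column list names `appId` and binds `$obj_row->appId`, whereas the statement being replaced supplied five positional values with no appId; whether the queue row actually carries an `appId` property cannot be confirmed from this hunk, and a missing property would be escaped to an empty string and inserted without error. The `// FIXME: use Link class` marker on the old brace line is dropped although the code still inserts into appData directly; unless the Link class is out of scope for this patch, keep it as `{ // FIXME: use Link class`. The old branch also tested `query_appdb($sQuery)` while assigning `$query`, so the rewrite incidentally fixes a dead path.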
Index: admin/editBundle.php
===================================================================
RCS file: /opt/cvs-commit/appdb/admin/editBundle.php,v
retrieving revision 1.8
diff -u -r1.8 editBundle.php
--- admin/editBundle.php 23 Jun 2006 03:42:08 -0000 1.8
+++ admin/editBundle.php 23 Jun 2006 06:15:03 -0000
@@ -33,7 +33,10 @@
}
if($_REQUEST['cmd'] == "add")
{
- $hResult = query_appdb("INSERT INTO appBundle VALUES (".$_REQUEST['bundleId'].", ".$_REQUEST['appId'].")");
+ $hResult = query_parameters("INSERT INTO appBundle (bundleId, appId) VALUES".
+ "('?', '?')",
+ $_REQUEST['bundleId'],
+ $_REQUEST['appId']);
if($hResult)
addmsg("App $appId added to Bundle".$_REQUEST['bundleId'], "green");
}
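Review bot: The new INSERT binds `$_REQUEST['bundleId']` and `$_REQUEST['appId']` through quoted placeholders, but the success message right after it, `addmsg("App $appId added to Bundle".$_REQUEST['bundleId'], "green");`, still interpolates the raw request value into the page; if addmsg emits its argument as HTML without escaping, the SQL side is now protected while the output side is not. Wrapping it, `addmsg("App $appId added to Bundle".htmlspecialchars($_REQUEST['bundleId']), "green");`, closes that, and `$appId` versus `$_REQUEST['appId']` on the same line looks like a pre-existing inconsistency worth checking.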
Index: include/appdb.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/appdb.php,v
retrieving revision 1.4
diff -u -r1.4 appdb.php
--- include/appdb.php 11 Jan 2005 00:26:05 -0000 1.4
+++ include/appdb.php 23 Jun 2006 06:15:03 -0000
@@ -11,7 +11,9 @@
query_appdb("UPDATE catHitStats SET count = count + 1 WHERE catHitId = $stats->catHitId");
} else
{
- query_appdb("INSERT INTO catHitStats VALUES(null, null, '$REMOTE_ADDR', $catId, 1)");
+ query_parameters("INSERT INTO catHitStats (appHitId, time, ip, catId, count) ".
+ "VALUES (?, ?, '?', '?', '?')",
+ "null", "null", $REMOTE_ADDR, $catId, "1");
}
}
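Review bot: `$REMOTE_ADDR` on the new `query_parameters(...)` call is a bare global rather than `$_SERVER['REMOTE_ADDR']`, so it is populated only when register_globals is enabled (off by default since PHP 4.2); when it is unset the row is written with `ip = ''` and nothing reports it. Suggest binding `$_SERVER['REMOTE_ADDR']` here and in the matching appHitStats hunk below. The enclosing function starts outside this hunk, so a local assignment of `$REMOTE_ADDR` may exist that I cannot see.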
@@ -26,7 +28,9 @@
query_appdb("UPDATE appHitStats SET count = count + 1 WHERE appHitId = $stats->appHitId");
} else
{
- query_appdb("INSERT INTO appHitStats VALUES(null, null, '$REMOTE_ADDR', $appId, 1)");
+ query_parameters("INSERT INTO appHitStats (appHitId, time, ip, appId, count) ".
+ "VALUES (?, ?, '?', '?', '?')",
+ "null", "null", $REMOTE_ADDR, $appId, "1");
}
}
Index: include/application.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/application.php,v
retrieving revision 1.46
diff -u -r1.46 application.php
--- include/application.php 17 Jun 2006 06:10:10 -0000 1.46
+++ include/application.php 23 Jun 2006 06:15:03 -0000
@@ -111,18 +111,13 @@
else
$this->sQueued = 'false';
- $aInsert = compile_insert_string(array( 'appName' => $this->sName,
- 'description'=> $this->sDescription,
- 'keywords' => $this->sKeywords,
- 'webPage' => $this->sWebpage,
- 'vendorId' => $this->iVendorId,
- 'catId' => $this->iCatId,
- 'submitterId'=> $_SESSION['current']->iUserId,
- 'queued' => $this->sQueued));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
-
- if(query_appdb("INSERT INTO appFamily $sFields VALUES $sValues", "Error while creating a new application."))
+ $hResult = query_parameters("INSERT INTO appFamily (appName, description, keywords, ".
+ "webPage, vendorId, catId, submitterId, queued) VALUES (".
+ "'?', '?', '?', '?', '?', '?', '?', '?')",
+ $this->sName, $this->sDescription, $this->sKeywords,
+ $this->sWebpage, $this->iVendorId, $this->iCatId,
+ $_SESSION['current']->iUserId, $this->sQueued);
+ if($hResult)
{
$this->iAppId = mysql_insert_id();
$this->application($this->iAppId);
@@ -130,6 +125,7 @@
return true;
} else
{
+ addmsg("Error while creating a new application.", "red");
return false;
}
}
Index: include/bugs.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/bugs.php,v
retrieving revision 1.7
diff -u -r1.7 bugs.php
--- include/bugs.php 17 Jun 2006 06:10:10 -0000 1.7
+++ include/bugs.php 23 Jun 2006 06:15:03 -0000
@@ -113,13 +113,11 @@
/* passed the checks so lets insert the puppy! */
- $aInsert = compile_insert_string(array( 'versionId' => $iVersionId,
- 'bug_id' => $iBug_id,
- 'queued' => $this->bQueued?"true":"false",
- 'submitterId' => $_SESSION['current']->iUserId ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
- if(query_appdb("INSERT INTO buglinks $sFields VALUES $sValues", "Error while creating a new Bug link."))
+ $hResult = query_parameters("INSERT INTO buglinks (versionId, bug_id, queued, submitterId) ".
+ "VALUES('?', '?', '?', '?')",
+ $iVersionId, $iBug_id, $this->bQueued?"true":"false",
+ $_SESSION['current']->iUserId);
+ if($hResult)
{
/* The following should work but it does not! */
$this->iLinkId = mysql_insert_id();
@@ -141,6 +139,7 @@
return true;
}else
{
+ addmsg("Error while creating a new Bug link.", "red");
return false;
}
}
Index: include/category.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/category.php,v
retrieving revision 1.16
diff -u -r1.16 category.php
--- include/category.php 26 Oct 2005 02:09:49 -0000 1.16
+++ include/category.php 23 Jun 2006 06:15:04 -0000
@@ -76,20 +76,20 @@
*/
function create($sName=null, $sDescription=null, $iParentId=null)
{
- $aInsert = compile_insert_string(array( 'catName'=> $sName,
- 'catDescription' => $sDescription,
- 'catParent' => $iParentId ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
-
- if(query_appdb("INSERT INTO appCategory $sFields VALUES $sValues", "Error while creating a new vendor."))
+ $hResult = query_parameters("INSERT INTO appCategory (catName, catDescription, catParent) ".
+ "VALUES('?', '?', '?')",
+ $sName, $sDescription, $iParentId);
+ if($hResult)
{
$this->iCatId = mysql_insert_id();
$this->category($this->iCatId);
return true;
}
else
+ {
+ addmsg("Error while creating a new vendor.", "red");
return false;
+ }
}
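Review bot: The message added at `addmsg("Error while creating a new vendor.", "red");` sits inside category create(), so a failed category insert tells the user a vendor could not be created; the text was carried over from the original `query_appdb` error argument, which had the same copy-paste slip. Suggest `addmsg("Error while creating a new category.", "red");`.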
Index: include/comment.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/comment.php,v
retrieving revision 1.18
diff -u -r1.18 comment.php
--- include/comment.php 21 Jun 2006 01:04:12 -0000 1.18
+++ include/comment.php 23 Jun 2006 06:15:04 -0000
@@ -53,15 +53,12 @@
*/
function create($sSubject, $sBody, $iParentId=null, $iVersionId)
{
- $aInsert = compile_insert_string(array( 'parentId' => $iParentId,
- 'versionId' => $iVersionId,
- 'subject' => $sSubject,
- 'body' => $sBody ));
+ $hResult = query_parameters("INSERT INTO appComments (parentId, versionId, subject, ".
+ "body, userId, time, hostname) VALUES ('?', '?', '?', '?', '?', ?, '?')",
+ $iParentId, $iVersionId, $sSubject, $sBody, $_SESSION['current']->iUserId,
+ "NOW()", get_remote());
- $sFields = "({$aInsert['FIELDS']}, `userId`, `time`, `hostname`)";
- $sValues = "({$aInsert['VALUES']}, ".$_SESSION['current']->iUserId.", NOW(), '".get_remote()."')";
-
- if(query_appdb("INSERT INTO appComments $sFields VALUES $sValues", "Error while creating a new comment."))
+ if($hResult)
{
$this->comment(mysql_insert_id());
$sEmail = get_notify_email_address_list($this->iAppId, $this->iVersionId);
@@ -101,7 +98,10 @@
return true;
}
else
+ {
+ addmsg("Error while creating a new comment", "red");
return false;
+ }
}
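Review bot: The new `addmsg("Error while creating a new comment", "red");` drops the trailing period that the replaced `query_appdb` argument had and that every other addmsg added by this patch keeps; version.php's `"Error while creating a new version"` has the same slip. Suggest `addmsg("Error while creating a new comment.", "red");` for consistency with the rest of the patch.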
Index: include/db.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/db.php,v
retrieving revision 1.13
diff -u -r1.13 db.php
--- include/db.php 1 Aug 2005 20:53:44 -0000 1.13
+++ include/db.php 23 Jun 2006 06:15:04 -0000
@@ -18,6 +18,68 @@
return $hResult;
}
+/*
+ * Wildcard Rules
+ * SCALAR (?) => 'original string quoted'
+ * OPAQUE (&) => 'string from file quoted'
+ * MISC (~) => original string (left 'as-is')
+ *
+ * NOTE: These rules convienently match those for Pear DB
+ *
+ * MySQL Prepare Function
+ * By: Kage (Alex)
+ * [EMAIL PROTECTED]
+ * http://us3.php.net/manual/en/function.mysql-query.php#53400
+ *
+ * Modified by CMM 20060622
+ *
+ * Values are mysql_real_escape_string()'d to prevent against injection attacks
+ * See http://php.net/mysql_real_escape_string for more information about why this is the case
+ *
+ */
+function query_parameters()
+{
+ global $hAppdbLink;
+
+ if(!is_resource($hAppdbLink))
+ {
+ // The last argument makes sure we are really opening a new connection
+ $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
+ mysql_select_db(APPS_DB, $hAppdbLink);
+ }
+
+ $data = func_get_args();
+ $query = $data[0];
+ $tokens = split("[\&\?\~]", $query);
+ $preparedquery = $tokens[0];
+ $count = strlen($tokens[0]);
+
+ for ($i=1; $i < count($tokens); $i++)
+ {
+ $char = substr($query, $count, 1);
+ $count += (strlen($tokens[$i])+1);
+ if ($char == "&")
+ {
+ $fp = @fopen($data[$i], 'r');
+ $pdata = "";
+ if ($fp)
+ {
+ while (($buf = fread($fp, 4096)) != false)
+ {
+ $pdata .= $buf;
+ }
+ fclose($fp);
+ }
+ } else
+ {
+ $pdata = &$data[$i];
+ }
+ $preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);
+ $preparedquery .= $tokens[$i];
+ }
+
+ return query_appdb($preparedquery);
+}
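Review bot: The "Wildcard Rules" comment says a `?` placeholder yields 'original string quoted', but the loop's `$preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);` only escapes and never adds quotes; every call site in this patch writes `'?'` itself, and an unquoted `?` bound to anything other than a developer-written literal such as "null" or "NOW()" would be spliced in unquoted. The comment should say so, e.g. `* SCALAR (?) => mysql_real_escape_string()'d; the caller supplies the surrounding quotes`. Two further gaps: mysql_real_escape_string() is called without `$hAppdbLink`, so it escapes against whichever connection was opened last (query_bugzilladb below suggests there can be another), and the number of bound arguments is never compared with the number of placeholders, so a short argument list silently inserts an empty string. The `&` rule opens `$data[$i]` as a file path, so that placeholder must never be bound to request data; no call site in this patch uses it. The rewritten lines below add the count check and pass the link handle.
```php
function query_parameters()
{
    // … unchanged: connection setup …
    $data = func_get_args();
    $query = $data[0];
    $tokens = split("[\&\?\~]", $query);
    // One bound argument per placeholder ($data[0] is the query, $tokens[0]
    // the text before the first placeholder); a short list would otherwise
    // splice an empty string into the statement without any error.
    if (count($data) != count($tokens))
        return false;
    // … unchanged: token walk and '&' file read …
        $preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata, $hAppdbLink) : $pdata);
    // … unchanged: rest of loop and query_appdb() call …
}
```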
function query_bugzilladb($sQuery,$sComment="")
{
@@ -50,31 +112,6 @@
* Expects an array in this form:
* $aFoo['field'] = 'value';
*
-* Returns an array ready to be put in a query like this
-* $sQuery = "INSERT INTO `foo` {$aReturn['FIELDS']} VALUES {$aReturn['VALUES']}";
-*
-* Values are addslashes()'d.
-*/
-
-function compile_insert_string($aData)
-{
- foreach ($aData as $k => $v)
- {
- $field_names .= "`$k`,";
- $field_values .= "'".addslashes($v)."',";
- }
-
- // Get rid of the end ,
- $field_names = preg_replace( "/,$/" , "" , $field_names );
- $field_values = preg_replace( "/,$/" , "" , $field_values );
-
- return array('FIELDS' => $field_names, 'VALUES' => $field_values);
-}
-
-/**
-* Expects an array in this form:
-* $aFoo['field'] = 'value';
-*
* Returns a string ready to be put in a query like this
* $sQuery = "UPDATE `foo` $sReturn";
*
Index: include/distributions.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/distributions.php,v
retrieving revision 1.4
diff -u -r1.4 distributions.php
--- include/distributions.php 21 Jun 2006 01:04:13 -0000 1.4
+++ include/distributions.php 23 Jun 2006 06:15:04 -0000
@@ -96,14 +96,11 @@
else
$this->sQueued = 'false';
- $aInsert = compile_insert_string(array( 'name' => $this->sName,
- 'url' => $this->sUrl,
- 'submitterId' => $_SESSION['current']->iUserId,
- 'queued' => $this->sQueued ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
-
- if(query_appdb("INSERT INTO distributions $sFields VALUES $sValues", "Error while creating Distribution."))
+ $hResult = query_parameters("INSERT INTO distributions (name, url, submitterId, queued) ".
+ "VALUES ('?', '?', '?', '?')",
+ $this->sName, $this->sUrl, $_SESSION['current']->iUserId,
+ $this->sQueued);
+ if($hResult)
{
$this->iDistributionId = mysql_insert_id();
$this->distribution($this->iDistributionId);
@@ -111,7 +108,10 @@
return true;
}
else
+ {
+ addmsg("Error while creating Distribution.", "red");
return false;
+ }
}
// Update Distribution.
Index: include/monitor.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/monitor.php,v
retrieving revision 1.2
diff -u -r1.2 monitor.php
--- include/monitor.php 29 Oct 2005 04:41:10 -0000 1.2
+++ include/monitor.php 23 Jun 2006 06:15:04 -0000
@@ -61,21 +61,21 @@
*/
function create($iUserId, $iAppId=0, $iVersionId=0)
{
- $aInsert = compile_insert_string(array( 'versionId' => $iVersionId,
- 'appId' => $iAppId,
- 'userId' => $iUserId ));
+ $hResult = query_parameters("INSERT INTO appMonitors (versionId, appId, userId) ".
+ "VALUES ('?', '?', '?')",
+ $iVersionId, $iAppId, $iUserId);
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
- if(query_appdb("INSERT INTO appMonitors $sFields VALUES $sValues", "Error while creating a new Monitor."))
+ if($hResult)
{
$this->Monitor(mysql_insert_id());
$sWhatChanged = "New monitor\n\n";
$this->SendNotificationMail("add", $sWhatChanged);
return true;
- }
- else
+ } else
+ {
+ addmsg("Error while creating a new Monitor.", "red");
return false;
+ }
}
Index: include/note.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/note.php,v
retrieving revision 1.7
diff -u -r1.7 note.php
--- include/note.php 17 Jun 2006 06:10:10 -0000 1.7
+++ include/note.php 23 Jun 2006 06:15:04 -0000
@@ -49,14 +49,11 @@
*/
function create($sTitle, $sDescription, $iVersionId)
{
- $aInsert = compile_insert_string(array( 'versionId' => $iVersionId,
- 'noteTitle' => $sTitle,
- 'noteDesc' => $sDescription ));
+ $hResult = query_parameters("INSERT INTO appNotes (versionId, noteTitle, noteDesc) ".
+ "VALUES('?', '?', '?')",
+ $iVersionId, $sTitle, $sDescription);
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
-
- if(query_appdb("INSERT INTO appNotes $sFields VALUES $sValues", "Error while creating a new note."))
+ if($hResult)
{
$this->note(mysql_insert_id());
$sWhatChanged = "Description is:\n".$sDescription.".\n\n";
@@ -64,7 +61,10 @@
return true;
}
else
+ {
+ addmsg("Error while creating a new note.", "red");
return false;
+ }
}
Index: include/screenshot.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/screenshot.php,v
retrieving revision 1.36
diff -u -r1.36 screenshot.php
--- include/screenshot.php 22 Jun 2006 21:41:41 -0000 1.36
+++ include/screenshot.php 23 Jun 2006 06:15:05 -0000
@@ -70,15 +70,11 @@
$this->bQueued = false;
}
- $aInsert = compile_insert_string(array( 'versionId' => $iVersionId,
- 'type' => "image",
- 'description' => $sDescription,
- 'queued' => $this->bQueued?"true":"false",
- 'submitterId' => $_SESSION['current']->iUserId ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
-
- if(query_appdb("INSERT INTO appData $sFields VALUES $sValues", "Error while creating a new screenshot."))
+ $hResult = query_parameters("INSERT INTO appData (versionId, type, description, queued, submitterId) ".
+ "VALUES('?', '?', '?', '?', '?')",
+ $iVersionId, "image", $sDescription, $this->bQueued?"true":"false",
+ $_SESSION['current']->iUserId);
+ if($hResult)
{
$this->iScreenshotId = mysql_insert_id();
@@ -120,7 +116,10 @@
return true;
}
else
+ {
+ addmsg("Error while creating a new screenshot.", "red");
return false;
+ }
}
Index: include/testResults.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/testResults.php,v
retrieving revision 1.17
diff -u -r1.17 testResults.php
--- include/testResults.php 17 Jun 2006 06:12:28 -0000 1.17
+++ include/testResults.php 23 Jun 2006 06:15:05 -0000
@@ -69,23 +69,18 @@
else
$this->sQueued = 'false';
- $aInsert = compile_insert_string(array( 'versionId' => $this->iVersionId,
- 'whatWorks' => $this->sWhatWorks,
- 'whatDoesnt' => $this->sWhatDoesnt,
- 'whatNotTested' => $this->sWhatNotTested,
- 'testedDate' => $this->sTestedDate,
- 'distributionId' => $this->iDistributionId,
- 'testedRelease' => $this->sTestedRelease,
- 'installs' => $this->sInstalls,
- 'runs' => $this->sRuns,
- 'testedRating' => $this->sTestedRating,
- 'comments' => $this->sComments,
- 'submitterId' => $_SESSION['current']->iUserId,
- 'queued' => $this->sQueued ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
- if(query_appdb("INSERT INTO testResults $sFields VALUES $sValues", "Error while creating test results."))
+ $hResult = query_parameters("INSERT INTO testResults (versionId, whatWorks, whatDoesnt,".
+ "whatNotTested, testedDate, distributionId, testedRelease,".
+ "installs, runs, testedRating, comments, submitterId, queued)".
+ " VALUES('?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?',".
+ "'?', '?')",
+ $this->iVersionId, $this->sWhatWorks, $this->sWhatDoesnt,
+ $this->sWhatNotTested, $this->sTestedDate, $this->iDistributionId,
+ $this->sTestedRelease, $this->sInstalls, $this->sRuns,
+ $this->sTestedRating, $this->sComments, $_SESSION['current']->iUserId,
+ $this->sQueued);
+ if($hResult)
{
$this->iTestingId = mysql_insert_id();
$this->testData($this->iTestingId);
@@ -93,7 +88,10 @@
return true;
}
else
+ {
+ addmsg("Error while creating test results.", "red");
return false;
+ }
}
// Update Test Results.
Index: include/url.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/url.php,v
retrieving revision 1.3
diff -u -r1.3 url.php
--- include/url.php 17 Jun 2006 06:10:10 -0000 1.3
+++ include/url.php 23 Jun 2006 06:15:05 -0000
@@ -62,16 +62,11 @@
$this->bQueued = true;
}
- $aInsert = compile_insert_string(array( 'appId' => $iAppId,
- 'versionId' => $iVersionId,
- 'type' => "url",
- 'description' => $sDescription,
- 'queued' => $this->bQueued,
- 'submitterId' => $_SESSION['current']->iUserId ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
-
- if(query_appdb("INSERT INTO appData $sFields VALUES $sValues", "Error while creating a new url."))
+ $hResult = query_parameters("INSERT INTO appData (appId, versionId, type, description,".
+ "queued, submitterId) VALUES ('?', '?', '?', '?', '?', '?')",
+ $iAppId, $iVersionId, "url", $sDescription, $this->bQueued,
+ $_SESSION['current']->iUserId);
+ if($hResult)
{
$this->iUrlId = mysql_insert_id();
$this->url($this->iUrlId,$this->bQueued);
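Review bot: `$this->bQueued` is bound directly through a quoted `'?'`, so after mysql_real_escape_string() a PHP true arrives as `'1'` and false as `''`, whereas the parallel inserts into the same appData table in screenshot.php (and into buglinks in bugs.php) bind `$this->bQueued?"true":"false"`. The old compile_insert_string path coerced the boolean the same way, so this is not a regression, but if the column expects the `'true'`/`'false'` form the url rows are stored differently; suggest `$iAppId, $iVersionId, "url", $sDescription, $this->bQueued?"true":"false",`. create() ends outside this hunk.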
@@ -79,7 +74,10 @@
return true;
}
else
+ {
+ addmsg("Error while creating a new url.", "red");
return false;
+ }
}
Index: include/user.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/user.php,v
retrieving revision 1.67
diff -u -r1.67 user.php
--- include/user.php 21 Jun 2006 01:04:13 -0000 1.67
+++ include/user.php 23 Jun 2006 06:15:06 -0000
@@ -83,14 +83,11 @@
return false;
} else
{
- $aInsert = compile_insert_string(array( 'realname' => $sRealname,
- 'email' => $sEmail,
- 'CVSrelease' => $sWineRelease ));
+ $hResult = query_parameters("INSERT INTO user_list (realname, email, CVSrelease, password, stamp,".
+ "created) VALUES ('?', '?', '?', password('?'), ?, ?)",
+ $sRealname, $sEmail, $sWineRelease, $sPassword, "NOW()", "NOW()");
- $sFields = "({$aInsert['FIELDS']}, `password`, `stamp`, `created`)";
- $sValues = "({$aInsert['VALUES']}, password('".$sPassword."'), NOW(), NOW() )";
-
- query_appdb("INSERT INTO user_list $sFields VALUES $sValues", "Error while creating a new user.");
+ if(!$hResult) addMsg("Error while creating a new user.", "red");
$retval = $this->login($sEmail, $sPassword);
$this->setPref("comments:mode", "threaded"); /* set the users default comments:mode to threaded */
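Review bot: `if(!$hResult) addMsg("Error while creating a new user.", "red");` reports the failed INSERT but the method then continues into `$this->login($sEmail, $sPassword)` and setPref as if the account existed; it should stop there, e.g. `if(!$hResult) { addmsg("Error while creating a new user.", "red"); return false; }`. The `addMsg` spelling also differs from the `addmsg` used by every other hunk in this patch; PHP resolves function names case-insensitively, but one spelling keeps the calls greppable. The enclosing method ends outside the hunk, so whether a later check catches the failed login I cannot tell from here.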
@@ -183,7 +180,8 @@
return false;
$hResult = query_appdb("DELETE FROM user_prefs WHERE userid = ".$this->iUserId." AND name = '$sKey'");
- $hResult = query_appdb("INSERT INTO user_prefs VALUES(".$this->iUserId.", '$sKey', '$sValue')");
+ $hResult = query_parameters("INSERT INTO user_prefs (userid, name, value) VALUES".
+ "('?', '?', '?')", $this->iUserId, $sKey, $sValue);
return $hResult;
}
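Review bot: The new INSERT binds `$sKey` and `$sValue` through query_parameters, but the DELETE one line above it still builds its WHERE clause by interpolation (`AND name = '$sKey'`), so the same `$sKey` reaches MySQL escaped and unescaped within the same method. Unless `$sKey` is constrained by a caller I cannot see, it should take the same path: `$hResult = query_parameters("DELETE FROM user_prefs WHERE userid = '?' AND name = '?'", $this->iUserId, $sKey);`.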
@@ -278,15 +276,13 @@
if(!$this->isSuperMaintainer($iAppId) &&
((!$bSuperMaintainer && !$this->isMaintainer($iVersionId)) | $bSuperMaintainer))
{
- // insert the new entry into the maintainers list
- $sQuery = "INSERT into appMaintainers VALUES(null,".
- "$iAppId,".
- "$iVersionId,".
- "$this->iUserId,".
- "$bSuperMaintainer,".
- "NOW());";
-
- if (query_appdb($sQuery))
+ // insert the new entry into the maintainers list
+ $hResult = query_parameters("INSERT INTO appMaintainers (maintainerId, appId,".
+ "versionId, userId, superMaintainer, submitTime) ".
+ "VALUES (?, '?', '?', '?', '?', ?)",
+ "null", $iAppId, $iVersionId, $this->iUserId,
+ $bSuperMaintainer, "NOW()");
+ if($hResult)
{
$statusMessage = "<p>The maintainer was successfully added into the database</p>\n";
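Review bot: `$bSuperMaintainer` is bound through a quoted `'?'`, so a PHP false is escaped to `''` and true to `'1'`; the replaced statement interpolated it bare, which for false produced an empty field and a syntax error, so the new form at least always yields valid SQL, but whether `''` is an acceptable value for the superMaintainer column cannot be checked from the hunk. If the column is numeric, binding `$bSuperMaintainer ? "1" : "0"` would make the stored value explicit. The enclosing method continues outside the hunk.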
@@ -400,7 +396,8 @@
if($this->hasPriv($sPriv))
return true;
- $hResult = query_appdb("INSERT INTO user_privs VALUES ($this->iUserId, '$sPriv')");
+ $hResult = query_parameters("INSERT INTO user_privs (userid, priv) VALUES".
+ " ('?', '?')", $this->iUserId, $sPriv);
return $hResult;
}
Index: include/util.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/util.php,v
retrieving revision 1.58
diff -u -r1.58 util.php
--- include/util.php 23 Jun 2006 04:11:50 -0000 1.58
+++ include/util.php 23 Jun 2006 06:15:07 -0000
@@ -580,24 +580,20 @@
if($isVersion)
{
- $aInsert = compile_insert_string( array('versionId' => $_REQUEST['versionId'],
- 'type' => 'url',
- 'description' => $_REQUEST['url_desc'],
- 'url' => $_REQUEST['url']));
+ $hResult = query_parameters("INSERT INTO appData (versionId, type, description, url) ".
+ "VALUES ('?', '?', '?', '?')",
+ $_REQUEST['versionId'], "url", $_REQUEST['url_desc'],
+ $_REQUEST['url']);
} else
{
- $aInsert = compile_insert_string( array( 'appId' => $_REQUEST['appId'],
- 'type' => 'url',
- 'description' => $_REQUEST['url_desc'],
- 'url' => $_REQUEST['url']));
+ $hResult = query_parameters("INSERT INTO appData (appId, type, description, url) ".
+ "VALUES ('?', '?', '?', '?')",
+ $_REQUEST['appId'], "url", $_REQUEST['url_desc'],
+ $_REQUEST['url']);
}
- $sQuery = "INSERT INTO appData ({$aInsert['FIELDS']}) VALUES ({$aInsert['VALUES']})";
-
- if($_SESSION['current']->showDebuggingInfos()) { echo "<p align=center><b>query:</b> $sQuery </p>"; }
-
- if (query_appdb($sQuery))
+ if ($hResult)
{
addmsg("The URL was successfully added into the database", "green");
$sWhatChanged .= " Added Url: Description: ".stripslashes($_REQUEST['url_desc'])."\n";
Index: include/vendor.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/vendor.php,v
retrieving revision 1.6
diff -u -r1.6 vendor.php
--- include/vendor.php 21 Jun 2006 01:04:13 -0000 1.6
+++ include/vendor.php 23 Jun 2006 06:15:07 -0000
@@ -56,19 +56,19 @@
*/
function create($sName=null, $sWebpage=null)
{
- $aInsert = compile_insert_string(array( 'vendorName'=> $sName,
- 'vendorURL' => $sWebpage ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
-
- if(query_appdb("INSERT INTO vendor $sFields VALUES $sValues", "Error while creating a new vendor."))
+ $hResult = query_parameters("INSERT INTO vendor (vendorName, vendorURL) ".
+ "VALUES ('?', '?')", $sName, $sWebpage);
+ if($hResult)
{
$this->iVendorId = mysql_insert_id();
$this->vendor($this->iVendorId);
return true;
}
else
+ {
+ addmsg("Error while creating a new vendor.", "red");
return false;
+ }
}
Index: include/version.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/version.php,v
retrieving revision 1.54
diff -u -r1.54 version.php
--- include/version.php 20 Jun 2006 22:58:58 -0000 1.54
+++ include/version.php 23 Jun 2006 06:15:07 -0000
@@ -182,17 +182,14 @@
else
$this->sQueued = 'false';
- $aInsert = compile_insert_string(array( 'versionName' => $this->sName,
- 'description' => $this->sDescription,
- 'maintainer_release'=> $this->sTestedRelease,
- 'maintainer_rating' => $this->sTestedRating,
- 'appId' => $this->iAppId,
- 'submitterId' => $_SESSION['current']->iUserId,
- 'queued' => $this->sQueued ));
- $sFields = "({$aInsert['FIELDS']})";
- $sValues = "({$aInsert['VALUES']})";
+ $hResult = query_parameters("INSERT INTO appVersion (versionName, description, maintainer_release,".
+ "maintainer_rating, appId, submitterId, queued) VALUES ".
+ "('?', '?', '?', '?', '?', '?', '?')",
+ $this->sName, $this->sDescription, $this->sTestedRelease,
+ $this->sTestedRating, $this->iAppId, $_SESSION['current']->iUserId,
+ $this->sQueued);
- if(query_appdb("INSERT INTO appVersion $sFields VALUES $sValues", "Error while creating a new version."))
+ if($hResult)
{
$this->iVersionId = mysql_insert_id();
$this->Version($this->iVersionId);
@@ -201,6 +198,7 @@
}
else
{
+ addmsg("Error while creating a new version", "red");
return false;
}
}
Index: include/vote.php
===================================================================
RCS file: /opt/cvs-commit/appdb/include/vote.php,v
retrieving revision 1.14
diff -u -r1.14 vote.php
--- include/vote.php 21 Jun 2006 01:04:13 -0000 1.14
+++ include/vote.php 23 Jun 2006 06:15:07 -0000
@@ -66,7 +66,9 @@
return;
vote_remove($slot, $userId);
- query_appdb("INSERT INTO appVotes VALUES (null, null, $appId, $userId, $slot)");
+
+ query_parameters("INSERT INTO appVotes (id, time, appId, userId, slot)
+ VALUES (?, ?, '?', '?', '?')", "null", "null", $appId, $userId, $slot);
}