Use query_parameters() in SQL select, update and delete statements to protect against

sql injection attacks
This commit is contained in:
Chris Morgan
2006-06-27 19:16:27 +00:00
committed by WineHQ
parent e6458694f4
commit e3f9e5371a
46 changed files with 602 additions and 484 deletions


@@ -58,7 +58,8 @@ else
if($aClean['thread'] > 0) if($aClean['thread'] > 0)
{ {
$hResult = query_appdb("SELECT * FROM appComments WHERE commentId = ".$aClean['thread']); $hResult = query_parameters("SELECT * FROM appComments WHERE commentId = '?'",
$aClean['thread']);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
if($oRow) if($oRow)
{ {
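Review bot: The placeholder is written as `'?'` (inside quotes) here and in most of the commit, but as a bare `?` in the LIMIT clauses of the comment and screenshot admin pages (`LIMIT ?, ?`), and nothing in the diff says which form query_parameters() expects. If the helper escapes but does not add quotes, the bare form is only safe for values the caller has already forced to be numeric, and mixing the two styles invites a call site that gets it wrong. A one-line comment at the first call in each file, such as `// query_parameters() escapes its arguments; write '?' for string values and bare ? only for integers you have cast yourself`, would pin the convention down — adjust the wording to what the helper actually does. The enclosing block starts before the hunk.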


@@ -18,8 +18,8 @@ $aClean['noteTitle'] = makeSafe($_REQUEST['noteTitle']);
$aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']); $aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']);
//FIXME: get rid of appId references everywhere, as version is enough. //FIXME: get rid of appId references everywhere, as version is enough.
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '".$aClean['versionId']."'"; $sQuery = "SELECT appId FROM appVersion WHERE versionId = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $aClean['versionId']);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$appId = $oRow->appId; $appId = $oRow->appId;


@@ -24,15 +24,15 @@ if($aClean['submit'])
} }
else else
{ {
apidb_header("Add Category"); apidb_header("Add Category");
$sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='".$aClean['catId']."'"; $sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $aClean['catId']);
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
$aCatsIds[]=$oRow->catId; $aCatsIds[]=$oRow->catId;
$aCatsNames[]=$oRow->catName; $aCatsNames[]=$oRow->catName;
} }
echo "<form method=\"post\" action=\"addCategory.php\"> echo "<form method=\"post\" action=\"addCategory.php\">
<input type=\"hidden\" name=\"catId\" value=\"".$oCat->iCatId."\" /> <input type=\"hidden\" name=\"catId\" value=\"".$oCat->iCatId."\" />
<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"2\"> <table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"2\">
<tr> <tr>


@@ -178,7 +178,7 @@ if (!$aClean['id'])
$statusMessage = "<p>The application data was successfully added into the database</p>\n"; $statusMessage = "<p>The application data was successfully added into the database</p>\n";
//delete the item from the queue //delete the item from the queue
query_appdb("DELETE from appData where id = ".$obj_row->id.";"); query_parameters("DELETE from appData where id = '?'", $obj_row->id);
//Send Status Email //Send Status Email
$oUser = new User($obj_row->userId); $oUser = new User($obj_row->userId);


@@ -54,7 +54,9 @@ function outputSearchTableForDuplicateFlagging($currentAppId, $hResult)
$bgcolor = ($c % 2) ? 'color0' : 'color1'; $bgcolor = ($c % 2) ? 'color0' : 'color1';
//count versions //count versions
$query = query_appdb("SELECT count(*) as versions FROM appVersion WHERE appId = $ob->appId AND versionName != 'NONAME'"); $query = query_parameters("SELECT count(*) as versions FROM appVersion WHERE ".
"appId = '?' AND versionName != 'NONAME'",
$ob->appId);
$y = mysql_fetch_object($query); $y = mysql_fetch_object($query);
//display row //display row
@@ -151,8 +153,7 @@ if ($aClean['sub'])
// if we are processing a queued application there MUST be an implicitly queued // if we are processing a queued application there MUST be an implicitly queued
// version to go along with it. // version to go along with it.
$sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';"; $hResult = query_parameters("SELECT versionId from appVersion where appId='?';", $aClean['appId']);
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$oVersion = new Version($oRow->versionId); $oVersion = new Version($oRow->versionId);
@@ -175,8 +176,8 @@ if ($aClean['sub'])
} }
// Get the Testing results if they exist // Get the Testing results if they exist
$sQuery = "Select testingId from testResults where versionId='".$oVersion->iVersionId."';";
$hResult = query_appdb($sQuery); $hResult = query_parameters("SELECT testingId from testResults where versionId='?'", $oVersion->iVersionId);
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
@@ -234,7 +235,7 @@ if ($aClean['sub'])
{ {
if(is_numeric($aClean['versionIdMergeTo'])) if(is_numeric($aClean['versionIdMergeTo']))
{ {
// move this Test submission under the existing version // // move this Test submission under the existing version
$oTest->iVersionId = $aClean['versionIdMergeTo']; $oTest->iVersionId = $aClean['versionIdMergeTo'];
$oTest->update(); $oTest->update();
@@ -358,8 +359,8 @@ if ($aClean['sub'])
if(!$iVendorId) if(!$iVendorId)
{ {
$sVendor = get_vendor_from_keywords($oApp->sKeywords); $sVendor = get_vendor_from_keywords($oApp->sKeywords);
$sQuery = "SELECT vendorId FROM vendor WHERE vendorname = '".$sVendor."';"; $hResult = query_parameters("SELECT vendorId FROM vendor WHERE vendorname = '?'",
$hResult = query_appdb($sQuery); $sVendor);
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
@@ -372,8 +373,7 @@ if ($aClean['sub'])
*/ */
if(!$iVendorId) if(!$iVendorId)
{ {
$sQuery = "select * from vendor where vendorname like '%".$sVendor."%';"; $hResult = query_parameters("SELECT * from vendor where vendorname like '%?%'", $sVendor);
$hResult = query_appdb($sQuery);
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
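Review bot: In the last hunk the vendor name is spliced into a LIKE pattern as `'%?%'`, so a `%` or `_` inside $sVendor acts as a wildcard rather than a literal character; quote escaping does not neutralize LIKE metacharacters, and the same construction appears in the user-search page and the application-processing page of this commit. If get_vendor_from_keywords() can return such characters (its source is not visible here), escape them before the call, e.g. `addcslashes($sVendor, '%_')`, and note that with a comment on the query line. Separately, the comment in the merge hunk now reads `// // move this Test submission under the existing version` — the doubled marker looks accidental. The enclosing `if ($aClean['sub'])` block starts before the hunks.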


@@ -117,16 +117,6 @@ if ($aClean['sub'])
AND buglinks.versionId = appVersion.versionId AND buglinks.versionId = appVersion.versionId
AND buglinks.bug_id = ".BUGZILLA_DB.".bugs.bug_id"; AND buglinks.bug_id = ".BUGZILLA_DB.".bugs.bug_id";
} }
$sQuery = "SELECT appFamily.description as appDescription,
appFamily.appName as appName, appVersion.*,
buglinks.versionId as versionId,
buglinks.bug_id as bug_id,
buglinks.linkId as linkId,
buglinks.queued as queued,
bugs.*
FROM appFamily, appVersion, buglinks, bugs.bugs
".$sWhere."
ORDER BY buglinks.bug_id, appName, versionName";
$sQuery = "SELECT appFamily.description as appDescription, $sQuery = "SELECT appFamily.description as appDescription,
appFamily.appName as appName, appVersion.*, appFamily.appName as appName, appVersion.*,
buglinks.versionId as versionId, buglinks.versionId as versionId,
@@ -137,11 +127,11 @@ if ($aClean['sub'])
FROM appFamily, appVersion, buglinks, bugs.bugs FROM appFamily, appVersion, buglinks, bugs.bugs
".$sWhere." ".$sWhere."
ORDER BY buglinks.bug_id, appName, versionName ORDER BY buglinks.bug_id, appName, versionName
LIMIT ".$offset.", ".$ItemsPerPage.";"; LIMIT ".mysql_real_escape_string($offset).", ".mysql_real_escape_string($ItemsPerPage).";";
$c = 0; $c = 0;
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
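Review bot: The LIMIT values in the second hunk are escaped with mysql_real_escape_string() and concatenated into an unquoted numeric position, which only escapes quote and backslash characters and therefore does not constrain what ends up after LIMIT; every other file in this commit passes such values through query_parameters() instead. Consistent with those, the two lines would become `LIMIT ?, ?;";` and `if($hResult = query_parameters($sQuery, (int)$offset, (int)$ItemsPerPage))`, with the casts making the numeric intent explicit. The `$sWhere` fragment is still built by concatenation above the hunk (its construction starts before the first hunk), so this statement is only as parameterized as that fragment is.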


@@ -60,14 +60,14 @@ echo "</center>";
/* query for all of the commentId's, ordering by their time in reverse order */ /* query for all of the commentId's, ordering by their time in reverse order */
$offset = (($currentPage-1) * $ItemsPerPage); $offset = (($currentPage-1) * $ItemsPerPage);
$commentIds = query_appdb("SELECT commentId from appComments ORDER BY ". $commentIds = query_parameters("SELECT commentId from appComments ORDER BY ".
"appComments.time ASC LIMIT $offset, $ItemsPerPage;"); "appComments.time ASC LIMIT ?, ?", $offset, $ItemsPerPage);
while ($ob = mysql_fetch_object($commentIds)) while ($ob = mysql_fetch_object($commentIds))
{ {
$sQuery = "SELECT from_unixtime(unix_timestamp(time), \"%W %M %D %Y, %k:%i\") as time, ". $sQuery = "SELECT from_unixtime(unix_timestamp(time), \"%W %M %D %Y, %k:%i\") as time, ".
"commentId, parentId, versionId, userid, subject, body ". "commentId, parentId, versionId, userid, subject, body ".
"FROM appComments WHERE commentId = $ob->commentId;"; "FROM appComments WHERE commentId = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $ob->commentId);
/* call view_app_comment to display the comment */ /* call view_app_comment to display the comment */
$comment_ob = mysql_fetch_object($hResult); $comment_ob = mysql_fetch_object($hResult);
view_app_comment($comment_ob); view_app_comment($comment_ob);
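Review bot: The bare `LIMIT ?, ?` placeholders receive $offset and $ItemsPerPage, where $offset is derived from $currentPage a few lines up and the origin of both is outside the hunk; if query_parameters() escapes without quoting, an unquoted numeric position is only safe when the value is guaranteed to be an integer. Casting at the call keeps that guarantee local: `"appComments.time ASC LIMIT ?, ?", (int)$offset, (int)$ItemsPerPage);`. The screenshot admin page in this commit uses the same pattern and would take the same cast.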


@@ -33,8 +33,8 @@ if ($aClean['sub'])
$sQuery = "SELECT queueId, appId, versionId,". $sQuery = "SELECT queueId, appId, versionId,".
"userId, maintainReason, superMaintainer,". "userId, maintainReason, superMaintainer,".
"UNIX_TIMESTAMP(submitTime) as submitTime ". "UNIX_TIMESTAMP(submitTime) as submitTime ".
"FROM appMaintainerQueue WHERE queueId = ".$aClean['queueId'].";"; "FROM appMaintainerQueue WHERE queueId = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $aClean['queueId']);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$oUser = new User($oRow->userId); $oUser = new User($oRow->userId);
mysql_free_result($hResult); mysql_free_result($hResult);
@@ -209,8 +209,9 @@ if ($aClean['sub'])
} }
//delete main item //delete main item
$sQuery = "DELETE from appMaintainerQueue where queueId = ".$aClean['queueId'].";"; $sQuery = "DELETE from appMaintainerQueue where queueId = '?'";
$hResult = query_appdb($sQuery,"unable to delete selected maintainer application"); $hResult = query_parameters($sQuery, $aClean['queueId']);
if(!$hResult) addmsg("unable to delete selected maintainer application", "red");
echo html_frame_start("Delete maintainer application",400,"",0); echo html_frame_start("Delete maintainer application",400,"",0);
if($hResult) if($hResult)
{ {
@@ -237,7 +238,7 @@ if ($aClean['sub'])
"superMaintainer,". "superMaintainer,".
"submitTime as submitTime ". "submitTime as submitTime ".
"from appMaintainerQueue;"; "from appMaintainerQueue;";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
if(!$hResult || !mysql_num_rows($hResult)) if(!$hResult || !mysql_num_rows($hResult))
{ {


@@ -28,8 +28,8 @@ if ($aClean['sub'])
{ {
if($aClean['sub'] == 'delete') if($aClean['sub'] == 'delete')
{ {
$sQuery = "DELETE FROM appMaintainers WHERE maintainerId = ".$aClean['maintainerId'].";"; $sQuery = "DELETE FROM appMaintainers WHERE maintainerId = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $aClean['maintainerId']);
echo html_frame_start("Delete maintainer: ".$aClean['maintainerId'],400,"",0); echo html_frame_start("Delete maintainer: ".$aClean['maintainerId'],400,"",0);
if($hResult) if($hResult)
{ {
@@ -44,7 +44,7 @@ if ($aClean['sub'])
// get available maintainers // get available maintainers
$sQuery = "SELECT * FROM appMaintainers, user_list where appMaintainers.userId = user_list.userid"; $sQuery = "SELECT * FROM appMaintainers, user_list where appMaintainers.userId = user_list.userid";
$sQuery.= " ORDER BY realname;"; $sQuery.= " ORDER BY realname;";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
if(!$hResult || !mysql_num_rows($hResult)) if(!$hResult || !mysql_num_rows($hResult))
{ {


@@ -50,7 +50,7 @@ apidb_header("Screenshots");
if($aClean['regenerate']) if($aClean['regenerate'])
{ {
$sQuery = "SELECT id FROM appData WHERE type = 'image'"; $sQuery = "SELECT id FROM appData WHERE type = 'image'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
echo "REGENERATING IMAGE ".$oRow->id."<br/>"; echo "REGENERATING IMAGE ".$oRow->id."<br/>";
@@ -113,9 +113,9 @@ echo "</form>";
echo "</center>"; echo "</center>";
/* query for all of the Screenshots in assending order */ /* query for all of the Screenshots in assending order */
$Ids = query_appdb("SELECT * from appData $Ids = query_parameters("SELECT * from appData
WHERE type = 'image' WHERE type = 'image'
ORDER BY id ASC LIMIT $offset, $ItemsPerPage;"); ORDER BY id ASC LIMIT ?, ?", $offset, $ItemsPerPage);
$c = 1; $c = 1;
echo "<div align=center><table><tr>\n"; echo "<div align=center><table><tr>\n";
while ($oRow = mysql_fetch_object($Ids)) while ($oRow = mysql_fetch_object($Ids))


@@ -84,10 +84,11 @@ if($aClean['sSubmit'])
{ {
$sSearch = $aClean['sSearch']; $sSearch = $aClean['sSearch'];
$sQuery = "SELECT * FROM user_list $sQuery = "SELECT * FROM user_list
WHERE realname LIKE '%".$sSearch."%' OR email LIKE '%".$sSearch."%' WHERE realname LIKE '%?%' OR email LIKE '%?%'
ORDER BY ".$aClean['sOrderBy']." ORDER BY ?
LIMIT ".$aClean['iLimit']; LIMIT ?";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $sSearch, $sSearch, $aClean['sOrderBy'],
$aClean['iLimit']);
$i=0; $i=0;
while($hResult && $oRow = mysql_fetch_object($hResult)) while($hResult && $oRow = mysql_fetch_object($hResult))
{ {
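Review bot: `ORDER BY ?` and `LIMIT ?` take $aClean['sOrderBy'] and $aClean['iLimit'] straight from the request, and an ORDER BY column name is an identifier, not a value: escaping a string cannot make an identifier position safe, so this query is not protected the way the rest of the commit is. The column name should be checked against a fixed list of sortable columns and the limit cast to an integer before the query is built; the two column names below are the ones visible in this query, so extend the list to match the table. The enclosing `if($aClean['sSubmit'])` block starts before the hunk.
```php
// ORDER BY takes a column name, which cannot be parameterised; allow only known columns
$aSortable = array('realname', 'email');   // constructed list — extend to the real sortable columns
$sOrderBy = in_array($aClean['sOrderBy'], $aSortable) ? $aClean['sOrderBy'] : 'realname';
$iLimit = (int)$aClean['iLimit'];
$sQuery = "SELECT * FROM user_list
           WHERE realname LIKE '%?%' OR email LIKE '%?%'
           ORDER BY ".$sOrderBy."
           LIMIT ?";
$hResult = query_parameters($sQuery, $sSearch, $sSearch, $iLimit);
// … unchanged: result loop …
```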


@@ -67,7 +67,8 @@ else
echo '<table border=0 cellpadding=6 cellspacing=0 width="100%">',"\n"; echo '<table border=0 cellpadding=6 cellspacing=0 width="100%">',"\n";
$i = 0; $i = 0;
$hResult = query_appdb("SELECT * FROM appData WHERE appId = $oApp->iAppId AND type = 'url' AND versionId = 0"); $hResult = query_parameters("SELECT * FROM appData WHERE appId = '?' AND type = 'url' AND versionId = 0",
$oApp->iAppId);
if($hResult && mysql_num_rows($hResult) > 0) if($hResult && mysql_num_rows($hResult) > 0)
{ {
echo '<tr><td class=color1><b>Delete</b></td><td class=color1>',"\n"; echo '<tr><td class=color1><b>Delete</b></td><td class=color1>',"\n";


@@ -59,7 +59,8 @@ if(!empty($aClean['submit']))
echo '<table border=0 cellpadding=6 cellspacing=0 width="100%">',"\n"; echo '<table border=0 cellpadding=6 cellspacing=0 width="100%">',"\n";
$i = 0; $i = 0;
$hResult = query_appdb("SELECT * FROM appData WHERE versionId = ".$oVersion->iVersionId." AND type = 'url'"); $hResult = query_parameters("SELECT * FROM appData WHERE versionId = '?' AND type = 'url'",
$oVersion->iVersionId);
if($hResult && mysql_num_rows($hResult) > 0) if($hResult && mysql_num_rows($hResult) > 0)
{ {
echo '<tr><td class=color1><b>Delete</b></td><td class=color1>',"\n"; echo '<tr><td class=color1><b>Delete</b></td><td class=color1>',"\n";


@@ -11,7 +11,7 @@ if(!$_SESSION['current']->hasPriv("admin"))
function build_app_list() function build_app_list()
{ {
$hResult = query_appdb("SELECT appId, appName FROM appFamily ORDER BY appName"); $hResult = query_parameters("SELECT appId, appName FROM appFamily ORDER BY appName");
echo "<select name=appId size=5 onChange='this.form.submit()'>\n"; echo "<select name=appId size=5 onChange='this.form.submit()'>\n";
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
@@ -25,7 +25,8 @@ if($_REQUEST['cmd'])
{ {
if($_REQUEST['cmd'] == "delete") if($_REQUEST['cmd'] == "delete")
{ {
$hResult = query_appdb("DELETE FROM appBundle WHERE appId =".$_REQUEST['appId']." AND bundleId =".$_REQUEST['bundleId']); $hResult = query_parameters("DELETE FROM appBundle WHERE appId ='?' AND bundleId = '?'",
$_REQUEST['appId'], $_REQUEST['bundleId']);
if($hResult) if($hResult)
addmsg("App deleted from bundle", "green"); addmsg("App deleted from bundle", "green");
else else
@@ -45,8 +46,9 @@ if($_REQUEST['cmd'])
apidb_header("Edit Application Bundle"); apidb_header("Edit Application Bundle");
$hResult = query_appdb("SELECT bundleId, appBundle.appId, appName FROM appBundle, appFamily ". $hResult = query_parameters("SELECT bundleId, appBundle.appId, appName FROM appBundle, appFamily ".
"WHERE bundleId = ".$_REQUEST['bundleId']." AND appFamily.appId = appBundle.appId"); "WHERE bundleId = '?' AND appFamily.appId = appBundle.appId",
$_REQUEST['bundleId']);
echo html_frame_start("Apps in this Bundle","300",'',0); echo html_frame_start("Apps in this Bundle","300",'',0);
echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n"; echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n";
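Review bot: The second and third hunks pass `$_REQUEST['appId']` and `$_REQUEST['bundleId']` to query_parameters() directly, while every other page in this commit reads request values through the makeSafe()-populated `$aClean` array; the parameterisation covers the SQL, but the raw values bypass whatever makeSafe() enforces and the same applies to `$_REQUEST['cmd']` at the top of the hunk. Routing them through the same array, e.g. `$aClean['appId'] = (int)$_REQUEST['appId']; $aClean['bundleId'] = (int)$_REQUEST['bundleId'];` before the `if($_REQUEST['cmd'] == "delete")` branch, keeps this file consistent and makes the integer intent of the ids explicit. The enclosing `if($_REQUEST['cmd'])` block starts before the hunk.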


@@ -55,7 +55,7 @@ if(!empty($aClean['action']))
// although this cheaper select leaves out all applications that lack versions // although this cheaper select leaves out all applications that lack versions
$sQuery = "select appName, appFamily.appId, versionName, versionId from appFamily left join appVersion "; $sQuery = "select appName, appFamily.appId, versionName, versionId from appFamily left join appVersion ";
$sQuery.= "on appVersion.appId = appFamily.appId ORDER BY appFamily.appName, appFamily.appId, appVersion.versionName;"; $sQuery.= "on appVersion.appId = appFamily.appId ORDER BY appFamily.appName, appFamily.appId, appVersion.versionName;";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
$currentAppId = 0; $currentAppId = 0;
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {


@@ -33,10 +33,9 @@ if ($aClean['REQUEST_METHOD']='HEAD')
errorpage("Bad parameter"); errorpage("Bad parameter");
exit; exit;
} }
$sQuery = "SELECT id, url FROM appData $hResult = query_parameters("SELECT id, url FROM appData
WHERE id = ".$iId." WHERE id = '?'
AND type = 'image' LIMIT 1"; AND type = 'image' LIMIT 1", $iId);
$hResult = query_appdb($sQuery);
$fImage = 0; $fImage = 0;
if($hResult) if($hResult)
{ {
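Review bot: The hunk's context header shows the enclosing condition as `if ($aClean['REQUEST_METHOD']='HEAD')`, a single `=`, which assigns rather than compares and is always true; if that is the real source line it should read `if ($aClean['REQUEST_METHOD'] == 'HEAD')`. The parameterised query itself looks right, and the earlier `errorpage("Bad parameter")` suggests $iId is validated before this point, though that validation is outside the hunk. The enclosing block starts before the hunk.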


@@ -82,8 +82,8 @@ if ($aClean['sub'])
// version to go along with it. Find this version so we can display its information // version to go along with it. Find this version so we can display its information
// during application processing so the admin can make a better choice about // during application processing so the admin can make a better choice about
// whether to accept or reject the overall application // whether to accept or reject the overall application
$sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';"; $hResult = query_parameters("Select versionId from appVersion where appId='?'",
$hResult = query_appdb($sQuery); $aClean['appId']);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
// make sure the user has permission to view this version // make sure the user has permission to view this version
@@ -123,8 +123,8 @@ if ($aClean['sub'])
} }
// Get the Testing results if they exist // Get the Testing results if they exist
$sQuery = "Select testingId from testResults where versionId='".$oVersion->iVersionId."';"; $hResult = query_parameters("Select testingId from testResults where versionId = '?'",
$hResult = query_appdb($sQuery); $oVersion->iVersionId);
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
@@ -222,8 +222,8 @@ if ($aClean['sub'])
{ {
// get the queued versions that refers to the application entry we just removed // get the queued versions that refers to the application entry we just removed
// and delete them as we implicitly added a version entry when adding a new application // and delete them as we implicitly added a version entry when adding a new application
$sQuery = "SELECT versionId FROM appVersion WHERE appVersion.appId = '".$aClean['appId']."' AND appVersion.queued = 'rejected';"; $hResult = query_parameters("SELECT versionId FROM appVersion WHERE appVersion.appId = '?'
$hResult = query_appdb($sQuery); AND appVersion.queued = 'rejected';", $aClean['appId']);
if($hResult) if($hResult)
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
@@ -300,8 +300,8 @@ if ($aClean['sub'])
// try for a partial match // try for a partial match
if(!$iVendorId) if(!$iVendorId)
{ {
$sQuery = "select * from vendor where vendorname like '%".$aClean['appVendorName']."%';"; $hResult = query_parameters("select * from vendor where vendorname like '%?%'",
$hResult = query_appdb($sQuery); $aClean['appVendorName']);
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);


@@ -44,11 +44,12 @@ function display_catpath($catId, $appId, $versionId = '')
/** /**
* display the SUB apps that belong to this app * display the SUB apps that belong to this app
*/ */
function display_bundle($appId) function display_bundle($iAppId)
{ {
$oApp = new Application($appId); $oApp = new Application($appId);
$hResult = query_appdb("SELECT appFamily.appId, appName, description FROM appBundle, appFamily ". $hResult = query_parameters("SELECT appFamily.appId, appName, description FROM appBundle, appFamily ".
"WHERE appFamily.queued='false' AND bundleId = $appId AND appBundle.appId = appFamily.appId"); "WHERE appFamily.queued='false' AND bundleId = '?' AND appBundle.appId = appFamily.appId",
$iAppId);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
{ {
return; // do nothing return; // do nothing
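Review bot: The parameter was renamed to `$iAppId` but the first statement of the body still reads `$oApp = new Application($appId);`, so `$appId` is now an undefined variable and the Application object is built from a null id. It should become `$oApp = new Application($iAppId);`. The function body continues past the end of the hunk.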


@@ -40,8 +40,7 @@ if(!$oDistribution->iDistributionId)
apidb_header("View Distributions"); apidb_header("View Distributions");
//get available Distributions //get available Distributions
$sQuery = "SELECT distributionId FROM distributions ORDER BY name, distributionId;"; $hResult = query_parameters("SELECT distributionId FROM distributions ORDER BY name, distributionId;");
$hResult = query_appdb($sQuery);
// show Distribution list // show Distribution list
echo html_frame_start("","90%","",0); echo html_frame_start("","90%","",0);


@@ -4,11 +4,13 @@ function log_category_visit($catId)
{ {
global $REMOTE_ADDR; global $REMOTE_ADDR;
$result = query_appdb("SELECT * FROM catHitStats WHERE ip = '$REMOTE_ADDR' AND catId = $catId"); $result = query_parameters("SELECT * FROM catHitStats WHERE ip = '?' AND catId = '?'",
$REMOTE_ADDR, $catId);
if($result && mysql_num_rows($result) == 1) if($result && mysql_num_rows($result) == 1)
{ {
$stats = mysql_fetch_object($result); $stats = mysql_fetch_object($result);
query_appdb("UPDATE catHitStats SET count = count + 1 WHERE catHitId = $stats->catHitId"); query_parameters("UPDATE catHitStats SET count = count + 1 WHERE catHitId = '?'",
$stats->catHitId);
} else } else
{ {
query_parameters("INSERT INTO catHitStats (appHitId, time, ip, catId, count) ". query_parameters("INSERT INTO catHitStats (appHitId, time, ip, catId, count) ".
@@ -21,11 +23,13 @@ function log_application_visit($appId)
{ {
global $REMOTE_ADDR; global $REMOTE_ADDR;
$result = query_appdb("SELECT * FROM appHitStats WHERE ip = '$REMOTE_ADDR' AND appId = $appId"); $result = query_parameters("SELECT * FROM appHitStats WHERE ip = '?' AND appId = '?'",
$REMOTE_ADDR, $appId);
if($result && mysql_num_rows($result) == 1) if($result && mysql_num_rows($result) == 1)
{ {
$stats = mysql_fetch_object($result); $stats = mysql_fetch_object($result);
query_appdb("UPDATE appHitStats SET count = count + 1 WHERE appHitId = $stats->appHitId"); query_parameters("UPDATE appHitStats SET count = count + 1 WHERE appHitId = '?'",
$stats->appHitId);
} else } else
{ {
query_parameters("INSERT INTO appHitStats (appHitId, time, ip, appId, count) ". query_parameters("INSERT INTO appHitStats (appHitId, time, ip, appId, count) ".
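Review bot: Both hunks keep `global $REMOTE_ADDR;` as the source of the client address written into the hit tables, and that variable only exists when the register_globals ini setting is enabled; with it off the queries run with an empty ip value. Reading `$_SERVER['REMOTE_ADDR']` into a local does not depend on the setting, e.g. `$sRemoteAddr = $_SERVER['REMOTE_ADDR'];` in place of the `global` line and `$sRemoteAddr` in the two query_parameters() calls. Both functions continue past the end of their hunks.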


@@ -37,8 +37,8 @@ class Application {
/* fetch this applications information */ /* fetch this applications information */
$sQuery = "SELECT * $sQuery = "SELECT *
FROM appFamily FROM appFamily
WHERE appId = ".$iAppId; WHERE appId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iAppId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iAppId = $iAppId; $this->iAppId = $iAppId;
@@ -62,14 +62,14 @@ class Application {
if($_SESSION['current']->hasPriv("admin")) if($_SESSION['current']->hasPriv("admin"))
{ {
$sQuery = "SELECT versionId FROM appVersion WHERE $sQuery = "SELECT versionId FROM appVersion WHERE
appId =".$this->iAppId; appId = '?'";
} else } else
{ {
$sQuery = "SELECT versionId FROM appVersion WHERE $sQuery = "SELECT versionId FROM appVersion WHERE
queued = 'false' AND queued = 'false' AND
appId =".$this->iAppId; appId = '?'";
} }
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $this->iAppId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -85,9 +85,9 @@ class Application {
$sQuery = "SELECT id $sQuery = "SELECT id
FROM appData FROM appData
WHERE type = 'url' WHERE type = 'url'
AND appId = ".$iAppId; AND appId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iAppId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -149,7 +149,8 @@ class Application {
if ($this->sName && ($this->sName!=$oApp->sName)) if ($this->sName && ($this->sName!=$oApp->sName))
{ {
$sUpdate = compile_update_string(array('appName' => $this->sName)); $sUpdate = compile_update_string(array('appName' => $this->sName));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false; return false;
$sWhatChanged .= "Name was changed from ".$oApp->sName." to ".$this->sName.".\n\n"; $sWhatChanged .= "Name was changed from ".$oApp->sName." to ".$this->sName.".\n\n";
} }
@@ -157,7 +158,8 @@ class Application {
if ($this->sDescription && ($this->sDescription!=$oApp->sDescription)) if ($this->sDescription && ($this->sDescription!=$oApp->sDescription))
{ {
$sUpdate = compile_update_string(array('description' => $this->sDescription)); $sUpdate = compile_update_string(array('description' => $this->sDescription));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false; return false;
$sWhatChanged .= "Description was changed from\n ".$oApp->sDescription."\n to \n".$this->sDescription.".\n\n"; $sWhatChanged .= "Description was changed from\n ".$oApp->sDescription."\n to \n".$this->sDescription.".\n\n";
} }
@@ -165,7 +167,8 @@ class Application {
if ($this->sKeywords && ($this->sKeywords!=$oApp->sKeywords)) if ($this->sKeywords && ($this->sKeywords!=$oApp->sKeywords))
{ {
$sUpdate = compile_update_string(array('keywords' => $this->sKeywords)); $sUpdate = compile_update_string(array('keywords' => $this->sKeywords));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false; return false;
$sWhatChanged .= "Keywords were changed from\n ".$oApp->sKeywords."\n to \n".$this->sKeywords.".\n\n"; $sWhatChanged .= "Keywords were changed from\n ".$oApp->sKeywords."\n to \n".$this->sKeywords.".\n\n";
} }
@@ -173,7 +176,8 @@ class Application {
if ($this->sWebpage && ($this->sWebpage!=$oApp->sWebpage)) if ($this->sWebpage && ($this->sWebpage!=$oApp->sWebpage))
{ {
$sUpdate = compile_update_string(array('webPage' => $this->sWebpage)); $sUpdate = compile_update_string(array('webPage' => $this->sWebpage));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false; return false;
$sWhatChanged .= "Web page was changed from ".$oApp->sWebpage." to ".$this->sWebpage.".\n\n"; $sWhatChanged .= "Web page was changed from ".$oApp->sWebpage." to ".$this->sWebpage.".\n\n";
} }
@@ -181,7 +185,8 @@ class Application {
if ($this->iVendorId && ($this->iVendorId!=$oApp->iVendorId)) if ($this->iVendorId && ($this->iVendorId!=$oApp->iVendorId))
{ {
$sUpdate = compile_update_string(array('vendorId' => $this->iVendorId)); $sUpdate = compile_update_string(array('vendorId' => $this->iVendorId));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false; return false;
$oVendorBefore = new Vendor($oApp->iVendorId); $oVendorBefore = new Vendor($oApp->iVendorId);
$oVendorAfter = new Vendor($this->iVendorId); $oVendorAfter = new Vendor($this->iVendorId);
@@ -191,7 +196,8 @@ class Application {
if ($this->iCatId && ($this->iCatId!=$oApp->iCatId)) if ($this->iCatId && ($this->iCatId!=$oApp->iCatId))
{ {
$sUpdate = compile_update_string(array('catId' => $this->iCatId)); $sUpdate = compile_update_string(array('catId' => $this->iCatId));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false; return false;
$oCatBefore = new Category($oApp->iCatId); $oCatBefore = new Category($oApp->iCatId);
$oCatAfter = new Category($this->iCatId); $oCatAfter = new Category($this->iCatId);
@@ -225,16 +231,16 @@ class Application {
} }
// remove any supermaintainers for this application so we don't orphan them // remove any supermaintainers for this application so we don't orphan them
$sQuery = "DELETE from appMaintainers WHERE appId='".$this->iAppId."';"; $sQuery = "DELETE from appMaintainers WHERE appId='?'";
if(!($hResult = query_appdb($sQuery))) if(!($hResult = query_parameters($sQuery, $this->iAppId)))
{ {
addmsg("Error removing app maintainers for the deleted application!", "red"); addmsg("Error removing app maintainers for the deleted application!", "red");
} }
$sQuery = "DELETE FROM appFamily $sQuery = "DELETE FROM appFamily
WHERE appId = ".$this->iAppId." WHERE appId = '?'
LIMIT 1"; LIMIT 1";
if(!($hResult = query_appdb($sQuery))) if(!($hResult = query_parameters($sQuery, $this->iAppId)))
{ {
addmsg("Error deleting application!", "red"); addmsg("Error deleting application!", "red");
} }
@@ -256,7 +262,8 @@ class Application {
$sUpdate = compile_update_string(array('queued' => "false", $sUpdate = compile_update_string(array('queued' => "false",
'keywords'=> str_replace(" *** ","",$this->sKeywords) )); 'keywords'=> str_replace(" *** ","",$this->sKeywords) ));
if(query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
{ {
$this->sQueued = 'false'; $this->sQueued = 'false';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -275,7 +282,8 @@ class Application {
return false; return false;
$sUpdate = compile_update_string(array('queued' => "rejected")); $sUpdate = compile_update_string(array('queued' => "rejected"));
if(query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
{ {
$this->sQueued = 'rejected'; $this->sQueued = 'rejected';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -292,7 +300,8 @@ class Application {
return false; return false;
$sUpdate = compile_update_string(array('queued' => "true")); $sUpdate = compile_update_string(array('queued' => "true"));
if(query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId)) if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
{ {
$this->sQueued = 'true'; $this->sQueued = 'true';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -559,7 +568,8 @@ class Application {
echo " <tr class=\"color1\"><td><b>URL</b></td><td>".$appLinkURL."</td></tr>\n"; echo " <tr class=\"color1\"><td><b>URL</b></td><td>".$appLinkURL."</td></tr>\n";
// optional links // optional links
$result = query_appdb("SELECT * FROM appData WHERE appId = ".$aClean['appId']." AND versionID = 0 AND type = 'url'"); $result = query_parameters("SELECT * FROM appData WHERE appId = '?' AND versionID = 0 AND type = 'url'",
$aClean['appId']);
if($result && mysql_num_rows($result) > 0) if($result && mysql_num_rows($result) > 0)
{ {
echo " <tr class=\"color1\"><td> <b>Links</b></td><td>\n"; echo " <tr class=\"color1\"><td> <b>Links</b></td><td>\n";
@@ -662,7 +672,8 @@ class Application {
function lookup_version_name($versionId) function lookup_version_name($versionId)
{ {
if(!$versionId) return null; if(!$versionId) return null;
$result = query_appdb("SELECT versionName FROM appVersion WHERE versionId = $versionId"); $result = query_parameters("SELECT versionName FROM appVersion WHERE versionId = '?'",
$versionId);
if(!$result || mysql_num_rows($result) != 1) if(!$result || mysql_num_rows($result) != 1)
return null; return null;
$ob = mysql_fetch_object($result); $ob = mysql_fetch_object($result);
@@ -673,7 +684,8 @@ function lookup_version_name($versionId)
function lookup_app_name($appId) function lookup_app_name($appId)
{ {
if(!$appId) return null; if(!$appId) return null;
$result = query_appdb("SELECT appName FROM appFamily WHERE appId = $appId"); $result = query_parameters("SELECT appName FROM appFamily WHERE appId = '?'",
$appId);
if(!$result || mysql_num_rows($result) != 1) if(!$result || mysql_num_rows($result) != 1)
return null; return null;
$ob = mysql_fetch_object($result); $ob = mysql_fetch_object($result);


@@ -31,8 +31,8 @@ class Bug {
$sQuery = "SELECT buglinks.*, appVersion.appId AS appId $sQuery = "SELECT buglinks.*, appVersion.appId AS appId
FROM buglinks, appVersion FROM buglinks, appVersion
WHERE buglinks.versionId = appVersion.versionId WHERE buglinks.versionId = appVersion.versionId
AND linkid = ".$iLinkId; AND linkid = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iLinkId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iLinkId = $iLinkId; $this->iLinkId = $iLinkId;
@@ -98,8 +98,8 @@ class Bug {
$sQuery = "SELECT * $sQuery = "SELECT *
FROM buglinks FROM buglinks
WHERE versionId = ".$iVersionId; WHERE versionId = '?'";
if($hResult = query_appdb($sQuery,"looking for duplicates")) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -126,9 +126,9 @@ class Bug {
$sQuery = "SELECT buglinks.*, appVersion.appId AS appId $sQuery = "SELECT buglinks.*, appVersion.appId AS appId
FROM buglinks, appVersion FROM buglinks, appVersion
WHERE buglinks.versionId = appVersion.versionId WHERE buglinks.versionId = appVersion.versionId
AND buglinks.versionId = ".$iVersionId." AND buglinks.versionId = '?'
AND buglinks.bug_id = ".$iBug_id; AND buglinks.bug_id = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId, $iBug_id))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->bug($oRow->linkId); $this->bug($oRow->linkId);
@@ -152,8 +152,8 @@ class Bug {
function delete($bSilent=false) function delete($bSilent=false)
{ {
$sQuery = "DELETE FROM buglinks $sQuery = "DELETE FROM buglinks
WHERE linkId = ".$this->iLinkId; WHERE linkId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $this->iLinkId))
{ {
if(!$bSilent) if(!$bSilent)
$this->SendNotificationMail(true); $this->SendNotificationMail(true);
@@ -176,7 +176,8 @@ class Bug {
return false; return false;
$sUpdate = compile_update_string(array('queued' => "false")); $sUpdate = compile_update_string(array('queued' => "false"));
if(query_appdb("UPDATE buglinks SET ".$sUpdate." WHERE linkId=".$this->iLinkId)) if(query_parameters("UPDATE buglinks SET ".$sUpdate." WHERE linkId='?'",
$this->iLinkId))
{ {
$this->bQueued = false; $this->bQueued = false;
// we send an e-mail to intersted people // we send an e-mail to intersted people
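Review bot: delete() treats any truthy result of the `DELETE FROM buglinks WHERE linkId = '?'` query as a successful removal and then calls SendNotificationMail, but a DELETE that matches zero rows still returns true, so a deletion mail can go out for a link that was already gone; `if($hResult && mysql_affected_rows() > 0)` would tie the mail to an actual row change. No privilege check is visible in the hunk before the DELETE, whereas the distribution class guards its state changes with hasPriv("admin"); if the check lives in the caller that is fine, but it is worth confirming. delete() continues outside the hunk.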


@@ -28,8 +28,8 @@ class Category {
*/ */
$sQuery = "SELECT * $sQuery = "SELECT *
FROM appCategory FROM appCategory
WHERE catId = ".$iCatId." ORDER BY catName;"; WHERE catId = '?' ORDER BY catName;";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iCatId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iCatId = $iCatId; $this->iCatId = $iCatId;
@@ -44,9 +44,9 @@ class Category {
*/ */
$sQuery = "SELECT appId $sQuery = "SELECT appId
FROM appFamily FROM appFamily
WHERE catId = ".$iCatId." WHERE catId = '?'
AND queued = 'false' ORDER BY appName"; AND queued = 'false' ORDER BY appName";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iCatId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -59,8 +59,8 @@ class Category {
*/ */
$sQuery = "SELECT catId $sQuery = "SELECT catId
FROM appCategory FROM appCategory
WHERE catParent = ".$iCatId." ORDER BY catName;"; WHERE catParent = '?' ORDER BY catName;";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iCatId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -104,21 +104,24 @@ class Category {
if($sName) if($sName)
{ {
if (!query_appdb("UPDATE appCategory SET catName = '".$sName."' WHERE catId = ".$this->iCatId)) if (!query_parameters("UPDATE appCategory SET catName = '?' WHERE catId = '?'",
$sName, $this->iCatId))
return false; return false;
$this->sName = $sName; $this->sName = $sName;
} }
if($sDescription) if($sDescription)
{ {
if (!query_appdb("UPDATE appCategory SET catDescription = '".$sDescription."' WHERE catId = ".$this->iCatId)) if (!query_parameters("UPDATE appCategory SET catDescription = '?' WHERE catId = '?'",
$sDescription, $this->iCatId))
return false; return false;
$this->sDescription = $sDescription; $this->sDescription = $sDescription;
} }
if($iParentId) if($iParentId)
{ {
if (!query_appdb("UPDATE appCategory SET catParent = '".$iParentId."' WHERE catId = ".$this->iCatId)) if (!query_parameters("UPDATE appCategory SET catParent = '?' WHERE catId = '?'",
$iParentId, $this->iCatId))
return false; return false;
$this->iParentId = $iParentId; $this->iParentId = $iParentId;
} }
@@ -141,9 +144,9 @@ class Category {
} else } else
{ {
$sQuery = "DELETE FROM appCategory $sQuery = "DELETE FROM appCategory
WHERE catId = ".$this->iCatId." WHERE catId = '?'
LIMIT 1"; LIMIT 1";
query_appdb($sQuery); query_parameters($sQuery, $this->iCatId);
addmsg("The category has been deleted.", "green"); addmsg("The category has been deleted.", "green");
} }
@@ -162,7 +165,8 @@ class Category {
$iCatId = $this->iCatId; $iCatId = $this->iCatId;
while($iCatId != 0) while($iCatId != 0)
{ {
$result = query_appdb("SELECT catName, catId, catParent FROM appCategory WHERE catId = $iCatId"); $result = query_parameters("SELECT catName, catId, catParent FROM appCategory WHERE catId = '?'",
$iCatId);
if(!$result || mysql_num_rows($result) != 1) if(!$result || mysql_num_rows($result) != 1)
break; break;
$cat = mysql_fetch_object($result); $cat = mysql_fetch_object($result);
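Review bot: delete() discards the return value of `query_parameters($sQuery, $this->iCatId)` and then reports "The category has been deleted." unconditionally, so a failed or zero-row DELETE is shown to the admin as a success. Make the message depend on the result: `if(query_parameters($sQuery, $this->iCatId)) addmsg("The category has been deleted.", "green"); else addmsg("Error deleting category!", "red");`. The other hunks in this file are consistent with the rest of the commit; only this one loses its error path.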


@@ -30,8 +30,8 @@ class Comment {
$sQuery = "SELECT appComments.*, appVersion.appId AS appId $sQuery = "SELECT appComments.*, appVersion.appId AS appId
FROM appComments, appVersion FROM appComments, appVersion
WHERE appComments.versionId = appVersion.versionId WHERE appComments.versionId = appVersion.versionId
AND commentId = '".$iCommentId."'"; AND commentId = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $iCommentId);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iCommentId = $oRow->commentId; $this->iCommentId = $oRow->commentId;
$this->iParentId = $oRow->parentId; $this->iParentId = $oRow->parentId;
@@ -114,14 +114,16 @@ class Comment {
{ {
if ($iParentId) if ($iParentId)
{ {
if (!query_appdb("UPDATE appComments SET parentId = '".$iParentId."' WHERE commentId = ".$this->iCommentId)) if (!query_parameters("UPDATE appComments SET parentId = '?' WHERE commentId = '?'",
$iParentId, $this->iCommentId))
return false; return false;
$this->iParentId = $iParentId; $this->iParentId = $iParentId;
} }
if ($iVersionId) if ($iVersionId)
{ {
if (!query_appdb("UPDATE appComments SET versionId = '".$iVersionId."' WHERE commentId = ".$this->iCommentId)) if (!query_parameters("UPDATE appComments SET versionId = '?' WHERE commentId = '?'",
$iVersionId, $this->iCommentId))
return false; return false;
$this->iVersionId = $iVersionId; $this->iVersionId = $iVersionId;
// FIXME: we need to refetch $this->iAppId. // FIXME: we need to refetch $this->iAppId.
@@ -129,14 +131,16 @@ class Comment {
if ($sSubject) if ($sSubject)
{ {
if (!query_appdb("UPDATE appComments SET subject = '".$sSubject."' WHERE commentId = ".$this->iCommentId)) if (!query_parameters("UPDATE appComments SET subject = '?' WHERE commentId = '?'",
$sSubject, $this->iCommentId))
return false; return false;
$this->sSubject = $sSubject; $this->sSubject = $sSubject;
} }
if ($sBody) if ($sBody)
{ {
if (!query_appdb("UPDATE appComments SET body = '".$sBody."' WHERE commentId = ".$this->iCommentId)) if (!query_parameters("UPDATE appComments SET body = '?' WHERE commentId = '?'",
$sBody, $this->iCommentId))
return false; return false;
$this->sBody = $sBody; $this->sBody = $sBody;
} }
@@ -151,11 +155,12 @@ class Comment {
*/ */
function delete($sReason=null) function delete($sReason=null)
{ {
$hResult = query_appdb("DELETE FROM appComments WHERE commentId = '".$this->iCommentId."'"); $hResult = query_parameters("DELETE FROM appComments WHERE commentId = '?'", $this->iCommentId);
if ($hResult) if ($hResult)
{ {
/* fixup the child comments so the parentId points to a valid parent comment */ /* fixup the child comments so the parentId points to a valid parent comment */
$hResult = query_appdb("UPDATE appComments set parentId = '".$this->iParentId."' WHERE parentId = '".$this->iCommentId."'"); $hResult = query_parameters("UPDATE appComments set parentId = '?' WHERE parentId = '?'",
$this->iParentId, $this->iCommentId);
$sEmail = get_notify_email_address_list($this->iAppId, $this->iVersionId); $sEmail = get_notify_email_address_list($this->iAppId, $this->iVersionId);
$sEmail .= $this->oOwner->sEmail; $sEmail .= $this->oOwner->sEmail;
if($sEmail) if($sEmail)
@@ -264,6 +269,10 @@ function view_app_comment($oRow)
*/ */
function grab_comments($versionId, $parentId = -1) function grab_comments($versionId, $parentId = -1)
{ {
/* escape input so we can use query_appdb() without concern */
$versionId = mysql_real_escape_string($versionId);
$parentId = mysql_real_escape_string($parentId);
$extra = ""; $extra = "";
if($parentId != -1) if($parentId != -1)
$extra = "AND parentId = $parentId "; $extra = "AND parentId = $parentId ";
@@ -374,7 +383,7 @@ function view_app_comments($versionId, $threadId = 0)
$aClean['mode'] = makeSafe($_REQUEST['mode']); $aClean['mode'] = makeSafe($_REQUEST['mode']);
// count posts // count posts
$hResult = query_appdb("SELECT commentId FROM appComments WHERE versionId = $versionId"); $hResult = query_parameters("SELECT commentId FROM appComments WHERE versionId = '?'", $versionId);
$messageCount = mysql_num_rows($hResult); $messageCount = mysql_num_rows($hResult);
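Review bot: The new mysql_real_escape_string() calls at the top of grab_comments do not protect the query, because `$extra = "AND parentId = $parentId "` interpolates the value without surrounding quotes; escaping only neutralises quote and backslash characters, so a value such as `1 OR 1=1` reaches the SQL unchanged (the same applies to `$versionId` if it is interpolated the same way further down, outside the hunk). Called without a link argument, mysql_real_escape_string() also needs an already-open connection and returns false otherwise, which this function does not ensure. Since both values are numeric ids, the simplest fix is `$versionId = (int)$versionId; $parentId = (int)$parentId;`, or build the query with quoted '?' placeholders through query_parameters() like the rest of this commit. grab_comments continues outside the hunk.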
//start comment format table //start comment format table


@@ -119,13 +119,22 @@ function query_error($sQuery, $sComment="")
* Returns a string ready to be put in a query like this * Returns a string ready to be put in a query like this
* $sQuery = "UPDATE `foo` $sReturn"; * $sQuery = "UPDATE `foo` $sReturn";
* *
* Values are addslashes()'d. * Values are mysql_real_escape_string()'ed.
*/ */
function compile_update_string($aData) function compile_update_string($aData)
{ {
global $hAppdbLink;
if(!is_resource($hAppdbLink))
{
// The last argument makes sure we are really opening a new connection
$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
mysql_select_db(APPS_DB, $hAppdbLink);
}
foreach ($aData as $k => $v) foreach ($aData as $k => $v)
{ {
$return .= "`$k`='".addslashes($v)."',"; $return .= "`$k`='".mysql_real_escape_string($v)."',";
} }
$return = preg_replace( "/,$/" , "" , $return ); $return = preg_replace( "/,$/" , "" , $return );
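Review bot: The escaped `key='value'` fragment this returns is concatenated by callers into templates that are then passed to query_parameters() together with a trailing `WHERE ... = '?'`; if query_parameters() substitutes '?' positionally (its implementation is not in view), a user-supplied value containing a literal '?' (keywords, names, URLs) will shift the placeholders and bind the id into the wrong position. Either callers should pass those fields as parameters themselves, as the distribution and Note classes now do, or this function needs to document that its output must not be combined with placeholders. Two smaller points: pass the link you just opened explicitly, `mysql_real_escape_string($v, $hAppdbLink)`, rather than relying on the last-opened connection, and initialise `$return = "";` before the loop. The connection bootstrap here duplicates the block added to addmsg(); a shared helper would keep the two from drifting.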


@@ -28,8 +28,8 @@ class distribution{
{ {
$sQuery = "SELECT * $sQuery = "SELECT *
FROM distributions FROM distributions
WHERE distributionId = ".$iDistributionId; WHERE distributionId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iDistributionId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iDistributionId = $iDistributionId; $this->iDistributionId = $iDistributionId;
@@ -50,7 +50,7 @@ class distribution{
{ {
$sQuery = "SELECT testingId $sQuery = "SELECT testingId
FROM testResults FROM testResults
WHERE distributionId = ".$iDistributionId; WHERE distributionId = '?'";
} else /* only let users view test results that aren't queued and for apps that */ } else /* only let users view test results that aren't queued and for apps that */
/* aren't queued or versions that aren't queued */ /* aren't queued or versions that aren't queued */
{ {
@@ -61,10 +61,10 @@ class distribution{
appFamily.appId = appVersion.appId AND appFamily.appId = appVersion.appId AND
appFamily.queued = 'false' AND appFamily.queued = 'false' AND
appVersion.queued = 'false' AND appVersion.queued = 'false' AND
distributionId = ".$iDistributionId; distributionId = '?'";
} }
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iDistributionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -80,8 +80,8 @@ class distribution{
//Let's not create a duplicate //Let's not create a duplicate
$sQuery = "SELECT * $sQuery = "SELECT *
FROM distributions FROM distributions
WHERE name LIKE '".$this->sName."'"; WHERE name LIKE '?'";
$hDuplicate = query_appdb($sQuery, "checking distributions"); $hDuplicate = query_parameters($sQuery, $this->sName);
if(!mysql_num_rows($hDuplicate) == 0) if(!mysql_num_rows($hDuplicate) == 0)
{ {
addmsg("There was an existing Distribution called ".$this->sName.".", "red"); addmsg("There was an existing Distribution called ".$this->sName.".", "red");
@@ -125,14 +125,17 @@ class distribution{
} }
$sUpdate = compile_update_string(array( 'name' => $this->sName, $sUpdate = compile_update_string(array( 'name' => $this->sName,
'url' => $this->sUrl )); 'url' => $this->sUrl ));
if(query_appdb("UPDATE distributions SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while updating Distribution.")) if(query_parameters("UPDATE distributions SET ".$sUpdate." WHERE distributionId = '?'",
$this->iDistributionId))
{ {
$this->SendNotificationMail("edit"); $this->SendNotificationMail("edit");
return true; return true;
} } else
else {
addmsg("Error while updating Distribution", "red");
return false; return false;
} }
}
// Delete Distributution. // Delete Distributution.
function delete($bSilent=false) function delete($bSilent=false)
@@ -145,9 +148,9 @@ class distribution{
} }
// now delete the Distribution // now delete the Distribution
$sQuery = "DELETE FROM distributions $sQuery = "DELETE FROM distributions
WHERE distributionId = ".$this->iDistributionId." WHERE distributionId = '?'
LIMIT 1"; LIMIT 1";
if(!($hResult = query_appdb($sQuery))) if(!($hResult = query_parameters($sQuery, $this->iDistributionId)))
{ {
addmsg("Error removing the Distribution!", "red"); addmsg("Error removing the Distribution!", "red");
} }
@@ -165,20 +168,25 @@ class distribution{
// is the current user allowed to move this Distribution? // is the current user allowed to move this Distribution?
if(!$_SESSION['current']->hasPriv("admin")) if(!$_SESSION['current']->hasPriv("admin"))
{ {
return; return false;
} }
// If we are not in the queue, we can't move the Distribution out of the queue. // If we are not in the queue, we can't move the Distribution out of the queue.
if(!$this->sQueued == 'true') if(!$this->sQueued == 'true')
return false; return false;
$sUpdate = compile_update_string(array('queued' => "false")); if(query_parameters("UPDATE distribution SET queued = '?' WHERE distributionId = '?'",
if(query_appdb("UPDATE distribution SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while unqueuing Distribution.")) "false", $this->iDistributionId))
{ {
$this->sQueued = 'false'; $this->sQueued = 'false';
// we send an e-mail to intersted people // we send an e-mail to intersted people
$this->mailSubmitter("unQueue"); $this->mailSubmitter("unQueue");
$this->SendNotificationMail(); $this->SendNotificationMail();
return true;
} else
{
addmsg("Error while unqueueing Distribution", "red");
return false;
} }
} }
@@ -187,15 +195,15 @@ class distribution{
// is the current user allowed to reject this Distribution? // is the current user allowed to reject this Distribution?
if(!$_SESSION['current']->hasPriv("admin")) if(!$_SESSION['current']->hasPriv("admin"))
{ {
return; return false;
} }
// If we are not in the queue, we can't move the Distribution out of the queue. // If we are not in the queue, we can't move the Distribution out of the queue.
if(!$this->sQueued == 'true') if(!$this->sQueued == 'true')
return false; return false;
$sUpdate = compile_update_string(array('queued' => "rejected")); if(query_parameters("UPDATE distribution SET queued = '?' WHERE distributionId = '?'",
if(query_appdb("UPDATE distribution SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while rejecting Distribution.")) "rejected", $this->iDistributionId))
{ {
$this->sQueued = 'rejected'; $this->sQueued = 'rejected';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -205,6 +213,11 @@ class distribution{
$this->SendNotificationMail("reject"); $this->SendNotificationMail("reject");
} }
// the Distribution data has been rejected // the Distribution data has been rejected
return true;
} else
{
addmsg("Error while rejecting Distribution", "red");
return false;
} }
} }
@@ -214,12 +227,14 @@ class distribution{
if(!$_SESSION['current']->hasPriv("admin") && if(!$_SESSION['current']->hasPriv("admin") &&
!($_SESSION['current']->iUserId == $this->iSubmitterId)) !($_SESSION['current']->iUserId == $this->iSubmitterId))
{ {
return; return false;
} }
$sUpdate = compile_update_string(array('queued' => "true")); if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId)) "true", $this->iTestingId))
if(query_appdb("UPDATE distribution SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while requeueing Distribution.")) {
if(query_parameters("UPDATE distribution SET queued = '?' WHERE distributionId = '?'",
"true", $this->iDistributionId))
{ {
$this->sQueued = 'true'; $this->sQueued = 'true';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -227,9 +242,16 @@ class distribution{
// the testing data has been resubmitted // the testing data has been resubmitted
addmsg("The Distribution has been resubmitted", "green"); addmsg("The Distribution has been resubmitted", "green");
return true;
} }
} }
/* something has failed if we fell through to this point without */
/* returning */
addmsg("Error requeueing Distribution", "red");
return false;
}
function mailSubmitter($sAction="add") function mailSubmitter($sAction="add")
{ {
@@ -378,8 +400,7 @@ class distribution{
function make_distribution_list($varname, $cvalue) function make_distribution_list($varname, $cvalue)
{ {
$sQuery = "SELECT name, distributionId FROM distributions ORDER BY name"; $sQuery = "SELECT name, distributionId FROM distributions ORDER BY name";
$hResult = query_parameters($sQuery);
$hResult = query_appdb($sQuery);
if(!$hResult) return; if(!$hResult) return;
echo "<select name='$varname'>\n"; echo "<select name='$varname'>\n";
@@ -396,7 +417,7 @@ function make_distribution_list($varname, $cvalue)
/* Get the total number of Distributions in the database */ /* Get the total number of Distributions in the database */
function getNumberOfDistributions() function getNumberOfDistributions()
{ {
$hResult = query_appdb("SELECT count(*) as num_dists FROM distributions"); $hResult = query_parameters("SELECT count(*) as num_dists FROM distributions");
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
@@ -408,7 +429,7 @@ function getNumberOfDistributions()
/* Get the number of Queued Distributions in the database */ /* Get the number of Queued Distributions in the database */
function getNumberOfQueuedDistributions() function getNumberOfQueuedDistributions()
{ {
$hResult = query_appdb("SELECT count(*) as num_dists FROM distributions WHERE queued='true';"); $hResult = query_parameters("SELECT count(*) as num_dists FROM distributions WHERE queued='true';");
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
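Review bot: unQueue(), reject() and reQueue() now issue `UPDATE distribution SET queued = '?' WHERE distributionId = '?'`, but every other query in this file, including the SELECT and DELETE in the same hunk, uses the `distributions` table, so these updates will fail and the admin will always land in the new "Error while ..." branch; the table name should be `distributions`. reQueue() additionally runs `UPDATE testResults SET queued = '?' WHERE testingId = '?'` with `$this->iTestingId`, which is not a property this class is seen to set and looks copied from the test-results class, and the distribution update is only attempted when that query succeeds. The guard `if(!$this->sQueued == 'true')` negates before comparing and therefore never blocks an already-approved entry; `if($this->sQueued != 'true')` expresses the intended state check.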


@@ -228,14 +228,20 @@ function addmsg($text, $color = "black")
{ {
global $hAppdbLink; global $hAppdbLink;
if(!is_resource($hAppdbLink))
{
// The last argument makes sure we are really opening a new connection
$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
mysql_select_db(APPS_DB, $hAppdbLink);
}
if($color) if($color)
$text = "<font color='$color'> $text </font>\n"; $text = "<font color='$color'> $text </font>\n";
$text = addslashes($text); $sQuery = "INSERT INTO sessionMessages VALUES (null, null, '?', '?')";
$sQuery = "INSERT INTO sessionMessages VALUES (null, null, '".session_id()."', '$text')"; if (!query_parameters($sQuery, session_id(), $text))
if (!mysql_query($sQuery,$hAppdbLink))
{ {
echo "An error has occurred in addmsg(): ".mysql_error($hAppdbLink); echo "An error has occurred in addmsg()";
echo $text; echo $text;
} }
} }
@@ -247,7 +253,7 @@ function addmsg($text, $color = "black")
*/ */
function dumpmsgbuffer() function dumpmsgbuffer()
{ {
$hResult = query_appdb("SELECT * FROM sessionMessages WHERE sessionId = '".session_id()."'"); $hResult = query_parameters("SELECT * FROM sessionMessages WHERE sessionId = '?'", session_id());
if(!$hResult) if(!$hResult)
return; return;
@@ -259,7 +265,7 @@ function dumpmsgbuffer()
echo "<br>\n"; echo "<br>\n";
} }
query_appdb("DELETE FROM sessionMessages WHERE sessionId = '".session_id()."'"); query_parameters("DELETE FROM sessionMessages WHERE sessionId = '?'", session_id());
} }
/** /**
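Review bot: The new failure branch in addmsg() no longer prints mysql_error() to the page, which is the right call for not leaking database details to users, but the cause is now lost entirely; record it server-side, e.g. `error_log("addmsg(): ".mysql_error());`, so failures remain diagnosable. The fallback `echo $text;` writes the raw message, including the `<font color='$color'>` wrapper, straight into the response; callers pass literal colours, so this is acceptable, but it is worth a comment. The connection bootstrap added at the top duplicates the one in compile_update_string() and may be redundant now that the INSERT goes through query_parameters(); if that function opens its own link, this block can be dropped.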


@@ -9,9 +9,9 @@
function getAppsFromUserId($userId) function getAppsFromUserId($userId)
{ {
/* retrieve the list of application and order them by application name */ /* retrieve the list of application and order them by application name */
$hResult = query_appdb("SELECT appMaintainers.appId, versionId, superMaintainer, appName FROM ". $hResult = query_parameters("SELECT appMaintainers.appId, versionId, superMaintainer, appName FROM ".
"appFamily, appMaintainers WHERE appFamily.appId = appMaintainers.appId ". "appFamily, appMaintainers WHERE appFamily.appId = appMaintainers.appId ".
"AND userId = '$userId' ORDER BY appName"); "AND userId = '?' ORDER BY appName", $userId);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
return; return;
@@ -38,8 +38,8 @@ function getMaintainersUserIdsFromAppIdVersionId($versionId)
return $retval; return $retval;
$sQuery = "SELECT userId FROM ". $sQuery = "SELECT userId FROM ".
"appMaintainers WHERE versionId = '$versionId';"; "appMaintainers WHERE versionId = '?';";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $versionId);
$c = 0; $c = 0;
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -56,9 +56,9 @@ function getMaintainersUserIdsFromAppIdVersionId($versionId)
function getSuperMaintainersUserIdsFromAppId($appId) function getSuperMaintainersUserIdsFromAppId($appId)
{ {
$sQuery = "SELECT userId FROM ". $sQuery = "SELECT userId FROM ".
"appMaintainers WHERE appId = '$appId' " . "appMaintainers WHERE appId = '?' " .
"AND superMaintainer = '1';"; "AND superMaintainer = '1';";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $appId);
$retval = array(); $retval = array();
$c = 0; $c = 0;
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
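Review bot: In getMaintainersUserIdsFromAppIdVersionId() the result of `query_parameters($sQuery, $versionId)` feeds the while loop without a check, so a failed query makes mysql_fetch_object(false) emit a warning on every call; add `if(!$hResult) return $retval;` directly after the query, and the same guard in getSuperMaintainersUserIdsFromAppId() once `$retval` is initialised. Both functions begin or continue outside the hunk.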


@@ -85,7 +85,7 @@ class Monitor {
*/ */
function delete($bSilent=false) function delete($bSilent=false)
{ {
$hResult = query_appdb("DELETE FROM appMonitors WHERE monitorId = '".$this->iMonitorId."'"); $hResult = query_parameters("DELETE FROM appMonitors WHERE monitorId = '?'", $this->iMonitorId);
if(!$bSilent) if(!$bSilent)
$this->SendNotificationMail("delete"); $this->SendNotificationMail("delete");
} }
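Review bot: Monitor::delete() ignores `$hResult` and sends the "delete" notification even when the DELETE fails; gate the mail on the result, `if($hResult && !$bSilent)`, and return it so callers can react. Nothing else in the hunk changes behaviour beyond the parameterisation.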


@@ -30,8 +30,8 @@ class Note {
$sQuery = "SELECT appNotes.*, appVersion.appId AS appId $sQuery = "SELECT appNotes.*, appVersion.appId AS appId
FROM appNotes, appVersion FROM appNotes, appVersion
WHERE appNotes.versionId = appVersion.versionId WHERE appNotes.versionId = appVersion.versionId
AND noteId = '".$iNoteId."'"; AND noteId = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $iNoteId);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iNoteId = $oRow->noteId; $this->iNoteId = $oRow->noteId;
$this->iAppId = $oRow->appId; $this->iAppId = $oRow->appId;
@@ -78,8 +78,8 @@ class Note {
if ($sTitle && $sTitle!=$this->sTitle) if ($sTitle && $sTitle!=$this->sTitle)
{ {
$sUpdate = compile_update_string(array('noteTitle' => $sTitle)); if (!query_parameters("UPDATE appNotes SET noteTitle = '?' WHERE noteId = '?'",
if (!query_appdb("UPDATE appNotes SET ".$sUpdate." WHERE noteId = ".$this->iNoteId)) $sTitle, $this->iNoteId))
return false; return false;
$sWhatChanged .= "Title was changed from ".$this->sTitle." to ".$sTitle.".\n\n"; $sWhatChanged .= "Title was changed from ".$this->sTitle." to ".$sTitle.".\n\n";
$this->sTitle = $sTitle; $this->sTitle = $sTitle;
@@ -87,8 +87,8 @@ class Note {
if ($sDescription && $sDescription!=$this->sDescription) if ($sDescription && $sDescription!=$this->sDescription)
{ {
$sUpdate = compile_update_string(array('noteDesc' => $sDescription)); if (!query_parameters("UPDATE appNotes SET noteDesc = '?' WHERE noteId = '?'",
if (!query_appdb("UPDATE appNotes SET ".$sUpdate." WHERE noteId = ".$this->iNoteId)) $sDescription, $this->iNoteId))
return false; return false;
$sWhatChanged .= "Description was changed from\n ".$this->sDescription."\n to \n".$sDescription.".\n\n"; $sWhatChanged .= "Description was changed from\n ".$this->sDescription."\n to \n".$sDescription.".\n\n";
$this->sDescription = $sDescription; $this->sDescription = $sDescription;
@@ -96,8 +96,8 @@ class Note {
if ($iVersionId && $iVersionId!=$this->iVersionId) if ($iVersionId && $iVersionId!=$this->iVersionId)
{ {
$sUpdate = compile_update_string(array('versionId' => $iVersionId)); if (!query_parameters("UPDATE appNotes SET versionId = '?' WHERE noteId = '?'",
if (!query_appdb("UPDATE appNotes SET ".$sUpdate." WHERE noteId = ".$this->iNoteId)) $iVersionId, $this->iNoteId))
return false; return false;
$oVersionBefore = new Version($this->iVersionId); $oVersionBefore = new Version($this->iVersionId);
$oVersionAfter = new Version($iVersionId); $oVersionAfter = new Version($iVersionId);
@@ -117,7 +117,7 @@ class Note {
*/ */
function delete($bSilent=false) function delete($bSilent=false)
{ {
$hResult = query_appdb("DELETE FROM appNotes WHERE noteId = '".$this->iNoteId."'"); $hResult = query_parameters("DELETE FROM appNotes WHERE noteId = '?'", $this->iNoteId);
if(!$bSilent) if(!$bSilent)
$this->SendNotificationMail("delete"); $this->SendNotificationMail("delete");
} }
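Review bot: The constructor reads `$oRow->noteId`, `$oRow->appId` and the rest without checking that query_parameters() succeeded or that a row came back, so an unknown noteId yields a Note whose properties are all null, and the later update()/delete() queries in this file then run with `noteId = ''`. Bail out early: `if(!$hResult || !($oRow = mysql_fetch_object($hResult))) return;`. delete() has the same unchecked-result pattern as the Monitor class and sends its notification regardless of the outcome; the constructor continues outside the hunk.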


@@ -32,12 +32,12 @@ class Screenshot {
// we are working on an existing screenshot // we are working on an existing screenshot
if(is_numeric($iScreenshotId)) if(is_numeric($iScreenshotId))
{ {
$sQuery = "SELECT appData.*, appVersion.appId AS appId $hResult = query_parameters("SELECT appData.*, appVersion.appId AS appId
FROM appData, appVersion FROM appData, appVersion
WHERE appData.versionId = appVersion.versionId WHERE appData.versionId = appVersion.versionId
AND id = ".$iScreenshotId." AND id = '?'
AND type = 'image'"; AND type = 'image'", $iScreenshotId);
if($hResult = query_appdb($sQuery)) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iScreenshotId = $iScreenshotId; $this->iScreenshotId = $iScreenshotId;
@@ -86,8 +86,8 @@ class Screenshot {
addmsg("Unable to move screenshot from '".$hFile['tmp_name']."' to '".$moveToPath."'", "red"); addmsg("Unable to move screenshot from '".$hFile['tmp_name']."' to '".$moveToPath."'", "red");
$sQuery = "DELETE $sQuery = "DELETE
FROM appData FROM appData
WHERE id = '".$this->iScreenshotId."'"; WHERE id = '?'";
query_appdb($sQuery); query_parameters($sQuery, $this->iScreenshotId);
return false; return false;
} else // we managed to copy the file, now we have to process the image } else // we managed to copy the file, now we have to process the image
{ {
@@ -96,16 +96,16 @@ class Screenshot {
{ {
// we have to update the entry now that we know its name // we have to update the entry now that we know its name
$sQuery = "UPDATE appData $sQuery = "UPDATE appData
SET url = '".$this->iScreenshotId."' SET url = '?'
WHERE id = '".$this->iScreenshotId."'"; WHERE id = '?'";
if (!query_appdb($sQuery)) return false; if (!query_parameters($sQuery, $this->iScreenshotId, $this->iScreenshotId)) return false;
} else } else
{ {
addmsg("Unable to generate image or thumbnail. The file format might not be recognized. Please use PNG or JPEG only.","red"); addmsg("Unable to generate image or thumbnail. The file format might not be recognized. Please use PNG or JPEG only.","red");
$sQuery = "DELETE $sQuery = "DELETE
FROM appData FROM appData
WHERE id = '".$this->iScreenshotId."'"; WHERE id = '?'";
query_appdb($sQuery); query_parameters($sQuery, $this->iScreenshotId);
return false; return false;
} }
@@ -155,8 +155,8 @@ class Screenshot {
if(!$this->bQueued) if(!$this->bQueued)
return false; return false;
$sUpdate = compile_update_string(array('queued' => "false")); if(query_parameters("UPDATE appData SET queued = '?' WHERE id='?'",
if(query_appdb("UPDATE appData SET ".$sUpdate." WHERE id=".$this->iScreenshotId)) "false", $this->iScreenshotId))
{ {
$this->bQueued = false; $this->bQueued = false;
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -185,8 +185,8 @@ class Screenshot {
*/ */
function setDescription($sDescription) function setDescription($sDescription)
{ {
$sQuery = "UPDATE id SET description = '".$sDescription."' WHERE id = ".$this->iScreenshotId." AND type = 'image'"; if($hResult = query_parameters("UPDATE id SET description = '?' WHERE id = '?' AND type = 'image'",
if($hResult = query_appdb($sQuery)) $sDescription, $this->iScreenshotId))
$this->sDescription = $sDescription; $this->sDescription = $sDescription;
} }
@@ -310,21 +310,21 @@ function get_screenshot_img($iAppId = null, $iVersionId = null, $bFormatting = t
// we want a random screenshots for this app // we want a random screenshots for this app
if($iAppId && !$iVersionId) if($iAppId && !$iVersionId)
{ {
$hResult = query_appdb("SELECT appData.*, RAND() AS rand $hResult = query_parameters("SELECT appData.*, RAND() AS rand
FROM appData, appVersion FROM appData, appVersion
WHERE appData.versionId = appVersion.versionId WHERE appData.versionId = appVersion.versionId
AND appVersion.appId = $iAppId AND appVersion.appId = '?'
AND type = 'image' AND type = 'image'
AND appData.queued = 'false' AND appData.queued = 'false'
ORDER BY rand"); ORDER BY rand", $iAppId);
} else if ($iVersionId) // we want a random screenshot for this version } else if ($iVersionId) // we want a random screenshot for this version
{ {
$hResult = query_appdb("SELECT *, RAND() AS rand $hResult = query_parameters("SELECT *, RAND() AS rand
FROM appData FROM appData
WHERE versionId = $iVersionId WHERE versionId = '?'
AND type = 'image' AND type = 'image'
AND queued = 'false' AND queued = 'false'
ORDER BY rand"); ORDER BY rand", $iVersionId);
} }
if($bFormatting) if($bFormatting)
@@ -373,31 +373,30 @@ function get_screenshots($iAppId = null, $iVersionId = null, $bQueued = "false")
*/ */
if($iAppId && !$iVersionId) if($iAppId && !$iVersionId)
{ {
$sQuery = "SELECT appData.*, appVersion.appId as appId $hResult = query_parameters("SELECT appData.*, appVersion.appId as appId
FROM appData, appVersion FROM appData, appVersion
WHERE appVersion.versionId = appData.versionId WHERE appVersion.versionId = appData.versionId
AND type = 'image' AND type = 'image'
AND appVersion.appId = ".$iAppId." AND appVersion.appId = '?'
AND appData.queued = '".$bQueued."'"; AND appData.queued = '?'", $iAppId, $bQueued);
} }
/* /*
* We want all screenshots for this version. * We want all screenshots for this version.
*/ */
else if ($iVersionId) else if ($iVersionId)
{ {
$sQuery = "SELECT appData.*, appVersion.appId as appId $hResult = query_parameters("SELECT appData.*, appVersion.appId as appId
FROM appData, appVersion FROM appData, appVersion
WHERE appVersion.versionId = appData.versionId WHERE appVersion.versionId = appData.versionId
AND type = 'image' AND type = 'image'
AND appData.versionId = ".$iVersionId." AND appData.versionId = '?'
AND appData.queued = '".$bQueued."'"; AND appData.queued = '?'", $iVersionId, $bQueued);
} } else
if($sQuery)
{ {
$hResult = query_appdb($sQuery);
return $hResult;
}
return false; return false;
}
return $hResult;
} }
function get_thumbnail($id) function get_thumbnail($id)


@@ -66,7 +66,7 @@ class session
// read session // read session
function _read ($key) function _read ($key)
{ {
$result = query_appdb("SELECT data FROM session_list WHERE session_id = '".$key."'"); $result = query_parameters("SELECT data FROM session_list WHERE session_id = '?'", $key);
if (!$result) { return null; } if (!$result) { return null; }
$r = mysql_fetch_object($result); $r = mysql_fetch_object($result);
return $r->data; return $r->data;
@@ -79,21 +79,22 @@ class session
if(isset($GLOBALS['msg_buffer'])) if(isset($GLOBALS['msg_buffer']))
$messages = implode("|", $GLOBALS['msg_buffer']); $messages = implode("|", $GLOBALS['msg_buffer']);
query_appdb("REPLACE session_list VALUES ('$key', '".$_SESSION['current']->iUserId."', '".get_remote()."', '".addslashes($value)."', '$messages', NOW())"); query_parameters("REPLACE session_list VALUES ('?', '?', '?', '?', '?', ?)",
$key, $_SESSION['current']->iUserId, get_remote(), $value, $messages, "NOW()");
return true; return true;
} }
// delete current session // delete current session
function _destroy ($key) function _destroy ($key)
{ {
query_appdb("DELETE FROM session_list WHERE session_id = '$key'"); query_parameters("DELETE FROM session_list WHERE session_id = '?'", $key);
return true; return true;
} }
// clear old sessions (moved into a separate cron process) // clear old sessions (moved into a separate cron process)
function _gc ($maxlifetime) function _gc ($maxlifetime)
{ {
query_appdb("DELETE FROM session_list WHERE to_days(now()) - to_days(stamp) >= 7"); query_parameters("DELETE FROM session_list WHERE to_days(now()) - to_days(stamp) >= 7");
return true; return true;
} }
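Review bot: `NOW()` is passed as a bind value for the unquoted trailing `?` in the REPLACE statement of `_write`, which only works if query_parameters() performs textual substitution rather than real binding, and it puts SQL code into the value list; write the function in the statement itself, `REPLACE session_list VALUES ('?', '?', '?', '?', '?', NOW())`, and drop the `"NOW()"` argument. The old `addslashes($value)` was removed, so session data safety now rests entirely on query_parameters() escaping every quoted placeholder — a one-line comment at the call site stating that assumption would help the next maintainer. `_gc` still ignores `$maxlifetime` and hard-codes the 7-day cutoff; since the comment says this moved to a cron process, either remove the query or note why the parameter is unused.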


@@ -173,7 +173,8 @@ class TableVE {
function make_option_list($varname, $cvalue, $table, $idField, $nameField, $where = "") function make_option_list($varname, $cvalue, $table, $idField, $nameField, $where = "")
{ {
$hResult = query_appdb("SELECT $idField, $nameField FROM $table $where ORDER BY $nameField"); $hResult = query_parameters("SELECT ?, ? FROM ? ? ORDER BY '?'",
$idField, $nameField, $table, $where, $nameField);
if(!$hResult) if(!$hResult)
return; // Oops return; // Oops
@@ -442,7 +443,8 @@ class TableVE {
if(ereg("^impl_.+$", $table)) if(ereg("^impl_.+$", $table))
{ {
$value = $fieldnames["apiid"][$i]; $value = $fieldnames["apiid"][$i];
query_appdb("UPDATE $table SET lastmodby = ".$_SESSION['current']->userid." WHERE apiid = $value"); query_parameters("UPDATE ? SET lastmodby = '?' WHERE apiid = '?'",
$table, $_SESSION['current']->iUserId, $value);
} }
} }
} }
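Review bot: Identifiers and a raw SQL fragment are passed as bind parameters in make_option_list — `$idField`, `$nameField`, `$table` and the entire `$where` clause — and again in the apiid hunk (`UPDATE ? SET ...` with `$table`). Parameter substitution is meant for values: if query_parameters() escapes its arguments, a `$where` containing quotes will break, and `ORDER BY '?'` sorts by a constant string, i.e. not at all; if it does not escape unquoted placeholders, nothing is gained over the old concatenation. Table and column names should instead be validated against a whitelist of known identifiers before concatenation (the `ereg("^impl_.+$", $table)` check in the second hunk is a start), with only the values inside `$where` bound as parameters. make_option_list's body continues outside the hunk.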


@@ -4,7 +4,7 @@
/*****************************************/ /*****************************************/
require_once(BASE."include/distributions.php"); require_once(BASE."include/distributions.php");
require_once(BASE."include/util.php"); require_once(BASE."include/util.php");
// Testing class for handling Testing History. // Class for handling Testing History.
class testData{ class testData{
var $iTestingId; var $iTestingId;
@@ -34,8 +34,8 @@ class testData{
{ {
$sQuery = "SELECT * $sQuery = "SELECT *
FROM testResults FROM testResults
WHERE testingId = ".$iTestingId; WHERE testingId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iTestingId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iTestingId = $iTestingId; $this->iTestingId = $iTestingId;
@@ -118,15 +118,19 @@ class testData{
'testedRating' => $this->sTestedRating, 'testedRating' => $this->sTestedRating,
'comments' => $this->sComments)); 'comments' => $this->sComments));
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId, "Error while updating test results.")) if(query_parameters("UPDATE testResults SET ".$sUpdate." WHERE testingId = '?'",
$this->iTestingId))
{ {
if(!$bSilent) if(!$bSilent)
$this->SendNotificationMail(); $this->SendNotificationMail();
return true; return true;
} }
else else
{
addmsg("Error while updating test results", "red");
return false; return false;
} }
}
// Delete testing results. // Delete testing results.
function delete($bSilent=false) function delete($bSilent=false)
@@ -141,9 +145,9 @@ class testData{
} }
// now delete the testing data // now delete the testing data
$sQuery = "DELETE FROM testResults $sQuery = "DELETE FROM testResults
WHERE testingId = ".$this->iTestingId." WHERE testingId = '?'
LIMIT 1"; LIMIT 1";
if(!($hResult = query_appdb($sQuery))) if(!($hResult = query_parameters($sQuery, $this->iTestingId)))
{ {
addmsg("Error removing the deleted testing data!", "red"); addmsg("Error removing the deleted testing data!", "red");
} }
@@ -170,8 +174,8 @@ class testData{
if(!$this->sQueued == 'true') if(!$this->sQueued == 'true')
return false; return false;
$sUpdate = compile_update_string(array('queued' => "false")); if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId)) "false", $this->iTestingId))
{ {
$this->sQueued = 'false'; $this->sQueued = 'false';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -194,8 +198,8 @@ class testData{
if(!$this->sQueued == 'true') if(!$this->sQueued == 'true')
return false; return false;
$sUpdate = compile_update_string(array('queued' => "rejected")); if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId)) "rejected", $this->iTestingId))
{ {
$this->sQueued = 'rejected'; $this->sQueued = 'rejected';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -215,8 +219,8 @@ class testData{
return; return;
} }
$sUpdate = compile_update_string(array('queued' => "true")); if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId)) "true", $this->iTestingId))
{ {
$this->sQueued = 'true'; $this->sQueued = 'true';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -333,15 +337,17 @@ class testData{
function ShowTestResult($iCurrentTest,$iVersionId) function ShowTestResult($iCurrentTest,$iVersionId)
{ {
$hResult = query_appdb("SELECT * $hResult = query_parameters("SELECT *
FROM testResults FROM testResults
WHERE testingId = '".$iCurrentTest."';"); WHERE testingId = '?'",
$iCurrentTest);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
{ {
$hResult = query_appdb("SELECT * $hResult = query_parameters("SELECT *
FROM testResults FROM testResults
WHERE versionId = '".$iVersionId."' WHERE versionId = '?'
ORDER BY testedDate DESC ;"); ORDER BY testedDate DESC ;",
$iVersionId);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
return false; return false;
} }
@@ -358,6 +364,12 @@ class testData{
// Show the Test results for a application version // Show the Test results for a application version
function ShowVersionsTestingTable($iVersionId, $iCurrentTest, $link, $iDisplayLimit) function ShowVersionsTestingTable($iVersionId, $iCurrentTest, $link, $iDisplayLimit)
{ {
/* escape input parameters */
$iVersionId = mysql_real_escape_string($iVersionId);
$iCurrentTest = mysql_real_escape_string($iCurrentTest);
$link = mysql_real_escape_string($link);
$iDisplayLimit = mysql_real_escape_string($iDisplayLimit);
$aClean = array(); //array of filtered user input $aClean = array(); //array of filtered user input
$aClean['showAll'] = makeSafe($_REQUEST['showAll']); $aClean['showAll'] = makeSafe($_REQUEST['showAll']);
@@ -592,17 +604,18 @@ class testData{
{ {
if($_SESSION['current']->hasPriv("admin")) if($_SESSION['current']->hasPriv("admin"))
{ {
$hResult = query_appdb("SELECT * $hResult = query_parameters("SELECT *
FROM testResults FROM testResults
WHERE queued = '".$sQueued."';"); WHERE queued = '?'", $sQueued);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
return; return;
} else } else
{ {
$hResult = query_appdb("SELECT * $hResult = query_parameters("SELECT *
FROM testResults FROM testResults
WHERE queued = '".$sQueued."' WHERE queued = '?'
AND submitterId = ".$_SESSION['current']->iUserId.";"); AND submitterId = '?'",
$sQueued, $_SESSION['current']->iUserId);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
return; return;
} }
@@ -665,7 +678,7 @@ function getNumberOfQueuedTests()
and appVersion.queued='false' and appVersion.queued='false'
and testResults.queued='true';"; and testResults.queued='true';";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
if($hResult) if($hResult)
{ {
$row = mysql_fetch_object($hResult); $row = mysql_fetch_object($hResult);
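Review bot: In update(), `$sUpdate` from compile_update_string() is still concatenated into the statement ahead of the `'?'` placeholder, so the tested-rating and comment values bypass query_parameters(), and if substitution is positional on the literal `?` character a comment containing a question mark would shift the `$this->iTestingId` binding to the wrong place; bind each column in that array explicitly, e.g. `UPDATE testResults SET testedRating = '?', comments = '?' WHERE testingId = '?'` with the values passed in order, as the unqueue/reject/requeue hunks already do. In ShowVersionsTestingTable, mysql_real_escape_string() on `$iDisplayLimit` and `$iCurrentTest` only neutralises quote characters; if either is interpolated unquoted (a LIMIT clause, for instance), a non-numeric value without quotes passes through unchanged, so cast with `(int)` instead. Both functions continue outside their hunks.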


@@ -29,8 +29,8 @@ class Url {
$sQuery = "SELECT appData.* $sQuery = "SELECT appData.*
FROM appData FROM appData
WHERE type = 'url' WHERE type = 'url'
AND id = ".$iUrlId; AND id = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iUrlId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iUrlId = $iUrlId; $this->iUrlId = $iUrlId;
@@ -88,10 +88,10 @@ class Url {
function delete($bSilent=false) function delete($bSilent=false)
{ {
$sQuery = "DELETE FROM appData $sQuery = "DELETE FROM appData
WHERE id = ".$this->iUrlId." WHERE id = '?'
AND type = 'url' AND type = 'url'
LIMIT 1"; LIMIT 1";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $this->iUrlId))
{ {
if(!$bSilent) if(!$bSilent)
$this->SendNotificationMail(true); $this->SendNotificationMail(true);
@@ -112,8 +112,8 @@ class Url {
if(!$this->bQueued) if(!$this->bQueued)
return false; return false;
$sUpdate = compile_update_string(array('queued' => "false")); if(query_parameters("UPDATE appData SET queued = '?' WHERE id='?'",
if(query_appdb("UPDATE appData SET ".$sUpdate." WHERE id=".$this->iUrlId)) "false", $this->iUrlId))
{ {
// we send an e-mail to intersted people // we send an e-mail to intersted people
$this->mailSubmitter(); $this->mailSubmitter();
@@ -134,8 +134,8 @@ class Url {
if ($sDescription && $sDescription!=$this->sDescription) if ($sDescription && $sDescription!=$this->sDescription)
{ {
$sUpdate = compile_update_string(array('description' => $sDescription)); if (!query_parameters("UPDATE appData SET description = '?' WHERE id = '?'",
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId)) $sDescription, $this->iUrlId))
return false; return false;
$sWhatChanged .= "Description was changed from\n ".$this->sDescription."\n to \n".$sDescription.".\n\n"; $sWhatChanged .= "Description was changed from\n ".$this->sDescription."\n to \n".$sDescription.".\n\n";
$this->sDescription = $sDescription; $this->sDescription = $sDescription;
@@ -143,8 +143,8 @@ class Url {
if ($sUrl && $sUrl!=$this->sUrl) if ($sUrl && $sUrl!=$this->sUrl)
{ {
$sUpdate = compile_update_string(array('noteDesc' => $sDescription)); if (!query_parameters("UPDATE appData SET noteDesc = '?' WHERE id = '?'",
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId)) $sDescription, $this->iUrlId))
return false; return false;
$sWhatChanged .= "Url was changed from ".$this->sUrl." to ".$sUrl.".\n\n"; $sWhatChanged .= "Url was changed from ".$this->sUrl." to ".$sUrl.".\n\n";
$this->sUrl = $sUrl; $this->sUrl = $sUrl;
@@ -152,8 +152,8 @@ class Url {
if ($iVersionId && $iVersionId!=$this->iVersionId) if ($iVersionId && $iVersionId!=$this->iVersionId)
{ {
$sUpdate = compile_update_string(array('versionId' => $iVersionId)); if (!query_parameters("UPDATE appData SET versionId = '?' WHERE id = '?'",
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId)) $iVersionId, $this->iUrlId))
return false; return false;
$oVersionBefore = new Version($this->iVersionId); $oVersionBefore = new Version($this->iVersionId);
$oVersionAfter = new Version($iVersionId); $oVersionAfter = new Version($iVersionId);
@@ -164,8 +164,8 @@ class Url {
if ($iAppId && $iAppId!=$this->iAppId) if ($iAppId && $iAppId!=$this->iAppId)
{ {
$sUpdate = compile_update_string(array('appId' => $iAppId)); if (!query_parameters("UPDATE appData SET appId = '?' WHERE id = '?'",
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId)) $iAppId, $this->iUrlId))
return false; return false;
$oAppBefore = new Application($this->iAppId); $oAppBefore = new Application($this->iAppId);
$oAppAfter = new Application($iAppId); $oAppAfter = new Application($iAppId);
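Review bot: The URL-change branch (the `$sUrl && $sUrl!=$this->sUrl` hunk) still writes `$sDescription` into `noteDesc` and never stores `$sUrl`, so the change log reports a URL change that was not persisted; the commit rewrote this line and kept the defect. The query should be `UPDATE appData SET url = '?' WHERE id = '?'` bound with `$sUrl, $this->iUrlId` — appData's `url` column is the one the Screenshot class updates earlier in this commit. The enclosing update function starts and ends outside these hunks.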


@@ -37,8 +37,8 @@ class User {
{ {
$sQuery = "SELECT * $sQuery = "SELECT *
FROM user_list FROM user_list
WHERE userId = '".$iUserId."'"; WHERE userId = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $iUserId);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iUserId = $oRow->userid; $this->iUserId = $oRow->userid;
$this->sEmail = $oRow->email; $this->sEmail = $oRow->email;
@@ -59,9 +59,10 @@ class User {
{ {
$sQuery = "SELECT * $sQuery = "SELECT *
FROM user_list FROM user_list
WHERE email = '".addslashes($sEmail)."' WHERE email = '?'
AND password = password('".addslashes($sPassword)."')"; AND password = password('?')";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $sEmail, $sPassword);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iUserId = $oRow->userid; $this->iUserId = $oRow->userid;
$this->sEmail = $oRow->email; $this->sEmail = $oRow->email;
@@ -72,7 +73,8 @@ class User {
if($this->isLoggedIn()) if($this->isLoggedIn())
{ {
// Update timestamp and clear the inactivity flag if it was set // Update timestamp and clear the inactivity flag if it was set
query_appdb("UPDATE user_list SET stamp=NOW(), inactivity_warned='false' WHERE userid=".$this->iUserId); query_parameters("UPDATE user_list SET stamp = ?, inactivity_warned = '?' WHERE userid='?'",
"NOW()", "false", $this->iUserId);
return SUCCESS; return SUCCESS;
} }
return USER_LOGIN_FAILED; return USER_LOGIN_FAILED;
@@ -123,21 +125,25 @@ class User {
addMsg("An account with this e-mail exists already.","red"); addMsg("An account with this e-mail exists already.","red");
return USER_UPDATE_FAILED_EMAIL_EXISTS; return USER_UPDATE_FAILED_EMAIL_EXISTS;
} }
if (!query_appdb("UPDATE user_list SET email = '".addslashes($this->sEmail)."' WHERE userid = ".$this->iUserId)) if (!query_parameters("UPDATE user_list SET email = '?' WHERE userid = '?'",
$this->sEmail, $this->iUserId))
return USER_UPDATE_FAILED; return USER_UPDATE_FAILED;
} }
if ($this->sRealname && ($this->sRealname != $oUser->sRealname)) if ($this->sRealname && ($this->sRealname != $oUser->sRealname))
{ {
if (!query_appdb("UPDATE user_list SET realname = '".addslashes($this->sRealname)."' WHERE userid = ".$this->iUserId)) if (!query_parameters("UPDATE user_list SET realname = '?' WHERE userid = '?'",
$this->sRealname, $this->iUserId))
return USER_UPDATE_FAILED; return USER_UPDATE_FAILED;
} }
if ($this->sWineRelease && ($this->sWineRelease != $oUser->sWineRelease)) if ($this->sWineRelease && ($this->sWineRelease != $oUser->sWineRelease))
{ {
if (!query_appdb("UPDATE user_list SET CVSrelease = '".addslashes($this->sWineRelease)."' WHERE userid = ".$this->iUserId)) if (!query_parameters("UPDATE user_list SET CVSrelease = '?' WHERE userid = '?'",
$this->sWineRelease, $this->iUserId))
return USER_UPDATE_FAILED; return USER_UPDATE_FAILED;
} }
return SUCCESS; return SUCCESS;
} }
@@ -152,7 +158,8 @@ class User {
{ {
if($sPassword) if($sPassword)
{ {
if (query_appdb("UPDATE user_list SET password = password('$sPassword') WHERE userid = ".$this->iUserId)) if (query_parameters("UPDATE user_list SET password = password('?') WHERE userid = '?'",
$sPassword, $this->iUserId))
return true; return true;
} }
@@ -167,12 +174,12 @@ class User {
function delete() function delete()
{ {
if(!$this->isLoggedIn()) return false; if(!$this->isLoggedIn()) return false;
$hResult2 = query_appdb("DELETE FROM user_privs WHERE userid = '".$this->iUserId."'"); $hResult2 = query_parameters("DELETE FROM user_privs WHERE userid = '?'", $this->iUserId);
$hResult3 = query_appdb("DELETE FROM user_prefs WHERE userid = '".$this->iUserId."'"); $hResult3 = query_parameters("DELETE FROM user_prefs WHERE userid = '?'", $this->iUserId);
$hResult4 = query_appdb("DELETE FROM appVotes WHERE userid = '".$this->iUserId."'"); $hResult4 = query_parameters("DELETE FROM appVotes WHERE userid = '?'", $this->iUserId);
$hResult5 = query_appdb("DELETE FROM appMaintainers WHERE userid = '".$this->iUserId."'"); $hResult5 = query_parameters("DELETE FROM appMaintainers WHERE userid = '?'", $this->iUserId);
$hResult6 = query_appdb("DELETE FROM appComments WHERE userId = '".$this->iUserId."'"); $hResult6 = query_parameters("DELETE FROM appComments WHERE userId = '?'", $this->iUserId);
return($hResult = query_appdb("DELETE FROM user_list WHERE userid = '".$this->iUserId."'")); return($hResult = query_parameters("DELETE FROM user_list WHERE userid = '?'", $this->iUserId));
} }
@@ -184,7 +191,8 @@ class User {
if(!$this->isLoggedIn() || !$sKey) if(!$this->isLoggedIn() || !$sKey)
return $sDef; return $sDef;
$hResult = query_appdb("SELECT * FROM user_prefs WHERE userid = ".$this->iUserId." AND name = '$sKey'"); $hResult = query_parameters("SELECT * FROM user_prefs WHERE userid = '?' AND name = '?'",
$this->iUserId, $sKey);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
return $sDef; return $sDef;
$ob = mysql_fetch_object($hResult); $ob = mysql_fetch_object($hResult);
@@ -200,7 +208,8 @@ class User {
if(!$this->isLoggedIn() || !$sKey || !$sValue) if(!$this->isLoggedIn() || !$sKey || !$sValue)
return false; return false;
$hResult = query_appdb("DELETE FROM user_prefs WHERE userid = ".$this->iUserId." AND name = '$sKey'"); $hResult = query_parameters("DELETE FROM user_prefs WHERE userid = '?' AND name = '?'",
$this->iUserId, $sKey);
$hResult = query_parameters("INSERT INTO user_prefs (userid, name, value) VALUES". $hResult = query_parameters("INSERT INTO user_prefs (userid, name, value) VALUES".
"('?', '?', '?')", $this->iUserId, $sKey, $sValue); "('?', '?', '?')", $this->iUserId, $sKey, $sValue);
return $hResult; return $hResult;
@@ -215,7 +224,8 @@ class User {
if(!$this->isLoggedIn() || !$sPriv) if(!$this->isLoggedIn() || !$sPriv)
return false; return false;
$hResult = query_appdb("SELECT * FROM user_privs WHERE userid = ".$this->iUserId." AND priv = '".$sPriv."'"); $hResult = query_parameters("SELECT * FROM user_privs WHERE userid = '?' AND priv = '?'",
$this->iUserId, $sPriv);
if(!$hResult) if(!$hResult)
return false; return false;
return mysql_num_rows($hResult); return mysql_num_rows($hResult);
@@ -237,14 +247,16 @@ class User {
/* otherwise check if we maintain this specific version */ /* otherwise check if we maintain this specific version */
if($iVersionId) if($iVersionId)
{ {
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '".$this->iUserId."' AND versionId = '$iVersionId'"; $sQuery = "SELECT * FROM appMaintainers WHERE userid = '?' AND versionId = '?'";
$hResult = query_parameters($sQuery, $this->iUserId, $iVersionId);
} else // are we maintaining any version ? } else // are we maintaining any version ?
{ {
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '".$this->iUserId."'"; $sQuery = "SELECT * FROM appMaintainers WHERE userid = '?'";
$hResult = query_parameters($sQuery, $this->iUserId);
} }
$hResult = query_appdb($sQuery);
if(!$hResult) if(!$hResult)
return false; return false;
return mysql_num_rows($hResult); return mysql_num_rows($hResult);
} }
@@ -258,12 +270,13 @@ class User {
if($iAppId) if($iAppId)
{ {
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '$this->iUserId' AND appId = '$iAppId' AND superMaintainer = '1'"; $sQuery = "SELECT * FROM appMaintainers WHERE userid = '?' AND appId = '?' AND superMaintainer = '1'";
$hResult = query_parameters($sQuery, $this->iUserId, $iAppId);
} else /* are we super maintainer of any applications? */ } else /* are we super maintainer of any applications? */
{ {
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '$this->iUserId' AND superMaintainer = '1'"; $sQuery = "SELECT * FROM appMaintainers WHERE userid = '?' AND superMaintainer = '1'";
$hResult = query_parameters($sQuery, $this->iUserId);
} }
$hResult = query_appdb($sQuery);
if(!$hResult) if(!$hResult)
return false; return false;
return mysql_num_rows($hResult); return mysql_num_rows($hResult);
@@ -273,8 +286,8 @@ class User {
{ {
if(!$this->isLoggedIn()) return 0; if(!$this->isLoggedIn()) return 0;
$sQuery = "SELECT count(*) as cnt from appMaintainers WHERE userid = '$this->iUserId' AND superMaintainer = '$bSuperMaintainer'"; $sQuery = "SELECT count(*) as cnt from appMaintainers WHERE userid = '?' AND superMaintainer = '?'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $this->iUserId, $bSuperMaintainer);
if(!$hResult) if(!$hResult)
return 0; return 0;
$ob = mysql_fetch_object($hResult); $ob = mysql_fetch_object($hResult);
@@ -308,7 +321,7 @@ class User {
$statusMessage = "<p>The maintainer was successfully added into the database</p>\n"; $statusMessage = "<p>The maintainer was successfully added into the database</p>\n";
//delete the item from the queue //delete the item from the queue
query_appdb("DELETE from appMaintainerQueue where queueId = ".$iQueueId.";"); query_parameters("DELETE from appMaintainerQueue where queueId = '?'", $iQueueId);
$oApp = new Application($iAppId); $oApp = new Application($iAppId);
$oVersion = new Version($iVersionId); $oVersion = new Version($iVersionId);
//Send Status Email //Send Status Email
@@ -326,7 +339,7 @@ class User {
} else } else
{ {
//delete the item from the queue //delete the item from the queue
query_appdb("DELETE from appMaintainerQueue where queueId = ".$iQueueId.";"); query_parameters("DELETE from appMaintainerQueue where queueId = '?'", $iQueueId);
if($this->isSuperMaintainer($iAppId) && !$bSuperMaintainer) if($this->isSuperMaintainer($iAppId) && !$bSuperMaintainer)
$statusMessage = "<p>User is already a super maintainer of this application</p>\n"; $statusMessage = "<p>User is already a super maintainer of this application</p>\n";
@@ -345,23 +358,22 @@ class User {
if($iAppId && ($iVersionId == null)) if($iAppId && ($iVersionId == null))
{ {
$superMaintainer = 1; $superMaintainer = 1;
$sQuery = "DELETE FROM appMaintainers WHERE userId = ".$this->iUserId. $hResult = query_parameters("DELETE FROM appMaintainers WHERE userId = '?'
" AND appId = ".$iAppId." AND superMaintainer = ".$superMaintainer.";"; AND appId = '?' AND superMaintainer = '?'",
$this->iUserId, $iAppId, $superMaintainer);
} else if($iAppId && $iVersionId) /* remove a normal maintainer */ } else if($iAppId && $iVersionId) /* remove a normal maintainer */
{ {
$superMaintainer = 0; $superMaintainer = 0;
$sQuery = "DELETE FROM appMaintainers WHERE userId = ".$this->iUserId. $hResult = query_parameters("DELETE FROM appMaintainers WHERE userId = '?'
" AND appId = ".$iAppId." AND versionId = ".$iVersionId." AND superMaintainer = ".$superMaintainer.";"; AND appId = '?' AND versionId = '?' AND superMaintainer = '?'",
$this->iUserId, $iAppId, $iVersionId, $superMaintainer);
} else if(($iAppId == null) && ($iVersionId == null)) /* remove all maintainership by this user */ } else if(($iAppId == null) && ($iVersionId == null)) /* remove all maintainership by this user */
{ {
$sQuery = "DELETE FROM appMaintainers WHERE userId = ".$this->iUserId.";"; $hResult = query_parameters("DELETE FROM appMaintainers WHERE userId = '?'", $this->iUserId);
} }
if($sQuery) if($hResult)
{
if($hResult = query_appdb($sQuery))
return true; return true;
}
return false; return false;
} }
@@ -374,7 +386,7 @@ class User {
return 0; return 0;
$sQuery = "SELECT count(*) as queued_apps FROM appFamily WHERE queued='true'"; $sQuery = "SELECT count(*) as queued_apps FROM appFamily WHERE queued='true'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->queued_apps; return $oRow->queued_apps;
} }
@@ -383,16 +395,16 @@ class User {
{ {
if($this->hasPriv("admin")) if($this->hasPriv("admin"))
{ {
$sQuery = "SELECT count(*) as queued_versions FROM appVersion WHERE queued='true'"; $hResult = query_parameters("SELECT count(*) as queued_versions FROM appVersion WHERE queued='true'");
} else } else
{ {
/* find all queued versions of applications that the user is a super maintainer of */ /* find all queued versions of applications that the user is a super maintainer of */
$sQuery = "SELECT count(*) as queued_versions FROM appVersion, appMaintainers $hResult = query_parameters("SELECT count(*) as queued_versions FROM appVersion, appMaintainers
WHERE queued='true' AND appMaintainers.superMaintainer ='1' WHERE queued='true' AND appMaintainers.superMaintainer ='1'
AND appVersion.appId = appMaintainers.appId AND appVersion.appId = appMaintainers.appId
AND appMaintainers.userId ='".$this->iUserId."';"; AND appMaintainers.userId ='?'", $this->iUserId);
} }
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
/* we don't want to count the versions that are implicit in the applications */ /* we don't want to count the versions that are implicit in the applications */
@@ -428,8 +440,9 @@ class User {
if(!$this->isLoggedIn() || !$sPriv) if(!$this->isLoggedIn() || !$sPriv)
return false; return false;
$hRresult = query_appdb("DELETE FROM user_privs WHERE userid = $this->iUserId AND priv = '$sPriv'"); $hResult = query_parameters("DELETE FROM user_privs WHERE userid = '?' AND priv = '?'",
return $hRresult; $this->iUserId, $sPriv);
return $hResult;
} }
@@ -466,6 +479,12 @@ class User {
*/ */
function getAppDataQuery($iAppDataId, $queryQueuedCount, $queryQueued) function getAppDataQuery($iAppDataId, $queryQueuedCount, $queryQueued)
{ {
/* escape all of the input variables */
/* code is too complex to easily use query_parameters() */
$iAppDataId = mysql_real_escape_string($iAppDataId);
$queryQueuedCount = mysql_real_escape_string($queryQueuedCount);
$queryQueued = mysql_real_escape_string($queryQueued);
/* either look for queued app data entries */ /* either look for queued app data entries */
/* or ones that match the given id */ /* or ones that match the given id */
if($queryQueuedCount) if($queryQueuedCount)
@@ -503,7 +522,7 @@ class User {
AND (appMaintainers.superMaintainer = '0')) AND (appMaintainers.superMaintainer = '0'))
) )
AND appData.versionId = appVersion.versionId AND appData.versionId = appVersion.versionId
AND appMaintainers.userId = '".$this->iUserId."' AND appMaintainers.userId = '".mysql_real_escape_string($this->iUserId)."'
".$additionalTerms.";"; ".$additionalTerms.";";
} }
@@ -518,9 +537,8 @@ class User {
if(!$_SESSION['current']->canDeleteAppDataId($iAppDataId)) if(!$_SESSION['current']->canDeleteAppDataId($iAppDataId))
return false; return false;
$sQuery = "DELETE from appData where id = ".$iAppDataId." $hResult = query_parameters("DELETE from appData where id = '?' LIMIT 1",
LIMIT 1;"; $iAppDataId);
$hResult = query_appdb($sQuery);
if($hResult) if($hResult)
return true; return true;
@@ -532,6 +550,9 @@ class User {
*/ */
function getAppQueueQuery($queryAppFamily) function getAppQueueQuery($queryAppFamily)
{ {
/* escape input as we can't easily use query_parameters() */
$queryAppFamily = mysql_real_escape_string($queryAppFamily);
if($this->hasPriv("admin")) if($this->hasPriv("admin"))
{ {
if($queryAppFamily) if($queryAppFamily)
@@ -551,7 +572,7 @@ class User {
WHERE queued = 'true' WHERE queued = 'true'
AND appFamily.appId = appMaintainers.appId AND appFamily.appId = appMaintainers.appId
AND appMaintainers.superMaintainer = '1' AND appMaintainers.superMaintainer = '1'
AND appMaintainers.userId = '".$this->iUserId."';"; AND appMaintainers.userId = '".mysql_real_escape_string($this->iUserId)."';";
} else } else
{ {
$sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily, appMaintainers $sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily, appMaintainers
@@ -559,7 +580,7 @@ class User {
AND appFamily.queued = 'false' AND appVersion.queued = 'true' AND appFamily.queued = 'false' AND appVersion.queued = 'true'
AND appFamily.appId = appMaintainers.appId AND appFamily.appId = appMaintainers.appId
AND appMaintainers.superMaintainer = '1' AND appMaintainers.superMaintainer = '1'
AND appMaintainers.userId = '".$this->iUserId."';"; AND appMaintainers.userId = '".mysql_real_escape_string($this->iUserId)."';";
} }
} }
@@ -568,6 +589,9 @@ class User {
function getAppRejectQueueQuery($queryAppFamily) function getAppRejectQueueQuery($queryAppFamily)
{ {
/* escape input as we can't easily use query_parameters() */
$queryAppFamily = mysql_real_escape_string($queryAppFamily);
if($this->hasPriv("admin")) if($this->hasPriv("admin"))
{ {
if($queryAppFamily) if($queryAppFamily)
@@ -585,13 +609,13 @@ class User {
{ {
$sQuery = "SELECT appFamily.appId FROM appFamily $sQuery = "SELECT appFamily.appId FROM appFamily
WHERE queued = 'rejected' WHERE queued = 'rejected'
AND appFamily.submitterId = '".$this->iUserId."';"; AND appFamily.submitterId = '".mysql_real_escape_string($this->iUserId)."';";
} else } else
{ {
$sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily $sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily
WHERE appFamily.appId = appVersion.appId WHERE appFamily.appId = appVersion.appId
AND appFamily.queued = 'false' AND appVersion.queued = 'rejected' AND appFamily.queued = 'false' AND appVersion.queued = 'rejected'
AND appVersion.submitterId = '".$this->iUserId."';"; AND appVersion.submitterId = '".mysql_real_escape_string($this->iUserId)."';";
} }
} }
@@ -600,11 +624,12 @@ class User {
function getAllRejectedApps() function getAllRejectedApps()
{ {
$hResult = query_appdb("SELECT appVersion.versionId, appFamily.appId $hResult = query_parameters("SELECT appVersion.versionId, appFamily.appId
FROM appVersion, appFamily FROM appVersion, appFamily
WHERE appFamily.appId = appVersion.appId WHERE appFamily.appId = appVersion.appId
AND (appFamily.queued = 'rejected' OR appVersion.queued = 'rejected') AND (appFamily.queued = 'rejected' OR appVersion.queued = 'rejected')
AND appVersion.submitterId = '".$this->iUserId."';"); AND appVersion.submitterId = '?'",
$this->iUserId);
if(!$hResult || mysql_num_rows($hResult) == 0) if(!$hResult || mysql_num_rows($hResult) == 0)
return; return;
@@ -622,10 +647,10 @@ class User {
function isAppSubmitter($iAppId) function isAppSubmitter($iAppId)
{ {
$sQuery = "SELECT appId FROM appFamily $hResult = query_parameters("SELECT appId FROM appFamily
WHERE submitterId = '".$this->iUserId."' WHERE submitterId = '?'
AND appId = '".$iAppId."';"; AND appId = '?'",
$hResult = query_appdb($sQuery); $this->iUserId, $iAppId);
if(mysql_num_rows($hResult)) if(mysql_num_rows($hResult))
return true; return true;
else else
@@ -634,11 +659,11 @@ class User {
function isVersionSubmitter($iVersionId) function isVersionSubmitter($iVersionId)
{ {
$sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily $hResult = query_parameters("SELECT appVersion.versionId FROM appVersion, appFamily
WHERE appFamily.appId = appVersion.appId WHERE appFamily.appId = appVersion.appId
AND appVersion.submitterId = '".$this->iUserId."' AND appVersion.submitterId = '?'
AND appVersion.versionId = '".$iVersionId."';"; AND appVersion.versionId = '?'",
$hResult = query_appdb($sQuery); $this->iUserId, $iVersionId);
if(mysql_num_rows($hResult)) if(mysql_num_rows($hResult))
return true; return true;
else else
@@ -649,18 +674,18 @@ class User {
/* otherwise we return false */ /* otherwise we return false */
function hasDataAssociated() function hasDataAssociated()
{ {
$sQuery = "SELECT count(userId) as c FROM appComments WHERE userId = $this->iUserId"; $hResult = query_parameters("SELECT count(userId) as c FROM appComments WHERE userId = '?'",
$hResult = query_appdb($sQuery); $this->iUserId);
$ob = mysql_fetch_object($hResult); $ob = mysql_fetch_object($hResult);
if($ob->c != 0) return true; if($ob->c != 0) return true;
$sQuery = "SELECT count(userId) as c FROM appMaintainers WHERE userId = $this->iUserId"; $hResult = query_parameters("SELECT count(userId) as c FROM appMaintainers WHERE userId = '?'",
$hResult = query_appdb($sQuery); $this->iUserId);
$ob = mysql_fetch_object($hResult); $ob = mysql_fetch_object($hResult);
if($ob->c != 0) return true; if($ob->c != 0) return true;
$sQuery = "SELECT count(userId) as c FROM appVotes WHERE userId = $this->iUserId"; $hResult = query_parameters("SELECT count(userId) as c FROM appVotes WHERE userId = '?'",
$hResult = query_appdb($sQuery); $this->iUserId);
$ob = mysql_fetch_object($hResult); $ob = mysql_fetch_object($hResult);
if($ob->c != 0) return true; if($ob->c != 0) return true;
@@ -693,8 +718,8 @@ class User {
mail_appdb($this->sEmail, $sSubject, $sMsg); mail_appdb($this->sEmail, $sSubject, $sMsg);
/* mark this user as being inactive and set the appropriate timestamp */ /* mark this user as being inactive and set the appropriate timestamp */
$sQuery = "update user_list set inactivity_warned='true', inactivity_warn_stamp=NOW() where userid=".$this->iUserId; $sQuery = "update user_list set inactivity_warned='true', inactivity_warn_stamp=NOW() where userid='?'";
query_appdb($sQuery); query_parameters($sQuery, $this->iUserId);
return true; return true;
} }
@@ -1032,23 +1057,25 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
*/ */
if($iVersionId) if($iVersionId)
{ {
$sQuery = "SELECT appMaintainers.userId $hResult = query_parameters("SELECT appMaintainers.userId
FROM appMaintainers, appVersion FROM appMaintainers, appVersion
WHERE appVersion.appId = appMaintainers.appId WHERE appVersion.appId = appMaintainers.appId
AND appVersion.versionId = '".$iVersionId."'"; AND appVersion.versionId = '?'",
$iVersionId);
} }
/* /*
* If versionId was not supplied we fetch supermaintainers of application and maintainer of all versions. * If versionId was not supplied we fetch supermaintainers of application and maintainer of all versions.
*/ */
elseif($iAppId) elseif($iAppId)
{ {
$sQuery = "SELECT userId $hResult = query_parameters("SELECT userId
FROM appMaintainers FROM appMaintainers
WHERE appId = '".$iAppId."'"; WHERE appId = '?'",
$iAppId);
} }
if($sQuery)
if($hResult)
{ {
$hResult = query_appdb($sQuery);
if(mysql_num_rows($hResult) > 0) if(mysql_num_rows($hResult) > 0)
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
@@ -1067,23 +1094,24 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
*/ */
if($iVersionId) if($iVersionId)
{ {
$sQuery = "SELECT appMonitors.userId $hResult = query_parameters("SELECT appMonitors.userId
FROM appMonitors, appVersion FROM appMonitors, appVersion
WHERE appVersion.appId = appMonitors.appId WHERE appVersion.appId = appMonitors.appId
AND appVersion.versionId = '".$iVersionId."'"; AND appVersion.versionId = '?'",
$iVersionId);
} }
/* /*
* If versionId was not supplied we fetch superMonitors of application and Monitors of all versions. * If versionId was not supplied we fetch superMonitors of application and Monitors of all versions.
*/ */
elseif($iAppId) elseif($iAppId)
{ {
$sQuery = "SELECT userId $hResult = query_parameters("SELECT userId
FROM appMonitors FROM appMonitors
WHERE appId = '".$iAppId."'"; WHERE appId = '?'",
$iAppId);
} }
if($sQuery) if($hResult)
{ {
$hResult = query_appdb($sQuery);
if(mysql_num_rows($hResult) > 0) if(mysql_num_rows($hResult) > 0)
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
@@ -1097,7 +1125,7 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
/* /*
* Retrieve administrators. * Retrieve administrators.
*/ */
$hResult = query_appdb("SELECT * FROM user_privs WHERE priv = 'admin'"); $hResult = query_parameters("SELECT * FROM user_privs WHERE priv = 'admin'");
if(mysql_num_rows($hResult) > 0) if(mysql_num_rows($hResult) > 0)
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
@@ -1128,7 +1156,7 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
*/ */
function get_number_of_users() function get_number_of_users()
{ {
$hResult = query_appdb("SELECT count(*) as num_users FROM user_list;"); $hResult = query_parameters("SELECT count(*) as num_users FROM user_list;");
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->num_users; return $oRow->num_users;
} }
@@ -1139,7 +1167,8 @@ function get_number_of_users()
*/ */
function get_active_users_within_days($days) function get_active_users_within_days($days)
{ {
$hResult = query_appdb("SELECT count(*) as num_users FROM user_list WHERE stamp >= DATE_SUB(CURDATE(), interval $days day);"); $hResult = query_parameters("SELECT count(*) as num_users FROM user_list WHERE stamp >= DATE_SUB(CURDATE(), interval '?' day);",
$days);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->num_users; return $oRow->num_users;
} }
@@ -1152,8 +1181,7 @@ function get_active_users_within_days($days)
function get_inactive_users_pending_deletion() function get_inactive_users_pending_deletion()
{ {
/* retrieve the number of users that have been warned and are pending deletion */ /* retrieve the number of users that have been warned and are pending deletion */
$sQuery = "select count(*) as count from user_list where inactivity_warned = 'true'"; $hResult = query_parameters("select count(*) as count from user_list where inactivity_warned = 'true'");
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->count; return $oRow->count;
} }
@@ -1164,10 +1192,12 @@ function get_inactive_users_pending_deletion()
*/ */
function user_exists($sEmail) function user_exists($sEmail)
{ {
$hResult = query_appdb("SELECT userid FROM user_list WHERE email = '$sEmail'"); $hResult = query_parameters("SELECT userid FROM user_list WHERE email = '?'",
$sEmail);
if(!$hResult || mysql_num_rows($hResult) != 1) if(!$hResult || mysql_num_rows($hResult) != 1)
{
return 0; return 0;
else } else
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->userid; return $oRow->userid;


@@ -164,7 +164,7 @@ function make_maintainer_rating_list($varname, $cvalue)
function getQueuedMaintainerCount() function getQueuedMaintainerCount()
{ {
$sQuery = "SELECT count(*) as queued_maintainers FROM appMaintainerQueue"; $sQuery = "SELECT count(*) as queued_maintainers FROM appMaintainerQueue";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->queued_maintainers; return $oRow->queued_maintainers;
} }
@@ -173,7 +173,7 @@ function getQueuedMaintainerCount()
function getMaintainerCount() function getMaintainerCount()
{ {
$sQuery = "SELECT count(*) as maintainers FROM appMaintainers"; $sQuery = "SELECT count(*) as maintainers FROM appMaintainers";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->maintainers; return $oRow->maintainers;
} }
@@ -182,7 +182,7 @@ function getMaintainerCount()
function getVendorCount() function getVendorCount()
{ {
$sQuery = "SELECT count(*) as vendors FROM vendor"; $sQuery = "SELECT count(*) as vendors FROM vendor";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->vendors; return $oRow->vendors;
} }
@@ -190,7 +190,7 @@ function getVendorCount()
/* Get the number of users in the database */ /* Get the number of users in the database */
function getNumberOfComments() function getNumberOfComments()
{ {
$hResult = query_appdb("SELECT count(*) as num_comments FROM appComments;"); $hResult = query_parameters("SELECT count(*) as num_comments FROM appComments;");
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->num_comments; return $oRow->num_comments;
} }
@@ -198,7 +198,7 @@ function getNumberOfComments()
/* Get the number of versions in the database */ /* Get the number of versions in the database */
function getNumberOfVersions() function getNumberOfVersions()
{ {
$hResult = query_appdb("SELECT count(versionId) as num_versions FROM appVersion WHERE versionName != 'NONAME';"); $hResult = query_parameters("SELECT count(versionId) as num_versions FROM appVersion WHERE versionName != 'NONAME';");
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->num_versions; return $oRow->num_versions;
} }
@@ -206,14 +206,14 @@ function getNumberOfVersions()
/* Get the number of maintainers in the database */ /* Get the number of maintainers in the database */
function getNumberOfMaintainers() function getNumberOfMaintainers()
{ {
$hResult = query_appdb("SELECT DISTINCT userId FROM appMaintainers;"); $hResult = query_parameters("SELECT DISTINCT userId FROM appMaintainers;");
return mysql_num_rows($hResult); return mysql_num_rows($hResult);
} }
/* Get the number of app familes in the database */ /* Get the number of app familes in the database */
function getNumberOfAppFamilies() function getNumberOfAppFamilies()
{ {
$hResult = query_appdb("SELECT count(*) as num_appfamilies FROM appFamily;"); $hResult = query_parameters("SELECT count(*) as num_appfamilies FROM appFamily;");
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->num_appfamilies; return $oRow->num_appfamilies;
} }
@@ -221,7 +221,7 @@ function getNumberOfAppFamilies()
/* Get the number of images in the database */ /* Get the number of images in the database */
function getNumberOfImages() function getNumberOfImages()
{ {
$hResult = query_appdb("SELECT count(*) as num_images FROM appData WHERE type='image';"); $hResult = query_parameters("SELECT count(*) as num_images FROM appData WHERE type='image';");
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
return $oRow->num_images; return $oRow->num_images;
} }
@@ -229,7 +229,7 @@ function getNumberOfImages()
/* Get the number of queued bug links in the database */ /* Get the number of queued bug links in the database */
function getNumberOfQueuedBugLinks() function getNumberOfQueuedBugLinks()
{ {
$hResult = query_appdb("SELECT count(*) as num_buglinks FROM buglinks WHERE queued='true';"); $hResult = query_parameters("SELECT count(*) as num_buglinks FROM buglinks WHERE queued='true';");
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
@@ -241,7 +241,7 @@ function getNumberOfQueuedBugLinks()
/* Get the number of bug links in the database */ /* Get the number of bug links in the database */
function getNumberOfBugLinks() function getNumberOfBugLinks()
{ {
$hResult = query_appdb("SELECT count(*) as num_buglinks FROM buglinks;"); $hResult = query_parameters("SELECT count(*) as num_buglinks FROM buglinks;");
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
@@ -252,8 +252,9 @@ function getNumberOfBugLinks()
function lookupVendorName($vendorId) function lookupVendorName($vendorId)
{ {
$sResult = query_appdb("SELECT * FROM vendor ". $sResult = query_parameters("SELECT * FROM vendor ".
"WHERE vendorId = ".$vendorId); "WHERE vendorId = '?'",
$vendorId);
if(!$sResult || mysql_num_rows($sResult) != 1) if(!$sResult || mysql_num_rows($sResult) != 1)
return "Unknown vendor"; return "Unknown vendor";
@@ -278,18 +279,22 @@ function outputTopXRow($oRow)
/* Output the rows for the Top-X tables on the main page */ /* Output the rows for the Top-X tables on the main page */
function outputTopXRowAppsFromRating($rating, $num_apps) function outputTopXRowAppsFromRating($rating, $num_apps)
{ {
/* clean the input values so we can continue to use query_appdb() */
$rating = mysql_real_escape_string($rating);
$num_apps = mysql_real_escape_string($num_apps);
/* list of appIds we've already output, so we don't output */ /* list of appIds we've already output, so we don't output */
/* them again when filling in any empty spots in the list */ /* them again when filling in any empty spots in the list */
$appIdArray = array(); $appIdArray = array();
$sQuery = "SELECT appVotes.appId AS appId, appVersion.versionId, COUNT( appVotes.appId ) AS c $sQuery = "SELECT appVotes.appId AS appId, appVersion.versionId, COUNT( appVotes.appId ) AS c
FROM appVotes, appVersion FROM appVotes, appVersion
WHERE appVersion.maintainer_rating = '$rating' WHERE appVersion.maintainer_rating = '?'
AND appVersion.appId = appVotes.appId AND appVersion.appId = appVotes.appId
GROUP BY appVotes.appId GROUP BY appVotes.appId
ORDER BY c DESC ORDER BY c DESC
LIMIT $num_apps"; LIMIT ?";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $rating, $num_apps);
$num_apps-=mysql_num_rows($hResult); /* take away the rows we are outputting here */ $num_apps-=mysql_num_rows($hResult); /* take away the rows we are outputting here */
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -409,9 +414,9 @@ function searchForApplication($search_words)
/* search parameters */ /* search parameters */
foreach ($split_words as $key=>$value) foreach ($split_words as $key=>$value)
{ {
$sQuery = "SELECT vendorId from vendor where vendorName LIKE '%".addslashes($value)."%' $sQuery = "SELECT vendorId from vendor where vendorName LIKE '%?%'
OR vendorURL LIKE '%".addslashes($value)."%'"; OR vendorURL LIKE '%?%'";
$hResult = query_appdb($sQuery); $hResult = query_parameters($sQuery, $value, $value);
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
array_push($vendorIdArray, $oRow->vendorId); array_push($vendorIdArray, $oRow->vendorId);
@@ -424,13 +429,13 @@ function searchForApplication($search_words)
WHERE appName != 'NONAME' WHERE appName != 'NONAME'
AND appFamily.vendorId = vendor.vendorId AND appFamily.vendorId = vendor.vendorId
AND queued = 'false' AND queued = 'false'
AND (appName LIKE '%".addslashes($search_words)."%' AND (appName LIKE '%".mysql_real_escape_string($search_words)."%'
OR keywords LIKE '%".addslashes($search_words)."%'"; OR keywords LIKE '%".mysql_real_escape_string($search_words)."%'";
/* append to the query any vendors that we matched with */ /* append to the query any vendors that we matched with */
foreach($vendorIdArray as $key=>$value) foreach($vendorIdArray as $key=>$value)
{ {
$sQuery.=" OR appFamily.vendorId=$value"; $sQuery.=" OR appFamily.vendorId=".mysql_real_escape_string($value);
} }
$sQuery.=" ) ORDER BY appName"; $sQuery.=" ) ORDER BY appName";
@@ -459,7 +464,7 @@ function searchForApplicationFuzzy($search_words, $minMatchingPercent)
$sQuery = "SELECT appName, appId FROM appFamily WHERE queued = 'false'"; $sQuery = "SELECT appName, appId FROM appFamily WHERE queued = 'false'";
foreach ($excludeAppIdArray as $key=>$value) foreach ($excludeAppIdArray as $key=>$value)
{ {
$sQuery.=" AND appId != '$value'"; $sQuery.=" AND appId != '".mysql_real_escape_string($value)."'";
} }
$sQuery.=";"; $sQuery.=";";
@@ -488,11 +493,11 @@ function searchForApplicationFuzzy($search_words, $minMatchingPercent)
{ {
if($firstEntry == true) if($firstEntry == true)
{ {
$sQuery.="appId='$value'"; $sQuery.="appId='".mysql_real_escape_string($value)."'";
$firstEntry = false; $firstEntry = false;
} else } else
{ {
$sQuery.=" OR appId='$value'"; $sQuery.=" OR appId='".mysql_real_escape_string($value)."'";
} }
} }
$sQuery.=" ORDER BY appName;"; $sQuery.=" ORDER BY appName;";
@@ -530,7 +535,8 @@ function outputSearchTableForhResult($search_words, $hResult)
$bgcolor = ($c % 2) ? 'color0' : 'color1'; $bgcolor = ($c % 2) ? 'color0' : 'color1';
//count versions //count versions
$hResult2 = query_appdb("SELECT count(*) as versions FROM appVersion WHERE appId = $oRow->appId AND versionName != 'NONAME' and queued = 'false'"); $hResult2 = query_parameters("SELECT count(*) as versions FROM appVersion WHERE appId = '?' AND versionName != 'NONAME' and queued = 'false'",
$oRow->appId);
$y = mysql_fetch_object($hResult2); $y = mysql_fetch_object($hResult2);
//display row //display row
@@ -609,7 +615,7 @@ function process_app_version_changes($isVersion)
if ($_REQUEST['adelete'][$i] == "on") if ($_REQUEST['adelete'][$i] == "on")
{ {
$hResult = query_appdb("DELETE FROM appData WHERE id = '{$_REQUEST['aId'][$i]}'"); $hResult = query_parameters("DELETE FROM appData WHERE id = '?'", $_REQUEST['aId'][$i]);
if($hResult) if($hResult)
{ {
@@ -627,9 +633,9 @@ function process_app_version_changes($isVersion)
addmsg("The URL or description was blank. URL not changed in the database", "red"); addmsg("The URL or description was blank. URL not changed in the database", "red");
else else
{ {
$sUpdate = compile_update_string( array( 'description' => $_REQUEST['adescription'][$i], if (query_parameters("UPDATE appData SET description = '?', url = '?' WHERE id = '?'",
'url' => $_REQUEST['aURL'][$i])); $_REQUEST['adescription'][$i], $_REQUEST['aURL'][$i],
if (query_appdb("UPDATE appData SET $sUpdate WHERE id = '{$_REQUEST['aId'][$i]}'")) $_REQUEST['aId'][$i]))
{ {
addmsg("<p><b>Successfully updated ".$_REQUEST['aOldDesc'][$i]." (".$_REQUEST['aOldURL'][$i].")</b></p>\n",'green'); addmsg("<p><b>Successfully updated ".$_REQUEST['aOldDesc'][$i]." (".$_REQUEST['aOldURL'][$i].")</b></p>\n",'green');
$sWhatChanged .= "Changed Url: Old Description: ".stripslashes($_REQUEST['aOldDesc'][$i])."\n"; $sWhatChanged .= "Changed Url: Old Description: ".stripslashes($_REQUEST['aOldDesc'][$i])."\n";
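Review bot: The `LIMIT ?` placeholder at the end of the Top-X query in outputTopXRowAppsFromRating() is the only unquoted placeholder in the commit, and if query_parameters() substitutes escaped strings into the template (as the quoted `'?'` placeholders elsewhere suggest) rather than binding server-side, mysql_real_escape_string() gives no protection in that position — it neutralises quote and backslash characters, not spaces or `;`; since `$num_apps` is also used arithmetically on the next line, a cast is the right guard: `$num_apps = (int)$num_apps;` in place of the escape call. The escaping lines that appear to be added at the top of that function carry a comment about continuing to use query_appdb(), which the function no longer calls, so those values are presumably escaped a second time inside query_parameters(); dropping the pre-escaping (or at least the stale comment) avoids the double escape. The same unquoted-numeric pattern is in `$sQuery.=" OR appFamily.vendorId=".mysql_real_escape_string($value);` in searchForApplication(); those ids come from query results rather than the request, but `(int)$value` would state the intent. Both functions continue outside their hunks.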


@@ -25,8 +25,8 @@ class Vendor {
*/ */
$sQuery = "SELECT * $sQuery = "SELECT *
FROM vendor FROM vendor
WHERE vendorId = ".$iVendorId; WHERE vendorId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVendorId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iVendorId = $iVendorId; $this->iVendorId = $iVendorId;
@@ -39,8 +39,8 @@ class Vendor {
*/ */
$sQuery = "SELECT appId $sQuery = "SELECT appId
FROM appFamily FROM appFamily
WHERE vendorId = ".$iVendorId; WHERE vendorId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVendorId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -83,14 +83,16 @@ class Vendor {
if($sName) if($sName)
{ {
if (!query_appdb("UPDATE vendor SET vendorName = '".$sName."' WHERE vendorId = ".$this->iVendorId)) if (!query_parameters("UPDATE vendor SET vendorName = '?' WHERE vendorId = '?'",
$sName, $this->iVendorId))
return false; return false;
$this->sName = $sName; $this->sName = $sName;
} }
if($sWebpage) if($sWebpage)
{ {
if (!query_appdb("UPDATE vendor SET vendorURL = '".$sWebpage."' WHERE vendorId = ".$this->iVendorId)) if (!query_parameters("UPDATE vendor SET vendorURL = '?' WHERE vendorId = '?'",
$sWebpage, $this->iVendorId))
return false; return false;
$this->sWebpage = $sWebpage; $this->sWebpage = $sWebpage;
} }
@@ -109,9 +111,9 @@ class Vendor {
} else } else
{ {
$sQuery = "DELETE FROM vendor $sQuery = "DELETE FROM vendor
WHERE vendorId = ".$this->iVendorId." WHERE vendorId = '?'
LIMIT 1"; LIMIT 1";
query_appdb($sQuery); query_parameters($sQuery, $this->iVendorId);
addmsg("The vendor has been deleted.", "green"); addmsg("The vendor has been deleted.", "green");
} }
} }
@@ -139,7 +141,7 @@ class Vendor {
/* Get the total number of Vendors in the database */ /* Get the total number of Vendors in the database */
function getNumberOfVendors() function getNumberOfVendors()
{ {
$hResult = query_appdb("SELECT count(*) as num_vendors FROM vendor"); $hResult = query_parameters("SELECT count(*) as num_vendors FROM vendor");
if($hResult) if($hResult)
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
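Review bot: The result of the vendor DELETE is discarded and "The vendor has been deleted." is emitted unconditionally, so a failed query still reports success to the user; the two UPDATE calls earlier in this file do check the return value, and the Version class deletes in this commit do too. `if(query_parameters($sQuery, $this->iVendorId)) addmsg("The vendor has been deleted.", "green"); else addmsg("Error deleting the vendor.", "red");` brings this write in line with them. The enclosing delete method starts before the hunk, so whether callers inspect a return value is not visible here.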


@@ -47,8 +47,8 @@ class Version {
{ {
$sQuery = "SELECT * $sQuery = "SELECT *
FROM appVersion FROM appVersion
WHERE versionId = ".$iVersionId; WHERE versionId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$this->iVersionId = $iVersionId; $this->iVersionId = $iVersionId;
@@ -73,8 +73,8 @@ class Version {
$this->aNotesIds = array(); $this->aNotesIds = array();
$sQuery = "SELECT noteId $sQuery = "SELECT noteId
FROM appNotes FROM appNotes
WHERE versionId = ".$iVersionId; WHERE versionId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -88,8 +88,8 @@ class Version {
$this->aCommentsIds = array(); $this->aCommentsIds = array();
$sQuery = "SELECT commentId $sQuery = "SELECT commentId
FROM appComments FROM appComments
WHERE versionId = ".$iVersionId; WHERE versionId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -105,9 +105,9 @@ class Version {
$this->aUrlsIds = array(); $this->aUrlsIds = array();
$sQuery = "SELECT id, type $sQuery = "SELECT id, type
FROM appData FROM appData
WHERE versionId = ".$iVersionId; WHERE versionId = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -124,9 +124,9 @@ class Version {
$this->aBuglinkIds = array(); $this->aBuglinkIds = array();
$sQuery = "SELECT * $sQuery = "SELECT *
FROM buglinks FROM buglinks
WHERE versionId = ".$iVersionId." WHERE versionId = '?'
ORDER BY bug_id"; ORDER BY bug_id";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -140,9 +140,9 @@ class Version {
$this->aTestingIds = array(); $this->aTestingIds = array();
$sQuery = "SELECT * $sQuery = "SELECT *
FROM testResults FROM testResults
WHERE versionId = ".$iVersionId." WHERE versionId = '?'
ORDER BY testingId"; ORDER BY testingId";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -156,9 +156,9 @@ class Version {
$this->aMonitorIds = array(); $this->aMonitorIds = array();
$sQuery = "SELECT * $sQuery = "SELECT *
FROM appMonitors FROM appMonitors
WHERE versionId = ".$iVersionId." WHERE versionId = '?'
ORDER BY monitorId"; ORDER BY monitorId";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $iVersionId))
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {
@@ -218,16 +218,16 @@ class Version {
if ($this->sName && ($this->sName!=$oVersion->sName)) if ($this->sName && ($this->sName!=$oVersion->sName))
{ {
$sUpdate = compile_update_string(array('versionName' => $this->sName)); if (!query_parameters("UPDATE appVersion SET versionName = '?' WHERE versionId = '?'",
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) $this->sName, $this->iVersionId))
return false; return false;
$sWhatChanged .= "Name was changed from:\n\t'".$oVersion->sName."'\nto:\n\t'".$this->sName."'\n\n"; $sWhatChanged .= "Name was changed from:\n\t'".$oVersion->sName."'\nto:\n\t'".$this->sName."'\n\n";
} }
if ($this->sDescription && ($this->sDescription!=$oVersion->sDescription)) if ($this->sDescription && ($this->sDescription!=$oVersion->sDescription))
{ {
$sUpdate = compile_update_string(array('description' => $this->sDescription)); if (!query_parameters("UPDATE appVersion SET description = '?' WHERE versionId = '?'",
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) $this->sDescription, $this->iVersionId))
return false; return false;
if($oVersion->sDescription != "") if($oVersion->sDescription != "")
@@ -238,8 +238,8 @@ class Version {
if ($this->sTestedRelease && ($this->sTestedRelease!=$oVersion->sTestedRelease)) if ($this->sTestedRelease && ($this->sTestedRelease!=$oVersion->sTestedRelease))
{ {
$sUpdate = compile_update_string(array('maintainer_release' => $this->sTestedRelease)); if (!query_parameters("UPDATE appVersion SET maintainer_release = '?' WHERE versionId = '?'",
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) $this->sTestedRelease, $this->iVersionId))
return false; return false;
if($oVersion->sTestedRelease != "") if($oVersion->sTestedRelease != "")
@@ -250,8 +250,8 @@ class Version {
if ($this->sTestedRating && ($this->sTestedRating!=$oVersion->sTestedRating)) if ($this->sTestedRating && ($this->sTestedRating!=$oVersion->sTestedRating))
{ {
$sUpdate = compile_update_string(array('maintainer_rating' => $this->sTestedRating)); if (!query_parameters("UPDATE appVersion SET maintainer_rating = '?' WHERE versionId = '?'",
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) $this->sTestedRating, $this->iVersionId))
return false; return false;
if($this->sTestedRating != "") if($this->sTestedRating != "")
@@ -262,8 +262,8 @@ class Version {
if ($this->iAppId && ($this->iAppId!=$oVersion->iAppId)) if ($this->iAppId && ($this->iAppId!=$oVersion->iAppId))
{ {
$sUpdate = compile_update_string(array('appId' => $this->iAppId)); if (!query_parameters("UPDATE appVersion SET appId = '?' WHERE versionId = '?'",
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) $this->iAppId, $this->iVersionId))
return false; return false;
$oAppBefore = new Application($oVersion->iAppId); $oAppBefore = new Application($oVersion->iAppId);
$oAppAfter = new Application($this->iAppId); $oAppAfter = new Application($this->iAppId);
@@ -324,17 +324,17 @@ class Version {
} }
// remove any maintainers for this version so we don't orphan them // remove any maintainers for this version so we don't orphan them
$sQuery = "DELETE from appMaintainers WHERE versionId='".$this->iVersionId."';"; $hResult = query_parameters("DELETE from appMaintainers WHERE versionId='?'", $this->iVersionId);
if(!($hResult = query_appdb($sQuery))) if(!$hResult)
{ {
addmsg("Error removing version maintainers for the deleted version!", "red"); addmsg("Error removing version maintainers for the deleted version!", "red");
} }
/* now delete the version */ /* now delete the version */
$sQuery = "DELETE FROM appVersion $hResult = query_parameters("DELETE FROM appVersion
WHERE versionId = ".$this->iVersionId." WHERE versionId = '?'
LIMIT 1"; LIMIT 1", $this->iVersionId);
if(!($hResult = query_appdb($sQuery))) if(!$hResult)
{ {
addmsg("Error removing the deleted version!", "red"); addmsg("Error removing the deleted version!", "red");
} }
@@ -360,8 +360,8 @@ class Version {
if(!$this->sQueued == 'true') if(!$this->sQueued == 'true')
return false; return false;
$sUpdate = compile_update_string(array('queued' => "false")); if(query_parameters("UPDATE appVersion SET queued = '?' WHERE versionId = '?'",
if(query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) "false", $this->iVersionId))
{ {
$this->sQueued = 'false'; $this->sQueued = 'false';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -379,8 +379,8 @@ class Version {
if(!$this->sQueued == 'true') if(!$this->sQueued == 'true')
return false; return false;
$sUpdate = compile_update_string(array('queued' => "rejected")); if(query_parameters("UPDATE appVersion SET queued = '?' WHERE versionId = '?'",
if(query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) "rejected", $this->iVersionId))
{ {
$this->sQueued = 'rejected'; $this->sQueued = 'rejected';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -399,8 +399,8 @@ class Version {
if(!$_SESSION['current']->canRequeueVersion($this)) if(!$_SESSION['current']->canRequeueVersion($this))
return; return;
$sUpdate = compile_update_string(array('queued' => "true")); if(query_parameters("UPDATE appVersion SET queued = '?' WHERE versionId = '?'",
if(query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId)) "true", $this->iVersionId))
{ {
$this->sQueued = 'true'; $this->sQueued = 'true';
// we send an e-mail to intersted people // we send an e-mail to intersted people
@@ -662,7 +662,8 @@ class Version {
echo " <tr class=\"color1\"><td><b>URL</b></td><td>".$appLinkURL."</td></tr>\n"; echo " <tr class=\"color1\"><td><b>URL</b></td><td>".$appLinkURL."</td></tr>\n";
// links // links
$result = query_appdb("SELECT * FROM appData WHERE versionID = ".$this->iVersionId." AND type = 'url'"); $result = query_parameters("SELECT * FROM appData WHERE versionID = '?' AND type = 'url'",
$this->iVersionId);
if($result && mysql_num_rows($result) > 0) if($result && mysql_num_rows($result) > 0)
{ {
echo " <tr class=\"color1\"><td><b>Links</b></td><td>\n"; echo " <tr class=\"color1\"><td><b>Links</b></td><td>\n";
@@ -826,7 +827,8 @@ class Version {
view_version_bugs($this->iVersionId, $this->aBuglinkIds); view_version_bugs($this->iVersionId, $this->aBuglinkIds);
$rNotes = query_appdb("SELECT * FROM appNotes WHERE versionId = ".$this->iVersionId); $rNotes = query_parameters("SELECT * FROM appNotes WHERE versionId = '?'",
$this->iVersionId);
while( $oNote = mysql_fetch_object($rNotes) ) while( $oNote = mysql_fetch_object($rNotes) )
{ {


@@ -17,7 +17,8 @@ function vote_count($appId, $userId = null)
else else
return 0; return 0;
} }
$hResult = query_appdb("SELECT * FROM appVotes WHERE appId = $appId AND userId = $userId"); $hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?' AND userId = '?'",
$appId, $userId);
return mysql_num_rows($hResult); return mysql_num_rows($hResult);
} }
@@ -34,7 +35,7 @@ function vote_count_user_total($userId = null)
else else
return 0; return 0;
} }
$hResult = query_appdb("SELECT * FROM appVotes WHERE userId = $userId"); $hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);
return mysql_num_rows($hResult); return mysql_num_rows($hResult);
} }
@@ -44,7 +45,7 @@ function vote_count_user_total($userId = null)
*/ */
function vote_count_app_total($appId) function vote_count_app_total($appId)
{ {
$hResult = query_appdb("SELECT * FROM appVotes WHERE appId = $appId"); $hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?'", $appId);
return mysql_num_rows($hResult); return mysql_num_rows($hResult);
} }
@@ -86,8 +87,8 @@ function vote_remove($slot, $userId = null)
return; return;
} }
$sQuery="DELETE FROM appVotes WHERE userId = $userId AND slot = $slot"; $sQuery = "DELETE FROM appVotes WHERE userId = '?' AND slot = '?'";
query_appdb($sQuery); query_parameters($sQuery, $userId, $slot);
} }
@@ -100,7 +101,7 @@ function vote_get_user_votes($userId = null)
if(!$userId) if(!$userId)
return array(); return array();
} }
$hResult = query_appdb("SELECT * FROM appVotes WHERE userId = $userId"); $hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);
if(!$hResult) if(!$hResult)
return array(); return array();
@@ -196,8 +197,8 @@ function is_vote_in_slot($slot, $userId = null)
return; return;
} }
$sQuery="SELECT COUNT(*) as count from appVotes WHERE userId = '".$userId."' AND slot = '".$slot."';"; $sQuery = "SELECT COUNT(*) as count from appVotes WHERE userId = '?' AND slot = '?'";
if($hResult = query_appdb($sQuery)) if($hResult = query_parameters($sQuery, $userId, $slot))
{ {
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
if($oRow->count != 0) if($oRow->count != 0)
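Review bot: The rewritten `vote_count` (L2228-L2230) passes `$hResult` straight to `mysql_num_rows` without checking for a false return from `query_parameters`, while `vote_get_user_votes` in the same file (L2256-L2258) guards with `if(!$hResult) return array();`. The same unchecked pattern is in `vote_count_user_total` (L2236-L2237) and `vote_count_app_total` (L2243-L2244). A failed query would presumably surface as a PHP warning and a non-integer return from a function whose callers expect a count; adding `if(!$hResult) return 0;` before each `return mysql_num_rows($hResult);` would make the three counting functions consistent with the rest of the file.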


@@ -63,7 +63,7 @@ If you have screenshots or links to contribute, please browse the database and u
"FROM appVotes, appFamily ". "FROM appVotes, appFamily ".
"WHERE appVotes.appId = appFamily.appId ". "WHERE appVotes.appId = appFamily.appId ".
"GROUP BY appId ORDER BY count DESC LIMIT 1"; "GROUP BY appId ORDER BY count DESC LIMIT 1";
$hResult = query_appdb($voteQuery); $hResult = query_parameters($voteQuery);
$oRow = mysql_fetch_object($hResult); $oRow = mysql_fetch_object($hResult);
$voteAppId = $oRow->appId; $voteAppId = $oRow->appId;


@@ -54,7 +54,7 @@ if($_SESSION['current']->hasPriv("admin") &&
function build_prefs_list() function build_prefs_list()
{ {
global $oUser; global $oUser;
$hResult = query_appdb("SELECT * FROM prefs_list ORDER BY id"); $hResult = query_parameters("SELECT * FROM prefs_list ORDER BY id");
while($hResult && $r = mysql_fetch_object($hResult)) while($hResult && $r = mysql_fetch_object($hResult))
{ {
//skip admin options //skip admin options


@@ -73,8 +73,7 @@ else
apidb_header("View Vendors"); apidb_header("View Vendors");
//get available vendors //get available vendors
$sQuery = "SELECT vendorId FROM vendor ORDER BY vendorName, vendorId;"; $hResult = query_parameters("SELECT vendorId FROM vendor ORDER BY vendorName, vendorId;");
$hResult = query_appdb($sQuery);
// show vendorlist // show vendorlist
echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n"; echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n";
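Review bot: The query string at L2294 keeps its trailing `;` inside the SQL text (`... ORDER BY vendorName, vendorId;`), whereas the commit strips the trailing semicolon from the queries it converts elsewhere (L2262, L2336). MySQL tolerates it, but if `query_parameters` ever appends to or wraps the query the stray terminator would become a syntax error; for consistency the line should read `$hResult = query_parameters("SELECT vendorId FROM vendor ORDER BY vendorName, vendorId");`.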


@@ -64,9 +64,10 @@ echo "</form>";
echo "</center>"; echo "</center>";
/* query for all of the Screenshots in assending order */ /* query for all of the Screenshots in assending order */
$Ids = query_appdb("SELECT * from appData $Ids = query_parameters("SELECT * from appData
WHERE type = 'image' WHERE type = 'image'
ORDER BY id ASC LIMIT $offset, $ItemsPerPage;"); ORDER BY id ASC LIMIT ?, ?",
$offset, $ItemsPerPage);
$c = 1; $c = 1;
echo "<div align=center><table><tr>\n"; echo "<div align=center><table><tr>\n";
while ($oRow = mysql_fetch_object($Ids)) while ($oRow = mysql_fetch_object($Ids))
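Review bot: The `LIMIT ?, ?` placeholders at L2306 are unquoted, unlike the `'?'` placeholders used everywhere else in this commit, and the implementation of `query_parameters` is not in view; if it only escapes and substitutes each argument, escaping protects a value inside quotes but does nothing for an unquoted numeric position, so `$offset` and `$ItemsPerPage` need to be guaranteed integers before the call. Where these two come from is not visible in the hunk; if either is derived from request input, cast them first: `$offset = (int)$offset;` and `$ItemsPerPage = (int)$ItemsPerPage;`. The same applies to the bare `LIMIT ?` with `$topNumber` in the later browse hunks (L2347 and L2363). It would also help to document, near `query_parameters` itself, when a caller must write `'?'` versus a bare `?`.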


@@ -29,17 +29,17 @@ if( !is_numeric($aClean['bug_id']))
echo '</tr>',"\n"; echo '</tr>',"\n";
$sQuery = "SELECT appFamily.description as appDescription, $hResult = query_parameters("SELECT appFamily.description as appDescription,
appFamily.appName as appName, appFamily.appName as appName,
appVersion.*, buglinks.versionId as versionId appVersion.*, buglinks.versionId as versionId
FROM appFamily, appVersion, buglinks FROM appFamily, appVersion, buglinks
WHERE appFamily.appId = appVersion.appId WHERE appFamily.appId = appVersion.appId
and buglinks.versionId = appVersion.versionId and buglinks.versionId = appVersion.versionId
AND buglinks.bug_id = ".$aClean['bug_id']." AND buglinks.bug_id = '?'
ORDER BY versionName"; ORDER BY versionName", $aClean['bug_id']);
$c = 0; $c = 0;
if($hResult = query_appdb($sQuery)) if($hResult)
{ {
while($oRow = mysql_fetch_object($hResult)) while($oRow = mysql_fetch_object($hResult))
{ {


@@ -66,8 +66,8 @@ if($catId != 0)
do do
{ {
$catQuery = "SELECT appCategory.catName, appCategory.catParent ". $catQuery = "SELECT appCategory.catName, appCategory.catParent ".
"FROM appCategory WHERE appCategory.catId = '$currentCatId';"; "FROM appCategory WHERE appCategory.catId = '?'";
$hResult = query_appdb($catQuery); $hResult = query_parameters($catQuery, $currentCatId);
if($hResult) if($hResult)
{ {
@@ -142,10 +142,10 @@ echo '<br />';
if(strcasecmp($categoryId, "any") == 0) if(strcasecmp($categoryId, "any") == 0)
{ {
/* leave out the appFamily.catId = '$categoryId' */ /* leave out the appFamily.catId = '$categoryId' */
$sVoteQuery = "SELECT appVotes.appId, appName, count(userId) as count ". $hResult = query_parameters("SELECT appVotes.appId, appName, count(userId) as count ".
"FROM appVotes, appFamily ". "FROM appVotes, appFamily ".
"WHERE appVotes.appId = appFamily.appId ". "WHERE appVotes.appId = appFamily.appId ".
"GROUP BY appId ORDER BY count DESC LIMIT $topNumber"; "GROUP BY appId ORDER BY count DESC LIMIT ?", $topNumber);
} else } else
{ {
/* Display all application for a given category (including sub categories) /* Display all application for a given category (including sub categories)
@@ -156,19 +156,19 @@ if(strcasecmp($categoryId, "any") == 0)
c.catId =29 c.catId =29
OR c.catParent =29)*/ OR c.catParent =29)*/
$sVoteQuery = "SELECT v.appId, f.appName, count( v.appId ) AS count $hResult = query_parameters("SELECT v.appId, f.appName, count( v.appId ) AS count
FROM appFamily AS f, appCategory AS c, appVotes AS v FROM appFamily AS f, appCategory AS c, appVotes AS v
WHERE v.appId = f.appId WHERE v.appId = f.appId
AND f.catId = c.catId AND f.catId = c.catId
AND ( AND (
c.catId = '$categoryId' c.catId = '?'
OR c.catParent = '$categoryId' OR c.catParent = '?'
) )
GROUP BY appId GROUP BY appId
ORDER BY count DESC LIMIT $topNumber"; ORDER BY count DESC LIMIT ?", $categoryId, $categoryId, $topNumber);
} }
if($hResult = query_appdb($sVoteQuery)) if($hResult)
{ {
echo html_frame_start("", "90%", '', 0); echo html_frame_start("", "90%", '', 0);
echo html_table_begin("width='100%' align=center"); echo html_table_begin("width='100%' align=center");