Use query_parameters() in SQL select, update and delete statements to protect against

sql injection attacks
This commit is contained in:
Chris Morgan
2006-06-27 19:16:27 +00:00
committed by WineHQ
parent e6458694f4
commit e3f9e5371a
46 changed files with 602 additions and 484 deletions


@@ -58,7 +58,8 @@ else
if($aClean['thread'] > 0)
{
$hResult = query_appdb("SELECT * FROM appComments WHERE commentId = ".$aClean['thread']);
$hResult = query_parameters("SELECT * FROM appComments WHERE commentId = '?'",
$aClean['thread']);
$oRow = mysql_fetch_object($hResult);
if($oRow)
{


@@ -18,8 +18,8 @@ $aClean['noteTitle'] = makeSafe($_REQUEST['noteTitle']);
$aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']);
//FIXME: get rid of appId references everywhere, as version is enough.
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '".$aClean['versionId']."'";
$hResult = query_appdb($sQuery);
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '?'";
$hResult = query_parameters($sQuery, $aClean['versionId']);
$oRow = mysql_fetch_object($hResult);
$appId = $oRow->appId;


@@ -25,8 +25,8 @@ if($aClean['submit'])
else
{
apidb_header("Add Category");
$sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='".$aClean['catId']."'";
$hResult = query_appdb($sQuery);
$sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='?'";
$hResult = query_parameters($sQuery, $aClean['catId']);
while($oRow = mysql_fetch_object($hResult))
{
$aCatsIds[]=$oRow->catId;


@@ -178,7 +178,7 @@ if (!$aClean['id'])
$statusMessage = "<p>The application data was successfully added into the database</p>\n";
//delete the item from the queue
query_appdb("DELETE from appData where id = ".$obj_row->id.";");
query_parameters("DELETE from appData where id = '?'", $obj_row->id);
//Send Status Email
$oUser = new User($obj_row->userId);


@@ -54,7 +54,9 @@ function outputSearchTableForDuplicateFlagging($currentAppId, $hResult)
$bgcolor = ($c % 2) ? 'color0' : 'color1';
//count versions
$query = query_appdb("SELECT count(*) as versions FROM appVersion WHERE appId = $ob->appId AND versionName != 'NONAME'");
$query = query_parameters("SELECT count(*) as versions FROM appVersion WHERE ".
"appId = '?' AND versionName != 'NONAME'",
$ob->appId);
$y = mysql_fetch_object($query);
//display row
@@ -151,8 +153,7 @@ if ($aClean['sub'])
// if we are processing a queued application there MUST be an implicitly queued
// version to go along with it.
$sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT versionId from appVersion where appId='?';", $aClean['appId']);
$oRow = mysql_fetch_object($hResult);
$oVersion = new Version($oRow->versionId);
@@ -175,8 +176,8 @@ if ($aClean['sub'])
}
// Get the Testing results if they exist
$sQuery = "Select testingId from testResults where versionId='".$oVersion->iVersionId."';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT testingId from testResults where versionId='?'", $oVersion->iVersionId);
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
@@ -234,7 +235,7 @@ if ($aClean['sub'])
{
if(is_numeric($aClean['versionIdMergeTo']))
{
// move this Test submission under the existing version //
// move this Test submission under the existing version
$oTest->iVersionId = $aClean['versionIdMergeTo'];
$oTest->update();
@@ -358,8 +359,8 @@ if ($aClean['sub'])
if(!$iVendorId)
{
$sVendor = get_vendor_from_keywords($oApp->sKeywords);
$sQuery = "SELECT vendorId FROM vendor WHERE vendorname = '".$sVendor."';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT vendorId FROM vendor WHERE vendorname = '?'",
$sVendor);
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
@@ -372,8 +373,7 @@ if ($aClean['sub'])
*/
if(!$iVendorId)
{
$sQuery = "select * from vendor where vendorname like '%".$sVendor."%';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT * from vendor where vendorname like '%?%'", $sVendor);
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
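Review bot: The vendor fallbacks bind `$sVendor` into `vendorname = '?'` and then `vendorname like '%?%'`, so when get_vendor_from_keywords() returns an empty string the second pattern becomes `'%%'`, matches every row, and the first vendor in the table is silently adopted for this application. Guard the partial match with `if(!$iVendorId && $sVendor != '')`, and since an escape-based binder presumably leaves `%` and `_` untouched, consider `addcslashes($sVendor, '%_')` before binding. The enclosing `if ($aClean['sub'])` block starts and ends outside these hunks.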


@@ -117,16 +117,6 @@ if ($aClean['sub'])
AND buglinks.versionId = appVersion.versionId
AND buglinks.bug_id = ".BUGZILLA_DB.".bugs.bug_id";
}
$sQuery = "SELECT appFamily.description as appDescription,
appFamily.appName as appName, appVersion.*,
buglinks.versionId as versionId,
buglinks.bug_id as bug_id,
buglinks.linkId as linkId,
buglinks.queued as queued,
bugs.*
FROM appFamily, appVersion, buglinks, bugs.bugs
".$sWhere."
ORDER BY buglinks.bug_id, appName, versionName";
$sQuery = "SELECT appFamily.description as appDescription,
appFamily.appName as appName, appVersion.*,
buglinks.versionId as versionId,
@@ -137,11 +127,11 @@ if ($aClean['sub'])
FROM appFamily, appVersion, buglinks, bugs.bugs
".$sWhere."
ORDER BY buglinks.bug_id, appName, versionName
LIMIT ".$offset.", ".$ItemsPerPage.";";
LIMIT ".mysql_real_escape_string($offset).", ".mysql_real_escape_string($ItemsPerPage).";";
$c = 0;
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery))
{
while($oRow = mysql_fetch_object($hResult))
{
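Review bot: `mysql_real_escape_string($offset)` in the LIMIT clause only neutralises quote and backslash characters, which have no effect in an unquoted numeric position, so a non-numeric `$offset` or `$ItemsPerPage` still reaches the parser unchanged. Coerce both to integers instead, `LIMIT ".(int)$offset.", ".(int)$ItemsPerPage.";"`, and the escaping becomes unnecessary. Note also that `$sWhere` is concatenated into the template handed to query_parameters() with no bound values; it is built before this hunk, so whether it already carries user data cannot be judged here.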


@@ -60,14 +60,14 @@ echo "</center>";
/* query for all of the commentId's, ordering by their time in reverse order */
$offset = (($currentPage-1) * $ItemsPerPage);
$commentIds = query_appdb("SELECT commentId from appComments ORDER BY ".
"appComments.time ASC LIMIT $offset, $ItemsPerPage;");
$commentIds = query_parameters("SELECT commentId from appComments ORDER BY ".
"appComments.time ASC LIMIT ?, ?", $offset, $ItemsPerPage);
while ($ob = mysql_fetch_object($commentIds))
{
$sQuery = "SELECT from_unixtime(unix_timestamp(time), \"%W %M %D %Y, %k:%i\") as time, ".
"commentId, parentId, versionId, userid, subject, body ".
"FROM appComments WHERE commentId = $ob->commentId;";
$hResult = query_appdb($sQuery);
"FROM appComments WHERE commentId = '?'";
$hResult = query_parameters($sQuery, $ob->commentId);
/* call view_app_comment to display the comment */
$comment_ob = mysql_fetch_object($hResult);
view_app_comment($comment_ob);
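Review bot: `LIMIT ?, ?` binds `$offset` and `$ItemsPerPage` in an unquoted position, and if query_parameters() escapes rather than type-checks its arguments (the `'?'` convention used everywhere else in this commit suggests it does not add quotes), a non-numeric value survives escaping intact there. `$offset` is the result of an arithmetic expression and therefore numeric, but `$ItemsPerPage` is assigned outside the hunk; casting at the call, `(int)$offset, (int)$ItemsPerPage`, removes the doubt. The screenshot admin page's `LIMIT ?, ?` has the same shape.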


@@ -33,8 +33,8 @@ if ($aClean['sub'])
$sQuery = "SELECT queueId, appId, versionId,".
"userId, maintainReason, superMaintainer,".
"UNIX_TIMESTAMP(submitTime) as submitTime ".
"FROM appMaintainerQueue WHERE queueId = ".$aClean['queueId'].";";
$hResult = query_appdb($sQuery);
"FROM appMaintainerQueue WHERE queueId = '?'";
$hResult = query_parameters($sQuery, $aClean['queueId']);
$oRow = mysql_fetch_object($hResult);
$oUser = new User($oRow->userId);
mysql_free_result($hResult);
@@ -209,8 +209,9 @@ if ($aClean['sub'])
}
//delete main item
$sQuery = "DELETE from appMaintainerQueue where queueId = ".$aClean['queueId'].";";
$hResult = query_appdb($sQuery,"unable to delete selected maintainer application");
$sQuery = "DELETE from appMaintainerQueue where queueId = '?'";
$hResult = query_parameters($sQuery, $aClean['queueId']);
if(!$hResult) addmsg("unable to delete selected maintainer application", "red");
echo html_frame_start("Delete maintainer application",400,"",0);
if($hResult)
{
@@ -237,7 +238,7 @@ if ($aClean['sub'])
"superMaintainer,".
"submitTime as submitTime ".
"from appMaintainerQueue;";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
if(!$hResult || !mysql_num_rows($hResult))
{


@@ -28,8 +28,8 @@ if ($aClean['sub'])
{
if($aClean['sub'] == 'delete')
{
$sQuery = "DELETE FROM appMaintainers WHERE maintainerId = ".$aClean['maintainerId'].";";
$hResult = query_appdb($sQuery);
$sQuery = "DELETE FROM appMaintainers WHERE maintainerId = '?'";
$hResult = query_parameters($sQuery, $aClean['maintainerId']);
echo html_frame_start("Delete maintainer: ".$aClean['maintainerId'],400,"",0);
if($hResult)
{
@@ -44,7 +44,7 @@ if ($aClean['sub'])
// get available maintainers
$sQuery = "SELECT * FROM appMaintainers, user_list where appMaintainers.userId = user_list.userid";
$sQuery.= " ORDER BY realname;";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
if(!$hResult || !mysql_num_rows($hResult))
{
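Review bot: `html_frame_start("Delete maintainer: ".$aClean['maintainerId'], ...)` writes the request value back into the page, so the SQL fix does not cover this HTML sink; unless makeSafe() also HTML-encodes its input, a maintainerId containing markup is reflected to the admin. A maintainer id should only ever be an integer, so `(int)$aClean['maintainerId']` at both the query and the echo closes it without depending on makeSafe()'s semantics. The enclosing `if ($aClean['sub'])` block begins outside the hunk.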


@@ -50,7 +50,7 @@ apidb_header("Screenshots");
if($aClean['regenerate'])
{
$sQuery = "SELECT id FROM appData WHERE type = 'image'";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
while($oRow = mysql_fetch_object($hResult))
{
echo "REGENERATING IMAGE ".$oRow->id."<br/>";
@@ -113,9 +113,9 @@ echo "</form>";
echo "</center>";
/* query for all of the Screenshots in assending order */
$Ids = query_appdb("SELECT * from appData
$Ids = query_parameters("SELECT * from appData
WHERE type = 'image'
ORDER BY id ASC LIMIT $offset, $ItemsPerPage;");
ORDER BY id ASC LIMIT ?, ?", $offset, $ItemsPerPage);
$c = 1;
echo "<div align=center><table><tr>\n";
while ($oRow = mysql_fetch_object($Ids))


@@ -84,10 +84,11 @@ if($aClean['sSubmit'])
{
$sSearch = $aClean['sSearch'];
$sQuery = "SELECT * FROM user_list
WHERE realname LIKE '%".$sSearch."%' OR email LIKE '%".$sSearch."%'
ORDER BY ".$aClean['sOrderBy']."
LIMIT ".$aClean['iLimit'];
$hResult = query_appdb($sQuery);
WHERE realname LIKE '%?%' OR email LIKE '%?%'
ORDER BY ?
LIMIT ?";
$hResult = query_parameters($sQuery, $sSearch, $sSearch, $aClean['sOrderBy'],
$aClean['iLimit']);
$i=0;
while($hResult && $oRow = mysql_fetch_object($hResult))
{
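Review bot: `ORDER BY ?` cannot be parameterised: if query_parameters() quotes the value the clause becomes `ORDER BY 'realname'`, sorting by a constant string, and if it only escapes, the escaping does nothing in an identifier position and the injection this commit targets survives through `$aClean['sOrderBy']`. Resolve the column against a fixed whitelist before building the query, e.g. `$sOrderBy = in_array($aClean['sOrderBy'], array('realname', 'email')) ? $aClean['sOrderBy'] : 'realname';`, and concatenate that constant. `LIMIT ?` is likewise an unquoted position and should take `(int)$aClean['iLimit']`.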


@@ -67,7 +67,8 @@ else
echo '<table border=0 cellpadding=6 cellspacing=0 width="100%">',"\n";
$i = 0;
$hResult = query_appdb("SELECT * FROM appData WHERE appId = $oApp->iAppId AND type = 'url' AND versionId = 0");
$hResult = query_parameters("SELECT * FROM appData WHERE appId = '?' AND type = 'url' AND versionId = 0",
$oApp->iAppId);
if($hResult && mysql_num_rows($hResult) > 0)
{
echo '<tr><td class=color1><b>Delete</b></td><td class=color1>',"\n";


@@ -59,7 +59,8 @@ if(!empty($aClean['submit']))
echo '<table border=0 cellpadding=6 cellspacing=0 width="100%">',"\n";
$i = 0;
$hResult = query_appdb("SELECT * FROM appData WHERE versionId = ".$oVersion->iVersionId." AND type = 'url'");
$hResult = query_parameters("SELECT * FROM appData WHERE versionId = '?' AND type = 'url'",
$oVersion->iVersionId);
if($hResult && mysql_num_rows($hResult) > 0)
{
echo '<tr><td class=color1><b>Delete</b></td><td class=color1>',"\n";


@@ -11,7 +11,7 @@ if(!$_SESSION['current']->hasPriv("admin"))
function build_app_list()
{
$hResult = query_appdb("SELECT appId, appName FROM appFamily ORDER BY appName");
$hResult = query_parameters("SELECT appId, appName FROM appFamily ORDER BY appName");
echo "<select name=appId size=5 onChange='this.form.submit()'>\n";
while($oRow = mysql_fetch_object($hResult))
@@ -25,7 +25,8 @@ if($_REQUEST['cmd'])
{
if($_REQUEST['cmd'] == "delete")
{
$hResult = query_appdb("DELETE FROM appBundle WHERE appId =".$_REQUEST['appId']." AND bundleId =".$_REQUEST['bundleId']);
$hResult = query_parameters("DELETE FROM appBundle WHERE appId ='?' AND bundleId = '?'",
$_REQUEST['appId'], $_REQUEST['bundleId']);
if($hResult)
addmsg("App deleted from bundle", "green");
else
@@ -45,8 +46,9 @@ if($_REQUEST['cmd'])
apidb_header("Edit Application Bundle");
$hResult = query_appdb("SELECT bundleId, appBundle.appId, appName FROM appBundle, appFamily ".
"WHERE bundleId = ".$_REQUEST['bundleId']." AND appFamily.appId = appBundle.appId");
$hResult = query_parameters("SELECT bundleId, appBundle.appId, appName FROM appBundle, appFamily ".
"WHERE bundleId = '?' AND appFamily.appId = appBundle.appId",
$_REQUEST['bundleId']);
echo html_frame_start("Apps in this Bundle","300",'',0);
echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n";
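Review bot: The two new query_parameters() calls take `$_REQUEST['appId']` and `$_REQUEST['bundleId']` directly, whereas every other page in this commit routes input through `$aClean[...] = makeSafe($_REQUEST[...])`; the binding protects these statements, but any other use of the raw values on this page inherits none of that normalisation. Read them once into `$aClean` as the other pages do and, since both are ids, cast them: `$aClean['appId'] = (int)$_REQUEST['appId'];`. Because `$_REQUEST` also accepts GET parameters, `cmd=delete` is reachable from a plain link, which deserves a POST-only or token check beyond this change.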


@@ -55,7 +55,7 @@ if(!empty($aClean['action']))
// although this cheaper select leaves out all applications that lack versions
$sQuery = "select appName, appFamily.appId, versionName, versionId from appFamily left join appVersion ";
$sQuery.= "on appVersion.appId = appFamily.appId ORDER BY appFamily.appName, appFamily.appId, appVersion.versionName;";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
$currentAppId = 0;
while($oRow = mysql_fetch_object($hResult))
{


@@ -33,10 +33,9 @@ if ($aClean['REQUEST_METHOD']='HEAD')
errorpage("Bad parameter");
exit;
}
$sQuery = "SELECT id, url FROM appData
WHERE id = ".$iId."
AND type = 'image' LIMIT 1";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT id, url FROM appData
WHERE id = '?'
AND type = 'image' LIMIT 1", $iId);
$fImage = 0;
if($hResult)
{
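Review bot: The condition shown in the hunk header, `if ($aClean['REQUEST_METHOD']='HEAD')`, is an assignment rather than a comparison and is therefore always true, so the HEAD branch runs for every request; it should read `if ($aClean['REQUEST_METHOD'] == 'HEAD')`. This is context outside the changed lines, but the parameterised query below relies on `$iId` having passed the "Bad parameter" check just above, so the control flow around it matters. The enclosing block starts outside the hunk.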


@@ -82,8 +82,8 @@ if ($aClean['sub'])
// version to go along with it. Find this version so we can display its information
// during application processing so the admin can make a better choice about
// whether to accept or reject the overall application
$sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("Select versionId from appVersion where appId='?'",
$aClean['appId']);
$oRow = mysql_fetch_object($hResult);
// make sure the user has permission to view this version
@@ -123,8 +123,8 @@ if ($aClean['sub'])
}
// Get the Testing results if they exist
$sQuery = "Select testingId from testResults where versionId='".$oVersion->iVersionId."';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("Select testingId from testResults where versionId = '?'",
$oVersion->iVersionId);
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
@@ -222,8 +222,8 @@ if ($aClean['sub'])
{
// get the queued versions that refers to the application entry we just removed
// and delete them as we implicitly added a version entry when adding a new application
$sQuery = "SELECT versionId FROM appVersion WHERE appVersion.appId = '".$aClean['appId']."' AND appVersion.queued = 'rejected';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT versionId FROM appVersion WHERE appVersion.appId = '?'
AND appVersion.queued = 'rejected';", $aClean['appId']);
if($hResult)
{
while($oRow = mysql_fetch_object($hResult))
@@ -300,8 +300,8 @@ if ($aClean['sub'])
// try for a partial match
if(!$iVendorId)
{
$sQuery = "select * from vendor where vendorname like '%".$aClean['appVendorName']."%';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("select * from vendor where vendorname like '%?%'",
$aClean['appVendorName']);
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
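Review bot: `like '%?%'` with `$aClean['appVendorName']` lets the submitter control the LIKE pattern: `%` and `_` are not touched by SQL string escaping, and an empty name yields `'%%'`, which matches every vendor so the first row becomes the match. Escape the metacharacters before binding, `addcslashes($aClean['appVendorName'], '%_')`, and skip the partial match when the name is empty. The enclosing `if ($aClean['sub'])` block starts and ends outside these hunks.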


@@ -44,11 +44,12 @@ function display_catpath($catId, $appId, $versionId = '')
/**
* display the SUB apps that belong to this app
*/
function display_bundle($appId)
function display_bundle($iAppId)
{
$oApp = new Application($appId);
$hResult = query_appdb("SELECT appFamily.appId, appName, description FROM appBundle, appFamily ".
"WHERE appFamily.queued='false' AND bundleId = $appId AND appBundle.appId = appFamily.appId");
$hResult = query_parameters("SELECT appFamily.appId, appName, description FROM appBundle, appFamily ".
"WHERE appFamily.queued='false' AND bundleId = '?' AND appBundle.appId = appFamily.appId",
$iAppId);
if(!$hResult || mysql_num_rows($hResult) == 0)
{
return; // do nothing
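Review bot: The parameter was renamed to `$iAppId`, but the unchanged line `$oApp = new Application($appId);` still references `$appId`, which is now undefined, so every call constructs an Application from null. Either update it to `$oApp = new Application($iAppId);` or, since `$oApp` is not used in the visible lines, drop the line; the rest of display_bundle() lies beyond the hunk, so the latter needs checking against it.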


@@ -40,8 +40,7 @@ if(!$oDistribution->iDistributionId)
apidb_header("View Distributions");
//get available Distributions
$sQuery = "SELECT distributionId FROM distributions ORDER BY name, distributionId;";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT distributionId FROM distributions ORDER BY name, distributionId;");
// show Distribution list
echo html_frame_start("","90%","",0);


@@ -4,11 +4,13 @@ function log_category_visit($catId)
{
global $REMOTE_ADDR;
$result = query_appdb("SELECT * FROM catHitStats WHERE ip = '$REMOTE_ADDR' AND catId = $catId");
$result = query_parameters("SELECT * FROM catHitStats WHERE ip = '?' AND catId = '?'",
$REMOTE_ADDR, $catId);
if($result && mysql_num_rows($result) == 1)
{
$stats = mysql_fetch_object($result);
query_appdb("UPDATE catHitStats SET count = count + 1 WHERE catHitId = $stats->catHitId");
query_parameters("UPDATE catHitStats SET count = count + 1 WHERE catHitId = '?'",
$stats->catHitId);
} else
{
query_parameters("INSERT INTO catHitStats (appHitId, time, ip, catId, count) ".
@@ -21,11 +23,13 @@ function log_application_visit($appId)
{
global $REMOTE_ADDR;
$result = query_appdb("SELECT * FROM appHitStats WHERE ip = '$REMOTE_ADDR' AND appId = $appId");
$result = query_parameters("SELECT * FROM appHitStats WHERE ip = '?' AND appId = '?'",
$REMOTE_ADDR, $appId);
if($result && mysql_num_rows($result) == 1)
{
$stats = mysql_fetch_object($result);
query_appdb("UPDATE appHitStats SET count = count + 1 WHERE appHitId = $stats->appHitId");
query_parameters("UPDATE appHitStats SET count = count + 1 WHERE appHitId = '?'",
$stats->appHitId);
} else
{
query_parameters("INSERT INTO appHitStats (appHitId, time, ip, appId, count) ".
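Review bot: `global $REMOTE_ADDR` only exists when register_globals is on, and depending on variables_order it can then be overridden by request data, so the ip column is either unset or not trustworthy. Read the server array directly, `$sRemoteAddr = $_SERVER['REMOTE_ADDR'];`, in both log_category_visit() and log_application_visit() and bind that instead of the global. The INSERT branches of both functions continue past the hunks.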


@@ -37,8 +37,8 @@ class Application {
/* fetch this applications information */
$sQuery = "SELECT *
FROM appFamily
WHERE appId = ".$iAppId;
if($hResult = query_appdb($sQuery))
WHERE appId = '?'";
if($hResult = query_parameters($sQuery, $iAppId))
{
$oRow = mysql_fetch_object($hResult);
$this->iAppId = $iAppId;
@@ -62,14 +62,14 @@ class Application {
if($_SESSION['current']->hasPriv("admin"))
{
$sQuery = "SELECT versionId FROM appVersion WHERE
appId =".$this->iAppId;
appId = '?'";
} else
{
$sQuery = "SELECT versionId FROM appVersion WHERE
queued = 'false' AND
appId =".$this->iAppId;
appId = '?'";
}
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $this->iAppId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -85,9 +85,9 @@ class Application {
$sQuery = "SELECT id
FROM appData
WHERE type = 'url'
AND appId = ".$iAppId;
AND appId = '?'";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $iAppId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -149,7 +149,8 @@ class Application {
if ($this->sName && ($this->sName!=$oApp->sName))
{
$sUpdate = compile_update_string(array('appName' => $this->sName));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false;
$sWhatChanged .= "Name was changed from ".$oApp->sName." to ".$this->sName.".\n\n";
}
@@ -157,7 +158,8 @@ class Application {
if ($this->sDescription && ($this->sDescription!=$oApp->sDescription))
{
$sUpdate = compile_update_string(array('description' => $this->sDescription));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false;
$sWhatChanged .= "Description was changed from\n ".$oApp->sDescription."\n to \n".$this->sDescription.".\n\n";
}
@@ -165,7 +167,8 @@ class Application {
if ($this->sKeywords && ($this->sKeywords!=$oApp->sKeywords))
{
$sUpdate = compile_update_string(array('keywords' => $this->sKeywords));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false;
$sWhatChanged .= "Keywords were changed from\n ".$oApp->sKeywords."\n to \n".$this->sKeywords.".\n\n";
}
@@ -173,7 +176,8 @@ class Application {
if ($this->sWebpage && ($this->sWebpage!=$oApp->sWebpage))
{
$sUpdate = compile_update_string(array('webPage' => $this->sWebpage));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false;
$sWhatChanged .= "Web page was changed from ".$oApp->sWebpage." to ".$this->sWebpage.".\n\n";
}
@@ -181,7 +185,8 @@ class Application {
if ($this->iVendorId && ($this->iVendorId!=$oApp->iVendorId))
{
$sUpdate = compile_update_string(array('vendorId' => $this->iVendorId));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false;
$oVendorBefore = new Vendor($oApp->iVendorId);
$oVendorAfter = new Vendor($this->iVendorId);
@@ -191,7 +196,8 @@ class Application {
if ($this->iCatId && ($this->iCatId!=$oApp->iCatId))
{
$sUpdate = compile_update_string(array('catId' => $this->iCatId));
if (!query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
return false;
$oCatBefore = new Category($oApp->iCatId);
$oCatAfter = new Category($this->iCatId);
@@ -225,16 +231,16 @@ class Application {
}
// remove any supermaintainers for this application so we don't orphan them
$sQuery = "DELETE from appMaintainers WHERE appId='".$this->iAppId."';";
if(!($hResult = query_appdb($sQuery)))
$sQuery = "DELETE from appMaintainers WHERE appId='?'";
if(!($hResult = query_parameters($sQuery, $this->iAppId)))
{
addmsg("Error removing app maintainers for the deleted application!", "red");
}
$sQuery = "DELETE FROM appFamily
WHERE appId = ".$this->iAppId."
WHERE appId = '?'
LIMIT 1";
if(!($hResult = query_appdb($sQuery)))
if(!($hResult = query_parameters($sQuery, $this->iAppId)))
{
addmsg("Error deleting application!", "red");
}
@@ -256,7 +262,8 @@ class Application {
$sUpdate = compile_update_string(array('queued' => "false",
'keywords'=> str_replace(" *** ","",$this->sKeywords) ));
if(query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
{
$this->sQueued = 'false';
// we send an e-mail to intersted people
@@ -275,7 +282,8 @@ class Application {
return false;
$sUpdate = compile_update_string(array('queued' => "rejected"));
if(query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
{
$this->sQueued = 'rejected';
// we send an e-mail to intersted people
@@ -292,7 +300,8 @@ class Application {
return false;
$sUpdate = compile_update_string(array('queued' => "true"));
if(query_appdb("UPDATE appFamily SET ".$sUpdate." WHERE appId = ".$this->iAppId))
if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'",
$this->iAppId))
{
$this->sQueued = 'true';
// we send an e-mail to intersted people
@@ -559,7 +568,8 @@ class Application {
echo " <tr class=\"color1\"><td><b>URL</b></td><td>".$appLinkURL."</td></tr>\n";
// optional links
$result = query_appdb("SELECT * FROM appData WHERE appId = ".$aClean['appId']." AND versionID = 0 AND type = 'url'");
$result = query_parameters("SELECT * FROM appData WHERE appId = '?' AND versionID = 0 AND type = 'url'",
$aClean['appId']);
if($result && mysql_num_rows($result) > 0)
{
echo " <tr class=\"color1\"><td> <b>Links</b></td><td>\n";
@@ -662,7 +672,8 @@ class Application {
function lookup_version_name($versionId)
{
if(!$versionId) return null;
$result = query_appdb("SELECT versionName FROM appVersion WHERE versionId = $versionId");
$result = query_parameters("SELECT versionName FROM appVersion WHERE versionId = '?'",
$versionId);
if(!$result || mysql_num_rows($result) != 1)
return null;
$ob = mysql_fetch_object($result);
@@ -673,7 +684,8 @@ function lookup_version_name($versionId)
function lookup_app_name($appId)
{
if(!$appId) return null;
$result = query_appdb("SELECT appName FROM appFamily WHERE appId = $appId");
$result = query_parameters("SELECT appName FROM appFamily WHERE appId = '?'",
$appId);
if(!$result || mysql_num_rows($result) != 1)
return null;
$ob = mysql_fetch_object($result);
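Review bot: The update() branches concatenate the output of compile_update_string() into the template before query_parameters() sees it, e.g. `"UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'"`. If query_parameters() resolves `?` positionally, a literal question mark in a description, keywords or web page value is consumed as the placeholder, `$this->iAppId` lands inside the escaped text, and the WHERE clause is left as the literal string `'?'`. Bind the column values as placeholders too, e.g. `"UPDATE appFamily SET description = '?' WHERE appId = '?'"` with `$this->sDescription, $this->iAppId`, or have compile_update_string() return placeholders plus a value list. This applies to each of the six field updates and the three queued-state changes in these hunks.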


@@ -31,8 +31,8 @@ class Bug {
$sQuery = "SELECT buglinks.*, appVersion.appId AS appId
FROM buglinks, appVersion
WHERE buglinks.versionId = appVersion.versionId
AND linkid = ".$iLinkId;
if($hResult = query_appdb($sQuery))
AND linkid = '?'";
if($hResult = query_parameters($sQuery, $iLinkId))
{
$oRow = mysql_fetch_object($hResult);
$this->iLinkId = $iLinkId;
@@ -98,8 +98,8 @@ class Bug {
$sQuery = "SELECT *
FROM buglinks
WHERE versionId = ".$iVersionId;
if($hResult = query_appdb($sQuery,"looking for duplicates"))
WHERE versionId = '?'";
if($hResult = query_parameters($sQuery, $iVersionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -126,9 +126,9 @@ class Bug {
$sQuery = "SELECT buglinks.*, appVersion.appId AS appId
FROM buglinks, appVersion
WHERE buglinks.versionId = appVersion.versionId
AND buglinks.versionId = ".$iVersionId."
AND buglinks.bug_id = ".$iBug_id;
if($hResult = query_appdb($sQuery))
AND buglinks.versionId = '?'
AND buglinks.bug_id = '?'";
if($hResult = query_parameters($sQuery, $iVersionId, $iBug_id))
{
$oRow = mysql_fetch_object($hResult);
$this->bug($oRow->linkId);
@@ -152,8 +152,8 @@ class Bug {
function delete($bSilent=false)
{
$sQuery = "DELETE FROM buglinks
WHERE linkId = ".$this->iLinkId;
if($hResult = query_appdb($sQuery))
WHERE linkId = '?'";
if($hResult = query_parameters($sQuery, $this->iLinkId))
{
if(!$bSilent)
$this->SendNotificationMail(true);
@@ -176,7 +176,8 @@ class Bug {
return false;
$sUpdate = compile_update_string(array('queued' => "false"));
if(query_appdb("UPDATE buglinks SET ".$sUpdate." WHERE linkId=".$this->iLinkId))
if(query_parameters("UPDATE buglinks SET ".$sUpdate." WHERE linkId='?'",
$this->iLinkId))
{
$this->bQueued = false;
// we send an e-mail to intersted people


@@ -28,8 +28,8 @@ class Category {
*/
$sQuery = "SELECT *
FROM appCategory
WHERE catId = ".$iCatId." ORDER BY catName;";
if($hResult = query_appdb($sQuery))
WHERE catId = '?' ORDER BY catName;";
if($hResult = query_parameters($sQuery, $iCatId))
{
$oRow = mysql_fetch_object($hResult);
$this->iCatId = $iCatId;
@@ -44,9 +44,9 @@ class Category {
*/
$sQuery = "SELECT appId
FROM appFamily
WHERE catId = ".$iCatId."
WHERE catId = '?'
AND queued = 'false' ORDER BY appName";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $iCatId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -59,8 +59,8 @@ class Category {
*/
$sQuery = "SELECT catId
FROM appCategory
WHERE catParent = ".$iCatId." ORDER BY catName;";
if($hResult = query_appdb($sQuery))
WHERE catParent = '?' ORDER BY catName;";
if($hResult = query_parameters($sQuery, $iCatId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -104,21 +104,24 @@ class Category {
if($sName)
{
if (!query_appdb("UPDATE appCategory SET catName = '".$sName."' WHERE catId = ".$this->iCatId))
if (!query_parameters("UPDATE appCategory SET catName = '?' WHERE catId = '?'",
$sName, $this->iCatId))
return false;
$this->sName = $sName;
}
if($sDescription)
{
if (!query_appdb("UPDATE appCategory SET catDescription = '".$sDescription."' WHERE catId = ".$this->iCatId))
if (!query_parameters("UPDATE appCategory SET catDescription = '?' WHERE catId = '?'",
$sDescription, $this->iCatId))
return false;
$this->sDescription = $sDescription;
}
if($iParentId)
{
if (!query_appdb("UPDATE appCategory SET catParent = '".$iParentId."' WHERE catId = ".$this->iCatId))
if (!query_parameters("UPDATE appCategory SET catParent = '?' WHERE catId = '?'",
$iParentId, $this->iCatId))
return false;
$this->iParentId = $iParentId;
}
@@ -141,9 +144,9 @@ class Category {
} else
{
$sQuery = "DELETE FROM appCategory
WHERE catId = ".$this->iCatId."
WHERE catId = '?'
LIMIT 1";
query_appdb($sQuery);
query_parameters($sQuery, $this->iCatId);
addmsg("The category has been deleted.", "green");
}
@@ -162,7 +165,8 @@ class Category {
$iCatId = $this->iCatId;
while($iCatId != 0)
{
$result = query_appdb("SELECT catName, catId, catParent FROM appCategory WHERE catId = $iCatId");
$result = query_parameters("SELECT catName, catId, catParent FROM appCategory WHERE catId = '?'",
$iCatId);
if(!$result || mysql_num_rows($result) != 1)
break;
$cat = mysql_fetch_object($result);
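Review bot: The DELETE at `query_parameters($sQuery, $this->iCatId);` discards its result, so `addmsg("The category has been deleted.", "green")` is shown even when the statement fails; the Application and distribution classes in this commit check the handle and report an error. Mirror that: `if(query_parameters($sQuery, $this->iCatId)) addmsg("The category has been deleted.", "green"); else addmsg("Error deleting category!", "red");`. The surrounding delete() method begins outside the hunk.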


@@ -30,8 +30,8 @@ class Comment {
$sQuery = "SELECT appComments.*, appVersion.appId AS appId
FROM appComments, appVersion
WHERE appComments.versionId = appVersion.versionId
AND commentId = '".$iCommentId."'";
$hResult = query_appdb($sQuery);
AND commentId = '?'";
$hResult = query_parameters($sQuery, $iCommentId);
$oRow = mysql_fetch_object($hResult);
$this->iCommentId = $oRow->commentId;
$this->iParentId = $oRow->parentId;
@@ -114,14 +114,16 @@ class Comment {
{
if ($iParentId)
{
if (!query_appdb("UPDATE appComments SET parentId = '".$iParentId."' WHERE commentId = ".$this->iCommentId))
if (!query_parameters("UPDATE appComments SET parentId = '?' WHERE commentId = '?'",
$iParentId, $this->iCommentId))
return false;
$this->iParentId = $iParentId;
}
if ($iVersionId)
{
if (!query_appdb("UPDATE appComments SET versionId = '".$iVersionId."' WHERE commentId = ".$this->iCommentId))
if (!query_parameters("UPDATE appComments SET versionId = '?' WHERE commentId = '?'",
$iVersionId, $this->iCommentId))
return false;
$this->iVersionId = $iVersionId;
// FIXME: we need to refetch $this->iAppId.
@@ -129,14 +131,16 @@ class Comment {
if ($sSubject)
{
if (!query_appdb("UPDATE appComments SET subject = '".$sSubject."' WHERE commentId = ".$this->iCommentId))
if (!query_parameters("UPDATE appComments SET subject = '?' WHERE commentId = '?'",
$sSubject, $this->iCommentId))
return false;
$this->sSubject = $sSubject;
}
if ($sBody)
{
if (!query_appdb("UPDATE appComments SET body = '".$sBody."' WHERE commentId = ".$this->iCommentId))
if (!query_parameters("UPDATE appComments SET body = '?' WHERE commentId = '?'",
$sBody, $this->iCommentId))
return false;
$this->sBody = $sBody;
}
@@ -151,11 +155,12 @@ class Comment {
*/
function delete($sReason=null)
{
$hResult = query_appdb("DELETE FROM appComments WHERE commentId = '".$this->iCommentId."'");
$hResult = query_parameters("DELETE FROM appComments WHERE commentId = '?'", $this->iCommentId);
if ($hResult)
{
/* fixup the child comments so the parentId points to a valid parent comment */
$hResult = query_appdb("UPDATE appComments set parentId = '".$this->iParentId."' WHERE parentId = '".$this->iCommentId."'");
$hResult = query_parameters("UPDATE appComments set parentId = '?' WHERE parentId = '?'",
$this->iParentId, $this->iCommentId);
$sEmail = get_notify_email_address_list($this->iAppId, $this->iVersionId);
$sEmail .= $this->oOwner->sEmail;
if($sEmail)
@@ -264,6 +269,10 @@ function view_app_comment($oRow)
*/
function grab_comments($versionId, $parentId = -1)
{
/* escape input so we can use query_appdb() without concern */
$versionId = mysql_real_escape_string($versionId);
$parentId = mysql_real_escape_string($parentId);
$extra = "";
if($parentId != -1)
$extra = "AND parentId = $parentId ";
@@ -374,7 +383,7 @@ function view_app_comments($versionId, $threadId = 0)
$aClean['mode'] = makeSafe($_REQUEST['mode']);
// count posts
$hResult = query_appdb("SELECT commentId FROM appComments WHERE versionId = $versionId");
$hResult = query_parameters("SELECT commentId FROM appComments WHERE versionId = '?'", $versionId);
$messageCount = mysql_num_rows($hResult);
//start comment format table
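Review bot: In grab_comments(), `$parentId = mysql_real_escape_string($parentId);` is followed by the unquoted interpolation `"AND parentId = $parentId "`, and escaping only neutralises characters that matter inside a quoted literal, so a non-numeric `$parentId` (or `$versionId`, used further down the function) still alters the statement. Either cast, `$parentId = (int)$parentId;`, or drop the pre-escaping and use query_parameters() with a quoted placeholder as the rest of the file now does. Note too that mysql_real_escape_string() needs an open connection, which compile_update_string() in this commit had to ensure explicitly; grab_comments() does not. grab_comments() continues past the hunk.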


@@ -119,13 +119,22 @@ function query_error($sQuery, $sComment="")
* Returns a string ready to be put in a query like this
* $sQuery = "UPDATE `foo` $sReturn";
*
* Values are addslashes()'d.
* Values are mysql_real_escape_string()'ed.
*/
function compile_update_string($aData)
{
global $hAppdbLink;
if(!is_resource($hAppdbLink))
{
// The last argument makes sure we are really opening a new connection
$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
mysql_select_db(APPS_DB, $hAppdbLink);
}
foreach ($aData as $k => $v)
{
$return .= "`$k`='".addslashes($v)."',";
$return .= "`$k`='".mysql_real_escape_string($v)."',";
}
$return = preg_replace( "/,$/" , "" , $return );
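Review bot: `mysql_real_escape_string($v)` is called without the link argument, so it escapes against whatever connection was last opened rather than the `$hAppdbLink` this function just ensured exists; pass it explicitly, `mysql_real_escape_string($v, $hAppdbLink)`, so the escaping uses that connection's character set. `$return` is also appended to before being initialised; add `$return = "";` before the loop. The connection-on-demand branch leaves `mysql_connect()` and `mysql_select_db()` unchecked, so a failed connect falls through to escaping with a false link and the concatenated value goes into the statement unescaped.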


@@ -28,8 +28,8 @@ class distribution{
{
$sQuery = "SELECT *
FROM distributions
WHERE distributionId = ".$iDistributionId;
if($hResult = query_appdb($sQuery))
WHERE distributionId = '?'";
if($hResult = query_parameters($sQuery, $iDistributionId))
{
$oRow = mysql_fetch_object($hResult);
$this->iDistributionId = $iDistributionId;
@@ -50,7 +50,7 @@ class distribution{
{
$sQuery = "SELECT testingId
FROM testResults
WHERE distributionId = ".$iDistributionId;
WHERE distributionId = '?'";
} else /* only let users view test results that aren't queued and for apps that */
/* aren't queued or versions that aren't queued */
{
@@ -61,10 +61,10 @@ class distribution{
appFamily.appId = appVersion.appId AND
appFamily.queued = 'false' AND
appVersion.queued = 'false' AND
distributionId = ".$iDistributionId;
distributionId = '?'";
}
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $iDistributionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -80,8 +80,8 @@ class distribution{
//Let's not create a duplicate
$sQuery = "SELECT *
FROM distributions
WHERE name LIKE '".$this->sName."'";
$hDuplicate = query_appdb($sQuery, "checking distributions");
WHERE name LIKE '?'";
$hDuplicate = query_parameters($sQuery, $this->sName);
if(!mysql_num_rows($hDuplicate) == 0)
{
addmsg("There was an existing Distribution called ".$this->sName.".", "red");
@@ -125,14 +125,17 @@ class distribution{
}
$sUpdate = compile_update_string(array( 'name' => $this->sName,
'url' => $this->sUrl ));
if(query_appdb("UPDATE distributions SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while updating Distribution."))
if(query_parameters("UPDATE distributions SET ".$sUpdate." WHERE distributionId = '?'",
$this->iDistributionId))
{
$this->SendNotificationMail("edit");
return true;
}
else
} else
{
addmsg("Error while updating Distribution", "red");
return false;
}
}
// Delete Distributution.
function delete($bSilent=false)
@@ -145,9 +148,9 @@ class distribution{
}
// now delete the Distribution
$sQuery = "DELETE FROM distributions
WHERE distributionId = ".$this->iDistributionId."
WHERE distributionId = '?'
LIMIT 1";
if(!($hResult = query_appdb($sQuery)))
if(!($hResult = query_parameters($sQuery, $this->iDistributionId)))
{
addmsg("Error removing the Distribution!", "red");
}
@@ -165,20 +168,25 @@ class distribution{
// is the current user allowed to move this Distribution?
if(!$_SESSION['current']->hasPriv("admin"))
{
return;
return false;
}
// If we are not in the queue, we can't move the Distribution out of the queue.
if(!$this->sQueued == 'true')
return false;
$sUpdate = compile_update_string(array('queued' => "false"));
if(query_appdb("UPDATE distribution SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while unqueuing Distribution."))
if(query_parameters("UPDATE distribution SET queued = '?' WHERE distributionId = '?'",
"false", $this->iDistributionId))
{
$this->sQueued = 'false';
// we send an e-mail to intersted people
$this->mailSubmitter("unQueue");
$this->SendNotificationMail();
return true;
} else
{
addmsg("Error while unqueueing Distribution", "red");
return false;
}
}
@@ -187,15 +195,15 @@ class distribution{
// is the current user allowed to reject this Distribution?
if(!$_SESSION['current']->hasPriv("admin"))
{
return;
return false;
}
// If we are not in the queue, we can't move the Distribution out of the queue.
if(!$this->sQueued == 'true')
return false;
$sUpdate = compile_update_string(array('queued' => "rejected"));
if(query_appdb("UPDATE distribution SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while rejecting Distribution."))
if(query_parameters("UPDATE distribution SET queued = '?' WHERE distributionId = '?'",
"rejected", $this->iDistributionId))
{
$this->sQueued = 'rejected';
// we send an e-mail to intersted people
@@ -205,6 +213,11 @@ class distribution{
$this->SendNotificationMail("reject");
}
// the Distribution data has been rejected
return true;
} else
{
addmsg("Error while rejecting Distribution", "red");
return false;
}
}
@@ -214,12 +227,14 @@ class distribution{
if(!$_SESSION['current']->hasPriv("admin") &&
!($_SESSION['current']->iUserId == $this->iSubmitterId))
{
return;
return false;
}
$sUpdate = compile_update_string(array('queued' => "true"));
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId))
if(query_appdb("UPDATE distribution SET ".$sUpdate." WHERE distributionId = ".$this->iDistributionId, "Error while requeueing Distribution."))
if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
"true", $this->iTestingId))
{
if(query_parameters("UPDATE distribution SET queued = '?' WHERE distributionId = '?'",
"true", $this->iDistributionId))
{
$this->sQueued = 'true';
// we send an e-mail to intersted people
@@ -227,9 +242,16 @@ class distribution{
// the testing data has been resubmitted
addmsg("The Distribution has been resubmitted", "green");
return true;
}
}
/* something has failed if we fell through to this point without */
/* returning */
addmsg("Error requeueing Distribution", "red");
return false;
}
function mailSubmitter($sAction="add")
{
@@ -378,8 +400,7 @@ class distribution{
function make_distribution_list($varname, $cvalue)
{
$sQuery = "SELECT name, distributionId FROM distributions ORDER BY name";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
if(!$hResult) return;
echo "<select name='$varname'>\n";
@@ -396,7 +417,7 @@ function make_distribution_list($varname, $cvalue)
/* Get the total number of Distributions in the database */
function getNumberOfDistributions()
{
$hResult = query_appdb("SELECT count(*) as num_dists FROM distributions");
$hResult = query_parameters("SELECT count(*) as num_dists FROM distributions");
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
@@ -408,7 +429,7 @@ function getNumberOfDistributions()
/* Get the number of Queued Distributions in the database */
function getNumberOfQueuedDistributions()
{
$hResult = query_appdb("SELECT count(*) as num_dists FROM distributions WHERE queued='true';");
$hResult = query_parameters("SELECT count(*) as num_dists FROM distributions WHERE queued='true';");
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
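Review bot: In the `UPDATE distributions SET ".$sUpdate." WHERE distributionId = '?'` call (and the same construction in testData.php, `UPDATE testResults SET ".$sUpdate." WHERE testingId = '?'`) the fragment returned by compile_update_string() is spliced into the template handed to query_parameters(), so a literal `?` inside a submitted name or url — a character escaping leaves untouched — would be taken as an extra placeholder if query_parameters() substitutes every `?` in the string, misaligning the bound values or failing the query. Binding the columns directly, as the other hunks in this file now do, avoids that: `query_parameters("UPDATE distributions SET name = '?', url = '?' WHERE distributionId = '?'", $this->sName, $this->sUrl, $this->iDistributionId)`. With `queued` now bound directly, the three `$sUpdate = compile_update_string(array('queued' => ...))` assignments above those calls are dead and can go (the same leftover assignments remain in note.php, screenshot.php, testData.php and url.php). Two details carried over from the replaced lines deserve a second look: the requeue path updates `testResults` by `$this->iTestingId` from inside the distribution class, which reads like a copy from testData.php, and the three queued-state updates name the table `distribution` while every other query in this file uses `distributions`.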


@@ -228,14 +228,20 @@ function addmsg($text, $color = "black")
{
global $hAppdbLink;
if(!is_resource($hAppdbLink))
{
// The last argument makes sure we are really opening a new connection
$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
mysql_select_db(APPS_DB, $hAppdbLink);
}
if($color)
$text = "<font color='$color'> $text </font>\n";
$text = addslashes($text);
$sQuery = "INSERT INTO sessionMessages VALUES (null, null, '".session_id()."', '$text')";
if (!mysql_query($sQuery,$hAppdbLink))
$sQuery = "INSERT INTO sessionMessages VALUES (null, null, '?', '?')";
if (!query_parameters($sQuery, session_id(), $text))
{
echo "An error has occurred in addmsg(): ".mysql_error($hAppdbLink);
echo "An error has occurred in addmsg()";
echo $text;
}
}
@@ -247,7 +253,7 @@ function addmsg($text, $color = "black")
*/
function dumpmsgbuffer()
{
$hResult = query_appdb("SELECT * FROM sessionMessages WHERE sessionId = '".session_id()."'");
$hResult = query_parameters("SELECT * FROM sessionMessages WHERE sessionId = '?'", session_id());
if(!$hResult)
return;
@@ -259,7 +265,7 @@ function dumpmsgbuffer()
echo "<br>\n";
}
query_appdb("DELETE FROM sessionMessages WHERE sessionId = '".session_id()."'");
query_parameters("DELETE FROM sessionMessages WHERE sessionId = '?'", session_id());
}
/**
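Review bot: `$text = addslashes($text);` in addmsg() is still executed right before `$text` is passed to query_parameters(), so the value is now escaped twice and stored messages containing quotes will come back with stray backslashes when dumpmsgbuffer() prints them; drop the addslashes() line and let query_parameters() do the escaping. The `global $hAppdbLink` block that opens a connection at the top of the function looks like it existed only for the direct mysql_query() call that was removed; if query_parameters() manages its own connection, that block is dead weight here. The error branch also lost the mysql_error() detail, so a failed insert now only reports that something happened — consider at least logging the error server-side rather than echoing nothing about its cause.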


@@ -9,9 +9,9 @@
function getAppsFromUserId($userId)
{
/* retrieve the list of application and order them by application name */
$hResult = query_appdb("SELECT appMaintainers.appId, versionId, superMaintainer, appName FROM ".
$hResult = query_parameters("SELECT appMaintainers.appId, versionId, superMaintainer, appName FROM ".
"appFamily, appMaintainers WHERE appFamily.appId = appMaintainers.appId ".
"AND userId = '$userId' ORDER BY appName");
"AND userId = '?' ORDER BY appName", $userId);
if(!$hResult || mysql_num_rows($hResult) == 0)
return;
@@ -38,8 +38,8 @@ function getMaintainersUserIdsFromAppIdVersionId($versionId)
return $retval;
$sQuery = "SELECT userId FROM ".
"appMaintainers WHERE versionId = '$versionId';";
$hResult = query_appdb($sQuery);
"appMaintainers WHERE versionId = '?';";
$hResult = query_parameters($sQuery, $versionId);
$c = 0;
while($oRow = mysql_fetch_object($hResult))
{
@@ -56,9 +56,9 @@ function getMaintainersUserIdsFromAppIdVersionId($versionId)
function getSuperMaintainersUserIdsFromAppId($appId)
{
$sQuery = "SELECT userId FROM ".
"appMaintainers WHERE appId = '$appId' " .
"appMaintainers WHERE appId = '?' " .
"AND superMaintainer = '1';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery, $appId);
$retval = array();
$c = 0;
while($oRow = mysql_fetch_object($hResult))
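Review bot: In getMaintainersUserIdsFromAppIdVersionId() and getSuperMaintainersUserIdsFromAppId() the result of query_parameters() goes straight into `mysql_fetch_object($hResult)` without the `if(!$hResult ...)` guard that getAppsFromUserId() in the same file uses, so a failed query produces a warning instead of an empty result; add `if(!$hResult) return $retval;` after each query (moving `$retval = array();` above the query in the second function). The trailing `;` kept inside the query strings (`'?';`) is harmless but inconsistent with the other hunks, which dropped it. Both functions continue past the end of their hunks.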


@@ -85,7 +85,7 @@ class Monitor {
*/
function delete($bSilent=false)
{
$hResult = query_appdb("DELETE FROM appMonitors WHERE monitorId = '".$this->iMonitorId."'");
$hResult = query_parameters("DELETE FROM appMonitors WHERE monitorId = '?'", $this->iMonitorId);
if(!$bSilent)
$this->SendNotificationMail("delete");
}
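Review bot: Monitor::delete() assigns `$hResult` from query_parameters() but never looks at it, so the "delete" notification mail goes out even when the DELETE failed; gate it with `if($hResult && !$bSilent)` and return `$hResult` so callers can tell. Note::delete() in note.php has the identical shape and needs the same change.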


@@ -30,8 +30,8 @@ class Note {
$sQuery = "SELECT appNotes.*, appVersion.appId AS appId
FROM appNotes, appVersion
WHERE appNotes.versionId = appVersion.versionId
AND noteId = '".$iNoteId."'";
$hResult = query_appdb($sQuery);
AND noteId = '?'";
$hResult = query_parameters($sQuery, $iNoteId);
$oRow = mysql_fetch_object($hResult);
$this->iNoteId = $oRow->noteId;
$this->iAppId = $oRow->appId;
@@ -78,8 +78,8 @@ class Note {
if ($sTitle && $sTitle!=$this->sTitle)
{
$sUpdate = compile_update_string(array('noteTitle' => $sTitle));
if (!query_appdb("UPDATE appNotes SET ".$sUpdate." WHERE noteId = ".$this->iNoteId))
if (!query_parameters("UPDATE appNotes SET noteTitle = '?' WHERE noteId = '?'",
$sTitle, $this->iNoteId))
return false;
$sWhatChanged .= "Title was changed from ".$this->sTitle." to ".$sTitle.".\n\n";
$this->sTitle = $sTitle;
@@ -87,8 +87,8 @@ class Note {
if ($sDescription && $sDescription!=$this->sDescription)
{
$sUpdate = compile_update_string(array('noteDesc' => $sDescription));
if (!query_appdb("UPDATE appNotes SET ".$sUpdate." WHERE noteId = ".$this->iNoteId))
if (!query_parameters("UPDATE appNotes SET noteDesc = '?' WHERE noteId = '?'",
$sDescription, $this->iNoteId))
return false;
$sWhatChanged .= "Description was changed from\n ".$this->sDescription."\n to \n".$sDescription.".\n\n";
$this->sDescription = $sDescription;
@@ -96,8 +96,8 @@ class Note {
if ($iVersionId && $iVersionId!=$this->iVersionId)
{
$sUpdate = compile_update_string(array('versionId' => $iVersionId));
if (!query_appdb("UPDATE appNotes SET ".$sUpdate." WHERE noteId = ".$this->iNoteId))
if (!query_parameters("UPDATE appNotes SET versionId = '?' WHERE noteId = '?'",
$iVersionId, $this->iNoteId))
return false;
$oVersionBefore = new Version($this->iVersionId);
$oVersionAfter = new Version($iVersionId);
@@ -117,7 +117,7 @@ class Note {
*/
function delete($bSilent=false)
{
$hResult = query_appdb("DELETE FROM appNotes WHERE noteId = '".$this->iNoteId."'");
$hResult = query_parameters("DELETE FROM appNotes WHERE noteId = '?'", $this->iNoteId);
if(!$bSilent)
$this->SendNotificationMail("delete");
}
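Review bot: The Note constructor dereferences `$oRow->noteId` and `$oRow->appId` immediately after `mysql_fetch_object($hResult)` without checking either the query result or that a row came back, so an unknown or non-numeric `$iNoteId` yields notices and a half-initialised object; the distribution constructor changed in this same commit shows the intended shape, `if($hResult = query_parameters($sQuery, $iNoteId))` around the field assignments. The constructor's start and the rest of its body are outside the hunk.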


@@ -32,12 +32,12 @@ class Screenshot {
// we are working on an existing screenshot
if(is_numeric($iScreenshotId))
{
$sQuery = "SELECT appData.*, appVersion.appId AS appId
$hResult = query_parameters("SELECT appData.*, appVersion.appId AS appId
FROM appData, appVersion
WHERE appData.versionId = appVersion.versionId
AND id = ".$iScreenshotId."
AND type = 'image'";
if($hResult = query_appdb($sQuery))
AND id = '?'
AND type = 'image'", $iScreenshotId);
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
$this->iScreenshotId = $iScreenshotId;
@@ -86,8 +86,8 @@ class Screenshot {
addmsg("Unable to move screenshot from '".$hFile['tmp_name']."' to '".$moveToPath."'", "red");
$sQuery = "DELETE
FROM appData
WHERE id = '".$this->iScreenshotId."'";
query_appdb($sQuery);
WHERE id = '?'";
query_parameters($sQuery, $this->iScreenshotId);
return false;
} else // we managed to copy the file, now we have to process the image
{
@@ -96,16 +96,16 @@ class Screenshot {
{
// we have to update the entry now that we know its name
$sQuery = "UPDATE appData
SET url = '".$this->iScreenshotId."'
WHERE id = '".$this->iScreenshotId."'";
if (!query_appdb($sQuery)) return false;
SET url = '?'
WHERE id = '?'";
if (!query_parameters($sQuery, $this->iScreenshotId, $this->iScreenshotId)) return false;
} else
{
addmsg("Unable to generate image or thumbnail. The file format might not be recognized. Please use PNG or JPEG only.","red");
$sQuery = "DELETE
FROM appData
WHERE id = '".$this->iScreenshotId."'";
query_appdb($sQuery);
WHERE id = '?'";
query_parameters($sQuery, $this->iScreenshotId);
return false;
}
@@ -155,8 +155,8 @@ class Screenshot {
if(!$this->bQueued)
return false;
$sUpdate = compile_update_string(array('queued' => "false"));
if(query_appdb("UPDATE appData SET ".$sUpdate." WHERE id=".$this->iScreenshotId))
if(query_parameters("UPDATE appData SET queued = '?' WHERE id='?'",
"false", $this->iScreenshotId))
{
$this->bQueued = false;
// we send an e-mail to intersted people
@@ -185,8 +185,8 @@ class Screenshot {
*/
function setDescription($sDescription)
{
$sQuery = "UPDATE id SET description = '".$sDescription."' WHERE id = ".$this->iScreenshotId." AND type = 'image'";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters("UPDATE id SET description = '?' WHERE id = '?' AND type = 'image'",
$sDescription, $this->iScreenshotId))
$this->sDescription = $sDescription;
}
@@ -310,21 +310,21 @@ function get_screenshot_img($iAppId = null, $iVersionId = null, $bFormatting = t
// we want a random screenshots for this app
if($iAppId && !$iVersionId)
{
$hResult = query_appdb("SELECT appData.*, RAND() AS rand
$hResult = query_parameters("SELECT appData.*, RAND() AS rand
FROM appData, appVersion
WHERE appData.versionId = appVersion.versionId
AND appVersion.appId = $iAppId
AND appVersion.appId = '?'
AND type = 'image'
AND appData.queued = 'false'
ORDER BY rand");
ORDER BY rand", $iAppId);
} else if ($iVersionId) // we want a random screenshot for this version
{
$hResult = query_appdb("SELECT *, RAND() AS rand
$hResult = query_parameters("SELECT *, RAND() AS rand
FROM appData
WHERE versionId = $iVersionId
WHERE versionId = '?'
AND type = 'image'
AND queued = 'false'
ORDER BY rand");
ORDER BY rand", $iVersionId);
}
if($bFormatting)
@@ -373,33 +373,32 @@ function get_screenshots($iAppId = null, $iVersionId = null, $bQueued = "false")
*/
if($iAppId && !$iVersionId)
{
$sQuery = "SELECT appData.*, appVersion.appId as appId
$hResult = query_parameters("SELECT appData.*, appVersion.appId as appId
FROM appData, appVersion
WHERE appVersion.versionId = appData.versionId
AND type = 'image'
AND appVersion.appId = ".$iAppId."
AND appData.queued = '".$bQueued."'";
AND appVersion.appId = '?'
AND appData.queued = '?'", $iAppId, $bQueued);
}
/*
* We want all screenshots for this version.
*/
else if ($iVersionId)
{
$sQuery = "SELECT appData.*, appVersion.appId as appId
$hResult = query_parameters("SELECT appData.*, appVersion.appId as appId
FROM appData, appVersion
WHERE appVersion.versionId = appData.versionId
AND type = 'image'
AND appData.versionId = ".$iVersionId."
AND appData.queued = '".$bQueued."'";
}
if($sQuery)
AND appData.versionId = '?'
AND appData.queued = '?'", $iVersionId, $bQueued);
} else
{
$hResult = query_appdb($sQuery);
return $hResult;
}
return false;
}
return $hResult;
}
function get_thumbnail($id)
{
$oScreenshot = new Screenshot($id);
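Review bot: setDescription() issues `UPDATE id SET description = '?' WHERE id = '?' AND type = 'image'` — `id` is the column, while every other statement in this file targets `appData` — so the update fails and `$this->sDescription` is never set, silently; the new line should read `query_parameters("UPDATE appData SET description = '?' WHERE id = '?' AND type = 'image'", $sDescription, $this->iScreenshotId)`. The carried-over bug was already present before this change but the rewrite is the moment to fix it. In get_screenshot_img(), `$hResult` is left unset when neither the app nor the version branch is taken; the code after the hunk presumably relies on it, so initialising `$hResult = false;` before the if chain would be safer.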


@@ -66,7 +66,7 @@ class session
// read session
function _read ($key)
{
$result = query_appdb("SELECT data FROM session_list WHERE session_id = '".$key."'");
$result = query_parameters("SELECT data FROM session_list WHERE session_id = '?'", $key);
if (!$result) { return null; }
$r = mysql_fetch_object($result);
return $r->data;
@@ -79,21 +79,22 @@ class session
if(isset($GLOBALS['msg_buffer']))
$messages = implode("|", $GLOBALS['msg_buffer']);
query_appdb("REPLACE session_list VALUES ('$key', '".$_SESSION['current']->iUserId."', '".get_remote()."', '".addslashes($value)."', '$messages', NOW())");
query_parameters("REPLACE session_list VALUES ('?', '?', '?', '?', '?', ?)",
$key, $_SESSION['current']->iUserId, get_remote(), $value, $messages, "NOW()");
return true;
}
// delete current session
function _destroy ($key)
{
query_appdb("DELETE FROM session_list WHERE session_id = '$key'");
query_parameters("DELETE FROM session_list WHERE session_id = '?'", $key);
return true;
}
// clear old sessions (moved into a separate cron process)
function _gc ($maxlifetime)
{
query_appdb("DELETE FROM session_list WHERE to_days(now()) - to_days(stamp) >= 7");
query_parameters("DELETE FROM session_list WHERE to_days(now()) - to_days(stamp) >= 7");
return true;
}
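Review bot: In session::_write() the string `"NOW()"` is passed as a bound argument for the last, unquoted `?` of the REPLACE; whether that lands in the statement as `NOW()` or as a quoted string depends on query_parameters()' substitution rules, which are not visible here, and an SQL function is not data in any case. Keep the expression in the template and bind five values: `query_parameters("REPLACE session_list VALUES ('?', '?', '?', '?', '?', NOW())", $key, $_SESSION['current']->iUserId, get_remote(), $value, $messages);`. The same `"NOW()"`-as-parameter construction appears in user.php's login update (`stamp = ?`). Separately, `_read()` returns `$r->data` without checking that a row was fetched.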


@@ -173,7 +173,8 @@ class TableVE {
function make_option_list($varname, $cvalue, $table, $idField, $nameField, $where = "")
{
$hResult = query_appdb("SELECT $idField, $nameField FROM $table $where ORDER BY $nameField");
$hResult = query_parameters("SELECT ?, ? FROM ? ? ORDER BY '?'",
$idField, $nameField, $table, $where, $nameField);
if(!$hResult)
return; // Oops
@@ -442,7 +443,8 @@ class TableVE {
if(ereg("^impl_.+$", $table))
{
$value = $fieldnames["apiid"][$i];
query_appdb("UPDATE $table SET lastmodby = ".$_SESSION['current']->userid." WHERE apiid = $value");
query_parameters("UPDATE ? SET lastmodby = '?' WHERE apiid = '?'",
$table, $_SESSION['current']->iUserId, $value);
}
}
}
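Review bot: `SELECT ?, ? FROM ? ? ORDER BY '?'` in make_option_list() binds column names, a table name and an entire `$where` clause as parameters, which parameterisation cannot do: if query_parameters() quotes the values the query selects constant strings and `ORDER BY 'name'` sorts nothing, and if it only escapes them, `$where` is still a raw SQL fragment with escaping that does not apply to fragments. The same applies to `UPDATE ? SET lastmodby = ...` with `$table`. Identifiers have to stay interpolated and be validated instead, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) return;` for each of `$table`, `$idField`, `$nameField` before building the query with query_appdb(), and `$where` should be restricted to caller-supplied constants (or dropped in favour of an explicit column/value pair bound as a real parameter). Both methods continue beyond their hunks.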


@@ -4,7 +4,7 @@
/*****************************************/
require_once(BASE."include/distributions.php");
require_once(BASE."include/util.php");
// Testing class for handling Testing History.
// Class for handling Testing History.
class testData{
var $iTestingId;
@@ -34,8 +34,8 @@ class testData{
{
$sQuery = "SELECT *
FROM testResults
WHERE testingId = ".$iTestingId;
if($hResult = query_appdb($sQuery))
WHERE testingId = '?'";
if($hResult = query_parameters($sQuery, $iTestingId))
{
$oRow = mysql_fetch_object($hResult);
$this->iTestingId = $iTestingId;
@@ -118,15 +118,19 @@ class testData{
'testedRating' => $this->sTestedRating,
'comments' => $this->sComments));
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId, "Error while updating test results."))
if(query_parameters("UPDATE testResults SET ".$sUpdate." WHERE testingId = '?'",
$this->iTestingId))
{
if(!$bSilent)
$this->SendNotificationMail();
return true;
}
else
{
addmsg("Error while updating test results", "red");
return false;
}
}
// Delete testing results.
function delete($bSilent=false)
@@ -141,9 +145,9 @@ class testData{
}
// now delete the testing data
$sQuery = "DELETE FROM testResults
WHERE testingId = ".$this->iTestingId."
WHERE testingId = '?'
LIMIT 1";
if(!($hResult = query_appdb($sQuery)))
if(!($hResult = query_parameters($sQuery, $this->iTestingId)))
{
addmsg("Error removing the deleted testing data!", "red");
}
@@ -170,8 +174,8 @@ class testData{
if(!$this->sQueued == 'true')
return false;
$sUpdate = compile_update_string(array('queued' => "false"));
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId))
if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
"false", $this->iTestingId))
{
$this->sQueued = 'false';
// we send an e-mail to intersted people
@@ -194,8 +198,8 @@ class testData{
if(!$this->sQueued == 'true')
return false;
$sUpdate = compile_update_string(array('queued' => "rejected"));
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId))
if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
"rejected", $this->iTestingId))
{
$this->sQueued = 'rejected';
// we send an e-mail to intersted people
@@ -215,8 +219,8 @@ class testData{
return;
}
$sUpdate = compile_update_string(array('queued' => "true"));
if(query_appdb("UPDATE testResults SET ".$sUpdate." WHERE testingId = ".$this->iTestingId))
if(query_parameters("UPDATE testResults SET queued = '?' WHERE testingId = '?'",
"true", $this->iTestingId))
{
$this->sQueued = 'true';
// we send an e-mail to intersted people
@@ -333,15 +337,17 @@ class testData{
function ShowTestResult($iCurrentTest,$iVersionId)
{
$hResult = query_appdb("SELECT *
$hResult = query_parameters("SELECT *
FROM testResults
WHERE testingId = '".$iCurrentTest."';");
WHERE testingId = '?'",
$iCurrentTest);
if(!$hResult || mysql_num_rows($hResult) == 0)
{
$hResult = query_appdb("SELECT *
$hResult = query_parameters("SELECT *
FROM testResults
WHERE versionId = '".$iVersionId."'
ORDER BY testedDate DESC ;");
WHERE versionId = '?'
ORDER BY testedDate DESC ;",
$iVersionId);
if(!$hResult || mysql_num_rows($hResult) == 0)
return false;
}
@@ -358,6 +364,12 @@ class testData{
// Show the Test results for a application version
function ShowVersionsTestingTable($iVersionId, $iCurrentTest, $link, $iDisplayLimit)
{
/* escape input parameters */
$iVersionId = mysql_real_escape_string($iVersionId);
$iCurrentTest = mysql_real_escape_string($iCurrentTest);
$link = mysql_real_escape_string($link);
$iDisplayLimit = mysql_real_escape_string($iDisplayLimit);
$aClean = array(); //array of filtered user input
$aClean['showAll'] = makeSafe($_REQUEST['showAll']);
@@ -592,17 +604,18 @@ class testData{
{
if($_SESSION['current']->hasPriv("admin"))
{
$hResult = query_appdb("SELECT *
$hResult = query_parameters("SELECT *
FROM testResults
WHERE queued = '".$sQueued."';");
WHERE queued = '?'", $sQueued);
if(!$hResult || mysql_num_rows($hResult) == 0)
return;
} else
{
$hResult = query_appdb("SELECT *
$hResult = query_parameters("SELECT *
FROM testResults
WHERE queued = '".$sQueued."'
AND submitterId = ".$_SESSION['current']->iUserId.";");
WHERE queued = '?'
AND submitterId = '?'",
$sQueued, $_SESSION['current']->iUserId);
if(!$hResult || mysql_num_rows($hResult) == 0)
return;
}
@@ -665,7 +678,7 @@ function getNumberOfQueuedTests()
and appVersion.queued='false'
and testResults.queued='true';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
if($hResult)
{
$row = mysql_fetch_object($hResult);
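Review bot: The four `mysql_real_escape_string()` calls added at the top of ShowVersionsTestingTable() reintroduce the escape-at-entry pattern the rest of the commit is replacing: `$link` and `$iDisplayLimit` do not look like SQL string values, a LIMIT operand that ends up quoted is a syntax error in MySQL, and any of these values that later reach query_parameters() (the body is outside the hunk) will be escaped twice. Casting the ids with `(int)` and binding them where the query is built is the safer shape, leaving `$link` for HTML escaping at the point it is printed. Minor: ShowTestResult() drops the trailing `;` from its first query but keeps `ORDER BY testedDate DESC ;` in the second.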


@@ -29,8 +29,8 @@ class Url {
$sQuery = "SELECT appData.*
FROM appData
WHERE type = 'url'
AND id = ".$iUrlId;
if($hResult = query_appdb($sQuery))
AND id = '?'";
if($hResult = query_parameters($sQuery, $iUrlId))
{
$oRow = mysql_fetch_object($hResult);
$this->iUrlId = $iUrlId;
@@ -88,10 +88,10 @@ class Url {
function delete($bSilent=false)
{
$sQuery = "DELETE FROM appData
WHERE id = ".$this->iUrlId."
WHERE id = '?'
AND type = 'url'
LIMIT 1";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $this->iUrlId))
{
if(!$bSilent)
$this->SendNotificationMail(true);
@@ -112,8 +112,8 @@ class Url {
if(!$this->bQueued)
return false;
$sUpdate = compile_update_string(array('queued' => "false"));
if(query_appdb("UPDATE appData SET ".$sUpdate." WHERE id=".$this->iUrlId))
if(query_parameters("UPDATE appData SET queued = '?' WHERE id='?'",
"false", $this->iUrlId))
{
// we send an e-mail to intersted people
$this->mailSubmitter();
@@ -134,8 +134,8 @@ class Url {
if ($sDescription && $sDescription!=$this->sDescription)
{
$sUpdate = compile_update_string(array('description' => $sDescription));
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId))
if (!query_parameters("UPDATE appData SET description = '?' WHERE id = '?'",
$sDescription, $this->iUrlId))
return false;
$sWhatChanged .= "Description was changed from\n ".$this->sDescription."\n to \n".$sDescription.".\n\n";
$this->sDescription = $sDescription;
@@ -143,8 +143,8 @@ class Url {
if ($sUrl && $sUrl!=$this->sUrl)
{
$sUpdate = compile_update_string(array('noteDesc' => $sDescription));
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId))
if (!query_parameters("UPDATE appData SET noteDesc = '?' WHERE id = '?'",
$sDescription, $this->iUrlId))
return false;
$sWhatChanged .= "Url was changed from ".$this->sUrl." to ".$sUrl.".\n\n";
$this->sUrl = $sUrl;
@@ -152,8 +152,8 @@ class Url {
if ($iVersionId && $iVersionId!=$this->iVersionId)
{
$sUpdate = compile_update_string(array('versionId' => $iVersionId));
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId))
if (!query_parameters("UPDATE appData SET versionId = '?' WHERE id = '?'",
$iVersionId, $this->iUrlId))
return false;
$oVersionBefore = new Version($this->iVersionId);
$oVersionAfter = new Version($iVersionId);
@@ -164,8 +164,8 @@ class Url {
if ($iAppId && $iAppId!=$this->iAppId)
{
$sUpdate = compile_update_string(array('appId' => $iAppId));
if (!query_appdb("UPDATE appData SET ".$sUpdate." WHERE id = ".$this->iUrlId))
if (!query_parameters("UPDATE appData SET appId = '?' WHERE id = '?'",
$iAppId, $this->iUrlId))
return false;
$oAppBefore = new Application($this->iAppId);
$oAppAfter = new Application($iAppId);
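Review bot: In the `if ($sUrl && $sUrl!=$this->sUrl)` branch of Url's update method the rewritten query is `UPDATE appData SET noteDesc = '?' ... ` bound to `$sDescription`, so a changed URL is never written even though `$this->sUrl = $sUrl` and the "Url was changed" message claim it was; the old compile_update_string() line had the same mistake and this rewrite copies it. The line should be `if (!query_parameters("UPDATE appData SET url = '?' WHERE id = '?'", $sUrl, $this->iUrlId))` (screenshot.php writes the same `url` column on appData). The now-unused `$sUpdate = compile_update_string(...)` assignments above each of these calls can be removed as well.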


@@ -37,8 +37,8 @@ class User {
{
$sQuery = "SELECT *
FROM user_list
WHERE userId = '".$iUserId."'";
$hResult = query_appdb($sQuery);
WHERE userId = '?'";
$hResult = query_parameters($sQuery, $iUserId);
$oRow = mysql_fetch_object($hResult);
$this->iUserId = $oRow->userid;
$this->sEmail = $oRow->email;
@@ -59,9 +59,10 @@ class User {
{
$sQuery = "SELECT *
FROM user_list
WHERE email = '".addslashes($sEmail)."'
AND password = password('".addslashes($sPassword)."')";
$hResult = query_appdb($sQuery);
WHERE email = '?'
AND password = password('?')";
$hResult = query_parameters($sQuery, $sEmail, $sPassword);
$oRow = mysql_fetch_object($hResult);
$this->iUserId = $oRow->userid;
$this->sEmail = $oRow->email;
@@ -72,7 +73,8 @@ class User {
if($this->isLoggedIn())
{
// Update timestamp and clear the inactivity flag if it was set
query_appdb("UPDATE user_list SET stamp=NOW(), inactivity_warned='false' WHERE userid=".$this->iUserId);
query_parameters("UPDATE user_list SET stamp = ?, inactivity_warned = '?' WHERE userid='?'",
"NOW()", "false", $this->iUserId);
return SUCCESS;
}
return USER_LOGIN_FAILED;
@@ -123,21 +125,25 @@ class User {
addMsg("An account with this e-mail exists already.","red");
return USER_UPDATE_FAILED_EMAIL_EXISTS;
}
if (!query_appdb("UPDATE user_list SET email = '".addslashes($this->sEmail)."' WHERE userid = ".$this->iUserId))
if (!query_parameters("UPDATE user_list SET email = '?' WHERE userid = '?'",
$this->sEmail, $this->iUserId))
return USER_UPDATE_FAILED;
}
if ($this->sRealname && ($this->sRealname != $oUser->sRealname))
{
if (!query_appdb("UPDATE user_list SET realname = '".addslashes($this->sRealname)."' WHERE userid = ".$this->iUserId))
if (!query_parameters("UPDATE user_list SET realname = '?' WHERE userid = '?'",
$this->sRealname, $this->iUserId))
return USER_UPDATE_FAILED;
}
if ($this->sWineRelease && ($this->sWineRelease != $oUser->sWineRelease))
{
if (!query_appdb("UPDATE user_list SET CVSrelease = '".addslashes($this->sWineRelease)."' WHERE userid = ".$this->iUserId))
if (!query_parameters("UPDATE user_list SET CVSrelease = '?' WHERE userid = '?'",
$this->sWineRelease, $this->iUserId))
return USER_UPDATE_FAILED;
}
return SUCCESS;
}
@@ -152,7 +158,8 @@ class User {
{
if($sPassword)
{
if (query_appdb("UPDATE user_list SET password = password('$sPassword') WHERE userid = ".$this->iUserId))
if (query_parameters("UPDATE user_list SET password = password('?') WHERE userid = '?'",
$sPassword, $this->iUserId))
return true;
}
@@ -167,12 +174,12 @@ class User {
function delete()
{
if(!$this->isLoggedIn()) return false;
$hResult2 = query_appdb("DELETE FROM user_privs WHERE userid = '".$this->iUserId."'");
$hResult3 = query_appdb("DELETE FROM user_prefs WHERE userid = '".$this->iUserId."'");
$hResult4 = query_appdb("DELETE FROM appVotes WHERE userid = '".$this->iUserId."'");
$hResult5 = query_appdb("DELETE FROM appMaintainers WHERE userid = '".$this->iUserId."'");
$hResult6 = query_appdb("DELETE FROM appComments WHERE userId = '".$this->iUserId."'");
return($hResult = query_appdb("DELETE FROM user_list WHERE userid = '".$this->iUserId."'"));
$hResult2 = query_parameters("DELETE FROM user_privs WHERE userid = '?'", $this->iUserId);
$hResult3 = query_parameters("DELETE FROM user_prefs WHERE userid = '?'", $this->iUserId);
$hResult4 = query_parameters("DELETE FROM appVotes WHERE userid = '?'", $this->iUserId);
$hResult5 = query_parameters("DELETE FROM appMaintainers WHERE userid = '?'", $this->iUserId);
$hResult6 = query_parameters("DELETE FROM appComments WHERE userId = '?'", $this->iUserId);
return($hResult = query_parameters("DELETE FROM user_list WHERE userid = '?'", $this->iUserId));
}
@@ -184,7 +191,8 @@ class User {
if(!$this->isLoggedIn() || !$sKey)
return $sDef;
$hResult = query_appdb("SELECT * FROM user_prefs WHERE userid = ".$this->iUserId." AND name = '$sKey'");
$hResult = query_parameters("SELECT * FROM user_prefs WHERE userid = '?' AND name = '?'",
$this->iUserId, $sKey);
if(!$hResult || mysql_num_rows($hResult) == 0)
return $sDef;
$ob = mysql_fetch_object($hResult);
@@ -200,7 +208,8 @@ class User {
if(!$this->isLoggedIn() || !$sKey || !$sValue)
return false;
$hResult = query_appdb("DELETE FROM user_prefs WHERE userid = ".$this->iUserId." AND name = '$sKey'");
$hResult = query_parameters("DELETE FROM user_prefs WHERE userid = '?' AND name = '?'",
$this->iUserId, $sKey);
$hResult = query_parameters("INSERT INTO user_prefs (userid, name, value) VALUES".
"('?', '?', '?')", $this->iUserId, $sKey, $sValue);
return $hResult;
@@ -215,7 +224,8 @@ class User {
if(!$this->isLoggedIn() || !$sPriv)
return false;
$hResult = query_appdb("SELECT * FROM user_privs WHERE userid = ".$this->iUserId." AND priv = '".$sPriv."'");
$hResult = query_parameters("SELECT * FROM user_privs WHERE userid = '?' AND priv = '?'",
$this->iUserId, $sPriv);
if(!$hResult)
return false;
return mysql_num_rows($hResult);
@@ -237,14 +247,16 @@ class User {
/* otherwise check if we maintain this specific version */
if($iVersionId)
{
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '".$this->iUserId."' AND versionId = '$iVersionId'";
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '?' AND versionId = '?'";
$hResult = query_parameters($sQuery, $this->iUserId, $iVersionId);
} else // are we maintaining any version ?
{
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '".$this->iUserId."'";
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '?'";
$hResult = query_parameters($sQuery, $this->iUserId);
}
$hResult = query_appdb($sQuery);
if(!$hResult)
return false;
return mysql_num_rows($hResult);
}
@@ -258,12 +270,13 @@ class User {
if($iAppId)
{
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '$this->iUserId' AND appId = '$iAppId' AND superMaintainer = '1'";
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '?' AND appId = '?' AND superMaintainer = '1'";
$hResult = query_parameters($sQuery, $this->iUserId, $iAppId);
} else /* are we super maintainer of any applications? */
{
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '$this->iUserId' AND superMaintainer = '1'";
$sQuery = "SELECT * FROM appMaintainers WHERE userid = '?' AND superMaintainer = '1'";
$hResult = query_parameters($sQuery, $this->iUserId);
}
$hResult = query_appdb($sQuery);
if(!$hResult)
return false;
return mysql_num_rows($hResult);
@@ -273,8 +286,8 @@ class User {
{
if(!$this->isLoggedIn()) return 0;
$sQuery = "SELECT count(*) as cnt from appMaintainers WHERE userid = '$this->iUserId' AND superMaintainer = '$bSuperMaintainer'";
$hResult = query_appdb($sQuery);
$sQuery = "SELECT count(*) as cnt from appMaintainers WHERE userid = '?' AND superMaintainer = '?'";
$hResult = query_parameters($sQuery, $this->iUserId, $bSuperMaintainer);
if(!$hResult)
return 0;
$ob = mysql_fetch_object($hResult);
@@ -308,7 +321,7 @@ class User {
$statusMessage = "<p>The maintainer was successfully added into the database</p>\n";
//delete the item from the queue
query_appdb("DELETE from appMaintainerQueue where queueId = ".$iQueueId.";");
query_parameters("DELETE from appMaintainerQueue where queueId = '?'", $iQueueId);
$oApp = new Application($iAppId);
$oVersion = new Version($iVersionId);
//Send Status Email
@@ -326,7 +339,7 @@ class User {
} else
{
//delete the item from the queue
query_appdb("DELETE from appMaintainerQueue where queueId = ".$iQueueId.";");
query_parameters("DELETE from appMaintainerQueue where queueId = '?'", $iQueueId);
if($this->isSuperMaintainer($iAppId) && !$bSuperMaintainer)
$statusMessage = "<p>User is already a super maintainer of this application</p>\n";
@@ -345,23 +358,22 @@ class User {
if($iAppId && ($iVersionId == null))
{
$superMaintainer = 1;
$sQuery = "DELETE FROM appMaintainers WHERE userId = ".$this->iUserId.
" AND appId = ".$iAppId." AND superMaintainer = ".$superMaintainer.";";
$hResult = query_parameters("DELETE FROM appMaintainers WHERE userId = '?'
AND appId = '?' AND superMaintainer = '?'",
$this->iUserId, $iAppId, $superMaintainer);
} else if($iAppId && $iVersionId) /* remove a normal maintainer */
{
$superMaintainer = 0;
$sQuery = "DELETE FROM appMaintainers WHERE userId = ".$this->iUserId.
" AND appId = ".$iAppId." AND versionId = ".$iVersionId." AND superMaintainer = ".$superMaintainer.";";
$hResult = query_parameters("DELETE FROM appMaintainers WHERE userId = '?'
AND appId = '?' AND versionId = '?' AND superMaintainer = '?'",
$this->iUserId, $iAppId, $iVersionId, $superMaintainer);
} else if(($iAppId == null) && ($iVersionId == null)) /* remove all maintainership by this user */
{
$sQuery = "DELETE FROM appMaintainers WHERE userId = ".$this->iUserId.";";
$hResult = query_parameters("DELETE FROM appMaintainers WHERE userId = '?'", $this->iUserId);
}
if($sQuery)
{
if($hResult = query_appdb($sQuery))
if($hResult)
return true;
}
return false;
}
@@ -374,7 +386,7 @@ class User {
return 0;
$sQuery = "SELECT count(*) as queued_apps FROM appFamily WHERE queued='true'";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult);
return $oRow->queued_apps;
}
@@ -383,16 +395,16 @@ class User {
{
if($this->hasPriv("admin"))
{
$sQuery = "SELECT count(*) as queued_versions FROM appVersion WHERE queued='true'";
$hResult = query_parameters("SELECT count(*) as queued_versions FROM appVersion WHERE queued='true'");
} else
{
/* find all queued versions of applications that the user is a super maintainer of */
$sQuery = "SELECT count(*) as queued_versions FROM appVersion, appMaintainers
$hResult = query_parameters("SELECT count(*) as queued_versions FROM appVersion, appMaintainers
WHERE queued='true' AND appMaintainers.superMaintainer ='1'
AND appVersion.appId = appMaintainers.appId
AND appMaintainers.userId ='".$this->iUserId."';";
AND appMaintainers.userId ='?'", $this->iUserId);
}
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
/* we don't want to count the versions that are implicit in the applications */
@@ -428,8 +440,9 @@ class User {
if(!$this->isLoggedIn() || !$sPriv)
return false;
$hRresult = query_appdb("DELETE FROM user_privs WHERE userid = $this->iUserId AND priv = '$sPriv'");
return $hRresult;
$hResult = query_parameters("DELETE FROM user_privs WHERE userid = '?' AND priv = '?'",
$this->iUserId, $sPriv);
return $hResult;
}
@@ -466,6 +479,12 @@ class User {
*/
function getAppDataQuery($iAppDataId, $queryQueuedCount, $queryQueued)
{
/* escape all of the input variables */
/* code is too complex to easily use query_parameters() */
$iAppDataId = mysql_real_escape_string($iAppDataId);
$queryQueuedCount = mysql_real_escape_string($queryQueuedCount);
$queryQueued = mysql_real_escape_string($queryQueued);
/* either look for queued app data entries */
/* or ones that match the given id */
if($queryQueuedCount)
@@ -503,7 +522,7 @@ class User {
AND (appMaintainers.superMaintainer = '0'))
)
AND appData.versionId = appVersion.versionId
AND appMaintainers.userId = '".$this->iUserId."'
AND appMaintainers.userId = '".mysql_real_escape_string($this->iUserId)."'
".$additionalTerms.";";
}
@@ -518,9 +537,8 @@ class User {
if(!$_SESSION['current']->canDeleteAppDataId($iAppDataId))
return false;
$sQuery = "DELETE from appData where id = ".$iAppDataId."
LIMIT 1;";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("DELETE from appData where id = '?' LIMIT 1",
$iAppDataId);
if($hResult)
return true;
@@ -532,6 +550,9 @@ class User {
*/
function getAppQueueQuery($queryAppFamily)
{
/* escape input as we can't easily use query_parameters() */
$queryAppFamily = mysql_real_escape_string($queryAppFamily);
if($this->hasPriv("admin"))
{
if($queryAppFamily)
@@ -551,7 +572,7 @@ class User {
WHERE queued = 'true'
AND appFamily.appId = appMaintainers.appId
AND appMaintainers.superMaintainer = '1'
AND appMaintainers.userId = '".$this->iUserId."';";
AND appMaintainers.userId = '".mysql_real_escape_string($this->iUserId)."';";
} else
{
$sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily, appMaintainers
@@ -559,7 +580,7 @@ class User {
AND appFamily.queued = 'false' AND appVersion.queued = 'true'
AND appFamily.appId = appMaintainers.appId
AND appMaintainers.superMaintainer = '1'
AND appMaintainers.userId = '".$this->iUserId."';";
AND appMaintainers.userId = '".mysql_real_escape_string($this->iUserId)."';";
}
}
@@ -568,6 +589,9 @@ class User {
function getAppRejectQueueQuery($queryAppFamily)
{
/* escape input as we can't easily use query_parameters() */
$queryAppFamily = mysql_real_escape_string($queryAppFamily);
if($this->hasPriv("admin"))
{
if($queryAppFamily)
@@ -585,13 +609,13 @@ class User {
{
$sQuery = "SELECT appFamily.appId FROM appFamily
WHERE queued = 'rejected'
AND appFamily.submitterId = '".$this->iUserId."';";
AND appFamily.submitterId = '".mysql_real_escape_string($this->iUserId)."';";
} else
{
$sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily
WHERE appFamily.appId = appVersion.appId
AND appFamily.queued = 'false' AND appVersion.queued = 'rejected'
AND appVersion.submitterId = '".$this->iUserId."';";
AND appVersion.submitterId = '".mysql_real_escape_string($this->iUserId)."';";
}
}
@@ -600,11 +624,12 @@ class User {
function getAllRejectedApps()
{
$hResult = query_appdb("SELECT appVersion.versionId, appFamily.appId
$hResult = query_parameters("SELECT appVersion.versionId, appFamily.appId
FROM appVersion, appFamily
WHERE appFamily.appId = appVersion.appId
AND (appFamily.queued = 'rejected' OR appVersion.queued = 'rejected')
AND appVersion.submitterId = '".$this->iUserId."';");
AND appVersion.submitterId = '?'",
$this->iUserId);
if(!$hResult || mysql_num_rows($hResult) == 0)
return;
@@ -622,10 +647,10 @@ class User {
function isAppSubmitter($iAppId)
{
$sQuery = "SELECT appId FROM appFamily
WHERE submitterId = '".$this->iUserId."'
AND appId = '".$iAppId."';";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT appId FROM appFamily
WHERE submitterId = '?'
AND appId = '?'",
$this->iUserId, $iAppId);
if(mysql_num_rows($hResult))
return true;
else
@@ -634,11 +659,11 @@ class User {
function isVersionSubmitter($iVersionId)
{
$sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily
$hResult = query_parameters("SELECT appVersion.versionId FROM appVersion, appFamily
WHERE appFamily.appId = appVersion.appId
AND appVersion.submitterId = '".$this->iUserId."'
AND appVersion.versionId = '".$iVersionId."';";
$hResult = query_appdb($sQuery);
AND appVersion.submitterId = '?'
AND appVersion.versionId = '?'",
$this->iUserId, $iVersionId);
if(mysql_num_rows($hResult))
return true;
else
@@ -649,18 +674,18 @@ class User {
/* otherwise we return false */
function hasDataAssociated()
{
$sQuery = "SELECT count(userId) as c FROM appComments WHERE userId = $this->iUserId";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT count(userId) as c FROM appComments WHERE userId = '?'",
$this->iUserId);
$ob = mysql_fetch_object($hResult);
if($ob->c != 0) return true;
$sQuery = "SELECT count(userId) as c FROM appMaintainers WHERE userId = $this->iUserId";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT count(userId) as c FROM appMaintainers WHERE userId = '?'",
$this->iUserId);
$ob = mysql_fetch_object($hResult);
if($ob->c != 0) return true;
$sQuery = "SELECT count(userId) as c FROM appVotes WHERE userId = $this->iUserId";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT count(userId) as c FROM appVotes WHERE userId = '?'",
$this->iUserId);
$ob = mysql_fetch_object($hResult);
if($ob->c != 0) return true;
@@ -693,8 +718,8 @@ class User {
mail_appdb($this->sEmail, $sSubject, $sMsg);
/* mark this user as being inactive and set the appropriate timestamp */
$sQuery = "update user_list set inactivity_warned='true', inactivity_warn_stamp=NOW() where userid=".$this->iUserId;
query_appdb($sQuery);
$sQuery = "update user_list set inactivity_warned='true', inactivity_warn_stamp=NOW() where userid='?'";
query_parameters($sQuery, $this->iUserId);
return true;
}
@@ -1032,23 +1057,25 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
*/
if($iVersionId)
{
$sQuery = "SELECT appMaintainers.userId
$hResult = query_parameters("SELECT appMaintainers.userId
FROM appMaintainers, appVersion
WHERE appVersion.appId = appMaintainers.appId
AND appVersion.versionId = '".$iVersionId."'";
AND appVersion.versionId = '?'",
$iVersionId);
}
/*
* If versionId was not supplied we fetch supermaintainers of application and maintainer of all versions.
*/
elseif($iAppId)
{
$sQuery = "SELECT userId
$hResult = query_parameters("SELECT userId
FROM appMaintainers
WHERE appId = '".$iAppId."'";
WHERE appId = '?'",
$iAppId);
}
if($sQuery)
if($hResult)
{
$hResult = query_appdb($sQuery);
if(mysql_num_rows($hResult) > 0)
{
while($oRow = mysql_fetch_object($hResult))
@@ -1067,23 +1094,24 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
*/
if($iVersionId)
{
$sQuery = "SELECT appMonitors.userId
$hResult = query_parameters("SELECT appMonitors.userId
FROM appMonitors, appVersion
WHERE appVersion.appId = appMonitors.appId
AND appVersion.versionId = '".$iVersionId."'";
AND appVersion.versionId = '?'",
$iVersionId);
}
/*
* If versionId was not supplied we fetch superMonitors of application and Monitors of all versions.
*/
elseif($iAppId)
{
$sQuery = "SELECT userId
$hResult = query_parameters("SELECT userId
FROM appMonitors
WHERE appId = '".$iAppId."'";
WHERE appId = '?'",
$iAppId);
}
if($sQuery)
if($hResult)
{
$hResult = query_appdb($sQuery);
if(mysql_num_rows($hResult) > 0)
{
while($oRow = mysql_fetch_object($hResult))
@@ -1097,7 +1125,7 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
/*
* Retrieve administrators.
*/
$hResult = query_appdb("SELECT * FROM user_privs WHERE priv = 'admin'");
$hResult = query_parameters("SELECT * FROM user_privs WHERE priv = 'admin'");
if(mysql_num_rows($hResult) > 0)
{
while($oRow = mysql_fetch_object($hResult))
@@ -1128,7 +1156,7 @@ function get_notify_email_address_list($iAppId = null, $iVersionId = null)
*/
function get_number_of_users()
{
$hResult = query_appdb("SELECT count(*) as num_users FROM user_list;");
$hResult = query_parameters("SELECT count(*) as num_users FROM user_list;");
$oRow = mysql_fetch_object($hResult);
return $oRow->num_users;
}
@@ -1139,7 +1167,8 @@ function get_number_of_users()
*/
function get_active_users_within_days($days)
{
$hResult = query_appdb("SELECT count(*) as num_users FROM user_list WHERE stamp >= DATE_SUB(CURDATE(), interval $days day);");
$hResult = query_parameters("SELECT count(*) as num_users FROM user_list WHERE stamp >= DATE_SUB(CURDATE(), interval '?' day);",
$days);
$oRow = mysql_fetch_object($hResult);
return $oRow->num_users;
}
@@ -1152,8 +1181,7 @@ function get_active_users_within_days($days)
function get_inactive_users_pending_deletion()
{
/* retrieve the number of users that have been warned and are pending deletion */
$sQuery = "select count(*) as count from user_list where inactivity_warned = 'true'";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("select count(*) as count from user_list where inactivity_warned = 'true'");
$oRow = mysql_fetch_object($hResult);
return $oRow->count;
}
@@ -1164,10 +1192,12 @@ function get_inactive_users_pending_deletion()
*/
function user_exists($sEmail)
{
$hResult = query_appdb("SELECT userid FROM user_list WHERE email = '$sEmail'");
$hResult = query_parameters("SELECT userid FROM user_list WHERE email = '?'",
$sEmail);
if(!$hResult || mysql_num_rows($hResult) != 1)
{
return 0;
else
} else
{
$oRow = mysql_fetch_object($hResult);
return $oRow->userid;


@@ -164,7 +164,7 @@ function make_maintainer_rating_list($varname, $cvalue)
function getQueuedMaintainerCount()
{
$sQuery = "SELECT count(*) as queued_maintainers FROM appMaintainerQueue";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult);
return $oRow->queued_maintainers;
}
@@ -173,7 +173,7 @@ function getQueuedMaintainerCount()
function getMaintainerCount()
{
$sQuery = "SELECT count(*) as maintainers FROM appMaintainers";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult);
return $oRow->maintainers;
}
@@ -182,7 +182,7 @@ function getMaintainerCount()
function getVendorCount()
{
$sQuery = "SELECT count(*) as vendors FROM vendor";
$hResult = query_appdb($sQuery);
$hResult = query_parameters($sQuery);
$oRow = mysql_fetch_object($hResult);
return $oRow->vendors;
}
@@ -190,7 +190,7 @@ function getVendorCount()
/* Get the number of users in the database */
function getNumberOfComments()
{
$hResult = query_appdb("SELECT count(*) as num_comments FROM appComments;");
$hResult = query_parameters("SELECT count(*) as num_comments FROM appComments;");
$oRow = mysql_fetch_object($hResult);
return $oRow->num_comments;
}
@@ -198,7 +198,7 @@ function getNumberOfComments()
/* Get the number of versions in the database */
function getNumberOfVersions()
{
$hResult = query_appdb("SELECT count(versionId) as num_versions FROM appVersion WHERE versionName != 'NONAME';");
$hResult = query_parameters("SELECT count(versionId) as num_versions FROM appVersion WHERE versionName != 'NONAME';");
$oRow = mysql_fetch_object($hResult);
return $oRow->num_versions;
}
@@ -206,14 +206,14 @@ function getNumberOfVersions()
/* Get the number of maintainers in the database */
function getNumberOfMaintainers()
{
$hResult = query_appdb("SELECT DISTINCT userId FROM appMaintainers;");
$hResult = query_parameters("SELECT DISTINCT userId FROM appMaintainers;");
return mysql_num_rows($hResult);
}
/* Get the number of app familes in the database */
function getNumberOfAppFamilies()
{
$hResult = query_appdb("SELECT count(*) as num_appfamilies FROM appFamily;");
$hResult = query_parameters("SELECT count(*) as num_appfamilies FROM appFamily;");
$oRow = mysql_fetch_object($hResult);
return $oRow->num_appfamilies;
}
@@ -221,7 +221,7 @@ function getNumberOfAppFamilies()
/* Get the number of images in the database */
function getNumberOfImages()
{
$hResult = query_appdb("SELECT count(*) as num_images FROM appData WHERE type='image';");
$hResult = query_parameters("SELECT count(*) as num_images FROM appData WHERE type='image';");
$oRow = mysql_fetch_object($hResult);
return $oRow->num_images;
}
@@ -229,7 +229,7 @@ function getNumberOfImages()
/* Get the number of queued bug links in the database */
function getNumberOfQueuedBugLinks()
{
$hResult = query_appdb("SELECT count(*) as num_buglinks FROM buglinks WHERE queued='true';");
$hResult = query_parameters("SELECT count(*) as num_buglinks FROM buglinks WHERE queued='true';");
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
@@ -241,7 +241,7 @@ function getNumberOfQueuedBugLinks()
/* Get the number of bug links in the database */
function getNumberOfBugLinks()
{
$hResult = query_appdb("SELECT count(*) as num_buglinks FROM buglinks;");
$hResult = query_parameters("SELECT count(*) as num_buglinks FROM buglinks;");
if($hResult)
{
$oRow = mysql_fetch_object($hResult);
@@ -252,8 +252,9 @@ function getNumberOfBugLinks()
function lookupVendorName($vendorId)
{
$sResult = query_appdb("SELECT * FROM vendor ".
"WHERE vendorId = ".$vendorId);
$sResult = query_parameters("SELECT * FROM vendor ".
"WHERE vendorId = '?'",
$vendorId);
if(!$sResult || mysql_num_rows($sResult) != 1)
return "Unknown vendor";
@@ -278,18 +279,22 @@ function outputTopXRow($oRow)
/* Output the rows for the Top-X tables on the main page */
function outputTopXRowAppsFromRating($rating, $num_apps)
{
/* clean the input values so we can continue to use query_appdb() */
$rating = mysql_real_escape_string($rating);
$num_apps = mysql_real_escape_string($num_apps);
/* list of appIds we've already output, so we don't output */
/* them again when filling in any empty spots in the list */
$appIdArray = array();
$sQuery = "SELECT appVotes.appId AS appId, appVersion.versionId, COUNT( appVotes.appId ) AS c
FROM appVotes, appVersion
WHERE appVersion.maintainer_rating = '$rating'
WHERE appVersion.maintainer_rating = '?'
AND appVersion.appId = appVotes.appId
GROUP BY appVotes.appId
ORDER BY c DESC
LIMIT $num_apps";
$hResult = query_appdb($sQuery);
LIMIT ?";
$hResult = query_parameters($sQuery, $rating, $num_apps);
$num_apps-=mysql_num_rows($hResult); /* take away the rows we are outputting here */
while($oRow = mysql_fetch_object($hResult))
{
@@ -409,9 +414,9 @@ function searchForApplication($search_words)
/* search parameters */
foreach ($split_words as $key=>$value)
{
$sQuery = "SELECT vendorId from vendor where vendorName LIKE '%".addslashes($value)."%'
OR vendorURL LIKE '%".addslashes($value)."%'";
$hResult = query_appdb($sQuery);
$sQuery = "SELECT vendorId from vendor where vendorName LIKE '%?%'
OR vendorURL LIKE '%?%'";
$hResult = query_parameters($sQuery, $value, $value);
while($oRow = mysql_fetch_object($hResult))
{
array_push($vendorIdArray, $oRow->vendorId);
@@ -424,13 +429,13 @@ function searchForApplication($search_words)
WHERE appName != 'NONAME'
AND appFamily.vendorId = vendor.vendorId
AND queued = 'false'
AND (appName LIKE '%".addslashes($search_words)."%'
OR keywords LIKE '%".addslashes($search_words)."%'";
AND (appName LIKE '%".mysql_real_escape_string($search_words)."%'
OR keywords LIKE '%".mysql_real_escape_string($search_words)."%'";
/* append to the query any vendors that we matched with */
foreach($vendorIdArray as $key=>$value)
{
$sQuery.=" OR appFamily.vendorId=$value";
$sQuery.=" OR appFamily.vendorId=".mysql_real_escape_string($value);
}
$sQuery.=" ) ORDER BY appName";
@@ -459,7 +464,7 @@ function searchForApplicationFuzzy($search_words, $minMatchingPercent)
$sQuery = "SELECT appName, appId FROM appFamily WHERE queued = 'false'";
foreach ($excludeAppIdArray as $key=>$value)
{
$sQuery.=" AND appId != '$value'";
$sQuery.=" AND appId != '".mysql_real_escape_string($value)."'";
}
$sQuery.=";";
@@ -488,11 +493,11 @@ function searchForApplicationFuzzy($search_words, $minMatchingPercent)
{
if($firstEntry == true)
{
$sQuery.="appId='$value'";
$sQuery.="appId='".mysql_real_escape_string($value)."'";
$firstEntry = false;
} else
{
$sQuery.=" OR appId='$value'";
$sQuery.=" OR appId='".mysql_real_escape_string($value)."'";
}
}
$sQuery.=" ORDER BY appName;";
@@ -530,7 +535,8 @@ function outputSearchTableForhResult($search_words, $hResult)
$bgcolor = ($c % 2) ? 'color0' : 'color1';
//count versions
$hResult2 = query_appdb("SELECT count(*) as versions FROM appVersion WHERE appId = $oRow->appId AND versionName != 'NONAME' and queued = 'false'");
$hResult2 = query_parameters("SELECT count(*) as versions FROM appVersion WHERE appId = '?' AND versionName != 'NONAME' and queued = 'false'",
$oRow->appId);
$y = mysql_fetch_object($hResult2);
//display row
@@ -609,7 +615,7 @@ function process_app_version_changes($isVersion)
if ($_REQUEST['adelete'][$i] == "on")
{
$hResult = query_appdb("DELETE FROM appData WHERE id = '{$_REQUEST['aId'][$i]}'");
$hResult = query_parameters("DELETE FROM appData WHERE id = '?'", $_REQUEST['aId'][$i]);
if($hResult)
{
@@ -627,9 +633,9 @@ function process_app_version_changes($isVersion)
addmsg("The URL or description was blank. URL not changed in the database", "red");
else
{
$sUpdate = compile_update_string( array( 'description' => $_REQUEST['adescription'][$i],
'url' => $_REQUEST['aURL'][$i]));
if (query_appdb("UPDATE appData SET $sUpdate WHERE id = '{$_REQUEST['aId'][$i]}'"))
if (query_parameters("UPDATE appData SET description = '?', url = '?' WHERE id = '?'",
$_REQUEST['adescription'][$i], $_REQUEST['aURL'][$i],
$_REQUEST['aId'][$i]))
{
addmsg("<p><b>Successfully updated ".$_REQUEST['aOldDesc'][$i]." (".$_REQUEST['aOldURL'][$i].")</b></p>\n",'green');
$sWhatChanged .= "Changed Url: Old Description: ".stripslashes($_REQUEST['aOldDesc'][$i])."\n";


@@ -25,8 +25,8 @@ class Vendor {
*/
$sQuery = "SELECT *
FROM vendor
WHERE vendorId = ".$iVendorId;
if($hResult = query_appdb($sQuery))
WHERE vendorId = '?'";
if($hResult = query_parameters($sQuery, $iVendorId))
{
$oRow = mysql_fetch_object($hResult);
$this->iVendorId = $iVendorId;
@@ -39,8 +39,8 @@ class Vendor {
*/
$sQuery = "SELECT appId
FROM appFamily
WHERE vendorId = ".$iVendorId;
if($hResult = query_appdb($sQuery))
WHERE vendorId = '?'";
if($hResult = query_parameters($sQuery, $iVendorId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -83,14 +83,16 @@ class Vendor {
if($sName)
{
if (!query_appdb("UPDATE vendor SET vendorName = '".$sName."' WHERE vendorId = ".$this->iVendorId))
if (!query_parameters("UPDATE vendor SET vendorName = '?' WHERE vendorId = '?'",
$sName, $this->iVendorId))
return false;
$this->sName = $sName;
}
if($sWebpage)
{
if (!query_appdb("UPDATE vendor SET vendorURL = '".$sWebpage."' WHERE vendorId = ".$this->iVendorId))
if (!query_parameters("UPDATE vendor SET vendorURL = '?' WHERE vendorId = '?'",
$sWebpage, $this->iVendorId))
return false;
$this->sWebpage = $sWebpage;
}
@@ -109,9 +111,9 @@ class Vendor {
} else
{
$sQuery = "DELETE FROM vendor
WHERE vendorId = ".$this->iVendorId."
WHERE vendorId = '?'
LIMIT 1";
query_appdb($sQuery);
query_parameters($sQuery, $this->iVendorId);
addmsg("The vendor has been deleted.", "green");
}
}
@@ -139,7 +141,7 @@ class Vendor {
/* Get the total number of Vendors in the database */
function getNumberOfVendors()
{
$hResult = query_appdb("SELECT count(*) as num_vendors FROM vendor");
$hResult = query_parameters("SELECT count(*) as num_vendors FROM vendor");
if($hResult)
{
$oRow = mysql_fetch_object($hResult);


@@ -47,8 +47,8 @@ class Version {
{
$sQuery = "SELECT *
FROM appVersion
WHERE versionId = ".$iVersionId;
if($hResult = query_appdb($sQuery))
WHERE versionId = '?'";
if($hResult = query_parameters($sQuery, $iVersionId))
{
$oRow = mysql_fetch_object($hResult);
$this->iVersionId = $iVersionId;
@@ -73,8 +73,8 @@ class Version {
$this->aNotesIds = array();
$sQuery = "SELECT noteId
FROM appNotes
WHERE versionId = ".$iVersionId;
if($hResult = query_appdb($sQuery))
WHERE versionId = '?'";
if($hResult = query_parameters($sQuery, $iVersionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -88,8 +88,8 @@ class Version {
$this->aCommentsIds = array();
$sQuery = "SELECT commentId
FROM appComments
WHERE versionId = ".$iVersionId;
if($hResult = query_appdb($sQuery))
WHERE versionId = '?'";
if($hResult = query_parameters($sQuery, $iVersionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -105,9 +105,9 @@ class Version {
$this->aUrlsIds = array();
$sQuery = "SELECT id, type
FROM appData
WHERE versionId = ".$iVersionId;
WHERE versionId = '?'";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $iVersionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -124,9 +124,9 @@ class Version {
$this->aBuglinkIds = array();
$sQuery = "SELECT *
FROM buglinks
WHERE versionId = ".$iVersionId."
WHERE versionId = '?'
ORDER BY bug_id";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $iVersionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -140,9 +140,9 @@ class Version {
$this->aTestingIds = array();
$sQuery = "SELECT *
FROM testResults
WHERE versionId = ".$iVersionId."
WHERE versionId = '?'
ORDER BY testingId";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $iVersionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -156,9 +156,9 @@ class Version {
$this->aMonitorIds = array();
$sQuery = "SELECT *
FROM appMonitors
WHERE versionId = ".$iVersionId."
WHERE versionId = '?'
ORDER BY monitorId";
if($hResult = query_appdb($sQuery))
if($hResult = query_parameters($sQuery, $iVersionId))
{
while($oRow = mysql_fetch_object($hResult))
{
@@ -218,16 +218,16 @@ class Version {
if ($this->sName && ($this->sName!=$oVersion->sName))
{
$sUpdate = compile_update_string(array('versionName' => $this->sName));
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if (!query_parameters("UPDATE appVersion SET versionName = '?' WHERE versionId = '?'",
$this->sName, $this->iVersionId))
return false;
$sWhatChanged .= "Name was changed from:\n\t'".$oVersion->sName."'\nto:\n\t'".$this->sName."'\n\n";
}
if ($this->sDescription && ($this->sDescription!=$oVersion->sDescription))
{
$sUpdate = compile_update_string(array('description' => $this->sDescription));
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if (!query_parameters("UPDATE appVersion SET description = '?' WHERE versionId = '?'",
$this->sDescription, $this->iVersionId))
return false;
if($oVersion->sDescription != "")
@@ -238,8 +238,8 @@ class Version {
if ($this->sTestedRelease && ($this->sTestedRelease!=$oVersion->sTestedRelease))
{
$sUpdate = compile_update_string(array('maintainer_release' => $this->sTestedRelease));
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if (!query_parameters("UPDATE appVersion SET maintainer_release = '?' WHERE versionId = '?'",
$this->sTestedRelease, $this->iVersionId))
return false;
if($oVersion->sTestedRelease != "")
@@ -250,8 +250,8 @@ class Version {
if ($this->sTestedRating && ($this->sTestedRating!=$oVersion->sTestedRating))
{
$sUpdate = compile_update_string(array('maintainer_rating' => $this->sTestedRating));
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if (!query_parameters("UPDATE appVersion SET maintainer_rating = '?' WHERE versionId = '?'",
$this->sTestedRating, $this->iVersionId))
return false;
if($this->sTestedRating != "")
@@ -262,8 +262,8 @@ class Version {
if ($this->iAppId && ($this->iAppId!=$oVersion->iAppId))
{
$sUpdate = compile_update_string(array('appId' => $this->iAppId));
if (!query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if (!query_parameters("UPDATE appVersion SET appId = '?' WHERE versionId = '?'",
$this->iAppId, $this->iVersionId))
return false;
$oAppBefore = new Application($oVersion->iAppId);
$oAppAfter = new Application($this->iAppId);
@@ -324,17 +324,17 @@ class Version {
}
// remove any maintainers for this version so we don't orphan them
$sQuery = "DELETE from appMaintainers WHERE versionId='".$this->iVersionId."';";
if(!($hResult = query_appdb($sQuery)))
$hResult = query_parameters("DELETE from appMaintainers WHERE versionId='?'", $this->iVersionId);
if(!$hResult)
{
addmsg("Error removing version maintainers for the deleted version!", "red");
}
/* now delete the version */
$sQuery = "DELETE FROM appVersion
WHERE versionId = ".$this->iVersionId."
LIMIT 1";
if(!($hResult = query_appdb($sQuery)))
$hResult = query_parameters("DELETE FROM appVersion
WHERE versionId = '?'
LIMIT 1", $this->iVersionId);
if(!$hResult)
{
addmsg("Error removing the deleted version!", "red");
}
@@ -360,8 +360,8 @@ class Version {
if(!$this->sQueued == 'true')
return false;
$sUpdate = compile_update_string(array('queued' => "false"));
if(query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if(query_parameters("UPDATE appVersion SET queued = '?' WHERE versionId = '?'",
"false", $this->iVersionId))
{
$this->sQueued = 'false';
// we send an e-mail to intersted people
@@ -379,8 +379,8 @@ class Version {
if(!$this->sQueued == 'true')
return false;
$sUpdate = compile_update_string(array('queued' => "rejected"));
if(query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if(query_parameters("UPDATE appVersion SET queued = '?' WHERE versionId = '?'",
"rejected", $this->iVersionId))
{
$this->sQueued = 'rejected';
// we send an e-mail to intersted people
@@ -399,8 +399,8 @@ class Version {
if(!$_SESSION['current']->canRequeueVersion($this))
return;
$sUpdate = compile_update_string(array('queued' => "true"));
if(query_appdb("UPDATE appVersion SET ".$sUpdate." WHERE versionId = ".$this->iVersionId))
if(query_parameters("UPDATE appVersion SET queued = '?' WHERE versionId = '?'",
"true", $this->iVersionId))
{
$this->sQueued = 'true';
// we send an e-mail to intersted people
@@ -662,7 +662,8 @@ class Version {
echo " <tr class=\"color1\"><td><b>URL</b></td><td>".$appLinkURL."</td></tr>\n";
// links
$result = query_appdb("SELECT * FROM appData WHERE versionID = ".$this->iVersionId." AND type = 'url'");
$result = query_parameters("SELECT * FROM appData WHERE versionID = '?' AND type = 'url'",
$this->iVersionId);
if($result && mysql_num_rows($result) > 0)
{
echo " <tr class=\"color1\"><td><b>Links</b></td><td>\n";
@@ -826,7 +827,8 @@ class Version {
view_version_bugs($this->iVersionId, $this->aBuglinkIds);
$rNotes = query_appdb("SELECT * FROM appNotes WHERE versionId = ".$this->iVersionId);
$rNotes = query_parameters("SELECT * FROM appNotes WHERE versionId = '?'",
$this->iVersionId);
while( $oNote = mysql_fetch_object($rNotes) )
{


@@ -17,7 +17,8 @@ function vote_count($appId, $userId = null)
else
return 0;
}
$hResult = query_appdb("SELECT * FROM appVotes WHERE appId = $appId AND userId = $userId");
$hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?' AND userId = '?'",
$appId, $userId);
return mysql_num_rows($hResult);
}
@@ -34,7 +35,7 @@ function vote_count_user_total($userId = null)
else
return 0;
}
$hResult = query_appdb("SELECT * FROM appVotes WHERE userId = $userId");
$hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);
return mysql_num_rows($hResult);
}
@@ -44,7 +45,7 @@ function vote_count_user_total($userId = null)
*/
function vote_count_app_total($appId)
{
$hResult = query_appdb("SELECT * FROM appVotes WHERE appId = $appId");
$hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?'", $appId);
return mysql_num_rows($hResult);
}
@@ -86,8 +87,8 @@ function vote_remove($slot, $userId = null)
return;
}
$sQuery="DELETE FROM appVotes WHERE userId = $userId AND slot = $slot";
query_appdb($sQuery);
$sQuery = "DELETE FROM appVotes WHERE userId = '?' AND slot = '?'";
query_parameters($sQuery, $userId, $slot);
}
@@ -100,7 +101,7 @@ function vote_get_user_votes($userId = null)
if(!$userId)
return array();
}
$hResult = query_appdb("SELECT * FROM appVotes WHERE userId = $userId");
$hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);
if(!$hResult)
return array();
@@ -196,8 +197,8 @@ function is_vote_in_slot($slot, $userId = null)
return;
}
$sQuery="SELECT COUNT(*) as count from appVotes WHERE userId = '".$userId."' AND slot = '".$slot."';";
if($hResult = query_appdb($sQuery))
$sQuery = "SELECT COUNT(*) as count from appVotes WHERE userId = '?' AND slot = '?'";
if($hResult = query_parameters($sQuery, $userId, $slot))
{
$oRow = mysql_fetch_object($hResult);
if($oRow->count != 0)


@@ -63,7 +63,7 @@ If you have screenshots or links to contribute, please browse the database and u
"FROM appVotes, appFamily ".
"WHERE appVotes.appId = appFamily.appId ".
"GROUP BY appId ORDER BY count DESC LIMIT 1";
$hResult = query_appdb($voteQuery);
$hResult = query_parameters($voteQuery);
$oRow = mysql_fetch_object($hResult);
$voteAppId = $oRow->appId;


@@ -54,7 +54,7 @@ if($_SESSION['current']->hasPriv("admin") &&
function build_prefs_list()
{
global $oUser;
$hResult = query_appdb("SELECT * FROM prefs_list ORDER BY id");
$hResult = query_parameters("SELECT * FROM prefs_list ORDER BY id");
while($hResult && $r = mysql_fetch_object($hResult))
{
//skip admin options


@@ -73,8 +73,7 @@ else
apidb_header("View Vendors");
//get available vendors
$sQuery = "SELECT vendorId FROM vendor ORDER BY vendorName, vendorId;";
$hResult = query_appdb($sQuery);
$hResult = query_parameters("SELECT vendorId FROM vendor ORDER BY vendorName, vendorId;");
// show vendorlist
echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n";
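Review bot: `$sQuery` on the line above the replaced call is now dead: the SQL was inlined into the `query_parameters(...)` argument while the assignment was kept, so the same query text now lives twice in this file and the two copies can drift apart on the next edit. Either pass the variable, `$hResult = query_parameters($sQuery);`, as the other hunks in this commit do, or drop the assignment. The enclosing `else` block starts and ends outside the hunk.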


@@ -64,9 +64,10 @@ echo "</form>";
echo "</center>";
/* query for all of the Screenshots in assending order */
$Ids = query_appdb("SELECT * from appData
$Ids = query_parameters("SELECT * from appData
WHERE type = 'image'
ORDER BY id ASC LIMIT $offset, $ItemsPerPage;");
ORDER BY id ASC LIMIT ?, ?",
$offset, $ItemsPerPage);
$c = 1;
echo "<div align=center><table><tr>\n";
while ($oRow = mysql_fetch_object($Ids))


@@ -29,17 +29,17 @@ if( !is_numeric($aClean['bug_id']))
echo '</tr>',"\n";
$sQuery = "SELECT appFamily.description as appDescription,
$hResult = query_parameters("SELECT appFamily.description as appDescription,
appFamily.appName as appName,
appVersion.*, buglinks.versionId as versionId
FROM appFamily, appVersion, buglinks
WHERE appFamily.appId = appVersion.appId
and buglinks.versionId = appVersion.versionId
AND buglinks.bug_id = ".$aClean['bug_id']."
ORDER BY versionName";
AND buglinks.bug_id = '?'
ORDER BY versionName", $aClean['bug_id']);
$c = 0;
if($hResult = query_appdb($sQuery))
if($hResult)
{
while($oRow = mysql_fetch_object($hResult))
{
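Review bot: The eight-line SQL literal is now embedded directly in the `query_parameters(` argument list, and its result check `if($hResult)` is separated from the call by the unrelated `$c = 0;`, which makes the control flow harder to follow than the original one-statement form. Keeping the query in `$sQuery` and writing `if($hResult = query_parameters($sQuery, $aClean['bug_id']))` would preserve the old shape and match how `is_vote_in_slot` is converted in the votes file. The `'?'` placeholder is quoted and the hunk header shows the value already passed an `is_numeric` guard, so the substitution itself looks sound. The enclosing block continues outside the hunk.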


@@ -66,8 +66,8 @@ if($catId != 0)
do
{
$catQuery = "SELECT appCategory.catName, appCategory.catParent ".
"FROM appCategory WHERE appCategory.catId = '$currentCatId';";
$hResult = query_appdb($catQuery);
"FROM appCategory WHERE appCategory.catId = '?'";
$hResult = query_parameters($catQuery, $currentCatId);
if($hResult)
{
@@ -142,10 +142,10 @@ echo '<br />';
if(strcasecmp($categoryId, "any") == 0)
{
/* leave out the appFamily.catId = '$categoryId' */
$sVoteQuery = "SELECT appVotes.appId, appName, count(userId) as count ".
$hResult = query_parameters("SELECT appVotes.appId, appName, count(userId) as count ".
"FROM appVotes, appFamily ".
"WHERE appVotes.appId = appFamily.appId ".
"GROUP BY appId ORDER BY count DESC LIMIT $topNumber";
"GROUP BY appId ORDER BY count DESC LIMIT ?", $topNumber);
} else
{
/* Display all application for a given category (including sub categories)
@@ -156,19 +156,19 @@ if(strcasecmp($categoryId, "any") == 0)
c.catId =29
OR c.catParent =29)*/
$sVoteQuery = "SELECT v.appId, f.appName, count( v.appId ) AS count
$hResult = query_parameters("SELECT v.appId, f.appName, count( v.appId ) AS count
FROM appFamily AS f, appCategory AS c, appVotes AS v
WHERE v.appId = f.appId
AND f.catId = c.catId
AND (
c.catId = '$categoryId'
OR c.catParent = '$categoryId'
c.catId = '?'
OR c.catParent = '?'
)
GROUP BY appId
ORDER BY count DESC LIMIT $topNumber";
ORDER BY count DESC LIMIT ?", $categoryId, $categoryId, $topNumber);
}
if($hResult = query_appdb($sVoteQuery))
if($hResult)
{
echo html_frame_start("", "90%", '', 0);
echo html_table_begin("width='100%' align=center");