From fad9278013e9f453f8100bd1e37f973ea2872cb6 Mon Sep 17 00:00:00 2001
From: Chris Morgan
Date: Tue, 4 Jul 2006 03:43:06 +0000
Subject: [PATCH] Stop using compile_update_string().

compile_update_string() can be passed a value that includes a character considered special by query_parameters(). We then use the output from compile_update_string() as a part of the first parameter to query_parameters(), the format string. Having extra special characters causes a token mismatch and query_parameters() will reject the queries entirely. Remove now unused compile_update_string().
---
 include/application.php | 46 +++++++++++++++------------------------
 include/bugs.php | 5 ++---
 include/db.php | 29 ------------------------
 include/distributions.php | 6 ++---
 include/testResults.php | 37 ++++++++++++++++++++-----------
 5 files changed, 46 insertions(+), 77 deletions(-)
diff --git a/include/application.php b/include/application.php
index 879e0ea..e032084 100644
--- a/include/application.php
+++ b/include/application.php
@@ -148,45 +148,40 @@ class Application { if ($this->sName && ($this->sName!=$oApp->sName)) { - $sUpdate = compile_update_string(array('appName' => $this->sName)); - if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if (!query_parameters("UPDATE appFamily SET appName = '?' WHERE appId = '?'", + $this->sName, $this->iAppId)) return false; $sWhatChanged .= "Name was changed from ".$oApp->sName." to ".$this->sName.".\n\n"; } if ($this->sDescription && ($this->sDescription!=$oApp->sDescription)) { - $sUpdate = compile_update_string(array('description' => $this->sDescription)); - if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if (!query_parameters("UPDATE appFamily SET description = '?' WHERE appId = '?'", + $this->sDescription, $this->iAppId)) return false; $sWhatChanged .= "Description was changed from\n ".$oApp->sDescription."\n to \n".$this->sDescription.".\n\n"; } if ($this->sKeywords && ($this->sKeywords!=$oApp->sKeywords)) { - $sUpdate = compile_update_string(array('keywords' => $this->sKeywords)); - if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if (!query_parameters("UPDATE appFamily SET keywords = '?' WHERE appId = '?'", + $this->sKeywords, $this->iAppId)) return false; $sWhatChanged .= "Keywords were changed from\n ".$oApp->sKeywords."\n to \n".$this->sKeywords.".\n\n"; } if ($this->sWebpage && ($this->sWebpage!=$oApp->sWebpage)) { - $sUpdate = compile_update_string(array('webPage' => $this->sWebpage)); - if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if (!query_parameters("UPDATE appFamily SET webPage = '?' WHERE appId = '?'", + $this->sWebPage, $this->iAppId)) return false; $sWhatChanged .= "Web page was changed from ".$oApp->sWebpage." 
to ".$this->sWebpage.".\n\n"; } if ($this->iVendorId && ($this->iVendorId!=$oApp->iVendorId)) { - $sUpdate = compile_update_string(array('vendorId' => $this->iVendorId)); - if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if (!query_parameters("UPDATE appFamily SET vendorId = '?' WHERE appId = '?'", + $this->iVendorId, $this->iAppId)) return false; $oVendorBefore = new Vendor($oApp->iVendorId); $oVendorAfter = new Vendor($this->iVendorId); @@ -195,9 +190,8 @@ class Application { if ($this->iCatId && ($this->iCatId!=$oApp->iCatId)) { - $sUpdate = compile_update_string(array('catId' => $this->iCatId)); - if (!query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if (!query_parameters("UPDATE appFamily SET catId = '?' WHERE appId = '?'", + $this->iCatId, $this->iAppId)) return false; $oCatBefore = new Category($oApp->iCatId); $oCatAfter = new Category($this->iCatId); @@ -260,10 +254,8 @@ class Application { if(!$_SESSION['current']->canUnQueueApplication()) return; - $sUpdate = compile_update_string(array('queued' => "false", - 'keywords'=> str_replace(" *** ","",$this->sKeywords) )); - if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if(query_parameters("UPDATE appFamily SET queued = '?', keywords = '?' WHERE appId = '?'", + "false", str_replace(" *** ","",$this->sKeywords), $this->iAppId)) { $this->sQueued = 'false'; // we send an e-mail to intersted people @@ -281,9 +273,8 @@ class Application { if(!$this->sQueued == 'true') return false; - $sUpdate = compile_update_string(array('queued' => "rejected")); - if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if(query_parameters("UPDATE appFamily SET queued = '?' WHERE appId = '?'", + "rejected", $this->iAppId)) { $this->sQueued = 'rejected'; // we send an e-mail to intersted people 
@@ -299,9 +290,8 @@ class Application { if(!$_SESSION['current']->canRequeueApplication($this)) return false; - $sUpdate = compile_update_string(array('queued' => "true")); - if(query_parameters("UPDATE appFamily SET ".$sUpdate." WHERE appId = '?'", - $this->iAppId)) + if(query_parameters("UPDATE appFamily SET queued = '?' WHERE appId = '?'", + "true", $this->iAppId)) { $this->sQueued = 'true'; // we send an e-mail to intersted people diff --git a/include/bugs.php b/include/bugs.php index de2a665..120464a 100644 --- a/include/bugs.php +++ b/include/bugs.php @@ -175,9 +175,8 @@ class Bug { if(!$this->bQueued) return false; - $sUpdate = compile_update_string(array('queued' => "false")); - if(query_parameters("UPDATE buglinks SET ".$sUpdate." WHERE linkId='?'", - $this->iLinkId)) + if(query_parameters("UPDATE buglinks SET queued = '?' WHERE linkId='?'", + "false", $this->iLinkId)) { $this->bQueued = false; // we send an e-mail to intersted people diff --git a/include/db.php b/include/db.php index 835bc2a..d6d6e77 100644 --- a/include/db.php +++ b/include/db.php @@ -112,33 +112,4 @@ function query_error($sQuery, $sComment="") addmsg($sStatusMessage, "red"); } -/** -* Expects an array in this form: -* $aFoo['field'] = 'value'; -* -* Returns a string ready to be put in a query like this -* $sQuery = "UPDATE `foo` $sReturn"; -* -* Values are mysql_real_escape_string()'ed. -*/ -function compile_update_string($aData) -{ - global $hAppdbLink; - - if(!is_resource($hAppdbLink)) - { - // The last argument makes sure we are really opening a new connection - $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true); - mysql_select_db(APPS_DB, $hAppdbLink); - } - - foreach ($aData as $k => $v) - { - $return .= "`$k`='".mysql_real_escape_string($v)."',"; - } - - $return = preg_replace( "/,$/" , "" , $return ); - - return $return; -} ?> diff --git a/include/distributions.php b/include/distributions.php index 81422ac..159f9bf 100644 --- a/include/distributions.php 
+++ b/include/distributions.php @@ -123,10 +123,8 @@ class distribution{ { return; } - $sUpdate = compile_update_string(array( 'name' => $this->sName, - 'url' => $this->sUrl )); - if(query_parameters("UPDATE distributions SET ".$sUpdate." WHERE distributionId = '?'", - $this->iDistributionId)) + if(query_parameters("UPDATE distributions SET name = '?', url = '?' WHERE distributionId = '?'", + $this->sName, $this->sUrl, $this->iDistributionId)) { $this->SendNotificationMail("edit"); return true; diff --git a/include/testResults.php b/include/testResults.php index b9e26df..d40362b 100644 --- a/include/testResults.php +++ b/include/testResults.php @@ -106,19 +106,30 @@ class testData{ return; } - $sUpdate = compile_update_string(array( 'versionId' => $this->iVersionId, - 'whatWorks' => $this->sWhatWorks, - 'whatDoesnt' => $this->sWhatDoesnt, - 'whatNotTested' => $this->sWhatNotTested, - 'testedDate' => $this->sTestedDate, - 'distributionId' => $this->iDistributionId, - 'testedRelease' => $this->sTestedRelease, - 'installs' => $this->sInstalls, - 'runs' => $this->sRuns, - 'testedRating' => $this->sTestedRating, - 'comments' => $this->sComments)); - - if(query_parameters("UPDATE testResults SET ".$sUpdate." WHERE testingId = '?'", + if(query_parameters("UPDATE testResults SET + versionId = '?', + whatWorks = '?', + whatDoesnt = '?', + whatNotTested = '?', + testedDate = '?', + distributionId = '?', + testedRelease = '?', + installs = '?', + runs = '?', + testedRating = '?', + comments = '?' + WHERE testingId = '?'", + $this->iVersionId, + $this->sWhatWorks, + $this->sWhatDoesnt, + $this->sWhatNotTested, + $this->sTestedDate, + $this->iDistributionId, + $this->sTestedRelease, + $this->sInstalls, + $this->sRuns, + $this->sTestedRating, + $this->sComments, $this->iTestingId)) { if(!$bSilent)
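Review bot: In the testResults.php hunk the eleven `'?'` placeholders in the SET list and the eleven `$this->…` arguments are matched purely by position across roughly twenty-five lines, so a later edit that adds or reorders a column on one side but not the other would silently write values into the wrong columns instead of failing. A short comment above the call, `// argument order must match the SET column order in the query above`, or a trailing comment naming the column on each value line, would make the coupling visible to the next editor. The enclosing method starts before this hunk and its body continues after `if(!$bSilent)`.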