Protect against sql injection attacks in sql INSERT statements

This commit is contained in:
Chris Morgan
2006-06-24 04:20:32 +00:00
committed by WineHQ
parent c31173ef9e
commit fb0f3b5dd3
20 changed files with 208 additions and 180 deletions


@@ -168,10 +168,12 @@ if (!$aClean['id'])
$oScreenshot->unQueue(); $oScreenshot->unQueue();
} }
elseif ($obj_row->type == "url") elseif ($obj_row->type == "url")
{ // FIXME: use Link class {
$query = "INSERT INTO appData VALUES (null, ".$obj_row->versionId.", 'url', ". $hResult = query_parameters("INSERT INTO appData (id, appId, versionId, type, ".
"'".$aClean['description']."', '".$obj_row->url."')"; "description, url) VALUES (?, '?', '?', '?', '?', '?')",
if (query_appdb($sQuery)) "null", $obj_row->appId, $obj_row->versionId,
"url", $aClean['description'], $obj_row->url);
if($hResult)
{ {
$statusMessage = "<p>The application data was successfully added into the database</p>\n"; $statusMessage = "<p>The application data was successfully added into the database</p>\n";


@@ -33,7 +33,10 @@ if($_REQUEST['cmd'])
} }
if($_REQUEST['cmd'] == "add") if($_REQUEST['cmd'] == "add")
{ {
$hResult = query_appdb("INSERT INTO appBundle VALUES (".$_REQUEST['bundleId'].", ".$_REQUEST['appId'].")"); $hResult = query_parameters("INSERT INTO appBundle (bundleId, appId) VALUES".
"('?', '?')",
$_REQUEST['bundleId'],
$_REQUEST['appId']);
if($hResult) if($hResult)
addmsg("App $appId added to Bundle".$_REQUEST['bundleId'], "green"); addmsg("App $appId added to Bundle".$_REQUEST['bundleId'], "green");
} }
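Review bot: `bundleId` and `appId` are now escaped for the INSERT, but the unchanged `addmsg()` call directly below still concatenates `$_REQUEST['bundleId']` into page output, so the same untrusted value that was just parameterised remains a reflected-XSS vector. Escape it at output: `addmsg("App $appId added to Bundle".htmlspecialchars($_REQUEST['bundleId']), "green");`. No authorisation check is visible before the INSERT runs; if one exists it sits above the hunk and is worth confirming.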


@@ -11,7 +11,9 @@ function log_category_visit($catId)
query_appdb("UPDATE catHitStats SET count = count + 1 WHERE catHitId = $stats->catHitId"); query_appdb("UPDATE catHitStats SET count = count + 1 WHERE catHitId = $stats->catHitId");
} else } else
{ {
query_appdb("INSERT INTO catHitStats VALUES(null, null, '$REMOTE_ADDR', $catId, 1)"); query_parameters("INSERT INTO catHitStats (appHitId, time, ip, catId, count) ".
"VALUES (?, ?, '?', '?', '?')",
"null", "null", $REMOTE_ADDR, $catId, "1");
} }
} }
@@ -26,7 +28,9 @@ function log_application_visit($appId)
query_appdb("UPDATE appHitStats SET count = count + 1 WHERE appHitId = $stats->appHitId"); query_appdb("UPDATE appHitStats SET count = count + 1 WHERE appHitId = $stats->appHitId");
} else } else
{ {
query_appdb("INSERT INTO appHitStats VALUES(null, null, '$REMOTE_ADDR', $appId, 1)"); query_parameters("INSERT INTO appHitStats (appHitId, time, ip, appId, count) ".
"VALUES (?, ?, '?', '?', '?')",
"null", "null", $REMOTE_ADDR, $appId, "1");
} }
} }
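Review bot: Both new INSERTs take the client address from the bare global `$REMOTE_ADDR`, which is only populated when register_globals is on and is not assigned anywhere in these functions. This same commit already uses the `get_remote()` helper for the appComments hostname, so the two `query_parameters()` calls should bind `get_remote()` (or `$_SERVER['REMOTE_ADDR']`) in place of `$REMOTE_ADDR`. The UPDATE branches above each INSERT still interpolate `$stats->catHitId` / `$stats->appHitId`; those appear to come from an earlier query result rather than the request, so they are lower risk, but moving them to `query_parameters()` as well would keep the file consistent.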


@@ -111,18 +111,13 @@ class Application {
else else
$this->sQueued = 'false'; $this->sQueued = 'false';
$aInsert = compile_insert_string(array( 'appName' => $this->sName, $hResult = query_parameters("INSERT INTO appFamily (appName, description, keywords, ".
'description'=> $this->sDescription, "webPage, vendorId, catId, submitterId, queued) VALUES (".
'keywords' => $this->sKeywords, "'?', '?', '?', '?', '?', '?', '?', '?')",
'webPage' => $this->sWebpage, $this->sName, $this->sDescription, $this->sKeywords,
'vendorId' => $this->iVendorId, $this->sWebpage, $this->iVendorId, $this->iCatId,
'catId' => $this->iCatId, $_SESSION['current']->iUserId, $this->sQueued);
'submitterId'=> $_SESSION['current']->iUserId, if($hResult)
'queued' => $this->sQueued));
$sFields = "({$aInsert['FIELDS']})";
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO appFamily $sFields VALUES $sValues", "Error while creating a new application."))
{ {
$this->iAppId = mysql_insert_id(); $this->iAppId = mysql_insert_id();
$this->application($this->iAppId); $this->application($this->iAppId);
@@ -130,6 +125,7 @@ class Application {
return true; return true;
} else } else
{ {
addmsg("Error while creating a new application.", "red");
return false; return false;
} }
} }


@@ -113,13 +113,11 @@ class Bug {
/* passed the checks so lets insert the puppy! */ /* passed the checks so lets insert the puppy! */
$aInsert = compile_insert_string(array( 'versionId' => $iVersionId, $hResult = query_parameters("INSERT INTO buglinks (versionId, bug_id, queued, submitterId) ".
'bug_id' => $iBug_id, "VALUES('?', '?', '?', '?')",
'queued' => $this->bQueued?"true":"false", $iVersionId, $iBug_id, $this->bQueued?"true":"false",
'submitterId' => $_SESSION['current']->iUserId )); $_SESSION['current']->iUserId);
$sFields = "({$aInsert['FIELDS']})"; if($hResult)
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO buglinks $sFields VALUES $sValues", "Error while creating a new Bug link."))
{ {
/* The following should work but it does not! */ /* The following should work but it does not! */
$this->iLinkId = mysql_insert_id(); $this->iLinkId = mysql_insert_id();
@@ -141,6 +139,7 @@ class Bug {
return true; return true;
}else }else
{ {
addmsg("Error while creating a new Bug link.", "red");
return false; return false;
} }
} }


@@ -76,21 +76,21 @@ class Category {
*/ */
function create($sName=null, $sDescription=null, $iParentId=null) function create($sName=null, $sDescription=null, $iParentId=null)
{ {
$aInsert = compile_insert_string(array( 'catName'=> $sName, $hResult = query_parameters("INSERT INTO appCategory (catName, catDescription, catParent) ".
'catDescription' => $sDescription, "VALUES('?', '?', '?')",
'catParent' => $iParentId )); $sName, $sDescription, $iParentId);
$sFields = "({$aInsert['FIELDS']})"; if($hResult)
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO appCategory $sFields VALUES $sValues", "Error while creating a new vendor."))
{ {
$this->iCatId = mysql_insert_id(); $this->iCatId = mysql_insert_id();
$this->category($this->iCatId); $this->category($this->iCatId);
return true; return true;
} }
else else
{
addmsg("Error while creating a new vendor.", "red");
return false; return false;
} }
}
/** /**
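Review bot: The new error message in `Category::create()` is wrong for this class: `addmsg("Error while creating a new vendor.", "red");` reports a vendor failure from the category code, carrying over the copy-paste text from the old `query_appdb()` comment argument. It should read `addmsg("Error while creating a new category.", "red");` so an operator reading the red message can tell which INSERT actually failed.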


@@ -53,15 +53,12 @@ class Comment {
*/ */
function create($sSubject, $sBody, $iParentId=null, $iVersionId) function create($sSubject, $sBody, $iParentId=null, $iVersionId)
{ {
$aInsert = compile_insert_string(array( 'parentId' => $iParentId, $hResult = query_parameters("INSERT INTO appComments (parentId, versionId, subject, ".
'versionId' => $iVersionId, "body, userId, time, hostname) VALUES ('?', '?', '?', '?', '?', ?, '?')",
'subject' => $sSubject, $iParentId, $iVersionId, $sSubject, $sBody, $_SESSION['current']->iUserId,
'body' => $sBody )); "NOW()", get_remote());
$sFields = "({$aInsert['FIELDS']}, `userId`, `time`, `hostname`)"; if($hResult)
$sValues = "({$aInsert['VALUES']}, ".$_SESSION['current']->iUserId.", NOW(), '".get_remote()."')";
if(query_appdb("INSERT INTO appComments $sFields VALUES $sValues", "Error while creating a new comment."))
{ {
$this->comment(mysql_insert_id()); $this->comment(mysql_insert_id());
$sEmail = get_notify_email_address_list($this->iAppId, $this->iVersionId); $sEmail = get_notify_email_address_list($this->iAppId, $this->iVersionId);
@@ -101,8 +98,11 @@ class Comment {
return true; return true;
} }
else else
{
addmsg("Error while creating a new comment", "red");
return false; return false;
} }
}
/** /**
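Review bot: `NOW()` is passed as a data argument through an unquoted `?` in the new appComments INSERT; it works only because `mysql_real_escape_string()` happens to leave that literal untouched, and an unquoted `?` provides no quoting at all should a non-literal value ever be routed through that slot. `query_parameters()` documents `~` as the wildcard for raw SQL left as-is, so the time column should use it and keep `?` meaning "data": `"body, userId, time, hostname) VALUES ('?', '?', '?', '?', '?', ~, '?')"`. The remainder of `create()` continues past the hunk.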


@@ -18,6 +18,68 @@ function query_appdb($sQuery,$sComment="")
return $hResult; return $hResult;
} }
/*
* Wildcard Rules
* SCALAR (?) => 'original string quoted'
* OPAQUE (&) => 'string from file quoted'
* MISC (~) => original string (left 'as-is')
*
* NOTE: These rules convienently match those for Pear DB
*
* MySQL Prepare Function
* By: Kage (Alex)
* KageKonjou@GMail.com
* http://us3.php.net/manual/en/function.mysql-query.php#53400
*
* Modified by CMM 20060622
*
* Values are mysql_real_escape_string()'d to prevent against injection attacks
* See http://php.net/mysql_real_escape_string for more information about why this is the case
*
*/
function query_parameters()
{
global $hAppdbLink;
if(!is_resource($hAppdbLink))
{
// The last argument makes sure we are really opening a new connection
$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
mysql_select_db(APPS_DB, $hAppdbLink);
}
$data = func_get_args();
$query = $data[0];
$tokens = split("[\&\?\~]", $query);
$preparedquery = $tokens[0];
$count = strlen($tokens[0]);
for ($i=1; $i < count($tokens); $i++)
{
$char = substr($query, $count, 1);
$count += (strlen($tokens[$i])+1);
if ($char == "&")
{
$fp = @fopen($data[$i], 'r');
$pdata = "";
if ($fp)
{
while (($buf = fread($fp, 4096)) != false)
{
$pdata .= $buf;
}
fclose($fp);
}
} else
{
$pdata = &$data[$i];
}
$preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);
$preparedquery .= $tokens[$i];
}
return query_appdb($preparedquery);
}
function query_bugzilladb($sQuery,$sComment="") function query_bugzilladb($sQuery,$sComment="")
{ {
@@ -46,31 +108,6 @@ function query_error($sQuery, $sComment="")
addmsg($sStatusMessage, "red"); addmsg($sStatusMessage, "red");
} }
/**
* Expects an array in this form:
* $aFoo['field'] = 'value';
*
* Returns an array ready to be put in a query like this
* $sQuery = "INSERT INTO `foo` {$aReturn['FIELDS']} VALUES {$aReturn['VALUES']}";
*
* Values are addslashes()'d.
*/
function compile_insert_string($aData)
{
foreach ($aData as $k => $v)
{
$field_names .= "`$k`,";
$field_values .= "'".addslashes($v)."',";
}
// Get rid of the end ,
$field_names = preg_replace( "/,$/" , "" , $field_names );
$field_values = preg_replace( "/,$/" , "" , $field_values );
return array('FIELDS' => $field_names, 'VALUES' => $field_values);
}
/** /**
* Expects an array in this form: * Expects an array in this form:
* $aFoo['field'] = 'value'; * $aFoo['field'] = 'value';
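Review bot: `mysql_real_escape_string($pdata)` in `query_parameters()` is called without a link argument, so it escapes using the charset of whichever MySQL connection was opened most recently (this file also opens a Bugzilla connection in `query_bugzilladb()`), not necessarily the `$hAppdbLink` the function just ensured is open; pass it explicitly: `mysql_real_escape_string($pdata, $hAppdbLink)`. The function also never checks that the number of arguments matches the number of placeholders: a missing argument reads an undefined `$data[$i]` and silently binds an empty string, so add `if (count($data) != count($tokens)) { query_error($query, "placeholder/argument count mismatch"); return false; }` before the loop. Two wildcards bypass quoting by design — `~` splices the argument verbatim and `&` does `fopen()` on it — so neither may ever receive request data (the `&` form would otherwise read an arbitrary readable file into the query); no caller in this commit uses them, but the header comment should say so, e.g. `* Only ? may carry user-supplied values; ~ and & are for trusted literals and server-side paths only.` An unquoted `?` (used here for `null` and `NOW()`) likewise only escapes and does not quote, so a value like `1 OR 1=1` would pass through unchanged.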


@@ -96,14 +96,11 @@ class distribution{
else else
$this->sQueued = 'false'; $this->sQueued = 'false';
$aInsert = compile_insert_string(array( 'name' => $this->sName, $hResult = query_parameters("INSERT INTO distributions (name, url, submitterId, queued) ".
'url' => $this->sUrl, "VALUES ('?', '?', '?', '?')",
'submitterId' => $_SESSION['current']->iUserId, $this->sName, $this->sUrl, $_SESSION['current']->iUserId,
'queued' => $this->sQueued )); $this->sQueued);
$sFields = "({$aInsert['FIELDS']})"; if($hResult)
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO distributions $sFields VALUES $sValues", "Error while creating Distribution."))
{ {
$this->iDistributionId = mysql_insert_id(); $this->iDistributionId = mysql_insert_id();
$this->distribution($this->iDistributionId); $this->distribution($this->iDistributionId);
@@ -111,8 +108,11 @@ class distribution{
return true; return true;
} }
else else
{
addmsg("Error while creating Distribution.", "red");
return false; return false;
} }
}
// Update Distribution. // Update Distribution.
function update() function update()


@@ -61,22 +61,22 @@ class Monitor {
*/ */
function create($iUserId, $iAppId=0, $iVersionId=0) function create($iUserId, $iAppId=0, $iVersionId=0)
{ {
$aInsert = compile_insert_string(array( 'versionId' => $iVersionId, $hResult = query_parameters("INSERT INTO appMonitors (versionId, appId, userId) ".
'appId' => $iAppId, "VALUES ('?', '?', '?')",
'userId' => $iUserId )); $iVersionId, $iAppId, $iUserId);
$sFields = "({$aInsert['FIELDS']})"; if($hResult)
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO appMonitors $sFields VALUES $sValues", "Error while creating a new Monitor."))
{ {
$this->Monitor(mysql_insert_id()); $this->Monitor(mysql_insert_id());
$sWhatChanged = "New monitor\n\n"; $sWhatChanged = "New monitor\n\n";
$this->SendNotificationMail("add", $sWhatChanged); $this->SendNotificationMail("add", $sWhatChanged);
return true; return true;
} } else
else {
addmsg("Error while creating a new Monitor.", "red");
return false; return false;
} }
}
/** /**


@@ -49,14 +49,11 @@ class Note {
*/ */
function create($sTitle, $sDescription, $iVersionId) function create($sTitle, $sDescription, $iVersionId)
{ {
$aInsert = compile_insert_string(array( 'versionId' => $iVersionId, $hResult = query_parameters("INSERT INTO appNotes (versionId, noteTitle, noteDesc) ".
'noteTitle' => $sTitle, "VALUES('?', '?', '?')",
'noteDesc' => $sDescription )); $iVersionId, $sTitle, $sDescription);
$sFields = "({$aInsert['FIELDS']})"; if($hResult)
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO appNotes $sFields VALUES $sValues", "Error while creating a new note."))
{ {
$this->note(mysql_insert_id()); $this->note(mysql_insert_id());
$sWhatChanged = "Description is:\n".$sDescription.".\n\n"; $sWhatChanged = "Description is:\n".$sDescription.".\n\n";
@@ -64,8 +61,11 @@ class Note {
return true; return true;
} }
else else
{
addmsg("Error while creating a new note.", "red");
return false; return false;
} }
}
/** /**


@@ -70,15 +70,11 @@ class Screenshot {
$this->bQueued = false; $this->bQueued = false;
} }
$aInsert = compile_insert_string(array( 'versionId' => $iVersionId, $hResult = query_parameters("INSERT INTO appData (versionId, type, description, queued, submitterId) ".
'type' => "image", "VALUES('?', '?', '?', '?', '?')",
'description' => $sDescription, $iVersionId, "image", $sDescription, $this->bQueued?"true":"false",
'queued' => $this->bQueued?"true":"false", $_SESSION['current']->iUserId);
'submitterId' => $_SESSION['current']->iUserId )); if($hResult)
$sFields = "({$aInsert['FIELDS']})";
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO appData $sFields VALUES $sValues", "Error while creating a new screenshot."))
{ {
$this->iScreenshotId = mysql_insert_id(); $this->iScreenshotId = mysql_insert_id();
@@ -120,8 +116,11 @@ class Screenshot {
return true; return true;
} }
else else
{
addmsg("Error while creating a new screenshot.", "red");
return false; return false;
} }
}
/** /**


@@ -69,23 +69,18 @@ class testData{
else else
$this->sQueued = 'false'; $this->sQueued = 'false';
$aInsert = compile_insert_string(array( 'versionId' => $this->iVersionId,
'whatWorks' => $this->sWhatWorks,
'whatDoesnt' => $this->sWhatDoesnt,
'whatNotTested' => $this->sWhatNotTested,
'testedDate' => $this->sTestedDate,
'distributionId' => $this->iDistributionId,
'testedRelease' => $this->sTestedRelease,
'installs' => $this->sInstalls,
'runs' => $this->sRuns,
'testedRating' => $this->sTestedRating,
'comments' => $this->sComments,
'submitterId' => $_SESSION['current']->iUserId,
'queued' => $this->sQueued ));
$sFields = "({$aInsert['FIELDS']})";
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO testResults $sFields VALUES $sValues", "Error while creating test results.")) $hResult = query_parameters("INSERT INTO testResults (versionId, whatWorks, whatDoesnt,".
"whatNotTested, testedDate, distributionId, testedRelease,".
"installs, runs, testedRating, comments, submitterId, queued)".
" VALUES('?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?',".
"'?', '?')",
$this->iVersionId, $this->sWhatWorks, $this->sWhatDoesnt,
$this->sWhatNotTested, $this->sTestedDate, $this->iDistributionId,
$this->sTestedRelease, $this->sInstalls, $this->sRuns,
$this->sTestedRating, $this->sComments, $_SESSION['current']->iUserId,
$this->sQueued);
if($hResult)
{ {
$this->iTestingId = mysql_insert_id(); $this->iTestingId = mysql_insert_id();
$this->testData($this->iTestingId); $this->testData($this->iTestingId);
@@ -93,8 +88,11 @@ class testData{
return true; return true;
} }
else else
{
addmsg("Error while creating test results.", "red");
return false; return false;
} }
}
// Update Test Results. // Update Test Results.
function update($bSilent=false) function update($bSilent=false)


@@ -62,16 +62,11 @@ class Url {
$this->bQueued = true; $this->bQueued = true;
} }
$aInsert = compile_insert_string(array( 'appId' => $iAppId, $hResult = query_parameters("INSERT INTO appData (appId, versionId, type, description,".
'versionId' => $iVersionId, "queued, submitterId) VALUES ('?', '?', '?', '?', '?', '?')",
'type' => "url", $iAppId, $iVersionId, "url", $sDescription, $this->bQueued,
'description' => $sDescription, $_SESSION['current']->iUserId);
'queued' => $this->bQueued, if($hResult)
'submitterId' => $_SESSION['current']->iUserId ));
$sFields = "({$aInsert['FIELDS']})";
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO appData $sFields VALUES $sValues", "Error while creating a new url."))
{ {
$this->iUrlId = mysql_insert_id(); $this->iUrlId = mysql_insert_id();
$this->url($this->iUrlId,$this->bQueued); $this->url($this->iUrlId,$this->bQueued);
@@ -79,8 +74,11 @@ class Url {
return true; return true;
} }
else else
{
addmsg("Error while creating a new url.", "red");
return false; return false;
} }
}
/** /**
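Review bot: `$this->bQueued` is a PHP boolean here (set with `$this->bQueued = true;` just above the INSERT) and is bound into the quoted `queued` slot without conversion; `mysql_real_escape_string(false)` yields `''`, so an unqueued URL is stored as an empty string rather than `'false'`. The Screenshot class in this same commit converts first, and this call should match it: `$iAppId, $iVersionId, "url", $sDescription, $this->bQueued?"true":"false",`. Whether the column tolerates `''` depends on the schema, which is not visible here.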


@@ -83,14 +83,11 @@ class User {
return false; return false;
} else } else
{ {
$aInsert = compile_insert_string(array( 'realname' => $sRealname, $hResult = query_parameters("INSERT INTO user_list (realname, email, CVSrelease, password, stamp,".
'email' => $sEmail, "created) VALUES ('?', '?', '?', password('?'), ?, ?)",
'CVSrelease' => $sWineRelease )); $sRealname, $sEmail, $sWineRelease, $sPassword, "NOW()", "NOW()");
$sFields = "({$aInsert['FIELDS']}, `password`, `stamp`, `created`)"; if(!$hResult) addMsg("Error while creating a new user.", "red");
$sValues = "({$aInsert['VALUES']}, password('".$sPassword."'), NOW(), NOW() )";
query_appdb("INSERT INTO user_list $sFields VALUES $sValues", "Error while creating a new user.");
$retval = $this->login($sEmail, $sPassword); $retval = $this->login($sEmail, $sPassword);
$this->setPref("comments:mode", "threaded"); /* set the users default comments:mode to threaded */ $this->setPref("comments:mode", "threaded"); /* set the users default comments:mode to threaded */
@@ -183,7 +180,8 @@ class User {
return false; return false;
$hResult = query_appdb("DELETE FROM user_prefs WHERE userid = ".$this->iUserId." AND name = '$sKey'"); $hResult = query_appdb("DELETE FROM user_prefs WHERE userid = ".$this->iUserId." AND name = '$sKey'");
$hResult = query_appdb("INSERT INTO user_prefs VALUES(".$this->iUserId.", '$sKey', '$sValue')"); $hResult = query_parameters("INSERT INTO user_prefs (userid, name, value) VALUES".
"('?', '?', '?')", $this->iUserId, $sKey, $sValue);
return $hResult; return $hResult;
} }
@@ -279,14 +277,12 @@ class User {
((!$bSuperMaintainer && !$this->isMaintainer($iVersionId)) | $bSuperMaintainer)) ((!$bSuperMaintainer && !$this->isMaintainer($iVersionId)) | $bSuperMaintainer))
{ {
// insert the new entry into the maintainers list // insert the new entry into the maintainers list
$sQuery = "INSERT into appMaintainers VALUES(null,". $hResult = query_parameters("INSERT INTO appMaintainers (maintainerId, appId,".
"$iAppId,". "versionId, userId, superMaintainer, submitTime) ".
"$iVersionId,". "VALUES (?, '?', '?', '?', '?', ?)",
"$this->iUserId,". "null", $iAppId, $iVersionId, $this->iUserId,
"$bSuperMaintainer,". $bSuperMaintainer, "NOW()");
"NOW());"; if($hResult)
if (query_appdb($sQuery))
{ {
$statusMessage = "<p>The maintainer was successfully added into the database</p>\n"; $statusMessage = "<p>The maintainer was successfully added into the database</p>\n";
@@ -400,7 +396,8 @@ class User {
if($this->hasPriv($sPriv)) if($this->hasPriv($sPriv))
return true; return true;
$hResult = query_appdb("INSERT INTO user_privs VALUES ($this->iUserId, '$sPriv')"); $hResult = query_parameters("INSERT INTO user_privs (userid, priv) VALUES".
" ('?', '?')", $this->iUserId, $sPriv);
return $hResult; return $hResult;
} }
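Review bot: `setPref()` now parameterises its INSERT, but the unchanged `DELETE` on the line immediately before it still interpolates `$sKey` into the WHERE clause, so a caller-controlled preference name remains injectable on the delete path; use `query_parameters("DELETE FROM user_prefs WHERE userid = '?' AND name = '?'", $this->iUserId, $sKey);`. In `addMaintainer`, `$bSuperMaintainer` is bound as a boolean into a quoted slot, which becomes `''` for false (the old unquoted form would have produced a syntax error), so converting it with `$bSuperMaintainer ? 1 : 0` makes the stored value explicit. Separately, the new `create()` query keeps hashing the account password with MySQL's `password('?')`, a function meant for MySQL login accounts that also exposes the plaintext to the server's query log; that is pre-existing, but worth a follow-up.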


@@ -580,24 +580,20 @@ function process_app_version_changes($isVersion)
if($isVersion) if($isVersion)
{ {
$aInsert = compile_insert_string( array('versionId' => $_REQUEST['versionId'], $hResult = query_parameters("INSERT INTO appData (versionId, type, description, url) ".
'type' => 'url', "VALUES ('?', '?', '?', '?')",
'description' => $_REQUEST['url_desc'], $_REQUEST['versionId'], "url", $_REQUEST['url_desc'],
'url' => $_REQUEST['url'])); $_REQUEST['url']);
} else } else
{ {
$aInsert = compile_insert_string( array( 'appId' => $_REQUEST['appId'], $hResult = query_parameters("INSERT INTO appData (appId, type, description, url) ".
'type' => 'url', "VALUES ('?', '?', '?', '?')",
'description' => $_REQUEST['url_desc'], $_REQUEST['appId'], "url", $_REQUEST['url_desc'],
'url' => $_REQUEST['url'])); $_REQUEST['url']);
} }
$sQuery = "INSERT INTO appData ({$aInsert['FIELDS']}) VALUES ({$aInsert['VALUES']})"; if ($hResult)
if($_SESSION['current']->showDebuggingInfos()) { echo "<p align=center><b>query:</b> $sQuery </p>"; }
if (query_appdb($sQuery))
{ {
addmsg("The URL was successfully added into the database", "green"); addmsg("The URL was successfully added into the database", "green");
$sWhatChanged .= " Added Url: Description: ".stripslashes($_REQUEST['url_desc'])."\n"; $sWhatChanged .= " Added Url: Description: ".stripslashes($_REQUEST['url_desc'])."\n";
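Review bot: The `stripslashes($_REQUEST['url_desc'])` on the last line of the hunk indicates this code expects magic_quotes_gpc to be on, in which case the raw `$_REQUEST['url_desc']` and `$_REQUEST['url']` handed to `query_parameters()` already carry backslashes and `mysql_real_escape_string()` escapes them a second time, storing literal backslashes. Either strip them before binding (`stripslashes($_REQUEST['url_desc'])`, `stripslashes($_REQUEST['url'])`) or, as the first file in this commit does, route these values through the `$aClean` array so request data is normalised in one place. `process_app_version_changes()` begins and ends outside the hunk.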


@@ -56,20 +56,20 @@ class Vendor {
*/ */
function create($sName=null, $sWebpage=null) function create($sName=null, $sWebpage=null)
{ {
$aInsert = compile_insert_string(array( 'vendorName'=> $sName, $hResult = query_parameters("INSERT INTO vendor (vendorName, vendorURL) ".
'vendorURL' => $sWebpage )); "VALUES ('?', '?')", $sName, $sWebpage);
$sFields = "({$aInsert['FIELDS']})"; if($hResult)
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO vendor $sFields VALUES $sValues", "Error while creating a new vendor."))
{ {
$this->iVendorId = mysql_insert_id(); $this->iVendorId = mysql_insert_id();
$this->vendor($this->iVendorId); $this->vendor($this->iVendorId);
return true; return true;
} }
else else
{
addmsg("Error while creating a new vendor.", "red");
return false; return false;
} }
}
/** /**


@@ -182,17 +182,14 @@ class Version {
else else
$this->sQueued = 'false'; $this->sQueued = 'false';
$aInsert = compile_insert_string(array( 'versionName' => $this->sName, $hResult = query_parameters("INSERT INTO appVersion (versionName, description, maintainer_release,".
'description' => $this->sDescription, "maintainer_rating, appId, submitterId, queued) VALUES ".
'maintainer_release'=> $this->sTestedRelease, "('?', '?', '?', '?', '?', '?', '?')",
'maintainer_rating' => $this->sTestedRating, $this->sName, $this->sDescription, $this->sTestedRelease,
'appId' => $this->iAppId, $this->sTestedRating, $this->iAppId, $_SESSION['current']->iUserId,
'submitterId' => $_SESSION['current']->iUserId, $this->sQueued);
'queued' => $this->sQueued ));
$sFields = "({$aInsert['FIELDS']})";
$sValues = "({$aInsert['VALUES']})";
if(query_appdb("INSERT INTO appVersion $sFields VALUES $sValues", "Error while creating a new version.")) if($hResult)
{ {
$this->iVersionId = mysql_insert_id(); $this->iVersionId = mysql_insert_id();
$this->Version($this->iVersionId); $this->Version($this->iVersionId);
@@ -201,6 +198,7 @@ class Version {
} }
else else
{ {
addmsg("Error while creating a new version", "red");
return false; return false;
} }
} }


@@ -66,7 +66,9 @@ function vote_add($appId, $slot, $userId = null)
return; return;
vote_remove($slot, $userId); vote_remove($slot, $userId);
query_appdb("INSERT INTO appVotes VALUES (null, null, $appId, $userId, $slot)");
query_parameters("INSERT INTO appVotes (id, time, appId, userId, slot)
VALUES (?, ?, '?', '?', '?')", "null", "null", $appId, $userId, $slot);
} }


@@ -82,15 +82,14 @@ if( $aClean['maintainReason'] )
apidb_header("Submit Maintainer Request"); apidb_header("Submit Maintainer Request");
// add to queue // add to queue
$query = "INSERT INTO appMaintainerQueue VALUES (null, '". $hResult = query_parameters("INSERT INTO appMaintainerQueue (queueId, appId, versionId, ".
$aClean['appId']."', '". "userId, maintainReason, superMaintainer, submitTime) ".
$aClean['versionId']."', '". "VALUES (?, '?', '?', '?', '?', '?', ?)",
addslashes($_SESSION['current']->iUserId)."', '". "null", $aClean['appId'], $aClean['versionId'],
$aClean['maintainReason']."', '". $_SESSION['current']->iUserId, $aClean['maintainReason'],
$aClean['superMaintainer']."',". $aClean['superMaintainer'], "NOW()");
"NOW()".");";
if (query_appdb($query)) if ($hResult)
{ {
echo "<p>Your maintainer request has been submitted for review. You should hear back\n"; echo "<p>Your maintainer request has been submitted for review. You should hear back\n";
echo "soon about the status of your submission</p>\n"; echo "soon about the status of your submission</p>\n";