Merge remote-tracking branch 'origin/db-placeholders'

Conflicts: lib/eventum/class.email_account.php lib/eventum/class.faq.php
eventum · Feb 2, 2015 · e06d61d · e06d61d
2 parents 1a3fe41 + 7724d37
commit e06d61d
Show file tree

Hide file tree

Showing 47 changed files with 889 additions and 681 deletions.
diff --git a/lib/eventum/class.attachment.php b/lib/eventum/class.attachment.php
@@ -98,46 +98,46 @@ public static function outputDownload(&$data, $filename, $filesize, $mimetype, $
      * Method used to remove a specific file out of an existing attachment.
      *
      * @param   integer $iaf_id The attachment file ID
-     * @return  -1 or -2 if the removal was not successful, 1 otherwise
+     * @return int -1 or -2 if the removal was not successful, 1 otherwise
      */
     public static function removeIndividualFile($iaf_id)
     {
         $usr_id = Auth::getUserID();
-        $iaf_id = Misc::escapeInteger($iaf_id);
         $stmt = "SELECT
                     iat_iss_id
                  FROM
                     {{%issue_attachment}},
                     {{%issue_attachment_file}}
                  WHERE
-                    iaf_id=$iaf_id AND
+                    iaf_id=? AND
                     iat_id=iaf_iat_id";
+
+        $params = array($iaf_id);
         if (Auth::getCurrentRole() < User::getRoleID("Manager")) {
             $stmt .= " AND
-                    iat_usr_id=$usr_id";
+                    iat_usr_id=?";
+            $params[] = $usr_id;
         }
         try {
             $res = DB_Helper::getInstance()->getOne($stmt);
         } catch (DbException $e) {
             return -1;
         }
 
-
         if (empty($res)) {
             return -2;
         }
 
-
         // check if the file is the only one in the attachment
         $stmt = "SELECT
                     iat_id
                  FROM
                     {{%issue_attachment}},
                     {{%issue_attachment_file}}
                  WHERE
-                    iaf_id=$iaf_id AND
+                    iaf_id=? AND
                     iaf_iat_id=iat_id";
-        $attachment_id = DB_Helper::getInstance()->getOne($stmt);
+        $attachment_id = DB_Helper::getInstance()->getOne($stmt, array($iaf_id));
 
         $res = self::getFileList($attachment_id);
         if (count($res) > 1) {
@@ -157,7 +157,6 @@ public static function removeIndividualFile($iaf_id)
      */
     public static function getDetails($file_id)
     {
-        $file_id = Misc::escapeInteger($file_id);
         $stmt = "SELECT
                     *
                  FROM
@@ -173,8 +172,8 @@ public static function getDetails($file_id)
         }
 
         // don't allow customers to reach internal only files
-        if (($res['iat_status'] == 'internal')
-                && (User::getRoleByUser(Auth::getUserID(), Issue::getProjectID($res['iat_iss_id'])) <= User::getRoleID('Customer'))) {
+        $user_role_id = User::getRoleByUser(Auth::getUserID(), Issue::getProjectID($res['iat_iss_id']));
+        if (($res['iat_status'] == 'internal') && $user_role_id <= User::getRoleID('Customer')) {
             return '';
         } else {
             return $res;
@@ -190,16 +189,15 @@ public static function getDetails($file_id)
      */
     public static function removeByIssues($ids)
     {
-        $ids = Misc::escapeInteger($ids);
-        $items = @implode(", ", $ids);
         $stmt = "SELECT
                     iat_id
                  FROM
                     {{%issue_attachment}}
                  WHERE
-                    iat_iss_id IN ($items)";
+                    iat_iss_id IN (" . DB_Helper::buildList($ids) . ")";
+
         try {
-            $res = DB_Helper::getInstance()->getColumn($stmt);
+            $res = DB_Helper::getInstance()->getColumn($stmt, $ids);
         } catch (DbException $e) {
             return false;
         }
@@ -220,20 +218,22 @@ public static function removeByIssues($ids)
      */
     public static function remove($iat_id, $add_history = true)
     {
-        $iat_id = Misc::escapeInteger($iat_id);
         $usr_id = Auth::getUserID();
         $stmt = "SELECT
                     iat_iss_id
                  FROM
                     {{%issue_attachment}}
                  WHERE
-                    iat_id=$iat_id";
+                    iat_id=?";
+        $params = array($iat_id);
         if (Auth::getCurrentRole() < User::getRoleID("Manager")) {
             $stmt .= " AND
-                    iat_usr_id=$usr_id";
+                    iat_usr_id=?";
+            $params[] = $usr_id;
         }
+
         try {
-            $res = DB_Helper::getInstance()->getOne($stmt);
+            $res = DB_Helper::getInstance()->getOne($stmt, $params);
         } catch (DbException $e) {
             return -1;
         }
@@ -277,7 +277,6 @@ public static function remove($iat_id, $add_history = true)
      */
     public function removeFile($iaf_id)
     {
-        $iaf_id = Misc::escapeInteger($iaf_id);
         $stmt = "DELETE FROM
                     {{%issue_attachment_file}}
                  WHERE
@@ -299,7 +298,6 @@ public function removeFile($iaf_id)
      */
     public static function getFileList($attachment_id)
     {
-        $attachment_id = Misc::escapeInteger($attachment_id);
         $stmt = "SELECT
                     iaf_id,
                     iaf_filename,
@@ -330,7 +328,6 @@ public static function getFileList($attachment_id)
      */
     public static function getList($issue_id)
     {
-        $issue_id = Misc::escapeInteger($issue_id);
         $usr_id = Auth::getUserID();
         $prj_id = Issue::getProjectID($issue_id);
 
@@ -346,22 +343,23 @@ public static function getList($issue_id)
                     {{%issue_attachment}},
                     {{%user}}
                  WHERE
-                    iat_iss_id=$issue_id AND
+                    iat_iss_id=? AND
                     iat_usr_id=usr_id";
         if (User::getRoleByUser($usr_id, $prj_id) <= User::getRoleID('Customer')) {
             $stmt .= " AND iat_status='public' ";
         }
         $stmt .= "
                  ORDER BY
                     iat_created_date ASC";
+        $params = array($issue_id);
         try {
-            $res = DB_Helper::getInstance()->getAll($stmt);
+            $res = DB_Helper::getInstance()->getAll($stmt, $params);
         } catch (DbException $e) {
             return "";
         }
 
         foreach ($res as &$row) {
-            $row["iat_description"] = Link_Filter::processText(Issue::getProjectID($issue_id), nl2br(htmlspecialchars($row["iat_description"])));
+            $row["iat_description"] = Link_Filter::processText($prj_id, nl2br(htmlspecialchars($row["iat_description"])));
             $row["files"] = self::getFileList($row["iat_id"]);
             $row["iat_created_date"] = Date_Helper::getFormattedDate($row["iat_created_date"]);
 
@@ -389,7 +387,6 @@ public static function getList($issue_id)
      */
     public static function attach($usr_id, $status = 'public')
     {
-        $usr_id = Misc::escapeInteger($usr_id);
         $files = array();
         $nfiles = count($_FILES["attachment"]["name"]);
         for ($i = 0; $i < $nfiles; $i++) {
@@ -452,7 +449,6 @@ public static function attach($usr_id, $status = 'public')
      */
     public static function addFile($attachment_id, $filename, $filetype, &$blob)
     {
-        $attachment_id = Misc::escapeInteger($attachment_id);
         $filesize = strlen($blob);
         $stmt = "INSERT INTO
                     {{%issue_attachment_file}}
@@ -491,46 +487,34 @@ public static function addFile($attachment_id, $filename, $filetype, &$blob)
      * @param   integer $associated_note_id The note ID that these attachments should be associated with
      * @return  integer The new attachment ID
      */
-    public static function add($issue_id, $usr_id, $description, $internal_only = false, $unknown_user = false, $associated_note_id = false)
+    public static function add($issue_id, $usr_id, $description, $internal_only = false, $unknown_user = null, $associated_note_id = null)
     {
-        $issue_id = Misc::escapeInteger($issue_id);
-        $usr_id = Misc::escapeInteger($usr_id);
         if ($internal_only) {
             $attachment_status = 'internal';
         } else {
             $attachment_status = 'public';
         }
 
-        $stmt = "INSERT INTO
-                    {{%issue_attachment}}
-                 (
-                    iat_iss_id,
-                    iat_usr_id,
-                    iat_created_date,
-                    iat_description,
-                    iat_status";
-        if ($unknown_user != false) {
-            $stmt .= ", iat_unknown_user ";
-        }
-        if ($associated_note_id != false) {
-            $stmt .= ", iat_not_id ";
-        }
-        $stmt .=") VALUES (
-                    $issue_id,
-                    $usr_id,
-                    '" . Date_Helper::getCurrentDateGMT() . "',
-                    '" . Misc::escapeString($description) . "',
-                    '" . Misc::escapeString($attachment_status) . "'";
-        if ($unknown_user != false) {
-            $stmt .= ", '" . Misc::escapeString($unknown_user) . "'";
+        $params = array(
+            'iat_iss_id' => $issue_id,
+            'iat_usr_id' => $usr_id,
+            'iat_created_date'=> Date_Helper::getCurrentDateGMT(),
+            'iat_description'=> $description,
+            'iat_status' => $attachment_status,
+        );
+
+        if ($unknown_user) {
+            $params['iat_unknown_user'] = $unknown_user;
         }
-        if ($associated_note_id != false) {
-            $stmt .= ", " . Misc::escapeInteger($associated_note_id);
+
+        if ($associated_note_id) {
+            $params['iat_not_id'] = $associated_note_id;
         }
-        $stmt .= " )";
+
+        $stmt = "INSERT INTO {{%issue_attachment}} SET ". DB_Helper::buildSet($params);
 
         try {
-            DB_Helper::getInstance()->query($stmt);
+            DB_Helper::getInstance()->query($stmt, $params);
         } catch (DbException $e) {
             return false;
         }

diff --git a/lib/eventum/class.authorized_replier.php b/lib/eventum/class.authorized_replier.php
@@ -42,7 +42,6 @@ class Authorized_Replier
      */
     public static function getAuthorizedRepliers($issue_id)
     {
-        $issue_id = Misc::escapeInteger($issue_id);
         // split into users and others (those with email address but no real user accounts)
         $repliers = array(
             "users" =>  array(),
@@ -61,6 +60,7 @@ public static function getAuthorizedRepliers($issue_id)
                  WHERE
                     iur_iss_id=? AND
                     iur_usr_id=usr_id";
+
         $params = array(APP_SYSTEM_USER_ID, APP_SYSTEM_USER_ID, $issue_id);
         try {
             $res = DB_Helper::getInstance()->getAll($stmt, $params);
@@ -99,17 +99,17 @@ public static function getAuthorizedRepliers($issue_id)
      */
     public static function removeRepliers($iur_ids)
     {
-        $iur_ids = Misc::escapeInteger($iur_ids);
+        $iur_list = DB_Helper::buildList($iur_ids);
 
         // get issue_id for logging
         $stmt = "SELECT
                     iur_iss_id
                  FROM
                     {{%issue_user_replier}}
                  WHERE
-                    iur_id IN(" . join(",", $iur_ids) . ")";
+                    iur_id IN ($iur_list)";
         try {
-            $issue_id = DB_Helper::getInstance()->getOne($stmt);
+            $issue_id = DB_Helper::getInstance()->getOne($stmt, $iur_ids);
         } catch (DbException $e) {
             // FIXME: why continuing on error?
         }
@@ -119,9 +119,9 @@ public static function removeRepliers($iur_ids)
             $stmt = "DELETE FROM
                         {{%issue_user_replier}}
                      WHERE
-                        iur_id IN(" . join(",", $iur_ids) . ")";
+                        iur_id IN ($iur_list)";
             try {
-                DB_Helper::getInstance()->query($stmt);
+                DB_Helper::getInstance()->query($stmt, $iur_ids);
             } catch (DbException $e) {
                 return -1;
             }

diff --git a/lib/eventum/class.category.php b/lib/eventum/class.category.php
@@ -67,13 +67,12 @@ public static function getDetails($prc_id)
      */
     public static function removeByProjects($ids)
     {
-        $items = @implode(", ", Misc::escapeInteger($ids));
         $stmt = "DELETE FROM
                     {{%project_category}}
                  WHERE
-                    prc_prj_id IN ($items)";
+                    prc_prj_id IN (" . DB_Helper::buildList($ids) . ")";
         try {
-            DB_Helper::getInstance()->query($stmt);
+            DB_Helper::getInstance()->query($stmt, $ids);
         } catch (DbException $e) {
             return false;
         }
@@ -89,13 +88,13 @@ public static function removeByProjects($ids)
      */
     public static function remove()
     {
-        $items = @implode(", ", Misc::escapeInteger($_POST["items"]));
+        $items = $_POST["items"];
         $stmt = "DELETE FROM
                     {{%project_category}}
                  WHERE
-                    prc_id IN ($items)";
+                    prc_id IN (" . DB_Helper::buildList($items) . ")";
         try {
-            DB_Helper::getInstance()->query($stmt);
+            DB_Helper::getInstance()->query($stmt, $items);
         } catch (DbException $e) {
             return false;
         }

diff --git a/lib/eventum/class.crm.php b/lib/eventum/class.crm.php
@@ -498,13 +498,13 @@ public static function updateAccountManager()
      */
     public static function removeAccountManager()
     {
-        $items = @implode(", ", Misc::escapeInteger($_POST["items"]));
+        $items = $_POST["items"];
         $stmt = "DELETE FROM
                     {{%customer_account_manager}}
                  WHERE
-                    cam_id IN ($items)";
+                    cam_id IN (" . DB_Helper::buildList($items) . ")";
         try {
-            DB_Helper::getInstance()->query($stmt);
+            DB_Helper::getInstance()->query($stmt, $items);
         } catch (DbException $e) {
             return false;
         }
@@ -534,7 +534,7 @@ public static function getAccountManagers($prj_id, $customer_id)
                     cam_prj_id=? AND
                     cam_customer_id=?";
         try {
-            $res = DB_Helper::getInstance()->getAssoc($stmt, false, array($prj_id, $customer_id), DB_FETCHMODE_ASSOC);
+            $res = DB_Helper::getInstance()->fetchAssoc($stmt, array($prj_id, $customer_id), DB_FETCHMODE_ASSOC);
         } catch (DbException $e) {
             return array();
         }
@@ -704,9 +704,9 @@ public static function removeNotes($ids)
         $stmt = "DELETE FROM
                     {{%customer_note}}
                  WHERE
-                    cno_id IN (" . join(", ", Misc::escapeInteger($ids)) . ")";
+                    cno_id IN (" . DB_Helper::buildList($ids) . ")";
         try {
-            DB_Helper::getInstance()->query($stmt);
+            DB_Helper::getInstance()->query($stmt, $ids);
         } catch (DbException $e) {
             return -1;
         }