deprecate escapeInteger and escapeString in favor of using placeholders #26

merged 52 commits into from
Feb 2, 2015
021d583
db: add helper to build sql queries with variable length parameters
glensc Dec 13, 2014
70b57fd
db: add test for that helper
glensc Dec 13, 2014
74a817a
db: attachment: fix code not to use escapeInteger
glensc Dec 13, 2014
99093bc
misc: mark escapeInteger and escapeString deprecated
glensc Dec 13, 2014
b730732
db: add helper to build list of placeholders
glensc Dec 13, 2014
d8c946a
db: product: fix code not to use escapeInteger
glensc Dec 13, 2014
5dd700e
db: reminder_condition: fix code not to use escapeInteger
glensc Dec 13, 2014
ba689f0
db: resolution: fix code not to use escapeInteger
glensc Dec 13, 2014
8259493
db: authorized_replier: fix code not to use deprecated escapeInteger
glensc Dec 13, 2014
f6c4d54
db: group: fix code not to use deprecated escapeInteger
glensc Dec 13, 2014
4680261
db: status: fix code not to use deprecated escapeInteger
glensc Dec 13, 2014
8d631f5
status: fix missing params
glensc Dec 13, 2014
6957f5d
db: category: fix code not to use deprecated escapeInteger
glensc Dec 13, 2014
8fc1a4d
db: crm: fix code not to use deprecated escapeInteger
glensc Dec 13, 2014
3cb1b13
db: email_account: fix code not to use deprecated escapeInteger
glensc Dec 13, 2014
cb3ce03
db: email_response: not to use deprecated escapeInteger
glensc Dec 13, 2014
107df20
db: custom_field: not to use deprecated escapeInteger
glensc Dec 13, 2014
e16107e
db: custom_field: replace some instances of escapeInteger
glensc Dec 13, 2014
571856b
db: display_column: not to use deprecated escapeInteger
glensc Dec 13, 2014
db173ec
db: draft: not to use deprecated escapeInteger
glensc Dec 13, 2014
0fe7a9f
db: faq: not to use deprecated escapeInteger/escapeString
glensc Dec 13, 2014
a2754ae
db: add orderBy validator
glensc Dec 13, 2014
2e4ee79
db: history: not to use deprecated escapeInteger/escapeString
glensc Dec 13, 2014
d1776a0
db: time_tracking: not to use deprecated escapeInteger/escapeString
glensc Dec 13, 2014
5f1141b
db: project: not to use deprecated escapeInteger/escapeString
glensc Dec 13, 2014
079beb3
fix bad getAssoc usage (second param is force_array)
glensc Dec 13, 2014
5c1b302
group DbTest tests by method names
glensc Dec 14, 2014
1cbaadd
db: add fetchAssoc for simplified interface to getAssoc
glensc Dec 14, 2014
5d1c40d
replace deprecated getAssoc with fetchAssoc
glensc Dec 14, 2014
948fe08
db: impact_analysis: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
6008972
db: link_filter: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
eb73f97
db: news: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
e6515ed
db: priority: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
8c0c39b
db: scm: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
af1bc79
db: round_robin: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
ff44bdf
db: release: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
34101af
db: phone_support: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
78789d3
db: reminder: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
8b61513
db: reminder_action: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
6596f06
db: severity: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
c38d72e
db: mail_queue: not to use deprecated escapeInteger/escapeString (par…
glensc Dec 16, 2014
0d9ca11
db: user: use buildSet to update user params
glensc Dec 16, 2014
ab10d07
db: user: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
2054e5c
db: note: not to use deprecated escapeInteger/escapeString
glensc Dec 16, 2014
38514b6
db: note::insert use BuildSet instead of unreadable gibberish.
glensc Dec 16, 2014
e3949f0
skip DbMaxAllowedPacketTest on travis
glensc Dec 16, 2014
d128d37
db: not to use deprecated escapeInteger/escapeString
glensc Dec 18, 2014
c357ddc
db: note: not to use deprecated escapeInteger/escapeString
glensc Dec 18, 2014
e1ab3c3
db: mail_queue::add: not to use deprecated escapeInteger/escapeString
glensc Dec 18, 2014
b088128
db: notification: not to use deprecated escapeInteger/escapeString
glensc Dec 18, 2014
6e1b671
db: notification: not to use deprecated escapeInteger/escapeString
glensc Dec 18, 2014
7724d37
db: notification: not to use deprecated escapeInteger/escapeString
glensc Dec 18, 2014
96 changes: 40 additions & 56 deletions lib/eventum/class.attachment.php
Expand Up @@ -98,46 +98,46 @@ public static function outputDownload(&$data, $filename, $filesize, $mimetype, $
* Method used to remove a specific file out of an existing attachment.
*
* @param integer $iaf_id The attachment file ID
* @return -1 or -2 if the removal was not successful, 1 otherwise
* @return int -1 or -2 if the removal was not successful, 1 otherwise
*/
public static function removeIndividualFile($iaf_id)
{
$usr_id = Auth::getUserID();
$iaf_id = Misc::escapeInteger($iaf_id);
$stmt = "SELECT
iat_iss_id
FROM
{{%issue_attachment}},
{{%issue_attachment_file}}
WHERE
iaf_id=$iaf_id AND
iaf_id=? AND
iat_id=iaf_iat_id";

$params = array($iaf_id);
if (Auth::getCurrentRole() < User::getRoleID("Manager")) {
$stmt .= " AND
iat_usr_id=$usr_id";
iat_usr_id=?";
$params[] = $usr_id;
}
try {
$res = DB_Helper::getInstance()->getOne($stmt);
} catch (DbException $e) {
return -1;
}


if (empty($res)) {
return -2;
}


// check if the file is the only one in the attachment
$stmt = "SELECT
iat_id
FROM
{{%issue_attachment}},
{{%issue_attachment_file}}
WHERE
iaf_id=$iaf_id AND
iaf_id=? AND
iaf_iat_id=iat_id";
$attachment_id = DB_Helper::getInstance()->getOne($stmt);
$attachment_id = DB_Helper::getInstance()->getOne($stmt, array($iaf_id));

$res = self::getFileList($attachment_id);
if (count($res) > 1) {
Expand All @@ -157,7 +157,6 @@ public static function removeIndividualFile($iaf_id)
*/
public static function getDetails($file_id)
{
$file_id = Misc::escapeInteger($file_id);
$stmt = "SELECT
*
FROM
Expand All @@ -173,8 +172,8 @@ public static function getDetails($file_id)
}

// don't allow customers to reach internal only files
if (($res['iat_status'] == 'internal')
&& (User::getRoleByUser(Auth::getUserID(), Issue::getProjectID($res['iat_iss_id'])) <= User::getRoleID('Customer'))) {
$user_role_id = User::getRoleByUser(Auth::getUserID(), Issue::getProjectID($res['iat_iss_id']));
if (($res['iat_status'] == 'internal') && $user_role_id <= User::getRoleID('Customer')) {
return '';
} else {
return $res;
Expand All @@ -190,16 +189,15 @@ public static function getDetails($file_id)
*/
public static function removeByIssues($ids)
{
$ids = Misc::escapeInteger($ids);
$items = @implode(", ", $ids);
$stmt = "SELECT
iat_id
FROM
{{%issue_attachment}}
WHERE
iat_iss_id IN ($items)";
iat_iss_id IN (" . DB_Helper::buildList($ids) . ")";

try {
$res = DB_Helper::getInstance()->getColumn($stmt);
$res = DB_Helper::getInstance()->getColumn($stmt, $ids);
} catch (DbException $e) {
return false;
}
Expand All @@ -220,20 +218,22 @@ public static function removeByIssues($ids)
*/
public static function remove($iat_id, $add_history = true)
{
$iat_id = Misc::escapeInteger($iat_id);
$usr_id = Auth::getUserID();
$stmt = "SELECT
iat_iss_id
FROM
{{%issue_attachment}}
WHERE
iat_id=$iat_id";
iat_id=?";
$params = array($iat_id);
if (Auth::getCurrentRole() < User::getRoleID("Manager")) {
$stmt .= " AND
iat_usr_id=$usr_id";
iat_usr_id=?";
$params[] = $usr_id;
}

try {
$res = DB_Helper::getInstance()->getOne($stmt);
$res = DB_Helper::getInstance()->getOne($stmt, $params);
} catch (DbException $e) {
return -1;
}
Expand Down Expand Up @@ -277,7 +277,6 @@ public static function remove($iat_id, $add_history = true)
*/
public function removeFile($iaf_id)
{
$iaf_id = Misc::escapeInteger($iaf_id);
$stmt = "DELETE FROM
{{%issue_attachment_file}}
WHERE
Expand All @@ -299,7 +298,6 @@ public function removeFile($iaf_id)
*/
public static function getFileList($attachment_id)
{
$attachment_id = Misc::escapeInteger($attachment_id);
$stmt = "SELECT
iaf_id,
iaf_filename,
Expand Down Expand Up @@ -330,7 +328,6 @@ public static function getFileList($attachment_id)
*/
public static function getList($issue_id)
{
$issue_id = Misc::escapeInteger($issue_id);
$usr_id = Auth::getUserID();
$prj_id = Issue::getProjectID($issue_id);

Expand All @@ -346,22 +343,23 @@ public static function getList($issue_id)
{{%issue_attachment}},
{{%user}}
WHERE
iat_iss_id=$issue_id AND
iat_iss_id=? AND
iat_usr_id=usr_id";
if (User::getRoleByUser($usr_id, $prj_id) <= User::getRoleID('Customer')) {
$stmt .= " AND iat_status='public' ";
}
$stmt .= "
ORDER BY
iat_created_date ASC";
$params = array($issue_id);
try {
$res = DB_Helper::getInstance()->getAll($stmt);
$res = DB_Helper::getInstance()->getAll($stmt, $params);
} catch (DbException $e) {
return "";
}

foreach ($res as &$row) {
$row["iat_description"] = Link_Filter::processText(Issue::getProjectID($issue_id), nl2br(htmlspecialchars($row["iat_description"])));
$row["iat_description"] = Link_Filter::processText($prj_id, nl2br(htmlspecialchars($row["iat_description"])));
$row["files"] = self::getFileList($row["iat_id"]);
$row["iat_created_date"] = Date_Helper::getFormattedDate($row["iat_created_date"]);

Expand Down Expand Up @@ -389,7 +387,6 @@ public static function getList($issue_id)
*/
public static function attach($usr_id, $status = 'public')
{
$usr_id = Misc::escapeInteger($usr_id);
$files = array();
$nfiles = count($_FILES["attachment"]["name"]);
for ($i = 0; $i < $nfiles; $i++) {
Expand Down Expand Up @@ -452,7 +449,6 @@ public static function attach($usr_id, $status = 'public')
*/
public static function addFile($attachment_id, $filename, $filetype, &$blob)
{
$attachment_id = Misc::escapeInteger($attachment_id);
$filesize = strlen($blob);
$stmt = "INSERT INTO
{{%issue_attachment_file}}
Expand Down Expand Up @@ -491,46 +487,34 @@ public static function addFile($attachment_id, $filename, $filetype, &$blob)
* @param integer $associated_note_id The note ID that these attachments should be associated with
* @return integer The new attachment ID
*/
public static function add($issue_id, $usr_id, $description, $internal_only = false, $unknown_user = false, $associated_note_id = false)
public static function add($issue_id, $usr_id, $description, $internal_only = false, $unknown_user = null, $associated_note_id = null)
{
$issue_id = Misc::escapeInteger($issue_id);
$usr_id = Misc::escapeInteger($usr_id);
if ($internal_only) {
$attachment_status = 'internal';
} else {
$attachment_status = 'public';
}

$stmt = "INSERT INTO
{{%issue_attachment}}
(
iat_iss_id,
iat_usr_id,
iat_created_date,
iat_description,
iat_status";
if ($unknown_user != false) {
$stmt .= ", iat_unknown_user ";
}
if ($associated_note_id != false) {
$stmt .= ", iat_not_id ";
}
$stmt .=") VALUES (
$issue_id,
$usr_id,
'" . Date_Helper::getCurrentDateGMT() . "',
'" . Misc::escapeString($description) . "',
'" . Misc::escapeString($attachment_status) . "'";
if ($unknown_user != false) {
$stmt .= ", '" . Misc::escapeString($unknown_user) . "'";
$params = array(
'iat_iss_id' => $issue_id,
'iat_usr_id' => $usr_id,
'iat_created_date'=> Date_Helper::getCurrentDateGMT(),
'iat_description'=> $description,
'iat_status' => $attachment_status,
);

if ($unknown_user) {
$params['iat_unknown_user'] = $unknown_user;
}
if ($associated_note_id != false) {
$stmt .= ", " . Misc::escapeInteger($associated_note_id);

if ($associated_note_id) {
$params['iat_not_id'] = $associated_note_id;
}
$stmt .= " )";

$stmt = "INSERT INTO {{%issue_attachment}} SET ". DB_Helper::buildSet($params);

try {
DB_Helper::getInstance()->query($stmt);
DB_Helper::getInstance()->query($stmt, $params);
} catch (DbException $e) {
return false;
}
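Review bot: In `removeIndividualFile` the first query now reads `iaf_id=?` and (for non-managers) `iat_usr_id=?`, and a `$params` array is built for both, but the call that executes it is still `$res = DB_Helper::getInstance()->getOne($stmt);` with no parameter array, so the placeholders are never bound — compare `remove()` further down, where the same hunk shape does pass `getOne($stmt, $params)`. Change the line to `$res = DB_Helper::getInstance()->getOne($stmt, $params);`. Depending on how the driver treats unbound placeholders this either throws a DbException and returns -1 for every caller or runs a malformed query; either way the function cannot work as written. The commit list includes a "status: fix missing params" commit for the same class of slip, so a grep across the PR for `getOne($stmt)`/`getAll($stmt)`/`query($stmt)` calls against queries that now contain `?` would be worthwhile. Several other hunks in this file (`getDetails`, `removeFile`, `getFileList`, `attach`, `addFile`) drop the `Misc::escapeInteger` cast, but the query bodies they feed are cut off by the page, so whether those queries received placeholders cannot be confirmed from this view.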
12 changes: 6 additions & 6 deletions lib/eventum/class.authorized_replier.php
Expand Up @@ -42,7 +42,6 @@ class Authorized_Replier
*/
public static function getAuthorizedRepliers($issue_id)
{
$issue_id = Misc::escapeInteger($issue_id);
// split into users and others (those with email address but no real user accounts)
$repliers = array(
"users" => array(),
Expand All @@ -61,6 +60,7 @@ public static function getAuthorizedRepliers($issue_id)
WHERE
iur_iss_id=? AND
iur_usr_id=usr_id";

$params = array(APP_SYSTEM_USER_ID, APP_SYSTEM_USER_ID, $issue_id);
try {
$res = DB_Helper::getInstance()->getAll($stmt, $params);
Expand Down Expand Up @@ -99,17 +99,17 @@ public static function getAuthorizedRepliers($issue_id)
*/
public static function removeRepliers($iur_ids)
{
$iur_ids = Misc::escapeInteger($iur_ids);
$iur_list = DB_Helper::buildList($iur_ids);

// get issue_id for logging
$stmt = "SELECT
iur_iss_id
FROM
{{%issue_user_replier}}
WHERE
iur_id IN(" . join(",", $iur_ids) . ")";
iur_id IN ($iur_list)";
try {
$issue_id = DB_Helper::getInstance()->getOne($stmt);
$issue_id = DB_Helper::getInstance()->getOne($stmt, $iur_ids);
} catch (DbException $e) {
// FIXME: why continuing on error?
}
Expand All @@ -119,9 +119,9 @@ public static function removeRepliers($iur_ids)
$stmt = "DELETE FROM
{{%issue_user_replier}}
WHERE
iur_id IN(" . join(",", $iur_ids) . ")";
iur_id IN ($iur_list)";
try {
DB_Helper::getInstance()->query($stmt);
DB_Helper::getInstance()->query($stmt, $iur_ids);
} catch (DbException $e) {
return -1;
}
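Review bot: `removeRepliers` still has no guard for an empty `$iur_ids`; `DB_Helper::buildList` presumably joins one `?` per element, so an empty array yields `iur_id IN ()`, which MySQL rejects as a syntax error and which then surfaces only as the swallowed exception on the first query (the pre-existing `FIXME`) and a `-1` from the second. The old `Misc::escapeInteger`/`join` construction had the same hole, but now that the ids are bound as parameters this is the natural place to add `if (empty($iur_ids)) { return -1; }` before building the list — or to return early without touching the database if deleting nothing is not considered an error. Note also that the values are no longer coerced to integers; with bound parameters that is not an injection risk, but callers that relied on the cast now pass their strings through to the driver unchanged.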
11 changes: 5 additions & 6 deletions lib/eventum/class.category.php
Expand Up @@ -67,13 +67,12 @@ public static function getDetails($prc_id)
*/
public static function removeByProjects($ids)
{
$items = @implode(", ", Misc::escapeInteger($ids));
$stmt = "DELETE FROM
{{%project_category}}
WHERE
prc_prj_id IN ($items)";
prc_prj_id IN (" . DB_Helper::buildList($ids) . ")";
try {
DB_Helper::getInstance()->query($stmt);
DB_Helper::getInstance()->query($stmt, $ids);
} catch (DbException $e) {
return false;
}
Expand All @@ -89,13 +88,13 @@ public static function removeByProjects($ids)
*/
public static function remove()
{
$items = @implode(", ", Misc::escapeInteger($_POST["items"]));
$items = $_POST["items"];
$stmt = "DELETE FROM
{{%project_category}}
WHERE
prc_id IN ($items)";
prc_id IN (" . DB_Helper::buildList($items) . ")";
try {
DB_Helper::getInstance()->query($stmt);
DB_Helper::getInstance()->query($stmt, $items);
} catch (DbException $e) {
return false;
}
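Review bot: `remove()` now takes `$items = $_POST["items"]` straight from the request and hands it to both `DB_Helper::buildList($items)` and `query($stmt, $items)` without checking that it is a non-empty array. Parameter binding removes the injection risk the old `escapeInteger`/`implode` construction was there to contain, but a missing or scalar `items` field (`items=1` rather than `items[]=1`) reaches `buildList` as `null` or a string, whose handling cannot be seen here, and an empty array produces `prc_id IN ()`, which the database rejects; both cases surface only as a `DbException` collapsed into `false`. Normalise at the boundary with `$items = array_map('intval', (array) (isset($_POST["items"]) ? $_POST["items"] : array()));` followed by `if (!$items) { return false; }`, which also restores the integer coercion the old code had. `removeByProjects($ids)` above has the same shape for a caller-supplied list.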
12 changes: 6 additions & 6 deletions lib/eventum/class.crm.php
Expand Up @@ -498,13 +498,13 @@ public static function updateAccountManager()
*/
public static function removeAccountManager()
{
$items = @implode(", ", Misc::escapeInteger($_POST["items"]));
$items = $_POST["items"];
$stmt = "DELETE FROM
{{%customer_account_manager}}
WHERE
cam_id IN ($items)";
cam_id IN (" . DB_Helper::buildList($items) . ")";
try {
DB_Helper::getInstance()->query($stmt);
DB_Helper::getInstance()->query($stmt, $items);
} catch (DbException $e) {
return false;
}
Expand Down Expand Up @@ -534,7 +534,7 @@ public static function getAccountManagers($prj_id, $customer_id)
cam_prj_id=? AND
cam_customer_id=?";
try {
$res = DB_Helper::getInstance()->getAssoc($stmt, false, array($prj_id, $customer_id), DB_FETCHMODE_ASSOC);
$res = DB_Helper::getInstance()->fetchAssoc($stmt, array($prj_id, $customer_id), DB_FETCHMODE_ASSOC);
} catch (DbException $e) {
return array();
}
Expand Down Expand Up @@ -704,9 +704,9 @@ public static function removeNotes($ids)
$stmt = "DELETE FROM
{{%customer_note}}
WHERE
cno_id IN (" . join(", ", Misc::escapeInteger($ids)) . ")";
cno_id IN (" . DB_Helper::buildList($ids) . ")";
try {
DB_Helper::getInstance()->query($stmt);
DB_Helper::getInstance()->query($stmt, $ids);
} catch (DbException $e) {
return -1;
}
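Review bot: `removeAccountManager()` assigns `$items = $_POST["items"]` and passes it unvalidated to `DB_Helper::buildList($items)` and `query($stmt, $items)`; with the `Misc::escapeInteger` cast gone, nothing asserts that it is a non-empty array of ids. Binding the values keeps this injection-safe, but a missing or scalar `items` field, or an empty array producing `cam_id IN ()`, fails only at the database and is collapsed into `return false`. Suggest `$items = array_map('intval', (array) (isset($_POST["items"]) ? $_POST["items"] : array()));` and `if (!$items) { return false; }` ahead of the query. `removeNotes($ids)` in the last hunk has the same shape for a caller-supplied list; its function header is outside this page.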