Sync my db api changes with trunk. Still working my way through the code base ;/

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@4848 f5dc347c-c33d-0410-90a0-b07cc1902cb9
commit 58a5e554f7e610f9d61898a3b70197a4237ba1fe 1 parent 1de2b98
@grangeway grangeway authored
Showing with 678 additions and 565 deletions.
  1. +2 −2 admin/copy_field.php
  2. +2 −2 admin/install_functions.php
  3. +1 −1  admin/schema.php
  4. +1 −1  admin/upgrade_unattended.php
  5. +1 −1  api/soap/mc_file_api.php
  6. +2 −2 bugnote_view_inc.php
  7. +1 −2  changelog_page.php
  8. +1 −1  core/authentication_api.php
  9. +150 −144 core/bug_api.php
  10. +11 −13 core/bugnote_api.php
  11. +3 −5 core/category_api.php
  12. +22 −19 core/config_api.php
  13. +26 −26 core/custom_field_api.php
  14. +14 −8 core/database_api.php
  15. +4 −4 core/email_api.php
  16. +12 −31 core/email_queue_api.php
  17. +13 −16 core/file_api.php
  18. +229 −95 core/filter_api.php
  19. +2 −2 core/graph_api.php
  20. +4 −4 core/history_api.php
  21. +9 −9 core/news_api.php
  22. +1 −1  core/plugin_api.php
  23. +6 −3 core/print_api.php
  24. +9 −9 core/profile_api.php
  25. +15 −15 core/project_api.php
  26. +2 −2 core/relationship_api.php
  27. +20 −20 core/sponsorship_api.php
  28. +8 −8 core/summary_api.php
  29. +34 −37 core/tag_api.php
  30. +14 −15 core/tokens_api.php
  31. +4 −4 core/user_api.php
  32. +19 −28 core/version_api.php
  33. +3 −3 file_download.php
  34. +2 −2 graphs/graph_by_category.php
  35. +1 −4 lost_pwd.php
  36. +8 −7 manage_user_page.php
  37. +3 −6 manage_user_prune.php
  38. +15 −12 manage_user_update.php
  39. +4 −1 view_all_bug_page.php
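--- a/admin/copy_field.php
+++ b/admin/copy_field.php
@@ -62,9 +62,9 @@
 $t_string_table = db_get_table( 'mantis_custom_field_string_table' );
 $t_bug_table = db_get_table( 'mantis_bug_table' );
-$query = 'SELECT * FROM ' . $t_string_table . ' WHERE field_id = ' . $f_source_field_id . ' and value <> \'\'';
+$query = 'SELECT * FROM ' . $t_string_table . ' WHERE field_id = ' . db_param(0) . ' and value <> ' . db_param(1);
-$result = @db_query( $query );
+$result = @db_query_bound( $query, Array( $f_source_field_id, '' ) );
 if ( FALSE == $result ) {
 echo '<p>No fields need to be updated.</p>';
 } else {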
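Review bot: The new `@db_query_bound( ... )` call keeps the error suppression, and the `FALSE == $result` branch that follows prints "No fields need to be updated", so a failing query (bad field id, DB error) is reported to the administrator as a clean no-op; an empty result set presumably does not come back as false, so the message is attached to the wrong condition. Drop the `@`, treat false as a failure, e.g. `if ( false === $result ) { echo '<p>Failed to read the source field values.</p>'; } else {`, and base the "nothing to update" message on the row count inside the else branch. Binding `$f_source_field_id` instead of interpolating it is the right fix; casting it with `(int)` before binding would also keep the parameter type stable across database backends.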
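--- a/admin/install_functions.php
+++ b/admin/install_functions.php
@@ -31,10 +31,10 @@ function install_category_migrate() {
 $t_project_category_table = db_get_table( 'mantis_project_category_table' );
 $query = "SELECT project_id, category FROM $t_project_category_table ORDER BY project_id, category";
-$t_category_result = db_query( $query );
+$t_category_result = db_query_bound( $query );
 $query = "SELECT project_id, category FROM $t_bug_table ORDER BY project_id, category";
-$t_bug_result = db_query( $query );
+$t_bug_result = db_query_bound( $query );
 $t_data = Array();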
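--- a/admin/schema.php
+++ b/admin/schema.php
@@ -323,7 +323,7 @@
 $upgrade[] = Array('CreateIndexSQL',Array('idx_access',db_get_table('mantis_user_table'),'access_level'));
 $upgrade[] = Array('InsertData', Array( db_get_table('mantis_user_table'),
 "(username, realname, email, password, date_created, last_visit, enabled, protected, access_level, login_count, lost_password_request_count, failed_login_count, cookie_string) VALUES
-('administrator', '', 'root@localhost', '63a9f0ea7bb98050796b649e85481845', " . db_now() . ", " . db_now() . ", '1', '0', 90, 3, 0, 0, '" .
+('administrator', '', 'root@localhost', '63a9f0ea7bb98050796b649e85481845', '" . db_now() . "', '" . db_now() . "', '1', '0', 90, 3, 0, 0, '" .
 md5( mt_rand( 0, mt_getrandmax() ) + mt_rand( 0, mt_getrandmax() ) ) . md5( time() ) . "')" ) );
 $upgrade[] = Array('AlterColumnSQL', Array( db_get_table( 'mantis_bug_history_table' ), "old_value C(255) NOTNULL" ) );
 $upgrade[] = Array('AlterColumnSQL', Array( db_get_table( 'mantis_bug_history_table' ), "new_value C(255) NOTNULL" ) );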
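--- a/admin/upgrade_unattended.php
+++ b/admin/upgrade_unattended.php
@@ -78,7 +78,7 @@ function print_test_result( $p_result, $p_hard_fail=true, $p_message='' ) {
 description char(255) NOT NULL,
 PRIMARY KEY (upgrade_id))";
-$result = db_query( $query );
+$result = db_query_bound( $query );
 }
 # link the data structures and upgrade list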
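--- a/api/soap/mc_file_api.php
+++ b/api/soap/mc_file_api.php
@@ -124,7 +124,7 @@ function mci_file_add( $p_id, $p_name, $p_content, $p_file_type, $p_table, $p_ti
 $query = "INSERT INTO $t_file_table
 (" . $p_table . "_id, title, description, diskfile, filename, folder, filesize, file_type, date_added, content)
 VALUES
-($c_id, '$c_title', '$c_desc', '$c_disk_file_name', '$c_new_file_name', '$c_file_path', $c_file_size, '$c_file_type', " . db_now() .", '$c_content')";
+($c_id, '$c_title', '$c_desc', '$c_disk_file_name', '$c_new_file_name', '$c_file_path', $c_file_size, '$c_file_type', '" . db_now() ."', '$c_content')";
 db_query( $query );
 # get attachment id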
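Review bot: This INSERT is still built by string interpolation and executed with `db_query( $query )`; only the quoting of `db_now()` changed, while every other hunk in this commit moves the same pattern onto `db_param()`/`db_query_bound()`. The values interpolated here, including the attachment body `$c_content` submitted through the SOAP API, are derived above the hunk, so whether they are escaped cannot be confirmed from this page; binding them removes the question, and is the only backend-independent way to store binary content. When converting, bind the raw (un-prepared) values rather than the `$c_` ones, otherwise the escaping done earlier in `mci_file_add` would be stored literally. `$p_table . "_id"` remains an interpolated identifier and cannot be bound, so the caller-supplied `$p_table` should be restricted to the known attachment tables before this statement.
```php
$query = "INSERT INTO $t_file_table
	(" . $p_table . "_id, title, description, diskfile, filename, folder, filesize, file_type, date_added, content)
	VALUES
	(" . db_param(0) . ", " . db_param(1) . ", " . db_param(2) . ", " . db_param(3) . ", " . db_param(4) . ", " . db_param(5) . ", " . db_param(6) . ", " . db_param(7) . ", " . db_param(8) . ", " . db_param(9) . ")";
db_query_bound( $query, Array( $c_id, $c_title, $c_desc, $c_disk_file_name, $c_new_file_name, $c_file_path, $c_file_size, $c_file_type, db_now(), $c_content ) );
// … unchanged: attachment id lookup …
```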
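--- a/bugnote_view_inc.php
+++ b/bugnote_view_inc.php
@@ -96,8 +96,8 @@
 # grab the bugnote text and id and prefix with v3_
 $query = "SELECT note
 FROM $t_bugnote_text_table
-WHERE id='$v3_bugnote_text_id'";
-$result2 = db_query( $query );
+WHERE id=" . db_param(0);
+$result2 = db_query_bound( $query, Array( $v3_bugnote_text_id ) );
 $row = db_fetch_array( $result2 );
 $v3_note = $row['note'];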
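--- a/changelog_page.php
+++ b/changelog_page.php
@@ -95,7 +95,6 @@ function print_project_header ( $p_project_name ) {
 $t_version_header_printed = false;
 $t_version = $t_version_row['version'];
-$c_version = db_prepare_string( $t_version );
 $t_version_id = version_get_id( $t_version, $t_project_id );
@@ -109,7 +108,7 @@ function print_project_header ( $p_project_name ) {
 $t_issue_ids = array();
 $t_issue_parents = array();
-$t_result = db_query_bound( $query, Array( $c_project_id, $c_version ) );
+$t_result = db_query_bound( $query, Array( $c_project_id, $t_version ) );
 while ( $t_row = db_fetch_array( $t_result ) ) {
 # hide private bugs if user doesn't have access to view them.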
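--- a/core/authentication_api.php
+++ b/core/authentication_api.php
@@ -510,7 +510,7 @@ function auth_reauthenticate_page( $p_user_id, $p_username ) {
 }
 ?>
 </p>
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo string_sanitize_url( $_SERVER['PHP_SELF'] ); ?>">
 <?php
 print_hidden_inputs( gpc_strip_slashes( $_POST ) );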
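Review bot: The new `action` attribute passes `$_SERVER['PHP_SELF']` through `string_sanitize_url()` but is still echoed into an HTML attribute without attribute encoding; `string_sanitize_url` is not on this page, so if it only validates or normalises the URL rather than encoding quotes and angle brackets, the classic PHP_SELF reflected XSS this hunk is fixing is only narrowed, not closed. Encoding for the attribute context as well is cheap and independent of what the sanitiser does, e.g. `action="<?php echo string_attribute( string_sanitize_url( $_SERVER['PHP_SELF'] ) ); ?>"`, or drop the reflected path entirely and post back to a fixed page. The following `print_hidden_inputs( gpc_strip_slashes( $_POST ) )` re-emits every submitted field on this re-authentication page, so it is worth confirming that helper attribute-encodes both names and values. The enclosing `auth_reauthenticate_page` starts and ends outside the hunk.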
294 core/bug_api.php
@@ -168,7 +168,7 @@ function bug_cache_array_rows( $p_bug_id_array ) {
$query = "SELECT *
FROM $t_bug_table
WHERE id IN (" . implode( ',', $c_bug_id_array ) . ')';
- $result = db_query( $query );
+ $result = db_query_bound( $query );
while ( $row = db_fetch_array( $result ) ) {
$row['date_submitted'] = db_unixtimestamp( $row['date_submitted'] );
@@ -373,8 +373,8 @@ function bug_check_workflow( $p_bug_status, $p_wanted_status ) {
#
function bug_create( $p_bug_data ) {
- $c_summary = db_prepare_string( $p_bug_data->summary );
- $c_description = db_prepare_string( $p_bug_data->description );
+ $c_summary = $p_bug_data->summary;
+ $c_description = $p_bug_data->description;
$c_project_id = db_prepare_int( $p_bug_data->project_id );
$c_reporter_id = db_prepare_int( $p_bug_data->reporter_id );
$c_handler_id = db_prepare_int( $p_bug_data->handler_id );
@@ -382,15 +382,15 @@ function bug_create( $p_bug_data ) {
$c_severity = db_prepare_int( $p_bug_data->severity );
$c_reproducibility = db_prepare_int( $p_bug_data->reproducibility );
$c_category_id = db_prepare_int( $p_bug_data->category_id );
- $c_os = db_prepare_string( $p_bug_data->os );
- $c_os_build = db_prepare_string( $p_bug_data->os_build );
- $c_platform = db_prepare_string( $p_bug_data->platform );
- $c_version = db_prepare_string( $p_bug_data->version );
- $c_build = db_prepare_string( $p_bug_data->build );
+ $c_os = $p_bug_data->os;
+ $c_os_build = $p_bug_data->os_build;
+ $c_platform = $p_bug_data->platform;
+ $c_version = $p_bug_data->version;
+ $c_build = $p_bug_data->build;
$c_profile_id = db_prepare_int( $p_bug_data->profile_id );
$c_view_state = db_prepare_int( $p_bug_data->view_state );
- $c_steps_to_reproduce = db_prepare_string( $p_bug_data->steps_to_reproduce );
- $c_additional_info = db_prepare_string( $p_bug_data->additional_information );
+ $c_steps_to_reproduce = $p_bug_data->steps_to_reproduce;
+ $c_additional_info = $p_bug_data->additional_information;
$c_sponsorship_total = 0;
$c_sticky = 0;
@@ -408,7 +408,7 @@ function bug_create( $p_bug_data ) {
# Only set target_version if user has access to do so
if ( access_has_project_level( config_get( 'roadmap_update_threshold' ) ) ) {
- $c_target_version = db_prepare_string( $p_bug_data->target_version );
+ $c_target_version = $p_bug_data->target_version;
} else {
$c_target_version = '';
}
@@ -471,21 +471,36 @@ function bug_create( $p_bug_data ) {
target_version
)
VALUES
- ( '$c_project_id',
- '$c_reporter_id', '$c_handler_id',
- '0', '$c_priority',
- '$c_severity', '$c_reproducibility',
- '$t_status', '$t_resolution',
- 10, '$c_category_id',
- " . db_now() . "," . db_now() . ",
- 10, '$t_text_id',
- '$c_os', '$c_os_build',
- '$c_platform', '$c_version',
- '$c_build',
- '$c_profile_id', '$c_summary', '$c_view_state', '$c_sponsorship_total', '$c_sticky', '',
- '$c_target_version'
- )";
- db_query( $query );
+ ( " . db_param(0) . ",
+ " . db_param(1) . ",
+ " . db_param(2) . ",
+ " . db_param(3) . ",
+ " . db_param(4) . ",
+ " . db_param(5) . ",
+ " . db_param(6) . ",
+ " . db_param(7) . ",
+ " . db_param(8) . ",
+ " . db_param(9) . ",
+ " . db_param(10) .",
+ " . db_param(11) . ",
+ " . db_param(12) . ",
+ " . db_param(13) . ",
+ " . db_param(14) . ",
+ " . db_param(15) . ",
+ " . db_param(16) . ",
+ " . db_param(17) . ",
+ " . db_param(18) . ",
+ " . db_param(19) . ",
+ " . db_param(20) . ",
+ " . db_param(21) . ",
+ " . db_param(22) . ",
+ " . db_param(23) . ",
+ " . db_param(24) . ",
+ " . db_param(25) . ",
+ " . db_param(26) . ")";
+ db_query_bound( $query, Array( $c_project_id, $c_reporter_id, $c_handler_id, 0, $c_priority, $c_severity, $c_reproducibility, $t_status,
+ $t_resolution, 10, $c_category_id, db_now(), db_now(), 10, $t_text_id, $c_os, $c_os_build, $c_platform, $c_version,$c_build,
+ $c_profile_id, $c_summary, $c_view_state, $c_sponsorship_total, $c_sticky, '', $c_target_version ) );
$t_bug_id = db_insert_id($t_bug_table);
@@ -562,12 +577,12 @@ function bug_copy( $p_bug_id, $p_target_project_id = null, $p_copy_custom_fields
$c_field_id = db_prepare_int( $t_bug_custom['field_id'] );
$c_new_bug_id = db_prepare_int( $t_new_bug_id );
- $c_value = db_prepare_string( $t_bug_custom['value'] );
+ $c_value = $t_bug_custom['value'];
$query = "INSERT INTO $t_mantis_custom_field_string_table
( field_id, bug_id, value )
- VALUES ('$c_field_id', '$c_new_bug_id', '$c_value')";
- db_query( $query );
+ VALUES (" . db_param(0) . ", " . db_param(1) . ", " . db_param(2) . ")";
+ db_query_bound( $query, Array( $c_field_id, $c_new_bug_id, $c_value ) );
}
}
@@ -599,24 +614,23 @@ function bug_copy( $p_bug_id, $p_target_project_id = null, $p_copy_custom_fields
$t_bugnote_text_insert_id = -1;
if ( $t_count2 > 0 ) {
$t_bugnote_text = db_fetch_array( $result2 );
- $t_bugnote_text['note'] = db_prepare_string( $t_bugnote_text['note'] );
$query2 = "INSERT INTO $t_mantis_bugnote_text_table
( note )
- VALUES ( '" . $t_bugnote_text['note'] . "' );";
- db_query( $query2 );
+ VALUES ( " . db_param(0) . " );";
+ db_query_bound( $query2, Array( $t_bugnote_text['note'] ) );
$t_bugnote_text_insert_id = db_insert_id( $t_mantis_bugnote_text_table );
}
$query2 = "INSERT INTO $t_mantis_bugnote_table
( bug_id, reporter_id, bugnote_text_id, view_state, date_submitted, last_modified )
- VALUES ( '$t_new_bug_id',
- '" . $t_bug_note['reporter_id'] . "',
- '$t_bugnote_text_insert_id',
- '" . $t_bug_note['view_state'] . "',
- '" . $t_bug_note['date_submitted'] . "',
- '" . $t_bug_note['last_modified'] . "' );";
- db_query( $query2 );
+ VALUES ( " . db_param(0) . ",
+ " . db_param(1) . ",
+ " . db_param(2) . ",
+ " . db_param(3) . ",
+ " . db_param(4) . ",
+ " . db_param(5) . ");";
+ db_query_bound( $query2, Array( $t_new_bug_id, $t_bug_note['reporter_id'], $t_bugnote_text_insert_id, $t_bug_note['view_state'], $t_bug_note['date_submitted'], $t_bug_note['last_modified'] ) );
}
}
@@ -624,8 +638,8 @@ function bug_copy( $p_bug_id, $p_target_project_id = null, $p_copy_custom_fields
if ( $p_copy_attachments ) {
$query = "SELECT *
FROM $t_mantis_bug_file_table
- WHERE bug_id = '$t_bug_id';";
- $result = db_query( $query );
+ WHERE bug_id = " . db_param(0);
+ $result = db_query_bound( $query, Array( $t_bug_id ) );
$t_count = db_num_rows( $result );
$t_bug_file = array();
@@ -643,17 +657,17 @@ function bug_copy( $p_bug_id, $p_target_project_id = null, $p_copy_custom_fields
$query = "INSERT INTO $t_mantis_bug_file_table
( bug_id, title, description, diskfile, filename, folder, filesize, file_type, date_added, content )
- VALUES ( '$t_new_bug_id',
- '" . db_prepare_string( $t_bug_file['title'] ) . "',
- '" . db_prepare_string( $t_bug_file['description'] ) . "',
- '" . db_prepare_string( $t_new_diskfile_name ) . "',
- '" . db_prepare_string( $t_new_file_name ) . "',
- '" . db_prepare_string( $t_bug_file['folder'] ) . "',
- '" . db_prepare_int( $t_bug_file['filesize'] ) . "',
- '" . db_prepare_string( $t_bug_file['file_type'] ) . "',
- '" . db_prepare_string( $t_bug_file['date_added'] ) . "',
- '" . db_prepare_string( $t_bug_file['content'] ) . "');";
- db_query( $query );
+ VALUES ( " . db_param(0) . ",
+ " . db_param(1) . ",
+ " . db_param(2) . ",
+ " . db_param(3) . ",
+ " . db_param(4) . ",
+ " . db_param(5) . ",
+ " . db_param(6) . ",
+ " . db_param(7) . ",
+ " . db_param(8) . ",
+ " . db_param(9) . ");";
+ db_query_bound( $query, Array( $t_new_bug_id, $t_bug_file['title'], $t_bug_file['description'], $t_new_diskfile_name, $t_new_file_name, $t_bug_file['folder'], $t_bug_file['filesize'], $t_bug_file['file_type'], $t_bug_file['date_added'], $t_bug_file['content'] ) );
}
}
@@ -661,16 +675,16 @@ function bug_copy( $p_bug_id, $p_target_project_id = null, $p_copy_custom_fields
if ( $p_copy_monitoring_users ) {
$query = "SELECT *
FROM $t_mantis_bug_monitor_table
- WHERE bug_id = '$t_bug_id';";
- $result = db_query( $query );
+ WHERE bug_id = " . db_param(0);
+ $result = db_query_bound( $query, Array( $t_bug_id ) );
$t_count = db_num_rows( $result );
for ( $i = 0; $i < $t_count; $i++ ) {
$t_bug_monitor = db_fetch_array( $result );
$query = "INSERT INTO $t_mantis_bug_monitor_table
( user_id, bug_id )
- VALUES ( '" . $t_bug_monitor['user_id'] . "', '$t_new_bug_id' );";
- db_query( $query );
+ VALUES ( " . db_param(0) . ", " . db_param(1) . ")";
+ db_query_bound( $query, Array( $t_bug_monitor['user_id'], $t_new_bug_id ) );
}
}
@@ -687,14 +701,14 @@ function bug_copy( $p_bug_id, $p_target_project_id = null, $p_copy_custom_fields
$t_bug_history = db_fetch_array( $result );
$query = "INSERT INTO $t_mantis_bug_history_table
( user_id, bug_id, date_modified, field_name, old_value, new_value, type )
- VALUES ( '" . db_prepare_int( $t_bug_history['user_id'] ) . "',
- '$t_new_bug_id',
- '" . db_prepare_string( $t_bug_history['date_modified'] ) . "',
- '" . db_prepare_string( $t_bug_history['field_name'] ) . "',
- '" . db_prepare_string( $t_bug_history['old_value'] ) . "',
- '" . db_prepare_string( $t_bug_history['new_value'] ) . "',
- '" . db_prepare_int( $t_bug_history['type'] ) . "' );";
- db_query( $query );
+ VALUES ( " . db_param(0) . ",
+ " . db_param(1) . ",
+ " . db_param(2) . ",
+ " . db_param(3) . ",
+ " . db_param(4) . ",
+ " . db_param(5) . ",
+ " . db_param(6) . " );";
+ db_query_bound( $query, Array( $t_bug_history['user_id'], $t_new_bug_id, $t_bug_history['date_modified'], $t_bug_history['field_name'], $t_bug_history['old_value'], $t_bug_history['new_value'], $t_bug_history['type'] ) );
}
}
@@ -706,7 +720,7 @@ function bug_copy( $p_bug_id, $p_target_project_id = null, $p_copy_custom_fields
# delete the bug, bugtext, bugnote, and bugtexts selected
# used in bug_delete.php & mass treatments
function bug_delete( $p_bug_id ) {
- $c_bug_id = db_prepare_int( $p_bug_id );
+ $c_bug_id = (int)$p_bug_id;
$t_bug_table = db_get_table( 'mantis_bug_table' );
$t_bug_text_table = db_get_table( 'mantis_bug_text_table' );
@@ -771,7 +785,7 @@ function bug_delete( $p_bug_id ) {
# --------------------
# Delete all bugs associated with a project
function bug_delete_all( $p_project_id ) {
- $c_project_id = db_prepare_int( $p_project_id );
+ $c_project_id = (int)$p_project_id;
$t_bug_table = db_get_table( 'mantis_bug_table' );
@@ -830,39 +844,50 @@ function bug_update( $p_bug_id, $p_bug_data, $p_update_extended = false, $p_bypa
# shouldn't get updated like this anyway. If you really need to change
# them use bug_set_field()
$query = "UPDATE $t_bug_table
- SET project_id='$c_bug_data->project_id',
- reporter_id='$c_bug_data->reporter_id',
- handler_id='$c_bug_data->handler_id',
- duplicate_id='$c_bug_data->duplicate_id',
- priority='$c_bug_data->priority',
- severity='$c_bug_data->severity',
- reproducibility='$c_bug_data->reproducibility',
- status='$c_bug_data->status',
- resolution='$c_bug_data->resolution',
- projection='$c_bug_data->projection',
- category_id='$c_bug_data->category_id',
- eta='$c_bug_data->eta',
- os='$c_bug_data->os',
- os_build='$c_bug_data->os_build',
- platform='$c_bug_data->platform',
- version='$c_bug_data->version',
- build='$c_bug_data->build',
- fixed_in_version='$c_bug_data->fixed_in_version',";
-
+ SET project_id=" . db_param(0) . ",
+ reporter_id=" . db_param(1) . ",
+ handler_id=" . db_param(2) . ",
+ duplicate_id=" . db_param(3) . ",
+ priority=" . db_param(4) . ",
+ severity=" . db_param(5) . ",
+ reproducibility=" . db_param(6) . ",
+ status=" . db_param(7) . ",
+ resolution=" . db_param(8) . ",
+ projection=" . db_param(9) . ",
+ category_id=" . db_param(10) . ",
+ eta=" . db_param(11) . ",
+ os=" . db_param(12) . ",
+ os_build=" . db_param(13) . ",
+ platform=" . db_param(14) . ",
+ version=" . db_param(15) . ",
+ build=" . db_param(16) . ",
+ fixed_in_version=" . db_param(17) . ",";
+
+ $t_fields = Array( $c_bug_data->project_id, $c_bug_data->reporter_id, $c_bug_data->handler_id, $c_bug_data->duplicate_id, $c_bug_data->priority, $c_bug_data->severity, $c_bug_data->reproducibility,
+ $c_bug_data->status, $c_bug_data->resolution, $c_bug_data->projection, $c_bug_data->category_id, $c_bug_data->eta, $c_bug_data->os, $c_bug_data->os_build, $c_bug_data->platform,
+ $c_bug_data->version, $c_bug_data->build, $c_bug_data->fixed_in_version);
+ $t_field_count = 18;
$t_roadmap_updated = false;
if ( access_has_project_level( config_get( 'roadmap_update_threshold' ) ) ) {
$query .= "
- target_version='$c_bug_data->target_version',";
+ target_version=" . db_param( $t_field_count++ ) . ",";
+ $t_fields[] = $c_bug_data->target_version;
$t_roadmap_updated = true;
}
$query .= "
- view_state='$c_bug_data->view_state',
- summary='$c_bug_data->summary',
- sponsorship_total='$c_bug_data->sponsorship_total',
- sticky='$c_bug_data->sticky'
- WHERE id='$c_bug_id'";
- db_query( $query );
+ view_state=" . db_param( $t_field_count++ ) .",
+ summary=" . db_param( $t_field_count++ ) .",
+ sponsorship_total=" . db_param( $t_field_count++ ) .",
+ sticky=" . db_param( $t_field_count++ ) ."
+ WHERE id=" . db_param( $t_field_count++ );
+ $t_fields[] = $c_bug_data->view_state;
+ $t_fields[] = $c_bug_data->summary;
+ $t_fields[] = $c_bug_data->sponsorship_total;
+ $t_fields[] = $c_bug_data->sticky;
+ $t_fields[] = $c_bug_id;
+
+ db_query_bound( $query, $t_fields );
bug_clear_cache( $p_bug_id );
@@ -900,11 +925,11 @@ function bug_update( $p_bug_id, $p_bug_data, $p_update_extended = false, $p_bypa
$t_bug_text_id = bug_get_field( $p_bug_id, 'bug_text_id' );
$query = "UPDATE $t_bug_text_table
- SET description='$c_bug_data->description',
- steps_to_reproduce='$c_bug_data->steps_to_reproduce',
- additional_information='$c_bug_data->additional_information'
- WHERE id='$t_bug_text_id'";
- db_query( $query );
+ SET description=" . db_param(0) . ",
+ steps_to_reproduce=" . db_param(1) . ",
+ additional_information=" . db_param(2) . "
+ WHERE id=" . db_param(3);
+ db_query_bound( $query, Array( $c_bug_data->description, $c_bug_data->steps_to_reproduce, $c_bug_data->additional_information, $t_bug_text_id ) );
bug_text_clear_cache( $p_bug_id );
@@ -1067,9 +1092,9 @@ function bug_get_newest_bugnote_timestamp( $p_bug_id ) {
$query = "SELECT last_modified
FROM $t_bugnote_table
- WHERE bug_id='$c_bug_id'
+ WHERE bug_id=" . db_param(0) . "
ORDER BY last_modified DESC";
- $result = db_query( $query, 1 );
+ $result = db_query_bound( $query, Array( $c_bug_id ), 1 );
$row = db_result( $result );
if ( false === $row ) {
@@ -1130,9 +1155,9 @@ function bug_get_attachments( $p_bug_id ) {
$query = "SELECT id, title, diskfile, filename, filesize, file_type, date_added
FROM $t_bug_file_table
- WHERE bug_id='$c_bug_id'
+ WHERE bug_id=" . db_param(0) . "
ORDER BY date_added";
- $db_result = db_query( $query );
+ $db_result = db_query_bound( $query, Array( $c_bug_id ) );
$num_notes = db_num_rows( $db_result );
$t_result = array();
@@ -1150,14 +1175,10 @@ function bug_get_attachments( $p_bug_id ) {
# --------------------
# set the value of a bug field
- function bug_set_field( $p_bug_id, $p_field_name, $p_status, $p_prepare = true ) {
+ function bug_set_field( $p_bug_id, $p_field_name, $p_status ) {
$c_bug_id = db_prepare_int( $p_bug_id );
$c_field_name = db_prepare_string( $p_field_name );
- if( $p_prepare ) {
- $c_status = '\'' . db_prepare_string( $p_status ) . '\''; #generic, unknown type
- } else {
- $c_status = $p_status; #generic, unknown type
- }
+ $c_status = $p_status; #generic, unknown type
$h_status = bug_get_field( $p_bug_id, $p_field_name );
@@ -1212,9 +1233,9 @@ function bug_assign( $p_bug_id, $p_user_id, $p_bugnote_text='', $p_bugnote_priva
# get user id
$query = "UPDATE $t_bug_table
- SET handler_id='$c_user_id', status='$t_ass_val'
- WHERE id='$c_bug_id'";
- db_query( $query );
+ SET handler_id=" . db_param(0) . ", status=" . db_param(1) . "
+ WHERE id=" . db_param(2);
+ db_query_bound( $query, Array( $c_user_id, $t_ass_val, $c_bug_id ) );
# log changes
history_log_event_direct( $c_bug_id, 'status', $h_status, $t_ass_val );
@@ -1365,9 +1386,9 @@ function bug_update_date( $p_bug_id ) {
$t_bug_table = db_get_table( 'mantis_bug_table' );
$query = "UPDATE $t_bug_table
- SET last_updated= " . db_now() . "
- WHERE id='$c_bug_id'";
- db_query( $query );
+ SET last_updated= " . db_param(0) . "
+ WHERE id=" . db_param(1);
+ db_query_bound( $query, Array( db_now(), $c_bug_id) );
bug_clear_cache( $p_bug_id );
@@ -1441,38 +1462,23 @@ function bug_format_id( $p_bug_id ) {
# --------------------
# Return a copy of the bug structure with all the instvars prepared for db insertion
function bug_prepare_db( $p_bug_data ) {
- $t_bug_data = new BugData;
- $t_bug_data->project_id = db_prepare_int( $p_bug_data->project_id );
- $t_bug_data->reporter_id = db_prepare_int( $p_bug_data->reporter_id );
- $t_bug_data->handler_id = db_prepare_int( $p_bug_data->handler_id );
- $t_bug_data->duplicate_id = db_prepare_int( $p_bug_data->duplicate_id );
- $t_bug_data->priority = db_prepare_int( $p_bug_data->priority );
- $t_bug_data->severity = db_prepare_int( $p_bug_data->severity );
- $t_bug_data->reproducibility = db_prepare_int( $p_bug_data->reproducibility );
- $t_bug_data->status = db_prepare_int( $p_bug_data->status );
- $t_bug_data->resolution = db_prepare_int( $p_bug_data->resolution );
- $t_bug_data->projection = db_prepare_int( $p_bug_data->projection );
- $t_bug_data->category_id = db_prepare_int( $p_bug_data->category_id );
- $t_bug_data->date_submitted = db_prepare_string( $p_bug_data->date_submitted );
- $t_bug_data->last_updated = db_prepare_string( $p_bug_data->last_updated );
- $t_bug_data->eta = db_prepare_int( $p_bug_data->eta );
- $t_bug_data->os = db_prepare_string( $p_bug_data->os );
- $t_bug_data->os_build = db_prepare_string( $p_bug_data->os_build );
- $t_bug_data->platform = db_prepare_string( $p_bug_data->platform );
- $t_bug_data->version = db_prepare_string( $p_bug_data->version );
- $t_bug_data->build = db_prepare_string( $p_bug_data->build );
- $t_bug_data->fixed_in_version = db_prepare_string( $p_bug_data->fixed_in_version );
- $t_bug_data->target_version = db_prepare_string( $p_bug_data->target_version );
- $t_bug_data->view_state = db_prepare_int( $p_bug_data->view_state );
- $t_bug_data->summary = db_prepare_string( $p_bug_data->summary );
- $t_bug_data->sponsorship_total = db_prepare_int( $p_bug_data->sponsorship_total );
- $t_bug_data->sticky = db_prepare_int( $p_bug_data->sticky );
-
- $t_bug_data->description = db_prepare_string( $p_bug_data->description );
- $t_bug_data->steps_to_reproduce = db_prepare_string( $p_bug_data->steps_to_reproduce );
- $t_bug_data->additional_information = db_prepare_string( $p_bug_data->additional_information );
+ $p_bug_data->project_id = (int)$p_bug_data->project_id;
+ $p_bug_data->reporter_id = (int)$p_bug_data->reporter_id;
+ $p_bug_data->handler_id = (int)$p_bug_data->handler_id;
+ $p_bug_data->duplicate_id = (int)$p_bug_data->duplicate_id;
+ $p_bug_data->priority = (int)$p_bug_data->priority;
+ $p_bug_data->severity = (int)$p_bug_data->severity;
+ $p_bug_data->reproducibility = (int)$p_bug_data->reproducibility;
+ $p_bug_data->status = (int)$p_bug_data->status;
+ $p_bug_data->resolution = (int)$p_bug_data->resolution;
+ $p_bug_data->projection = (int)$p_bug_data->projection;
+ $p_bug_data->category_id = (int)$p_bug_data->category_id;
+ $p_bug_data->eta = (int)$p_bug_data->eta;
+ $p_bug_data->view_state = (int)$p_bug_data->view_state;
+ $p_bug_data->sponsorship_total = (int)$p_bug_data->sponsorship_total;
+ $p_bug_data->sticky = (int)$p_bug_data->sticky;
- return $t_bug_data;
+ return $p_bug_data;
}
# --------------------
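Review bot: `bug_set_field` now stores the caller's value raw (`$c_status = $p_status;`) where the old code quoted and escaped it, but the UPDATE that consumes `$c_status` together with the interpolated `$c_field_name` lies below this hunk and is not shown converted to `db_param()`/`db_query_bound()`; unless that statement was bound in the same commit, every caller of `bug_set_field` is now a SQL injection path. The same pattern appears in `bug_create`, where `db_prepare_string` is dropped from `$c_description`, `$c_steps_to_reproduce` and `$c_additional_info` while the bug-text INSERT that uses them sits between the visible hunks. Removing the `$p_prepare` parameter also changes the contract for callers that passed `false` with a pre-quoted value or SQL expression, which will now be bound as a literal string. The update should read `SET $c_field_name=" . db_param(0) . " WHERE id=" . db_param(1)` with `$c_field_name` checked against the bug table's column names, since an identifier cannot be a bound parameter; `bug_prepare_db` additionally now mutates and returns `$p_bug_data` itself instead of a copy, which callers that reuse the original object after the call may not expect.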
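--- a/core/bugnote_api.php
+++ b/core/bugnote_api.php
@@ -101,21 +101,19 @@ function bugnote_is_user_reporter( $p_bugnote_id, $p_user_id ) {
 # return the ID of the new bugnote
 function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p_private = false, $p_type = 0, $p_attr = '', $p_user_id = null ) {
 $c_bug_id = db_prepare_int( $p_bug_id );
-$c_bugnote_text = db_prepare_string( $p_bugnote_text );
+
 $c_time_tracking = db_prepare_time( $p_time_tracking );
 $c_private = db_prepare_bool( $p_private );
 $c_type = db_prepare_int( $p_type );
-$c_attr = db_prepare_string( $p_attr );
 $t_bugnote_text_table = db_get_table( 'mantis_bugnote_text_table' );
 $t_bugnote_table = db_get_table( 'mantis_bugnote_table' );
-
 # insert bugnote text
 $query = "INSERT INTO $t_bugnote_text_table
 ( note )
 VALUES
 ( " . db_param(0) . " )";
-db_query_bound( $query, Array( $c_bugnote_text ) );
+db_query_bound( $query, Array( $p_bugnote_text ) );
 # retrieve bugnote text id number
 $t_bugnote_text_id = db_insert_id( $t_bugnote_text_table );
@@ -139,8 +137,8 @@ function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p
 $query = "INSERT INTO $t_bugnote_table
 (bug_id, reporter_id, bugnote_text_id, view_state, date_submitted, last_modified, note_type, note_attr, time_tracking )
 VALUES
-('$c_bug_id', '$c_user_id','$t_bugnote_text_id', '$t_view_state', " . db_now() . "," . db_now() . ", '$c_type', '$c_attr', '$c_time_tracking' )";
-db_query( $query );
+(" . db_param(0) . ", " . db_param(1) . "," . db_param(2) . ", " . db_param(3) . ", " . db_param(4) . "," . db_param(5) . ", " . db_param(6) . ", " . db_param(7) . ", " . db_param(8) . " )";
+db_query_bound( $query, Array( $c_bug_id, $c_user_id, $t_bugnote_text_id, $t_view_state, db_now(), db_now(), $c_type, $p_attr, $c_time_tracking ) );
 # get bugnote id
 $t_bugnote_id = db_insert_id( $t_bugnote_table );
@@ -240,8 +238,8 @@ function bugnote_get_field( $p_bugnote_id, $p_field_name ) {
 $query = "SELECT $c_field_name
 FROM $t_bugnote_table
-WHERE id='$c_bugnote_id' ";
-$result = db_query( $query, 1 );
+WHERE id=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_bugnote_id ), 1 );
 return db_result( $result );
 }
@@ -254,9 +252,9 @@ function bugnote_get_latest_id( $p_bug_id ) {
 $query = "SELECT id
 FROM $t_bugnote_table
-WHERE bug_id='$c_bug_id'
+WHERE bug_id=" . db_param(0) . "
 ORDER by last_modified DESC";
-$result = db_query( $query, 1 );
+$result = db_query_bound( $query, Array( $c_bug_id ), 1 );
 return db_result( $result );
 }
@@ -390,9 +388,9 @@ function bugnote_date_update( $p_bugnote_id ) {
 $t_bugnote_table = db_get_table( 'mantis_bugnote_table' );
 $query = "UPDATE $t_bugnote_table
-SET last_modified=" . db_now() . "
-WHERE id='$c_bugnote_id'";
-db_query( $query );
+SET last_modified=" . db_param(0) . "
+WHERE id=" . db_param(1);
+db_query_bound( $query, Array( db_now(), $c_bugnote_id ) );
 # db_query errors if there was a problem so:
 return true;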
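Review bot: In `bugnote_get_field` the id is now bound, but the column is still spliced in as `SELECT $c_field_name`; a column name cannot be a bound parameter, and `$c_field_name` is derived above the hunk (presumably via `db_prepare_string`), which escapes quotes but does nothing against an identifier-position injection such as `id FROM other_table --`. Validate `$p_field_name` against the fixed set of bugnote columns before building the query, e.g. `if( !in_array( $p_field_name, array( 'id', 'bug_id', 'reporter_id', 'bugnote_text_id', 'view_state', 'date_submitted', 'last_modified', 'note_type', 'note_attr', 'time_tracking' ), true ) )` followed by the file's usual error call, and splice the validated name rather than an escaped one. The start of `bugnote_get_field`, where `$c_field_name` is set, is outside the hunk.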
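--- a/core/category_api.php
+++ b/core/category_api.php
@@ -68,13 +68,12 @@ function category_ensure_exists( $p_category_id ) {
 # Returns true if the category is unique, false otherwise
 function category_is_unique( $p_project_id, $p_name ) {
 $c_project_id = db_prepare_int( $p_project_id );
-$c_name = db_prepare_string( $p_name );
 $t_category_table = db_get_table( 'mantis_category_table' );
 $query = "SELECT COUNT(*) FROM $t_category_table
-WHERE project_id=" . db_param(0) . " AND " . db_helper_like( 'name', $c_name );
-$count = db_result( db_query_bound( $query, array( $c_project_id ) ) );
+WHERE project_id=" . db_param(0) . " AND " . db_helper_like( 'name', 1 );
+$count = db_result( db_query_bound( $query, array( $c_project_id, $p_name ) ) );
 if ( 0 < $count ) {
 return false;
@@ -101,7 +100,6 @@ function category_ensure_unique( $p_project_id, $p_name ) {
 # Add a new category to the project
 function category_add( $p_project_id, $p_name ) {
 $c_project_id = db_prepare_int( $p_project_id );
-$c_name = db_prepare_string( $p_name );
 category_ensure_unique( $p_project_id, $p_name );
@@ -111,7 +109,7 @@ function category_add( $p_project_id, $p_name ) {
 ( project_id, name )
 VALUES
 ( " . db_param(0) . ', ' . db_param(1) . ' )';
-db_query_bound( $query, array( $c_project_id, $c_name ) );
+db_query_bound( $query, array( $c_project_id, $p_name ) );
 # db_query errors on failure so:
 return db_insert_id( $t_category_table );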
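Review bot: `category_is_unique` now binds the raw `$p_name` into a LIKE clause (`db_helper_like( 'name', 1 )`), so `%` and `_` in a submitted category name act as wildcards: a name of `%` matches every existing category and is rejected as a duplicate, while a name with `_` can match a different one-character variant and be rejected although it is unique, and the reverse over-match lets the uniqueness check be driven by the pattern rather than the value. Since this is an exact-name check, either escape LIKE metacharacters in `$p_name` before binding it or compare with `=` (wrapped in the database's case-insensitive form if that was the point of LIKE). The meaning of the second argument to `db_helper_like` changing from a value to a parameter index depends on the matching change in `core/database_api.php`, which this commit touches but this page does not show, so the two should be reviewed together.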
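--- a/core/config_api.php
+++ b/core/config_api.php
@@ -287,42 +287,45 @@ function config_is_set( $p_option, $p_user = null, $p_project = null ) {
 function config_set( $p_option, $p_value, $p_user = NO_USER, $p_project = ALL_PROJECTS, $p_access = ADMINISTRATOR ) {
 if ( is_array( $p_value ) || is_object( $p_value ) ) {
 $t_type = CONFIG_TYPE_COMPLEX;
-$c_value = db_prepare_string( serialize( $p_value ) );
+$c_value = serialize( $p_value );
 } else if ( is_int( $p_value ) || is_numeric( $p_value ) ) {
 $t_type = CONFIG_TYPE_INT;
 $c_value = db_prepare_int( $p_value );
 } else {
 $t_type = CONFIG_TYPE_STRING;
-$c_value = db_prepare_string( $p_value );
+$c_value = $p_value;
 }
 if ( config_can_set_in_database( $p_option ) ) {
-$c_option = db_prepare_string( $p_option );
+$c_option = $p_option;
 $c_user = db_prepare_int( $p_user );
 $c_project = db_prepare_int( $p_project );
 $c_access = db_prepare_int( $p_access );
 $t_config_table = db_get_table( 'mantis_config_table' );
 $query = "SELECT COUNT(*) from $t_config_table
-WHERE config_id = '$c_option' AND
-project_id = $c_project AND
-user_id = $c_user";
-$result = db_query( $query );
+WHERE config_id = " . db_param(0) . " AND
+project_id = " . db_param(1) . " AND
+user_id = " . db_param(2);
+$result = db_query_bound( $query, Array( $c_option, $c_project, $c_user ) );
+$t_params = Array();
 if ( 0 < db_result( $result ) ) {
 $t_set_query = "UPDATE $t_config_table
-SET value='$c_value', type=$t_type, access_reqd=$c_access
-WHERE config_id = '$c_option' AND
-project_id = $c_project AND
-user_id = $c_user";
+SET value=" . db_param(0) . ", type=" . db_param(1) . ", access_reqd=" . db_param(2) . "
+WHERE config_id = " . db_param(3) . " AND
+project_id = " . db_param(4) . " AND
+user_id = " . db_param(5);
+$t_params = Array( $c_value, $t_type, $c_access, $c_option, $c_project, $c_user );
 } else {
 $t_set_query = "INSERT INTO $t_config_table
 ( value, type, access_reqd, config_id, project_id, user_id )
 VALUES
-('$c_value', $t_type, $c_access, '$c_option', $c_project, $c_user )";
+(" . db_param(0) . ", " . db_param(1) . ", " . db_param(2) . ", " . db_param(3) . ", " . db_param(4) . "," . db_param(5) . " )";
+$t_params = Array( $c_value, $t_type, $c_access, $c_option, $c_project, $c_user );
 }
-$result = db_query( $t_set_query );
+$result = db_query_bound( $t_set_query, Array( $t_params ) );
 }
 config_set_cache( $p_option, $p_value, $t_type, $p_user, $p_project, $p_access );
@@ -397,11 +400,11 @@ function config_delete( $p_option, $p_user = ALL_USERS, $p_project = ALL_PROJECT
 $c_user = db_prepare_int( $p_user );
 $c_project = db_prepare_int( $p_project );
 $query = "DELETE FROM $t_config_table
-WHERE config_id = '$c_option' AND
-project_id=$c_project AND
-user_id=$c_user";
+WHERE config_id = " . db_param(0) . " AND
+project_id=" . db_param(1) . " AND
+user_id=" . db_param(2);
-$result = @db_query( $query);
+$result = @db_query_bound( $query, Array( $c_option, $c_project, $c_user ) );
 }
 config_flush_cache( $p_option, $p_user, $p_project );
@@ -414,9 +417,9 @@ function config_delete_project( $p_project = ALL_PROJECTS ) {
 $t_config_table = db_get_table( 'mantis_config_table' );
 $c_project = db_prepare_int( $p_project );
 $query = "DELETE FROM $t_config_table
-WHERE project_id=$c_project";
+WHERE project_id=" . db_param(0);
-$result = @db_query( $query );
+$result = @db_query_bound( $query, Array( $c_project ) );
 # flush cache here in case some of the deleted configs are in use.
 config_flush_cache();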
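--- a/core/custom_field_api.php
+++ b/core/custom_field_api.php
@@ -529,8 +529,8 @@ function custom_field_link( $p_field_id, $p_project_id ) {
 $query = "INSERT INTO $t_custom_field_project_table
 ( field_id, project_id )
 VALUES
-( '$c_field_id', '$c_project_id' )";
-db_query( $query );
+( " . db_param(0) . ", " . db_param(1) . " )";
+db_query_bound( $query, Array( $c_field_id, $c_project_id ) );
 # db_query errors on failure so:
 return true;
@@ -549,9 +549,9 @@ function custom_field_unlink( $p_field_id, $p_project_id ) {
 $t_custom_field_project_table = db_get_table( 'mantis_custom_field_project_table' );
 $query = "DELETE FROM $t_custom_field_project_table
-WHERE field_id = '$c_field_id' AND
-project_id = '$c_project_id'";
-db_query( $query );
+WHERE field_id = " . db_param(0) . " AND
+project_id = " . db_param(1);
+db_query_bound( $query, Array( $c_field_id, $c_project_id ) );
 # db_query errors on failure so:
 return true;
@@ -567,20 +567,20 @@ function custom_field_destroy( $p_field_id ) {
 # delete all values
 $t_custom_field_string_table = db_get_table( 'mantis_custom_field_string_table' );
 $query = "DELETE FROM $t_custom_field_string_table
-WHERE field_id='$c_field_id'";
-db_query( $query );
+WHERE field_id=" . db_param(0);
+db_query_bound( $query, Array( $c_field_id ) );
 # delete all project associations
 $t_custom_field_project_table = db_get_table( 'mantis_custom_field_project_table' );
 $query = "DELETE FROM $t_custom_field_project_table
-WHERE field_id='$c_field_id'";
-db_query( $query );
+WHERE field_id=" . db_param(0);
+db_query_bound( $query, Array( $c_field_id ) );
 $t_custom_field_table = db_get_table( 'mantis_custom_field_table' );
 # delete the definition
 $query = "DELETE FROM $t_custom_field_table
-WHERE id='$c_field_id'";
-db_query( $query );
+WHERE id=";
+db_query_bound( $query, Array( $c_field_id ) );
 custom_field_clear_cache( $p_field_id );
@@ -599,8 +599,8 @@ function custom_field_unlink_all( $p_project_id ) {
 # delete all project associations
 $t_custom_field_project_table = db_get_table( 'mantis_custom_field_project_table' );
 $query = "DELETE FROM $t_custom_field_project_table
-WHERE project_id='$c_project_id'";
-db_query( $query );
+WHERE project_id=" . db_param(0);
+db_query_bound( $query, Array( $c_project_id ) );
 # db_query errors on failure so:
 return true;
@@ -747,7 +747,7 @@ function custom_field_get_ids( ) {
 $query = "SELECT id, name
 FROM $t_custom_field_table
 ORDER BY name ASC";
-$result = db_query( $query );
+$result = db_query_bound( $query );
 $t_row_count = db_num_rows( $result );
 $t_ids = array();
@@ -773,8 +773,8 @@ function custom_field_get_project_ids( $p_field_id ) {
 $t_custom_field_project_table = db_get_table( 'mantis_custom_field_project_table' );
 $query = "SELECT project_id
 FROM $t_custom_field_project_table
-WHERE field_id = '$c_field_id'";
-$result = db_query( $query );
+WHERE field_id = " . db_param(0);
+$result = db_query_bound( $query, Array( $c_field_id ) );
 $t_row_count = db_num_rows( $result );
 $t_ids = array();
@@ -825,8 +825,8 @@ function custom_field_get_value( $p_field_id, $p_bug_id ) {
 $t_custom_field_table = db_get_table( 'mantis_custom_field_table' );
 $query = "SELECT access_level_r, default_value, type
 FROM $t_custom_field_table
-WHERE id='$c_field_id'";
-$result = db_query( $query );
+WHERE id=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_field_id ) );
 $row = db_fetch_array( $result );
 $t_access_level_r = $row['access_level_r'];
@@ -839,9 +839,9 @@ function custom_field_get_value( $p_field_id, $p_bug_id ) {
 $t_custom_field_string_table = db_get_table( 'mantis_custom_field_string_table' );
 $query = "SELECT value
 FROM $t_custom_field_string_table
-WHERE bug_id='$c_bug_id' AND
-field_id='$c_field_id'";
-$result = db_query( $query );
+WHERE bug_id=" . db_param(0) ." AND
+field_id=" . db_param(1);
+$result = db_query_bound( $query, Array( $c_bug_id, $c_field_id ) );
 if( db_num_rows( $result ) > 0 ) {
 return custom_field_database_to_value( db_result( $result ) , $row['type'] );
@@ -932,9 +932,9 @@ function custom_field_get_sequence( $p_field_id, $p_project_id ) {
 $t_custom_field_project_table = db_get_table( 'mantis_custom_field_project_table' );
 $query = "SELECT sequence
 FROM $t_custom_field_project_table
-WHERE field_id='$c_field_id' AND
-project_id='$c_project_id'";
-$result = db_query( $query, 1 );
+WHERE field_id=" . db_param(0) . " AND
+project_id=" . db_param(1) ;
+$result = db_query_bound( $query, Array( $c_field_id, $c_project_id ), 1 );
 if ( 0 == db_num_rows( $result ) ) {
 return false;
@@ -958,8 +958,8 @@ function custom_field_validate( $p_field_id, $p_value ) {
 $query = "SELECT name, type, possible_values, valid_regexp,
 access_level_rw, length_min, length_max, default_value
 FROM $t_custom_field_table
-WHERE id='$c_field_id'";
-$result = db_query( $query );
+WHERE id=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_field_id ) );
 $row = db_fetch_array( $result );
 $t_name = $row['name'];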
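Review bot: The last DELETE in `custom_field_destroy` lost its placeholder — the new line reads `WHERE id=";` and then binds `$c_field_id` to nothing, so the statement is syntactically incomplete and the field definition row is never removed, after the value rows and project links in the same function have already been deleted. It should read `WHERE id=" . db_param(0);` exactly like the two deletes above it in the same hunk. `custom_field_destroy` starts and ends outside this hunk, and whether the failed statement aborts the request or is silently skipped depends on db_query_bound's error handling, which is not in this diff.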
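--- a/core/database_api.php
+++ b/core/database_api.php
@@ -68,11 +68,9 @@ function db_connect( $p_dsn, $p_hostname = null, $p_username = null, $p_password
 if ( $t_result ) {
 # For MySQL, the charset for the connection needs to be specified.
 if ( db_is_mysql() ) {
-$c_charset = db_prepare_string( lang_get( 'charset' ) );
-
 # @@@ Is there a way to translate any charset name to MySQL format? e.g. remote the dashes?
 # @@@ Is this needed for other databases?
-if ( strtolower( $c_charset ) === 'utf-8' ) {
+if ( strtolower( lang_get( 'charset' ) ) === 'utf-8' ) {
 db_query_bound( 'SET NAMES UTF8' );
 }
 } elseif ( db_is_db2() && $p_db_schema !== null && !is_blank( $p_db_schema ) ) {
@@ -653,7 +651,7 @@ function db_prepare_bool( $p_bool ) {
 function db_now() {
 global $g_db;
-return $g_db->DBTimeStamp(time());
+return $g_db->BindTimeStamp(time());
 }
 # --------------------
@@ -670,7 +668,7 @@ function db_timestamp( $p_date=null ) {
 } else {
 $p_timestamp = time();
 }
-return $g_db->DBTimeStamp($p_timestamp) ;
+return $g_db->BindTimeStamp($p_timestamp) ;
 }
 function db_unixtimestamp( $p_date=null ) {
@@ -710,7 +708,7 @@ function db_minutes_to_hhmm( $p_min = 0 ) {
 # $p_case_sensitive - true: case sensitive, false: case insensitive
 # returns (field LIKE 'value') OR (field ILIKE 'value')
 # The field name and value are assumed to be safe to insert in a query (i.e. already cleaned).
-function db_helper_like( $p_field_name, $p_value, $p_case_sensitive = false ) {
+function db_helper_like( $p_field_name, $p_param_id, $p_case_sensitive = false ) {
 $t_like_keyword = 'LIKE';
 if ( $p_case_sensitive === false ) {
@@ -719,16 +717,24 @@ function db_helper_like( $p_field_name, $p_value, $p_case_sensitive = false ) {
 }
 }
-return "($p_field_name $t_like_keyword '$p_value')";
+return "($p_field_name $t_like_keyword " . db_param( $p_param_id ) . ')';
 }
 # --------------------
 # helper function to compare two dates against a certain number of days
 # limitstring can be '> 1' '<= 2 ' etc
 # @@@ Check if there is a way to do that using ADODB rather than implementing it here.
-function db_helper_compare_days($p_date1, $p_date2, $p_limitstring) {
+function db_helper_compare_days($p_date1_id_or_column, $p_date2_id_or_column, $p_limitstring) {
 $t_db_type = config_get_global( 'db_type' );
+$p_date1 = $p_date1_id_or_column;
+$p_date2 = $p_date2_id_or_column;
+if( is_int( $p_date1_id_or_column ) ) {
+$p_date1 = db_param( $p_date1_id_or_column );
+}
+if( is_int( $p_date2_id_or_column ) ) {
+$p_date2 = db_param( $p_date2_id_or_column );
+}
 switch( $t_db_type ) {
 case 'mssql':
 case 'odbc_mssql':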
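Review bot: `db_helper_like` now calls `db_param( $p_param_id )` on its second argument, but the callers this same commit rewrites in filter_api (the custom-field LIKE clause and the text-search clauses) already pass the result of `db_param(...)`, so the placeholder is rendered twice; one side has to change, and since the parameter was renamed to an id the consistent fix is for callers to pass the bare integer, e.g. `db_helper_like( 'summary', $t_search_where_param_count++ )`. The header comment above the signature still says the value is "assumed to be safe to insert in a query", which no longer describes a parameter index — replace it with `# $p_param_id - zero-based index of the bound parameter; db_param() renders the placeholder`. Whether db_param tolerates a non-integer argument depends on its implementation, which is not in this diff. Separately, `db_now()` and `db_timestamp()` switch to `BindTimeStamp`, so any caller that still interpolates their result into SQL text instead of binding it will need the same treatment `email_queue_add` gets in this commit.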
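--- a/core/email_api.php
+++ b/core/email_api.php
@@ -237,8 +237,8 @@ function email_collect_recipients( $p_bug_id, $p_notify_type ) {
 if ( ON == email_notify_flag( $p_notify_type, 'monitor' ) ) {
 $query = "SELECT DISTINCT user_id
 FROM $t_bug_monitor_table
-WHERE bug_id=$c_bug_id";
-$result = db_query( $query );
+WHERE bug_id=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_bug_id ) );
 $count = db_num_rows( $result );
 for ( $i=0 ; $i < $count ; $i++ ) {
@@ -258,8 +258,8 @@ function email_collect_recipients( $p_bug_id, $p_notify_type ) {
 if ( ON == email_notify_flag( $p_notify_type, 'bugnotes' ) ) {
 $query = "SELECT DISTINCT reporter_id
 FROM $t_bugnote_table
-WHERE bug_id = $c_bug_id";
-$result = db_query( $query );
+WHERE bug_id = " . db_param(0);
+$result = db_query_bound( $query, Array( $c_bug_id ) );
 $count = db_num_rows( $result );
 for( $i=0 ; $i < $count ; $i++ ) {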
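--- a/core/email_queue_api.php
+++ b/core/email_queue_api.php
@@ -36,28 +36,9 @@ class EmailData {
 # --------------------
 # Return a copy of the bug structure with all the instvars prepared for db insertion
 function email_queue_prepare_db( $p_email_data ) {
-$t_email_data = new EmailData;
-
-$t_email_data->email_id = db_prepare_int( $p_email_data->email_id );
-$t_email_data->email = db_prepare_string( $p_email_data->email );
-$t_email_data->subject = db_prepare_string( $p_email_data->subject );
-$t_email_data->body = db_prepare_string( $p_email_data->body );
-
-$t_email_data->metadata = array();
-
-foreach( $p_email_data->metadata as $t_key => $t_value ) {
-if ( $t_key != 'headers' ) {
-$t_email_data->metadata[$t_key] = db_prepare_string( $t_value );
-}
-}
-
-foreach( $p_email_data->metadata['headers'] as $t_key => $t_value ) {
-$t_email_data->metadata['headers'][$t_key] = db_prepare_string( $t_value );
-}
+$p_email_data->email_id = db_prepare_int( $p_email_data->email_id );
-$t_email_data->submitted = db_prepare_string( $p_email_data->submitted );
-
-return $t_email_data;
+return $p_email_data;
 }
 # --------------------
@@ -96,13 +77,13 @@ function email_queue_add( $p_email_data ) {
 submitted,
 metadata)
 VALUES
-( '$c_email',
-'$c_subject',
-'$c_body',
-" . db_now() . ",
-'$c_metadata'
+( " . db_param(0) . ",
+" . db_param(1) . ",
+" . db_param(2) . ",
+" . db_param(3) . ",
+" . db_param(4) . "
 )";
-db_query( $query );
+db_query_bound( $query, Array( $c_email, $c_subject, $c_body, db_now(), $c_metadata ) );
 return db_insert_id( $t_email_table );
 }
@@ -142,8 +123,8 @@ function email_queue_get( $p_email_id ) {
 $query = "SELECT *
 FROM $t_email_table
-WHERE email_id='$c_email_id'";
-$result = db_query( $query );
+WHERE email_id=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_email_id ) );
 $t_row = db_fetch_array( $result );
@@ -156,8 +137,8 @@ function email_queue_delete( $p_email_id ) {
 $t_email_table = db_get_table( 'mantis_email_table' );
 $query = "DELETE FROM $t_email_table
-WHERE email_id='$c_email_id'";
-db_query( $query );
+WHERE email_id=" . db_param(0);
+db_query_bound( $query, Array( $c_email_id ) );
 }
 # --------------------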
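Review bot: The header comment on `email_queue_prepare_db` still says it returns a copy, but the new body writes `email_id` back into `$p_email_data` and returns that same object, so callers now get their own instance mutated. Either restore the copy with `$t_email_data = clone $p_email_data;` or change the comment to `# Prepare the email structure for db insertion: coerces email_id to int and returns the SAME object; string fields are left raw and must only be used with db_query_bound`. Dropping the db_prepare_string calls is right for `email_queue_add`, which now binds every value, but any other consumer of this function that still interpolates into SQL text is now unescaped, and the remaining callers are not visible in this diff. Passing `db_now()` as a bound value for `submitted` also relies on the BindTimeStamp change in database_api landing in the same commit.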
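--- a/core/file_api.php
+++ b/core/file_api.php
@@ -242,8 +242,8 @@ function swap_content( span ) {
 default:
 $query = "SELECT *
 FROM $t_bug_file_table
-WHERE id='$c_id'";
-$result = db_query( $query );
+WHERE id=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_id ) );
 $row = db_fetch_array( $result );
 $v_content=$row['content'];
 }
@@ -294,8 +294,8 @@ function file_delete_attachments( $p_bug_id ) {
 # Delete files from disk
 $query = "SELECT diskfile, filename
 FROM $t_bug_file_table
-WHERE bug_id='$c_bug_id'";
-$result = db_query( $query );
+WHERE bug_id=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_bug_id ) );
 $file_count = db_num_rows( $result );
 if ( 0 == $file_count ) {
@@ -369,8 +369,8 @@ function file_delete_project_files( $p_project_id ) {
 # Delete the corresponding db records
 $query = "DELETE FROM $t_project_file_table
-WHERE project_id=$p_project_id";
-$result = db_query($query);
+WHERE project_id=" . db_param(0);
+$result = db_query_bound($query, Array( $p_project_id ) );
 }
 # --------------------
 # Delete all cached files that are older than configured number of days.
@@ -462,8 +462,8 @@ function file_delete( $p_file_id, $p_table = 'bug' ) {
 $t_file_table = db_get_table( 'mantis_' . $p_table . '_file_table' );
 $query = "DELETE FROM $t_file_table
-WHERE id='$c_file_id'";
-db_query( $query );
+WHERE id=" . db_param(0);
+db_query_bound( $query, Array( $c_file_id ) );
 return true;
 }
 # --------------------
@@ -533,12 +533,12 @@ function file_generate_unique_name( $p_seed , $p_filepath ) {
 function diskfile_is_name_unique( $p_name , $p_filepath ) {
 $t_file_table = db_get_table( 'mantis_bug_file_table' );
-$c_name = db_prepare_string( $p_filepath . $p_name );
+$c_name = $p_filepath . $p_name;
 $query = "SELECT COUNT(*)
 FROM $t_file_table
-WHERE diskfile='$c_name'";
-$result = db_query( $query );
+WHERE diskfile=" . db_param(0);
+$result = db_query_bound( $query, Array( $c_name ) );
 $t_count = db_result( $result );
 if ( $t_count > 0 ) {
@@ -553,13 +553,10 @@ function diskfile_is_name_unique( $p_name , $p_filepath ) {
 function file_is_name_unique( $p_name, $p_bug_id ) {
 $t_file_table = db_get_table( 'mantis_bug_file_table' );
-$c_name = db_prepare_string( $p_name );
-$c_bug = db_prepare_string( $p_bug_id );
-
 $query = "SELECT COUNT(*)
 FROM $t_file_table
-WHERE filename='$c_name' and bug_id=$c_bug";
-$result = db_query( $query );
+WHERE filename=" . db_param(0) . " AND bug_id=" . db_param(1);
+$result = db_query_bound( $query, Array( $p_name, $p_bug_id ) );
 $t_count = db_result( $result );
 if ( $t_count > 0 ) {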
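Review bot: `file_delete_project_files` binds the raw `$p_project_id` while every other hunk in this file binds a `$c_` value that went through a db_prepare_* call; with a bound parameter this is no longer an injection path, but `$c_project_id = db_prepare_int( $p_project_id );` keeps the integer contract explicit and consistent with `file_delete_attachments` just above it. The same goes for `file_is_name_unique`, which dropped `db_prepare_string( $p_bug_id )` without substituting an int coercion for a column that is compared numerically. Parameter binding does not cover identifiers, so the table name `file_delete` builds from `$p_table` (`'mantis_' . $p_table . '_file_table'`) still relies on db_get_table rejecting unknown keys, which is not visible in this diff.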
324 core/filter_api.php
@@ -421,7 +421,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$t_limit_reporters = config_get( 'limit_reporters' );
$t_bug_relationship_table = db_get_table( 'mantis_bug_relationship_table' );
$t_report_bug_threshold = config_get( 'report_bug_threshold' );
-
+ $t_where_param_count = 0;
+
$t_current_user_id = auth_get_current_user_id();
if ( null === $p_user_id ) {
@@ -460,7 +461,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$t_view_type = $t_filter['_view_type'];
- $t_where_clauses = array( "$t_project_table.enabled = '1'", "$t_project_table.id = $t_bug_table.project_id" );
+ $t_where_clauses = array( "$t_project_table.enabled = " . db_param($t_where_param_count++), "$t_project_table.id = $t_bug_table.project_id" );
+ $t_where_params = array( 1 );
$t_select_clauses = array( "$t_bug_table.*" );
$t_join_clauses = array();
$t_from_clauses = array();
@@ -595,8 +597,9 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
# view state
$t_view_state = db_prepare_int( $t_filter['view_state'] );
if ( ( $t_filter['view_state'] !== META_FILTER_ANY ) && ( !is_blank( $t_filter['view_state'] ) ) ) {
- $t_view_state_query = "($t_bug_table.view_state='$t_view_state')";
+ $t_view_state_query = "($t_bug_table.view_state=" . db_param($t_where_param_count++) .")";
log_event( LOG_FILTERING, 'FILTERING: view_state query = ' . $t_view_state_query );
+ $t_where_params[] = $t_view_state;
array_push( $t_where_clauses, $t_view_state_query );
} else {
log_event( LOG_FILTERING, 'FILTERING: no view_state query' );
@@ -649,7 +652,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
#
if ( ( ON === $t_limit_reporters ) && ( ! access_has_project_level( REPORTER + 1, $t_project_id, $t_user_id ) ) ) {
$c_reporter_id = $c_user_id;
- array_push( $t_where_clauses, "($t_bug_table.reporter_id='$c_reporter_id')" );
+ $t_where_params = $c_reporter_id;
+ array_push( $t_where_clauses, "($t_bug_table.reporter_id=" . db_param($t_where_param_count++) . ")" );
}
# handler
@@ -699,15 +703,19 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
foreach( $t_filter['show_category'] as $t_filter_member ) {
if ( META_FILTER_NONE == $t_filter_member ) {
} else {
- $c_show_category = db_prepare_string( $t_filter_member );
- array_push( $t_clauses, "'$c_show_category'" );
+ array_push( $t_clauses, $t_filter_member );
}
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.category_id in ( SELECT id FROM $t_category_table WHERE name in (". implode( ', ', $t_clauses ) .") ) )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.category_id in ( SELECT id FROM $t_category_table WHERE name in (". implode( ', ', $t_where_tmp ) .") ) )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.category_id in ( SELECT id FROM $t_category_table WHERE name=$t_clauses[0] ) )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.category_id in ( SELECT id FROM $t_category_table WHERE name=" . db_param($t_where_param_count++). ") )" );
}
}
@@ -729,9 +737,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
array_push( $t_clauses, $c_show_severity );
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.severity in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.severity in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.severity=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.severity=" . db_param($t_where_param_count++). " )" );
}
}
@@ -786,10 +799,16 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
array_push( $t_clauses, $c_show_status );
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.status in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.status in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.status=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.status=" . db_param($t_where_param_count++). " )" );
}
+
}
# resolution
@@ -810,9 +829,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
array_push( $t_clauses, $c_show_resolution );
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.resolution in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.resolution in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.resolution=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.resolution=" . db_param($t_where_param_count++). " )" );
}
}
@@ -834,9 +858,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
array_push( $t_clauses, $c_show_priority );
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.priority in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.priority in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.priority=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.priority=" . db_param($t_where_param_count++). " )" );
}
}
@@ -863,9 +892,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.build in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.build in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.build=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.build=" . db_param($t_where_param_count++). " )" );
}
}
@@ -884,9 +918,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.version in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.version in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.version=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.version=" . db_param($t_where_param_count++). " )" );
}
}
@@ -904,9 +943,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.profile_id in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.profile_id in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.profile_id=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.profile_id=" . db_param($t_where_param_count++). " )" );
}
}
@@ -925,9 +969,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.platform in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.platform in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.platform = $t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.platform = " . db_param($t_where_param_count++). " )" );
}
}
@@ -946,9 +995,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.os in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.os in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.os = $t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.os = " . db_param($t_where_param_count++). " )" );
}
}
@@ -967,9 +1021,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.os_build in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.os_build in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.os_build = $t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.os_build = " . db_param($t_where_param_count++). " )" );
}
}
@@ -983,10 +1042,12 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
is_numeric( $t_filter['end_year'] )
) {
- $t_start_string = db_prepare_string( $t_filter['start_year'] . "-". $t_filter['start_month'] . "-" . $t_filter['start_day'] ." 00:00:00" );
- $t_end_string = db_prepare_string( $t_filter['end_year'] . "-". $t_filter['end_month'] . "-" . $t_filter['end_day'] ." 23:59:59" );
+ $t_start_string = $t_filter['start_year'] . "-". $t_filter['start_month'] . "-" . $t_filter['start_day'] ." 00:00:00";
+ $t_end_string = $t_filter['end_year'] . "-". $t_filter['end_month'] . "-" . $t_filter['end_day'] ." 23:59:59";
- array_push( $t_where_clauses, "($t_bug_table.date_submitted BETWEEN '$t_start_string' AND '$t_end_string' )" );
+ $t_where_params[] = $t_start_string;
+ $t_where_params[] = $t_end_string;
+ array_push( $t_where_clauses, "($t_bug_table.date_submitted BETWEEN " . db_param($t_where_param_count++). " AND " . db_param($t_where_param_count++). " )" );
}
# fixed in version
@@ -1003,9 +1064,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.fixed_in_version in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.fixed_in_version in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.fixed_in_version=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.fixed_in_version=" . db_param($t_where_param_count++). " )" );
}
}
@@ -1025,9 +1091,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
#echo var_dump( $t_clauses ); exit;
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_bug_table.target_version in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_bug_table.target_version in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_bug_table.target_version=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_bug_table.target_version=" . db_param($t_where_param_count++). " )" );
}
}
@@ -1056,9 +1127,14 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
}
if ( 1 < count( $t_clauses ) ) {
- array_push( $t_where_clauses, "( $t_table_name.user_id in (". implode( ', ', $t_clauses ) .") )" );
+ foreach( $t_clauses as $t_clause ) {
+ $t_where_tmp[] = db_param($t_where_param_count++);
+ $t_where_params[] = $t_clause;
+ }
+ array_push( $t_where_clauses, "( $t_table_name.user_id in (". implode( ', ', $t_where_tmp ) .") )" );
} else {
- array_push( $t_where_clauses, "( $t_table_name.user_id=$t_clauses[0] )" );
+ $t_where_params[] = $t_clauses[0];
+ array_push( $t_where_clauses, "( $t_table_name.user_id=" . db_param($t_where_param_count++). " )" );
}
}
# bug relationship
@@ -1077,8 +1153,12 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
array_push( $t_join_clauses, "LEFT JOIN $t_bug_relationship_table $t_table_name ON $t_table_name.destination_bug_id = $t_bug_table.id" );
array_push( $t_join_clauses, "LEFT JOIN $t_bug_relationship_table ${t_table_name}2 ON ${t_table_name}2.source_bug_id = $t_bug_table.id" );
// get reverse relationships
- array_push( $t_clauses, "($t_table_name.relationship_type='$t_comp_type' AND $t_table_name.source_bug_id='$c_rel_bug')" );
- array_push( $t_clauses, "($t_table_name"."2.relationship_type='$c_rel_type' AND $t_table_name"."2.destination_bug_id='$c_rel_bug')" );
+ $t_where_params[] = $t_comp_type;
+ $t_where_params[] = $c_rel_bug;
+ $t_where_params[] = $c_rel_type;
+ $t_where_params[] = $c_rel_bug;
+ array_push( $t_clauses, "($t_table_name.relationship_type=" . db_param($t_where_param_count++). " AND $t_table_name.source_bug_id=" . db_param($t_where_param_count++). ")" );
+ array_push( $t_clauses, "($t_table_name"."2.relationship_type=" . db_param($t_where_param_count++). " AND $t_table_name"."2.destination_bug_id=" . db_param($t_where_param_count++). ")" );
array_push( $t_where_clauses, '('. implode( ' OR ', $t_clauses ) .')' );
}
@@ -1207,7 +1287,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
switch( $t_def['type'] ) {
case CUSTOM_FIELD_TYPE_MULTILIST:
case CUSTOM_FIELD_TYPE_CHECKBOX:
- array_push( $t_filter_array , db_helper_like( "$t_table_name.value", '%|' . db_prepare_string( $t_filter_member ) . '|%' ) );
+ $t_where_params[] = '%|' . $t_filter_member . '|%';
+ array_push( $t_filter_array , db_helper_like( "$t_table_name.value", db_param($t_where_param_count++)) );
break;
default:
array_push( $t_filter_array, "$t_table_name.value = '" . db_prepare_string( $t_filter_member ) . "'" );
@@ -1226,21 +1307,6 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$t_textsearch_wherejoin_clause = '';
# Simple Text Search - Thanks to Alan Knowles
if ( !is_blank( $t_filter['search'] ) ) {
- $c_search = db_prepare_string( $t_filter['search'] );
- $c_search_int = db_prepare_int( $t_filter['search'] );
- $t_textsearch_where_clause = '(' . db_helper_like( 'summary', "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bug_text_table.description", "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bug_text_table.steps_to_reproduce", "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bug_text_table.additional_information", "%$c_search%" ) .
- " OR ( $t_bug_table.id = '$c_search_int' ) )";
-
- $t_textsearch_wherejoin_clause = '(' . db_helper_like( 'summary', "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bug_text_table.description", "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bug_text_table.steps_to_reproduce", "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bug_text_table.additional_information", "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bug_table.id", "%$c_search%" ) .
- ' OR ' . db_helper_like( "$t_bugnote_text_table.note", "%$c_search%" ) . ' )';
-
array_push( $t_where_clauses, "($t_bug_text_table.id = $t_bug_table.bug_text_id)" );
$t_from_clauses = array( $t_bug_text_table, $t_project_table, $t_bug_table );
@@ -1263,30 +1329,65 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$q1 = "";
$q2 = "";
$bug_count = 0;
+ $t_search_where_params = array();
+ $t_search_where_params2 = array();
for ( $i = 0; $i < 2; $i++ ) {
+ $t_search_where_param_count = $t_where_param_count;
$t_id_where = $t_where;
$t_id_join = $t_join;
if ( $i == 0 ) {
- if ( !is_blank( $t_id_where ) && !is_blank( $t_textsearch_where_clause ) ) {
+ if ( !is_blank( $t_id_where ) && !is_blank( $t_filter['search'] ) ) {
+ $c_search = '%' . $t_filter['search'] . '%';
+ $c_search_int = db_prepare_int( $t_filter['search'] );
+ $t_textsearch_where_clause = '(' . db_helper_like( 'summary', db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bug_text_table.description", db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bug_text_table.steps_to_reproduce", db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bug_text_table.additional_information", db_param($t_search_where_param_count++) ) .
+ " OR ( $t_bug_table.id = " . db_param($t_search_where_param_count++) . " ) )";
+ $t_search_where_params = array();
+ $t_search_where_params[] = $c_search;
+ $t_search_where_params[] = $c_search;
+ $t_search_where_params[] = $c_search;
+ $t_search_where_params[] = $c_search;
+ $t_search_where_params[] = $c_search_int;
$t_id_where = $t_id_where . ' AND ' . $t_textsearch_where_clause;
}
- } else if ( !is_blank( $t_textsearch_wherejoin_clause ) ) {
+ } else if ( !is_blank( $t_filter['search'] ) ) {
+ $c_search = '%' . $t_filter['search'] . '%';
+ $c_search_int = db_prepare_int( $t_filter['search'] );
+ $t_textsearch_wherejoin_clause = '(' . db_helper_like( 'summary', db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bug_text_table.description", db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bug_text_table.steps_to_reproduce", db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bug_text_table.additional_information", db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bug_table.id", db_param($t_search_where_param_count++) ) .
+ ' OR ' . db_helper_like( "$t_bugnote_text_table.note", db_param($t_search_where_param_count++) ) . ' )';
+ $t_search_where_params2 = array();
+ $t_search_where_params2[] = $c_search;
+ $t_search_where_params2[] = $c_search;
+ $t_search_where_params2[] = $c_search;
+ $t_search_where_params2[] = $c_search;
+ $t_search_where_params2[] = $c_search;
+ $t_search_where_params2[] = $c_search;
$t_id_where = $t_id_where . ' AND ' . $t_textsearch_wherejoin_clause;
$t_id_join = $t_id_join . " INNER JOIN $t_bugnote_table ON $t_bugnote_table.bug_id = $t_bug_table.id";
$t_id_join = $t_id_join . " INNER JOIN $t_bugnote_text_table ON $t_bugnote_text_table.id = $t_bugnote_table.bugnote_text_id";
+
}
$query = " $t_from
$t_id_join
$t_id_where";
+ $t_query_params = array();
- if ( ( $i == 0 ) || ( !is_blank( $t_textsearch_wherejoin_clause ) ) ) {
+ if ( ( $i == 0 ) || ( !is_blank( $t_filter['search'] ) ) ) {
if( $i == 0) {
$q1 = "SELECT DISTINCT $t_bug_table.id AS id" . $query;
+ $t_query_params = array_merge($t_where_params, $t_search_where_params);
} else {
$q2 = "SELECT DISTINCT $t_bug_table.id AS id" . $query;
+ $t_query_params = array_merge($t_where_params, $t_search_where_params2);
}
-
- $result = db_query( "SELECT Count(DISTINCT $t_bug_table.id) as idcnt" . $query );
+
+ $result = db_query_bound( "SELECT Count(DISTINCT $t_bug_table.id) as idcnt" . $query, $t_query_params );
$row = db_fetch_array( $result );
$bug_count += $row['idcnt'];
}
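Review bot: The two search-clause builders in the `$i == 0` and `else if` branches are near-duplicates, and each is followed by a run of identical `$t_search_where_params[] = $c_search;` pushes whose count must stay in sync by hand with the number of `db_param(...)` calls above it. The pushes can be replaced with `$t_search_where_params = array_fill( 0, 4, $c_search );` then `$t_search_where_params[] = $c_search_int;` in the first branch and `$t_search_where_params2 = array_fill( 0, 6, $c_search );` in the second, which makes the param count visible in one place next to the placeholder count. Going further, a small private helper that takes the column list and the starting parameter index and returns both the clause and its parameter array would remove the duplication entirely and keep the placeholder numbering and value order from drifting apart. As in the old code, the `'%' . $t_filter['search'] . '%'` pattern passes user-supplied `%`/`_` through as LIKE wildcards; worth a comment if that is deliberate. The enclosing `filter_get_bug_rows` starts and ends outside this hunk.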
@@ -1296,16 +1397,20 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$rows = array();
$t_where = '';
+ $t_where_params2 = array();
if ( $bug_count > 0 ) {
$t_where .= "WHERE $t_bug_table.id in ( ";
if ( !is_blank($q1) ) {
$t_where .= "$q1";
+ $t_where_params2 = array_merge($t_where_params, $t_search_where_params);
if ( !is_blank($q2) ) {
- $t_where .= " OR $q2";
+ $t_where .= ") OR $t_bug_table.id in ( $q2";
+ $t_where_params2 = array_merge($t_where_params2, $t_where_params, $t_search_where_params2);
}
$t_where .= ")";
} else {
- $t_where .= " $q2)";
+ $t_where .= " $q2)";
+ $t_where_params2 = array_merge($t_where_params, $t_search_where_params2);
}
} else {
return $rows;
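Review bot: The merge `$t_where_params2 = array_merge($t_where_params2, $t_where_params, $t_search_where_params2);` concatenates the parameter lists of `$q1` and `$q2` into one WHERE clause, but each subquery had its placeholders numbered independently from `$t_where_param_count` in the previous hunk, so the combined SQL contains the same placeholder indices twice. If `db_param()` emits positional `?` markers this lines up with the merged array; if it emits numbered or named placeholders on some back ends, the duplicate indices would bind the same values to both subqueries and the merged array would supply more values than distinct placeholders. Please either document the assumption at this line, e.g. `# relies on db_param() producing positional placeholders: $q1 and $q2 reuse the same indices`, or renumber `$q2`'s placeholders to continue after `$q1`'s before concatenating. The query that consumes `$t_where` and `$t_where_params2` is executed outside this hunk.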
@@ -1422,10 +1527,12 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$t_offset = ( ( $c_page_number - 1 ) * $c_per_page );
# perform query
- $result2 = db_query( $query2, $c_per_page, $t_offset );
+ $result2 = db_query_bound(