reindentation; attempting to refactor slightly (replace sql injection…

… prone db calls with db_query*(..); try and reduce nesting by exiting early if possible; these changes need testing and have not been yet (I will try and check them asap once they are commmitted so i can sync them to my other server) git-svn-id: https://xerteonlinetoolkits.googlecode.com/svn/trunk@124 912cdd6b-5c7d-d5a7-a2ba-d0f0cdb91641
thexerteproject · Oct 5, 2011 · 282a91c · 282a91c
1 parent 00fd048
commit 282a91c
Show file tree

Hide file tree

Showing 6 changed files with 600 additions and 667 deletions.
diff --git a/data.php b/data.php
@@ -9,125 +9,108 @@
  * @package
  */
 
-require("config.php");
+require_once("config.php");
 
 require $xerte_toolkits_site->php_library_path  . "database_library.php";
 require $xerte_toolkits_site->php_library_path  . "template_status.php";
 require $xerte_toolkits_site->php_library_path  . "display_library.php";
 
 /**
- *  connect to the database
+ *  Check the template ID is a number
  */
 
-$mysql_id=database_connect("data database connect successful","data database connect failed");
+if(!isset($_GET['template_id']) || !is_numeric($_GET['template_id'])) {
+    dont_show_template();
+    exit(0);
+}
+
 
 /**
- *  Check the template ID is a number
- */
+ *  Run the standard query from config.php, excessive in this case, but suitable
+ */ 
 
-if(is_numeric(mysql_real_escape_string($_GET['template_id']))){
+$query_to_check_data = "select * from {$xerte_toolkits_site->database_table_prefix}additional_sharing where sharing_type=? AND template_id = ?";
 
-    /**
-     *  Run the standard query from config.php, excessive in this case, but suitable
-     */ 
+$query_for_data_response = db_query_one($query_to_check_data, array('xml', $_GET['template_id']));
 
-    $query_to_check_data = "select * from " . $xerte_toolkits_site->database_table_prefix . "additional_sharing where sharing_type=\"xml\" and template_id=\"" . mysql_real_escape_string($_GET['template_id']) . "\"";
+/**
+ *  Check to see if for this ID a data value is set in additional sharing.
+ */
 
-    $query_for_data_response = mysql_query($query_to_check_data);
+if(!empty($query_for_data_response)) {
+
+    $row_data = $query_for_data_response;
 
     /**
-     *  Check to see if for this ID a data value is set in additional sharing.
+     *  The extra value in this case is the hostname we have limited XML consumption too, and as such see it exists
      */
 
-    if(mysql_num_rows($query_for_data_response)!=0){
-
-        $row_data = mysql_fetch_array($query_for_data_response);
+    if($row_data['extra']!=""){
 
         /**
-         *  The extra value in this case is the hostname we have limited XML consumption too, and as such see it exists
+         *  Compare to the host variables
          */
 
-        if($row_data['extra']!=""){
+        if(($row_data['extra']==$_SERVER['HTTP_REFERER'])||($row_data['extra']==$_SERVER['REMOTE_ADDR'])){
 
             /**
-             *  Compare to the host variables
+             *  Fetch and return the XML
              */
 
-            if(($row_data['extra']==$_SERVER['HTTP_REFERER'])||($row_data['extra']==$_SERVER['REMOTE_ADDR'])){
+            $query_for_preview_content = $xerte_toolkits_site->play_edit_preview_query;
 
-                /**
-                 *  Fetch and return the XML
-                 */
+            $query_for_preview_content_response = mysql_query($query_for_preview_content);
 
-                $query_for_preview_content = $xerte_toolkits_site->play_edit_preview_query;
+            $row = mysql_fetch_array($query_for_preview_content_response);
 
-                $query_for_preview_content_response = mysql_query($query_for_preview_content);
-
-                $row = mysql_fetch_array($query_for_preview_content_response);
-
-                $query_for_username = "select username from " . $xerte_toolkits_site->database_table_prefix . "logindetails where login_id=\"" . $row['user_id'] . "\"";
-
-                $query_for_username_response = mysql_query($query_for_username);
-
-                $row_username = mysql_fetch_array($query_for_username_response);
+            $query_for_username = "select username from {$xerte_toolkits_site->database_table_prefix}logindetails where login_id=?";
+            $row_username = db_query_one($query_for_username, array($row['user_id']));
 
+            if(empty($row_username)) {
+                _debug("User deleted, but template remains?");
+            }
+            else {
                 $path = $xerte_toolkits_site->users_file_area_short . $row['template_id'] . "-" . $row_username['username'] . "-" . $row['template_name'] . "/";
-
                 echo str_replace("FileLocation + '", $xerte_toolkits_site->site_url . $path, file_get_contents($path . "data.xml"));	
-
-            }else{
-
-                dont_show_template();
-
             }
-
-
         }else{
+            dont_show_template();
+        }
 
-            /**
-             *  Fetch and return the XML
-             */
-
-            $query_for_play_content_strip = str_replace("\" . \$xerte_toolkits_site->database_table_prefix . \"", $xerte_toolkits_site->database_table_prefix, $xerte_toolkits_site->play_edit_preview_query);
-
-            $query_for_play_content = str_replace("TEMPLATE_ID_TO_REPLACE", mysql_real_escape_string($_GET['template_id']), $query_for_play_content_strip);
-
-            $query_for_play_content_response = mysql_query($query_for_play_content);
-
-            $row = mysql_fetch_array($query_for_play_content_response);
-
-            $query_for_username = "select username from " . $xerte_toolkits_site->database_table_prefix . "logindetails where login_id=\"" . $row['user_id'] . "\"";
-
-            $query_for_username_response = mysql_query($query_for_username);
+    }else{
 
-            $row_username = mysql_fetch_array($query_for_username_response);
+        /**
+         *  Fetch and return the XML
+         */
 
-            $path = $xerte_toolkits_site->users_file_area_short . $row['template_id'] . "-" . $row_username['username'] . "-" . $row['template_name'] . "/";
+        $query_for_play_content_strip = str_replace("\" . \$xerte_toolkits_site->database_table_prefix . \"", $xerte_toolkits_site->database_table_prefix, $xerte_toolkits_site->play_edit_preview_query);
 
-            echo str_replace("FileLocation + '", $xerte_toolkits_site->site_url . $path, file_get_contents($path . "data.xml"));	
+        $query_for_play_content = str_replace("TEMPLATE_ID_TO_REPLACE", mysql_real_escape_string($_GET['template_id']), $query_for_play_content_strip);
 
+        $row = db_query_one($query_for_play_content);
 
-        }
+        $query_for_username = "select username from {$xerte_toolkits_site->database_table_prefix}logindetails where login_id=?";
 
+        $row_username = db_query_one($query_for_username, array($row['user_id']));
 
-    }else{
 
-            /***  
-                Display nothing
-             */
+        $path = $xerte_toolkits_site->users_file_area_short . $row['template_id'] . "-" . $row_username['username'] . "-" . $row['template_name'] . "/";
 
-        echo "XML Sharing not set up";
+        echo str_replace("FileLocation + '", $xerte_toolkits_site->site_url . $path, file_get_contents($path . "data.xml"));	
 
-        dont_show_template();
 
     }
 
+
 }else{
 
-    /**
-     *  Display nothing
+    /***  
+      Display nothing
      */
 
+    echo "XML Sharing not set up";
+
     dont_show_template();
 
 }
+