From cc7a82756b4f4d7ab18e928527c37489adbaf564 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Tue, 07 Apr 2015 14:10:50 -0400
Subject: [PATCH] - rewrite of sql queries to new form
---
interface/lib/classes/remoting_lib.inc.php | 49 ++++++++++++++++++++++---------------------------
1 files changed, 22 insertions(+), 27 deletions(-)
diff --git a/interface/lib/classes/remoting_lib.inc.php b/interface/lib/classes/remoting_lib.inc.php
index 0d89c1f..af0143f 100644
--- a/interface/lib/classes/remoting_lib.inc.php
+++ b/interface/lib/classes/remoting_lib.inc.php
@@ -110,7 +110,7 @@
if(isset($_SESSION['client_login']) && isset($_SESSION['client_sys_userid']) && $_SESSION['client_login'] == 1) {
$client_sys_userid = $app->functions->intval($_SESSION['client_sys_userid']);
- $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_user, client WHERE sys_user.client_id = client.client_id and sys_user.userid = " . $client_sys_userid);
+ $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_user, client WHERE sys_user.client_id = client.client_id and sys_user.userid = ?", $client_sys_userid);
$this->client_id = $client['client_id'];
$client_login = true;
@@ -125,23 +125,11 @@
$this->sys_groups = 1;
$_SESSION["s"]["user"]["typ"] = 'admin';
} else {
- //* load system user - try with sysuser and before with userid (workarrond)
- /*
- $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE sysuser_id = $client_id");
- if(empty($user["userid"])) {
- $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = $client_id");
- if(empty($user["userid"])) {
- $this->errorMessage .= "No sysuser with the ID $client_id found.";
- return false;
- }
- }*/
-
- $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = $this->client_id");
+ $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ?", $this->client_id);
$this->sys_username = $user['username'];
$this->sys_userid = $user['userid'];
$this->sys_default_group = $user['default_group'];
$this->sys_groups = $user['groups'];
- // $_SESSION["s"]["user"]["typ"] = $user['typ'];
// we have to force admin priveliges for the remoting API as some function calls might fail otherwise.
if($client_login == false) $_SESSION["s"]["user"]["typ"] = 'admin';
}
@@ -239,8 +227,8 @@
return parent::getDataRecord($primary_id);
} elseif($primary_id == -1) {
// Return a array with all records
- $sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape;
- return $app->db->queryAllRecords($sql);
+ $sql = "SELECT * FROM ??";
+ return $app->db->queryAllRecords($sql, $this->formDef['db_table']);
} else {
throw new SoapFault('invalid_id', 'The ID has to be > 0 or -1.');
return array();
@@ -263,9 +251,9 @@
}
$sql_where = substr($sql_where, 0, -5);
if($sql_where == '') $sql_where = '1';
- $sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$sql_where. " AND " . $this->getAuthSQL('r', $this->formDef['db_table']);
+ $sql = "SELECT * FROM ?? WHERE ".$sql_where. " AND " . $this->getAuthSQL('r', $this->formDef['db_table']);
if($sql_offset >= 0 && $sql_limit > 0) $sql .= ' LIMIT ' . $sql_offset . ',' . $sql_limit;
- return $app->db->queryAllRecords($sql);
+ return $app->db->queryAllRecords($sql, $this->formDef['db_table']);
} else {
$this->errorMessage = 'The ID must be either an integer or an array.';
return array();
@@ -303,8 +291,8 @@
$groups = $groupid;
if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($password));
$sql1 = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id)
- VALUES ('$username','$password','$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,$insert_id)";
- $app->db->query($sql1);
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
+ $app->db->query($sql1, $username,$password,$modules,$startmodule,$usertheme,$type,$active,$language,$groups,$groupid,$insert_id);
}
function ispconfig_sysuser_update($params, $client_id){
@@ -314,18 +302,25 @@
$client_id = $app->functions->intval($client_id);
if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($clear_password));
else $password = $clear_password;
- if ($clear_password) $pwstring = ", passwort = '$password'"; else $pwstring ="" ;
- $sql = "UPDATE sys_user set username = '$username' $pwstring WHERE client_id = $client_id";
- $app->db->query($sql);
+ $params = array($username);
+ if ($clear_password) {
+ $pwstring = ", passwort = ?";
+ $params[] = $password;
+ } else {
+ $pwstring ="" ;
+ }
+ $params[] = $client_id;
+ $sql = "UPDATE sys_user set username = ? $pwstring WHERE client_id = ?";
+ $app->db->query($sql, true, $params);
}
function ispconfig_sysuser_delete($client_id){
global $app;
$client_id = $app->functions->intval($client_id);
- $sql = "DELETE FROM sys_user WHERE client_id = $client_id";
- $app->db->query($sql);
- $sql = "DELETE FROM sys_group WHERE client_id = $client_id";
- $app->db->query($sql);
+ $sql = "DELETE FROM sys_user WHERE client_id = ?";
+ $app->db->query($sql, $client_id);
+ $sql = "DELETE FROM sys_group WHERE client_id = ?";
+ $app->db->query($sql, $client_id);
}
}
--
Gitblit v1.9.1