February 2017 - Aur-dev - lists.archlinux.org

[aur-dev] [PATCH] pkgbase.php: Fix PHP notice
by Lukas Fleischer 28 Feb '17

28 Feb '17

Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/html/pkgbase.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php index ab40984..a593af1 100644 --- a/web/html/pkgbase.php +++ b/web/html/pkgbase.php @@ -44,6 +44,7 @@ if (isset($_POST['IDs'])) { } /* Perform package base actions. */ +$via = isset($_POST['via']) ? $_POST['via'] : NULL; $ret = false; $output = ""; $fragment = ""; @@ -56,7 +57,6 @@ if (check_token()) { list($ret, $output) = pkgbase_adopt($ids, true, NULL); } elseif (current_action("do_Disown")) { if (isset($_POST['confirm'])) { - $via = isset($_POST['via']) ? $_POST['via'] : NULL; list($ret, $output) = pkgbase_adopt($ids, false, $via); } else { $output = __("The selected packages have not been disowned, check the confirmation checkbox."); @@ -68,7 +68,6 @@ if (check_token()) { list($ret, $output) = pkgbase_vote($ids, false); } elseif (current_action("do_Delete")) { if (isset($_POST['confirm'])) { - $via = isset($_POST['via']) ? $_POST['via'] : NULL; if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) { list($ret, $output) = pkgbase_delete($ids, NULL, $via); unset($_GET['ID']); @@ -129,7 +128,7 @@ if (check_token()) { if ($ret) { if (current_action("do_CloseRequest") || - (current_action("do_Delete") && $_POST['via'])) { + (current_action("do_Delete") && $via)) { /* Redirect back to package request page on success. */ header('Location: ' . get_pkgreq_route()); exit(); -- 2.12.0

1 0

[aur-dev] [PATCH] pkgbase.php: Squelch PHP warning
by Lukas Fleischer 28 Feb '17

28 Feb '17

Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/html/pkgbase.php | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php index 23aa6c8..ab40984 100644 --- a/web/html/pkgbase.php +++ b/web/html/pkgbase.php @@ -145,17 +145,21 @@ if (check_token()) { } } -$pkgs = pkgbase_get_pkgnames($base_id); -if (!$output && count($pkgs) == 1) { - /* Not a split package. Redirect to the package page. */ - if (empty($_SERVER['QUERY_STRING'])) { - header('Location: ' . get_pkg_uri($pkgs[0]) . $fragment); - } else { - header('Location: ' . get_pkg_uri($pkgs[0]) . '?' . $_SERVER['QUERY_STRING'] . $fragment); +if (isset($base_id)) { + $pkgs = pkgbase_get_pkgnames($base_id); + if (!$output && count($pkgs) == 1) { + /* Not a split package. Redirect to the package page. */ + if (empty($_SERVER['QUERY_STRING'])) { + header('Location: ' . get_pkg_uri($pkgs[0]) . $fragment); + } else { + header('Location: ' . get_pkg_uri($pkgs[0]) . '?' . $_SERVER['QUERY_STRING'] . $fragment); + } } -} -$details = pkgbase_get_details($base_id); + $details = pkgbase_get_details($base_id); +} else { + $details = array(); +} html_header($title, $details); ?> @@ -169,10 +173,12 @@ html_header($title, $details); <?php include('pkg_search_form.php'); -if (isset($_COOKIE["AURSID"])) { - pkgbase_display_details($base_id, $details, $_COOKIE["AURSID"]); -} else { - pkgbase_display_details($base_id, $details, null); +if (isset($base_id)) { + if (isset($_COOKIE["AURSID"])) { + pkgbase_display_details($base_id, $details, $_COOKIE["AURSID"]); + } else { + pkgbase_display_details($base_id, $details, null); + } } html_footer(AURWEB_VERSION); -- 2.12.0

1 0

[aur-dev] [PATCH] account.php: Always initialize $success
by Lukas Fleischer 28 Feb '17

28 Feb '17

Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/html/account.php | 1 + 1 file changed, 1 insertion(+) diff --git a/web/html/account.php b/web/html/account.php index 0b75761..549f852 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -24,6 +24,7 @@ if (in_array($action, $need_userinfo)) { * which could be changed by process_account_form() */ if ($action == "UpdateAccount") { + $success = false; $update_account_message = ''; /* Details for account being updated */ /* Verify user permissions and that the request is a valid POST */ -- 2.12.0

1 0

[aur-dev] [PATCH 1/3] Remove bogus if-statement from pkgbase_delete()
by Lukas Fleischer 27 Feb '17

27 Feb '17

The variable $action is always undefined in pkgbase_delete() which makes the if-statement always true and triggers a warning whenever a package base is removed. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/lib/pkgbasefuncs.inc.php | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php index 57b307d..b20c2ff 100644 --- a/web/lib/pkgbasefuncs.inc.php +++ b/web/lib/pkgbasefuncs.inc.php @@ -522,15 +522,13 @@ function pkgbase_delete ($base_ids, $merge_base_id, $via, $grant=false) { } /* Scan through pending deletion requests and close them. */ - if (!$action) { - $username = username_from_sid($_COOKIE['AURSID']); - foreach ($base_ids as $base_id) { - $pkgreq_ids = array_merge(pkgreq_by_pkgbase($base_id)); - foreach ($pkgreq_ids as $pkgreq_id) { - pkgreq_close(intval($pkgreq_id), 'accepted', - 'The user ' . $username . - ' deleted the package.', true); - } + $username = username_from_sid($_COOKIE['AURSID']); + foreach ($base_ids as $base_id) { + $pkgreq_ids = array_merge(pkgreq_by_pkgbase($base_id)); + foreach ($pkgreq_ids as $pkgreq_id) { + pkgreq_close(intval($pkgreq_id), 'accepted', + 'The user ' . $username . + ' deleted the package.', true); } } -- 2.12.0

1 2

[aur-dev] [PATCH 1/5] 404.php: Squelch warning on empty PATH_INFO
by Lukas Fleischer 27 Feb '17

27 Feb '17

Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/html/404.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/html/404.php b/web/html/404.php index 757c485..9f81d11 100644 --- a/web/html/404.php +++ b/web/html/404.php @@ -5,7 +5,7 @@ set_include_path(get_include_path() . PATH_SEPARATOR . '../lib'); $path = $_SERVER['PATH_INFO']; $tokens = explode('/', $path); -if (preg_match('/^([a-z0-9][a-z0-9.+_-]*?)(\.git)?$/', $tokens[1], $matches)) { +if (isset($tokens[1]) && preg_match('/^([a-z0-9][a-z0-9.+_-]*?)(\.git)?$/', $tokens[1], $matches)) { $gitpkg = $matches[1]; if (pkg_from_name($gitpkg)) { $gitcmd = 'git clone ' . sprintf(config_get('options', 'git_clone_uri_anon'), htmlspecialchars($gitpkg)); -- 2.12.0

1 4

[aur-dev] [PATCH 1/4] Fix SQL query used for creating new accounts
by Lukas Fleischer 26 Feb '17

26 Feb '17

Fixes a regression introduced in 608c483 (Add user set timezones, 2017-01-20). Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/lib/acctfuncs.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index d0a7ff9..5f7f1f4 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -292,7 +292,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" $q = "INSERT INTO Users (AccountTypeID, Suspended, "; $q.= "InactivityTS, Username, Email, Passwd , "; $q.= "RealName, LangPreference, Timezone, Homepage, IRCNick, PGPKey) "; - $q.= "VALUES (1, 0, 0, $U, $E, $P, $R, $L, $TZ "; + $q.= "VALUES (1, 0, 0, $U, $E, $P, $R, $L, $TZ, "; $q.= "$HP, $I, $K)"; $result = $dbh->exec($q); if (!$result) { -- 2.12.0

1 3

[aur-dev] aurweb 4.5.0 released
by Lukas Fleischer 26 Feb '17

26 Feb '17

Dear aurweb contributors and users, aurweb 4.5.0 has just been released. You will notice that after logging in, the home page is now replaced by a dashboard which shows your flagged packages and your recent package requests, followed by a list of your packages. There also is a list of packages you co-maintain which hopefully makes co-maintainers' lives easier. Moreover, co-maintainers of packages now receive out-of-date notifications. In your account settings, you can now specify a timezone which will be used to format dates and times throughout the whole aurweb interface. The most notable internal improvements were made in password security. The minimum password length was bumped to 8 characters. Passwords are now hashed using bcrypt instead of MD5. The conversion from MD5 to bcrypt is done automatically when logging in. We thus recommend to log out of the aurweb interface and log in again. There were also improvements to the SSH interface, including new commands to vote for packages and flag packages out-of-date. For a comprehensive list of changes, please consult the Git log [2]. As usual, bugs should be reported to the aurweb bug tracker [3]. [1] https://aur.archlinux.org/ [2] https://projects.archlinux.org/aurweb.git/log/?id=v4.5.0 [3] https://bugs.archlinux.org/index.php?project=2

1 0

[aur-dev] [PATCH] pkgreq_results.php: Hide empty table
by Lukas Fleischer 25 Feb '17

25 Feb '17

Display a message that no requests matched the filter criteria instead of showing an empty package requests table. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/template/pkgreq_results.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/web/template/pkgreq_results.php b/web/template/pkgreq_results.php index 74fcb10..fb49dfa 100644 --- a/web/template/pkgreq_results.php +++ b/web/template/pkgreq_results.php @@ -1,3 +1,6 @@ +<?php if (count($results) == 0): ?> +<p><?= __("No requests matched your search criteria.") ?></p> +<?php else: ?> <?php if ($show_headers): ?> <div class="pkglist-stats"> <p> @@ -129,3 +132,4 @@ <?php endif; ?> </div> <?php endif; ?> +<?php endif; ?> -- 2.12.0

1 0

[aur-dev] [PATCH] Use bcrypt to hash passwords
by Lukas Fleischer 24 Feb '17

24 Feb '17

Replace the default hash function used for storing passwords by password_hash() which internally uses bcrypt. Legacy MD5 hashes are still supported and are immediately converted to the new format when a user logs in. Since big parts of the authentication system needed to be rewritten in this context, this patch also includes some simplification and refactoring of all code related to password checking and resetting. Fixes FS#52297. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- This replaces the SHA-512 patch sent earlier. Thanks to Johannes for suggesting to use bcrypt instead! Again, it would be great if somebody could review the new patch! schema/aur-schema.sql | 2 +- upgrading/4.5.0.txt | 6 ++ web/html/passreset.php | 5 +- web/lib/acctfuncs.inc.php | 144 +++++++++++++++++++--------------------------- web/lib/aur.inc.php | 57 ------------------ 5 files changed, 67 insertions(+), 147 deletions(-) diff --git a/schema/aur-schema.sql b/schema/aur-schema.sql index 99f9083..b75a257 100644 --- a/schema/aur-schema.sql +++ b/schema/aur-schema.sql @@ -27,7 +27,7 @@ CREATE TABLE Users ( Username VARCHAR(32) NOT NULL, Email VARCHAR(254) NOT NULL, HideEmail TINYINT UNSIGNED NOT NULL DEFAULT 0, - Passwd CHAR(32) NOT NULL, + Passwd VARCHAR(255) NOT NULL, Salt CHAR(32) NOT NULL DEFAULT '', ResetKey CHAR(32) NOT NULL DEFAULT '', RealName VARCHAR(64) NOT NULL DEFAULT '', diff --git a/upgrading/4.5.0.txt b/upgrading/4.5.0.txt index fb0a299..37b2b81 100644 --- a/upgrading/4.5.0.txt +++ b/upgrading/4.5.0.txt @@ -18,3 +18,9 @@ ALTER TABLE Users ---- ALTER TABLE Bans MODIFY IPAddress VARCHAR(45) NULL DEFAULT NULL; ---- + +4. Resize the Passwd column of the Users table: + +--- +ALTER TABLE Users MODIFY Passwd VARCHAR(255) NOT NULL; +--- diff --git a/web/html/passreset.php b/web/html/passreset.php index cb2f6bc..e89967d 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -34,10 +34,7 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir } if (empty($error)) { - $salt = generate_salt(); - $hash = salted_hash($password, $salt); - - $error = password_reset($hash, $salt, $resetkey, $email); + $error = password_reset($password, $resetkey, $email); } } elseif (isset($_POST['email'])) { $email = $_POST['email']; diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index b3cf612..fe61f50 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -272,13 +272,12 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" if ($TYPE == "new") { /* Create an unprivileged user. */ - $salt = generate_salt(); if (empty($P)) { $send_resetkey = true; $email = $E; } else { $send_resetkey = false; - $P = salted_hash($P, $salt); + $P = password_hash($P, PASSWORD_DEFAULT); } $U = $dbh->quote($U); $E = $dbh->quote($E); @@ -291,9 +290,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" $I = $dbh->quote($I); $K = $dbh->quote(str_replace(" ", "", $K)); $q = "INSERT INTO Users (AccountTypeID, Suspended, "; - $q.= "InactivityTS, Username, Email, Passwd, Salt, "; + $q.= "InactivityTS, Username, Email, Passwd , "; $q.= "RealName, LangPreference, Timezone, Homepage, IRCNick, PGPKey) "; - $q.= "VALUES (1, 0, 0, $U, $E, $P, $salt, $R, $L, $TZ "; + $q.= "VALUES (1, 0, 0, $U, $E, $P, $R, $L, $TZ "; $q.= "$HP, $I, $K)"; $result = $dbh->exec($q); if (!$result) { @@ -350,9 +349,8 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" $q.= ", HideEmail = 0"; } if ($P) { - $salt = generate_salt(); - $hash = salted_hash($P, $salt); - $q .= ", Passwd = '$hash', Salt = '$salt'"; + $hash = password_hash($P, PASSWORD_DEFAULT); + $q .= ", Passwd = " . $dbh->quote($hash); } $q.= ", RealName = " . $dbh->quote($R); $q.= ", LangPreference = " . $dbh->quote($L); @@ -528,19 +526,24 @@ function try_login() { if (user_suspended($userID)) { $login_error = __('Account suspended'); return array('SID' => '', 'error' => $login_error); - } elseif (passwd_is_empty($userID)) { - $login_error = __('Your password has been reset. ' . - 'If you just created a new account, please ' . - 'use the link from the confirmation email ' . - 'to set an initial password. Otherwise, ' . - 'please request a reset key on the %s' . - 'Password Reset%s page.', '<a href="' . - htmlspecialchars(get_uri('/passreset')) . '">', - '</a>'); - return array('SID' => '', 'error' => $login_error); - } elseif (!valid_passwd($userID, $_REQUEST['passwd'])) { - $login_error = __("Bad username or password."); - return array('SID' => '', 'error' => $login_error); + } + + switch (check_passwd($userID, $_REQUEST['passwd'])) { + case -1: + $login_error = __('Your password has been reset. ' . + 'If you just created a new account, please ' . + 'use the link from the confirmation email ' . + 'to set an initial password. Otherwise, ' . + 'please request a reset key on the %s' . + 'Password Reset%s page.', '<a href="' . + htmlspecialchars(get_uri('/passreset')) . '">', + '</a>'); + return array('SID' => '', 'error' => $login_error); + case 0: + $login_error = __("Bad username or password."); + return array('SID' => '', 'error' => $login_error); + case 1: + break; } $logged_in = 0; @@ -736,18 +739,18 @@ function send_resetkey($email, $welcome=false) { /** * Change a user's password in the database if reset key and e-mail are correct * - * @param string $hash New MD5 hash of a user's password - * @param string $salt New salt for the user's password + * @param string $password The new password * @param string $resetkey Code e-mailed to a user to reset a password * @param string $email E-mail address of the user resetting their password * * @return string|void Redirect page if successful, otherwise return error message */ -function password_reset($hash, $salt, $resetkey, $email) { +function password_reset($password, $resetkey, $email) { + $hash = password_hash($password, PASSWORD_DEFAULT); + $dbh = DB::connect(); - $q = "UPDATE Users "; - $q.= "SET Passwd = '$hash', "; - $q.= "Salt = '$salt', "; + $q = "UPDATE Users SET "; + $q.= "Passwd = " . $dbh->quote($hash) . ", "; $q.= "ResetKey = '' "; $q.= "WHERE ResetKey != '' "; $q.= "AND ResetKey = " . $dbh->quote($resetkey) . " "; @@ -778,75 +781,46 @@ function good_passwd($passwd) { /** * Determine if the password is correct and salt it if it hasn't been already * - * @param string $userID The user ID to check the password against + * @param int $user_id The user ID to check the password against * @param string $passwd The password the visitor sent * - * @return bool True if password was correct and properly salted, otherwise false + * @return int Positive if password is correct, negative if password is unset */ -function valid_passwd($userID, $passwd) { +function check_passwd($user_id, $passwd) { $dbh = DB::connect(); - if ($passwd == "") { - return false; - } - /* Get salt for this user. */ - $salt = get_salt($userID); - if ($salt) { - $q = "SELECT ID FROM Users "; - $q.= "WHERE ID = " . $userID . " "; - $q.= "AND Passwd = " . $dbh->quote(salted_hash($passwd, $salt)); - $result = $dbh->query($q); - if (!$result) { - return false; - } - - $row = $result->fetch(PDO::FETCH_NUM); - return ($row[0] > 0); - } else { - /* Check password without using salt. */ - $q = "SELECT ID FROM Users "; - $q.= "WHERE ID = " . $userID . " "; - $q.= "AND Passwd = " . $dbh->quote(md5($passwd)); - $result = $dbh->query($q); - if (!$result) { - return false; - } - - $row = $result->fetch(PDO::FETCH_NUM); - if (!$row[0]) { - return false; - } - - /* Password correct, but salt it first! */ - if (!save_salt($userID, $passwd)) { - trigger_error("Unable to salt user's password;" . - " ID " . $userID, E_USER_WARNING); - return false; + /* Get password version, hash, as well as salt and authenticate. */ + $q = "SELECT Passwd, Salt FROM Users WHERE ID = " . intval($user_id); + $result = $dbh->query($q); + if (!$result) { + return 0; + } + $row = $result->fetch(PDO::FETCH_ASSOC); + if (!$row) { + return 0; + } + $hash = $row['Passwd']; + $salt = $row['Salt']; + if (!$hash) { + return -1; + } + if (!password_verify($passwd, $hash)) { + /* Invalid password, fall back to MD5. */ + if (md5($salt . $passwd) != $hash) { + return 0; } - - return true; } -} - -/** - * Determine if a user's password is empty - * - * @param string $uid The user ID to check for an empty password - * - * @return bool True if the user's password is empty, otherwise false - */ -function passwd_is_empty($uid) { - $dbh = DB::connect(); - $q = "SELECT * FROM Users WHERE ID = " . $dbh->quote($uid) . " "; - $q .= "AND Passwd = " . $dbh->quote(''); - $result = $dbh->query($q); + /* Password correct, migrate the hash if necessary. */ + if (password_needs_rehash($hash, PASSWORD_DEFAULT)) { + $hash = password_hash($passwd, PASSWORD_DEFAULT); - if ($result->fetchColumn()) { - return true; - } else { - return false; + $q = "UPDATE Users SET Passwd = " . $dbh->quote($hash) . " "; + $q.= "WHERE ID = " . intval($user_id); + $dbh->query($q); } + + return 1; } /** diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 94a3849..d58df40 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -538,63 +538,6 @@ function mkurl($append) { } /** - * Determine a user's salt from the database - * - * @param string $user_id The user ID of the user trying to log in - * - * @return string|void Return the salt for the requested user, otherwise void - */ -function get_salt($user_id) { - $dbh = DB::connect(); - $q = "SELECT Salt FROM Users WHERE ID = " . $user_id; - $result = $dbh->query($q); - if ($result) { - $row = $result->fetch(PDO::FETCH_NUM); - return $row[0]; - } - return; -} - -/** - * Save a user's salted password in the database - * - * @param string $user_id The user ID of the user who is salting their password - * @param string $passwd The password of the user logging in - */ -function save_salt($user_id, $passwd) { - $dbh = DB::connect(); - $salt = generate_salt(); - $hash = salted_hash($passwd, $salt); - $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", "; - $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id; - return $dbh->exec($q); -} - -/** - * Generate a string to be used for salting passwords - * - * @return string MD5 hash of concatenated random number and current time - */ -function generate_salt() { - return md5(uniqid(mt_rand(), true)); -} - -/** - * Combine salt and password to form a hash - * - * @param string $passwd User plaintext password - * @param string $salt MD5 hash to be used as user salt - * - * @return string The MD5 hash of the concatenated salt and user password - */ -function salted_hash($passwd, $salt) { - if (strlen($salt) != 32) { - trigger_error('Salt does not look like an md5 hash', E_USER_WARNING); - } - return md5($salt . $passwd); -} - -/** * Get a package comment * * @param int $comment_id The ID of the comment -- 2.11.1

2 2

[aur-dev] [PATCH] Fix user name in disown notifications
by Lukas Fleischer 24 Feb '17

24 Feb '17

Do not overwrite the $uid variable when updating co-maintainers. Fixes FS#52225. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/lib/pkgbasefuncs.inc.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php index 4f10204..57b307d 100644 --- a/web/lib/pkgbasefuncs.inc.php +++ b/web/lib/pkgbasefuncs.inc.php @@ -680,15 +680,15 @@ function pkgbase_adopt ($base_ids, $action=true, $via) { $comaintainers = pkgbase_get_comaintainers($base_id); if (count($comaintainers) > 0) { - $uid = uid_from_username($comaintainers[0]); + $comaintainer_uid = uid_from_username($comaintainers[0]); $comaintainers = array_diff($comaintainers, array($comaintainers[0])); pkgbase_set_comaintainers($base_id, $comaintainers); } else { - $uid = "NULL"; + $comaintainer_uid = "NULL"; } $q = "UPDATE PackageBases "; - $q.= "SET MaintainerUID = " . $uid . " "; + $q.= "SET MaintainerUID = " . $comaintainer_uid . " "; $q.= "WHERE ID = " . $base_id; $dbh->exec($q); } -- 2.11.1

1 0