[aur-dev] [PATCH 1/1] use convenience wrapper for mysql_real_escape_string to aid database portability
when converting to postgres, each mysql_real_escape_string instance had to be changed, which was tedious. Centralizing the escape mechanism code would allow for much easier porting, in the same way that db_query provides a lightweight query abstraction. --- web/html/account.php | 2 +- web/html/addvote.php | 10 +++++----- web/html/logout.php | 2 +- web/html/passreset.php | 4 ++-- web/html/pkgsubmit.php | 36 ++++++++++++++++++------------------ web/html/voters.php | 2 +- web/lib/acctfuncs.inc | 26 +++++++++++++------------- web/lib/aur.inc | 30 ++++++++++++++++++------------ web/lib/aurjson.class.php | 8 ++++---- web/lib/pkgfuncs.inc | 12 ++++++------ web/lib/stats.inc | 2 +- web/template/pkg_comment_form.php | 2 +- 12 files changed, 71 insertions(+), 65 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index afb0d7c..029ae79 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -111,7 +111,7 @@ if (isset($_COOKIE["AURSID"])) { $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; $q.= "AND Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= db_escape($_COOKIE["AURSID"])."'"; $result = db_query($q, $dbh); if (!mysql_num_rows($result)) { print __("Could not retrieve information for the specified user."); diff --git a/web/html/addvote.php b/web/html/addvote.php index 5936d56..e039d06 100644 --- a/web/html/addvote.php +++ b/web/html/addvote.php @@ -20,13 +20,13 @@ if ($atype == "Trusted User" OR $atype == "Developer") { $error = ""; if (!empty($_POST['user'])) { - $qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape($_POST['user']) . "'"; $check = mysql_num_rows(db_query($qcheck, $dbh)); if ($check == 0) { $error.= __("Username does not exist."); } else { - $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape($_POST['user']) . "'"; $qcheck.= " AND End > UNIX_TIMESTAMP()"; $check = mysql_num_rows(db_query($qcheck, $dbh)); @@ -55,9 +55,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if (!empty($_POST['addVote']) && empty($error)) { $q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES "; - $q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', "; - $q.= "'" . mysql_real_escape_string($_POST['user']) . "', "; - $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len); + $q.= "('" . db_escape($_POST['agenda']) . "', "; + $q.= "'" . db_escape($_POST['user']) . "', "; + $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape($len); $q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")"; db_query($q, $dbh); diff --git a/web/html/logout.php b/web/html/logout.php index 95cf460..ffde619 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -12,7 +12,7 @@ include_once("acctfuncs.inc"); # access AUR common functions if (isset($_COOKIE["AURSID"])) { $dbh = db_connect(); $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); # setting expiration to 1 means '1 second after midnight January 1, 1970' setcookie("AURSID", "", 1, "/"); diff --git a/web/html/passreset.php b/web/html/passreset.php index 2c7801d..daba63e 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -40,8 +40,8 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir Salt = '$salt', ResetKey = '' WHERE ResetKey != '' - AND ResetKey = '".mysql_real_escape_string($resetkey)."' - AND Email = '".mysql_real_escape_string($email)."'"; + AND ResetKey = '".db_escape($resetkey)."' + AND Email = '".db_escape($email)."'"; $result = db_query($q, $dbh); if (!mysql_affected_rows($dbh)) { $error = __('Invalid e-mail and reset key combination.'); diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 5797626..177f5e1 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -294,7 +294,7 @@ if ($_COOKIE["AURSID"]): $dbh = db_connect(); - $q = "SELECT * FROM Packages WHERE Name = '" . mysql_real_escape_string($new_pkgbuild['pkgname']) . "'"; + $q = "SELECT * FROM Packages WHERE Name = '" . db_escape($new_pkgbuild['pkgname']) . "'"; $result = db_query($q, $dbh); $pdata = mysql_fetch_assoc($result); @@ -313,7 +313,7 @@ if ($_COOKIE["AURSID"]): # If a new category was chosen, change it to that if ($_POST['category'] > 1) { $q = sprintf( "UPDATE Packages SET CategoryID = %d WHERE ID = %d", - mysql_real_escape_string($_REQUEST['category']), + db_escape($_REQUEST['category']), $packageID); db_query($q, $dbh); @@ -321,12 +321,12 @@ if ($_COOKIE["AURSID"]): # Update package data $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s-%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = '%d' WHERE ID = %d", - mysql_real_escape_string($new_pkgbuild['pkgname']), - mysql_real_escape_string($new_pkgbuild['pkgver']), - mysql_real_escape_string($new_pkgbuild['pkgrel']), - mysql_real_escape_string($new_pkgbuild['license']), - mysql_real_escape_string($new_pkgbuild['pkgdesc']), - mysql_real_escape_string($new_pkgbuild['url']), + db_escape($new_pkgbuild['pkgname']), + db_escape($new_pkgbuild['pkgver']), + db_escape($new_pkgbuild['pkgrel']), + db_escape($new_pkgbuild['license']), + db_escape($new_pkgbuild['pkgdesc']), + db_escape($new_pkgbuild['url']), uid_from_sid($_COOKIE["AURSID"]), $packageID); @@ -337,13 +337,13 @@ if ($_COOKIE["AURSID"]): # This is a brand new package $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s-%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)", - mysql_real_escape_string($new_pkgbuild['pkgname']), - mysql_real_escape_string($new_pkgbuild['license']), - mysql_real_escape_string($new_pkgbuild['pkgver']), - mysql_real_escape_string($new_pkgbuild['pkgrel']), - mysql_real_escape_string($_REQUEST['category']), - mysql_real_escape_string($new_pkgbuild['pkgdesc']), - mysql_real_escape_string($new_pkgbuild['url']), + db_escape($new_pkgbuild['pkgname']), + db_escape($new_pkgbuild['license']), + db_escape($new_pkgbuild['pkgver']), + db_escape($new_pkgbuild['pkgrel']), + db_escape($_REQUEST['category']), + db_escape($new_pkgbuild['pkgdesc']), + db_escape($new_pkgbuild['url']), $uid, $uid); @@ -364,8 +364,8 @@ if ($_COOKIE["AURSID"]): $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')", $packageID, - mysql_real_escape_string($deppkgname), - mysql_real_escape_string($depcondition)); + db_escape($deppkgname), + db_escape($depcondition)); db_query($q, $dbh); } @@ -375,7 +375,7 @@ if ($_COOKIE["AURSID"]): foreach ($sources as $src) { if ($src != "" ) { $q = "INSERT INTO PackageSources (PackageID, Source) VALUES ("; - $q .= $packageID . ", '" . mysql_real_escape_string($src) . "')"; + $q .= $packageID . ", '" . db_escape($src) . "')"; db_query($q, $dbh); } } diff --git a/web/html/voters.php b/web/html/voters.php index 6a16818..384a782 100644 --- a/web/html/voters.php +++ b/web/html/voters.php @@ -5,7 +5,7 @@ include('pkgfuncs.inc'); function getvotes($pkgid) { $dbh = db_connect(); - $pkgid = mysql_real_escape_string($pkgid); + $pkgid = db_escape($pkgid); $result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh); return $result; diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc index f07c1fc..a0efa6e 100644 --- a/web/lib/acctfuncs.inc +++ b/web/lib/acctfuncs.inc @@ -225,7 +225,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".mysql_real_escape_string($U)."'"; + $q.= "WHERE Username = '".db_escape($U)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -243,7 +243,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".mysql_real_escape_string($E)."'"; + $q.= "WHERE Email = '".db_escape($E)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -265,7 +265,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and create the unprivileged user $salt = generate_salt(); $P = salted_hash($P, $salt); - $escaped = array_map('mysql_real_escape_string', + $escaped = array_map('db_escape', array($U, $E, $P, $salt, $R, $L, $I)); $q = "INSERT INTO Users (" . "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . @@ -289,7 +289,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and modify the user account $q = "UPDATE Users SET "; - $q.= "Username = '".mysql_real_escape_string($U)."'"; + $q.= "Username = '".db_escape($U)."'"; if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -298,15 +298,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".mysql_real_escape_string($E)."'"; + $q.= ", Email = '".db_escape($E)."'"; if ($P) { $salt = generate_salt(); $hash = salted_hash($P, $salt); $q .= ", Passwd = '$hash', Salt = '$salt'"; } - $q.= ", RealName = '".mysql_real_escape_string($R)."'"; - $q.= ", LangPreference = '".mysql_real_escape_string($L)."'"; - $q.= ", IRCNick = '".mysql_real_escape_string($I)."'"; + $q.= ", RealName = '".db_escape($R)."'"; + $q.= ", LangPreference = '".db_escape($L)."'"; + $q.= ", IRCNick = '".db_escape($I)."'"; $q.= " WHERE ID = ".intval($UID); $result = db_query($q, $dbh); if (!$result) { @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape($I)."%' "; $search_vars[] = "I"; } switch ($SB) { @@ -716,7 +716,7 @@ function valid_user( $user ) if ( $user ) { $dbh = db_connect(); $q = "SELECT ID FROM Users WHERE Username = '" - . mysql_real_escape_string($user). "'"; + . db_escape($user). "'"; $result = mysql_fetch_row(db_query($q, $dbh)); diff --git a/web/lib/aur.inc b/web/lib/aur.inc index 744b31e..f0a07a7 100644 --- a/web/lib/aur.inc +++ b/web/lib/aur.inc @@ -26,7 +26,7 @@ function check_sid() { # $dbh = db_connect(); $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; - $q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= "WHERE SessionID = '" . db_escape($_COOKIE["AURSID"]) . "'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) { # Invalid SessionID - hacker alert! @@ -50,7 +50,7 @@ function check_sid() { # session id timeout was reached and they must login again. # $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); setcookie("AURSID", "", 1, "/"); @@ -66,7 +66,7 @@ function check_sid() { # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= "WHERE SessionID = '".db_escape($_COOKIE["AURSID"])."'"; db_query($q, $dbh); } } @@ -110,7 +110,7 @@ function username_from_id($id="") { return ""; } $dbh = db_connect(); - $q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id); + $q = "SELECT Username FROM Users WHERE ID = " . db_escape($id); $result = db_query($q, $dbh); if (!$result) { return "None"; @@ -131,7 +131,7 @@ function username_from_sid($sid="") { $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -151,7 +151,7 @@ function email_from_sid($sid="") { $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -173,7 +173,7 @@ function account_from_sid($sid="") { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -193,7 +193,7 @@ function uid_from_sid($sid="") { $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return 0; @@ -245,6 +245,12 @@ function db_query($query="", $db_handle="") { return $result; } +# database escape abstraction, to make porting +# to alternate databases slightly easier +function db_escape($unescaped) { + return mysql_real_escape_string($unescaped); +} + # set up the visitor's language # function set_lang() { @@ -272,7 +278,7 @@ function set_lang() { $q = "SELECT LangPreference FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= db_escape($_COOKIE["AURSID"])."'"; $result = db_query($q, $dbh); if ($result) { @@ -332,7 +338,7 @@ function can_submit_pkg($name="", $sid="") { if (!$name || !$sid) {return 0;} $dbh = db_connect(); $q = "SELECT MaintainerUID "; - $q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'"; + $q.= "FROM Packages WHERE Name = '".db_escape($name)."'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) {return 1;} $row = mysql_fetch_row($result); @@ -403,7 +409,7 @@ function uid_from_username($username="") return ""; } $dbh = db_connect(); - $q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username) + $q = "SELECT ID FROM Users WHERE Username = '".db_escape($username) ."'"; $result = db_query($q, $dbh); if (!$result) { @@ -422,7 +428,7 @@ function uid_from_email($email="") return ""; } $dbh = db_connect(); - $q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email) + $q = "SELECT ID FROM Users WHERE Email = '".db_escape($email) ."'"; $result = db_query($q, $dbh); if (!$result) { diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index 50cf6d0..6719206 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -136,7 +136,7 @@ class AurJSON { if (is_numeric($arg)) { $id_args[] = intval($arg); } else { - $escaped = mysql_real_escape_string($arg, $this->dbh); + $escaped = db_escape($arg, $this->dbh); $name_args[] = "'" . $escaped . "'"; } } @@ -154,7 +154,7 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh); + $keyword_string = db_escape($keyword_string, $this->dbh); $keyword_string = addcslashes($keyword_string, '%_'); $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . @@ -177,7 +177,7 @@ class AurJSON { } else { $where_condition = sprintf("Name=\"%s\"", - mysql_real_escape_string($pqdata, $this->dbh)); + db_escape($pqdata, $this->dbh)); } return $this->process_query('info', $where_condition); @@ -220,7 +220,7 @@ class AurJSON { * @return mixed Returns an array of value data containing the package data **/ private function msearch($maintainer) { - $maintainer = mysql_real_escape_string($maintainer, $this->dbh); + $maintainer = db_escape($maintainer, $this->dbh); $where_condition = "Users.Username = '{$maintainer}'"; diff --git a/web/lib/pkgfuncs.inc b/web/lib/pkgfuncs.inc index 25a09c4..f16d2be 100644 --- a/web/lib/pkgfuncs.inc +++ b/web/lib/pkgfuncs.inc @@ -94,7 +94,7 @@ function package_exists($name="") { if (!$name) {return NULL;} $dbh = db_connect(); $q = "SELECT ID FROM Packages "; - $q.= "WHERE Name = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE Name = '".db_escape($name)."' "; $result = db_query($q, $dbh); if (!$result) {return NULL;} $row = mysql_fetch_row($result); @@ -127,7 +127,7 @@ function package_required($name="") { $dbh = db_connect(); $q = "SELECT p.Name, PackageID FROM PackageDepends pd "; $q.= "JOIN Packages p ON pd.PackageID = p.ID "; - $q.= "WHERE DepName = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE DepName = '".db_escape($name)."' "; $q.= "ORDER BY p.Name"; $result = db_query($q, $dbh); if (!$result) {return array();} @@ -216,7 +216,7 @@ function pkgvotes_from_sid($sid="") { $q.= "FROM PackageVotes, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = PackageVotes.UsersID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -237,7 +237,7 @@ function pkgnotify_from_sid($sid="") { $q.= "FROM CommentNotify, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = CommentNotify.UserID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -267,7 +267,7 @@ function pkgname_from_id($pkgid=0) { # function pkgname_is_blacklisted($name) { $dbh = db_connect(); - $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . mysql_real_escape_string($name) . "'"; + $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape($name) . "'"; $result = db_query($q, $dbh); if (!$result) return false; @@ -432,7 +432,7 @@ function pkg_search_page($SID="") { } if (isset($_GET['K'])) { - $_GET['K'] = mysql_real_escape_string(trim($_GET['K'])); + $_GET['K'] = db_escape(trim($_GET['K'])); # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { diff --git a/web/lib/stats.inc b/web/lib/stats.inc index 75b2537..b825b2e 100644 --- a/web/lib/stats.inc +++ b/web/lib/stats.inc @@ -53,7 +53,7 @@ function updates_table($dbh) function user_table($user, $dbh) { global $apc_prefix; - $escuser = mysql_real_escape_string($user); + $escuser = db_escape($user); $base_q = "SELECT count(*) FROM Packages,Users WHERE Packages.MaintainerUID = Users.ID AND Users.Username='" . $escuser . "'"; $maintainer_unsupported_count = db_cache_value($base_q, $dbh, diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index e52c92d..eab32b4 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -7,7 +7,7 @@ if (isset($_REQUEST['comment'])) { $q = 'INSERT INTO PackageComments '; $q.= '(PackageID, UsersID, Comments, CommentTS) VALUES ('; $q.= intval($_REQUEST['ID']) . ', ' . uid_from_sid($_COOKIE['AURSID']) . ', '; - $q.= "'" . mysql_real_escape_string($_REQUEST['comment']) . "', "; + $q.= "'" . db_escape($_REQUEST['comment']) . "', "; $q.= 'UNIX_TIMESTAMP())'; db_query($q, $dbh); -- 1.7.4.1
On Mon, Apr 25, 2011 at 10:21:55PM -0700, elij wrote:
when converting to postgres, each mysql_real_escape_string instance had to be changed, which was tedious. Centralizing the escape mechanism code would allow for much easier porting, in the same way that db_query provides a lightweight query abstraction. --- web/html/account.php | 2 +- web/html/addvote.php | 10 +++++----- web/html/logout.php | 2 +- web/html/passreset.php | 4 ++-- web/html/pkgsubmit.php | 36 ++++++++++++++++++------------------ web/html/voters.php | 2 +- web/lib/acctfuncs.inc | 26 +++++++++++++------------- web/lib/aur.inc | 30 ++++++++++++++++++------------ web/lib/aurjson.class.php | 8 ++++---- web/lib/pkgfuncs.inc | 12 ++++++------ web/lib/stats.inc | 2 +- web/template/pkg_comment_form.php | 2 +- 12 files changed, 71 insertions(+), 65 deletions(-)
Sounds like a good idea as well, but I'm not sure if this makes a lot of sense if we keep any other mysql_*() invocations. I'd say we should use some proper database abstraction layers if we aim at database independent code...
On Tue, Apr 26, 2011 at 10:10 AM, Lukas Fleischer <archlinux@cryptocrack.de> wrote:
On Mon, Apr 25, 2011 at 10:21:55PM -0700, elij wrote:
when converting to postgres, each mysql_real_escape_string instance had to be changed, which was tedious. Centralizing the escape mechanism code would allow for much easier porting, in the same way that db_query provides a lightweight query abstraction. --- web/html/account.php | 2 +- web/html/addvote.php | 10 +++++----- web/html/logout.php | 2 +- web/html/passreset.php | 4 ++-- web/html/pkgsubmit.php | 36 ++++++++++++++++++------------------ web/html/voters.php | 2 +- web/lib/acctfuncs.inc | 26 +++++++++++++------------- web/lib/aur.inc | 30 ++++++++++++++++++------------ web/lib/aurjson.class.php | 8 ++++---- web/lib/pkgfuncs.inc | 12 ++++++------ web/lib/stats.inc | 2 +- web/template/pkg_comment_form.php | 2 +- 12 files changed, 71 insertions(+), 65 deletions(-)
Sounds like a good idea as well, but I'm not sure if this makes a lot of sense if we keep any other mysql_*() invocations. I'd say we should use some proper database abstraction layers if we aim at database independent code...
Well, one has to start somewhere to get said abstraction layer, and this seems like as good as any start. It is the most-used function [1], with "result row processing functions" coming in next. So this patch gets a +1 from me, and eventually we can have a set of db_* functions we are able to use, can move to a db_mysql.inc file, and go from there. -Dan [1] dmcgee@clifden ~/projects/aur (master) $ find -name '*.php' | xargs grep -R --color -o -h 'mysql_[^( ]*(' * | sort | uniq -c | sort -n 1 mysql_connect( 1 mysql_init( 1 mysql_library_end( 1 mysql_library_init( 1 mysql_real_connect( 1 mysql_store_result( 2 mysql_affected_rows( 2 mysql_close( 2 mysql_insert_id( 3 mysql_fetch_array( 3 mysql_free_result( 4 mysql_fetch_object( 5 mysql_result( 5 mysql_select_db( 6 mysql_error( 10 mysql_die( 10 mysql_query( 25 mysql_fetch_row( 36 mysql_fetch_assoc( 38 mysql_num_rows( 99 mysql_real_escape_string(
On Tue, Apr 26, 2011 at 10:42:58AM -0500, Dan McGee wrote:
On Tue, Apr 26, 2011 at 10:10 AM, Lukas Fleischer <archlinux@cryptocrack.de> wrote:
On Mon, Apr 25, 2011 at 10:21:55PM -0700, elij wrote:
when converting to postgres, each mysql_real_escape_string instance had to be changed, which was tedious. Centralizing the escape mechanism code would allow for much easier porting, in the same way that db_query provides a lightweight query abstraction. --- web/html/account.php | 2 +- web/html/addvote.php | 10 +++++----- web/html/logout.php | 2 +- web/html/passreset.php | 4 ++-- web/html/pkgsubmit.php | 36 ++++++++++++++++++------------------ web/html/voters.php | 2 +- web/lib/acctfuncs.inc | 26 +++++++++++++------------- web/lib/aur.inc | 30 ++++++++++++++++++------------ web/lib/aurjson.class.php | 8 ++++---- web/lib/pkgfuncs.inc | 12 ++++++------ web/lib/stats.inc | 2 +- web/template/pkg_comment_form.php | 2 +- 12 files changed, 71 insertions(+), 65 deletions(-)
Sounds like a good idea as well, but I'm not sure if this makes a lot of sense if we keep any other mysql_*() invocations. I'd say we should use some proper database abstraction layers if we aim at database independent code...
Well, one has to start somewhere to get said abstraction layer, and this seems like as good as any start. It is the most-used function [1], with "result row processing functions" coming in next. So this patch gets a +1 from me, and eventually we can have a set of db_* functions we are able to use, can move to a db_mysql.inc file, and go from there.
Well, what I wanted to say is that I'd prefer to have that bundled with another bunch of patches before merging it into master. Just as if we'd switch from MySQL functions to MDB2 or any other existant abstraction layer, migrating small parts only does not make any sense here. I am pretty sure that this will be forgotten if I just apply that patch. And having some mixture of native MySQL functions and database abstraction isn't any better than using native MySQL functions only.
-Dan
[1] dmcgee@clifden ~/projects/aur (master) $ find -name '*.php' | xargs grep -R --color -o -h 'mysql_[^( ]*(' * | sort | uniq -c | sort -n 1 mysql_connect( 1 mysql_init( 1 mysql_library_end( 1 mysql_library_init( 1 mysql_real_connect( 1 mysql_store_result( 2 mysql_affected_rows( 2 mysql_close( 2 mysql_insert_id( 3 mysql_fetch_array( 3 mysql_free_result( 4 mysql_fetch_object( 5 mysql_result( 5 mysql_select_db( 6 mysql_error( 10 mysql_die( 10 mysql_query( 25 mysql_fetch_row( 36 mysql_fetch_assoc( 38 mysql_num_rows( 99 mysql_real_escape_string(
Not that it makes a huge difference but your stats are somewhat confusing - especially since you seem to use find(1) and xargs(1) without doing any replacement in the grep(1) invocation (note the wildcard character used with grep(1) here). Searching in the actual source files only seems to me to be more appropriate: ---- $ grep -oh 'mysql_[^( ]*(' $(git ls-files) | sort | uniq -c | sort -n 1 mysql_affected_rows( 1 mysql_autocommit( 1 mysql_connect( 1 mysql_init( 1 mysql_insert_id( 1 mysql_library_end( 1 mysql_library_init( 1 mysql_real_connect( 1 mysql_store_result( 2 mysql_close( 2 mysql_fetch_object( 2 mysql_free_result( 3 mysql_fetch_array( 3 mysql_select_db( 5 mysql_result( 6 mysql_error( 10 mysql_query( 13 mysql_die( 22 mysql_fetch_assoc( 22 mysql_num_rows( 25 mysql_fetch_row( 66 mysql_real_escape_string( ----
participants (3)
-
Dan McGee
-
elij
-
Lukas Fleischer