--- a/inc/users.inc.php Thu Jul 24 17:21:33 2008 +0000
+++ b/inc/users.inc.php Thu Aug 07 18:45:13 2008 +0000
@@ -40,19 +40,19 @@
// Set current user ID.
$userid=$_SESSION['userid'];
- $query = 'SELECT id FROM perm_items WHERE name='.$db->quote('user_is_ueberuser');
+ $query = 'SELECT id FROM perm_items WHERE name='.$db->quote('user_is_ueberuser', 'text');
$ueberUserId = $db->queryOne($query);
// Find the template ID that this user has been assigned.
$query = "SELECT perm_templ
FROM users
- WHERE id = " . $db->quote($userid) ;
+ WHERE id = " . $db->quote($userid, 'integer') ;
$templ_id = $db->queryOne($query);
// Does this user have ueberuser rights?
$query = "SELECT id
FROM perm_templ_items
- WHERE templ_id = " . $db->quote($templ_id) . "
+ WHERE templ_id = " . $db->quote($templ_id, 'integer') . "
AND perm_id = ".$ueberUserId;
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
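Review bot: `$ueberUserId` is still concatenated into the third query unquoted (`AND perm_id = ".$ueberUserId`), and neither `queryOne()` result is checked before it is used. If the `perm_items` lookup returns nothing or an error object, the ueberuser check runs a malformed query or compares against an empty value. Suggest `AND perm_id = " . $db->quote($ueberUserId, 'integer');` and a `PEAR::isError()` check after each `queryOne()`, matching what is already done after `query()`. The enclosing function starts and ends outside the hunk.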
@@ -63,14 +63,14 @@
// Find the permission ID for the requested permission.
$query = "SELECT id
FROM perm_items
- WHERE name = " . $db->quote($permission) ;
+ WHERE name = " . $db->quote($permission, 'text') ;
$perm_id = $db->queryOne($query);
// Check if the permission ID is assigned to the template ID.
$query = "SELECT id
FROM perm_templ_items
- WHERE templ_id = " . $db->quote($templ_id) . "
- AND perm_id = " . $db->quote($perm_id) ;
+ WHERE templ_id = " . $db->quote($templ_id, 'integer') . "
+ AND perm_id = " . $db->quote($perm_id, 'integer') ;
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
$response = $db->query($query);
if ( $response->numRows() > 0 ) {
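Review bot: The error check for the permission query runs before the query itself: `if (PEAR::isError($response))` sits above `$response = $db->query($query);`, so it tests the result of an earlier statement and the new result reaches `$response->numRows()` unchecked. In a permission check, a failed query then ends in a method call on an error object instead of a clean denial. Swap the two lines so that `$response = $db->query($query);` comes first and `if (PEAR::isError($response)) { error($response->getMessage()); return false; }` follows it. The `$perm_id` from `queryOne()` is also used without an error check, and the function body continues outside the hunk.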
@@ -108,7 +108,7 @@
$add = '';
if(is_numeric($id)) {
//When a user id is given, it is excluded from the userlist returned.
- $add = " WHERE users.id!=".$db->quote($id);
+ $add = " WHERE users.id!=".$db->quote($id, 'integer');
}
// Make a huge query.
@@ -161,7 +161,7 @@
{
global $db;
if(is_numeric($id)) {
- $response = $db->query("SELECT id FROM users WHERE id=".$db->quote($id));
+ $response = $db->query("SELECT id FROM users WHERE id=".$db->quote($id, 'integer'));
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
if ($response->numRows() == 1) {
return true;
@@ -179,7 +179,7 @@
function user_exists($user)
{
global $db;
- $response = $db->query("SELECT id FROM users WHERE username=".$db->quote($user));
+ $response = $db->query("SELECT id FROM users WHERE username=".$db->quote($user, 'text'));
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
if ($response->numRows() == 0) {
return false;
@@ -215,11 +215,11 @@
}
}
- $query = "DELETE FROM zones WHERE owner = " . $db->quote($uid) ;
+ $query = "DELETE FROM zones WHERE owner = " . $db->quote($uid, 'integer') ;
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
- $query = "DELETE FROM users WHERE id = " . $db->quote($uid) ;
+ $query = "DELETE FROM users WHERE id = " . $db->quote($uid, 'integer') ;
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
}
@@ -284,7 +284,7 @@
// user, the username should apparantly changed. If so, check if the "new"
// username already exists.
- $query = "SELECT username FROM users WHERE id = " . $db->quote($id);
+ $query = "SELECT username FROM users WHERE id = " . $db->quote($id, 'integer');
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
@@ -297,7 +297,7 @@
// we have been given. User wants a change of username. Now, make
// sure it doesn't already exist.
- $query = "SELECT id FROM users WHERE username = " . $db->quote($user);
+ $query = "SELECT id FROM users WHERE username = " . $db->quote($user, 'integer');
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
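Review bot: `$db->quote($user, 'integer')` types a username as an integer, while every other username in this commit is quoted as text (for example `$db->quote($details['username'], 'text')` in the later copy of this same check). With integer quoting a non-numeric name is presumably cast to a number, so the lookup no longer compares against the requested name and the duplicate-username guard before the UPDATE becomes unreliable. Change the line to `$query = "SELECT id FROM users WHERE username = " . $db->quote($user, 'text');`.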
@@ -311,18 +311,18 @@
// another user that goes by the wanted username. So, go ahead!
$query = "UPDATE users SET
- username = " . $db->quote($user) . ",
- fullname = " . $db->quote($fullname) . ",
- email = " . $db->quote($email) . ",
- perm_templ = " . $db->quote($perm_templ) . ",
- description = " . $db->quote($description) . ",
- active = " . $db->quote($active) ;
+ username = " . $db->quote($user, 'text') . ",
+ fullname = " . $db->quote($fullname, 'text') . ",
+ email = " . $db->quote($email, 'text') . ",
+ perm_templ = " . $db->quote($perm_templ, 'integer') . ",
+ description = " . $db->quote($description, 'text') . ",
+ active = " . $db->quote($active, 'integer') ;
if($password != "") {
- $query .= ", password = " . $db->quote(md5($password)) ;
+ $query .= ", password = " . $db->quote(md5($password), 'text') ;
}
- $query .= " WHERE id = " . $db->quote($id) ;
+ $query .= " WHERE id = " . $db->quote($id, 'integer') ;
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
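Review bot: Passwords are still stored as unsalted `md5($password)`; adding the `'text'` type does not change that. The same pattern appears in the password-change hunk (`md5($details['newpass'])`), in the second user-edit hunk and in the `INSERT INTO users` hunk. Unsalted MD5 is cheap to brute-force and gives identical hashes for identical passwords; a salted, adaptive scheme such as `password_hash()` with `password_verify()` at login, rehashing existing rows on the next successful login, would address it. That needs a wider `password` column and a PHP version that provides those functions, so it belongs in a follow-up change rather than in this line.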
@@ -347,14 +347,14 @@
return false;
}
- $query = "SELECT id, password FROM users WHERE username = " . $db->quote($_SESSION["userlogin"]);
+ $query = "SELECT id, password FROM users WHERE username = " . $db->quote($_SESSION["userlogin"], 'text');
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
$rinfo = $response->fetchRow();
if(md5($details['currentpass']) == $rinfo['password']) {
- $query = "UPDATE users SET password = " . $db->quote(md5($details['newpass'])) . " WHERE id = " . $db->quote($rinfo['id']) ;
+ $query = "UPDATE users SET password = " . $db->quote(md5($details['newpass']), 'text') . " WHERE id = " . $db->quote($rinfo['id'], 'integer') ;
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
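Review bot: The current-password check uses loose comparison, `md5($details['currentpass']) == $rinfo['password']`. PHP's `==` compares two numeric-looking strings as numbers, so two different digests that both consist of `0e` followed only by digits are treated as equal. Use `===` here (or `hash_equals()` where the PHP version provides it). `$rinfo` is also indexed without checking that `fetchRow()` returned a row. The function starts and ends outside the hunk.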
@@ -373,7 +373,7 @@
function get_fullname_from_userid($id) {
global $db;
if (is_numeric($id)) {
- $response = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id));
+ $response = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id, 'integer'));
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
$r = $response->fetchRow();
return $r["fullname"];
@@ -393,7 +393,7 @@
global $db;
if (is_numeric($id))
{
- $response = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id));
+ $response = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id, 'integer'));
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
if ($response->numRows() == 1)
{
@@ -419,7 +419,7 @@
global $db;
if (is_numeric($id)) {
- $response = $db->query("SELECT users.id, users.fullname FROM users, zones WHERE zones.domain_id=".$db->quote($id)." AND zones.owner=users.id ORDER by fullname");
+ $response = $db->query("SELECT users.id, users.fullname FROM users, zones WHERE zones.domain_id=".$db->quote($id, 'integer')." AND zones.owner=users.id ORDER by fullname");
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
if ($response->numRows() == 0) {
return "";
@@ -444,8 +444,8 @@
if (is_numeric($zoneid)) {
$response = $db->query("SELECT zones.id
FROM zones
- WHERE zones.owner = " . $db->quote($userid) . "
- AND zones.domain_id = ". $db->quote($zoneid)) ;
+ WHERE zones.owner = " . $db->quote($userid, 'integer') . "
+ AND zones.domain_id = ". $db->quote($zoneid, 'integer')) ;
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
if ($response->numRows() == 0) {
return "0";
@@ -464,12 +464,12 @@
if (v_num($specific)) {
- $sql_add = "AND users.id = " . $db->quote($specific) ;
+ $sql_add = "AND users.id = " . $db->quote($specific, 'integer') ;
} else {
if (verify_permission('user_view_others')) {
$sql_add = "";
} else {
- $sql_add = "AND users.id = " . $db->quote($userid) ;
+ $sql_add = "AND users.id = " . $db->quote($userid, 'integer') ;
}
}
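Review bot: When `$specific` is numeric the filter is built from it without consulting `verify_permission('user_view_others')`; the permission is only checked in the `else` branch. As far as this hunk shows, a caller without that permission who passes another user's id gets that user's row, unless every caller checks first. Consider guarding the first branch, e.g. `if (v_num($specific) && ((int)$specific === (int)$userid || verify_permission('user_view_others'))) {`, so that anything else falls through to the `$userid` filter. The function starts and ends outside the hunk.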
@@ -517,7 +517,7 @@
if ($templ_id > 0) {
$limit = ", perm_templ_items
- WHERE perm_templ_items.templ_id = " . $db->quote($templ_id) . "
+ WHERE perm_templ_items.templ_id = " . $db->quote($templ_id, 'integer') . "
AND perm_templ_items.perm_id = perm_items.id";
}
@@ -553,7 +553,7 @@
$query = "SELECT *
FROM perm_templ
- WHERE perm_templ.id = " . $db->quote($templ_id);
+ WHERE perm_templ.id = " . $db->quote($templ_id, 'integer');
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
@@ -593,8 +593,8 @@
$query = "INSERT INTO perm_templ (name, descr)
VALUES ("
- . $db->quote($details['templ_name']) . ", "
- . $db->quote($details['templ_descr']) . ")";
+ . $db->quote($details['templ_name'], 'text') . ", "
+ . $db->quote($details['templ_descr'], 'text') . ")";
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
@@ -602,7 +602,7 @@
$perm_templ_id = $db->lastInsertId('perm_templ', 'id');
foreach ($details['perm_id'] AS $perm_id) {
- $query = "INSERT INTO perm_templ_items (templ_id, perm_id) VALUES (" . $db->quote($perm_templ_id) . "," . $db->quote($perm_id) . ")";
+ $query = "INSERT INTO perm_templ_items (templ_id, perm_id) VALUES (" . $db->quote($perm_templ_id, 'integer') . "," . $db->quote($perm_id, 'integer') . ")";
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
}
@@ -618,9 +618,9 @@
// Fix permission template name and description first.
$query = "UPDATE perm_templ
- SET name = " . $db->quote($details['templ_name']) . ",
- descr = " . $db->quote($details['templ_descr']) . "
- WHERE id = " . $db->quote($details['templ_id']) ;
+ SET name = " . $db->quote($details['templ_name'], 'text') . ",
+ descr = " . $db->quote($details['templ_descr'], 'text') . "
+ WHERE id = " . $db->quote($details['templ_id'], 'integer') ;
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
@@ -636,7 +636,7 @@
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
foreach ($details['perm_id'] AS $perm_id) {
- $query = "INSERT INTO perm_templ_items (templ_id, perm_id) VALUES (" . $db->quote($details['templ_id']) . "," . $db->quote($perm_id) . ")";
+ $query = "INSERT INTO perm_templ_items (templ_id, perm_id) VALUES (" . $db->quote($details['templ_id'], 'integer') . "," . $db->quote($perm_id, 'integer') . ")";
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
}
@@ -674,7 +674,7 @@
// current username is not the same as the username that was given by the
// user, the username should apparantly changed. If so, check if the "new"
// username already exists.
- $query = "SELECT username FROM users WHERE id = " . $db->quote($details['uid']);
+ $query = "SELECT username FROM users WHERE id = " . $db->quote($details['uid'], 'integer');
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
@@ -685,7 +685,7 @@
// Username of user ID in the database is different from the name
// we have been given. User wants a change of username. Now, make
// sure it doesn't already exist.
- $query = "SELECT id FROM users WHERE username = " . $db->quote($details['username']);
+ $query = "SELECT id FROM users WHERE username = " . $db->quote($details['username'], 'text');
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
@@ -699,23 +699,23 @@
// another user that goes by the wanted username. So, go ahead!
$query = "UPDATE users SET
- username = " . $db->quote($details['username']) . ",
- fullname = " . $db->quote($details['fullname']) . ",
- email = " . $db->quote($details['email']) . ",
- description = " . $db->quote($details['descr']) . ",
- active = " . $db->quote($active) ;
+ username = " . $db->quote($details['username'], 'text') . ",
+ fullname = " . $db->quote($details['fullname'], 'text') . ",
+ email = " . $db->quote($details['email'], 'text') . ",
+ description = " . $db->quote($details['descr'], 'text') . ",
+ active = " . $db->quote($active, 'integer') ;
// If the user is alllowed to change the permission template, set it.
if ($perm_templ_perm_edit == "1") {
- $query .= ", perm_templ = " . $db->quote($details['templ_id']) ;
+ $query .= ", perm_templ = " . $db->quote($details['templ_id'], 'integer') ;
}
if(isset($details['password']) && $details['password'] != "") {
- $query .= ", password = '" . md5($db->quote($details['password'])) . "' ";
+ $query .= ", password = " . $db->quote(md5($details['password']), 'text');
}
- $query .= " WHERE id = " . $db->quote($details['uid']) ;
+ $query .= " WHERE id = " . $db->quote($details['uid'], 'integer') ;
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }
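Review bot: The password line in this hunk is a behaviour fix rather than a type annotation, and it deserves its own mention in the commit message. The old form `md5($db->quote($details['password']))` hashed the quoted value, so hashes written by this path presumably never matched a digest computed from the raw password; the new form stores `md5($details['password'])`. Hashes already written by the old path stay unusable until the password is set again, so affected accounts may need a reset. A short comment such as `// hash the raw password, then quote the digest` above the line would keep the order from being reversed again.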
@@ -748,13 +748,13 @@
}
$query = "INSERT INTO users (username, password, fullname, email, description, perm_templ, active) VALUES ("
- . $db->quote($details['username']) . ", "
- . $db->quote(md5($details['password'])) . ", "
- . $db->quote($details['fullname']) . ", "
- . $db->quote($details['email']) . ", "
- . $db->quote($details['descr']) . ", "
- . $db->quote($details['perm_templ']) . ", "
- . $db->quote($active)
+ . $db->quote($details['username'], 'text') . ", "
+ . $db->quote(md5($details['password']), 'text') . ", "
+ . $db->quote($details['fullname'], 'text') . ", "
+ . $db->quote($details['email'], 'text') . ", "
+ . $db->quote($details['descr'], 'text') . ", "
+ . $db->quote($details['perm_templ'], 'integer') . ", "
+ . $db->quote($active, 'integer')
. ")";
$response = $db->query($query);