arno/lychee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Converted Photo.php to prepared statements (#38 #214 #196)

Browse Source
This commit is contained in:
Tobias Reich 2014-08-29 21:16:10 +02:00
parent 8b76fadf6d
commit 606334fb62
1 changed files with 43 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
php/modules/Photo.php
View File

@ -148,7 +148,7 @@ class Photo extends Module {
$info = $this->getInfo($path); $info = $this->getInfo($path);
# Use title of file if IPTC title missing # Use title of file if IPTC title missing
if ($info['title']==='') $info['title'] = mysqli_real_escape_string($this->database, substr(basename($file['name'], $extension), 0, 30)); if ($info['title']==='') $info['title'] = substr(basename($file['name'], $extension), 0, 30);
# Use description parameter if set # Use description parameter if set
if ($description==='') $description = $info['description']; if ($description==='') $description = $info['description'];
@ -175,29 +175,8 @@ class Photo extends Module {
} }
# Save to DB # Save to DB
$query = "INSERT INTO lychee_photos (id, title, url, description, tags, type, width, height, size, iso, aperture, make, model, shutter, focal, takestamp, thumbUrl, album, public, star, checksum) $values = [LYCHEE_TABLE_PHOTOS, $id, $info['title'], $photo_name, $description, $tags, $info['type'], $info['width'], $info['height'], $info['size'], $info['iso'], $info['aperture'], $info['make'], $info['model'], $info['shutter'], $info['focal'], $info['takestamp'], $path_thumb, $albumID, $public, $star, $checksum];
VALUES ( $query = Database::prepare($this->database, "INSERT INTO ? (id, title, url, description, tags, type, width, height, size, iso, aperture, make, model, shutter, focal, takestamp, thumbUrl, album, public, star, checksum) VALUES ('?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?', '?')", $values);
'" . $id . "',
'" . $info['title'] . "',
'" . $photo_name . "',
'" . $description . "',
'" . $tags . "',
'" . $info['type'] . "',
'" . $info['width'] . "',
'" . $info['height'] . "',
'" . $info['size'] . "',
'" . $info['iso'] . "',
'" . $info['aperture'] . "',
'" . $info['make'] . "',
'" . $info['model'] . "',
'" . $info['shutter'] . "',
'" . $info['focal'] . "',
'" . $info['takestamp'] . "',
'" . $path_thumb . "',
'" . $albumID . "',
'" . $public . "',
'" . $star . "',
'" . $checksum . "');";
$result = $this->database->query($query); $result = $this->database->query($query);
if (!$result) { if (!$result) {
@ -219,13 +198,9 @@ class Photo extends Module {
# Check dependencies # Check dependencies
self::dependencies(isset($this->database, $checksum)); self::dependencies(isset($this->database, $checksum));
# Escape
$checksum = mysqli_real_escape_string($this->database, $checksum);
if (isset($photoID)) $photoID = mysqli_real_escape_string($this->database, $photoID);
# Exclude $photoID from select when $photoID is set # Exclude $photoID from select when $photoID is set
if (isset($photoID)) $query = "SELECT id, url, thumbUrl FROM lychee_photos WHERE checksum = '$checksum' AND id <> '$photoID' LIMIT 1;"; if (isset($photoID)) $query = Database::prepare($this->database, "SELECT id, url, thumbUrl FROM ? WHERE checksum = '?' AND id <> '?' LIMIT 1", [LYCHEE_TABLE_PHOTOS, $checksum, $photoID]);
else $query = "SELECT id, url, thumbUrl FROM lychee_photos WHERE checksum = '$checksum' LIMIT 1;"; else $query = Database::prepare($this->database, "SELECT id, url, thumbUrl FROM ? WHERE checksum = '?' LIMIT 1", [LYCHEE_TABLE_PHOTOS, $checksum]);
$result = $this->database->query($query); $result = $this->database->query($query);
@ -459,7 +434,8 @@ class Photo extends Module {
$this->plugins(__METHOD__, 0, func_get_args()); $this->plugins(__METHOD__, 0, func_get_args());
# Get photo # Get photo
$photos = $this->database->query("SELECT * FROM lychee_photos WHERE id = '$this->photoIDs' LIMIT 1;"); $query = Database::prepare($this->database, "SELECT * FROM ? WHERE id = '?' LIMIT 1", [LYCHEE_TABLE_PHOTOS, $this->photoIDs]);
$photos = $this->database->query($query);
$photo = $photos->fetch_assoc(); $photo = $photos->fetch_assoc();
# Parse photo # Parse photo
@ -472,11 +448,14 @@ class Photo extends Module {
if ($albumID!='false') { if ($albumID!='false') {
# Show photo as public when parent album is public
# Check if parent album is available and not photo not unsorted
if ($photo['album']!=0) { if ($photo['album']!=0) {
# Get album # Get album
$albums = $this->database->query("SELECT public FROM lychee_albums WHERE id = '" . $photo['album'] . " LIMIT 1';"); $query = Database::prepare($this->database, "SELECT public FROM ? WHERE id = '?' LIMIT 1", [LYCHEE_TABLE_ALBUMS, $photo['album']]);
$album = $albums->fetch_assoc(); $albums = $this->database->query($query);
$album = $albums->fetch_assoc();
# Parse album # Parse album
$photo['public'] = ($album['public']=='1' ? '2' : $photo['public']); $photo['public'] = ($album['public']=='1' ? '2' : $photo['public']);
@ -582,9 +561,6 @@ class Photo extends Module {
} }
# Security
foreach(array_keys($return) as $key) $return[$key] = mysqli_real_escape_string($this->database, $return[$key]);
# Call plugins # Call plugins
$this->plugins(__METHOD__, 1, func_get_args()); $this->plugins(__METHOD__, 1, func_get_args());
@ -601,7 +577,8 @@ class Photo extends Module {
$this->plugins(__METHOD__, 0, func_get_args()); $this->plugins(__METHOD__, 0, func_get_args());
# Get photo # Get photo
$photos = $this->database->query("SELECT title, url FROM lychee_photos WHERE id = '$this->photoIDs' LIMIT 1;"); $query = Database::prepare($this->database, "SELECT title, url FROM ? WHERE id = '?' LIMIT 1", [LYCHEE_TABLE_PHOTOS, $this->photoIDs]);
$photos = $this->database->query($query);
$photo = $photos->fetch_object(); $photo = $photos->fetch_object();
# Get extension # Get extension
@ -641,7 +618,8 @@ class Photo extends Module {
if (strlen($title)>50) $title = substr($title, 0, 50); if (strlen($title)>50) $title = substr($title, 0, 50);
# Set title # Set title
$result = $this->database->query("UPDATE lychee_photos SET title = '$title' WHERE id IN ($this->photoIDs);"); $query = Database::prepare($this->database, "UPDATE ? SET title = '?' WHERE id IN (?)", [LYCHEE_TABLE_PHOTOS, $title, $this->photoIDs]);
$result = $this->database->query($query);
# Call plugins # Call plugins
$this->plugins(__METHOD__, 1, func_get_args()); $this->plugins(__METHOD__, 1, func_get_args());
@ -667,7 +645,8 @@ class Photo extends Module {
if (strlen($description)>1000) $description = substr($description, 0, 1000); if (strlen($description)>1000) $description = substr($description, 0, 1000);
# Set description # Set description
$result = $this->database->query("UPDATE lychee_photos SET description = '$description' WHERE id IN ('$this->photoIDs');"); $query = Database::prepare($this->database, "UPDATE ? SET description = '?' WHERE id IN ('?')", [LYCHEE_TABLE_PHOTOS, $description, $this->photoIDs]);
$result = $this->database->query($query);
# Call plugins # Call plugins
$this->plugins(__METHOD__, 1, func_get_args()); $this->plugins(__METHOD__, 1, func_get_args());
@ -692,7 +671,8 @@ class Photo extends Module {
$error = false; $error = false;
# Get photos # Get photos
$photos = $this->database->query("SELECT id, star FROM lychee_photos WHERE id IN ($this->photoIDs);"); $query = Database::prepare($this->database, "SELECT id, star FROM ? WHERE id IN (?)", [LYCHEE_TABLE_PHOTOS, $this->photoIDs]);
$photos = $this->database->query($query);
# For each photo # For each photo
while ($photo = $photos->fetch_object()) { while ($photo = $photos->fetch_object()) {
@ -701,7 +681,8 @@ class Photo extends Module {
$star = ($photo->star==0 ? 1 : 0); $star = ($photo->star==0 ? 1 : 0);
# Set star # Set star
$star = $this->database->query("UPDATE lychee_photos SET star = '$star' WHERE id = '$photo->id';"); $query = Database::prepare($this->database, "UPDATE ? SET star = '?' WHERE id = '?'", [LYCHEE_TABLE_PHOTOS, $star, $photo->id]);
$star = $this->database->query($query);
if (!$star) $error = true; if (!$star) $error = true;
} }
@ -726,15 +707,16 @@ class Photo extends Module {
$this->plugins(__METHOD__, 0, func_get_args()); $this->plugins(__METHOD__, 0, func_get_args());
# Get photo # Get photo
$photos = $this->database->query("SELECT public, album FROM lychee_photos WHERE id = '$this->photoIDs' LIMIT 1;"); $query = Database::prepare($this->database, "SELECT public, album FROM ? WHERE id = '?' LIMIT 1", [LYCHEE_TABLE_PHOTOS, $this->photoIDs]);
$photos = $this->database->query($query);
$photo = $photos->fetch_object(); $photo = $photos->fetch_object();
# Check if public # Check if public
if ($photo->public==1) return true; if ($photo->public==1) return true;
else { else {
$album = new Album($this->database, null, null, $photo->album); $album = new Album($this->database, null, null, $photo->album);
$acP = $album->checkPassword($password); $acP = $album->checkPassword($password);
$agP = $album->getPublic(); $agP = $album->getPublic();
if ($acP===true&&$agP===true) return true; if ($acP===true&&$agP===true) return true;
} }
@ -754,14 +736,16 @@ class Photo extends Module {
$this->plugins(__METHOD__, 0, func_get_args()); $this->plugins(__METHOD__, 0, func_get_args());
# Get public # Get public
$photos = $this->database->query("SELECT public FROM lychee_photos WHERE id = '$this->photoIDs' LIMIT 1;"); $query = Database::prepare($this->database, "SELECT public FROM ? WHERE id = '?' LIMIT 1", [LYCHEE_TABLE_PHOTOS, $this->photoIDs]);
$photos = $this->database->query($query);
$photo = $photos->fetch_object(); $photo = $photos->fetch_object();
# Invert public # Invert public
$public = ($photo->public==0 ? 1 : 0); $public = ($photo->public==0 ? 1 : 0);
# Set public # Set public
$result = $this->database->query("UPDATE lychee_photos SET public = '$public' WHERE id = '$this->photoIDs';"); $query = Database::prepare($this->database, "UPDATE ? SET public = '?' WHERE id = '?'", [LYCHEE_TABLE_PHOTOS, $public, $this->photoIDs]);
$result = $this->database->query($query);
# Call plugins # Call plugins
$this->plugins(__METHOD__, 1, func_get_args()); $this->plugins(__METHOD__, 1, func_get_args());
@ -783,7 +767,8 @@ class Photo extends Module {
$this->plugins(__METHOD__, 0, func_get_args()); $this->plugins(__METHOD__, 0, func_get_args());
# Set album # Set album
$result = $this->database->query("UPDATE lychee_photos SET album = '$albumID' WHERE id IN ($this->photoIDs);"); $query = Database::prepare($this->database, "UPDATE ? SET album = '?' WHERE id IN (?)", [LYCHEE_TABLE_PHOTOS, $albumID, $this->photoIDs]);
$result = $this->database->query($query);
# Call plugins # Call plugins
$this->plugins(__METHOD__, 1, func_get_args()); $this->plugins(__METHOD__, 1, func_get_args());
@ -813,7 +798,8 @@ class Photo extends Module {
} }
# Set tags # Set tags
$result = $this->database->query("UPDATE lychee_photos SET tags = '$tags' WHERE id IN ($this->photoIDs);"); $query = Database::prepare($this->database, "UPDATE ? SET tags = '?' WHERE id IN (?)", [LYCHEE_TABLE_PHOTOS, $tags, $this->photoIDs]);
$result = $this->database->query($query);
# Call plugins # Call plugins
$this->plugins(__METHOD__, 1, func_get_args()); $this->plugins(__METHOD__, 1, func_get_args());
@ -835,7 +821,8 @@ class Photo extends Module {
$this->plugins(__METHOD__, 0, func_get_args()); $this->plugins(__METHOD__, 0, func_get_args());
# Get photos # Get photos
$photos = $this->database->query("SELECT id, checksum FROM lychee_photos WHERE id IN ($this->photoIDs);"); $query = Database::prepare($this->database, "SELECT id, checksum FROM ? WHERE id IN (?)", [LYCHEE_TABLE_PHOTOS, $this->photoIDs]);
$photos = $this->database->query($query);
if (!$photos) { if (!$photos) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);
return false; return false;
@ -849,7 +836,9 @@ class Photo extends Module {
while(strlen($id)<14) $id .= 0; while(strlen($id)<14) $id .= 0;
# Duplicate entry # Duplicate entry
$duplicate = $this->database->query("INSERT INTO lychee_photos(id, title, url, description, tags, type, width, height, size, iso, aperture, make, model, shutter, focal, takestamp, thumbUrl, album, public, star, checksum) SELECT '$id' AS id, title, url, description, tags, type, width, height, size, iso, aperture, make, model, shutter, focal, takestamp, thumbUrl, album, public, star, checksum FROM lychee_photos WHERE id = '$photo->id';"); $values = [LYCHEE_TABLE_PHOTOS, $id, LYCHEE_TABLE_PHOTOS, $photo->id];
$query = Database::prepare($this->database, "INSERT INTO ? (id, title, url, description, tags, type, width, height, size, iso, aperture, make, model, shutter, focal, takestamp, thumbUrl, album, public, star, checksum) SELECT '?' AS id, title, url, description, tags, type, width, height, size, iso, aperture, make, model, shutter, focal, takestamp, thumbUrl, album, public, star, checksum FROM ? WHERE id = '?'", $values);
$duplicate = $this->database->query($query);
if (!$duplicate) { if (!$duplicate) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);
return false; return false;
@ -870,7 +859,8 @@ class Photo extends Module {
$this->plugins(__METHOD__, 0, func_get_args()); $this->plugins(__METHOD__, 0, func_get_args());
# Get photos # Get photos
$photos = $this->database->query("SELECT id, url, thumbUrl, checksum FROM lychee_photos WHERE id IN ($this->photoIDs);"); $query = Database::prepare($this->database, "SELECT id, url, thumbUrl, checksum FROM ? WHERE id IN (?)", [LYCHEE_TABLE_PHOTOS, $this->photoIDs]);
$photos = $this->database->query($query);
if (!$photos) { if (!$photos) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);
return false; return false;
@ -908,7 +898,8 @@ class Photo extends Module {
} }
# Delete db entry # Delete db entry
$delete = $this->database->query("DELETE FROM lychee_photos WHERE id = '$photo->id';"); $query = Database::prepare($this->database, "DELETE FROM ? WHERE id = '?'", [LYCHEE_TABLE_PHOTOS, $photo->id]);
$delete = $this->database->query($query);
if (!$delete) { if (!$delete) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);
return false; return false;