arno/lychee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Converted Settings to prepared statements (#38 #214 #196)

Browse Source
This commit is contained in:
Tobias Reich 2014-08-29 21:38:40 +02:00
parent e92635b44b
commit bef84572fb
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
php/modules/Settings.php
View File

@ -27,7 +27,8 @@ class Settings extends Module {
self::dependencies(isset($this->database)); self::dependencies(isset($this->database));
# Execute query # Execute query
$settings = $this->database->query('SELECT * FROM lychee_settings;'); $query = Database::prepare($this->database, "SELECT * FROM ?", [LYCHEE_TABLE_SETTINGS]);
$settings = $this->database->query($query);
# Add each to return # Add each to return
while ($setting = $settings->fetch_object()) $return[$setting->key] = $setting->value; while ($setting = $settings->fetch_object()) $return[$setting->key] = $setting->value;
@ -76,7 +77,8 @@ class Settings extends Module {
} }
# Execute query # Execute query
$result = $this->database->query("UPDATE lychee_settings SET value = '$username' WHERE `key` = 'username';"); $query = Database::prepare($this->database, "UPDATE ? SET value = '?' WHERE `key` = 'username'", [LYCHEE_TABLE_SETTINGS, $username]);
$result = $this->database->query($query);
if (!$result) { if (!$result) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);
@ -94,7 +96,10 @@ class Settings extends Module {
$password = get_hashed_password($password); $password = get_hashed_password($password);
# Execute query # Execute query
$result = $this->database->query("UPDATE lychee_settings SET value = '$password' WHERE `key` = 'password';"); # Do not prepare $password because it is hashed and save
# Preparing (escaping) the password would destroy the hash
$query = Database::prepare($this->database, "UPDATE ? SET value = '$password' WHERE `key` = 'password'", [LYCHEE_TABLE_SETTINGS]);
$result = $this->database->query($query);
if (!$result) { if (!$result) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);
@ -115,7 +120,8 @@ class Settings extends Module {
} }
# Execute query # Execute query
$result = $this->database->query("UPDATE lychee_settings SET value = '$key' WHERE `key` = 'dropboxKey';"); $query = Database::prepare($this->database, "UPDATE ? SET value = '?' WHERE `key` = 'dropboxKey'", [LYCHEE_TABLE_SETTINGS, $key]);
$result = $this->database->query($query);
if (!$result) { if (!$result) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);
@ -176,7 +182,10 @@ class Settings extends Module {
} }
# Execute query # Execute query
$result = $this->database->query("UPDATE lychee_settings SET value = '$sorting' WHERE `key` = 'sorting';"); # Do not prepare $sorting because it is a true statement
# Preparing (escaping) the sorting would destroy it
$query = Database::prepare($this->database, "UPDATE ? SET value = '$sorting' WHERE `key` = 'sorting'", [LYCHEE_TABLE_SETTINGS]);
$result = $this->database->query($query);
if (!$result) { if (!$result) {
Log::error($this->database, __METHOD__, __LINE__, $this->database->error); Log::error($this->database, __METHOD__, __LINE__, $this->database->error);