
Commit 604c0c2

author
Till Brehm
committed
Code review.
1 parent 938baf0 commit 604c0c2

66 files changed

+228
-376
lines changed

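--- a/interface/lib/classes/aps_crawler.inc.php
+++ b/interface/lib/classes/aps_crawler.inc.php
@@ -595,7 +595,7 @@ public function fixURLs()
 foreach($incomplete_pkgs as $incomplete_pkg){
 $pkg_url = @file_get_contents($this->interface_pkg_dir.'/'.$incomplete_pkg['path'].'/PKG_URL');
 if($pkg_url != ''){
-$app->db->datalogUpdate('aps_packages', "package_url = '".$pkg_url."'", 'id', $incomplete_pkg['id']);
+$app->db->datalogUpdate('aps_packages', "package_url = '".$app->db->quote($pkg_url)."'", 'id', $incomplete_pkg['id']);
 }
 }
 }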
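Review bot: The guard `if($pkg_url != '')` two lines above the change only skips a failed `@file_get_contents()` because `false` loosely equals `''`; that is correct today but implicit, and the `@` hides the reason the read failed. Since the quoted value now comes straight from a PKG_URL file in the package directory, make the guard explicit: `if($pkg_url !== false && $pkg_url !== ''){`. The enclosing method continues outside the hunk.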

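--- a/interface/lib/classes/aps_guicontroller.inc.php
+++ b/interface/lib/classes/aps_guicontroller.inc.php
@@ -266,18 +266,18 @@ public function createPackageInstance($settings, $packageid)
 unset($tmp);
 
 // get information if the webserver is a db server, too
-$web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ".$websrv['server_id']);
+$web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ".$app->functions->intval($websrv['server_id']));
 if($web_server['db_server'] == 1) {
 // create database on "localhost" (webserver)
-$mysql_db_server_id = $websrv['server_id'];
+$mysql_db_server_id = $app->functions->intval($websrv['server_id']);
 $mysql_db_host = 'localhost';
 $mysql_db_remote_access = 'n';
 $mysql_db_remote_ips = '';
 } else {
 //* get the default database server of the client
-$client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$websrv['sys_groupid']);
+$client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($websrv['sys_groupid']));
 if(is_array($client) && $client['default_dbserver'] > 0 && $client['default_dbserver'] != $websrv['server_id']) {
-$mysql_db_server_id = $client['default_dbserver'];
+$mysql_db_server_id = $app->functions->intval($client['default_dbserver']);
 $dbserver_config = $web_config = $app->getconf->get_server_config($app->functions->intval($mysql_db_server_id), 'server');
 $mysql_db_host = $dbserver_config['ip_address'];
 $mysql_db_remote_access = 'y';
@@ -301,13 +301,13 @@ public function createPackageInstance($settings, $packageid)
 
 //* Find a free db name for the app
 for($n = 1; $n <= 1000; $n++) {
-$mysql_db_name = ($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps'));
+$mysql_db_name = $app->db->quote(($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps')));
 $tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = '".$app->db->quote($mysql_db_name)."'");
 if($tmp['number'] == 0) break;
 }
 //* Find a free db username for the app
 for($n = 1; $n <= 1000; $n++) {
-$mysql_db_user = ($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps'));
+$mysql_db_user = $app->db->quote(($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps')));
 $tmp = $app->db->queryOneRecord("SELECT count(database_user_id) as number FROM web_database_user WHERE database_user = '".$app->db->quote($mysql_db_user)."'");
 if($tmp['number'] == 0) break;
 }
@@ -316,12 +316,12 @@ public function createPackageInstance($settings, $packageid)
 
 //* Create the mysql database user
 $insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `database_user`, `database_user_prefix`, `database_password`)
-VALUES( ".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', 0, '$mysql_db_user', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('$mysql_db_password'))";
+VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', 0, '$mysql_db_user', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('$mysql_db_password'))";
 $mysql_db_user_id = $app->db->datalogInsert('web_database_user', $insert_data, 'database_user_id');
 
 //* Create the mysql database
 $insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `parent_domain_id`, `type`, `database_name`, `database_name_prefix`, `database_user_id`, `database_ro_user_id`, `database_charset`, `remote_access`, `remote_ips`, `backup_copies`, `active`, `backup_interval`)
-VALUES( ".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', $mysql_db_server_id, ".$websrv['domain_id'].", 'mysql', '$mysql_db_name', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$websrv['backup_copies'].", 'y', '".$websrv['backup_interval']."')";
+VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', $mysql_db_server_id, ".$app->functions->intval($websrv['domain_id']).", 'mysql', '$mysql_db_name', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$app->functions->intval($websrv['backup_copies']).", 'y', '".$app->functions->intval($websrv['backup_interval'])."')";
 $app->db->datalogInsert('web_database', $insert_data, 'database_id');
 
 //* Add db details to package settings
@@ -332,7 +332,7 @@ public function createPackageInstance($settings, $packageid)
 }
 
 //* Insert new package instance
-$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `customer_id`, `package_id`, `instance_status`) VALUES (".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', ".$app->db->quote($webserver_id).",".$app->db->quote($customerid).", ".$app->db->quote($packageid).", ".INSTANCE_PENDING.")";
+$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `customer_id`, `package_id`, `instance_status`) VALUES (".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', ".$app->db->quote($webserver_id).",".$app->db->quote($customerid).", ".$app->db->quote($packageid).", ".INSTANCE_PENDING.")";
 $InstanceID = $app->db->datalogInsert('aps_instances', $insert_data, 'id');
 
 //* Insert all package settings
@@ -404,7 +404,7 @@ public function reinstallInstance($instanceid)
 $app->db->datalogSave('aps', 'INSERT', 'id', $instanceid, array(), $datalog);
 */
 
-$sql = "SELECT web_database.database_id as database_id FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.value = aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ".$instanceid." LIMIT 0,1";
+$sql = "SELECT web_database.database_id as database_id FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.value = aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ".$app->db->quote($instanceid)." LIMIT 0,1";
 $tmp = $app->db->queryOneRecord($sql);
 if($tmp['database_id'] > 0) $app->db->datalogDelete('web_database', 'database_id', $tmp['database_id']);
 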

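--- a/interface/lib/classes/auth.inc.php
+++ b/interface/lib/classes/auth.inc.php
@@ -33,7 +33,7 @@ class auth {
 
 public function get_user_id()
 {
-return $_SESSION['s']['user']['userid'];
+return $app->functions->intval($_SESSION['s']['user']['userid']);
 }
 
 public function is_admin() {
@@ -80,7 +80,9 @@ public function add_group_to_user($userid, $groupid) {
 public function get_client_limit($userid, $limitname)
 {
 global $app;
-
+
+$userid = $app->functions->intval($userid);
+
 // simple query cache
 if($this->client_limits===null)
 $this->client_limits = $app->db->queryOneRecord("SELECT client.* FROM sys_user, client WHERE sys_user.userid = $userid AND sys_user.client_id = client.client_id");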
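Review bot: `get_user_id()` now calls `$app->functions->intval(...)` but the method body declares no `global $app;`, unlike `get_client_limit()` in the second hunk which has it at line 82, so `$app` is undefined inside `get_user_id()` and the call fails at runtime for every caller that relies on the user id. Add `global $app;` as the first statement of the method, before the `return`. Since this id feeds the permission checks elsewhere in the class, the coercion itself is the right change; the rest of the class is outside the hunks.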

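--- a/interface/lib/classes/client_templates.inc.php
+++ b/interface/lib/classes/client_templates.inc.php
@@ -49,7 +49,7 @@ function update_client_templates($clientId, $templates = array()) {
 
 if($old_style == true) {
 // we have to take care of this in an other way
-$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $clientId);
+$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId));
 if(is_array($in_db) && count($in_db) > 0) {
 foreach($in_db as $item) {
 if(array_key_exists($item['client_template_id'], $needed_types) == false) $needed_types[$item['client_template_id']] = 0;
@@ -61,32 +61,32 @@ function update_client_templates($clientId, $templates = array()) {
 if($count > 0) {
 // add new template to client (includes those from old-style without assigned_template_id)
 for($i = $count; $i > 0; $i--) {
-$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $clientId . ', ' . $tpl_id . ')');
+$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($tpl_id) . ')');
 }
 } elseif($count < 0) {
 // remove old ones
 for($i = $count; $i < 0; $i++) {
-$app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ' . $clientId . ' AND client_template_id = ' . $tpl_id . ' LIMIT 1');
+$app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ' . $app->functions->intval($clientId) . ' AND client_template_id = ' . $app->functions->intval($tpl_id) . ' LIMIT 1');
 }
 }
 }
 } else {
 // we have to take care of this in an other way
-$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $clientId);
+$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId));
 if(is_array($in_db) && count($in_db) > 0) {
 // check which templates were removed from this client
 foreach($in_db as $item) {
 if(in_array($item['assigned_template_id'], $used_assigned) == false) {
 // delete this one
-$app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $item['assigned_template_id']);
+$app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $app->functions->intval($item['assigned_template_id']));
 }
 }
 }
 
 if(count($new_tpl) > 0) {
 foreach($new_tpl as $item) {
 // add new template to client (includes those from old-style without assigned_template_id)
-$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $clientId . ', ' . $item . ')');
+$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($item) . ')');
 }
 }
 }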
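Review bot: `$app->functions->intval($clientId)` is now repeated inside six query strings across the two hunks, which makes each query harder to read and easy to miss on the next edit. Coerce the parameter once at the top of `update_client_templates()` the way this commit does in `auth::get_client_limit()`, `$clientId = $app->functions->intval($clientId);`, and keep the plain `$clientId` in the queries. The function's opening lines, where that statement belongs, are outside the hunks.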

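--- a/interface/lib/classes/custom_datasource.inc.php
+++ b/interface/lib/classes/custom_datasource.inc.php
@@ -46,9 +46,9 @@ function dns_servers($field, $record) {
 
 if($_SESSION["s"]["user"]["typ"] == 'user') {
 // Get the limits of the client
-$client_group_id = $_SESSION["s"]["user"]["default_group"];
+$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 $client = $app->db->queryOneRecord("SELECT default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
-$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['default_dnsserver'];
+$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_dnsserver']);
 } else {
 $sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name";
 }
@@ -68,9 +68,9 @@ function slave_dns_servers($field, $record) {
 
 if($_SESSION["s"]["user"]["typ"] == 'user') {
 // Get the limits of the client
-$client_group_id = $_SESSION["s"]["user"]["default_group"];
+$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 $client = $app->db->queryOneRecord("SELECT default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
-$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['default_slave_dnsserver'];
+$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_slave_dnsserver']);
 } else {
 $sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name";
 }
@@ -99,7 +99,7 @@ function webdav_domains($field, $record) {
 }
 if(count($server_ids) == 0) return array();
 $server_ids = implode(',', $server_ids);
-$records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN (".$server_ids.") AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain");
+$records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN (".$app->db->quote($server_ids).") AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain");
 
 $records_new = array();
 if(is_array($records)) {
@@ -146,12 +146,12 @@ function client_servers($field, $record) {
 
 if($_SESSION["s"]["user"]["typ"] == 'user') {
 // Get the limits of the client
-$client_group_id = $_SESSION["s"]["user"]["default_group"];
+$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 $sql = "SELECT $server_type as server_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id";
 $client = $app->db->queryOneRecord($sql);
 if($client['server_id'] > 0) {
 //* Select the default server for the client
-$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['server_id']);
+$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['server_id']);
 } else {
 //* Not able to find the clients defaults, use this as fallback and add a warning message to the log
 $app->log('Unable to find default server for client in custom_datasource.inc.php', 1);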
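Review bot: In the `webdav_domains()` hunk the new line 102 applies `$app->db->quote()` to `$server_ids`, which is a comma-joined list interpolated unquoted inside `IN (...)`; escaping quote characters does not restrict the list to integers, so this line is the one place in the section that does not get the integer coercion the other three hunks use. Coerce each element before joining on line 101 instead, `$server_ids = implode(',', array_map(array($app->functions, 'intval'), $server_ids));`, and drop the `quote()` wrapper on line 102. Where `$server_ids` is populated is above the hunk, so I cannot confirm whether its elements are already integers; the per-element coercion is cheap either way. Also note `$server_type` in the `client_servers()` hunk is still interpolated unescaped as a column name; its origin is outside the hunk, so only flagging it.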

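--- a/interface/lib/classes/form.inc.php
+++ b/interface/lib/classes/form.inc.php
@@ -1,5 +1,7 @@
 <?php
 
+die('Deprecated file: form.inc.php');
+
 /*
 Copyright (c) 2007, Till Brehm, projektfarm Gmbh
 All rights reserved.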
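Review bot: The unconditional `die()` on line 3 leaves the whole remaining file as unreachable code and gives the next reader no hint why it was kept rather than deleted; if an include of this file still exists somewhere, the request ends with a bare string in the response and nothing in the application log. Add a short comment above it, `// Intentionally disabled: kept so stale include paths fail loudly; delete once no caller references this file.`, and consider logging via `$app->log()` (as the other files in this commit do) before terminating so the stale include is visible to the operator. Whether any caller still includes this file cannot be determined from the hunk.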

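--- a/interface/lib/classes/plugin_backuplist.inc.php
+++ b/interface/lib/classes/plugin_backuplist.inc.php
@@ -108,8 +108,8 @@ function onShow() {
 }
 
 //* Get the data
-$web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ".$this->form->id);
-$sql = "SELECT * FROM web_backup WHERE parent_domain_id = ".$this->form->id." AND server_id = ".$web['server_id']." ORDER BY tstamp DESC, backup_type ASC";
+$web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ".$app->functions->intval($this->form->id));
+$sql = "SELECT * FROM web_backup WHERE parent_domain_id = ".$app->functions->intval($this->form->id)." AND server_id = ".$app->functions->intval($web['server_id'])." ORDER BY tstamp DESC, backup_type ASC";
 $records = $app->db->queryAllRecords($sql);
 
 $bgcolor = "#FFFFFF";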

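--- a/interface/web/admin/login_as.php
+++ b/interface/web/admin/login_as.php
@@ -51,7 +51,7 @@
 $client_id = $app->functions->intval($_GET['cid']);
 $tmp_client = $app->db->queryOneRecord("SELECT username FROM client WHERE client_id = $client_id");
 $tmp_sys_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE username = '".$app->db->quote($tmp_client['username'])."'");
-$userId = $tmp_sys_user['userid'];
+$userId = $app->functions->intval($tmp_sys_user['userid']);
 unset($tmp_client);
 unset($tmp_sys_user);
 $backlink = 'client/client_list.php';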
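Review bot: When the `sys_user` lookup on line 53 returns no row (an unknown `cid`, or a client without a matching sys_user), `$tmp_sys_user['userid']` is unset and the new `intval()` turns that into `$userId = 0` silently, where the old code at least left a visible empty value. Because this value selects the account the admin is switched into, verify the lookup succeeded before deriving the id, e.g. `if(!is_array($tmp_sys_user) || $tmp_sys_user['userid'] == '') die('Unknown client');` ahead of line 54, so a missing mapping aborts instead of continuing with a zero id. What happens to `$userId` further down is outside the hunk, so the impact of a zero id there is inferred rather than verified.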

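--- a/interface/web/admin/remote_action_ispcupdate.php
+++ b/interface/web/admin/remote_action_ispcupdate.php
@@ -81,7 +81,7 @@
 foreach ($servers as $serverId) {
 $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
 "VALUES (".
-(int)$serverId . ", " .
+$app->functions->intval($serverId) . ", " .
 time() . ", " .
 "'ispc_update', " .
 "'', " .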

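--- a/interface/web/admin/remote_action_osupdate.php
+++ b/interface/web/admin/remote_action_osupdate.php
@@ -76,7 +76,7 @@
 foreach ($servers as $serverId) {
 $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
 "VALUES (".
-(int)$serverId . ", " .
+$app->functions->intval($serverId) . ", " .
 time() . ", " .
 "'os_update', " .
 "'', " .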
