diff --git a/web/includes/actions.php b/web/includes/actions.php
index 6eadb97ae..c184579ed 100644
--- a/web/includes/actions.php
+++ b/web/includes/actions.php
@@ -87,23 +87,23 @@ if ( !empty($action) ) $_REQUEST['filter']['sort_field'] = validStr($_REQUEST['sort_field']); $_REQUEST['filter']['sort_asc'] = validStr($_REQUEST['sort_asc']); $_REQUEST['filter']['limit'] = validInt($_REQUEST['limit']); - $sql = "replace into Filters set Name = '".dbEscape($filterName)."', Query = '".dbEscape(jsonEncode($_REQUEST['filter']))."'"; + $sql = "replace into Filters set Name = ".dbEscape($filterName).", Query = ".dbEscape(jsonEncode($_REQUEST['filter'])); if ( !empty($_REQUEST['autoArchive']) ) - $sql .= ", AutoArchive = '".dbEscape($_REQUEST['autoArchive'])."'"; + $sql .= ", AutoArchive = ".dbEscape($_REQUEST['autoArchive']); if ( !empty($_REQUEST['autoVideo']) ) - $sql .= ", AutoVideo = '".dbEscape($_REQUEST['autoVideo'])."'"; + $sql .= ", AutoVideo = ".dbEscape($_REQUEST['autoVideo']); if ( !empty($_REQUEST['autoUpload']) ) - $sql .= ", AutoUpload = '".dbEscape($_REQUEST['autoUpload'])."'"; + $sql .= ", AutoUpload = ".dbEscape($_REQUEST['autoUpload']); if ( !empty($_REQUEST['autoEmail']) ) - $sql .= ", AutoEmail = '".dbEscape($_REQUEST['autoEmail'])."'"; + $sql .= ", AutoEmail = ".dbEscape($_REQUEST['autoEmail']); if ( !empty($_REQUEST['autoMessage']) ) - $sql .= ", AutoMessage = '".dbEscape($_REQUEST['autoMessage'])."'"; + $sql .= ", AutoMessage = ".dbEscape($_REQUEST['autoMessage']); if ( !empty($_REQUEST['autoExecute']) && !empty($_REQUEST['autoExecuteCmd']) ) - $sql .= ", AutoExecute = '".dbEscape($_REQUEST['autoExecute'])."', AutoExecuteCmd = '".dbEscape($_REQUEST['autoExecuteCmd'])."'"; + $sql .= ", AutoExecute = ".dbEscape($_REQUEST['autoExecute']).", AutoExecuteCmd = ".dbEscape($_REQUEST['autoExecuteCmd']); if ( !empty($_REQUEST['autoDelete']) ) - $sql .= ", AutoDelete = '".dbEscape($_REQUEST['autoDelete'])."'"; + $sql .= ", AutoDelete = ".dbEscape($_REQUEST['autoDelete']); if ( !empty($_REQUEST['background']) ) - $sql .= ", Background = '".dbEscape($_REQUEST['background'])."'"; + $sql .= ", Background = 
".dbEscape($_REQUEST['background']); dbQuery( $sql ); $refreshParent = true; } @@ -116,20 +116,20 @@ if ( !empty($action) ) { if ( $action == "rename" && isset($_REQUEST['eventName']) && !empty($_REQUEST['eid']) ) { - dbQuery( "update Events set Name = '".dbEscape($_REQUEST['eventName'])."' where Id = '".dbEscape($_REQUEST['eid'])."'" ); + dbQuery( "update Events set Name = ".dbEscape($_REQUEST['eventName'])." where Id = ".dbEscape($_REQUEST['eid']) ); } else if ( $action == "eventdetail" ) { if ( !empty($_REQUEST['eid']) ) { - dbQuery( "update Events set Cause = '".dbEscape($_REQUEST['newEvent']['Cause'])."', Notes = '".dbEscape($_REQUEST['newEvent']['Notes'])."' where Id = '".dbEscape($_REQUEST['eid'])."'" ); + dbQuery( "update Events set Cause = ".dbEscape($_REQUEST['newEvent']['Cause']).", Notes = ".dbEscape($_REQUEST['newEvent']['Notes'])." where Id = ".dbEscape($_REQUEST['eid']) ); $refreshParent = true; } else { foreach( getAffectedIds( 'markEid' ) as $markEid ) { - dbQuery( "update Events set Cause = '".dbEscape($_REQUEST['newEvent']['Cause'])."', Notes = '".dbEscape($_REQUEST['newEvent']['Notes'])."' where Id = '".dbEscape($markEid)."'" ); + dbQuery( "update Events set Cause = ".dbEscape($_REQUEST['newEvent']['Cause']).", Notes = ".dbEscape($_REQUEST['newEvent']['Notes'])." where Id = ".dbEscape($markEid) ); $refreshParent = true; } } @@ -139,13 +139,13 @@ if ( !empty($action) ) $archiveVal = ($action == "archive")?1:0; if ( !empty($_REQUEST['eid']) ) { - dbQuery( "update Events set Archived = $archiveVal where Id = '".dbEscape($_REQUEST['eid'])."'" ); + dbQuery( "update Events set Archived = $archiveVal where Id = ".dbEscape($_REQUEST['eid']) ); } else { foreach( getAffectedIds( 'markEid' ) as $markEid ) { - dbQuery( "update Events set Archived = $archiveVal where Id = '".dbEscape($markEid)."'" ); + dbQuery( "update Events set Archived = $archiveVal where Id = ".dbEscape($markEid) ); $refreshParent = true; } } 
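Review bot: Every value in the `replace into Filters` statement now depends on dbEscape() returning a complete, quoted SQL literal, and that helper's definition is not part of this diff, so its new contract should be confirmed and stated in a comment where it is defined. If any caller or helper still wraps the result in its own quotes, or if dbEscape() only escapes, the statement is either malformed or injectable, and nothing at these call sites would show which. Bound parameters would remove that dependency, for example `dbQuery( 'replace into Filters set Name = ?, Query = ?', array( $filterName, jsonEncode($_REQUEST['filter']) ) )`, assuming dbQuery() can be given a parameter array (not visible here). The same holds for the other hunks in this file.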
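Review bot: `$_REQUEST['eid']` reaches the `where Id =` clause of the rename and eventdetail updates as a quoted string rather than a validated integer, while `mid`, `zid` and `smid` elsewhere in this file go through validInt() first. Assuming Id is a numeric column, MySQL casts the string for the comparison, so a value with trailing non-digits can still match a row. Normalising once, `$eid = validInt($_REQUEST['eid']);`, and using `$eid` in the query keeps the id paths consistent. The same pattern applies to `eid` in the -139 hunk and to `cid`, `markCid`, `did`, `markDid`, `uid`, `markUid` and `gid` in the hunks further down.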
@@ -159,7 +159,7 @@ if ( !empty($action) ) } if ( !empty($_REQUEST['fid']) ) { - dbQuery( "delete from Filters where Name = '".dbEscape($_REQUEST['fid'])."'" ); + dbQuery( "delete from Filters where Name = ".dbEscape($_REQUEST['fid']) ); //$refreshParent = true; } } @@ -172,7 +172,7 @@ if ( !empty($action) ) $mid = validInt($_REQUEST['mid']); if ( $action == "control" ) { - $monitor = dbFetchOne( "select C.*,M.* from Monitors as M inner join Controls as C on (M.ControlId = C.Id) where M.Id = '".dbEscape($mid)."'" ); + $monitor = dbFetchOne( "select C.*,M.* from Monitors as M inner join Controls as C on (M.ControlId = C.Id) where M.Id = ".dbEscape($mid) ); $ctrlCommand = buildControlCommand( $monitor ); @@ -226,7 +226,7 @@ if ( !empty($action) ) { if ( !empty($_REQUEST['cid']) ) { - $control = dbFetchOne( "select * from Controls where Id = '".dbEscape($_REQUEST['cid'])."'" ); + $control = dbFetchOne( "select * from Controls where Id = ".dbEscape($_REQUEST['cid']) ); } else { @@ -252,7 +252,7 @@ if ( !empty($action) ) { if ( !empty($_REQUEST['cid']) ) { - dbQuery( "update Controls set ".implode( ", ", $changes )." where Id = '".dbEscape($_REQUEST['cid'])."'" ); + dbQuery( "update Controls set ".implode( ", ", $changes )." where Id = ".dbEscape($_REQUEST['cid']) ); } else { @@ -269,8 +269,8 @@ if ( !empty($action) ) { foreach( $_REQUEST['markCids'] as $markCid ) { - dbQuery( "delete from Controls where Id = '".dbEscape($markCid)."'" ); - dbQuery( "update Monitors set Controllable = 0, ControlId = 0 where ControlId = '".dbEscape($markCid)."'" ); + dbQuery( "delete from Controls where Id = ".dbEscape($markCid) ); + dbQuery( "update Monitors set Controllable = 0, ControlId = 0 where ControlId = ".dbEscape($markCid) ); $refreshParent = true; } } 
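Review bot: The `update Controls` statement in the -252 hunk joins `$changes` with implode(), and those fragments are built outside the hunk (presumably by getFormChanges(), which is visible only in the user hunks), so whether they follow the new quoting convention cannot be checked here. If the fragment builder still emits `'".dbEscape($value)."'`, the values would be double-quoted once dbEscape() adds its own quotes. That builder should be reviewed in the same commit; the other `implode( ", ", $changes )` and `$x10Changes` statements in the -343, -462, -500, -534, -818 and -903 hunks depend on it too.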
@@ -292,7 +292,7 @@ if ( !empty($action) ) $oldEnabled = $monitor['Enabled']; if ( $newFunction != $oldFunction || $newEnabled != $oldEnabled ) { - dbQuery( "update Monitors set Function = '".dbEscape($newFunction)."', Enabled = '".$newEnabled."' where Id = '".$mid."'" ); + dbQuery( "update Monitors set Function = ".dbEscape($newFunction).", Enabled = '".$newEnabled."' where Id = '".$mid."'" ); $monitor['Function'] = $newFunction; $monitor['Enabled'] = $newEnabled; @@ -310,11 +310,11 @@ if ( !empty($action) ) elseif ( $action == "zone" && isset( $_REQUEST['zid'] ) ) { $zid = validInt($_REQUEST['zid']); - $monitor = dbFetchOne( "select * from Monitors where Id = '".dbEscape($mid)."'" ); + $monitor = dbFetchOne( "select * from Monitors where Id = ".dbEscape($mid) ); if ( !empty($zid) ) { - $zone = dbFetchOne( "select * from Zones where MonitorId = '".dbEscape($mid)."' and Id = '".dbEscape($zid)."'" ); + $zone = dbFetchOne( "select * from Zones where MonitorId = ".dbEscape($mid)." and Id = ".dbEscape($zid) ); } else { @@ -343,11 +343,11 @@ if ( !empty($action) ) { if ( $zid > 0 ) { - $sql = "update Zones set ".implode( ", ", $changes )." where MonitorId = '".dbEscape($mid)."' and Id = '".dbEscape($zid)."'"; + $sql = "update Zones set ".implode( ", ", $changes )." where MonitorId = ".dbEscape($mid)." and Id = ".dbEscape($zid); } else { - $sql = "insert into Zones set MonitorId = '".dbEscape($mid)."', ".implode( ", ", $changes ); + $sql = "insert into Zones set MonitorId = ".dbEscape($mid).", ".implode( ", ", $changes ); } dbQuery( $sql ); //if ( $cookies ) session_write_close(); 
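Review bot: The `update Monitors set Function` line in the -292 hunk was only half converted: `Enabled = '".$newEnabled."' where Id = '".$mid."'` still interpolates both values with hand-written quotes and no escaping. `$mid` is passed through validInt() in other hunks, but where `$newEnabled` comes from is outside this hunk, so it should either be confirmed as a fixed 0/1 value or written as `Enabled = ".dbEscape($newEnabled)." where Id = ".dbEscape($mid)`. The same mixed style remains at `ZoneId='".$zid."'` (-363), `id='".$pconf['Id']."'` (-371), the two Sequence updates (-388) and `Id = '".$zone['Id']."'` (-500).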
@@ -363,7 +363,7 @@ if ( !empty($action) ) { $plugin=dbEscape($_REQUEST['pl']); $zid=validInt($_REQUEST['zid']); - $sql="SELECT * FROM PluginsConfig WHERE MonitorId='".dbEscape($mid)."' AND ZoneId='".$zid."' AND pluginName='".$plugin."'"; + $sql="SELECT * FROM PluginsConfig WHERE MonitorId=".dbEscape($mid)." AND ZoneId='".$zid."' AND pluginName=".$plugin; $pconfs=dbFetchAll( $sql ); $changes=0; foreach( $pconfs as $pconf ) @@ -371,7 +371,7 @@ if ( !empty($action) ) $value=$_REQUEST['pluginOpt'][$pconf['Name']]; if(array_key_exists($pconf['Name'], $_REQUEST['pluginOpt']) && ($pconf['Value']!=$value)) { - dbQuery("UPDATE PluginsConfig SET Value='".dbEscape($value)."' WHERE id='".$pconf['Id']."'"); + dbQuery("UPDATE PluginsConfig SET Value=".dbEscape($value)." WHERE id='".$pconf['Id']."'"); $changes++; } } @@ -388,8 +388,8 @@ if ( !empty($action) ) elseif ( $action == "sequence" && isset($_REQUEST['smid']) ) { $smid = validInt($_REQUEST['smid']); - $monitor = dbFetchOne( "select * from Monitors where Id = '".dbEscape($mid)."'" ); - $smonitor = dbFetchOne( "select * from Monitors where Id = '".dbEscape($smid)."'" ); + $monitor = dbFetchOne( "select * from Monitors where Id = ".dbEscape($mid) ); + $smonitor = dbFetchOne( "select * from Monitors where Id = ".dbEscape($smid) ); dbQuery( "update Monitors set Sequence = '".$smonitor['Sequence']."' where Id = '".$monitor['Id']."'" ); dbQuery( "update Monitors set Sequence = '".$monitor['Sequence']."' where Id = '".$smonitor['Id']."'" ); @@ -404,7 +404,7 @@ if ( !empty($action) ) $deletedZid = 0; foreach( $_REQUEST['markZids'] as $markZid ) { - dbQuery( "delete from Zones where MonitorId = '".dbEscape($mid)."' && Id = '".dbEscape($markZid)."'" ); + dbQuery( "delete from Zones where MonitorId = ".dbEscape($mid)." && Id = ".dbEscape($markZid) ); $deletedZid = 1; } if ( $deletedZid ) 
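Review bot: The zone delete in the -404 hunk uses `&&` between the two conditions where the rest of the file uses `and`. MySQL accepts `&&` as a synonym but has deprecated it (8.0.17), and it is not standard SQL, so `... where MonitorId = ".dbEscape($mid)." and Id = ".dbEscape($markZid)` is the safer spelling. `$markZid` comes straight from `$_REQUEST['markZids']` and could also go through validInt() like `$zid`.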
@@ -427,11 +427,11 @@ if ( !empty($action) ) if ( !empty($_REQUEST['mid']) ) { $mid = validInt($_REQUEST['mid']); - $monitor = dbFetchOne( "select * from Monitors where Id = '".dbEscape($mid)."'" ); + $monitor = dbFetchOne( "select * from Monitors where Id = ".dbEscape($mid) ); if ( ZM_OPT_X10 ) { - $x10Monitor = dbFetchOne( "select * from TriggersX10 where MonitorId = '".dbEscape($mid)."'" ); + $x10Monitor = dbFetchOne( "select * from TriggersX10 where MonitorId = ".dbEscape($mid) ); if ( !$x10Monitor ) $x10Monitor = array(); } @@ -462,7 +462,7 @@ if ( !empty($action) ) if ( !empty($_REQUEST['mid']) ) { $mid = validInt($_REQUEST['mid']); - $sql = "update Monitors set ".implode( ", ", $changes )." where Id = '".dbEscape($mid)."'"; + $sql = "update Monitors set ".implode( ", ", $changes )." where Id = ".dbEscape($mid); dbQuery( $sql ); if ( isset($changes['Name']) ) { @@ -477,7 +477,7 @@ if ( !empty($action) ) $oldH = $monitor['Height']; $oldA = $oldW * $oldH; - $zones = dbFetchAll( "select * from Zones where MonitorId = '".dbEscape($mid)."'" ); + $zones = dbFetchAll( "select * from Zones where MonitorId = ".dbEscape($mid) ); foreach ( $zones as $zone ) { $newZone = $zone; @@ -500,7 +500,7 @@ if ( !empty($action) ) if ( count( $changes ) ) { - dbQuery( "update Zones set ".implode( ", ", $changes )." where MonitorId = '".dbEscape($mid)."' and Id = '".$zone['Id']."'" ); + dbQuery( "update Zones set ".implode( ", ", $changes )." where MonitorId = ".dbEscape($mid)." and Id = '".$zone['Id']."'" ); } } } @@ -519,7 +519,7 @@ if ( !empty($action) ) symlink( $mid, ZM_DIR_EVENTS.'/'.$_REQUEST['newMonitor']['Name'] ); if ( isset($_COOKIE['zmGroup']) ) { - $sql = "update Groups set MonitorIds = concat(MonitorIds,',".$mid."') where Id = '".dbEscape($_COOKIE['zmGroup'])."'"; + $sql = "update Groups set MonitorIds = concat(MonitorIds,',".$mid."') where Id = ".dbEscape($_COOKIE['zmGroup']); dbQuery( $sql ); } } 
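Review bot: `symlink( $mid, ZM_DIR_EVENTS.'/'.$_REQUEST['newMonitor']['Name'] )` in the context of the -519 hunk builds a filesystem path from a request value, and no validation of the name is visible here. If the name is not restricted earlier in the function, a value containing `/` or `..` would place the link outside the events directory. A check before the call, such as `if ( preg_match( '/^[\w-]+$/', $_REQUEST['newMonitor']['Name'] ) )`, adjusted to the project's actual naming rule, would close that off. The enclosing block starts and ends outside the hunk.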
@@ -534,17 +534,17 @@ if ( !empty($action) ) { if ( $x10Monitor && isset($_REQUEST['newX10Monitor']) ) { - dbQuery( "update TriggersX10 set ".implode( ", ", $x10Changes )." where MonitorId = '".dbEscape($mid)."'" ); + dbQuery( "update TriggersX10 set ".implode( ", ", $x10Changes )." where MonitorId = ".dbEscape($mid) ); } elseif ( !$user['MonitorIds'] ) { if ( !$x10Monitor ) { - dbQuery( "insert into TriggersX10 set MonitorId = '".dbEscape($mid)."', ".implode( ", ", $x10Changes ) ); + dbQuery( "insert into TriggersX10 set MonitorId = ".dbEscape($mid).", ".implode( ", ", $x10Changes ) ); } else { - dbQuery( "delete from TriggersX10 where MonitorId = '".dbEscape($mid)."'" ); + dbQuery( "delete from TriggersX10 where MonitorId = ".dbEscape($mid) ); } } $restart = true; @@ -553,7 +553,7 @@ if ( !empty($action) ) if ( $restart ) { - $monitor = dbFetchOne( "select * from Monitors where Id = '".dbEscape($mid)."'" ); + $monitor = dbFetchOne( "select * from Monitors where Id = ".dbEscape($mid) ); fixDevices(); //if ( $cookies ) //session_write_close(); @@ -576,7 +576,7 @@ if ( !empty($action) ) { if ( canEdit( 'Monitors', $markMid ) ) { - $sql = "select * from Monitors where Id = '".dbEscape($markMid)."'"; + $sql = "select * from Monitors where Id = ".dbEscape($markMid); if ( $monitor = dbFetchOne( $sql ) ) { if ( daemonCheck() ) @@ -586,10 +586,10 @@ if ( !empty($action) ) } // This is the important stuff - dbQuery( "delete from Monitors where Id = '".dbEscape($markMid)."'" ); - dbQuery( "delete from Zones where MonitorId = '".dbEscape($markMid)."'" ); + dbQuery( "delete from Monitors where Id = ".dbEscape($markMid) ); + dbQuery( "delete from Zones where MonitorId = ".dbEscape($markMid) ); if ( ZM_OPT_X10 ) - dbQuery( "delete from TriggersX10 where MonitorId = '".dbEscape($markMid)."'" ); + dbQuery( "delete from TriggersX10 where MonitorId = ".dbEscape($markMid) ); fixSequences(); 
@@ -598,7 +598,7 @@ if ( !empty($action) ) // well time out before completing, in which case zmaudit will still tidy up if ( !ZM_OPT_FAST_DELETE ) { - $sql = "select Id from Events where MonitorId = '".dbEscape($markMid)."'"; + $sql = "select Id from Events where MonitorId = ".dbEscape($markMid); $markEids = dbFetchAll( $sql, 'Id' ); foreach( $markEids as $markEid ) deleteEvent( $markEid ); @@ -626,11 +626,11 @@ if ( !empty($action) ) { if ( isset($_REQUEST['did']) ) { - dbQuery( "update Devices set Name = '".dbEscape($_REQUEST['newDevice']['Name'])."', KeyString = '".dbEscape($_REQUEST['newDevice']['KeyString'])."' where Id = '".dbEscape($_REQUEST['did'])."'" ); + dbQuery( "update Devices set Name = ".dbEscape($_REQUEST['newDevice']['Name']).", KeyString = ".dbEscape($_REQUEST['newDevice']['KeyString'])." where Id = ".dbEscape($_REQUEST['did']) ); } else { - dbQuery( "insert into Devices set Name = '".dbEscape($_REQUEST['newDevice']['Name'])."', KeyString = '".dbEscape($_REQUEST['newDevice']['KeyString'])."'" ); + dbQuery( "insert into Devices set Name = ".dbEscape($_REQUEST['newDevice']['Name']).", KeyString = ".dbEscape($_REQUEST['newDevice']['KeyString']) ); } $refreshParent = true; $view = 'none'; @@ -642,7 +642,7 @@ if ( !empty($action) ) { foreach( $_REQUEST['markDids'] as $markDid ) { - dbQuery( "delete from Devices where Id = '".dbEscape($markDid)."'" ); + dbQuery( "delete from Devices where Id = ".dbEscape($markDid) ); $refreshParent = true; } } @@ -802,7 +802,7 @@ if ( !empty($action) ) elseif ( $action == "user" ) { if ( !empty($_REQUEST['uid']) ) - $dbUser = dbFetchOne( "select * from Users where Id = '".dbEscape($_REQUEST['uid'])."'" ); + $dbUser = dbFetchOne( "select * from Users where Id = ".dbEscape($_REQUEST['uid']) ); else $dbUser = array(); 
@@ -810,7 +810,7 @@ if ( !empty($action) ) $changes = getFormChanges( $dbUser, $_REQUEST['newUser'], $types ); if ( $_REQUEST['newUser']['Password'] ) - $changes['Password'] = "Password = password('".dbEscape($_REQUEST['newUser']['Password'])."')"; + $changes['Password'] = "Password = password(".dbEscape($_REQUEST['newUser']['Password']).")"; else unset( $changes['Password'] ); @@ -818,7 +818,7 @@ if ( !empty($action) ) { if ( !empty($_REQUEST['uid']) ) { - $sql = "update Users set ".implode( ", ", $changes )." where Id = '".dbEscape($_REQUEST['uid'])."'"; + $sql = "update Users set ".implode( ", ", $changes )." where Id = ".dbEscape($_REQUEST['uid']); } else { @@ -853,18 +853,18 @@ if ( !empty($action) ) $definition = join( ',', $definitions ); if ( $_REQUEST['newState'] ) $_REQUEST['runState'] = $_REQUEST['newState']; - dbQuery( "replace into States set Name = '".dbEscape($_REQUEST['runState'])."', Definition = '".dbEscape($definition)."'" ); + dbQuery( "replace into States set Name = ".dbEscape($_REQUEST['runState']).", Definition = ".dbEscape($definition) ); } } elseif ( $action == "group" ) { if ( !empty($_REQUEST['gid']) ) { - $sql = "update Groups set Name = '".dbEscape($_REQUEST['newGroup']['Name'])."', MonitorIds = '".dbEscape(join(',',$_REQUEST['newGroup']['MonitorIds']))."' where Id = '".dbEscape($_REQUEST['gid'])."'"; + $sql = "update Groups set Name = ".dbEscape($_REQUEST['newGroup']['Name']).", MonitorIds = ".dbEscape(join(',',$_REQUEST['newGroup']['MonitorIds']))." where Id = ".dbEscape($_REQUEST['gid']); } else { - $sql = "insert into Groups set Name = '".dbEscape($_REQUEST['newGroup']['Name'])."', MonitorIds = '".dbEscape(join(',',$_REQUEST['newGroup']['MonitorIds']))."'"; + $sql = "insert into Groups set Name = ".dbEscape($_REQUEST['newGroup']['Name']).", MonitorIds = ".dbEscape(join(',',$_REQUEST['newGroup']['MonitorIds'])); } dbQuery( $sql ); $refreshParent = true; 
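Review bot: The new `Password = password(".dbEscape(...).")` fragment, here and in the -903 hunk, still leaves hashing to MySQL's PASSWORD() function. That function is unsalted and fast to compute, was deprecated in MySQL 5.7 and removed in 8.0, and the plaintext password is carried inside the SQL text where statement logging can record it. Hashing in PHP avoids both problems: `$changes['Password'] = "Password = ".dbEscape( password_hash( $_REQUEST['newUser']['Password'], PASSWORD_DEFAULT ) );`, with password_verify() at login. The login check and a migration for existing hashes are outside this diff and would have to change with it.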
@@ -873,18 +873,18 @@ if ( !empty($action) ) elseif ( $action == "delete" ) { if ( isset($_REQUEST['runState']) ) - dbQuery( "delete from States where Name = '".dbEscape($_REQUEST['runState'])."'" ); + dbQuery( "delete from States where Name = ".dbEscape($_REQUEST['runState']) ); if ( isset($_REQUEST['markUids']) ) { foreach( $_REQUEST['markUids'] as $markUid ) - dbQuery( "delete from Users where Id = '".dbEscape($markUid)."'" ); + dbQuery( "delete from Users where Id = ".dbEscape($markUid) ); if ( $markUid == $user['Id'] ) userLogout(); } if ( !empty($_REQUEST['gid']) ) { - dbQuery( "delete from Groups where Id = '".dbEscape($_REQUEST['gid'])."'" ); + dbQuery( "delete from Groups where Id = ".dbEscape($_REQUEST['gid']) ); if ( isset($_COOKIE['zmGroup']) ) { if ( $_REQUEST['gid'] == $_COOKIE['zmGroup'] ) @@ -903,18 +903,18 @@ if ( !empty($action) ) { $uid = $user['Id']; - $dbUser = dbFetchOne( "select Id, Password, Language from Users where Id = '".dbEscape($uid)."'" ); + $dbUser = dbFetchOne( "select Id, Password, Language from Users where Id = ".dbEscape($uid) ); $types = array(); $changes = getFormChanges( $dbUser, $_REQUEST['newUser'], $types ); if ( !empty($_REQUEST['newUser']['Password']) ) - $changes['Password'] = "Password = password('".dbEscape($_REQUEST['newUser']['Password'])."')"; + $changes['Password'] = "Password = password(".dbEscape($_REQUEST['newUser']['Password']).")"; else unset( $changes['Password'] ); if ( count( $changes ) ) { - $sql = "update Users set ".implode( ", ", $changes )." where Id = '".dbEscape($uid)."'"; + $sql = "update Users set ".implode( ", ", $changes )." where Id = ".dbEscape($uid); dbQuery( $sql ); $refreshParent = true; }
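Review bot: In the `markUids` branch of the -873 hunk the `foreach` has no braces, so only the `delete from Users` call is the loop body and `if ( $markUid == $user['Id'] ) userLogout();` runs once afterwards against the last id in the list. A user who deletes their own account together with others is logged out only if their id happens to be last. Wrapping the body fixes it: `foreach( $_REQUEST['markUids'] as $markUid ) { dbQuery( "delete from Users where Id = ".dbEscape($markUid) ); if ( $markUid == $user['Id'] ) userLogout(); }`.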