remove extra quotes since dbEscape does quoting now

This commit is contained in:
Isaac Connor 2013-10-17 15:35:23 -04:00
parent 92d22b5202
commit 36c4fad644
5 changed files with 22 additions and 23 deletions


@ -31,9 +31,7 @@ function dbConnect()
global $dbConn;
try {
#$dbConn = mysql_pconnect( ZM_DB_HOST, ZM_DB_USER, ZM_DB_PASS ) or die( "Could not connect to database: ".mysql_error() );
$dbConn = new PDO( ZM_DB_TYPE . ':host=' . ZM_DB_HOST . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS ) or die( "Could not connect to database: ".mysql_error() );
#mysql_select_db( ZM_DB_NAME, $dbConn ) or die( "Could not select database: ".mysql_error() );
$dbConn = new PDO( ZM_DB_TYPE . ':host=' . ZM_DB_HOST . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS );
} catch(PDOException $ex ) {
echo "Unable to connect to ZM db." . $ex->getMessage();
}
@ -86,16 +84,17 @@ function dbError( $sql )
function dbEscape( $string )
{
global $dbConn;
if ( version_compare( phpversion(), "4.3.0", "<") )
if ( get_magic_quotes_gpc() )
return( mysql_escape_string( stripslashes( $string ) ) );
return( $dbConn->quote( stripslashes( $string ) ) );
else
return( mysql_escape_string( $string ) );
return( $dbConn->quote( $string ) );
else
if ( get_magic_quotes_gpc() )
return( mysql_real_escape_string( stripslashes( $string ) ) );
return( $dbConn->quote( stripslashes( $string ) ) );
else
return( mysql_real_escape_string( $string ) );
return( $dbConn->quote( $string ) );
}
function dbQuery( $sql )
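Review bot: After this change every branch of dbEscape returns `$dbConn->quote(...)`, so the `version_compare( phpversion(), "4.3.0", "<")` test no longer selects different escaping functions and the body can collapse to `return( $dbConn->quote( get_magic_quotes_gpc() ? stripslashes( $string ) : $string ) );`. The name is now misleading as well: the return value is a complete quoted SQL literal rather than a bare escaped string, which is why the callers in this commit drop their own quotes, so a header comment such as `// Returns a fully quoted SQL string literal (PDO::quote), not a bare escaped value` would help the next maintainer. PDO::quote() returns false when the driver does not support quoting; a caller concatenating that into SQL ends up with an empty term, so checking the result here and throwing would be safer than letting it propagate. The dbConnect hunk above also constructs the PDO without setting PDO::ATTR_ERRMODE, so prepare()/execute() failures return false instead of raising the PDOException that callers catch.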


@ -681,7 +681,7 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
{
if ( join(',',$newValues[$key]) != $values[$key] )
{
$changes[$key] = "$key = '".dbEscape(join(',',$newValues[$key]))."'";
$changes[$key] = "$key = ".dbEscape(join(',',$newValues[$key]));
}
}
elseif ( $values[$key] )
@ -701,12 +701,12 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
$changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size'];
ob_start();
readfile( $newValues[$key]['tmp_name'] );
$changes[$key] = $key." = '".dbEscape( ob_get_contents() )."'";
$changes[$key] = $key." = ".dbEscape( ob_get_contents() );
ob_end_clean();
}
else
{
$changes[$key] = "$key = '".dbEscape($value)."'";
$changes[$key] = "$key = ".dbEscape($value);
}
break;
}
@ -719,18 +719,18 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
$changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size'];
ob_start();
readfile( $newValues[$key]['tmp_name'] );
$changes[$key] = $key." = '".dbEscape( ob_get_contents() )."'";
$changes[$key] = $key." = ".dbEscape( ob_get_contents() );
ob_end_clean();
}
else
{
$changes[$key] = "$key = '".dbEscape($value)."'";
$changes[$key] = "$key = ".dbEscape($value);
}
break;
}
case 'file' :
{
$changes[$key.'Type'] = $key."Type = '".dbEscape($newValues[$key]['type'])."'";
$changes[$key.'Type'] = $key."Type = ".dbEscape($newValues[$key]['type']);
$changes[$key.'Size'] = $key."Size = ".dbEscape($newValues[$key]['size']);
ob_start();
readfile( $newValues[$key]['tmp_name'] );
@ -750,7 +750,7 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
{
if ( !isset($values[$key]) || ($values[$key] != $value) )
{
$changes[$key] = "$key = '".dbEscape($value)."'";
$changes[$key] = "$key = ".dbEscape($value);
}
break;
}
@ -978,7 +978,7 @@ function zmaControl( $monitor, $mode=false )
{
if ( !is_array( $monitor ) )
{
$sql = "select C.*, M.* from Monitors as M left join Controls as C on (M.ControlId = C.Id ) where M.Id = '".dbEscape($monitor)."'";
$sql = "select C.*, M.* from Monitors as M left join Controls as C on (M.ControlId = C.Id ) where M.Id = ".dbEscape($monitor);
$monitor = dbFetchOne( $sql );
}
if ( !$monitor || $monitor['Function'] == 'None' || $monitor['Function'] == 'Monitor' || $mode == "stop" )
@ -1394,7 +1394,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
switch ( $filter['terms'][$i]['attr'] )
{
case 'MonitorName':
$filter['sql'] .= 'M.'.dbEscape(preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] ));
$filter['sql'] .= dbEscape('M.'.preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] ));
break;
case 'DateTime':
$filter['sql'] .= "E.StartTime";
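Review bot: Passing the column reference through dbEscape at `$filter['sql'] .= dbEscape('M.'.preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] ));` now produces a quoted string literal ('M.Name'), since dbEscape calls PDO::quote(); the WHERE term then presumably compares a constant string against the value instead of the column, so the filter silently stops selecting on that attribute. The hunk for the 'E.' attributes below has the same problem. PDO::quote() is for values and is not a way to sanitize identifiers; because the surrounding case labels already restrict `attr` to fixed names, the column reference should be emitted without dbEscape: `$filter['sql'] .= 'M.'.preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] );` and `$filter['sql'] .= "E.".$filter['terms'][$i]['attr'];`. parseFilter continues outside the hunk.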
@ -1420,7 +1420,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
case 'Cause':
case 'Notes':
case 'Archived':
$filter['sql'] .= "E.".dbEscape($filter['terms'][$i]['attr']);
$filter['sql'] .= dbEscape('E.'.$filter['terms'][$i]['attr']);
break;
case 'DiskPercent':
$filter['sql'] .= getDiskPercent();
@ -1441,7 +1441,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
case 'Name':
case 'Cause':
case 'Notes':
$value = "'".dbEscape($value)."'";
$value = dbEscape($value);
break;
case 'DateTime':
$value = "'".strftime( STRF_FMT_DATETIME_DB, strtotime( $value ) )."'";
@ -1467,7 +1467,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
case '>' :
case '<' :
case '<=' :
$filter['sql'] .= " ".dbEscape($filter['terms'][$i]['op'])." $value";
$filter['sql'] .= " ".$filter['terms'][$i]['op']." $value";
break;
case '=~' :
$filter['sql'] .= " regexp ".$value;


@ -464,8 +464,8 @@ class Logger
try {
global $dbCon;
$sql = "INSERT INTO Logs ( TimeKey, Component, Pid, Level, Code, Message, File, Line ) values ( ?, ?, ?, ?, ?, ?, ?, ? )";
$stmt = $dbCon->prepare( $sql );
$result = $dbCon->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), .dbEscape($this->id), getmypid(), dbEscape($level), dbEscape($code), dbEscape($string), $dbFile, $dbLine ) );
$stmt = $dbConn->prepare( $sql );
$result = $stmt->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), dbEscape($this->id), getmypid(), dbEscape($level), dbEscape($code), dbEscape($string), $dbFile, $dbLine ) );
} catch(PDOException $ex) {
$this->databaseLevel = self::NOLOG;
Fatal( "Can't write log entry '$sql': ". $ex->getMessage() );
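Review bot: `$stmt = $dbConn->prepare( $sql );` references `$dbConn`, but the only global declared in this method is `$dbCon` on the line above the SQL, so `$dbConn` is undefined here and the prepare call cannot succeed; the declaration should read `global $dbConn;`. Separately, the values handed to `$stmt->execute( array( ... ) )` are bound as prepared-statement parameters, so routing `$this->id`, `$level`, `$code` and `$string` through dbEscape — which now returns a PDO::quote()'d literal — stores the surrounding quote characters in the Logs row; pass those values directly and let the placeholders do the escaping. The enclosing method starts and ends outside the hunk.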


@ -27,7 +27,7 @@ if ( !canView( 'Stream' ) )
$groupSql = "";
if ( !empty($_REQUEST['group']) )
{
$sql = "select * from Groups where Id = '".dbEscape($_REQUEST['group'])."'";
$sql = "select * from Groups where Id = ".dbEscape($_REQUEST['group']);
$row = dbFetchOne( $sql );
$groupSql = " and find_in_set( Id, '".$row['MonitorIds']."' )";
}


@ -70,7 +70,7 @@ if ( !isset($newZone) )
{
if ( $zid > 0 )
{
$zone = dbFetchOne( "select * from Zones where MonitorId = '".dbEscape($monitor['Id'])."' and Id = '".dbEscape($zid)."'" );
$zone = dbFetchOne( "select * from Zones where MonitorId = ".dbEscape($monitor['Id'])." and Id = ".dbEscape($zid) );
}
else
{