diff --git a/web/includes/database.php b/web/includes/database.php index 4a12d2702..6c8a7d366 100644 --- a/web/includes/database.php +++ b/web/includes/database.php @@ -31,9 +31,7 @@ function dbConnect() global $dbConn; try { - #$dbConn = mysql_pconnect( ZM_DB_HOST, ZM_DB_USER, ZM_DB_PASS ) or die( "Could not connect to database: ".mysql_error() ); - $dbConn = new PDO( ZM_DB_TYPE . ':host=' . ZM_DB_HOST . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS ) or die( "Could not connect to database: ".mysql_error() ); - #mysql_select_db( ZM_DB_NAME, $dbConn ) or die( "Could not select database: ".mysql_error() ); + $dbConn = new PDO( ZM_DB_TYPE . ':host=' . ZM_DB_HOST . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS ); } catch(PDOException $ex ) { echo "Unable to connect to ZM db." . $ex->getMessage(); } @@ -86,16 +84,17 @@ function dbError( $sql ) function dbEscape( $string ) { + global $dbConn; if ( version_compare( phpversion(), "4.3.0", "<") ) if ( get_magic_quotes_gpc() ) - return( mysql_escape_string( stripslashes( $string ) ) ); + return( $dbConn->quote( stripslashes( $string ) ) ); else - return( mysql_escape_string( $string ) ); + return( $dbConn->quote( $string ) ); else if ( get_magic_quotes_gpc() ) - return( mysql_real_escape_string( stripslashes( $string ) ) ); + return( $dbConn->quote( stripslashes( $string ) ) ); else - return( mysql_real_escape_string( $string ) ); + return( $dbConn->quote( $string ) ); } function dbQuery( $sql ) diff --git a/web/includes/functions.php b/web/includes/functions.php index eb3696786..c5deee7ad 100644 --- a/web/includes/functions.php +++ b/web/includes/functions.php @@ -681,7 +681,7 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false ) { if ( join(',',$newValues[$key]) != $values[$key] ) { - $changes[$key] = "$key = '".dbEscape(join(',',$newValues[$key]))."'"; + $changes[$key] = "$key = ".dbEscape(join(',',$newValues[$key])); } } elseif ( $values[$key] ) 
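Review bot: The `} catch(PDOException $ex ) {` arm echoes `$ex->getMessage()` straight into the response, and a PDO connection-failure message can carry the host and user from the DSN; that text belongs in the server log, not on the page. After the echo the function simply returns with `$dbConn` unset, so the first `$dbConn->quote()` or `->prepare()` elsewhere dies with a fatal on null rather than a handled error. I'd log and stop instead, `error_log( "Unable to connect to ZM db: ".$ex->getMessage() ); exit( 1 );`, and because the new code relies on PDO exceptions, add `$dbConn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );` right after the constructor so later query failures throw instead of returning false silently (PDO's default mode is silent). dbConnect's opening line is outside the hunk.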
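Review bot: dbEscape() now returns a fully quoted literal — `$dbConn->quote()` wraps the value in single quotes — while keeping the name and signature of a function that used to return only the escaped bytes, so any caller this commit did not touch that still writes `'".dbEscape($x)."'` now yields a doubly quoted token and a broken or wrong query. PDO::quote() can also return `false` on a driver without quoting support, which would splice an empty value into the SQL unnoticed. I'd add a header comment, `// Returns the value already wrapped in quotes (PDO::quote); callers must NOT add their own quotes`, and fail loudly on false: `$quoted = $dbConn->quote( $string ); if ( $quoted === false ) die( "dbEscape: driver cannot quote values" ); return( $quoted );`. The `version_compare( phpversion(), "4.3.0", "<")` branch is dead now that the function depends on PDO (PHP 5.1+), so the four returns collapse to one quote() call with the magic-quotes stripslashes kept.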
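Review bot: `$key` is still concatenated into the new `"$key = ".dbEscape(...)` fragment as a bare column name, and it is the field name from `$newValues`, so whatever filtering the `$columns` parameter provides is the only thing keeping a caller-chosen identifier out of the statement; that check is outside this hunk and I can't confirm it from here. If `$columns` is not always supplied, the name should be validated against a fixed list or a pattern such as `/^[A-Za-z0-9_]+$/` before use, since escaping cannot protect an identifier position. getFormChanges starts and ends outside the hunk.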
@@ -701,12 +701,12 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false ) $changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size']; ob_start(); readfile( $newValues[$key]['tmp_name'] ); - $changes[$key] = $key." = '".dbEscape( ob_get_contents() )."'"; + $changes[$key] = $key." = ".dbEscape( ob_get_contents() ); ob_end_clean(); } else { - $changes[$key] = "$key = '".dbEscape($value)."'"; + $changes[$key] = "$key = ".dbEscape($value); } break; } @@ -719,18 +719,18 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false ) $changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size']; ob_start(); readfile( $newValues[$key]['tmp_name'] ); - $changes[$key] = $key." = '".dbEscape( ob_get_contents() )."'"; + $changes[$key] = $key." = ".dbEscape( ob_get_contents() ); ob_end_clean(); } else { - $changes[$key] = "$key = '".dbEscape($value)."'"; + $changes[$key] = "$key = ".dbEscape($value); } break; } case 'file' : { - $changes[$key.'Type'] = $key."Type = '".dbEscape($newValues[$key]['type'])."'"; + $changes[$key.'Type'] = $key."Type = ".dbEscape($newValues[$key]['type']); $changes[$key.'Size'] = $key."Size = ".dbEscape($newValues[$key]['size']); ob_start(); readfile( $newValues[$key]['tmp_name'] ); @@ -750,7 +750,7 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false ) { if ( !isset($values[$key]) || ($values[$key] != $value) ) { - $changes[$key] = "$key = '".dbEscape($value)."'"; + $changes[$key] = "$key = ".dbEscape($value); } break; } 
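Review bot: The new `$changes[$key] = $key." = ".dbEscape( ob_get_contents() );` line pushes the whole uploaded file through `$dbConn->quote()` into a string-built statement; with the driver selected by `ZM_DB_TYPE`, quote() returns false on a driver without quoting support and `readfile()` can itself fail, and neither return is checked, so the update would be assembled with an empty value. Binding the blob avoids both and keeps the query size sane: emit a placeholder here and carry the data separately, e.g. `$changes[$key] = "$key = ?"; $bindings[] = ob_get_contents();`, with the caller binding it as `PDO::PARAM_LOB` — that requires the caller, outside this hunk, to change too. getFormChanges starts and ends outside the hunk.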
@@ -978,7 +978,7 @@ function zmaControl( $monitor, $mode=false ) { if ( !is_array( $monitor ) ) { - $sql = "select C.*, M.* from Monitors as M left join Controls as C on (M.ControlId = C.Id ) where M.Id = '".dbEscape($monitor)."'"; + $sql = "select C.*, M.* from Monitors as M left join Controls as C on (M.ControlId = C.Id ) where M.Id = ".dbEscape($monitor); $monitor = dbFetchOne( $sql ); } if ( !$monitor || $monitor['Function'] == 'None' || $monitor['Function'] == 'Monitor' || $mode == "stop" ) @@ -1394,7 +1394,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&' ) switch ( $filter['terms'][$i]['attr'] ) { case 'MonitorName': - $filter['sql'] .= 'M.'.dbEscape(preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] )); + $filter['sql'] .= dbEscape('M.'.preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] )); break; case 'DateTime': $filter['sql'] .= "E.StartTime"; @@ -1420,7 +1420,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&' ) case 'Cause': case 'Notes': case 'Archived': - $filter['sql'] .= "E.".dbEscape($filter['terms'][$i]['attr']); + $filter['sql'] .= dbEscape('E.'.$filter['terms'][$i]['attr']); break; case 'DiskPercent': $filter['sql'] .= getDiskPercent(); @@ -1441,7 +1441,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&' ) case 'Name': case 'Cause': case 'Notes': - $value = "'".dbEscape($value)."'"; + $value = dbEscape($value); break; case 'DateTime': $value = "'".strftime( STRF_FMT_DATETIME_DB, strtotime( $value ) )."'"; @@ -1467,7 +1467,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&' ) case '>' : case '<' : case '<=' : - $filter['sql'] .= " ".dbEscape($filter['terms'][$i]['op'])." $value"; + $filter['sql'] .= " ".$filter['terms'][$i]['op']." $value"; break; case '=~' : $filter['sql'] .= " regexp ".$value; diff --git a/web/includes/logger.php b/web/includes/logger.php index 65aa96e40..f522cd83d 100644 --- a/web/includes/logger.php 
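Review bot: `M.Id` is an integer key but `dbEscape($monitor)` now yields a quoted string literal, so the new `where M.Id = ".dbEscape($monitor)` relies on MySQL's implicit string-to-number coercion; as far as I know a value like `'1abc'` would then match Id 1 instead of failing. Since the argument is only ever an id, `where M.Id = ".(int)$monitor` is both safer and clearer and needs no escaping at all. zmaControl's body continues past the hunk.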
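Review bot: Passing the column reference through dbEscape() is now wrong: with dbEscape() calling `PDO::quote()`, `dbEscape('M.'.…)` produces the string literal `'M.Name'`, so the filter term compares a constant string rather than the Monitors column and every MonitorName filter silently matches nothing (or everything, for a negated operator). The attribute only reaches this line through the `case 'MonitorName':` label, so it is already whitelisted and needs no escaping: `$filter['sql'] .= 'M.'.preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] );`. parseFilter starts and ends outside the hunk.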
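Review bot: Same identifier problem as the MonitorName arm: `dbEscape('E.'.$filter['terms'][$i]['attr'])` now emits the quoted literal `'E.Name'` (or `'E.Notes'`, …) where a column reference is expected, so these terms compare a constant string instead of an Events field. The attr value is constrained by the listed `case` labels immediately above, so concatenating it directly is safe and restores the intended SQL: `$filter['sql'] .= 'E.'.$filter['terms'][$i]['attr'];`. parseFilter starts and ends outside the hunk.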
+++ b/web/includes/logger.php @@ -464,8 +464,8 @@ class Logger try { global $dbCon; $sql = "INSERT INTO Logs ( TimeKey, Component, Pid, Level, Code, Message, File, Line ) values ( ?, ?, ?, ?, ?, ?, ?, ? )"; - $stmt = $dbCon->prepare( $sql ); - $result = $dbCon->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), .dbEscape($this->id), getmypid(), dbEscape($level), dbEscape($code), dbEscape($string), $dbFile, $dbLine ) ); + $stmt = $dbConn->prepare( $sql ); + $result = $stmt->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), dbEscape($this->id), getmypid(), dbEscape($level), dbEscape($code), dbEscape($string), $dbFile, $dbLine ) ); } catch(PDOException $ex) { $this->databaseLevel = self::NOLOG; Fatal( "Can't write log entry '$sql': ". $ex->getMessage() ); diff --git a/web/skins/classic/views/montage.php b/web/skins/classic/views/montage.php index 6a93ee727..45f76057f 100644 --- a/web/skins/classic/views/montage.php +++ b/web/skins/classic/views/montage.php @@ -27,7 +27,7 @@ if ( !canView( 'Stream' ) ) $groupSql = ""; if ( !empty($_REQUEST['group']) ) { - $sql = "select * from Groups where Id = '".dbEscape($_REQUEST['group'])."'"; + $sql = "select * from Groups where Id = ".dbEscape($_REQUEST['group']); $row = dbFetchOne( $sql ); $groupSql = " and find_in_set( Id, '".$row['MonitorIds']."' )"; } diff --git a/web/skins/classic/views/zone.php b/web/skins/classic/views/zone.php index f7b917e26..6fe34e23a 100644 --- a/web/skins/classic/views/zone.php +++ b/web/skins/classic/views/zone.php @@ -70,7 +70,7 @@ if ( !isset($newZone) ) { if ( $zid > 0 ) { - $zone = dbFetchOne( "select * from Zones where MonitorId = '".dbEscape($monitor['Id'])."' and Id = '".dbEscape($zid)."'" ); + $zone = dbFetchOne( "select * from Zones where MonitorId = ".dbEscape($monitor['Id'])." and Id = ".dbEscape($zid) ); } else {
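Review bot: The method still declares `global $dbCon;` (the context line just above the prepare) while the new lines use `$dbConn`, so `$dbConn` is an undefined local here and `$dbConn->prepare()` fails on null; on PHP 7 that is an `Error`, not a `PDOException`, so the catch below never sees it. The values in the `execute()` array are bound parameters, so wrapping `$this->id`, `$level`, `$code` and `$string` in `dbEscape()` — which now returns a `PDO::quote()`d literal — stores the surrounding quotes and escape backslashes verbatim in the Logs row. Change the declaration to `global $dbConn;` and pass the raw values: `$result = $stmt->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), $this->id, getmypid(), $level, $code, $string, $dbFile, $dbLine ) );`. The enclosing method starts and ends outside the hunk.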
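Review bot: `$_REQUEST['group']` is a row id, so `where Id = ".(int)$_REQUEST['group']` would be clearer than the quoted literal dbEscape() now produces and would make a non-numeric value fail loudly instead of leaning on MySQL's string-to-number coercion. The lines that follow assume the lookup succeeded: `$row['MonitorIds']` is spliced into `find_in_set( Id, '…' )` with hand-written quotes and no escaping, and nothing checks that `dbFetchOne()` actually returned a row, so an unknown group id presumably yields a notice and an empty list. I'd guard with `if ( $row )` and pass the stored list through dbEscape() without the manual quotes, since it now supplies them. The closing brace of the `if ( !empty($_REQUEST['group']) )` block is the last line of the hunk.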
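Review bot: Both `$monitor['Id']` and `$zid` are integer ids (the guard is `if ( $zid > 0 )`), so producing quoted string literals via dbEscape() is the roundabout route; casting is more direct and self-documenting: `$zone = dbFetchOne( "select * from Zones where MonitorId = ".(int)$monitor['Id']." and Id = ".(int)$zid );`. Where `$zid` is assigned is outside the hunk, so I can't tell whether it has already been cast upstream.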