remove extra quotes since dbEscape does quoting now

Isaac Connor 2013-10-17 15:35:23 -04:00
parent 92d22b5202
commit 36c4fad644
5 changed files with 22 additions and 23 deletions


@ -31,9 +31,7 @@ function dbConnect()
global $dbConn; global $dbConn;
try { try {
#$dbConn = mysql_pconnect( ZM_DB_HOST, ZM_DB_USER, ZM_DB_PASS ) or die( "Could not connect to database: ".mysql_error() ); $dbConn = new PDO( ZM_DB_TYPE . ':host=' . ZM_DB_HOST . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS );
$dbConn = new PDO( ZM_DB_TYPE . ':host=' . ZM_DB_HOST . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS ) or die( "Could not connect to database: ".mysql_error() );
#mysql_select_db( ZM_DB_NAME, $dbConn ) or die( "Could not select database: ".mysql_error() );
} catch(PDOException $ex ) { } catch(PDOException $ex ) {
echo "Unable to connect to ZM db." . $ex->getMessage(); echo "Unable to connect to ZM db." . $ex->getMessage();
} }
@ -86,16 +84,17 @@ function dbError( $sql )
function dbEscape( $string ) function dbEscape( $string )
{ {
global $dbConn;
if ( version_compare( phpversion(), "4.3.0", "<") ) if ( version_compare( phpversion(), "4.3.0", "<") )
if ( get_magic_quotes_gpc() ) if ( get_magic_quotes_gpc() )
return( mysql_escape_string( stripslashes( $string ) ) ); return( $dbConn->quote( stripslashes( $string ) ) );
else else
return( mysql_escape_string( $string ) ); return( $dbConn->quote( $string ) );
else else
if ( get_magic_quotes_gpc() ) if ( get_magic_quotes_gpc() )
return( mysql_real_escape_string( stripslashes( $string ) ) ); return( $dbConn->quote( stripslashes( $string ) ) );
else else
return( mysql_real_escape_string( $string ) ); return( $dbConn->quote( $string ) );
} }
function dbQuery( $sql ) function dbQuery( $sql )
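Review bot: Both branches of the `version_compare` test in dbEscape now do exactly the same thing, so the PHP 4.3 split and the duplicated magic-quotes checks can collapse to `if ( get_magic_quotes_gpc() ) $string = stripslashes( $string ); return( $dbConn->quote( $string ) );`. Because the function now returns a quoted literal rather than an escaped fragment, its contract changed and a header comment is due, e.g. `// Returns the value as a quoted SQL string literal via PDO::quote(); callers must not add their own quotes and must not pass identifiers.` The catch in the dbConnect hunk earlier in this file only echoes on failure and leaves `$dbConn` unset, so after a failed connection every dbEscape call becomes a fatal method call on a non-object; dying or rethrowing there would fail earlier and more clearly. The DSN built in dbConnect also carries no `charset=`, and PDO::quote escapes according to the connection's character set, so declaring the charset in the DSN is worth doing alongside this change.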


@ -681,7 +681,7 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
{ {
if ( join(',',$newValues[$key]) != $values[$key] ) if ( join(',',$newValues[$key]) != $values[$key] )
{ {
$changes[$key] = "$key = '".dbEscape(join(',',$newValues[$key]))."'"; $changes[$key] = "$key = ".dbEscape(join(',',$newValues[$key]));
} }
} }
elseif ( $values[$key] ) elseif ( $values[$key] )
@ -701,12 +701,12 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
$changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size']; $changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size'];
ob_start(); ob_start();
readfile( $newValues[$key]['tmp_name'] ); readfile( $newValues[$key]['tmp_name'] );
$changes[$key] = $key." = '".dbEscape( ob_get_contents() )."'"; $changes[$key] = $key." = ".dbEscape( ob_get_contents() );
ob_end_clean(); ob_end_clean();
} }
else else
{ {
$changes[$key] = "$key = '".dbEscape($value)."'"; $changes[$key] = "$key = ".dbEscape($value);
} }
break; break;
} }
@ -719,18 +719,18 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
$changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size']; $changes[$key.'Size'] = $key."Size = ".$newValues[$key]['size'];
ob_start(); ob_start();
readfile( $newValues[$key]['tmp_name'] ); readfile( $newValues[$key]['tmp_name'] );
$changes[$key] = $key." = '".dbEscape( ob_get_contents() )."'"; $changes[$key] = $key." = ".dbEscape( ob_get_contents() );
ob_end_clean(); ob_end_clean();
} }
else else
{ {
$changes[$key] = "$key = '".dbEscape($value)."'"; $changes[$key] = "$key = ".dbEscape($value);
} }
break; break;
} }
case 'file' : case 'file' :
{ {
$changes[$key.'Type'] = $key."Type = '".dbEscape($newValues[$key]['type'])."'"; $changes[$key.'Type'] = $key."Type = ".dbEscape($newValues[$key]['type']);
$changes[$key.'Size'] = $key."Size = ".dbEscape($newValues[$key]['size']); $changes[$key.'Size'] = $key."Size = ".dbEscape($newValues[$key]['size']);
ob_start(); ob_start();
readfile( $newValues[$key]['tmp_name'] ); readfile( $newValues[$key]['tmp_name'] );
@ -750,7 +750,7 @@ function getFormChanges( $values, $newValues, $types=false, $columns=false )
{ {
if ( !isset($values[$key]) || ($values[$key] != $value) ) if ( !isset($values[$key]) || ($values[$key] != $value) )
{ {
$changes[$key] = "$key = '".dbEscape($value)."'"; $changes[$key] = "$key = ".dbEscape($value);
} }
break; break;
} }
@ -978,7 +978,7 @@ function zmaControl( $monitor, $mode=false )
{ {
if ( !is_array( $monitor ) ) if ( !is_array( $monitor ) )
{ {
$sql = "select C.*, M.* from Monitors as M left join Controls as C on (M.ControlId = C.Id ) where M.Id = '".dbEscape($monitor)."'"; $sql = "select C.*, M.* from Monitors as M left join Controls as C on (M.ControlId = C.Id ) where M.Id = ".dbEscape($monitor);
$monitor = dbFetchOne( $sql ); $monitor = dbFetchOne( $sql );
} }
if ( !$monitor || $monitor['Function'] == 'None' || $monitor['Function'] == 'Monitor' || $mode == "stop" ) if ( !$monitor || $monitor['Function'] == 'None' || $monitor['Function'] == 'Monitor' || $mode == "stop" )
@ -1394,7 +1394,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
switch ( $filter['terms'][$i]['attr'] ) switch ( $filter['terms'][$i]['attr'] )
{ {
case 'MonitorName': case 'MonitorName':
$filter['sql'] .= 'M.'.dbEscape(preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] )); $filter['sql'] .= dbEscape('M.'.preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] ));
break; break;
case 'DateTime': case 'DateTime':
$filter['sql'] .= "E.StartTime"; $filter['sql'] .= "E.StartTime";
@ -1420,7 +1420,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
case 'Cause': case 'Cause':
case 'Notes': case 'Notes':
case 'Archived': case 'Archived':
$filter['sql'] .= "E.".dbEscape($filter['terms'][$i]['attr']); $filter['sql'] .= dbEscape('E.'.$filter['terms'][$i]['attr']);
break; break;
case 'DiskPercent': case 'DiskPercent':
$filter['sql'] .= getDiskPercent(); $filter['sql'] .= getDiskPercent();
@ -1441,7 +1441,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
case 'Name': case 'Name':
case 'Cause': case 'Cause':
case 'Notes': case 'Notes':
$value = "'".dbEscape($value)."'"; $value = dbEscape($value);
break; break;
case 'DateTime': case 'DateTime':
$value = "'".strftime( STRF_FMT_DATETIME_DB, strtotime( $value ) )."'"; $value = "'".strftime( STRF_FMT_DATETIME_DB, strtotime( $value ) )."'";
@ -1467,7 +1467,7 @@ function parseFilter( &$filter, $saveToSession=false, $querySep='&amp;' )
case '>' : case '>' :
case '<' : case '<' :
case '<=' : case '<=' :
$filter['sql'] .= " ".dbEscape($filter['terms'][$i]['op'])." $value"; $filter['sql'] .= " ".$filter['terms'][$i]['op']." $value";
break; break;
case '=~' : case '=~' :
$filter['sql'] .= " regexp ".$value; $filter['sql'] .= " regexp ".$value;
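Review bot: The two parseFilter attribute cases now pass column identifiers through dbEscape (`dbEscape('M.'.preg_replace(...))` and `dbEscape('E.'.$filter['terms'][$i]['attr'])`), and since dbEscape now returns PDO::quote() output these emit string literals such as `'E.Name'` instead of a column reference, so the comparison is against a constant and the filter no longer selects on the column. At that point the attribute has already been matched against the fixed `case` labels, so the identifier can be appended bare: `$filter['sql'] .= 'M.'.preg_replace( '/^Monitor/', '', $filter['terms'][$i]['attr'] );` and `$filter['sql'] .= 'E.'.$filter['terms'][$i]['attr'];`. The same reasoning supports the operator line, where the switch on `op` restricts it to the listed comparison operators before it is concatenated, so dropping dbEscape there is sound. The enclosing parseFilter body starts and ends outside these hunks.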


@ -464,8 +464,8 @@ class Logger
try { try {
global $dbCon; global $dbCon;
$sql = "INSERT INTO Logs ( TimeKey, Component, Pid, Level, Code, Message, File, Line ) values ( ?, ?, ?, ?, ?, ?, ?, ? )"; $sql = "INSERT INTO Logs ( TimeKey, Component, Pid, Level, Code, Message, File, Line ) values ( ?, ?, ?, ?, ?, ?, ?, ? )";
$stmt = $dbCon->prepare( $sql ); $stmt = $dbConn->prepare( $sql );
$result = $dbCon->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), .dbEscape($this->id), getmypid(), dbEscape($level), dbEscape($code), dbEscape($string), $dbFile, $dbLine ) ); $result = $stmt->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), dbEscape($this->id), getmypid(), dbEscape($level), dbEscape($code), dbEscape($string), $dbFile, $dbLine ) );
} catch(PDOException $ex) { } catch(PDOException $ex) {
$this->databaseLevel = self::NOLOG; $this->databaseLevel = self::NOLOG;
Fatal( "Can't write log entry '$sql': ". $ex->getMessage() ); Fatal( "Can't write log entry '$sql': ". $ex->getMessage() );
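Review bot: The bound parameters handed to `$stmt->execute()` are still wrapped in dbEscape, which now returns a quoted literal, so each logged Component, Level, Code and Message will be stored with the surrounding quotes and backslash escapes embedded in the value; prepared-statement parameters must be passed raw: `$result = $stmt->execute( array( sprintf( "%d.%06d", $time['sec'], $time['usec'] ), $this->id, getmypid(), $level, $code, $string, $dbFile, $dbLine ) );`. The `prepare` call was corrected to `$dbConn`, but the unchanged `global $dbCon;` two lines above still declares the misspelled name, so `$dbConn` is undefined here unless it is declared elsewhere in the method; it should read `global $dbConn;`. The `catch(PDOException $ex)` only fires if the connection is in ERRMODE_EXCEPTION, which the `new PDO(...)` call shown in the dbConnect hunk does not set; otherwise `prepare()` returns false and the fallback to NOLOG is never reached. The enclosing method starts and ends outside the hunk.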


@ -27,7 +27,7 @@ if ( !canView( 'Stream' ) )
$groupSql = ""; $groupSql = "";
if ( !empty($_REQUEST['group']) ) if ( !empty($_REQUEST['group']) )
{ {
$sql = "select * from Groups where Id = '".dbEscape($_REQUEST['group'])."'"; $sql = "select * from Groups where Id = ".dbEscape($_REQUEST['group']);
$row = dbFetchOne( $sql ); $row = dbFetchOne( $sql );
$groupSql = " and find_in_set( Id, '".$row['MonitorIds']."' )"; $groupSql = " and find_in_set( Id, '".$row['MonitorIds']."' )";
} }


@ -70,7 +70,7 @@ if ( !isset($newZone) )
{ {
if ( $zid > 0 ) if ( $zid > 0 )
{ {
$zone = dbFetchOne( "select * from Zones where MonitorId = '".dbEscape($monitor['Id'])."' and Id = '".dbEscape($zid)."'" ); $zone = dbFetchOne( "select * from Zones where MonitorId = ".dbEscape($monitor['Id'])." and Id = ".dbEscape($zid) );
} }
else else
{ {