From 4140d51e9f24aba2dd4ec29b96c54efb49a565a7 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 13 Aug 2019 11:45:50 -0400 Subject: [PATCH] database.php cleanup. remove dbFetchMonitor and dbFetchGroup. Their usage has been replaced with the Object::find_one usage. Also more quoting of table and colume names to fix #2659 --- web/includes/database.php | 179 +++++++++++++-------------- web/skins/classic/views/function.php | 12 +- web/skins/classic/views/plugin.php | 29 ++--- web/skins/classic/views/settings.php | 36 +++--- 4 files changed, 121 insertions(+), 135 deletions(-) diff --git a/web/includes/database.php b/web/includes/database.php index f214af58b..d941a01e0 100644 --- a/web/includes/database.php +++ b/web/includes/database.php @@ -2,25 +2,25 @@ // // ZoneMinder web database interface file, $Date$, $Revision$ // Copyright (C) 2001-2008 Philip Coombes -// +// // This program is free software; you can redistribute it and/or // modify it under the terms of the GNU General Public License // as published by the Free Software Foundation; either version 2 // of the License, or (at your option) any later version. -// +// // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. -// +// // You should have received a copy of the GNU General Public License // along with this program; if not, write to the Free Software // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// +// -define( 'DB_LOG_OFF', 0 ); -define( 'DB_LOG_ONLY', 1 ); -define( 'DB_LOG_DEBUG', 2 ); +define('DB_LOG_OFF', 0); +define('DB_LOG_ONLY', 1); +define('DB_LOG_DEBUG', 2); $GLOBALS['dbLogLevel'] = DB_LOG_OFF; @@ -29,10 +29,10 @@ $GLOBALS['dbConn'] = false; function dbConnect() { global $dbConn; - if (strpos(ZM_DB_HOST, ':')) { + if ( strpos(ZM_DB_HOST, ':') ) { // Host variable may carry a port or socket. list($host, $portOrSocket) = explode(':', ZM_DB_HOST, 2); - if (ctype_digit($portOrSocket)) { + if ( ctype_digit($portOrSocket) ) { $socket = ':host='.$host . ';port='.$portOrSocket; } else { $socket = ':unix_socket='.$portOrSocket; @@ -43,22 +43,22 @@ function dbConnect() { try { $dbOptions = null; - if ( defined( 'ZM_DB_SSL_CA_CERT' ) and ZM_DB_SSL_CA_CERT ) { + if ( defined('ZM_DB_SSL_CA_CERT') and ZM_DB_SSL_CA_CERT ) { $dbOptions = array( PDO::MYSQL_ATTR_SSL_CA => ZM_DB_SSL_CA_CERT, PDO::MYSQL_ATTR_SSL_KEY => ZM_DB_SSL_CLIENT_KEY, PDO::MYSQL_ATTR_SSL_CERT => ZM_DB_SSL_CLIENT_CERT, ); - $dbConn = new PDO( ZM_DB_TYPE . $socket . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS, $dbOptions ); + $dbConn = new PDO(ZM_DB_TYPE . $socket . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS, $dbOptions); } else { - $dbConn = new PDO( ZM_DB_TYPE . $socket . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS ); + $dbConn = new PDO(ZM_DB_TYPE . $socket . ';dbname='.ZM_DB_NAME, ZM_DB_USER, ZM_DB_PASS); } $dbConn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $dbConn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); } catch(PDOException $ex ) { echo 'Unable to connect to ZM db.' . $ex->getMessage(); - error_log('Unable to connect to ZM DB ' . $ex->getMessage() ); + error_log('Unable to connect to ZM DB ' . $ex->getMessage()); $dbConn = null; } } @@ -89,15 +89,15 @@ function dbDebug() { dbLogDebug(); } -function dbLog( $sql, $update=false ) { +function dbLog($sql, $update=false) { global $dbLogLevel; $noExecute = $update && ($dbLogLevel >= DB_LOG_DEBUG); if ( $dbLogLevel > DB_LOG_OFF ) - ZM\Logger::Debug( "SQL-LOG: $sql".($noExecute?" (not executed)":"") ); + ZM\Logger::Debug( "SQL-LOG: $sql".($noExecute?' (not executed)':'') ); return( $noExecute ); } -function dbError( $sql ) { +function dbError($sql) { global $dbConn; $error = $dbConn->errorInfo(); if ( ! $error[0] ) @@ -110,37 +110,37 @@ function dbError( $sql ) { function dbEscape( $string ) { global $dbConn; - if ( version_compare( phpversion(), '4.3.0', '<') ) + if ( version_compare(phpversion(), '4.3.0', '<')) if ( get_magic_quotes_gpc() ) - return( $dbConn->quote( stripslashes( $string ) ) ); + return $dbConn->quote(stripslashes($string)); else - return( $dbConn->quote( $string ) ); + return $dbConn->quote($string); else if ( get_magic_quotes_gpc() ) - return( $dbConn->quote( stripslashes( $string ) ) ); + return $dbConn->quote(stripslashes($string)); else - return( $dbConn->quote( $string ) ); + return $dbConn->quote($string); } -function dbQuery( $sql, $params=NULL ) { +function dbQuery($sql, $params=NULL) { global $dbConn; - if ( dbLog( $sql, true ) ) + if ( dbLog($sql, true) ) return; $result = NULL; try { if ( isset($params) ) { - if ( ! $result = $dbConn->prepare( $sql ) ) { + if ( ! $result = $dbConn->prepare($sql) ) { ZM\Error("SQL: Error preparing $sql: " . $pdo->errorInfo); return NULL; } - if ( ! $result->execute( $params ) ) { - ZM\Error("SQL: Error executing $sql: " . implode(',', $result->errorInfo() ) ); + if ( ! $result->execute($params) ) { + ZM\Error("SQL: Error executing $sql: " . implode(',', $result->errorInfo())); return NULL; } } else { if ( defined('ZM_DB_DEBUG') ) { - ZM\Logger::Debug("SQL: $sql values:" . ($params?implode(',',$params):'') ); + ZM\Logger::Debug("SQL: $sql values:" . ($params?implode(',',$params):'')); } $result = $dbConn->query($sql); if ( ! $result ) { @@ -150,24 +150,24 @@ function dbQuery( $sql, $params=NULL ) { } if ( defined('ZM_DB_DEBUG') ) { if ( $params ) - ZM\Logger::Debug("SQL: $sql" . implode(',',$params) . ' rows: '.$result->rowCount() ); + ZM\Logger::Debug("SQL: $sql" . implode(',',$params) . ' rows: '.$result->rowCount()); else - ZM\Logger::Debug("SQL: $sql: rows:" . $result->rowCount() ); + ZM\Logger::Debug("SQL: $sql: rows:" . $result->rowCount()); } } catch(PDOException $e) { - ZM\Error( "SQL-ERR '".$e->getMessage()."', statement was '".$sql."' params:" . ($params?implode(',',$params):'') ); + ZM\Error("SQL-ERR '".$e->getMessage()."', statement was '".$sql."' params:" . ($params?implode(',',$params):'')); return NULL; } return $result; } -function dbFetchOne( $sql, $col=false, $params=NULL ) { - $result = dbQuery( $sql, $params ); - if ( ! $result ) { - ZM\Error( "SQL-ERR dbFetchOne no result, statement was '".$sql."'" . ( $params ? 'params: ' . join(',',$params) : '' ) ); +function dbFetchOne($sql, $col=false, $params=NULL) { + $result = dbQuery($sql, $params); + if ( !$result ) { + ZM\Error("SQL-ERR dbFetchOne no result, statement was '".$sql."'".($params ? 'params: ' . join(',',$params) : '')); return false; } - if ( ! $result->rowCount() ) { + if ( !$result->rowCount() ) { # No rows is not an error return false; } @@ -179,109 +179,109 @@ function dbFetchOne( $sql, $col=false, $params=NULL ) { return false; } return $dbRow[$col]; - } + } return $dbRow; } return false; } -function dbFetchAll( $sql, $col=false, $params=NULL ) { - $result = dbQuery( $sql, $params ); +function dbFetchAll($sql, $col=false, $params=NULL) { + $result = dbQuery($sql, $params); if ( ! $result ) { - ZM\Error( "SQL-ERR dbFetchAll no result, statement was '".$sql."'" . ( $params ? 'params: ' .join(',', $params) : '' ) ); + ZM\Error("SQL-ERR dbFetchAll no result, statement was '".$sql."'".($params ? 'params: '.join(',', $params) : '')); return false; } $dbRows = array(); - while( $dbRow = $result->fetch( PDO::FETCH_ASSOC ) ) - $dbRows[] = $col?$dbRow[$col]:$dbRow; + while ( $dbRow = $result->fetch(PDO::FETCH_ASSOC) ) + $dbRows[] = $col ? $dbRow[$col] : $dbRow; return $dbRows; } -function dbFetchAssoc( $sql, $indexCol, $dataCol=false ) { - $result = dbQuery( $sql ); +function dbFetchAssoc($sql, $indexCol, $dataCol=false) { + $result = dbQuery($sql); $dbRows = array(); - while( $dbRow = $result->fetch( PDO::FETCH_ASSOC ) ) - $dbRows[$dbRow[$indexCol]] = $dataCol?$dbRow[$dataCol]:$dbRow; - return( $dbRows ); + while( $dbRow = $result->fetch(PDO::FETCH_ASSOC) ) + $dbRows[$dbRow[$indexCol]] = $dataCol ? $dbRow[$dataCol] : $dbRow; + return $dbRows; } -function dbFetch( $sql, $col=false ) { - return( dbFetchAll( $sql, $col ) ); +function dbFetch($sql, $col=false) { + return dbFetchAll($sql, $col); } -function dbFetchNext( $result, $col=false ) { - if ( $dbRow = $result->fetch( PDO::FETCH_ASSOC ) ) - return( $col?$dbRow[$col]:$dbRow ); - return( false ); +function dbFetchNext($result, $col=false) { + if ( $dbRow = $result->fetch(PDO::FETCH_ASSOC) ) + return $col ? $dbRow[$col] : $dbRow; + return false; } function dbNumRows( $sql ) { - $result = dbQuery( $sql ); - return( $result->rowCount() ); + $result = dbQuery($sql); + return $result->rowCount(); } function dbInsertId() { global $dbConn; - return( $dbConn->lastInsertId() ); + return $dbConn->lastInsertId(); } -function getEnumValues( $table, $column ) { - $row = dbFetchOne( "describe $table $column" ); - preg_match_all( "/'([^']+)'/", $row['Type'], $matches ); - return( $matches[1] ); +function getEnumValues($table, $column) { + $row = dbFetchOne("DESCRIBE `$table` `$column`"); + preg_match_all("/'([^']+)'/", $row['Type'], $matches); + return $matches[1]; } -function getSetValues( $table, $column ) { - return( getEnumValues( $table, $column ) ); +function getSetValues($table, $column) { + return getEnumValues($table, $column); } -function getUniqueValues( $table, $column, $asString=1 ) { +function getUniqueValues($table, $column, $asString=1) { $values = array(); - $sql = "select distinct $column from $table where (not isnull($column) and $column != '') order by $column"; - foreach( dbFetchAll( $sql ) as $row ) { + $sql = "SELECT DISTINCT `$column` FROM `$table` WHERE (NOT isnull(`$column`) AND `$column` != '') ORDER BY `$column`"; + foreach ( dbFetchAll($sql) as $row ) { if ( $asString ) $values[$row[$column]] = $row[$column]; else $values[] = $row[$column]; } - return( $values ); -} + return $values; +} function getTableColumns( $table, $asString=1 ) { $columns = array(); - $sql = "describe $table"; - foreach( dbFetchAll( $sql ) as $row ) { + $sql = "DESCRIBE `$table`"; + foreach ( dbFetchAll($sql) as $row ) { if ( $asString ) $columns[$row['Field']] = $row['Type']; else $columns[] = $row['Type']; } - return( $columns ); -} + return $columns; +} function getTableAutoInc( $table ) { - $row = dbFetchOne( 'show table status where Name=?', NULL, array($table) ); - return( $row['Auto_increment'] ); + $row = dbFetchOne('SHOW TABLE status WHERE Name=?', NULL, array($table)); + return $row['Auto_increment']; } function getTableDescription( $table, $asString=1 ) { $columns = array(); - foreach( dbFetchAll( "describe $table" ) as $row ) { + foreach( dbFetchAll("DESCRIBE `$table`") as $row ) { $desc = array( 'name' => $row['Field'], 'required' => ($row['Null']=='NO')?true:false, 'default' => $row['Default'], 'db' => $row, ); - if ( preg_match( "/^varchar\((\d+)\)$/", $row['Type'], $matches ) ) { + if ( preg_match('/^varchar\((\d+)\)$/', $row['Type'], $matches) ) { $desc['type'] = 'text'; $desc['typeAttrib'] = 'varchar'; $desc['maxLength'] = $matches[1]; - } elseif ( preg_match( "/^(\w+)?text$/", $row['Type'], $matches ) ) { + } elseif ( preg_match('/^(\w+)?text$/', $row['Type'], $matches) ) { $desc['type'] = 'text'; - if (!empty($matches[1]) ) + if ( !empty($matches[1]) ) $desc['typeAttrib'] = $matches[1]; switch ( $matches[1] ) { case 'tiny' : @@ -295,15 +295,15 @@ function getTableDescription( $table, $asString=1 ) { //$desc['minLength'] = -128; break; default : - ZM\Error( "Unexpected text qualifier '".$matches[1]."' found for field '".$row['Field']."' in table '".$table."'" ); + ZM\Error("Unexpected text qualifier '".$matches[1]."' found for field '".$row['Field']."' in table '".$table."'"); break; } - } elseif ( preg_match( "/^(enum|set)\((.*)\)$/", $row['Type'], $matches ) ) { + } elseif ( preg_match('/^(enum|set)\((.*)\)$/', $row['Type'], $matches) ) { $desc['type'] = 'text'; $desc['typeAttrib'] = $matches[1]; - preg_match_all( "/'([^']+)'/", $matches[2], $matches ); + preg_match_all("/'([^']+)'/", $matches[2], $matches); $desc['values'] = $matches[1]; - } elseif ( preg_match( "/^(\w+)?int\(\d+\)(?:\s+(unsigned))?$/", $row['Type'], $matches ) ) { + } elseif ( preg_match('/^(\w+)?int\(\d+\)(?:\s+(unsigned))?$/', $row['Type'], $matches) ) { $desc['type'] = 'integer'; switch ( $matches[1] ) { case 'tiny' : @@ -327,7 +327,7 @@ function getTableDescription( $table, $asString=1 ) { //$desc['maxValue'] = 127; break; default : - ZM\Error( "Unexpected integer qualifier '".$matches[1]."' found for field '".$row['Field']."' in table '".$table."'" ); + ZM\Error("Unexpected integer qualifier '".$matches[1]."' found for field '".$row['Field']."' in table '".$table."'"); break; } if ( !empty($matches[1]) ) @@ -336,7 +336,7 @@ function getTableDescription( $table, $asString=1 ) { $desc['maxValue'] += (-$desc['minValue']); $desc['minValue'] = 0; } - } elseif ( preg_match( "/^(?:decimal|numeric)\((\d+)(?:,(\d+))?\)(?:\s+(unsigned))?$/", $row['Type'], $matches ) ) { + } elseif ( preg_match('/^(?:decimal|numeric)\((\d+)(?:,(\d+))?\)(?:\s+(unsigned))?$/', $row['Type'], $matches) ) { $desc['type'] = 'fixed'; $desc['range'] = $matches[1]; if ( isset($matches[2]) ) @@ -344,7 +344,7 @@ function getTableDescription( $table, $asString=1 ) { else $desc['precision'] = 0; $desc['unsigned'] = ( isset($matches[3]) && $matches[3] == 'unsigned' ); - } elseif ( preg_match( "/^(datetime|timestamp|date|time)$/", $row['Type'], $matches ) ) { + } elseif ( preg_match('/^(datetime|timestamp|date|time)$/', $row['Type'], $matches) ) { $desc['type'] = 'datetime'; switch ( $desc['typeAttrib'] = $matches[1] ) { case 'datetime' : @@ -362,7 +362,7 @@ function getTableDescription( $table, $asString=1 ) { break; } } else { - ZM\Error( "Can't parse database type '".$row['Type']."' found for field '".$row['Field']."' in table '".$table."'" ); + ZM\Error("Can't parse database type '".$row['Type']."' found for field '".$row['Field']."' in table '".$table."'"); } if ( $asString ) @@ -370,15 +370,6 @@ function getTableDescription( $table, $asString=1 ) { else $columns[] = $desc; } - return( $columns ); -} - -function dbFetchMonitor( $mid ) { - return( dbFetchOne( 'select * from Monitors where Id = ?', NULL, array($mid) ) ); + return $columns; } - -function dbFetchGroup( $gid ) { - return( dbFetchOne( 'select * from Groups where Id = ?', NULL, array($gid) ) ); -} - ?> diff --git a/web/skins/classic/views/function.php b/web/skins/classic/views/function.php index 506bc006b..1cd2985ef 100644 --- a/web/skins/classic/views/function.php +++ b/web/skins/classic/views/function.php @@ -23,34 +23,34 @@ if ( !canEdit('Monitors') ) { return; } -$monitor = dbFetchMonitor($_REQUEST['mid']); +$monitor = ZM\Monitor::find_one(array('Id'=>$_REQUEST['mid'])); $focusWindow = true; -xhtmlHeaders(__FILE__, translate('Function').' - '.validHtmlStr($monitor['Name'])); +xhtmlHeaders(__FILE__, translate('Function').' - '.validHtmlStr($monitor->Name())); ?>
- +

- checked="checked"/> + Enabled()) ) { ?> checked="checked"/>

diff --git a/web/skins/classic/views/plugin.php b/web/skins/classic/views/plugin.php index ea7a9f347..4f41b3fbd 100644 --- a/web/skins/classic/views/plugin.php +++ b/web/skins/classic/views/plugin.php @@ -19,23 +19,21 @@ // -if ( !canView( 'Monitors' ) ) -{ - $view = "error"; - return; +if ( !canView('Monitors') ) { + $view = 'error'; + return; } $mid = validInt($_REQUEST['mid']); $zid = !empty($_REQUEST['zid'])?validInt($_REQUEST['zid']):0; - if ( $zid > 0 ) { - $newZone = dbFetchOne( 'SELECT * FROM Zones WHERE MonitorId = ? AND Id = ?', NULL, array( $mid, $zid) ); + $newZone = dbFetchOne('SELECT * FROM Zones WHERE MonitorId = ? AND Id = ?', NULL, array($mid, $zid)); } else { - $view = "error"; + $view = 'error'; return; } -$monitor = dbFetchMonitor ( $mid ); +$monitor = ZM\Monitor::find_one($mid); // Only allow certain filename characters (not including a period) to prevent directory traversal. $plugin = preg_replace('/[^-a-zA-Z0-9]/', '', $_REQUEST['pl']); @@ -104,7 +102,7 @@ function pLang($name)
@@ -115,16 +113,14 @@ function pLang($name)
- +
$popt) -{ - ?> +foreach($pluginOptions as $name => $popt) { +?> $popt) - + - + - + - +
disabled="disabled"/> disabled="disabled"/>
disabled="disabled"/>/>
disabled="disabled"/>/>
disabled="disabled"/>/>
- disabled="disabled"/> + +