www/adiumxtras.com 39:41976c149346: too much over-escaping due t...
Mon Dec 5 03:18:12 UTC 2011
details: http://hg.adium.im/www/adiumxtras.com/rev/41976c149346
revision: 39:41976c149346
branch: adiumxtras.com
author: Zachary West <zacw at adium.im>
date: Sun Dec 04 22:18:08 2011 -0500
too much over-escaping due to smart slashes. Which are terrible.
diffs (200 lines):
diff -r 89f7b7aef605 -r 41976c149346 include.php
--- a/include.php Sun Dec 04 22:13:53 2011 -0500
+++ b/include.php Sun Dec 04 22:18:08 2011 -0500
@@ -106,7 +106,7 @@
// We return the user_id to make life simpler.
function validUser($userName, $password) {
global $sql;
- $sql->query("SELECT user_id FROM users WHERE username='%s' AND password='%s' AND status='Active'", mysql_escape_string($userName), mysql_escape_string($password));
+ $sql->query("SELECT user_id FROM users WHERE username='%s' AND password='%s' AND status='Active'", $userName, $password);
return ($sql->num_rows() > 0) ? $sql->fetch_row_single() : FALSE;
}
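Review bot: The new validUser() hands `$userName` and `$password` straight to the `%s` placeholders, so the login query is only safe if `$sql->query()` escapes each string argument itself — its implementation is not in this diff, and the commit message suggests the escaping was dropped because magic quotes already add slashes. Magic quotes is not a substitute: it only touches GET/POST/COOKIE input, is removed in PHP 5.4, and leaves this query injectable whenever it is off or the value arrives another way. Every other hunk in this commit (manage.php, search.php, users.php, xtras.php) drops escaping on the same assumption. If `$sql->query()` does not escape, the safer fix is to keep `mysql_real_escape_string()` at the call sites (or apply it inside `query()` to every `%s` argument) and undo the slashes once at request start when `get_magic_quotes_gpc()` is true, rather than removing escaping everywhere. validUser() is complete within this hunk.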
diff -r 89f7b7aef605 -r 41976c149346 manage.php
--- a/manage.php Sun Dec 04 22:13:53 2011 -0500
+++ b/manage.php Sun Dec 04 22:18:08 2011 -0500
@@ -16,7 +16,7 @@
if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
$commentsToDelete = commentsWithParent(intval($_GET['comment_id']));
if (count($commentsToDelete) > 0)
- $sql->query("DELETE FROM comments WHERE comment_id IN (%s)", mysql_escape_string(implode(",", $commentsToDelete)));
+ $sql->query("DELETE FROM comments WHERE comment_id IN (%s)", implode(",", $commentsToDelete));
header(sprintf("Location: %s", $_SERVER['HTTP_REFERER']));
} else {
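Review bot: The `IN (%s)` list on the new line is unquoted, so mysql_escape_string() never protected it and removing it changes nothing; what is missing is an integer cast on each element. The ids here come from commentsWithParent(), but the same construct at lines 63 and 69 below splices `implode(",", $_POST['delete'])` directly from the request into `IN (...)`, which is injectable regardless of magic quotes because there are no quotes for the slashes to escape. Use `implode(",", array_map('intval', $commentsToDelete))` here and `implode(",", array_map('intval', $_POST['delete']))` in the two image queries. The enclosing if/else starts before and ends after this hunk.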
@@ -143,7 +143,7 @@
header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
} elseif (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
if ($_GET['disable_reason']) {
- $sql->query("UPDATE xtras SET status='Disabled', disable_reason='%s', reviewer='%d' WHERE xtra_id='%d'", mysql_escape_string(strip_tags($_GET['disable_reason'])), $currentUserID, intval($_GET['xtra_id']));
+ $sql->query("UPDATE xtras SET status='Disabled', disable_reason='%s', reviewer='%d' WHERE xtra_id='%d'", strip_tags($_GET['disable_reason']), $currentUserID, intval($_GET['xtra_id']));
$sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
$userInfo = $sql->fetch_assoc();
mail($userInfo['email'], "Your Xtra Was Disabled", sprintf("Your Xtra, %s, was just disabled:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $_GET['disable_reason']), "From: xtras at adiumxtras.com");
@@ -168,7 +168,7 @@
// Admin/Moderator ONLY
if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
if ($_GET['disable_reason']) {
- $sql->query("UPDATE xtras SET status='Denied', deny_reason='%s', reviewer='%d' WHERE xtra_id='%d'", mysql_escape_string(strip_tags($_GET['disable_reason'])), $currentUserID, intval($_GET['xtra_id']));
+ $sql->query("UPDATE xtras SET status='Denied', deny_reason='%s', reviewer='%d' WHERE xtra_id='%d'", strip_tags($_GET['disable_reason']), $currentUserID, intval($_GET['xtra_id']));
$sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
$userInfo = $sql->fetch_assoc();
mail($userInfo['email'], "Your Xtra Was Denied", sprintf("Your Xtra, %s, was just denied:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $_GET['disable_reason']), "From: xtras at adiumxtras.com");
@@ -218,7 +218,7 @@
// Update the static text fields.
// This is, truly, the easy part.
- $sql->query("UPDATE xtras SET title='%s', description='%s', changes='%s', credits='%s', version='%s' WHERE xtra_id='%d'", mysql_escape_string($_POST['title']), mysql_escape_string($_POST['description']), mysql_escape_string($_POST['changes']), mysql_escape_string($_POST['credits']), mysql_escape_string($_POST['version']), mysql_escape_string($_POST['xtra_id']));
+ $sql->query("UPDATE xtras SET title='%s', description='%s', changes='%s', credits='%s', version='%s' WHERE xtra_id='%d'", $_POST['title'], $_POST['description'], $_POST['changes'], $_POST['credits'], $_POST['version'], $_POST['xtra_id']);
// Change the category.
$sql->query("UPDATE assoc SET cat_id='%d' WHERE xtra_id='%d'", intval($_POST['category']), intval($_POST['xtra_id']));
@@ -316,12 +316,12 @@
}
if ($_POST['delete']) {
- $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d' AND image_id IN (%s)", intval($_POST['xtra_id']), mysql_escape_string(implode(",", $_POST['delete'])));
+ $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d' AND image_id IN (%s)", intval($_POST['xtra_id']), implode(",", $_POST['delete']));
while (list($imgfile, $thumbfile) = $sql->fetch_row()) {
checkAndDelete(sprintf("%s%s", "/home/adiumx/public_html/images/pictures/", $imgfile));
checkAndDelete(sprintf("%s%s", "/home/adiumx/public_html/images/pictures/", $thumbfile));
}
- $sql->query("DELETE FROM images WHERE xtra_id='%d' AND image_id IN (%s)", intval($_POST['xtra_id']), mysql_escape_string(implode(",", $_POST['delete'])));
+ $sql->query("DELETE FROM images WHERE xtra_id='%d' AND image_id IN (%s)", intval($_POST['xtra_id']), implode(",", $_POST['delete']));
}
$smarty->assign("title", "Xtra Saved");
@@ -333,7 +333,7 @@
case "create_xtra":
if ($_POST['name'] && $_POST['category']) {
// Yeehaw, let's create it and redirect them.
- $sql->query("INSERT INTO xtras (user_id, title, status, date_added) VALUES ('%d', '%s', 'Build', NOW())", $currentUserID, mysql_escape_string(strip_tags($_POST['name'])));
+ $sql->query("INSERT INTO xtras (user_id, title, status, date_added) VALUES ('%d', '%s', 'Build', NOW())", $currentUserID, strip_tags($_POST['name']));
$newID = $sql->insert_id();
$sql->query("INSERT INTO assoc (xtra_id, cat_id) VALUES ('%d', '%d')", $newID, intval($_POST['category']));
header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", $newID));
diff -r 89f7b7aef605 -r 41976c149346 search.php
--- a/search.php Sun Dec 04 22:13:53 2011 -0500
+++ b/search.php Sun Dec 04 22:18:08 2011 -0500
@@ -31,7 +31,7 @@
foreach ($arguments as $arg) {
if ($arg{0} == "-") { // Searches for results lacking this word.
$arg = substr($arg, 1);
- $where[] = sprintf("(xtras.title NOT LIKE '%%%s%%' AND xtras.description NOT LIKE '%%%s%%' AND xtras.credits NOT LIKE '%%%s%%')", mysql_escape_string($arg), mysql_escape_string($arg), mysql_escape_string($arg));
+ $where[] = sprintf("(xtras.title NOT LIKE '%%%s%%' AND xtras.description NOT LIKE '%%%s%%' AND xtras.credits NOT LIKE '%%%s%%')", $arg, $arg, $arg);
} else
$where[] = sprintf("(xtras.title LIKE '%%%s%%' OR xtras.description LIKE '%%%s%%' OR xtras.credits LIKE '%%%s%%')", $arg, $arg, $arg);
}
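Review bot: This hunk never goes through `$sql->query()` at all — the `$where[]` clause is built with a plain sprintf, so whatever escaping the query wrapper might do cannot reach `$arg`, and the new line splices the search term into `LIKE '%%%s%%'` with no escaping whatsoever; the `else` branch on line 91 was already in that state before this commit. The previous mysql_escape_string() also did not neutralise the LIKE metacharacters `%` and `_`, so a term such as `%` matches every row. Escape both the quotes and the wildcards before building either clause, e.g. `$term = addcslashes(mysql_real_escape_string($arg), '%_');` and use `$term` in both sprintf calls. The same `LIKE '%s'` on user-supplied values appears in the next hunk (line 97) and in users.php lines 141 and 146. The `$where` array is presumably joined into the final query outside this hunk, and the enclosing block starts before it.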
@@ -39,7 +39,7 @@
}
if ($_GET['user']) {
- $sql->query("SELECT user_id FROM users WHERE username LIKE '%s'", mysql_escape_string($_GET['user']));
+ $sql->query("SELECT user_id FROM users WHERE username LIKE '%s'", $_GET['user']);
$_GET['user_id'] = $sql->fetch_row_single();
}
diff -r 89f7b7aef605 -r 41976c149346 users.php
--- a/users.php Sun Dec 04 22:13:53 2011 -0500
+++ b/users.php Sun Dec 04 22:18:08 2011 -0500
@@ -16,14 +16,14 @@
break;
case "reset_password":
- $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", mysql_escape_string($_POST['vcode']));
+ $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", $_POST['vcode']);
if ($sql->num_rows() == 0) {
$smarty->assign("title", "Error Resetting Password");
$smarty->assign("message", "The verification code you have provided is incorrect. Please try copy-and-pasting the address again.");
$smarty->display('error.tpl');
} else {
if ($_POST['password1'] == $_POST['password2'] && $_POST['password1'] != "") {
- $sql->query("UPDATE users SET password='%s', vcode='' WHERE vcode='%s'", md5($_POST['password1']), mysql_escape_string($_POST['vcode']));
+ $sql->query("UPDATE users SET password='%s', vcode='' WHERE vcode='%s'", md5($_POST['password1']), $_POST['vcode']);
$smarty->assign("title", "Password Reset");
$smarty->assign("message", "Your password has been successfully reset. Please login.");
$smarty->display('loginForm.tpl');
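Review bot: Line 115 stores `md5($_POST['password1'])` with no salt, so the reset path (and the profile update at lines 172 and 175 of this commit) writes a hash that is cheaply reversible from a leaked table. Since the password column is being touched anyway, this is the moment to move to a salted adaptive hash — on PHP ≥ 5.5 `password_hash($_POST['password1'], PASSWORD_DEFAULT)` checked with `password_verify()` in validUser(), which would also stop the password from ever being interpolated into SQL; on older versions, `crypt()` with a per-user random salt. The enclosing switch starts before this hunk.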
@@ -38,7 +38,7 @@
case "reset":
$_GET['vcode'] = str_replace(" ", "", $_GET['vcode']);
- $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", mysql_escape_string($_GET['vcode']));
+ $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", $_GET['vcode']);
if ($sql->num_rows() == 0) {
$smarty->assign("title", "Error Resetting Password");
if (strlen($_GET['vcode']) != 32)
@@ -48,7 +48,7 @@
$smarty->display('error.tpl');
} else {
$smarty->assign("title", "Password Reset");
- $smarty->assign("vcode", mysql_escape_string($_GET['vcode']));
+ $smarty->assign("vcode", $_GET['vcode']);
$smarty->display("forgotPasswordReset.tpl");
}
break;
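Review bot: Dropping mysql_escape_string() on `$smarty->assign("vcode", $_GET['vcode'])` is right (SQL escaping never belonged on template output), but nothing visible now encodes the value before it reaches forgotPasswordReset.tpl; if the template prints `{$vcode}` unescaped, the query-string value is reflected straight into the page. Either escape in the template (`{$vcode|escape}`) or validate the shape before the SELECT — the error branch above only reports a wrong length. Assuming the code is the 32-character token that line 126 implies, a whitelist such as `if (!preg_match('/^[A-Za-z0-9]{32}$/', $_GET['vcode'])) { /* treat as invalid */ }` would cover both the query and the template. The switch case ends with the `break` on line 135, but the enclosing switch starts before this hunk.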
@@ -61,11 +61,11 @@
} else {
if (strpos($_POST['username'], "@")) {
// They've provided an email.
- $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE email LIKE '%s'", mysql_escape_string($_POST['username']));
+ $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE email LIKE '%s'", $_POST['username']);
$userInfo = $sql->fetch_assoc();
} else {
// Just a normal username.
- $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE username LIKE '%s'", mysql_escape_string($_POST['username']));
+ $sql->query("SELECT user_id, username, email, vcode, status FROM users WHERE username LIKE '%s'", $_POST['username']);
$userInfo = $sql->fetch_assoc();
}
@@ -169,10 +169,10 @@
exit();
}
- $username = mysql_escape_string(trim(strip_tags($_POST['banana'])));
+ $username = trim(strip_tags($_POST['banana']));
$password1 = strip_tags($_POST['password1']);
$password2 = strip_tags($_POST['password2']);
- $email = mysql_escape_string(strip_tags($_POST['email']));
+ $email = strip_tags($_POST['email']);
$error = "";
@@ -215,7 +215,7 @@
case "validate":
if ($_GET['vc']) {
- $sql->query("SELECT user_id FROM users WHERE status='Pending' and vcode='%s'", mysql_escape_string($_GET['vc']));
+ $sql->query("SELECT user_id FROM users WHERE status='Pending' and vcode='%s'", $_GET['vc']);
if ($sql->num_rows() > 0) {
$sql->query("UPDATE users SET status='Active', vcode='' WHERE user_id='%d'", $sql->fetch_row_single());
header("Location: index.php?a=users&do=account");
@@ -284,14 +284,14 @@
} else {
$user_id = currentUID();
if ($_POST['password1'] == $_POST['password2'] && $_POST['password1'] != "")
- $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s', password='%s' WHERE user_id='%d'", intval($_POST['show_email']), mysql_escape_string($fname), mysql_escape_string($lname), mysql_escape_string($email), mysql_escape_string($website), md5($_POST['password1']), intval($user_id));
+ $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s', password='%s' WHERE user_id='%d'", intval($_POST['show_email']), $fname, $lname, $email, $website, md5($_POST['password1']), intval($user_id));
else
- $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s' WHERE user_id='%d'", intval($_POST['show_email']), mysql_escape_string($fname), mysql_escape_string($lname), mysql_escape_string($email), mysql_escape_string($website), intval($user_id));
+ $sql->query("UPDATE users SET show_email='%s', fname='%s', lname='%s', email='%s', website='%s' WHERE user_id='%d'", intval($_POST['show_email']), $fname, $lname, $email, $website, intval($user_id));
$sql->query("DELETE FROM contactinfo WHERE user_id='%d'", $user_id);
if ($_POST['service'])
foreach ($_POST['service'] as $key => $value)
if ($_POST['serviceName'][$key])
- $sql->query("INSERT INTO contactinfo (user_id, service, name) VALUES ('%d', '%s', '%s')", intval($user_id), mysql_escape_string($value), mysql_escape_string($_POST['serviceName'][$key]));
+ $sql->query("INSERT INTO contactinfo (user_id, service, name) VALUES ('%d', '%s', '%s')", intval($user_id), $value, $_POST['serviceName'][$key]);
header(sprintf("Location: index.php?a=users&do=profile&user_id=%d", $user_id));
}
} else {
diff -r 89f7b7aef605 -r 41976c149346 xtras.php
--- a/xtras.php Sun Dec 04 22:13:53 2011 -0500
+++ b/xtras.php Sun Dec 04 22:18:08 2011 -0500
@@ -5,7 +5,7 @@
case "add_comment":
if ($_POST['comment'] && $_POST['xtra_id']) {
if (currentUID()) {
- $sql->query("INSERT INTO comments (xtra_id, parent_id, comment, user_id, posted) VALUES ('%d', '%d', '%s', '%d', NOW())", intval($_POST['xtra_id']), intval($_POST['parent_id']), mysql_escape_string(strip_tags($_POST['comment'])), currentUID());
+ $sql->query("INSERT INTO comments (xtra_id, parent_id, comment, user_id, posted) VALUES ('%d', '%d', '%s', '%d', NOW())", intval($_POST['xtra_id']), intval($_POST['parent_id']), strip_tags($_POST['comment']), currentUID());
$newCommentID = $sql->insert_id();
// Email the author about the new comment.