www/adiumxtras.com 63:b8eaa35df880: Use a helper method for $_GETs.
commits at adium.im
commits at adium.im
Sat Nov 21 19:37:47 UTC 2015
details: http://hg.adium.im/www/adiumxtras.com/rev/b8eaa35df880
revision: 63:b8eaa35df880
branch: adiumxtras.com
author: Frank Dowsett <wixardy at adium.im>
date: Thu Oct 08 21:21:41 2015 -0400
Use a helper method for $_GETs.
Subject: www/adiumxtras.com 64:cd3cd13cc40d: Refactor all the mysql queries to use prepared statements.
details: http://hg.adium.im/www/adiumxtras.com/rev/cd3cd13cc40d
revision: 64:cd3cd13cc40d
branch: adiumxtras.com
author: Frank Dowsett <wixardy at adium.im>
date: Sat Nov 21 14:29:22 2015 -0500
Refactor all the mysql queries to use prepared statements.
Subject: www/adiumxtras.com 65:3aafd8c9b4e1: Deprecations--: eregi -> preg_match.
details: http://hg.adium.im/www/adiumxtras.com/rev/3aafd8c9b4e1
revision: 65:3aafd8c9b4e1
branch: adiumxtras.com
author: Frank Dowsett <wixardy at adium.im>
date: Sat Nov 21 14:30:46 2015 -0500
Deprecations--: eregi -> preg_match.
diffs (truncated from 1593 to 1000 lines):
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 advanced_search.php
--- a/advanced_search.php Thu Apr 02 10:05:38 2015 +0200
+++ b/advanced_search.php Sat Nov 21 14:30:46 2015 -0500
@@ -4,9 +4,9 @@
$smarty->assign("title", "Advanced Search");
$smarty->assign("page", "search");
- $sql->query("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
- while ($row = $sql->fetch_assoc())
- $cats[] = $row;
+ $query = $pdo->prepare("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
+ $query->execute();
+ $cats = $query->fetchAll();
$smarty->assign("cats", $cats);
$smarty->display('advancedSearch.tpl');
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 download
--- a/download Thu Apr 02 10:05:38 2015 +0200
+++ b/download Sat Nov 21 14:30:46 2015 -0500
@@ -8,8 +8,9 @@
exit();
}
- $sql->query("SELECT status, user_id, binary_name, title, bin_mime FROM xtras WHERE xtra_id='%d'", $xtra_id);
- list ($status, $user_id, $name, $title, $unapproved, $mime) = $sql->fetch_row();
+ $query = $pdo->prepare("SELECT status, user_id, binary_name, title, bin_mime FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtra_id));
+ list ($status, $user_id, $name, $title, $mime) = $query->fetch(PDO::FETCH_NUM);
if ($status != 'Approved' && $user_id != currentUID() && array_search(userLevel(currentUID()), array("Admin", "Developer", "Moderator")) === FALSE) {
$smarty->assign("title", "Unable to Download");
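Review bot: `$query->fetch(PDO::FETCH_NUM)` returns `false` when no row matches `$xtra_id`, and the new `list (...)` then silently leaves `$status`, `$user_id`, `$name` and `$mime` as null, so the loose `!=` comparisons on the next line run against nulls instead of rejecting the request. Guard the destructure: `$row = $query->fetch(PDO::FETCH_NUM); if ($row === false) { exit(); } list ($status, $user_id, $name, $title, $mime) = $row;` (with whatever "not found" page the rest of this file uses in place of the bare `exit()`). The origin of `$xtra_id` is outside the hunk.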
@@ -32,8 +33,10 @@
exit();
}
- if ($user_id != currentUID())
- $sql->query("UPDATE xtras SET downloads=downloads+1 WHERE xtra_id='%d'", $xtra_id);
+ if ($user_id != currentUID()) {
+ $query = $pdo->prepare("UPDATE xtras SET downloads=downloads+1 WHERE xtra_id=?"
+ $query->execute(array($xtra_id));
+ }
$filename = sprintf("/home/adiumx/public_html/dist/%s", $name);
header(sprintf("X-XtraName: %s", $title));
header("Cache-Control: private", false);
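Review bot: The new `prepare(...)` line inside `if ($user_id != currentUID()) {` is missing its closing parenthesis and semicolon, so this file will not parse: `$query = $pdo->prepare("UPDATE xtras SET downloads=downloads+1 WHERE xtra_id=?");`. Because `download` has no `.php` extension a lint step may skip it, so run `php -l download` explicitly before merging.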
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 download.php
--- a/download.php Thu Apr 02 10:05:38 2015 +0200
+++ b/download.php Sat Nov 21 14:30:46 2015 -0500
@@ -1,1 +1,1 @@
-<?php header(sprintf("Location: download/%s", intval($_GET['xtra_id'])));
\ No newline at end of file
+<?php header(sprintf("Location: download/%s", intval(getParam('xtra_id'))));
\ No newline at end of file
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 include.php
--- a/include.php Thu Apr 02 10:05:38 2015 +0200
+++ b/include.php Sat Nov 21 14:30:46 2015 -0500
@@ -3,7 +3,7 @@
require_once("../sqlpass.php");
require_once("smarty/Smarty.class.php");
-if (!$NO_GZIP_ENCODE)
+if (isset($NO_GZIP_ENCODE) && !$NO_GZIP_ENCODE)
ob_start("ob_gzhandler");
// This is from functions.php of whatever
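Review bot: The new `isset($NO_GZIP_ENCODE) && !$NO_GZIP_ENCODE` condition inverts the default: previously an undefined `$NO_GZIP_ENCODE` enabled gzip output buffering, now it disables it, so every page that never sets the flag loses compression. If the goal was only to silence the undefined-variable notice, the equivalent is `if (empty($NO_GZIP_ENCODE))`. If the change is deliberate it should be stated in the commit message, since nothing else in the diff touches callers.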
@@ -18,50 +18,13 @@
}
// End from
-class SQL {
- var $db = null;
- var $result = null;
-
- function connect($server, $username, $password, $database) {
- // Set up the connection, select the database. One swoop.
- $this->db = mysql_connect($server, $username, $password) or die(mysql_error());
- mysql_select_db($database, $this->db) or die(mysql_error($this->db));
- }
-
- function query() {
- // This is just like sprintf();
- $arguments = func_get_args();
- $numargs = func_num_args();
- $style = $arguments[0];
- unset($arguments[0]);
- $this->result = mysql_query(vsprintf($style, $arguments), $this->db) or die(mysql_error($this->db));
- }
-
- function fetch_row() {
- return mysql_fetch_row($this->result);
- }
-
- function fetch_assoc() {
- return mysql_fetch_assoc($this->result);
- }
-
- function num_rows() {
- return mysql_num_rows($this->result);
- }
-
- function insert_id() {
- return mysql_insert_id($this->db);
- }
-
- function fetch_row_single() {
- list ($single) = $this->fetch_row();
- return $single;
- }
+function getParam($key, $default_value = '') {
+ return isset($_GET[$key]) ? $_GET[$key] : $default_value;
}
class adiumSmarty extends Smarty {
function adiumSmarty() {
- global $sql;
+ global $pdo;
$this->template_dir = '/home/adiumx/public_html/templates';
$this->compile_dir = '/home/adiumx/public_html/smarty/templates_c';
$this->cache_dir = '/home/adiumx/public_html/smarty/cache';
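Review bot: `getParam()` returns whatever `$_GET[$key]` holds, including an array when the query string contains `key[]=...`, and the callers introduced by this commit pass the result straight to `intval()` and `strip_tags()`; `strip_tags()` on an array warns on PHP 7 and throws a TypeError on PHP 8. Returning the default for non-scalar input keeps every caller safe: `return isset($_GET[$key]) && is_scalar($_GET[$key]) ? $_GET[$key] : $default_value;`. A short docblock saying the value is returned unfiltered and that callers must cast or escape it would also help, because the name suggests more than the function does.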
@@ -73,10 +36,12 @@
// We === check for false because it returns the position which can be zero.
if (array_search(userLevel($userID), array("Admin", "Moderator", "Developer")) !== FALSE) {
$this->assign("showMod", 1);
- $sql->query("SELECT count(xtra_id) FROM xtras WHERE status='Pending'");
- $this->assign("modCount", $sql->fetch_row_single());
- $sql->query("SELECT count(*) FROM reported WHERE reviewed='No'");
- $this->assign("reported", $sql->fetch_row_single());
+ $query = $pdo->query("SELECT count(xtra_id) FROM xtras WHERE status='Pending'");
+ $query->execute();
+ $this->assign("modCount", $query->fetchColumn());
+ $query = $pdo->query("SELECT count(*) FROM reported WHERE reviewed='No'");
+ $query->execute();
+ $this->assign("reported", $query->fetchColumn());
}
}
}
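Review bot: `$pdo->query(...)` already executes the statement and returns a ready `PDOStatement`, so the `$query->execute()` that follows on both new branches runs each count query a second time for nothing; with ERRMODE_EXCEPTION it is also an extra place for a database error to throw out of the Smarty constructor. Either drop the two `execute()` calls or use `$pdo->prepare(...)` as the rest of this commit does, e.g. `$query = $pdo->prepare("SELECT count(xtra_id) FROM xtras WHERE status='Pending'");`.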
@@ -84,43 +49,53 @@
// Get the comment count of an xtra
function commentCount ($xtraID) {
- $query = mysql_query(sprintf("SELECT count(comment_id) FROM comments WHERE xtra_id='%d'", $xtraID));
- return implode("", mysql_fetch_row($query));
+ global $pdo;
+ $query = $pdo->prepare("SELECT count(comment_id) FROM comments WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ return $query->fetchColumn();
}
function avgRating($xtraID) {
- $query = mysql_query(sprintf("SELECT AVG(rating) FROM ratings WHERE xtra_id='%d'", $xtraID));
- return round(implode("", mysql_fetch_row($query)), 1);
+ global $pdo;
+ $query = $pdo->prepare("SELECT AVG(rating) FROM ratings WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ return round($query->fetchColumn(), 1);
}
function voteCount($xtraID) {
- $query = mysql_query(sprintf("SELECT count(rating) FROM ratings WHERE xtra_id='%d'", $xtraID));
- return implode("", mysql_fetch_row($query));
+ global $pdo;
+ $query = $pdo->prepare("SELECT count(rating) FROM ratings WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ return $query->fetchColumn();
}
function userInfo($userID) {
- $query = mysql_query(sprintf("SELECT * FROM users WHERE user_id='%d'", $userID));
- return mysql_fetch_assoc($query);
+ global $pdo;
+ $query = $pdo->prepare("SELECT * FROM users WHERE user_id=?");
+ $query->execute(array($userID));
+ return $query->fetch();
}
// We return the user_id to make life simpler.
function validUser($userName, $password) {
- global $sql;
- $sql->query("SELECT user_id FROM users WHERE username='%s' AND password='%s' AND status='Active'", $userName, $password);
- return ($sql->num_rows() > 0) ? $sql->fetch_row_single() : FALSE;
+ global $pdo;
+ $query = $pdo->prepare("SELECT user_id FROM users WHERE username=? AND password=? AND status='Active'");
+ $query->execute(array($userName, $password));
+ return $query->fetchColumn() ?: FALSE;
}
function userLevel($userID) {
- global $sql, $CACHE;
+ global $pdo, $CACHE;
if (!isset($CACHE['userLevel'])) {
- $sql->query("SELECT privs FROM users WHERE user_id='%d'", $userID);
- $CACHE['userLevel'] = ($sql->num_rows() > 0) ? $sql->fetch_row_single() : FALSE;
+ $query = $pdo->prepare("SELECT privs FROM users WHERE user_id=?");
+ $query->execute(array($userID));
+ $CACHE['userLevel'] = $query->fetchColumn() ?: FALSE;
}
return $CACHE['userLevel'];
}
function currentUID() {
- global $sql, $CACHE;
+ global $pdo, $CACHE;
if (!isset($CACHE['currentUID'])) {
if (isset($_COOKIE['xtras_pass'])) {
list ($user, $token, $mac) = explode(':', $_COOKIE['xtras_pass'], 3);
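Review bot: In `avgRating`, `AVG(rating)` is `NULL` for an xtra with no ratings, so `fetchColumn()` yields `null` and `round(null, 1)` relies on implicit coercion, which is deprecated from PHP 8.1; `return round((float) $query->fetchColumn(), 1);` makes the zero explicit. In the same hunk `validUser` and `userLevel` now use `fetchColumn() ?: FALSE`, which is fine for user ids but worth a comment that `?:` also maps a returned `'0'` to `FALSE`. `currentUID()` continues past the end of the hunk.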
@@ -133,12 +108,13 @@
return false;
}
- $sql->query("SELECT user_id FROM users WHERE username='%s' AND status='Active'", $_COOKIE['xtras_user']);
+ $query = $pdo->prepare("SELECT user_id FROM users WHERE username=? AND status='Active'");
+ $query->execute(array($_COOKIE['xtras_user']));
- if ($sql->num_rows() === 0) {
+ if ($query->rowCount() === 0) {
return false;
} else {
- $CACHE['currentUID'] = $sql->fetch_row_single();
+ $CACHE['currentUID'] = $query->fetchColumn();
}
}
}
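Review bot: `PDOStatement::rowCount()` is only defined for statements that modify rows; for a `SELECT` the value is driver-dependent (MySQL reports it for buffered result sets, other drivers return 0), so the new `$query->rowCount() === 0` test here, `ceil($query->rowCount()/5)` in main.php, and `rowCount() < 0` in manage.php's delete case are not something to rely on. The portable form tests the fetched value: `$uid = $query->fetchColumn(); if ($uid === false) { return false; } $CACHE['currentUID'] = $uid;`. `currentUID()` begins before this hunk.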
@@ -146,10 +122,10 @@
}
function modEmails() {
- global $sql;
- $sql->query("SELECT email FROM users WHERE privs in ('Admin', 'Moderator', 'Developer')");
- while (list($email) = $sql->fetch_row())
- $emails[] = $email;
+ global $pdo;
+ $query = $pdo->prepare("SELECT email FROM users WHERE privs in ('Admin', 'Moderator', 'Developer')");
+ $query->execute();
+ $emails = $query->fetchAll(PDO::FETCH_COLUMN);
return implode(",", $emails);
}
@@ -163,14 +139,19 @@
$comments = array();
$comments[] = $cid;
- $query = mysql_query("SELECT comment_id FROM comments WHERE parent_id='" . $cid . "%d'");
- while ($row = mysql_fetch_assoc($query))
+ global $pdo;
+ $query = $pdo->prepare("SELECT comment_id FROM comments WHERE parent_id=?");
+ $query->execute(array($cid));
+ while ($row = $query->fetch())
$comments = array_merge($comments, commentsWithParent($row['comment_id']));
return $comments;
}
-$sql = new SQL();
-$sql->connect("localhost", SQLUSERNAME, SQLPASSWORD, SQLDATABASE);
+$pdo = new PDO("mysql:host=". SQLHOSTNAME .";dbname=" . SQLDATABASE, SQLUSERNAME, SQLPASSWORD);
+$pdo->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
+$pdo->setAttribute( PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC );
+$pdo->setAttribute( PDO::ATTR_EMULATE_PREPARES, false );
+
$smarty = new adiumSmarty();
?>
\ No newline at end of file
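Review bot: `new PDO(...)` throws a `PDOException` on connection failure and nothing catches it, so with `display_errors` on the uncaught exception's message and stack trace, which can include the DSN and constructor arguments, are sent to the client; the removed `SQL::connect` at least died with `mysql_error()` alone. Wrap the construction: `try { $pdo = new PDO(...); } catch (PDOException $e) { error_log($e->getMessage()); exit('Database unavailable'); }` with the three `setAttribute` calls inside the `try`. Two smaller points: the DSN sets no `charset=`, so the connection character set depends on server defaults, and `SQLHOSTNAME` is only valid if `../sqlpass.php` now defines it, which is not visible in this diff.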
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 index.php
--- a/index.php Thu Apr 02 10:05:38 2015 +0200
+++ b/index.php Sat Nov 21 14:30:46 2015 -0500
@@ -1,9 +1,13 @@
-<?php
- if (!$_GET['do'] && $_POST['do'])
- $_GET['do'] = $_POST['do'];
-
- if ($_POST['a']) $_GET['a'] = $_POST['a'];
- switch ($_GET['a']) {
+<?php
+ $action = "";
+ if (!isset($_GET['do']) && isset($_POST['do']))
+ $action = $_POST['do'];
+ else if (isset($_GET['do']))
+ $action = $_GET['do'];
+
+ $page = isset($_GET['a']) ? $_GET['a'] : "";
+ if (isset($_POST['a'])) $page = $_POST['a'];
+ switch ($page) {
case "xtraotm":
include("xtraotm.php");
break;
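Review bot: The new `$action`/`$page` resolution hand-rolls the `isset` fallbacks that the `getParam()` helper added in this same commit exists for; `$page = isset($_POST['a']) ? $_POST['a'] : getParam('a');` reads the same and keeps a single code path for request input. There is also a small behaviour change worth a comment: the old `!$_GET['do']` treated an empty `?do=` as absent and fell back to `$_POST['do']`, whereas `isset()` now lets the empty GET value win.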
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 main.php
--- a/main.php Thu Apr 02 10:05:38 2015 +0200
+++ b/main.php Sat Nov 21 14:30:46 2015 -0500
@@ -6,8 +6,9 @@
$smarty->assign("page", "home");
// Gather category information the category information.
- $sql->query("SELECT cat_id as id, cat_thumb as img, cat_name as name FROM cats ORDER BY sortorder ASC");
- while ($row = $sql->fetch_assoc()) {
+ $query = $pdo->prepare("SELECT cat_id as id, cat_thumb as img, cat_name as name FROM cats ORDER BY sortorder ASC");
+ $query->execute();
+ while ($row = $query->fetch()) {
// Modify the link for the category.
$row["link"] = "index.php?a=search&cat_id=" . $row["id"];
// Modify the image for the category.
@@ -20,12 +21,13 @@
"img" => "images/xtras.png",
"name" => "View All");
// Easier to calculate the rowspan here than to do it in the template.
- $smarty->assign("categoryRowSpan", ceil($sql->num_rows()/5));
+ $smarty->assign("categoryRowSpan", ceil($query->rowCount()/5));
$smarty->assign("categories", $categories);
// Gather recent update information.
- $sql->query("SELECT xtras.title as name, xtras.xtra_id as id, xtras.thumbnail as img, assoc.cat_id as cat_id, cats.cat_name_sing as text FROM xtras, assoc, cats WHERE xtras.xtra_id = assoc.xtra_id AND cats.cat_id = assoc.cat_id AND xtras.status='Approved' ORDER BY date_reviewed DESC LIMIT 8");
- while ($row = $sql->fetch_assoc()) {
+ $query = $pdo->prepare("SELECT xtras.title as name, xtras.xtra_id as id, xtras.thumbnail as img, assoc.cat_id as cat_id, cats.cat_name_sing as text FROM xtras, assoc, cats WHERE xtras.xtra_id = assoc.xtra_id AND cats.cat_id = assoc.cat_id AND xtras.status='Approved' ORDER BY date_reviewed DESC LIMIT 8");
+ $query->execute();
+ while ($row = $query->fetch()) {
$row["link"] = "index.php?a=xtras&xtra_id=" . $row["id"];
if (!$row["img"])
$row["img"] = "/images/ph" . $row["cat_id"] . ".png";
@@ -36,8 +38,9 @@
$smarty->assign("recentUpdates", $recentUpdates);
// Get Xtra of the Moment information
- $sql->query("SELECT xtraotm.xotm_id, users.*, xtras.downloads, xtras.title as name, xtras.description, xtras.xtra_id as id, xtras.thumbnail as img, assoc.cat_id as cat_id, cats.cat_name_sing as text FROM xtraotm, xtras, assoc, cats, users WHERE xtras.xtra_id=xtraotm.xtra_id AND xtras.xtra_id = assoc.xtra_id AND cats.cat_id = assoc.cat_id AND users.user_id = xtras.user_id AND xtras.status='Approved' ORDER BY xotm_id DESC LIMIT 0,1");
- $row = $sql->fetch_assoc();
+ $query = $pdo->prepare("SELECT xtraotm.xotm_id, users.*, xtras.downloads, xtras.title as name, xtras.description, xtras.xtra_id as id, xtras.thumbnail as img, assoc.cat_id as cat_id, cats.cat_name_sing as text FROM xtraotm, xtras, assoc, cats, users WHERE xtras.xtra_id=xtraotm.xtra_id AND xtras.xtra_id = assoc.xtra_id AND cats.cat_id = assoc.cat_id AND users.user_id = xtras.user_id AND xtras.status='Approved' ORDER BY xotm_id DESC LIMIT 0,1");
+ $query->execute();
+ $row = $query->fetch();
$row["link"] = "index.php?a=xtras&xtra_id=" . $row["id"];
if (!$row["img"])
$row["img"] = "/images/ph" . $row["cat_id"] . ".png";
@@ -47,8 +50,9 @@
$row["votes"] = voteCount($row["id"]);
$smarty->assign("xotm", $row);
- $sql->query("SELECT comments.*, users.username FROM comments, users WHERE comments.user_id = users.user_id ORDER BY posted DESC LIMIT 10");
- while ($comment = $sql->fetch_assoc()) {
+ $query = $pdo->prepare("SELECT comments.*, users.username FROM comments, users WHERE comments.user_id = users.user_id ORDER BY posted DESC LIMIT 10");
+ $query->execute();
+ while ($comment = $query->fetch()) {
$comment["user_id"] = $comment['user_id'];
$comment["base_url"] = "http://adiumxtras.com/index.php?a=xtras&xtra_id=" . $comment["xtra_id"];
$comment['com_name'] = $comment['username'];
@@ -56,6 +60,6 @@
}
$smarty->assign("recentComments", $comments);
-
+
$smarty->display("main.tpl");
?>
\ No newline at end of file
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 manage.php
--- a/manage.php Thu Apr 02 10:05:38 2015 +0200
+++ b/manage.php Sat Nov 21 14:30:46 2015 -0500
@@ -11,12 +11,17 @@
// Compare === due to the fact that array_search returns the index (which may be zero).
if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer", "Contributor")) !== FALSE) {
// *pshew*, the user has the ability to do things.
- switch ($_GET['do']) {
+ $xtraID = intval(getParam('xtra_id'));
+ $disable_reason = strip_tags(getParam('disable_reason'));
+ switch ($action) {
case "del_comment":
- if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
- $commentsToDelete = commentsWithParent(intval($_GET['comment_id']));
- if (count($commentsToDelete) > 0)
- $sql->query("DELETE FROM comments WHERE comment_id IN (%s)", implode(",", $commentsToDelete));
+ if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
+ $commentsToDelete = commentsWithParent(intval(getParam('comment_id')));
+ if (count($commentsToDelete) > 0) {
+ $commentsToDelete = implode(",", $commentsToDelete);
+ $query = $pdo->prepare("DELETE FROM comments WHERE comment_id IN (".$commentsToDelete.")");
+ $query->execute();
+ }
header(sprintf("Location: %s", $_SERVER['HTTP_REFERER']));
} else {
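Review bot: The `DELETE FROM comments WHERE comment_id IN (...)` statement is still built by string concatenation, the one query in this refactor that is not parameterised. As written the ids come from `commentsWithParent()`, which is seeded with an `intval()`ed parameter and then reads integer ids from the database, so there is no injection path today, but it is fragile and inconsistent with the commit's goal. Bind them instead: `$placeholders = implode(",", array_fill(0, count($commentsToDelete), "?"));` then `$query = $pdo->prepare("DELETE FROM comments WHERE comment_id IN ($placeholders)");` and `$query->execute($commentsToDelete);`, which also removes the reassignment of `$commentsToDelete` to a string.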
@@ -27,13 +32,16 @@
break;
case "request_approval":
- $sql->query("SELECT xtras.*, assoc.cat_id FROM xtras, assoc WHERE assoc.xtra_id=xtras.xtra_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
- $xtraDetail = $sql->fetch_assoc();
+ $query = $pdo->prepare("SELECT xtras.*, assoc.cat_id FROM xtras, assoc WHERE assoc.xtra_id=xtras.xtra_id AND xtras.xtra_id=?");
+ $query->execute(array($xtraID));
+ $xtraDetail = $query->fetch();
if ($currentUserID == $xtraDetail['user_id'] || array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
$readyForPending = 0;
$isVisual = (array_search($xtraDetail['cat_id'], array(1, 2, 4, 5, 7)) !== FALSE) ? TRUE : FALSE;
- $sql->query("SELECT count(*) FROM images WHERE xtra_id='%d'", $xtraDetail['xtra_id']);
- list ($number) = $sql->fetch_row_single();
+ $query = $pdo->prepare("SELECT count(*) FROM images WHERE xtra_id=?");
+ $query->execute(array($xtraDetail['xtra_id']));
+
+ $number = $query->fetchColumn();
if ($xtraDetail['binary_name']) {
if (!$isVisual)
$readyForPending = 1;
@@ -45,7 +53,8 @@
$smarty->assign("message", "Failed to set pending: No binary file was uploaded");
if ($readyForPending) {
- $sql->query("UPDATE xtras SET status='Pending' WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ $query = $pdo->prepare("UPDATE xtras SET status='Pending' WHERE xtra_id=?");
+ $query->execute(array($xtraID));
$smarty->assign("title", "Now In Pending");
$smarty->assign("message", "Your Xtra is now classified as pending. Please wait a few days for a response from the moderators.");
$smarty->display('message.tpl');
@@ -61,30 +70,38 @@
break;
case "delete":
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- list ($xtraOwner, $status) = $sql->fetch_row();
- if ($sql->num_rows() < 0)
+ $query = $pdo->prepare("SELECT user_id, status FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ list($xtraOwner, $status) = $query->fetch(PDO::FETCH_NUM);
+ if ($query->rowCount() < 0)
break;
if ($currentUserID == $xtraOwner || array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
- if ($_GET['confirm']) {
- $sql->query("SELECT binary_name, thumbnail FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- list ($binaryName, $thumbnail) = $sql->fetch_row();
+ if (getParam('confirm')) {
+ $query = $pdo->prepare("SELECT binary_name, thumbnail FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ list($binaryName, $thumbnail) = $query->fetch(PDO::FETCH_NUM);
checkAndDelete(sprintf("%s%s", $binaryLocation, $binaryName));
checkAndDelete(sprintf("%s%s", $thumbsLocation, $thumbnail));
- $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- while (list ($imgfile, $thumbfile) = $sql->fetch_row()) {
+ $query = $pdo->prepare("SELECT imgfile, thumbfile FROM images WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ while (list ($imgfile, $thumbfile) = $query->fetch(PDO::FETCH_NUM)) {
checkAndDelete(sprintf("%s%s", $picturesLocation, $imgfile));
checkAndDelete(sprintf("%s%s", $picturesLocation, $thumbfile));
}
- $sql->query("DELETE FROM comments WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- $sql->query("DELETE FROM assoc WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- $sql->query("DELETE FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- $sql->query("DELETE FROM ratings WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- $sql->query("DELETE FROM images WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ $query = $pdo->prepare("DELETE FROM comments WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ $query = $pdo->prepare("DELETE FROM assoc WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ $query = $pdo->prepare("DELETE FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ $query = $pdo->prepare("DELETE FROM ratings WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ $query = $pdo->prepare("DELETE FROM images WHERE xtra_id=?");
+ $query->execute(array($xtraID));
header("Location: index.php");
} else {
$smarty->assign("title", "Confirm Delete");
- $smarty->assign("xtra_id", intval($_GET['xtra_id']));
+ $smarty->assign("xtra_id", $xtraID);
$smarty->display("confirmDelete.tpl");
}
} else {
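Review bot: `if ($query->rowCount() < 0) break;` can never be true, since `rowCount()` is non-negative, so a request for a nonexistent `$xtraID` falls through with `$xtraOwner` and `$status` both null from the failed `list(...)`; the old `num_rows() < 0` had the same bug and the commit carried it over. Test the fetched row instead: `$row = $query->fetch(PDO::FETCH_NUM); if ($row === false) break; list($xtraOwner, $status) = $row;`. The `approve`, `enable`, `disable` and `deny` cases below destructure the same way with no guard at all, so their `$currentUserID == $xtraOwner` comparisons should be read with a possibly-null owner in mind.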
@@ -95,19 +112,23 @@
break;
case "approve":
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- list ($xtraOwner, $status) = $sql->fetch_row();
+ $query = $pdo->prepare("SELECT user_id, status FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ list($xtraOwner, $status) = $query->fetch(PDO::FETCH_NUM);
// Get the xtra's category, in case it's a plugin (and only Devs/Admins can approve it)
- $sql->query("SELECT cats.cat_name FROM assoc, cats WHERE assoc.xtra_id='%d' and cats.cat_id = assoc.cat_id", intval($_GET['xtra_id']));
- list($cat_name) = $sql->fetch_row();
+ $query = $pdo->prepare("SELECT cats.cat_name FROM assoc, cats WHERE assoc.xtra_id=? and cats.cat_id = assoc.cat_id");
+ $query->execute(array($xtraID));
+ $cat_name = $query->fetchColumn();
// Does the user have sufficient access to approve?
if (($cat_name == "Plugins" && array_search(userLevel($currentUserID), array("Admin", "Developer")) !== FALSE) || ($cat_name != "Plugins" && array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE)) {
- $sql->query("UPDATE xtras SET status='Approved', date_reviewed=NOW(), reviewer='%d' WHERE xtra_id='%d'", $currentUserID, intval($_GET['xtra_id']));
- $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
- $userInfo = $sql->fetch_assoc();
- mail($userInfo['email'], "Your Xtra Was Approved", sprintf("Your Xtra, %s, was just approved:\n\nhttp://adiumxtras.com/index.php?a=xtras&xtra_id=%d", $userInfo['title'], intval($_GET['xtra_id'])), "From: xtras at adiumxtras.com");
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
+ $query = $pdo->prepare("UPDATE xtras SET status='Approved', date_reviewed=NOW(), reviewer=? WHERE xtra_id=?");
+ $query->execute(array($currentUserID, $xtraID));
+ $query = $pdo->prepare("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id=?");
+ $query->execute(array($xtraID));
+ $userInfo = $query->fetch();
+ mail($userInfo['email'], "Your Xtra Was Approved", sprintf("Your Xtra, %s, was just approved:\n\nhttp://adiumxtras.com/index.php?a=xtras&xtra_id=%d", $userInfo['title'], $xtraID), "From: xtras at adiumxtras.com");
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $xtraID));
} else {
$smarty->assign("title", "Error Editing");
$smarty->assign("message", "You have invalid access to edit this Xtra. Remember: Only moderators can approve plugins.");
@@ -116,16 +137,19 @@
break;
case "enable":
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- list ($xtraOwner, $status) = $sql->fetch_row();
+ $query = $pdo->prepare("SELECT user_id, status FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ list($xtraOwner, $status) = $query->fetch(PDO::FETCH_NUM);
// Does the user have sufficient access to disable?
// Admin/Moderator or *this Xtra's* contributor ONLY
if ($currentUserID == $xtraOwner && array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) === FALSE) {
- $sql->query("UPDATE xtras SET status='Pending' WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", intval($_GET['xtra_id'])));
+ $query = $pdo->prepare("UPDATE xtras SET status='Pending' WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", $xtraID));
} elseif (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
- $sql->query("UPDATE xtras SET status='Approved', disable_reason='' WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
+ $query = $pdo->prepare("UPDATE xtras SET status='Approved', disable_reason='' WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $xtraID));
} else {
$smarty->assign("title", "Error Editing");
$smarty->assign("message", "You have invalid access to edit this Xtra.");
@@ -134,24 +158,28 @@
break;
case "disable":
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- list ($xtraOwner, $status) = $sql->fetch_row();
+ $query = $pdo->prepare("SELECT user_id, status FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ list($xtraOwner, $status) = $query->fetch(PDO::FETCH_NUM);
// Does the user have sufficient access to disable?
// Admin/Moderator or *this Xtra's* contributor ONLY
if ($currentUserID == $xtraOwner && array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) === FALSE) {
- $sql->query("UPDATE xtras SET status='Held' WHERE xtra_id='%d' AND status='Approved'", intval($_GET['xtra_id']));
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
+ $query = $pdo->prepare("UPDATE xtras SET status='Held' WHERE xtra_id=? AND status='Approved'");
+ $query->execute(array($xtraID));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $xtraID));
} elseif (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
- if ($_GET['disable_reason']) {
- $sql->query("UPDATE xtras SET status='Disabled', disable_reason='%s', reviewer='%d' WHERE xtra_id='%d'", strip_tags($_GET['disable_reason']), $currentUserID, intval($_GET['xtra_id']));
- $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
- $userInfo = $sql->fetch_assoc();
- mail($userInfo['email'], "Your Xtra Was Disabled", sprintf("Your Xtra, %s, was just disabled:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $_GET['disable_reason']), "From: xtras at adiumxtras.com");
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", intval($_GET['xtra_id'])));
+ if ($disable_reason) {
+ $query = $pdo->prepare("UPDATE xtras SET status='Disabled', disable_reason=?, reviewer=? WHERE xtra_id=?");
+ $query->execute(array($disable_reason, $currentUserID, $xtraID));
+ $query = $pdo->prepare("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id=?");
+ $query->execute(array($xtraID));
+ $userInfo = $query->fetch();
+ mail($userInfo['email'], "Your Xtra Was Disabled", sprintf("Your Xtra, %s, was just disabled:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $disable_reason), "From: xtras at adiumxtras.com");
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", $xtraID));
} else {
$smarty->assign("do", "disable");
$smarty->assign("title", "Disable An Xtra");
- $smarty->assign("xtra_id", intval($_GET['xtra_id']));
+ $smarty->assign("xtra_id", $xtraID);
$smarty->display("disableForm.tpl");
}
} else {
@@ -162,21 +190,25 @@
break;
case "deny":
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
- list ($xtraOwner, $status) = $sql->fetch_row();
+ $error = null;
+ $query = $pdo->prepare("SELECT user_id, status FROM xtras WHERE xtra_id=?");
+ $query->execute(array($xtraID));
+ list($xtraOwner, $status) = $query->fetch(PDO::FETCH_NUM);
// Does the user have sufficient access to disable?
// Admin/Moderator ONLY
if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
- if ($_GET['disable_reason']) {
- $sql->query("UPDATE xtras SET status='Denied', deny_reason='%s', reviewer='%d' WHERE xtra_id='%d'", strip_tags($_GET['disable_reason']), $currentUserID, intval($_GET['xtra_id']));
- $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
- $userInfo = $sql->fetch_assoc();
- mail($userInfo['email'], "Your Xtra Was Denied", sprintf("Your Xtra, %s, was just denied:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $_GET['disable_reason']), "From: xtras at adiumxtras.com");
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
+ if ($disable_reason) {
+ $query = $pdo->prepare("UPDATE xtras SET status='Denied', deny_reason=?, reviewer=? WHERE xtra_id=?");
+ $query->execute(array($disable_reason, $currentUserID, $xtraID));
+ $query = $pdo->prepare("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id=?");
+ $query->execute(array($xtraID));
+ $userInfo = $query->fetch();
+ mail($userInfo['email'], "Your Xtra Was Denied", sprintf("Your Xtra, %s, was just denied:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $disable_reason), "From: xtras at adiumxtras.com");
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $xtraID));
} else {
$smarty->assign("do", "deny");
$smarty->assign("title", "Deny An Xtra");
- $smarty->assign("xtra_id", intval($_GET['xtra_id']));
+ $smarty->assign("xtra_id", $xtraID);
$smarty->display("disableForm.tpl");
}
} else {
@@ -187,9 +219,11 @@
break;
case "save":
+ $error = null;
$_POST['xtra_id'] = intval($_POST['xtra_id']);
- $sql->query("SELECT user_id, binary_name, status FROM xtras WHERE xtra_id='%d'", intval($_POST['xtra_id']));
- list ($xtraOwner, $binaryName, $status) = $sql->fetch_row();
+ $query = $pdo->prepare("SELECT user_id, binary_name, status FROM xtras WHERE xtra_id=?");
+ $query->execute(array(intval($_POST['xtra_id'])));
+ list($xtraOwner, $binaryName, $status) = $query->fetch(PDO::FETCH_NUM);
// Does the user have sufficient access to edit?
// Admin/Moderator or *this Xtra's* contributor ONLY
if ($currentUserID != $xtraOwner && array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) === FALSE) {
@@ -218,9 +252,11 @@
// Update the static text fields.
// This is, truly, the easy part.
- $sql->query("UPDATE xtras SET title='%s', description='%s', changes='%s', credits='%s', version='%s' WHERE xtra_id='%d'", $_POST['title'], $_POST['description'], $_POST['changes'], $_POST['credits'], $_POST['version'], $_POST['xtra_id']);
+ $query = $pdo->prepare("UPDATE xtras SET title=?, description=?, changes=?, credits=?, version=? WHERE xtra_id=?");
+ $query->execute(array($_POST['title'], $_POST['description'], $_POST['changes'], $_POST['credits'], $_POST['version'], $_POST['xtra_id']));
// Change the category.
- $sql->query("UPDATE assoc SET cat_id='%d' WHERE xtra_id='%d'", intval($_POST['category']), intval($_POST['xtra_id']));
+ $query = $pdo->prepare("UPDATE assoc SET cat_id=? WHERE xtra_id=?");
+ $query->execute(array(intval($_POST['category']), intval($_POST['xtra_id'])));
$mime_exts['application/zip'] = 'zip';
$mime_exts['application/x-gzip'] = 'tgz';
@@ -251,10 +287,13 @@
move_uploaded_file($_FILES['archive']['tmp_name'], $binaryName);
chmod($binaryName, 0644);
- if ($status == 'Approved')
- $sql->query("UPDATE xtras SET binary_name='%s', bin_mime='%s', filesize='%s', bin_updated=NOW(), status='Pending' WHERE xtra_id='%d'", basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), intval($_POST['xtra_id']));
- else
- $sql->query("UPDATE xtras SET binary_name='%s', bin_mime='%s', filesize='%s', bin_updated=NOW() WHERE xtra_id='%d'", basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), intval($_POST['xtra_id']));
+ if ($status == 'Approved') {
+ $query = $pdo->prepare("UPDATE xtras SET binary_name=?, bin_mime=?, filesize=?, bin_updated=NOW(), status='Pending' WHERE xtra_id=?");
+ $query->execute(array(basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), intval($_POST['xtra_id'])));
+ } else {
+ $query = $pdo->prepare("UPDATE xtras SET binary_name=?, bin_mime=?, filesize=?, bin_updated=NOW() WHERE xtra_id=?");
+ $query->execute(array(basename($binaryName), $_FILES['archive']['type'], dlSize($_FILES['archive']['size']), intval($_POST['xtra_id'])));
+ }
}
} else if ($_FILES['archive']['error'] == UPLOAD_ERR_INI_SIZE) {
$error[] = "The archive was too large vs. the PHP .ini file. Please try again.";
@@ -268,8 +307,9 @@
if (!preg_match("/jpe?g|png|gif/", $_FILES['thumbnail']['type'])) {
$error[] = "The thumbnail you provided was not png, gif or jpeg format. Please try again.";
} else {
- $sql->query("SELECT thumbnail FROM xtras WHERE xtra_id='%d'", intval($_POST['xtra_id']));
- $thumbnail = $sql->fetch_row_single();
+ $query = $pdo->prepare("SELECT thumbnail FROM xtras WHERE xtra_id=?");
+ $query->execute(array(intval($_POST['xtra_id'])));
+ $thumbnail = $query->fetchColumn();
if ($thumbnail)
checkAndDelete(sprintf("%s%s", $thumbsLocation, $thumbnail));
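Review bot: The format check at the top of this hunk runs an unanchored pattern over the client-supplied `$_FILES['thumbnail']['type']`, so any Content-Type that merely contains `gif`, `png` or `jpg` passes and a non-image file proceeds to the delete-and-replace path. The file already uses `getimagesize()` for preview images; check the real bytes here instead: `$info = getimagesize($_FILES['thumbnail']['tmp_name']);` `if (!$info || !in_array($info[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG), true))`. The `$thumbnail` value deleted afterwards comes from the database row, which is the right source for that.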
@@ -283,7 +323,8 @@
if ($imgwidth > 50 || $imgheight > 50)
system(sprintf("/usr/bin/convert -size 50x50 %s -resize 50x50 %s", $thumbName, $thumbName), $thumb_error);
- $sql->query("UPDATE xtras SET thumbnail='%s' WHERE xtra_id='%d'", basename($thumbName), intval($_POST['xtra_id']));
+ $query = $pdo->prepare("UPDATE xtras SET thumbnail=? WHERE xtra_id=?");
+ $query->execute(array(basename($thumbName), intval($_POST['xtra_id'])));
}
}
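Review bot: The `convert` call in the context line above interpolates `$thumbName` twice into a shell command with no quoting, and the exit status captured in `$thumb_error` is never inspected within this hunk. `$thumbName` is assembled before the hunk, so whether it can carry shell metacharacters cannot be confirmed from here, but `escapeshellarg($thumbName)` for both occurrences costs nothing and removes the question. Checking `$thumb_error` before recording `basename($thumbName)` in the new UPDATE would also avoid pointing the row at a thumbnail that failed to resize.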
@@ -296,32 +337,38 @@
} elseif (!preg_match("/jpe?g|png|gif/", $_FILES['previewImage']['type'][$key])) {
$error[] = sprintf("The preview image (%s) you provided was not png, gif or jpeg format. Please try again.", $_FILES['previewImage']['name'][$key]);
} else {
- $sql->query("INSERT INTO images SET xtra_id='%d'", intval($_POST['xtra_id']));
- $newImageID = $sql->insert_id();
+ $query = $pdo->prepare("INSERT INTO images SET xtra_id=?");
+ $query->execute(array(intval($_POST['xtra_id'])));
+ $newImageID = $pdo->lastInsertId();
$imageName = sprintf("%s%s_image_%s.%s", $picturesLocation, $baseFileName, $newImageID, $mime_exts[$_FILES['previewImage']['type'][$key]]);
$thumbImgName = sprintf("%s%s_thumb_%s.%s", $picturesLocation, $baseFileName, $newImageID, $mime_exts[$_FILES['previewImage']['type'][$key]]);
list ($imageWidth, $imageHeight) = getimagesize($_FILES['previewImage']['tmp_name'][$key]);
- $sql->query("UPDATE images SET imgfile='%s', iwidth='%d', iheight='%d' WHERE image_id='%d'", basename($imageName), $imageWidth, $imageHeight, $newImageID);
+ $query = $pdo->prepare("UPDATE images SET imgfile=?, iwidth=?, iheight=? WHERE image_id=?");
+ $query->execute(array(basename($imageName), $imageWidth, $imageHeight, $newImageID));
move_uploaded_file($_FILES['previewImage']['tmp_name'][$key], $imageName);
if ($imageWidth > 500 || $imageHeight > 400) {
system(sprintf("/usr/bin/convert -size 450x300 %s -resize 450x300 %s", $imageName, $thumbImgName), $thumb_error);
list ($imageWidth, $imageHeight) = getimagesize($thumbImgName);
- $sql->query("UPDATE images SET thumbfile='%s', twidth='%d', theight='%d' WHERE image_id='%d'", basename($thumbImgName), $imageWidth, $imageHeight, $newImageID);
+ $query = $pdo->prepare("UPDATE images SET thumbfile=?, twidth=?, theight=? WHERE image_id=?");
+ $query->execute(array(basename($thumbImgName), $imageWidth, $imageHeight, $newImageID));
}
}
}
if ($_POST['delete']) {
- $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d' AND image_id IN (%s)", intval($_POST['xtra_id']), implode(",", $_POST['delete']));
- while (list($imgfile, $thumbfile) = $sql->fetch_row()) {
+ $qMarks = rtrim(str_repeat('?,', count($_POST['delete'])), ',');
+ $query = $pdo->prepare("SELECT imgfile, thumbfile FROM images WHERE xtra_id=? AND image_id IN ($qMarks)");
+ $query->execute(array_merge(array(intval($_POST['xtra_id'])), $_POST['delete']));
+ while (list ($imgfile, $thumbfile) = $query->fetch(PDO::FETCH_NUM)) {
checkAndDelete(sprintf("%s%s", "/home/adiumx/public_html/images/pictures/", $imgfile));
checkAndDelete(sprintf("%s%s", "/home/adiumx/public_html/images/pictures/", $thumbfile));
}
- $sql->query("DELETE FROM images WHERE xtra_id='%d' AND image_id IN (%s)", intval($_POST['xtra_id']), implode(",", $_POST['delete']));
+ $query = $pdo->prepare("DELETE FROM images WHERE xtra_id=? AND image_id IN ($qMarks)");
+ $query->execute(array_merge(array(intval($_POST['xtra_id'])), $_POST['delete']));
}
$smarty->assign("title", "Xtra Saved");
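Review bot: The delete branch feeds `$_POST['delete']` straight into `count()`, `array_merge()` and the `IN ($qMarks)` parameter list, so a non-array value (a plain `delete=1`) breaks `count()` and `array_merge()` and the values are never cast to the integer ids the column holds. Normalise once and reuse it in both statements: `$deleteIDs = array_map('intval', (array)$_POST['delete']);` `$qMarks = rtrim(str_repeat('?,', count($deleteIDs)), ',');` `$query->execute(array_merge(array(intval($_POST['xtra_id'])), $deleteIDs));`. The prepared statement removes the old SQL-injection path here, which is the commit's point; the `convert` invocation in the middle of the hunk still passes `$imageName` and `$thumbImgName` unquoted to the shell and should get `escapeshellarg()`. The surrounding `if ($_POST['delete'])` guard already keeps an empty list from producing `IN ()`.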
@@ -333,9 +380,11 @@
case "create_xtra":
if ($_POST['name'] && $_POST['category']) {
// Yeehaw, let's create it and redirect them.
- $sql->query("INSERT INTO xtras (user_id, title, status, date_added) VALUES ('%d', '%s', 'Build', NOW())", $currentUserID, strip_tags($_POST['name']));
- $newID = $sql->insert_id();
- $sql->query("INSERT INTO assoc (xtra_id, cat_id) VALUES ('%d', '%d')", $newID, intval($_POST['category']));
+ $query = $pdo->prepare("INSERT INTO xtras (user_id, title, status, date_added) VALUES (?, ?, 'Build', NOW())");
+ $query->execute(array($currentUserID, strip_tags($_POST['name'])));
+ $newID = $pdo->lastInsertId();
+ $query = $pdo->prepare("INSERT INTO assoc (xtra_id, cat_id) VALUES (?, ?)");
+ $query->execute(array($newID, intval($_POST['category'])));
header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", $newID));
} else {
// Somehow they failed the easiest thing in the world, filling out one field.
@@ -349,8 +398,9 @@
break;
case "submit":
- $sql->query("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
- while ($row = $sql->fetch_assoc())
+ $query = $pdo->prepare("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
+ $query->execute();
+ while ($row = $query->fetch())
$cats[] = $row;
$smarty->assign("cats", $cats);
$smarty->assign("title", "Submit an Xtra");
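Review bot: `$cats` is only assigned inside the fetch loop, so when the category query returns no rows the following `$smarty->assign("cats", $cats)` reads an undefined variable. The massmail.php and minicat.php hunks in this same change use `$cats = $query->fetchAll();`, which yields an empty array in that case; replacing the two-line loop with that call makes the three copies consistent. The enclosing `switch` continues past the end of the hunk.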
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 massmail.php
--- a/massmail.php Thu Apr 02 10:05:38 2015 +0200
+++ b/massmail.php Sat Nov 21 14:30:46 2015 -0500
@@ -11,12 +11,12 @@
exit();
}
- switch ($_GET['do']) {
+ switch ($action) {
case "send":
if (!$_POST['cats'] || !$_POST['subject']) {
- $sql->query("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
- while ($row = $sql->fetch_assoc())
- $cats[] = $row;
+ $query = $pdo->prepare("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
+ $query->execute();
+ $cats = $query->fetchAll();
$smarty->assign("cats", $cats);
$smarty->assign("title", "Mass Mail");
$smarty->assign("subject", $_POST['subject']);
@@ -25,10 +25,11 @@
$smarty->display('massmail.tpl');
break;
}
- $searchedCategories = implode(",", $_POST['cats']);
- $sql->query("SELECT DISTINCT users.username AS username, users.email AS email FROM xtras, assoc, users WHERE xtras.status='Approved' AND xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id IN(%s)", $searchedCategories);
- $count = $sql->num_rows();
- while ($row = $sql->fetch_assoc()) {
+ $qMarks = rtrim(str_repeat('?,', count($_POST['cats'])), ',');
+ $query = $pdo->prepare("SELECT DISTINCT users.username AS username, users.email AS email FROM xtras, assoc, users WHERE xtras.status='Approved' AND xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id IN($qMarks)");
+ $query->execute(array($_POST['cats']));
+ $count = $query->rowCount();
+ while ($row = $query->fetch()) {
$message = str_replace("%username%", $row['username'], $_POST['mail']);
mail($row['email'], "[Adium Xtras] ". $_POST['subject'], $message, "From: xtras at adiumxtras.com\r\n");
}
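Review bot: `$query->execute(array($_POST['cats']))` wraps the category list in another array, so a statement prepared with `count($_POST['cats'])` placeholders receives one (array-valued) parameter; execute() fails, the loop body never runs and no mail goes out. Pass the list itself, cast to the integer ids the column expects: `$catIDs = array_map('intval', (array)$_POST['cats']);` `$qMarks = rtrim(str_repeat('?,', count($catIDs)), ',');` `$query->execute($catIDs);`. `$_POST['subject']` is also concatenated into mail()'s subject parameter; a CR/LF in it can inject additional headers unless this PHP version's mail() rejects them, so strip line breaks before use. `rowCount()` on a SELECT is driver-dependent; incrementing `$count` inside the loop is portable.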
@@ -39,9 +40,9 @@
break;
default:
- $sql->query("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
- while ($row = $sql->fetch_assoc())
- $cats[] = $row;
+ $query = $pdo->prepare("SELECT cat_id, cat_name FROM cats WHERE allow_submit='Yes' ORDER BY sortorder");
+ $query->execute();
+ $cats = $query->fetchAll();
$smarty->assign("cats", $cats);
$smarty->assign("title", "Mass Mail");
$smarty->display('massmail.tpl');
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 minicat.php
--- a/minicat.php Thu Apr 02 10:05:38 2015 +0200
+++ b/minicat.php Sat Nov 21 14:30:46 2015 -0500
@@ -1,7 +1,7 @@
<?php
-$sql->query("SELECT cat_id, cat_name, cat_code FROM cats ORDER BY sortorder");
-while ($category = $sql->fetch_assoc())
- $categories[] = $category;
+$query = $pdo->prepare("SELECT cat_id, cat_name, cat_code FROM cats ORDER BY sortorder");
+$query->execute();
+$categories = $query->fetchAll();
// Add the "all" category, since it's not in the SQL table.
$categories[] = array("cat_name" => "All", "cat_id" => "all", "cat_code" => "xtras");
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 reported.php
--- a/reported.php Thu Apr 02 10:05:38 2015 +0200
+++ b/reported.php Sat Nov 21 14:30:46 2015 -0500
@@ -8,19 +8,24 @@
exit();
}
- switch ($_GET['do']) {
+ switch ($action) {
case "dequeue":
- $sql->query("UPDATE reported SET reviewed='Yes' WHERE reported_id='%d'", intval($_GET['reported_id']));
+ $reportedID = getParam('reported_id', 0);
+ $query = $pdo->prepare("UPDATE reported SET reviewed='Yes' WHERE reported_id=?");
+ $query->execute(array($reportedID));
header("Location: index.php?a=reported");
break;
default:
- $sql->query("SELECT * FROM reported WHERE reviewed='No'");
- while ($row = $sql->fetch_assoc()) {
- $query = mysql_query(sprintf("SELECT xtras.*, cats.* FROM xtras, cats, assoc WHERE xtras.xtra_id=assoc.xtra_id AND cats.cat_id = assoc.cat_id AND xtras.xtra_id='%d'", $row['xtra_id']));
- $row["xtra"] = mysql_fetch_assoc($query);
- $query = mysql_query(sprintf("SELECT * FROM comments WHERE comment_id='%d'", $row['comment_id']));
- $row["commentInfo"] = mysql_fetch_assoc($query);
+ $query = $pdo->prepare("SELECT * FROM reported WHERE reviewed='No'");
+ $query->execute();
+ $xtraQuery = $pdo->prepare("SELECT xtras.*, cats.* FROM xtras, cats, assoc WHERE xtras.xtra_id=assoc.xtra_id AND cats.cat_id = assoc.cat_id AND xtras.xtra_id=?");
+ $commentQuery = $pdo->prepare("SELECT * FROM comments WHERE comment_id=?");
+ while ($row = $query->fetch()) {
+ $xtraQuery->execute(array($row['xtra_id']));
+ $row["xtra"] = $xtraQuery->fetch();
+ $commentQuery->execute(array($row['comment_id']));
+ $row["commentInfo"] = $commentQuery->fetch();
if (intval($row["user"]) == $row["user"])
$row["userInfo"] = userInfo($row["user"]);
$comments[] = $row;
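Review bot: The `dequeue` case drops the `intval()` the removed line applied, binding `getParam('reported_id', 0)` as-is; injection is no longer possible through the prepared statement, but a non-numeric value is now compared as a string, and the `0` default shows an integer was intended. Keep the cast: `$reportedID = intval(getParam('reported_id', 0));`. getParam is the helper introduced by the earlier commit and is defined outside this view, so what it returns for a missing key is assumed from the default argument. The action also changes state on a GET request with no visible CSRF token; the permission check above the hunk is only partly in view, so I cannot tell what already guards it.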
diff -r 171bd5f90e0f -r 3aafd8c9b4e1 search.php
--- a/search.php Thu Apr 02 10:05:38 2015 +0200
+++ b/search.php Sat Nov 21 14:30:46 2015 -0500
@@ -6,20 +6,22 @@
// Assign the standard stuff.
$catInfo = array("cat_id" => "all", "cat_name" => "All", "cat_thumb" => "xtras.png", "left_pad" => "60");
-
- if ($_GET["cat_id"] != "all" && $_GET["cat_id"]) {
- $sql->query("SELECT cat_id, cat_name, cat_thumb, left_pad FROM cats WHERE cat_id='%d'", intval($_GET["cat_id"]));
- $catInfo = $sql->fetch_assoc();
+
+ $catID = getParam("cat_id");
+ if ($catID && $catID != "all") {
+ $query = $pdo->prepare("SELECT cat_id, cat_name, cat_thumb, left_pad FROM cats WHERE cat_id=?");
+ $query->execute(array(intval($catID)));
+ $catInfo = $query->fetch();
}
-
- $_GET["start"] = intval($_GET["start"]);
+
+ $startPosition = intval(getParam("start", 0));
$smarty->assign("catInfo", $catInfo);
$searchTerms = "";
// Validate search terms.
- if ($_GET['s']) {
- $keys = $_GET['s'];
+ $keys = getParam('s');
+ if ($keys) {
// Add it to the search field.
$smarty->assign("searchValue", htmlspecialchars(stripslashes($keys)));
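Review bot: `$catInfo = $query->fetch();` replaces the default array with `false` when the requested cat_id has no row, so later code that reads `$catInfo["cat_id"]` and `$catInfo["cat_name"]` (the title and the query selection in the following hunks) sees nulls instead of the "All" fallback that was set up just above. Keep the default when nothing matches: `if ($row = $query->fetch()) $catInfo = $row;`. The previous mysql-based code had the same gap, so this is not a regression, but the rewrite is the moment to close it.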
@@ -37,29 +39,33 @@
}
$searchTerms = "(" . implode(" AND ", $where) . ") AND ";
}
-
- if ($_GET['user']) {
- $sql->query("SELECT user_id FROM users WHERE username LIKE '%s'", $_GET['user']);
- $_GET['user_id'] = $sql->fetch_row_single();
+
+ $userID = intval(getParam('user_id'));
+ $user = getParam('user');
+ if ($user) {
+ $query = $pdo->prepare("SELECT user_id FROM users WHERE username LIKE ?");
+ $query->execute(array($user));
+ $userID = $query->fetchColumn();
}
// Only show approved Xtras, unless... (see below)
$showApproved = " AND xtras.status='Approved'";
- if ($_GET['user_id']) {
- $sql->query("SELECT username FROM users WHERE user_id='%d'", intval($_GET['user_id']));
- $byUserName = $sql->fetch_row_single();
+ if ($userID) {
+ $query = $pdo->prepare("SELECT username FROM users WHERE user_id=?");
+ $query->execute(array($userID));
+ $byUserName = $query->fetchColumn();
// If the user is searching themselves, show even unapproved Xtras.
$currentUserID = currentUID();
- if ($_GET['user_id'] == $currentUserID || array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE)
+ if ($userID == $currentUserID || array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE)
$showApproved = "";
- if ($_GET['user_id'] == $currentUserID)
+ if ($userID == $currentUserID)
$smarty->assign("page", "myxtras");
- $smarty->assign("byUID", intval($_GET['user_id']));
+ $smarty->assign("byUID", $userID);
$smarty->assign("byUIDUsername", $byUserName);
- $searchTerms .= sprintf("xtras.user_id='%d' AND", intval($_GET['user_id']));
+ $searchTerms .= sprintf("xtras.user_id='%d' AND", $userID);
}
- switch ($_GET['do']) {
+ switch ($action) {
case "queue":
$showApproved = " AND xtras.status='Pending'";
if (array_search(userLevel(currentUID()), array("Admin", "Developer")) === FALSE)
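Review bot: `username LIKE ?` binds the raw `user` parameter as a LIKE pattern, so `%` and `_` in it act as wildcards: `?user=%` resolves to whichever user the database returns first, and prefixes ending in `%` let usernames be enumerated one character at a time. Unless wildcard lookup is intended, use equality: `$query = $pdo->prepare("SELECT user_id FROM users WHERE username = ?");`, or escape the pattern with `addcslashes($user, '%_\\')` before binding. The resulting `$userID` only unlocks unapproved Xtras when it equals the current user's id, so this is an enumeration issue rather than a privilege one. The `switch ($action)` at the bottom of the hunk continues past it.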
@@ -70,46 +76,54 @@
}
if ($keys)
- $smarty->assign("title", sprintf("Categories: %s, Search: %s", $catInfo["cat_name"], htmlspecialchars(stripslashes($_GET['s']))));
+ $smarty->assign("title", sprintf("Categories: %s, Search: %s", $catInfo["cat_name"], htmlspecialchars(stripslashes($keys))));
else
- if ($_GET['user_id'])
- $smarty->assign("title", sprintf("Categories: %s, User: %s (%d)", $catInfo["cat_name"], $byUserName, $_GET['user_id']));
+ if ($userID)
+ $smarty->assign("title", sprintf("Categories: %s, User: %s (%d)", $catInfo["cat_name"], $byUserName, $userID));
else
$smarty->assign("title", sprintf("Categories: %s", $catInfo["cat_name"]));
// Sort by is sent by the browser. Checks to ensure it's a valid one before
// it'll use it in any SQL, etc.
- if (array_search($_GET["sort"], array("date_reviewed", "downloads", "ranking")) === FALSE)
- $_GET['sort'] = "ranking";
- if ($_GET['type'] == "rss")
- $_GET['sort'] = "date_reviewed";
- $smarty->assign("sort", $_GET["sort"]);
+ $sort = getParam("sort");
+ if (array_search($sort, array("date_reviewed", "downloads", "ranking")) === FALSE)
+ $sort = "ranking";
+
+ $type = getParam('type');
+ if ($type == "rss")
+ $sort = "date_reviewed";
+ $smarty->assign("sort", $sort);
// Get the actual xtras.
// Not converting the date entries to timestamps is unrealistic given how poorly smarty handles operators on them.
if ($catInfo["cat_id"] != "all") {
- $sql->query("SELECT count(*) FROM xtras, assoc, users WHERE %s xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id='%d' %s", $searchTerms, $catInfo["cat_id"], $showApproved);
- $smarty->assign("total", $sql->fetch_row_single());
- $sql->query("SELECT xtras.*, UNIX_TIMESTAMP(xtras.bin_updated) as bin_added, UNIX_TIMESTAMP(xtras.date_added) as date_added, UNIX_TIMESTAMP(date_reviewed) AS date_reviewed, assoc.cat_id, users.username FROM xtras, assoc, users WHERE %s xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id='%d' %s ORDER BY %s DESC LIMIT %d,%d", $searchTerms, $catInfo["cat_id"], $showApproved, $_GET["sort"], $_GET["start"], PERPAGE);
+ $query = $pdo->prepare("SELECT count(*) FROM xtras, assoc, users WHERE $searchTerms xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id=? $showApproved");
+ $query->execute(array($catInfo["cat_id"]));
+ $smarty->assign("total", $query->fetchColumn());
+ $query = $pdo->prepare("SELECT xtras.*, UNIX_TIMESTAMP(xtras.bin_updated) as bin_added, UNIX_TIMESTAMP(xtras.date_added) as date_added, UNIX_TIMESTAMP(date_reviewed) AS date_reviewed, assoc.cat_id, users.username FROM xtras, assoc, users WHERE $searchTerms xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id=? $showApproved ORDER BY ? DESC LIMIT ?,?");
+ $query->execute(array($catInfo["cat_id"], $sort, $startPosition, PERPAGE));
} else {
- $sql->query("SELECT count(*) FROM xtras, assoc, users, cats WHERE %s xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id = cats.cat_id %s", $searchTerms, $showApproved);
- $smarty->assign("total", $sql->fetch_row_single());
- $sql->query("SELECT xtras.*, UNIX_TIMESTAMP(xtras.bin_updated) as bin_added, UNIX_TIMESTAMP(xtras.date_added) as date_added, UNIX_TIMESTAMP(date_reviewed) AS date_reviewed, users.username, cats.cat_name, cats.cat_id FROM xtras, assoc, users, cats WHERE %s xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id = cats.cat_id %s ORDER BY %s DESC LIMIT %d,%d", $searchTerms, $showApproved, $_GET["sort"], $_GET["start"], PERPAGE);
+ $query = $pdo->prepare("SELECT count(*) FROM xtras, assoc, users, cats WHERE $searchTerms xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id = cats.cat_id $showApproved");
+ $query->execute();
+ $smarty->assign("total", $query->fetchColumn());
+ $query = $pdo->prepare("SELECT xtras.*, UNIX_TIMESTAMP(xtras.bin_updated) as bin_added, UNIX_TIMESTAMP(xtras.date_added) as date_added, UNIX_TIMESTAMP(date_reviewed) AS date_reviewed, users.username, cats.cat_name, cats.cat_id FROM xtras, assoc, users, cats WHERE $searchTerms xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id = cats.cat_id $showApproved ORDER BY ? DESC LIMIT ?,?");
+ $query->execute(array($sort, $startPosition, PERPAGE));
}
- $smarty->assign("curPage", $_GET["start"]);
+ $smarty->assign("curPage", $startPosition);
$smarty->assign("perPage", PERPAGE);
- $smarty->assign("pagerURL", sprintf("index.php?a=search&cat_id=%s&sort=%s&user_id=%d&s=%s&start=%%d%s", $catInfo["cat_id"], $_GET["sort"], intval($_GET['user_id']), str_replace("%", "%%", $_GET["s"]), ($_GET['do'] == "queue") ? "&do=queue" : ""));
-
- while ($row = $sql->fetch_assoc()) {
- if ($_GET['type'] != "rss") {
+ $escaped_keys = str_replace("%", "%%", $keys);
+ $smarty->assign("pagerURL", sprintf("index.php?a=search&cat_id=%s&sort=%s&user_id=%d&s=%s&start=%%d%s", $catInfo["cat_id"], $sort, $userID, $escaped_keys, ($action == "queue") ? "&do=queue" : ""));
+ $xtrasList = null;
+ while ($row = $query->fetch()) {
+ if ($type != "rss") {
$row["commentCount"] = commentCount($row["xtra_id"]);
$row["rating"] = avgRating($row["xtra_id"]);
$row["votes"] = voteCount($row["xtra_id"]);
}
- if ($row["cat_name"] == "Miscellaneous" || $catInfo["cat_name"] == "Miscellaneous") {
+ if ((isset($row["cat_name"]) && $row["cat_name"] == "Miscellaneous") || $catInfo["cat_name"] == "Miscellaneous") {
$row["showInstall"] = "No";
} else {
$row["showInstall"] = "Yes";
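Review bot: `ORDER BY ? DESC LIMIT ?,?` in both new SELECTs does not reproduce the removed sprintf: a bound parameter in ORDER BY is a string literal, so the result is unordered whatever `$sort` holds, and `execute(array(...))` binds every value as a string, which on pdo_mysql with emulated prepares (the default) renders `LIMIT '0','20'` and a syntax error. `$sort` has just been whitelisted against three column names a few lines up, so interpolating it is safe; the LIMIT values must be bound with `PDO::PARAM_INT`. `$searchTerms` and `$showApproved` are interpolated as well; `$showApproved` is built from fixed strings in the previous hunk, but the `$where` clauses behind `$searchTerms` are assembled before it and I cannot confirm here that they are escaped. The "all" branch needs the same change with parameters 1 and 2.

```php
// … unchanged: count(*) query for the category branch …
$query = $pdo->prepare("SELECT xtras.*, UNIX_TIMESTAMP(xtras.bin_updated) as bin_added, UNIX_TIMESTAMP(xtras.date_added) as date_added, UNIX_TIMESTAMP(date_reviewed) AS date_reviewed, assoc.cat_id, users.username FROM xtras, assoc, users WHERE $searchTerms xtras.xtra_id=assoc.xtra_id AND xtras.user_id = users.user_id AND assoc.cat_id=? $showApproved ORDER BY $sort DESC LIMIT ?,?");
$query->bindValue(1, $catInfo["cat_id"]);
$query->bindValue(2, $startPosition, PDO::PARAM_INT);
$query->bindValue(3, PERPAGE, PDO::PARAM_INT);
$query->execute();
// … unchanged: "all" branch, same pattern with $sort interpolated and LIMIT bound as PDO::PARAM_INT …
```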
@@ -128,11 +142,11 @@
$smarty->assign("sortBy", $sortInfo);
// This is for the 'micro' menu at the top.
- if ($_GET['type'] != "rss")
+ if ($type != "rss")
include("minicat.php");
$smarty->assign("categories", $categories);
- if ($_GET['type'] == "rss") {
+ if ($type == "rss") {
header("Content-type: application/rss+xml\n");