From 211e191b50691980b1c66e68527072eaaf271151 Mon Sep 17 00:00:00 2001
From: "green-ponies (jgen)" <jgen.tech@gmail.com>
Date: Mon, 16 Jan 2012 17:30:06 -0500
Subject: [PATCH] Removing unnecessary and incorrect mysql_real_escape_string()
 calls.

---
 contrib/artists/main.php | 94 +++++++++-------------------------------
 contrib/forum/main.php   |  6 +--
 contrib/notes/main.php   |  2 +-
 3 files changed, 25 insertions(+), 77 deletions(-)

diff --git a/contrib/artists/main.php b/contrib/artists/main.php
index f035224a..e4a5a803 100644
--- a/contrib/artists/main.php
+++ b/contrib/artists/main.php
@@ -130,10 +130,7 @@ class Artists implements Extension {
         }
 
         $database->execute("UPDATE images SET author = ? WHERE id = ?"
-            , array(
-                mysql_real_escape_string($artistName)
-                , $event->image->id
-            ));
+            , array($artistName, $event->image->id));
     }
     public function handle_commands($event)
     {
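Review bot: With the pre-escaping removed, the new `array($artistName, $event->image->id)` argument to the `UPDATE images` call is only safe if `$database->execute` binds the `?` placeholders as parameters instead of splicing them into the SQL text; the wrapper is outside this diff, so that should be confirmed once for all the calls this patch touches. The removed calls were wrong in kind, not merely redundant: `mysql_real_escape_string()` escapes for a string-literal context that a bound parameter never enters, and it needs an open `mysql_*` link, so on a wrapper that does not use the mysql extension it emits a warning and returns `false` instead of the value. As a style point, the rewritten argument lists are spaced inconsistently — `array($artistName, ...)` here but `array( $name, $notes, $userID, $artistID )` in the `UPDATE artists` hunk and most later ones; pick one form for the file. `handle_commands` begins on the last line of this hunk and its body is outside it.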
@@ -434,7 +431,7 @@ class Artists implements Extension {
     {
         global $database;
 
-        $result = $database->get_one("SELECT COUNT(1) FROM artist_urls WHERE url = ?", array(mysql_real_escape_string($url)));
+        $result = $database->get_one("SELECT COUNT(1) FROM artist_urls WHERE url = ?", array($url));
         return ($result != 0);
     }
 
@@ -442,7 +439,7 @@ class Artists implements Extension {
     {
         global $database;
 
-        $result = $database->get_one("SELECT COUNT(1) FROM artist_members WHERE name = ?", array(mysql_real_escape_string($member)));
+        $result = $database->get_one("SELECT COUNT(1) FROM artist_members WHERE name = ?", array($member));
         return ($result != 0);
     }
 
@@ -450,7 +447,7 @@ class Artists implements Extension {
     {
         global $database;
 
-        $result = $database->get_one("SELECT COUNT(1) FROM artist_alias WHERE alias = ?", array(mysql_real_escape_string($alias)));
+        $result = $database->get_one("SELECT COUNT(1) FROM artist_alias WHERE alias = ?", array($alias));
         return ($result != 0);
     }
 
@@ -460,23 +457,21 @@ class Artists implements Extension {
         global $database;
 
         $result = $database->get_one("SELECT COUNT(1) FROM artist_alias WHERE artist_id = ? AND alias = ?", array(
-                $artistID
-                , mysql_real_escape_string($alias)
-            ));
+                $artistID, $alias));
         return ($result != 0);
     }
 
     private function get_artistID_by_url($url)
     {
         global $database;
-        $result = $database->get_row("SELECT artist_id FROM artist_urls WHERE url = ?", array(mysql_real_escape_string($url)));
+        $result = $database->get_row("SELECT artist_id FROM artist_urls WHERE url = ?", array($url));
         return $result['artist_id'];
     }
 
     private function get_artistID_by_memberName($member)
     {
         global $database;
-        $result = $database->get_row("SELECT artist_id FROM artist_members WHERE name = ?", array(mysql_real_escape_string($member)));
+        $result = $database->get_row("SELECT artist_id FROM artist_members WHERE name = ?", array($member));
         return $result['artist_id'];
     }
     private function get_artistName_by_artistID($artistID)
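Review bot: The lookups `get_one("... WHERE artist_id = ? AND alias = ?")`, `get_row("SELECT artist_id FROM artist_urls WHERE url = ?")` and `get_row("SELECT artist_id FROM artist_members WHERE name = ?")` now bind the raw value, but any row written by the old code path stored the double-escaped form (a URL or name containing `'`, `"` or `\` was saved with an extra backslash), so those rows will no longer match and `$result['artist_id']` will be read from a `false`/empty result. The same applies to the `url_exists`, `member_exists`, `alias_exists` and `artist_exists` hunks above and below. A one-off data clean-up that strips the stray backslashes from `artist_urls.url`, `artist_members.name`, `artist_alias.alias` and `artists.name` should accompany this change, or at least be mentioned in the commit message. Independently, `get_artistID_by_url` and `get_artistID_by_memberName` index `$result['artist_id']` without checking that a row was returned; a guard such as `return $result ? $result['artist_id'] : null;` would make the no-match case explicit.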
@@ -622,12 +617,7 @@ class Artists implements Extension {
 
         global $database;
         $database->execute("UPDATE artists SET name = ?, notes = ?, updated = now(), user_id = ? WHERE id = ? "
-            , array(
-                mysql_real_escape_string($name)
-                , mysql_real_escape_string($notes)
-                , $userID
-                , $artistID
-            ));
+            , array( $name, $notes, $userID, $artistID ));
 
         // ALIAS MATCHING SECTION
         $i = 0;
@@ -718,11 +708,7 @@ class Artists implements Extension {
 
         global $database;
         $database->execute("UPDATE artist_alias SET alias = ?, updated = now(), user_id  = ? WHERE id = ? "
-            , array(
-                mysql_real_escape_string($alias)
-                , $userID
-                , $aliasID
-            ));
+            , array( $alias, $userID, $aliasID ));
     }
 
     private function update_url()
@@ -747,11 +733,7 @@ class Artists implements Extension {
 
         global $database;
         $database->execute("UPDATE artist_urls SET url = ?, updated = now(), user_id = ? WHERE id = ?"
-            , array(
-                mysql_real_escape_string($url)
-                , $userID
-                , $urlID
-            ));
+            , array( $url, $userID, $urlID ));
     }
 
     private function update_member()
@@ -777,11 +759,7 @@ class Artists implements Extension {
         global $database;
 		
         $database->execute("UPDATE artist_members SET name = ?, updated = now(), user_id = ? WHERE id = ?"
-            , array(
-                mysql_real_escape_string($memberName)
-                , $userID
-                , $memberID
-            ));
+            , array( $memberName, $userID, $memberID ));
     }
 
     /*
@@ -853,11 +831,7 @@ class Artists implements Extension {
                     (user_id, name, notes, created, updated)
             VALUES
                     (?, ?, ?, now(), now())",
-            array(
-                $user->id
-                , mysql_real_escape_string($name)
-                , mysql_real_escape_string($notes)
-            ));
+            array( $user->id, $name, $notes ));
 
         $result = $database->get_row("SELECT LAST_INSERT_ID() AS artistID", array());
 
@@ -871,9 +845,7 @@ class Artists implements Extension {
         global $database;
 
         $result = $database->get_one("SELECT COUNT(1) FROM artists WHERE name = ?"
-            , array(
-                mysql_real_escape_string($name)
-            ));
+            , array($name));
         return ($result != 0);
     }
 
@@ -937,9 +909,7 @@ class Artists implements Extension {
 	private function get_artist_id($name){
 		global $database;
 		$artistID = $database->get_row("SELECT id FROM artists WHERE name = ?"
-                    , array(
-                        mysql_real_escape_string($name)
-                    ));
+                    , array( $name ));
 		return $artistID['id'];
 	}
 
@@ -948,9 +918,7 @@ class Artists implements Extension {
             global $database;
 
             $artistID = $database->get_row("SELECT artist_id FROM artist_alias WHERE alias = ?"
-                , array(
-                    mysql_real_escape_string($alias)
-                ));
+                , array( $alias ));
             return $artistID["artist_id"];
         }
 	
@@ -964,9 +932,7 @@ class Artists implements Extension {
 
             global $database;
             $database->execute("DELETE FROM artists WHERE id = ? "
-                , array(
-                    $artistID
-                ));
+                , array( $artistID ));
 	}
 	
 	
@@ -1090,11 +1056,7 @@ class Artists implements Extension {
 
             global $database;
             $database->execute("INSERT INTO artist_urls (artist_id, created, updated, url, user_id) VALUES (?, now(), now(), ?, ?)"
-                , array(
-                    $artistID
-                    , mysql_real_escape_string($url)
-                    , $userID
-                ));
+                , array( $artistID, $url, $userID ));
         }
 
 	private function add_alias()
@@ -1124,11 +1086,7 @@ class Artists implements Extension {
 
             global $database;
             $database->execute("INSERT INTO artist_alias (artist_id, created, updated, alias, user_id) VALUES (?, now(), now(), ?, ?)"
-                        , array(
-                            $artistID
-                            , mysql_real_escape_string($alias)
-                            , $userID
-                        ));
+                        , array( $artistID, $alias, $userID ));
         }
 
         private function add_members()
@@ -1157,11 +1115,7 @@ class Artists implements Extension {
 
             global $database;
             $database->execute("INSERT INTO artist_members (artist_id, name, created, updated, user_id) VALUES (?, ?, now(), now(), ?)"
-                , array(
-                    $artistID
-                    , mysql_real_escape_string($member)
-                    , $userID
-                ));
+                , array( $artistID, $member, $userID ));
         }
 
         private function member_exists($artistID, $member)
@@ -1171,10 +1125,7 @@ class Artists implements Extension {
             global $database;
 
             $result = $database->get_one("SELECT COUNT(1) FROM artist_members WHERE artist_id = ? AND name = ?"
-                , array(
-                    $artistID
-                    , mysql_real_escape_string($member)
-                ));
+                , array( $artistID, $member ));
             return ($result != 0);
         }
 
@@ -1185,10 +1136,7 @@ class Artists implements Extension {
             global $database;
 
             $result = $database->get_one("SELECT COUNT(1) FROM artist_urls WHERE artist_id = ? AND url = ?"
-                , array(
-                    $artistID
-                    , mysql_real_escape_string($url)
-                ));
+                , array( $artistID, $url ));
             return ($result != 0);
         }
 
diff --git a/contrib/forum/main.php b/contrib/forum/main.php
index 7a0caed0..a2b2365e 100644
--- a/contrib/forum/main.php
+++ b/contrib/forum/main.php
@@ -197,7 +197,7 @@ class Forum extends SimpleExtension {
                 $hasErrors = true;
                 $errors .= "<div id='error'>You cannot have an empty title.</div>";
             }
-            else if (strlen(mysql_real_escape_string(html_escape($_POST["title"]))) > 255)
+            else if (strlen(html_escape($_POST["title"])) > 255)
             {
                 $hasErrors = true;
                 $errors .= "<div id='error'>Your title is too long.</div>";
@@ -318,7 +318,7 @@ class Forum extends SimpleExtension {
 
         private function save_new_thread($user)
         {
-            $title = mysql_real_escape_string(html_escape($_POST["title"]));
+            $title = html_escape($_POST["title"]);
 			$sticky = html_escape($_POST["sticky"]);
 			
 			if($sticky == ""){
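Review bot: `$title = html_escape($_POST["title"]);` now stores the HTML-encoded form in the database, so output encoding is applied at input time; the same pattern remains in the next hunk (`$message`) and in contrib/notes/main.php (`$noteText`). This is not introduced by the patch, but now that parameter binding is the only database-side protection, it would be cleaner to persist the raw text and call `html_escape()` where the value is rendered, so that length limits and later text processing operate on what the user typed. If storing escaped text is a deliberate convention in this codebase, a short comment at each of these assignments, e.g. `// stored HTML-escaped; render without re-escaping`, would prevent a future double-encode. `save_new_thread` continues past the end of this hunk.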
@@ -344,7 +344,7 @@ class Forum extends SimpleExtension {
         {
 			global $config;
             $userID = $user->id;
-            $message = mysql_real_escape_string(html_escape($_POST["message"]));
+            $message = html_escape($_POST["message"]);
 			
 			$max_characters = $config->get_int('forumMaxCharsPerPost');
 			$message = substr($message, 0, $max_characters);
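Review bot: `$message` is HTML-escaped first and then cut byte-wise by `substr($message, 0, $max_characters)`, so the cut can land inside an entity such as `&amp;` or inside a multibyte UTF-8 sequence, and `forumMaxCharsPerPost` ends up counting entity bytes rather than the characters the user typed — a post with many `&` or `<` loses far more text than the configured limit suggests. Truncate before escaping, on characters rather than bytes: `$message = html_escape(mb_substr($_POST["message"], 0, $max_characters));` (or `substr` if mbstring is not available to this extension). The enclosing method continues beyond this hunk.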
diff --git a/contrib/notes/main.php b/contrib/notes/main.php
index 4c9dd8c8..ea82ea6c 100644
--- a/contrib/notes/main.php
+++ b/contrib/notes/main.php
@@ -264,7 +264,7 @@ class Notes extends SimpleExtension {
 		$noteY1     = int_escape($_POST["note_y1"]);
 		$noteHeight = int_escape($_POST["note_height"]);
 		$noteWidth  = int_escape($_POST["note_width"]);
-		$noteText   = mysql_real_escape_string(html_escape($_POST["note_text"]));
+		$noteText   = html_escape($_POST["note_text"]);
 
 		$database->execute("
 				INSERT INTO notes