Removing unnecessary and incorrect mysql_real_escape_string() calls.

green-ponies (jgen) 2012-01-16 17:30:06 -05:00
parent 9a4ea2bc77
commit 211e191b50
3 changed files with 25 additions and 77 deletions


@ -130,10 +130,7 @@ class Artists implements Extension {
} }
$database->execute("UPDATE images SET author = ? WHERE id = ?" $database->execute("UPDATE images SET author = ? WHERE id = ?"
, array( , array($artistName, $event->image->id));
mysql_real_escape_string($artistName)
, $event->image->id
));
} }
public function handle_commands($event) public function handle_commands($event)
{ {
@ -434,7 +431,7 @@ class Artists implements Extension {
{ {
global $database; global $database;
$result = $database->get_one("SELECT COUNT(1) FROM artist_urls WHERE url = ?", array(mysql_real_escape_string($url))); $result = $database->get_one("SELECT COUNT(1) FROM artist_urls WHERE url = ?", array($url));
return ($result != 0); return ($result != 0);
} }
@ -442,7 +439,7 @@ class Artists implements Extension {
{ {
global $database; global $database;
$result = $database->get_one("SELECT COUNT(1) FROM artist_members WHERE name = ?", array(mysql_real_escape_string($member))); $result = $database->get_one("SELECT COUNT(1) FROM artist_members WHERE name = ?", array($member));
return ($result != 0); return ($result != 0);
} }
@ -450,7 +447,7 @@ class Artists implements Extension {
{ {
global $database; global $database;
$result = $database->get_one("SELECT COUNT(1) FROM artist_alias WHERE alias = ?", array(mysql_real_escape_string($alias))); $result = $database->get_one("SELECT COUNT(1) FROM artist_alias WHERE alias = ?", array($alias));
return ($result != 0); return ($result != 0);
} }
@ -460,23 +457,21 @@ class Artists implements Extension {
global $database; global $database;
$result = $database->get_one("SELECT COUNT(1) FROM artist_alias WHERE artist_id = ? AND alias = ?", array( $result = $database->get_one("SELECT COUNT(1) FROM artist_alias WHERE artist_id = ? AND alias = ?", array(
$artistID $artistID, $alias));
, mysql_real_escape_string($alias)
));
return ($result != 0); return ($result != 0);
} }
private function get_artistID_by_url($url) private function get_artistID_by_url($url)
{ {
global $database; global $database;
$result = $database->get_row("SELECT artist_id FROM artist_urls WHERE url = ?", array(mysql_real_escape_string($url))); $result = $database->get_row("SELECT artist_id FROM artist_urls WHERE url = ?", array($url));
return $result['artist_id']; return $result['artist_id'];
} }
private function get_artistID_by_memberName($member) private function get_artistID_by_memberName($member)
{ {
global $database; global $database;
$result = $database->get_row("SELECT artist_id FROM artist_members WHERE name = ?", array(mysql_real_escape_string($member))); $result = $database->get_row("SELECT artist_id FROM artist_members WHERE name = ?", array($member));
return $result['artist_id']; return $result['artist_id'];
} }
private function get_artistName_by_artistID($artistID) private function get_artistName_by_artistID($artistID)
@ -622,12 +617,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("UPDATE artists SET name = ?, notes = ?, updated = now(), user_id = ? WHERE id = ? " $database->execute("UPDATE artists SET name = ?, notes = ?, updated = now(), user_id = ? WHERE id = ? "
, array( , array( $name, $notes, $userID, $artistID ));
mysql_real_escape_string($name)
, mysql_real_escape_string($notes)
, $userID
, $artistID
));
// ALIAS MATCHING SECTION // ALIAS MATCHING SECTION
$i = 0; $i = 0;
@ -718,11 +708,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("UPDATE artist_alias SET alias = ?, updated = now(), user_id = ? WHERE id = ? " $database->execute("UPDATE artist_alias SET alias = ?, updated = now(), user_id = ? WHERE id = ? "
, array( , array( $alias, $userID, $aliasID ));
mysql_real_escape_string($alias)
, $userID
, $aliasID
));
} }
private function update_url() private function update_url()
@ -747,11 +733,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("UPDATE artist_urls SET url = ?, updated = now(), user_id = ? WHERE id = ?" $database->execute("UPDATE artist_urls SET url = ?, updated = now(), user_id = ? WHERE id = ?"
, array( , array( $url, $userID, $urlID ));
mysql_real_escape_string($url)
, $userID
, $urlID
));
} }
private function update_member() private function update_member()
@ -777,11 +759,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("UPDATE artist_members SET name = ?, updated = now(), user_id = ? WHERE id = ?" $database->execute("UPDATE artist_members SET name = ?, updated = now(), user_id = ? WHERE id = ?"
, array( , array( $memberName, $userID, $memberID ));
mysql_real_escape_string($memberName)
, $userID
, $memberID
));
} }
/* /*
@ -853,11 +831,7 @@ class Artists implements Extension {
(user_id, name, notes, created, updated) (user_id, name, notes, created, updated)
VALUES VALUES
(?, ?, ?, now(), now())", (?, ?, ?, now(), now())",
array( array( $user->id, $name, $notes ));
$user->id
, mysql_real_escape_string($name)
, mysql_real_escape_string($notes)
));
$result = $database->get_row("SELECT LAST_INSERT_ID() AS artistID", array()); $result = $database->get_row("SELECT LAST_INSERT_ID() AS artistID", array());
@ -871,9 +845,7 @@ class Artists implements Extension {
global $database; global $database;
$result = $database->get_one("SELECT COUNT(1) FROM artists WHERE name = ?" $result = $database->get_one("SELECT COUNT(1) FROM artists WHERE name = ?"
, array( , array($name));
mysql_real_escape_string($name)
));
return ($result != 0); return ($result != 0);
} }
@ -937,9 +909,7 @@ class Artists implements Extension {
private function get_artist_id($name){ private function get_artist_id($name){
global $database; global $database;
$artistID = $database->get_row("SELECT id FROM artists WHERE name = ?" $artistID = $database->get_row("SELECT id FROM artists WHERE name = ?"
, array( , array( $name ));
mysql_real_escape_string($name)
));
return $artistID['id']; return $artistID['id'];
} }
@ -948,9 +918,7 @@ class Artists implements Extension {
global $database; global $database;
$artistID = $database->get_row("SELECT artist_id FROM artist_alias WHERE alias = ?" $artistID = $database->get_row("SELECT artist_id FROM artist_alias WHERE alias = ?"
, array( , array( $alias ));
mysql_real_escape_string($alias)
));
return $artistID["artist_id"]; return $artistID["artist_id"];
} }
@ -964,9 +932,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("DELETE FROM artists WHERE id = ? " $database->execute("DELETE FROM artists WHERE id = ? "
, array( , array( $artistID ));
$artistID
));
} }
@ -1090,11 +1056,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("INSERT INTO artist_urls (artist_id, created, updated, url, user_id) VALUES (?, now(), now(), ?, ?)" $database->execute("INSERT INTO artist_urls (artist_id, created, updated, url, user_id) VALUES (?, now(), now(), ?, ?)"
, array( , array( $artistID, $url, $userID ));
$artistID
, mysql_real_escape_string($url)
, $userID
));
} }
private function add_alias() private function add_alias()
@ -1124,11 +1086,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("INSERT INTO artist_alias (artist_id, created, updated, alias, user_id) VALUES (?, now(), now(), ?, ?)" $database->execute("INSERT INTO artist_alias (artist_id, created, updated, alias, user_id) VALUES (?, now(), now(), ?, ?)"
, array( , array( $artistID, $alias, $userID ));
$artistID
, mysql_real_escape_string($alias)
, $userID
));
} }
private function add_members() private function add_members()
@ -1157,11 +1115,7 @@ class Artists implements Extension {
global $database; global $database;
$database->execute("INSERT INTO artist_members (artist_id, name, created, updated, user_id) VALUES (?, ?, now(), now(), ?)" $database->execute("INSERT INTO artist_members (artist_id, name, created, updated, user_id) VALUES (?, ?, now(), now(), ?)"
, array( , array( $artistID, $member, $userID ));
$artistID
, mysql_real_escape_string($member)
, $userID
));
} }
private function member_exists($artistID, $member) private function member_exists($artistID, $member)
@ -1171,10 +1125,7 @@ class Artists implements Extension {
global $database; global $database;
$result = $database->get_one("SELECT COUNT(1) FROM artist_members WHERE artist_id = ? AND name = ?" $result = $database->get_one("SELECT COUNT(1) FROM artist_members WHERE artist_id = ? AND name = ?"
, array( , array( $artistID, $member ));
$artistID
, mysql_real_escape_string($member)
));
return ($result != 0); return ($result != 0);
} }
@ -1185,10 +1136,7 @@ class Artists implements Extension {
global $database; global $database;
$result = $database->get_one("SELECT COUNT(1) FROM artist_urls WHERE artist_id = ? AND url = ?" $result = $database->get_one("SELECT COUNT(1) FROM artist_urls WHERE artist_id = ? AND url = ?"
, array( , array( $artistID, $url ));
$artistID
, mysql_real_escape_string($url)
));
return ($result != 0); return ($result != 0);
} }
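Review bot: Dropping the pre-escaping is correct, because values handed to `$database->execute()`/`get_one()`/`get_row()` through `?` placeholders are bound by the database layer, and running mysql_real_escape_string() on a bound value does not protect the query, it just stores literal backslashes in the row; but none of the new code records that invariant, so the calls are likely to creep back in. I would add one comment above the first query in this section, e.g. `// Values are bound via ? placeholders by $database; never pre-escape them (that corrupts stored data, it does not prevent injection).` Separately, get_artistID_by_url and get_artistID_by_memberName index `$result['artist_id']` without checking that get_row returned a row; if it yields false/null on no match this emits a notice and silently returns null, so a guard such as `return $result ? $result['artist_id'] : null;` is worth adding if callers tolerate null. Several of the methods in this section begin or end outside the shown hunks.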


@ -197,7 +197,7 @@ class Forum extends SimpleExtension {
$hasErrors = true; $hasErrors = true;
$errors .= "<div id='error'>You cannot have an empty title.</div>"; $errors .= "<div id='error'>You cannot have an empty title.</div>";
} }
else if (strlen(mysql_real_escape_string(html_escape($_POST["title"]))) > 255) else if (strlen(html_escape($_POST["title"])) > 255)
{ {
$hasErrors = true; $hasErrors = true;
$errors .= "<div id='error'>Your title is too long.</div>"; $errors .= "<div id='error'>Your title is too long.</div>";
@ -318,7 +318,7 @@ class Forum extends SimpleExtension {
private function save_new_thread($user) private function save_new_thread($user)
{ {
$title = mysql_real_escape_string(html_escape($_POST["title"])); $title = html_escape($_POST["title"]);
$sticky = html_escape($_POST["sticky"]); $sticky = html_escape($_POST["sticky"]);
if($sticky == ""){ if($sticky == ""){
@ -344,7 +344,7 @@ class Forum extends SimpleExtension {
{ {
global $config; global $config;
$userID = $user->id; $userID = $user->id;
$message = mysql_real_escape_string(html_escape($_POST["message"])); $message = html_escape($_POST["message"]);
$max_characters = $config->get_int('forumMaxCharsPerPost'); $max_characters = $config->get_int('forumMaxCharsPerPost');
$message = substr($message, 0, $max_characters); $message = substr($message, 0, $max_characters);
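Review bot: In the last hunk the message is HTML-escaped first and then truncated with `substr`, so a cut that lands inside an entity produced by html_escape (`&amp;`, `&quot;`, `&lt;`) leaves a dangling `&am` in the stored text, and because substr is byte-wise it can also split a multibyte UTF-8 character. Truncate the raw input and escape afterwards, e.g. `$message = html_escape(mb_substr($_POST["message"], 0, $max_characters));`, which also makes the limit count characters the user typed rather than escaped bytes. The same mismatch affects the title check in the first hunk, where `strlen(html_escape(...)) > 255` rejects titles whose raw length is fine once `&` or `<` inflate it. More broadly, escaping for HTML at input time bakes one output context into the database; the usual fix is to store the raw text and escape at render time, but that is a wider change than this commit. The function containing the last hunk starts outside the shown lines.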


@ -264,7 +264,7 @@ class Notes extends SimpleExtension {
$noteY1 = int_escape($_POST["note_y1"]); $noteY1 = int_escape($_POST["note_y1"]);
$noteHeight = int_escape($_POST["note_height"]); $noteHeight = int_escape($_POST["note_height"]);
$noteWidth = int_escape($_POST["note_width"]); $noteWidth = int_escape($_POST["note_width"]);
$noteText = mysql_real_escape_string(html_escape($_POST["note_text"])); $noteText = html_escape($_POST["note_text"]);
$database->execute(" $database->execute("
INSERT INTO notes INSERT INTO notes