More prepared queries, friends feature, etc.

classes/wiki.class.php

@@ -22,7 +22,7 @@ class Wiki
         $Aliases = G::$Cache->get_value('wiki_aliases');
         if (!$Aliases) {
             $QueryID = G::$DB->get_query_id();
-            G::$DB->query("
+            G::$DB->prepared_query("
             SELECT Alias, ArticleID
             FROM wiki_aliases");
             $Aliases = G::$DB->to_pair('Alias', 'ArticleID');
@@ -67,7 +67,7 @@ class Wiki
         $Contents = G::$Cache->get_value('wiki_article_'.$ArticleID);
         if (!$Contents) {
             $QueryID = G::$DB->get_query_id();
-            G::$DB->query("
+            G::$DB->prepared_query("
             SELECT
               w.Revision,
               w.Title,

sections/forums/take_warn.php

@@ -35,7 +35,7 @@ if ($WarningLength !== 'verbal') {
   Tools::update_user_notes($UserID, $AdminComment);
 }
 
-$DB->query("
+$DB->prepared_query("
   INSERT INTO users_warnings_forums
     (UserID, Comment)
   VALUES
@@ -45,7 +45,7 @@ $DB->query("
 Misc::send_pm($UserID, $LoggedUser['ID'], $Subject, $PrivateMessage);
 
 //edit the post
-$DB->query("
+$DB->prepared_query("
   SELECT
     p.Body,
     p.AuthorID,
@@ -66,7 +66,7 @@ $DB->query("
 list($OldBody, $AuthorID, $TopicID, $ForumID, $Page) = $DB->next_record();
 
 // Perform the update
-$DB->query("
+$DB->prepared_query("
   UPDATE forums_posts
   SET Body = '" . db_string($Body) . "',
     EditedUserID = '$UserID',
@@ -101,7 +101,7 @@ if ($ThreadInfo['StickyPostID'] == $PostID) {
   $Cache->cache_value("thread_$TopicID" . '_info', $ThreadInfo, 0);
 }
 
-$DB->query("
+$DB->prepared_query("
   INSERT INTO comments_edits
     (Page, PostID, EditUser, EditTime, Body)
   VALUES

sections/forums/thread.php

@@ -22,7 +22,7 @@ if (!isset($_GET['threadid']) || !is_number($_GET['threadid'])) {
     if (isset($_GET['topicid']) && is_number($_GET['topicid'])) {
         $ThreadID = $_GET['topicid'];
     } elseif (isset($_GET['postid']) && is_number($_GET['postid'])) {
-        $DB->query("
+        $DB->prepared_query("
       SELECT TopicID
       FROM forums_posts
       WHERE ID = $_GET[postid]");
@@ -78,7 +78,7 @@ if ($ThreadInfo['Posts'] > $PerPage) {
         if ($ThreadInfo['StickyPostID'] < $_GET['postid']) {
             $SQL .= " AND ID != $ThreadInfo[StickyPostID]";
         }
-        $DB->query($SQL);
+        $DB->prepared_query($SQL);
         list($PostNum) = $DB->next_record();
     } else {
         $PostNum = 1;
@@ -94,7 +94,7 @@ list($CatalogueID, $CatalogueLimit) = Format::catalogue_limit($Page, $PerPage, T
 
 // Cache catalogue from which the page is selected, allows block caches and future ability to specify posts per page
 if (!$Catalogue = $Cache->get_value("thread_{$ThreadID}_catalogue_$CatalogueID")) {
-    $DB->query("
+    $DB->prepared_query("
     SELECT
       p.ID,
       p.AuthorID,
@@ -127,14 +127,14 @@ if ($ThreadInfo['Posts'] <= $PerPage*$Page && $ThreadInfo['StickyPostID'] > $Las
 //Why would we skip this on locked or stickied threads?
 //if (!$ThreadInfo['IsLocked'] || $ThreadInfo['IsSticky']) {
 
-  $DB->query("
+  $DB->prepared_query("
     SELECT PostID
     FROM forums_last_read_topics
     WHERE UserID = '$LoggedUser[ID]'
       AND TopicID = '$ThreadID'");
   list($LastRead) = $DB->next_record();
   if ($LastRead < $LastPost) {
-      $DB->query("
+      $DB->prepared_query("
       INSERT INTO forums_last_read_topics
         (UserID, TopicID, PostID)
       VALUES
@@ -158,7 +158,7 @@ if (in_array($ThreadID, $UserSubscriptions)) {
 
 $QuoteNotificationsCount = $Cache->get_value('notify_quoted_' . $LoggedUser['ID']);
 if ($QuoteNotificationsCount === false || $QuoteNotificationsCount > 0) {
-    $DB->query("
+    $DB->prepared_query("
     UPDATE users_notify_quoted
     SET UnRead = false
     WHERE UserID = '$LoggedUser[ID]'
@@ -243,13 +243,13 @@ echo $Pages;
 
 if ($ThreadInfo['NoPoll'] == 0) {
     if (!list($Question, $Answers, $Votes, $Featured, $Closed) = $Cache->get_value("polls_$ThreadID")) {
-        $DB->query("
+        $DB->prepared_query("
       SELECT Question, Answers, Featured, Closed
       FROM forums_polls
       WHERE TopicID = '$ThreadID'");
         list($Question, $Answers, $Featured, $Closed) = $DB->next_record(MYSQLI_NUM, array(1));
         $Answers = unserialize($Answers);
-        $DB->query("
+        $DB->prepared_query("
       SELECT Vote, COUNT(UserID)
       FROM forums_polls_votes
       WHERE TopicID = '$ThreadID'
@@ -281,7 +281,7 @@ if ($ThreadInfo['NoPoll'] == 0) {
     #$RevealVoters = in_array($ForumID, FORUMS_TO_REVEAL_VOTERS);
 
     // Polls lose the you voted arrow thingy
-    $DB->query("
+    $DB->prepared_query("
     SELECT Vote
     FROM forums_polls_votes
     WHERE UserID = '".$LoggedUser['ID']."'
@@ -349,7 +349,7 @@ if ($ThreadInfo['NoPoll'] == 0) {
             $StaffNames[] = $Staffer['Username'];
         }
 
-        $DB->query("
+        $DB->prepared_query("
         SELECT
           fpv.Vote AS Vote,
           GROUP_CONCAT(um.Username SEPARATOR ', ')
@@ -636,7 +636,7 @@ if (!$ThreadInfo['IsLocked'] || check_perms('site_moderate_forums')) {
   }
 
 if (check_perms('site_moderate_forums')) {
-    G::$DB->query("
+    G::$DB->prepared_query("
       SELECT ID, AuthorID, AddedTime, Body
       FROM forums_topic_notes
       WHERE TopicID = $ThreadID

sections/forums/warn.php

@@ -11,14 +11,14 @@ $UserID = (int) $_POST['userid'];
 $Key = (int) $_POST['key'];
 $UserInfo = Users::user_info($UserID);
 
-$DB->query("
+$DB->prepared_query("
   SELECT p.Body, t.ForumID
   FROM forums_posts AS p
     JOIN forums_topics AS t ON p.TopicID = t.ID
   WHERE p.ID = '$PostID'");
 list($PostBody, $ForumID) = $DB -> next_record();
 
-View::show_header('Warn User');
+View::show_header('Warn');
 ?>
 
 <div>
@@ -75,7 +75,7 @@ View::show_header('Warn User');
             <textarea id="body" style="width: 95%;" tabindex="1" onkeyup="resize('body');" name="body" cols="90"
               rows="8"><?=$PostBody?></textarea>
             <br />
-            <input type="submit" id="submit_button" value="Warn user" tabindex="1" />
+            <input type="submit" id="submit_button" class="button-primary" value="Warn user" tabindex="1" />
           </td>
         </tr>
       </table>

sections/friends/add.php

@@ -1,23 +1,27 @@
 <?php
+declare(strict_types = 1);
+
 authorize();
-if (!is_number($_GET['friendid'])) {
-  error(404);
-}
-$FriendID = db_string($_GET['friendid']);
+
+$FriendID = (int) $_GET['friendid'];
+Security::checkInt($FriendID);
 
 // Check if the user $FriendID exists
-$DB->query("
-  SELECT 1
-  FROM users_main
-  WHERE ID = '$FriendID'");
+$DB->prepared_query("
+SELECT 1
+FROM `users_main`
+WHERE `ID` = '$FriendID'
+");
+
 if (!$DB->has_results()) {
-  error(404);
+    error(404);
 }
 
-$DB->query("
-  INSERT IGNORE INTO friends
-    (UserID, FriendID)
+$DB->prepared_query("
+  INSERT IGNORE INTO `friends`
+    (`UserID`, `FriendID`)
   VALUES
-    ('$LoggedUser[ID]', '$FriendID')");
+    ('$LoggedUser[ID]', '$FriendID')
+");
 
 header('Location: friends.php');

sections/friends/comment.php

@@ -1,9 +1,11 @@
-<?
-$DB->query("
-  UPDATE friends
-  SET Comment='$P[comment]'
-  WHERE UserID='$LoggedUser[ID]'
-    AND FriendID='$P[friendid]'");
+<?php
+declare(strict_types = 1);
+
+$DB->prepared_query("
+  UPDATE `friends`
+  SET `Comment`='$P[comment]'
+  WHERE `UserID`='$LoggedUser[ID]'
+    AND `FriendID`='$P[friendid]'
+");
 
 header('Location: friends.php');
-?>

sections/friends/friends.php

@@ -3,7 +3,7 @@
 
 /**
  * Main friends page
- * 
+ *
  * This page lists a user's friends.
  * There's no real point in caching this page.
  * I doubt users load it that much.
@@ -21,7 +21,7 @@ $UserID = $LoggedUser['ID'];
 list($Page, $Limit) = Format::page_limit(FRIENDS_PER_PAGE);
 
 // Main query
-$DB->query("
+$DB->prepared_query("
   SELECT
     SQL_CALC_FOUND_ROWS
     f.`FriendID`,
@@ -42,10 +42,10 @@ $DB->query("
 $Friends = $DB->to_array(false, MYSQLI_BOTH, array(6, 'Paranoia'));
 
 // Number of results (for pagination)
-$DB->query('SELECT FOUND_ROWS()');
+$DB->prepared_query('SELECT FOUND_ROWS()');
 list($Results) = $DB->next_record();
 
-// Start printing stuff ?>
+// Start printing stuff?>
 
 <div>
   <div class="header">

sections/friends/index.php

@@ -1,33 +1,35 @@
-<?
-$P = db_array($_POST);
+<?php
+declare(strict_types = 1);
+
 enforce_login();
-if (!empty($_REQUEST['friendid']) && !is_number($_REQUEST['friendid'])) {
-  error(404);
-}
+$P = db_array($_POST);
+
+$FriendID = (int) $_REQUEST['friendid'];
+Security::checkInt($FriendID);
 
 if (!empty($_REQUEST['action'])) {
-  switch ($_REQUEST['action']) {
+    switch ($_REQUEST['action']) {
     case 'add':
-      include(SERVER_ROOT.'/sections/friends/add.php');
+      require_once "$ENV->SERVER_ROOT/sections/friends/add.php";
       break;
+
     case 'Remove friend':
       authorize();
-      include(SERVER_ROOT.'/sections/friends/remove.php');
+      require_once "$ENV->SERVER_ROOT/sections/friends/remove.php";
       break;
+
     case 'Update':
       authorize();
-      include(SERVER_ROOT.'/sections/friends/comment.php');
-      break;
-    case 'whois':
-      include(SERVER_ROOT.'/sections/friends/whois.php');
+      require_once "$ENV->SERVER_ROOT/sections/friends/comment.php";
       break;
+
     case 'Contact':
-      header('Location: inbox.php?action=compose&to='.$_POST['friendid']);
+      header("Location: inbox.php?action=compose&to=$FriendID");
       break;
+      
     default:
       error(404);
   }
 } else {
-  include(SERVER_ROOT.'/sections/friends/friends.php');
+    require_once "$ENV->SERVER_ROOT/sections/friends/friends.php";
 }
-?>

sections/friends/remove.php

@@ -1,8 +1,10 @@
-<?
-$DB->query("
-  DELETE FROM friends
-  WHERE UserID='$LoggedUser[ID]'
-    AND FriendID='$P[friendid]'");
+<?php
+declare(strict_types = 1);
+
+$DB->prepared_query("
+  DELETE FROM `friends`
+  WHERE `UserID`='$LoggedUser[ID]'
+    AND `FriendID`='$P[friendid]'
+");
 
 header('Location: friends.php');
-?>

sections/inbox/compose.php

@@ -19,7 +19,7 @@ if (!empty($LoggedUser['DisablePM']) && !isset($StaffIDs[$ToID])) {
     error(403);
 }
 
-$DB->query("
+$DB->prepared_query("
   SELECT Username
   FROM users_main
   WHERE ID='$ToID'");
@@ -60,7 +60,7 @@ new TEXTAREA_PREVIEW(
       <div id="preview" class="hidden"></div>
       <div id="buttons" class="center">
         <input type="button" value="Preview" onclick="Quick_Preview();" />
-        <input type="submit" value="Send message" />
+        <input type="submit" class="button-primary" value="Send message" />
       </div>
     </div>
   </form>

sections/tools/misc/create_user.php

@@ -24,7 +24,7 @@ if (isset($_POST['Username'])) {
     $torrent_pass = Users::make_secret();
 
     //Create the account
-    $DB->query("
+    $DB->prepared_query("
       INSERT INTO users_main
         (Username, Email, PassHash, torrent_pass, Enabled, PermissionID)
       VALUES
@@ -39,7 +39,7 @@ if (isset($_POST['Username'])) {
     Tracker::update_tracker('add_user', array('id' => $UserID, 'passkey' => $torrent_pass));
 
     //Default stylesheet
-    $DB->query("
+    $DB->prepared_query("
       SELECT ID
       FROM stylesheets");
     list($StyleID) = $DB->next_record();
@@ -48,14 +48,14 @@ if (isset($_POST['Username'])) {
     $AuthKey = Users::make_secret();
 
     //Give them a row in users_info
-    $DB->query("
+    $DB->prepared_query("
       INSERT INTO users_info
         (UserID, StyleID, AuthKey, JoinDate)
       VALUES
         ('".db_string($UserID)."', '".db_string($StyleID)."', '".db_string($AuthKey)."', NOW())");
 
     // Give the notification settings
-    $DB->query("INSERT INTO users_notifications_settings (UserID) VALUES ('$UserID')");
+    $DB->prepared_query("INSERT INTO users_notifications_settings (UserID) VALUES ('$UserID')");
 
     //Redirect to users profile
     header ("Location: user.php?id=$UserID");

sections/top10/donors.php

@@ -15,7 +15,7 @@ $Limit = isset($_GET['limit']) ? intval($_GET['limit']) : 10;
 $Limit = in_array($Limit, array(10, 100, 250)) ? $Limit : 10;
 
 $IsMod = check_perms("users_mod");
-$DB->query("
+$DB->prepared_query("
 SELECT
   `UserID`,
   `TotalRank`,

sections/top10/history.php

@@ -66,7 +66,7 @@ if (!empty($_GET['date'])) {
 
     $Details = $Cache->get_value("top10_history_$SQLTime");
     if ($Details === false) {
-        $DB->query("
+        $DB->prepared_query("
         SELECT
           tht.`Rank`,
           tht.`TitleString`,

sections/top10/tags.php

@@ -28,7 +28,7 @@ $Limit = in_array($Limit, [10,100,250]) ? $Limit : 10;
 
 if ($Details == 'all' || $Details == 'ut') {
     if (!$TopUsedTags = $Cache->get_value('topusedtag_'.$Limit)) {
-        $DB->query("
+        $DB->prepared_query("
         SELECT
           t.ID,
           t.Name,
@@ -47,7 +47,7 @@ if ($Details == 'all' || $Details == 'ut') {
 
 if ($Details == 'all' || $Details == 'ur') {
     if (!$TopRequestTags = $Cache->get_value('toprequesttag_'.$Limit)) {
-        $DB->query("
+        $DB->prepared_query("
         SELECT
           t.ID,
           t.Name,

sections/top10/torrents.php

@@ -208,7 +208,7 @@ if ($Details === 'all' || $Details === 'day') {
               ORDER BY (t.Seeders + t.Leechers) DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsActiveLastDay = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_day_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsActiveLastDay, 3600 * 2);
             $Cache->clear_query_lock('top10');
@@ -235,7 +235,7 @@ if ($Details === 'all' || $Details === 'week') {
               ORDER BY (t.Seeders + t.Leechers) DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsActiveLastWeek = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_week_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsActiveLastWeek, 3600 * 6);
             $Cache->clear_query_lock('top10');
@@ -262,7 +262,7 @@ if ($Details === 'all' || $Details === 'month') {
               ORDER BY (t.Seeders + t.Leechers) DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsActiveLastMonth = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_month_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsActiveLastMonth, 3600 * 6);
             $Cache->clear_query_lock('top10');
@@ -294,7 +294,7 @@ if ($Details === 'all' || $Details === 'year') {
               ORDER BY (t.Seeders + t.Leechers) DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsActiveLastYear = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_year_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsActiveLastYear, 3600 * 6);
             $Cache->clear_query_lock('top10');
@@ -325,7 +325,7 @@ if ($Details === 'all' || $Details === 'overall') {
               ORDER BY (t.Seeders + t.Leechers) DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsActiveAllTime = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_overall_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsActiveAllTime, 3600 * 6);
             $Cache->clear_query_lock('top10');
@@ -351,7 +351,7 @@ if (($Details === 'all' || $Details === 'snatched') && !$Filtered) {
               ORDER BY t.Snatched DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsSnatched = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_snatched_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsSnatched, 3600 * 6);
             $Cache->clear_query_lock('top10');
@@ -380,7 +380,7 @@ if (($Details === 'all' || $Details === 'data') && !$Filtered) {
               ORDER BY Data DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsTransferred = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_data_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsTransferred, 3600 * 6);
             $Cache->clear_query_lock('top10');
@@ -405,7 +405,7 @@ if (($Details === 'all' || $Details === 'seeded') && !$Filtered) {
               ORDER BY t.Seeders DESC
               LIMIT $Limit;";
 
-            $DB->query($Query);
+            $DB->prepared_query($Query);
             $TopTorrentsSeeded = $DB->to_array(false, MYSQLI_NUM);
             $Cache->cache_value('top10tor_seeded_'.$Limit.$WhereSum.$GroupBySum, $TopTorrentsSeeded, 3600 * 6);
             $Cache->clear_query_lock('top10');

sections/top10/users.php

@@ -48,7 +48,7 @@ $BaseQuery = "
 
   if ($Details == 'all' || $Details == 'ul') {
       if (!$TopUserUploads = $Cache->get_value('topuser_ul_'.$Limit)) {
-          $DB->query("$BaseQuery ORDER BY u.Uploaded DESC LIMIT $Limit;");
+          $DB->prepared_query("$BaseQuery ORDER BY u.Uploaded DESC LIMIT $Limit;");
           $TopUserUploads = $DB->to_array();
           $Cache->cache_value('topuser_ul_'.$Limit, $TopUserUploads, 3600 * 12);
       }
@@ -57,7 +57,7 @@ $BaseQuery = "
 
   if ($Details == 'all' || $Details == 'dl') {
       if (!$TopUserDownloads = $Cache->get_value('topuser_dl_'.$Limit)) {
-          $DB->query("$BaseQuery ORDER BY u.Downloaded DESC LIMIT $Limit;");
+          $DB->prepared_query("$BaseQuery ORDER BY u.Downloaded DESC LIMIT $Limit;");
           $TopUserDownloads = $DB->to_array();
           $Cache->cache_value('topuser_dl_'.$Limit, $TopUserDownloads, 3600 * 12);
       }
@@ -66,7 +66,7 @@ $BaseQuery = "
 
   if ($Details == 'all' || $Details == 'numul') {
       if (!$TopUserNumUploads = $Cache->get_value('topuser_numul_'.$Limit)) {
-          $DB->query("$BaseQuery ORDER BY NumUploads DESC LIMIT $Limit;");
+          $DB->prepared_query("$BaseQuery ORDER BY NumUploads DESC LIMIT $Limit;");
           $TopUserNumUploads = $DB->to_array();
           $Cache->cache_value('topuser_numul_'.$Limit, $TopUserNumUploads, 3600 * 12);
       }
@@ -75,7 +75,7 @@ $BaseQuery = "
 
   if ($Details == 'all' || $Details == 'uls') {
       if (!$TopUserUploadSpeed = $Cache->get_value('topuser_ulspeed_'.$Limit)) {
-          $DB->query("$BaseQuery ORDER BY UpSpeed DESC LIMIT $Limit;");
+          $DB->prepared_query("$BaseQuery ORDER BY UpSpeed DESC LIMIT $Limit;");
           $TopUserUploadSpeed = $DB->to_array();
           $Cache->cache_value('topuser_ulspeed_'.$Limit, $TopUserUploadSpeed, 3600 * 12);
       }
@@ -84,7 +84,7 @@ $BaseQuery = "
 
   if ($Details == 'all' || $Details == 'dls') {
       if (!$TopUserDownloadSpeed = $Cache->get_value('topuser_dlspeed_'.$Limit)) {
-          $DB->query("$BaseQuery ORDER BY DownSpeed DESC LIMIT $Limit;");
+          $DB->prepared_query("$BaseQuery ORDER BY DownSpeed DESC LIMIT $Limit;");
           $TopUserDownloadSpeed = $DB->to_array();
           $Cache->cache_value('topuser_dlspeed_'.$Limit, $TopUserDownloadSpeed, 3600 * 12);
       }