Use prepared queries on better, blog, and some bookmarks (add/remove artist notifications still broken)

sections/artist/notify.php

@@ -5,12 +5,12 @@ authorize();
 if (!check_perms('site_torrents_notify')) {
     error(403);
 }
-$ArtistID = $_GET['artistid'];
-if (!is_number($ArtistID)) {
-    error(0);
-}
+
+$ArtistID = (int) $_GET['artistid'];
+Security::checkInt($ArtistID);
+
 /*
-$DB->query("
+$DB->prepared_query("
   SELECT GROUP_CONCAT(Name SEPARATOR '|')
   FROM artists_alias
   WHERE ArtistID = '$ArtistID'
@@ -18,7 +18,8 @@ $DB->query("
   GROUP BY ArtistID");
 list($ArtistAliases) = $DB->next_record(MYSQLI_NUM, FALSE);
 */
-$DB->query("
+
+$DB->prepared_query("
   SELECT Name
   FROM artists_group
   WHERE ArtistID = '$ArtistID'");
@@ -26,7 +27,7 @@ list($ArtistAliases) = $DB->next_record(MYSQLI_NUM, false);
 
 $Notify = $Cache->get_value('notify_artists_'.$LoggedUser['ID']);
 if (empty($Notify)) {
-    $DB->query("
+    $DB->prepared_query("
     SELECT ID, Artists
     FROM users_notify_filters
     WHERE Label = 'Artist notifications'
@@ -34,13 +35,14 @@ if (empty($Notify)) {
     ORDER BY ID
     LIMIT 1");
 } else {
-    $DB->query("
+    $DB->prepared_query("
     SELECT ID, Artists
     FROM users_notify_filters
     WHERE ID = '$Notify[ID]'");
 }
+
 if (empty($Notify) && !$DB->has_results()) {
-    $DB->query("
+    $DB->prepared_query("
     INSERT INTO users_notify_filters
       (UserID, Label, Artists)
     VALUES
@@ -52,7 +54,7 @@ if (empty($Notify) && !$DB->has_results()) {
     list($ID, $ArtistNames) = $DB->next_record(MYSQLI_NUM, false);
     if (stripos($ArtistNames, "|$ArtistAliases|") === false) {
         $ArtistNames .= "$ArtistAliases|";
-        $DB->query("
+        $DB->prepared_query("
       UPDATE users_notify_filters
       SET Artists = '".db_string($ArtistNames)."'
       WHERE ID = '$ID'");

sections/artist/notifyremove.php

@@ -1,15 +1,16 @@
-<?
+<?php
+#declare(strict_types=1);
+
 authorize();
 if (!check_perms('site_torrents_notify')) {
-  error(403);
-}
-$ArtistID = $_GET['artistid'];
-if (!is_number($ArtistID)) {
-  error(0);
+    error(403);
 }
 
+$ArtistID = (int) $_GET['artistid'];
+Security::checkInt($ArtistID);
+
 if (($Notify = $Cache->get_value('notify_artists_'.$LoggedUser['ID'])) === false) {
-  $DB->query("
+    $DB->prepared_query("
     SELECT ID, Artists
     FROM users_notify_filters
     WHERE Label = 'Artist notifications'
@@ -17,33 +18,36 @@ if (($Notify = $Cache->get_value('notify_artists_'.$LoggedUser['ID'])) === false
     ORDER BY ID
     LIMIT 1");
 } else {
-  $DB->query("
+    $DB->prepared_query("
     SELECT ID, Artists
     FROM users_notify_filters
     WHERE ID = '$Notify[ID]'");
 }
 list($ID, $Artists) = $DB->next_record(MYSQLI_NUM, false);
-$DB->query("
+
+$DB->prepared_query("
   SELECT Name
   FROM artists_alias
   WHERE ArtistID = '$ArtistID'
     AND Redirect = 0");
+
 while (list($Alias) = $DB->next_record(MYSQLI_NUM, false)) {
-  while (stripos($Artists, "|$Alias|") !== false) {
-    $Artists = str_ireplace("|$Alias|", '|', $Artists);
-  }
+    while (stripos($Artists, "|$Alias|") !== false) {
+        $Artists = str_ireplace("|$Alias|", '|', $Artists);
+    }
 }
+
 if ($Artists == '|') {
-  $DB->query("
+    $DB->prepared_query("
     DELETE FROM users_notify_filters
     WHERE ID = $ID");
 } else {
-  $DB->query("
+    $DB->prepared_query("
     UPDATE users_notify_filters
     SET Artists = '".db_string($Artists)."'
     WHERE ID = '$ID'");
 }
+
 $Cache->delete_value('notify_filters_'.$LoggedUser['ID']);
 $Cache->delete_value('notify_artists_'.$LoggedUser['ID']);
 header('Location: '.$_SERVER['HTTP_REFERER']);
-?>

sections/better/covers.php

@@ -31,7 +31,7 @@ LIMIT 20
 $DB->exec_prepared_query();
 
 $Groups = $DB->to_array('id', MYSQLI_ASSOC);
-$DB->query('SELECT FOUND_ROWS()');
+$DB->prepared_query('SELECT FOUND_ROWS()');
 list($NumResults) = $DB->next_record();
 $Results = Torrents::get_groups(array_keys($Groups));
 

sections/better/folders.php

@@ -2,11 +2,11 @@
 #declare(strict_types=1);
 
 if (check_perms('admin_reports') && !empty($_GET['remove']) && is_number($_GET['remove'])) {
-    $DB->query("
+    $DB->prepared_query("
     DELETE FROM torrents_bad_folders
     WHERE TorrentID = ".$_GET['remove']);
 
-    $DB->query("
+    $DB->prepared_query("
     SELECT GroupID
     FROM torrents
     WHERE ID = ".$_GET['remove']);
@@ -24,7 +24,7 @@ if (!empty($_GET['filter']) && $_GET['filter'] == 'all') {
 }
 
 View::show_header('Torrents with bad folder names');
-$DB->query("
+$DB->prepared_query("
   SELECT tbf.TorrentID, t.GroupID
   FROM torrents_bad_folders AS tbf
     JOIN torrents AS t ON t.ID = tbf.TorrentID

sections/better/literature.php

@@ -31,7 +31,7 @@ LIMIT 20
 ");
 
 $Groups = $DB->to_array('id', MYSQLI_ASSOC);
-$DB->query('SELECT FOUND_ROWS()');
+$DB->prepared_query('SELECT FOUND_ROWS()');
 list($NumResults) = $DB->next_record();
 $Results = Torrents::get_groups(array_keys($Groups)); ?>
 

sections/better/single.php

@@ -2,7 +2,7 @@
 declare(strict_types = 1);
 
 if (($Results = $Cache->get_value('better_single_groupids')) === false) {
-    $DB->query("
+    $DB->prepared_query("
     SELECT
       t.`ID` AS `TorrentID`,
       t.`GroupID` AS `GroupID`

sections/better/tags.php

@@ -2,11 +2,11 @@
 declare(strict_types=1);
 
 if (check_perms('admin_reports') && !empty($_GET['remove']) && is_number($_GET['remove'])) {
-    $DB->query("
+    $DB->prepared_query("
     DELETE FROM torrents_bad_tags
     WHERE TorrentID = ".$_GET['remove']);
 
-    $DB->query("
+    $DB->prepared_query("
     SELECT GroupID
     FROM torrents
     WHERE ID = ".$_GET['remove']);
@@ -25,7 +25,7 @@ if (!empty($_GET['filter']) && $_GET['filter'] === 'all') {
 
 View::show_header('Torrents with bad tags');
 
-$DB->query("
+$DB->prepared_query("
   SELECT tbt.TorrentID, t.GroupID
   FROM torrents_bad_tags AS tbt
     JOIN torrents AS t ON t.ID = tbt.TorrentID

sections/blog/index.php

@@ -11,7 +11,7 @@ if (check_perms('admin_manage_blog')) {
         switch ($_REQUEST['action']) {
       case 'deadthread':
         if (is_number($_GET['id'])) {
-            $DB->query("
+            $DB->prepared_query("
             UPDATE blog
             SET ThreadID = NULL
             WHERE ID = ".$_GET['id']);
@@ -24,7 +24,7 @@ if (check_perms('admin_manage_blog')) {
       case 'takeeditblog':
         authorize();
         if (is_number($_POST['blogid']) && is_number($_POST['thread'])) {
-            $DB->query("
+            $DB->prepared_query("
             UPDATE blog
             SET
               Title = '".db_string($_POST['title'])."',
@@ -40,7 +40,7 @@ if (check_perms('admin_manage_blog')) {
       case 'editblog':
         if (is_number($_GET['id'])) {
             $BlogID = $_GET['id'];
-            $DB->query("
+            $DB->prepared_query("
             SELECT Title, Body, ThreadID
             FROM blog
             WHERE ID = $BlogID");
@@ -51,7 +51,7 @@ if (check_perms('admin_manage_blog')) {
       case 'deleteblog':
         if (is_number($_GET['id'])) {
             authorize();
-            $DB->query("
+            $DB->prepared_query("
             DELETE FROM blog
             WHERE ID = '".db_string($_GET['id'])."'");
             $Cache->delete_value('blog');
@@ -66,7 +66,7 @@ if (check_perms('admin_manage_blog')) {
         $Body = db_string($_POST['body']);
         $ThreadID = $_POST['thread'];
         if ($ThreadID && is_number($ThreadID)) {
-            $DB->query("
+            $DB->prepared_query("
             SELECT ForumID
             FROM forums_topics
             WHERE ID = $ThreadID");
@@ -81,7 +81,7 @@ if (check_perms('admin_manage_blog')) {
             }
         }
 
-        $DB->query("
+        $DB->prepared_query("
           INSERT INTO blog
             (UserID, Title, Body, Time, ThreadID, Important)
           VALUES
@@ -96,7 +96,7 @@ if (check_perms('admin_manage_blog')) {
             $Cache->delete_value('blog_latest_id');
         }
         if (isset($_POST['subscribe'])) {
-            $DB->query("
+            $DB->prepared_query("
             INSERT IGNORE INTO users_subscriptions
             VALUES ('$LoggedUser[ID]', $ThreadID)");
             $Cache->delete_value('subscriptions_user_'.$LoggedUser['ID']);
@@ -140,7 +140,7 @@ if (check_perms('admin_manage_blog')) {
       <label for="subscribebox">Subscribe</label>
 
       <div class="center">
-        <input type="submit"
+        <input type="submit" class="button-primary"
           value="<?=!isset($_GET['action']) ? 'Create blog post' : 'Edit blog post'; ?>" />
       </div>
     </div>
@@ -153,7 +153,7 @@ if (check_perms('admin_manage_blog')) {
 <div>
   <?php
 if (!$Blog = $Cache->get_value('blog')) {
-    $DB->query("
+    $DB->prepared_query("
     SELECT
       b.ID,
       um.Username,
@@ -174,7 +174,7 @@ if ($LoggedUser['LastReadBlog'] < $Blog[0][0]) {
     $Cache->begin_transaction('user_info_heavy_'.$LoggedUser['ID']);
     $Cache->update_row(false, array('LastReadBlog' => $Blog[0][0]));
     $Cache->commit_transaction(0);
-    $DB->query("
+    $DB->prepared_query("
     UPDATE users_info
     SET LastReadBlog = '".$Blog[0][0]."'
     WHERE UserID = ".$LoggedUser['ID']);

sections/bookmarks/add.php

@@ -18,7 +18,7 @@ if (!is_number($_GET['id'])) {
 }
 
 $PageID = $_GET['id'];
-$DB->query("
+$DB->prepared_query("
 SELECT
   `UserID`
 FROM
@@ -29,7 +29,7 @@ WHERE
 
 if (!$DB->has_results()) {
     if ($Type === 'torrent') {
-        $DB->query("
+        $DB->prepared_query("
         SELECT
           MAX(`Sort`)
         FROM
@@ -44,7 +44,7 @@ if (!$DB->has_results()) {
         }
 
         $Sort += 1;
-        $DB->query("
+        $DB->prepared_query("
         INSERT IGNORE
         INTO $Table(`UserID`, $Col, `Time`, `Sort`)
         VALUES(
@@ -55,7 +55,7 @@ if (!$DB->has_results()) {
         )
         ");
     } else {
-        $DB->query("
+        $DB->prepared_query("
         INSERT IGNORE
         INTO $Table(`UserID`, $Col, `Time`)
         VALUES(
@@ -69,7 +69,7 @@ if (!$DB->has_results()) {
     $Cache->delete_value('bookmarks_'.$Type.'_'.$LoggedUser['ID']);
     if ($Type === 'torrent') {
         $Cache->delete_value("bookmarks_group_ids_$UserID");
-        $DB->query("
+        $DB->prepared_query("
         SELECT
           `title`,
           `year`,
@@ -115,7 +115,7 @@ if (!$DB->has_results()) {
             $Feed->populate('torrents_bookmarks_t_'.$LoggedUser['torrent_pass'], $Item);
         }
     } elseif ($Type === 'request') {
-        $DB->query("
+        $DB->prepared_query("
         SELECT
           `UserID`
         FROM

sections/bookmarks/artists.php

@@ -13,7 +13,7 @@ if (!empty($_GET['userid'])) {
         error(404);
     }
 
-    $DB->query("
+    $DB->prepared_query("
       SELECT Username
       FROM users_main
       WHERE ID = '$UserID'");
@@ -25,7 +25,7 @@ if (!empty($_GET['userid'])) {
 $Sneaky = $UserID !== $LoggedUser['ID'];
 //$ArtistList = Bookmarks::all_bookmarks('artist', $UserID);
 
-$DB->query("
+$DB->prepared_query("
   SELECT ag.ArtistID, ag.Name
   FROM bookmarks_artists AS ba
     INNER JOIN artists_group AS ag ON ba.ArtistID = ag.ArtistID
@@ -81,7 +81,7 @@ foreach ($ArtistList as $Artist) {
         <?php
   if (check_perms('site_torrents_notify')) {
       if (($Notify = $Cache->get_value('notify_artists_'.$LoggedUser['ID'])) === false) {
-          $DB->query("
+          $DB->prepared_query("
             SELECT ID, Artists
             FROM users_notify_filters
             WHERE UserID = '$LoggedUser[ID]'