More incremental improvements

classes/torrents.class.php

@@ -86,13 +86,13 @@ class Torrents
             $NotFound = [];
             $QueryID = G::$DB->get_query_id();
 
-            G::$DB->query("
+            G::$DB->prepare_query("
             SELECT
               `id`,
               `title`,
               `subject`,
               `object`,
-              `published`,
+              `year`,
               `identifier`,
               `workgroup`,
               `location`,
@@ -104,6 +104,7 @@ class Torrents
             WHERE
               `id` IN($IDs)
             ");
+            G::$DB->exec_prepared_query();
 
             while ($Group = G::$DB->next_record(MYSQLI_ASSOC, true)) {
                 $NotFound[$Group['id']] = $Group;
@@ -421,7 +422,7 @@ class Torrents
 
         Misc::write_log("Group $GroupID automatically deleted (No torrents have this group).");
 
-        G::$DB->query("
+        G::$DB->prepare_query("
         SELECT
           `category_id`
         FROM
@@ -429,9 +430,11 @@ class Torrents
         WHERE
           `id` = '$GroupID'
         ");
+        G::$DB->exec_prepared_query();
         list($Category) = G::$DB->next_record();
 
-        if ($Category == 1) {
+        # todo: Check strict equality here
+        if ($Category === 1) {
             G::$Cache->decrement('stats_album_count');
         }
         G::$Cache->decrement('stats_group_count');
@@ -514,25 +517,41 @@ class Torrents
         // Comments
         Comments::delete_page('torrents', $GroupID);
 
-        G::$DB->query("
+        G::$DB->prepare_query("
         DELETE
         FROM
           `torrents_group`
         WHERE
           `id` = '$GroupID'
         ");
+        G::$DB->exec_prepared_query();
 
-        G::$DB->query("
-        DELETE FROM torrents_tags
-          WHERE GroupID = ?", $GroupID);
+        G::$DB->prepare_query("
+        DELETE
+        FROM
+          `torrents_tags`
+        WHERE
+          `GroupID` = '$GroupID'
+        ");
+        G::$DB->exec_prepared_query();
 
-        G::$DB->query("
-        DELETE FROM bookmarks_torrents
-          WHERE GroupID = ?", $GroupID);
+        G::$DB->prepare_query("
+        DELETE
+        FROM
+          `bookmarks_torrents`
+        WHERE
+          `GroupID` = '$GroupID'
+        ");
+        G::$DB->exec_prepared_query();
 
-        G::$DB->query("
-        DELETE FROM wiki_torrents
-          WHERE PageID = ?", $GroupID);
+        G::$DB->prepare_query("
+        DELETE
+        FROM
+          `wiki_torrents`
+        WHERE
+          `PageID` = '$GroupID'
+        ");
+        G::$DB->exec_prepared_query();
 
         G::$Cache->delete_value("torrents_details_$GroupID");
         G::$Cache->delete_value("torrent_group_$GroupID");
@@ -549,7 +568,7 @@ class Torrents
     {
         $QueryID = G::$DB->get_query_id();
 
-        G::$DB->query("
+        G::$DB->prepare_query("
         UPDATE
           `torrents_group`
         SET
@@ -572,15 +591,18 @@ class Torrents
         WHERE
           `ID` = '$GroupID'
         ");
+        G::$DB->exec_prepared_query();
 
         // Fetch album artists
-        G::$DB->query("
+        G::$DB->prepare_query("
         SELECT GROUP_CONCAT(ag.`Name` separator ' ')
         FROM `torrents_artists` AS `ta`
           JOIN `artists_group` AS ag ON ag.`ArtistID` = ta.`ArtistID`
           WHERE ta.`GroupID` = '$GroupID'
         GROUP BY ta.`GroupID`
         ");
+        G::$DB->exec_prepared_query();
+
         if (G::$DB->has_results()) {
             list($ArtistName) = G::$DB->next_record(MYSQLI_NUM, false);
         } else {

classes/userrank.class.php

@@ -17,29 +17,33 @@ class UserRank
     {
         $QueryID = G::$DB->get_query_id();
 
-        G::$DB->query("
+        G::$DB->prepare_query("
         DROP TEMPORARY TABLE IF EXISTS
           `temp_stats`
         ");
+        G::$DB->exec_prepared_query();
 
-        G::$DB->query("
+        G::$DB->prepare_query("
         CREATE TEMPORARY TABLE `temp_stats`(
           `id` INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
           `value` BIGINT NOT NULL
         );
         ");
+        G::$DB->exec_prepared_query();
 
-        G::$DB->query("
+        G::$DB->prepare_query("
         INSERT INTO `temp_stats`(`value`) "
         . $Query
         );
+        G::$DB->exec_prepared_query();
 
-        G::$DB->query("
+        G::$DB->prepare_query("
         SELECT
           COUNT(`id`)
         FROM
           `temp_stats`
         ");
+        G::$DB->exec_prepared_query();
         list($UserCount) = G::$DB->next_record();
 
         $UserCount = (int) $UserCount;
@@ -51,6 +55,7 @@ class UserRank
         GROUP BY
           CEIL(`id` /($UserCount / 100));
         ");
+        G::$DB->exec_prepared_query();
 
         $Table = G::$DB->to_array();
         G::$DB->set_query_id($QueryID);

gazelle.sql

@@ -1188,14 +1188,14 @@ CREATE TABLE `torrents_bad_tags` (
 ) ENGINE=InnoDB CHARSET=utf8mb4;
 
 
+-- 2021-07-08
 CREATE TABLE `torrents_group` (
   `id` int NOT NULL AUTO_INCREMENT,
   `category_id` tinyint DEFAULT NULL,
   `title` varchar(255) DEFAULT NULL,
   `subject` varchar(255) DEFAULT NULL,
   `object` varchar(255) DEFAULT NULL,
-  `published` smallint DEFAULT NULL, -- todo: Change to date
+  `year` smallint DEFAULT NULL,
   `workgroup` varchar(255) DEFAULT NULL,
   `location` varchar(255) DEFAULT NULL,
   `identifier` varchar(50) DEFAULT NULL,
@@ -1208,7 +1208,7 @@ CREATE TABLE `torrents_group` (
   PRIMARY KEY (`id`),
   KEY `category_id` (`category_id`),
   KEY `title` (`title`),
-  KEY `published` (`published`),
+  KEY `year` (`year`),
   KEY `timestamp` (`timestamp`),
   KEY `revision_id` (`revision_id`);
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

sections/api/artist.php

@@ -138,7 +138,7 @@ if (($Importances = $Cache->get_value("artist_groups_$ArtistID")) === false) {
     SELECT DISTINCTROW
       ta.`GroupID`,
       ta.`Importance`,
-      tg.`published`
+      tg.`year`
     FROM
       `torrents_artists` AS ta
     JOIN `torrents_group` AS tg
@@ -147,7 +147,7 @@ if (($Importances = $Cache->get_value("artist_groups_$ArtistID")) === false) {
     WHERE
       ta.`ArtistID` = '$ArtistID'
     ORDER BY
-      tg.`published`,
+      tg.`year`,
       tg.`Name`
     DESC
     ");

sections/api/send_recommendation.php

@@ -1,5 +1,5 @@
 <?php
-#declare(strict_types=1);
+declare(strict_types=1);
 
 $FriendID = (int) $_POST['friend'];
 $Type = $_POST['type'];
@@ -12,7 +12,7 @@ if (empty($FriendID) || empty($Type) || empty($ID)) {
 }
 
 // Make sure the recipient is on your friends list and not some random dude.
-$DB->query("
+$DB->prepare_query("
 SELECT
   f.`FriendID`,
   u.`Username`
@@ -27,6 +27,7 @@ ON
 WHERE
   f.`UserID` = '$LoggedUser[ID]' AND f.`FriendID` = '$FriendID'
 ");
+$DB->exec_prepared_query();
 
 if (!$DB->has_results()) {
     echo json_encode(array('status' => 'error', 'response' => 'Not on friend list.'));
@@ -49,7 +50,7 @@ switch ($Type) {
     WHERE
       `id` = '$ID'
     ");
-      break;
+    break;
 
     case 'artist':
     $Article = 'an';
@@ -75,6 +76,9 @@ switch ($Type) {
       `ID` = '$ID'
     ");
     break;
+
+    default:
+    break;
 }
 
 list($Name) = $DB->next_record();

sections/api/top10/torrents.php

@@ -27,7 +27,7 @@ SELECT
   g.`picture`,
   g.`tag_list`,
   t.`Media`,
-  g.`published`,
+  g.`year`,
   t.`Snatched`,
   t.`Seeders`,
   t.`Leechers`,

sections/better/covers.php

@@ -11,12 +11,12 @@ if (!empty($_GET['filter']) && $_GET['filter'] === 'all') {
       t.`GroupID` = tg.`id`
     JOIN `xbt_snatched` AS x
     ON
-      x.`fid` = t.`ID` AND x.`uid` = $LoggedUser[ID]
+      x.`fid` = t.`ID` AND x.`uid` = '$LoggedUser[ID]'
     ";
     $All = false;
 }
 
-$DB->query("
+$DB->prepare_query("
 SELECT SQL_CALC_FOUND_ROWS
   tg.`id`
 FROM
@@ -28,6 +28,7 @@ ORDER BY
   RAND()
 LIMIT 20
 ");
+$DB->exec_prepared_query();
 
 $Groups = $DB->to_array('id', MYSQLI_ASSOC);
 $DB->query('SELECT FOUND_ROWS()');
@@ -95,4 +96,5 @@ foreach ($Results as $Result) {
 } ?>
   </table>
 </div>
+
 <?php View::show_footer();

sections/bookmarks/add.php

@@ -71,20 +71,20 @@ if (!$DB->has_results()) {
         $Cache->delete_value("bookmarks_group_ids_$UserID");
         $DB->query("
         SELECT
-          `Name`,
-          `Year`,
-          `WikiBody`,
-          `TagList`
+          `title`,
+          `year`,
+          `description`,
+          `tag_list`
         FROM
           `torrents_group`
         WHERE
-          `ID` = $PageID
+          `id` = $PageID
         ");
 
         list($GroupTitle, $Year, $Body, $TagList) = $DB->next_record();
         $TagList = str_replace('_', '.', $TagList);
 
-        $DB->query("
+        $DB->prepare_query("
         SELECT
           `ID`,
           `Media`,
@@ -94,8 +94,9 @@ if (!$DB->has_results()) {
         FROM
           `torrents`
         WHERE
-          `GroupID` = $PageID
+          `GroupID` = '$PageID'
         ");
+        $DB->exec_prepared_query();
 
         // RSS feed stuff
         while ($Torrent = $DB->next_record()) {

sections/collages/add_torrent.php

@@ -3,54 +3,55 @@
 
 authorize();
 
-include(SERVER_ROOT.'/classes/validate.class.php');
+require_once SERVER_ROOT.'/classes/validate.class.php';
 $Val = new Validate;
 
-function add_torrent($CollageID, $GroupID) {
-  global $Cache, $LoggedUser, $DB;
+function add_torrent($CollageID, $GroupID)
+{
+    global $Cache, $LoggedUser, $DB;
 
-  $DB->query("
+    $DB->query("
     SELECT MAX(Sort)
     FROM collages_torrents
     WHERE CollageID = '$CollageID'");
-  list($Sort) = $DB->next_record();
-  $Sort += 10;
+    list($Sort) = $DB->next_record();
+    $Sort += 10;
 
-  $DB->query("
+    $DB->query("
     SELECT GroupID
     FROM collages_torrents
     WHERE CollageID = '$CollageID'
       AND GroupID = '$GroupID'");
-  if (!$DB->has_results()) {
-    $DB->query("
+    if (!$DB->has_results()) {
+        $DB->query("
       INSERT IGNORE INTO collages_torrents
         (CollageID, GroupID, UserID, Sort, AddedOn)
       VALUES
         ('$CollageID', '$GroupID', '$LoggedUser[ID]', '$Sort', '" . sqltime() . "')");
 
-    $DB->query("
+        $DB->query("
       UPDATE collages
       SET NumTorrents = NumTorrents + 1, Updated = '" . sqltime() . "'
       WHERE ID = '$CollageID'");
 
-    $Cache->delete_value("collage_$CollageID");
-    $Cache->delete_value("torrents_details_$GroupID");
-    $Cache->delete_value("torrent_collages_$GroupID");
-    $Cache->delete_value("torrent_collages_personal_$GroupID");
+        $Cache->delete_value("collage_$CollageID");
+        $Cache->delete_value("torrents_details_$GroupID");
+        $Cache->delete_value("torrent_collages_$GroupID");
+        $Cache->delete_value("torrent_collages_personal_$GroupID");
 
-    $DB->query("
+        $DB->query("
       SELECT UserID
       FROM users_collage_subs
       WHERE CollageID = $CollageID");
-    while (list($CacheUserID) = $DB->next_record()) {
-      $Cache->delete_value("collage_subs_user_new_$CacheUserID");
+        while (list($CacheUserID) = $DB->next_record()) {
+            $Cache->delete_value("collage_subs_user_new_$CacheUserID");
+        }
     }
-  }
 }
 
 $CollageID = $_POST['collageid'];
 if (!is_number($CollageID)) {
-  error(404);
+    error(404);
 }
 $DB->query("
   SELECT UserID, CategoryID, Locked, NumTorrents, MaxGroups, MaxGroupsPerUser
@@ -59,107 +60,105 @@ $DB->query("
 list($UserID, $CategoryID, $Locked, $NumTorrents, $MaxGroups, $MaxGroupsPerUser) = $DB->next_record();
 
 if (!check_perms('site_collages_delete')) {
-  if ($Locked) {
-    $Err = 'This collage is locked';
-  }
-  if ($CategoryID == 0 && $UserID != $LoggedUser['ID']) {
-    $Err = 'You cannot edit someone else\'s personal collage.';
-  }
-  if ($MaxGroups > 0 && $NumTorrents >= $MaxGroups) {
-    $Err = 'This collage already holds its maximum allowed number of torrents.';
-  }
-
-  if (isset($Err)) {
-    error($Err);
-  }
+    if ($Locked) {
+        $Err = 'This collage is locked';
+    }
+    if ($CategoryID == 0 && $UserID != $LoggedUser['ID']) {
+        $Err = 'You cannot edit someone else\'s personal collage.';
+    }
+    if ($MaxGroups > 0 && $NumTorrents >= $MaxGroups) {
+        $Err = 'This collage already holds its maximum allowed number of torrents.';
+    }
+
+    if (isset($Err)) {
+        error($Err);
+    }
 }
 
 if ($MaxGroupsPerUser > 0) {
-  $DB->query("
+    $DB->query("
     SELECT COUNT(*)
     FROM collages_torrents
     WHERE CollageID = '$CollageID'
       AND UserID = '$LoggedUser[ID]'");
-  list($GroupsForUser) = $DB->next_record();
-  if (!check_perms('site_collages_delete') && $GroupsForUser >= $MaxGroupsPerUser) {
-    error(403);
-  }
+    list($GroupsForUser) = $DB->next_record();
+    if (!check_perms('site_collages_delete') && $GroupsForUser >= $MaxGroupsPerUser) {
+        error(403);
+    }
 }
 
 if ($_REQUEST['action'] == 'add_torrent') {
-  $Val->SetFields('url', '1', 'regex', 'The URL must be a link to a torrent on the site.', array('regex' => '/^'.TORRENT_GROUP_REGEX.'/i'));
-  $Err = $Val->ValidateForm($_POST);
+    $Val->SetFields('url', '1', 'regex', 'The URL must be a link to a torrent on the site.', array('regex' => '/^'.TORRENT_GROUP_REGEX.'/i'));
+    $Err = $Val->ValidateForm($_POST);
 
-  if ($Err) {
-    error($Err);
-  }
+    if ($Err) {
+        error($Err);
+    }
 
-  $URL = $_POST['url'];
+    $URL = $_POST['url'];
 
-  // Get torrent ID
-  preg_match('/^'.TORRENT_GROUP_REGEX.'/i', $URL, $Matches);
-  $TorrentID = $Matches[4];
-  if (!$TorrentID || (int)$TorrentID == 0) {
-    error(404);
-  }
+    // Get torrent ID
+    preg_match('/^'.TORRENT_GROUP_REGEX.'/i', $URL, $Matches);
+    $TorrentID = (int) $Matches[4];
+    Security::checkInt($TorrentID);
 
-  $DB->query("
+    $DB->query("
     SELECT ID
     FROM torrents_group
     WHERE ID = '$TorrentID'");
-  list($GroupID) = $DB->next_record();
-  if (!$GroupID) {
-    error('The torrent was not found in the database.');
-  }
-
-  add_torrent($CollageID, $GroupID);
-} else {
-  $URLs = explode("\n", $_REQUEST['urls']);
-  $GroupIDs = [];
-  $Err = '';
-  foreach ($URLs as $Key => &$URL) {
-    $URL = trim($URL);
-    if ($URL == '') {
-      unset($URLs[$Key]);
+    list($GroupID) = $DB->next_record();
+    if (!$GroupID) {
+        error('The torrent was not found in the database.');
     }
-  }
-  unset($URL);
 
-  if (!check_perms('site_collages_delete')) {
-    if ($MaxGroups > 0 && ($NumTorrents + count($URLs) > $MaxGroups)) {
-      $Err = "This collage can only hold $MaxGroups torrents.";
-    }
-    if ($MaxGroupsPerUser > 0 && ($GroupsForUser + count($URLs) > $MaxGroupsPerUser)) {
-      $Err = "You may only have $MaxGroupsPerUser torrents in this collage.";
+    add_torrent($CollageID, $GroupID);
+} else {
+    $URLs = explode("\n", $_REQUEST['urls']);
+    $GroupIDs = [];
+    $Err = '';
+    foreach ($URLs as $Key => &$URL) {
+        $URL = trim($URL);
+        if ($URL == '') {
+            unset($URLs[$Key]);
+        }
     }
-  }
-
-  foreach ($URLs as $URL) {
-    $Matches = [];
-    if (preg_match('/^'.TORRENT_GROUP_REGEX.'/i', $URL, $Matches)) {
-      $GroupIDs[] = $Matches[4];
-      $GroupID = $Matches[4];
-    } else {
-      $Err = "One of the entered URLs ($URL) does not correspond to a torrent group on the site.";
-      break;
+    unset($URL);
+
+    if (!check_perms('site_collages_delete')) {
+        if ($MaxGroups > 0 && ($NumTorrents + count($URLs) > $MaxGroups)) {
+            $Err = "This collage can only hold $MaxGroups torrents.";
+        }
+        if ($MaxGroupsPerUser > 0 && ($GroupsForUser + count($URLs) > $MaxGroupsPerUser)) {
+            $Err = "You may only have $MaxGroupsPerUser torrents in this collage.";
+        }
     }
 
-    $DB->query("
+    foreach ($URLs as $URL) {
+        $Matches = [];
+        if (preg_match('/^'.TORRENT_GROUP_REGEX.'/i', $URL, $Matches)) {
+            $GroupIDs[] = $Matches[4];
+            $GroupID = $Matches[4];
+        } else {
+            $Err = "One of the entered URLs ($URL) does not correspond to a torrent group on the site.";
+            break;
+        }
+
+        $DB->query("
       SELECT ID
       FROM torrents_group
       WHERE ID = '$GroupID'");
-    if (!$DB->has_results()) {
-      $Err = "One of the entered URLs ($URL) does not correspond to a torrent group on the site.";
-      break;
+        if (!$DB->has_results()) {
+            $Err = "One of the entered URLs ($URL) does not correspond to a torrent group on the site.";
+            break;
+        }
     }
-  }
 
-  if ($Err) {
-    error($Err);
-  }
+    if ($Err) {
+        error($Err);
+    }
 
-  foreach ($GroupIDs as $GroupID) {
-    add_torrent($CollageID, $GroupID);
-  }
+    foreach ($GroupIDs as $GroupID) {
+        add_torrent($CollageID, $GroupID);
+    }
 }
 header('Location: collages.php?id='.$CollageID);

sections/collages/download.php

@@ -59,7 +59,7 @@ SELECT
   t.`Encoding`,
   IF(
     t.`RemasterYear` = 0,
-    tg.`published`,
+    tg.`year`,
     t.`RemasterYear`
   ) AS `Year`,
   tg.`title`,

sections/schedule/daily/delete_dead_torrents.php

@@ -28,7 +28,7 @@ echo 'Found '.count($Torrents)." inactive torrents to be deleted.\n";
 $LogEntries = $DeleteNotes = [];
 
 // Exceptions for inactivity deletion
-$InactivityExceptionsMade = []; // UserID => expiry time of exception
+$InactivityExceptionsMade = [2]; // UserID => expiry time of exception
 
 $i = 0;
 foreach ($Torrents as $Torrent) {

sections/torrents/masspm.php

@@ -1,64 +1,83 @@
-<?
+<?php
 #declare(strict_types = 1);
 
-if (!isset($_GET['id']) || !is_number($_GET['id']) || !isset($_GET['torrentid']) || !is_number($_GET['torrentid'])) {
-  error(0);
-}
-$GroupID = $_GET['id'];
-$TorrentID = $_GET['torrentid'];
-
-$DB->query("
-  SELECT
-    t.Media,
-    t.FreeTorrent,
-    t.GroupID,
-    t.UserID,
-    t.Description AS TorrentDescription,
-    tg.CategoryID,
-    tg.Name AS Title,
-    tg.Year,
-    tg.ArtistID,
-    ag.Name AS ArtistName
-  FROM torrents AS t
-    JOIN torrents_group AS tg ON tg.ID=t.GroupID
-    LEFT JOIN artists_group AS ag ON ag.ArtistID=tg.ArtistID
-  WHERE t.ID='$TorrentID'");
+$GroupID = (int) $_GET['id'];
+$TorrentID = (int) $_GET['torrentid'];
+Security::checkInt($GroupID, $TorrentID);
 
-list($Properties) = $DB->to_array(false,MYSQLI_BOTH);
+$DB->prepare_query("
+SELECT
+  t.`Media`,
+  t.`FreeTorrent`,
+  t.`GroupID`,
+  t.`UserID`,
+  t.`Description` AS TorrentDescription,
+  tg.`category_id`,
+  tg.`title` AS Title,
+  tg.`year`,
+  tg.`artist_id`,
+  ag.`Name` AS ArtistName
+FROM
+  `torrents` AS t
+JOIN `torrents_group` AS tg
+ON
+  tg.`id` = t.`GroupID`
+LEFT JOIN `artists_group` AS ag
+ON
+  ag.`ArtistID` = tg.`artist_id`
+WHERE
+  t.`ID` = '$TorrentID'
+");
+$DB->exec_prepared_query();
 
+list($Properties) = $DB->to_array(false, MYSQLI_BOTH);
 if (!$Properties) {
-  error(404);
+    error(404);
 }
 
 View::show_header('Edit torrent', 'upload');
 
 if (!check_perms('site_moderate_requests')) {
-  error(403);
+    error(403);
 }
-
 ?>
+
 <div>
   <div class="header">
-    <h2>Send PM To All Snatchers Of "<?=$Properties['ArtistName']?> - <?=$Properties['Title']?>"</h2>
+    <h2>
+      Send PM to All Snatchers of
+      "<?=$Properties['ArtistName']?> - <?=$Properties['Title']?>"
+    </h2>
   </div>
+
   <form class="send_form" name="mass_message" action="torrents.php" method="post">
     <input type="hidden" name="action" value="takemasspm" />
-    <input type="hidden" name="auth" value="<?=$LoggedUser['AuthKey']?>" />
+    <input type="hidden" name="auth"
+      value="<?=$LoggedUser['AuthKey']?>" />
     <input type="hidden" name="torrentid" value="<?=$TorrentID?>" />
     <input type="hidden" name="groupid" value="<?=$GroupID?>" />
+
     <table class="layout">
       <tr>
-        <td class="label">Subject</td>
+        <td class="label">
+          Subject
+        </td>
+
         <td>
           <input type="text" name="subject" value="" size="60" />
         </td>
       </tr>
+
       <tr>
-        <td class="label">Message</td>
+        <td class="label">
+          Message
+        </td>
+
         <td>
           <textarea name="message" id="message" cols="60" rows="8"></textarea>
         </td>
       </tr>
+
       <tr>
         <td colspan="2" class="center">
           <input type="submit" value="Send Mass PM" />
@@ -67,4 +86,5 @@ if (!check_perms('site_moderate_requests')) {
     </table>
   </form>
 </div>
-<? View::show_footer(); ?>
+
+<?php View::show_footer();

sections/torrents/takenewgroup.php

@@ -1,25 +1,29 @@
 <?php
 #declare(strict_types = 1);
 
-/***************************************************************
-* This page handles the backend of the "new group" function
-* which splits a torrent off into a new group.
-****************************************************************/
+/**
+ * This page handles the backend of the "new group" function
+ * which splits a torrent off into a new group.
+ */
 
+# Validate permissions
 authorize();
 
 if (!check_perms('torrents_edit')) {
     error(403);
 }
 
+# Set variables
 $OldGroupID = $_POST['oldgroupid'];
 $TorrentID = $_POST['torrentid'];
 $ArtistName = db_string(trim($_POST['artist']));
 $Title = db_string(trim($_POST['title']));
 $Year = db_string(trim($_POST['year']));
 
-if (!is_number($OldGroupID) || !is_number($TorrentID) || !is_number($Year) || !$OldGroupID || !$TorrentID || !$Year || empty($Title) || empty($ArtistName)) {
-    error(0);
+# Digits, check 'em
+Security::checkInt($OldGroupID, $TorrentID, $Year);
+if (empty($Title) || empty($ArtistName)) {
+    error(400);
 }
 
 // Everything is legit, let's just confim they're not retarded

sections/upload/upload.php

@@ -22,14 +22,14 @@ View::show_header(
 
 if (empty($Properties) && !empty($_GET['groupid']) && is_number($_GET['groupid'])) {
     $GroupID = $_GET['groupid'];
-    $DB->query("
+    $DB->prepare_query("
       SELECT
         tg.`id` as GroupID,
         tg.`category_id`,
         tg.`title` AS Title,
         tg.`subject`,
         tg.`object` AS TitleJP,
-        tg.`published`,
+        tg.`year`,
         tg.`workgroup`,
         tg.`location`,
         tg.`identifier`,
@@ -40,6 +40,7 @@ if (empty($Properties) && !empty($_GET['groupid']) && is_number($_GET['groupid']
       WHERE tg.`id` = '$GroupID'
       GROUP BY tg.`id`
       ");
+    $DB->exec_prepared_query();
 
     if ($DB->has_results()) {
         list($Properties) = $DB->to_array(false, MYSQLI_BOTH);

sections/upload/upload_handle.php

@@ -129,7 +129,7 @@ $Validate->SetFields(
 );
 
 if (!$_POST['groupid']) {
-    # torrents_group.CatalogueNumber
+    # torrents_group.identifier
     $Validate->SetFields(
         'catalogue',
         '0',
@@ -193,7 +193,7 @@ if (!$_POST['groupid']) {
     );
 
     /* todo: Fix the year validation
-    # torrents_group.published
+    # torrents_group.year
     $Validate->SetFields(
         'year',
         '1',
@@ -432,23 +432,24 @@ if (!preg_match('/^'.IMAGE_REGEX.'$/i', $T['Image'])) {
 
 // Does it belong in a group?
 if ($T['GroupID']) {
-    $DB->query("
+    $DB->prepare_query("
     SELECT
       `id`,
       `picture`,
       `description`,
       `revision_id`,
       `title`,
-      `published`,
+      `year`,
       `tag_list`
     FROM
       `torrents_group`
     WHERE
       `id` = $T[GroupID]
     ");
+    $DB->exec_prepared_query();
 
     if ($DB->has_results()) {
-        // Don't escape tg.Name. It's written directly to the log table
+        // Don't escape tg.title. It's written directly to the log table
         list($GroupID, $WikiImage, $WikiBody, $RevisionID, $T['Title'], $T['Year'], $T['TagList']) = $DB->next_record(MYSQLI_NUM, array(4));
         $T['TagList'] = str_replace(array(' ', '.', '_'), array(', ', '.', '.'), $T['TagList']);
 
@@ -521,12 +522,12 @@ if ((!isset($GroupID) || !$GroupID)) {
 
 if (!isset($GroupID) || !$GroupID) {
     // Create torrent group
-    $DB->query(
+    $DB->prepare_query(
         "
       INSERT INTO torrents_group
-        (CategoryID, Name, Title2, NameJP, Year,
-        Series, Studio, CatalogueNumber, Time,
-        WikiBody, WikiImage)
+        (`category_id`, `title`, `subject`, `object`, `year`,
+        `location`, `workgroup`, `identifier`, `timestamp`,
+        `description`, `picture`)
       VALUES
         ( ?, ?, ?, ?, ?,
           ?, ?, ?, NOW(),
@@ -542,6 +543,7 @@ if (!isset($GroupID) || !$GroupID) {
         $Body,
         $T['Image']
     );
+    $DB->exec_prepared_query();
 
     $GroupID = $DB->inserted_id();
     foreach ($ArtistForm as $Num => $Artist) {
@@ -631,10 +633,15 @@ if (!isset($NoRevision) || !$NoRevision) {
     $RevisionID = $DB->inserted_id();
 
     // Revision ID
-    $DB->query("
-      UPDATE torrents_group
-      SET RevisionID = ?
-        WHERE ID = ?", $RevisionID, $GroupID);
+    $DB->prepare_query("
+    UPDATE
+      `torrents_group`
+    SET
+      `revision_id` = '$RevisionID'
+    WHERE
+      `id` = '$GroupID'
+    ");
+    $DB->exec_prepared_query();
 }
 
 // Tags

sections/userhistory/token_history.php

@@ -38,12 +38,9 @@ if (isset($_GET['expire'])) {
 
     $UserID = $_GET['userid'];
     $TorrentID = $_GET['torrentid'];
+    Security::checkInt($UserID, $TorrentID);
 
-    if (!is_number($UserID) || !is_number($TorrentID)) {
-        error(403);
-    }
-
-    $DB->query("
+    $DB->prepare_query("
     SELECT
       HEX(`info_hash`)
     FROM
@@ -51,9 +48,10 @@ if (isset($_GET['expire'])) {
     WHERE
       `ID` = '$TorrentID'
     ");
+    $DB->exec_prepared_query();
 
     if (list($InfoHash) = $DB->next_record(MYSQLI_NUM, false)) {
-        $DB->query("
+        $DB->prepare_query("
         UPDATE
           `users_freeleeches`
         SET
@@ -61,6 +59,7 @@ if (isset($_GET['expire'])) {
         WHERE
           `UserID` = '$UserID' AND `TorrentID` = '$TorrentID'
         ");
+        $DB->exec_prepared_query();
 
         $Cache->delete_value("users_tokens_$UserID");
         Tracker::update_tracker(
@@ -75,7 +74,7 @@ if (isset($_GET['expire'])) {
 View::show_header('Freeleech token history');
 list($Page, $Limit) = Format::page_limit(25);
 
-$DB->query("
+$DB->prepare_query("
 SELECT SQL_CALC_FOUND_ROWS
   f.`TorrentID`,
   t.`GroupID`,
@@ -99,6 +98,7 @@ ORDER BY
 DESC
 LIMIT $Limit
 ");
+$DB->exec_prepared_query();
 
 $Tokens = $DB->to_array();
 $DB->query('SELECT FOUND_ROWS()');

sphinx.conf

@@ -35,7 +35,7 @@ source torrents : torrents_base {
     sql_query_pre = INSERT INTO sphinx_tg \
         (id, name, namejp, tags, year, cnumber, catid, \
             studio, series) \
-        SELECT id, title, subject, tag_list, published, identifier, \
+        SELECT id, title, subject, tag_list, year, identifier, \
             category_id, workgroup, location \
         FROM torrents_group \
         WHERE time < @starttime