Use prepared queries on the wiki

sections/wiki/add_alias.php

@@ -9,7 +9,7 @@ if (!isset($_POST['article']) || !is_number($_POST['article'])) {
 
 $ArticleID = (int)$_POST['article'];
 
-$DB->query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
+$DB->prepared_query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
 list($MinClassEdit) = $DB->next_record();
 
 if ($MinClassEdit > $LoggedUser['EffectiveClass']) {
@@ -20,7 +20,7 @@ $NewAlias = Wiki::normalize_alias($_POST['alias']);
 $Dupe = Wiki::alias_to_id($_POST['alias']);
 
 if ($NewAlias !== '' && $NewAlias!== 'addalias' && $Dupe === false) { // Not null, and not dupe
-    $DB->query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES ('$NewAlias', '$LoggedUser[ID]', '$ArticleID')");
+    $DB->prepared_query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES ('$NewAlias', '$LoggedUser[ID]', '$ArticleID')");
 } else {
     error('The alias you attempted to add was either null or already in the database.');
 }

sections/wiki/compare.php

@@ -64,7 +64,7 @@ function get_body($ID, $Rev)
     if ((int) $Rev === $Revision) {
         $Str = $Body;
     } else {
-        $DB->query("
+        $DB->prepared_query("
           SELECT Body
           FROM wiki_revisions
           WHERE ID = '$ID'
@@ -84,9 +84,12 @@ if (!isset($_GET['old'])
   || !is_number($_GET['old'])
   || !is_number($_GET['new'])
   || !is_number($_GET['id'])
-  || $_GET['old'] > $_GET['new']
 ) {
-    error(0);
+    error(400);
+}
+
+if ($_GET['old'] > $_GET['new']) {
+    error('The new revision compared must be newer than the old revision to compare against.');
 }
 
 $ArticleID = (int) $_GET['id'];

sections/wiki/delete.php

@@ -14,7 +14,7 @@ if ($ID === INDEX_ARTICLE) {
     error('You cannot delete the main wiki article.');
 }
 
-$DB->query("
+$DB->prepared_query("
   SELECT Title
   FROM wiki_articles
   WHERE ID = $ID");
@@ -29,9 +29,9 @@ list($Title) = $DB->next_record(MYSQLI_NUM, false);
 Misc::write_log("Wiki article $ID ($Title) was deleted by ".$LoggedUser['Username']);
 
 // Delete
-$DB->query("DELETE FROM wiki_articles WHERE ID = $ID");
-$DB->query("DELETE FROM wiki_aliases WHERE ArticleID = $ID");
-$DB->query("DELETE FROM wiki_revisions WHERE ID = $ID");
+$DB->prepared_query("DELETE FROM wiki_articles WHERE ID = $ID");
+$DB->prepared_query("DELETE FROM wiki_aliases WHERE ArticleID = $ID");
+$DB->prepared_query("DELETE FROM wiki_revisions WHERE ID = $ID");
 
 Wiki::flush_aliases();
 Wiki::flush_article($ID);

sections/wiki/delete_alias.php

@@ -5,12 +5,12 @@ authorize();
 
 $ArticleID = Wiki::alias_to_id($_GET['alias']);
 
-$DB->query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
+$DB->prepared_query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
 list($MinClassEdit) = $DB->next_record();
 if ($MinClassEdit > $LoggedUser['EffectiveClass']) {
     error(403);
 }
 
-$DB->query("DELETE FROM wiki_aliases WHERE Alias='".Wiki::normalize_alias($_GET['alias'])."'");
+$DB->prepared_query("DELETE FROM wiki_aliases WHERE Alias='".Wiki::normalize_alias($_GET['alias'])."'");
 Wiki::flush_article($ArticleID);
 Wiki::flush_aliases();

sections/wiki/revisions.php

@@ -58,7 +58,7 @@ View::show_header("Revisions of ".$Title);
       </tr>
 
       <?php
-$DB->query("
+$DB->prepared_query("
   SELECT
     Revision,
     Title,

sections/wiki/search.php

@@ -154,7 +154,7 @@ $DB->set_query_id($RS);
 
         <tr>
           <td colspan="4" class="center">
-            <input type="submit" value="Search" />
+            <input type="submit" class="button-primary" value="Search" />
           </td>
         </tr>
       </table>

sections/wiki/takecreate.php

@@ -14,7 +14,7 @@ $Val->SetFields('title', '1', 'string', 'The title must be between 3 and 100 cha
 $Err = $Val->ValidateForm($_POST);
 
 if (!$Err) {
-    $DB->query("
+    $DB->prepared_query("
       SELECT ID
       FROM wiki_articles
       WHERE Title = '$P[title]'");
@@ -53,7 +53,7 @@ if (check_perms('admin_manage_wiki')) {
     $Edit = 100;
 }
 
-$DB->query("
+$DB->prepared_query("
   INSERT INTO wiki_articles
     (Revision, Title, Body, MinClassRead, MinClassEdit, Date, Author)
   VALUES
@@ -64,7 +64,7 @@ $TitleAlias = Wiki::normalize_alias($_POST['title']);
 $Dupe = Wiki::alias_to_id($_POST['title']);
 
 if ($TitleAlias !== '' && $Dupe === false) {
-    $DB->query("
+    $DB->prepared_query("
       INSERT INTO wiki_aliases (Alias, ArticleID)
       VALUES ('".db_string($TitleAlias)."', '$ArticleID')");
     Wiki::flush_aliases();

sections/wiki/takeedit.php

@@ -55,7 +55,7 @@ if ($MyRevision !== $OldRevision) {
 }
 
 // Store previous revision
-$DB->query("
+$DB->prepared_query("
   INSERT INTO wiki_revisions
     (ID, Revision, Title, Body, Date, Author)
   VALUES
@@ -80,6 +80,6 @@ $SQL .= "
     Author = '$LoggedUser[ID]'
   WHERE ID = '$P[id]'";
 
-$DB->query($SQL);
+$DB->prepared_query($SQL);
 Wiki::flush_article($ArticleID);
 header("Location: wiki.php?action=article&id=$ArticleID");

sections/wiki/wiki_browse.php

@@ -29,7 +29,7 @@ if ($Letter !== '1') {
 }
 
 $sql .= " ORDER BY Title";
-$DB->query($sql);
+$DB->prepared_query($sql);
 ?>
 
 <div>