
Use prepared queries on the wiki

biotorrents 4 years ago
parent
commit
f7c0a57e33

+ 2
- 2
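--- a/sections/wiki/add_alias.php
+++ b/sections/wiki/add_alias.php
@@ -9,7 +9,7 @@ if (!isset($_POST['article']) || !is_number($_POST['article'])) {
 
 $ArticleID = (int)$_POST['article'];
 
-$DB->query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
+$DB->prepared_query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
 list($MinClassEdit) = $DB->next_record();
 
 if ($MinClassEdit > $LoggedUser['EffectiveClass']) {
@@ -20,7 +20,7 @@ $NewAlias = Wiki::normalize_alias($_POST['alias']);
 $Dupe = Wiki::alias_to_id($_POST['alias']);
 
 if ($NewAlias !== '' && $NewAlias!== 'addalias' && $Dupe === false) { // Not null, and not dupe
-    $DB->query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES ('$NewAlias', '$LoggedUser[ID]', '$ArticleID')");
+    $DB->prepared_query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES ('$NewAlias', '$LoggedUser[ID]', '$ArticleID')");
 } else {
     error('The alias you attempted to add was either null or already in the database.');
 }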
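Review bot: Renaming `query` to `prepared_query` on file lines 12 and 23 does not make these statements parameterised: both SQL strings still interpolate `$ArticleID`, `$NewAlias` and `$LoggedUser[ID]` directly, so a prepared statement with no placeholders executes the same text the old call did. `$NewAlias` is derived from `Wiki::normalize_alias($_POST['alias'])` and is embedded inside quotes without `db_string()`, unlike the alias INSERT in takecreate.php, which wraps the same kind of value; whether `prepared_query` escapes its argument or accepts bind parameters cannot be seen from this diff. If the method takes bind arguments, the INSERT should read `$DB->prepared_query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES (?, ?, ?)", $NewAlias, $LoggedUser['ID'], $ArticleID);` (constructed, assuming `?` placeholders) so that the alias is never part of the query text. The same interpolation is left in place in the renamed calls in compare.php, delete.php, delete_alias.php, revisions.php, takecreate.php, takeedit.php and wiki_browse.php.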

+ 6
- 3
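--- a/sections/wiki/compare.php
+++ b/sections/wiki/compare.php
@@ -64,7 +64,7 @@ function get_body($ID, $Rev)
     if ((int) $Rev === $Revision) {
         $Str = $Body;
     } else {
-        $DB->query("
+        $DB->prepared_query("
           SELECT Body
           FROM wiki_revisions
           WHERE ID = '$ID'
@@ -84,9 +84,12 @@ if (!isset($_GET['old'])
   || !is_number($_GET['old'])
   || !is_number($_GET['new'])
   || !is_number($_GET['id'])
-  || $_GET['old'] > $_GET['new']
 ) {
-    error(0);
+    error(400);
+}
+
+if ($_GET['old'] > $_GET['new']) {
+    error('The new revision compared must be newer than the old revision to compare against.');
 }
 
 $ArticleID = (int) $_GET['id'];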

+ 4
- 4
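--- a/sections/wiki/delete.php
+++ b/sections/wiki/delete.php
@@ -14,7 +14,7 @@ if ($ID === INDEX_ARTICLE) {
     error('You cannot delete the main wiki article.');
 }
 
-$DB->query("
+$DB->prepared_query("
   SELECT Title
   FROM wiki_articles
   WHERE ID = $ID");
@@ -29,9 +29,9 @@ list($Title) = $DB->next_record(MYSQLI_NUM, false);
 Misc::write_log("Wiki article $ID ($Title) was deleted by ".$LoggedUser['Username']);
 
 // Delete
-$DB->query("DELETE FROM wiki_articles WHERE ID = $ID");
-$DB->query("DELETE FROM wiki_aliases WHERE ArticleID = $ID");
-$DB->query("DELETE FROM wiki_revisions WHERE ID = $ID");
+$DB->prepared_query("DELETE FROM wiki_articles WHERE ID = $ID");
+$DB->prepared_query("DELETE FROM wiki_aliases WHERE ArticleID = $ID");
+$DB->prepared_query("DELETE FROM wiki_revisions WHERE ID = $ID");
 
 Wiki::flush_aliases();
 Wiki::flush_article($ID);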

+ 2
- 2
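--- a/sections/wiki/delete_alias.php
+++ b/sections/wiki/delete_alias.php
@@ -5,12 +5,12 @@ authorize();
 
 $ArticleID = Wiki::alias_to_id($_GET['alias']);
 
-$DB->query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
+$DB->prepared_query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
 list($MinClassEdit) = $DB->next_record();
 if ($MinClassEdit > $LoggedUser['EffectiveClass']) {
     error(403);
 }
 
-$DB->query("DELETE FROM wiki_aliases WHERE Alias='".Wiki::normalize_alias($_GET['alias'])."'");
+$DB->prepared_query("DELETE FROM wiki_aliases WHERE Alias='".Wiki::normalize_alias($_GET['alias'])."'");
 Wiki::flush_article($ArticleID);
 Wiki::flush_aliases();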
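Review bot: File line 8 interpolates the result of `Wiki::alias_to_id($_GET['alias'])` into `WHERE ID = $ArticleID` with no check that the alias actually resolved; add_alias.php tests the same helper with `$Dupe === false`, which suggests it returns `false` for an unknown alias, and in that case the query text ends in `WHERE ID = ` with nothing after it, `$MinClassEdit` on line 9 is left unset, and the class comparison on line 10 no longer guards the DELETE on line 14. A guard such as `if ($ArticleID === false) { error(400); }` placed after line 6 would reject the request before either statement runs. If `alias_to_id` signals absence some other way, the check should match that convention instead.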

+ 1
- 1
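--- a/sections/wiki/revisions.php
+++ b/sections/wiki/revisions.php
@@ -58,7 +58,7 @@ View::show_header("Revisions of ".$Title);
       </tr>
 
       <?php
-$DB->query("
+$DB->prepared_query("
   SELECT
     Revision,
     Title,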

+ 1
- 1
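--- a/sections/wiki/search.php
+++ b/sections/wiki/search.php
@@ -154,7 +154,7 @@ $DB->set_query_id($RS);
 
         <tr>
           <td colspan="4" class="center">
-            <input type="submit" value="Search" />
+            <input type="submit" class="button-primary" value="Search" />
           </td>
         </tr>
       </table>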

+ 3
- 3
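--- a/sections/wiki/takecreate.php
+++ b/sections/wiki/takecreate.php
@@ -14,7 +14,7 @@ $Val->SetFields('title', '1', 'string', 'The title must be between 3 and 100 cha
 $Err = $Val->ValidateForm($_POST);
 
 if (!$Err) {
-    $DB->query("
+    $DB->prepared_query("
       SELECT ID
       FROM wiki_articles
       WHERE Title = '$P[title]'");
@@ -53,7 +53,7 @@ if (check_perms('admin_manage_wiki')) {
     $Edit = 100;
 }
 
-$DB->query("
+$DB->prepared_query("
   INSERT INTO wiki_articles
     (Revision, Title, Body, MinClassRead, MinClassEdit, Date, Author)
   VALUES
@@ -64,7 +64,7 @@ $TitleAlias = Wiki::normalize_alias($_POST['title']);
 $Dupe = Wiki::alias_to_id($_POST['title']);
 
 if ($TitleAlias !== '' && $Dupe === false) {
-    $DB->query("
+    $DB->prepared_query("
       INSERT INTO wiki_aliases (Alias, ArticleID)
       VALUES ('".db_string($TitleAlias)."', '$ArticleID')");
     Wiki::flush_aliases();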

+ 2
- 2
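--- a/sections/wiki/takeedit.php
+++ b/sections/wiki/takeedit.php
@@ -55,7 +55,7 @@ if ($MyRevision !== $OldRevision) {
 }
 
 // Store previous revision
-$DB->query("
+$DB->prepared_query("
   INSERT INTO wiki_revisions
     (ID, Revision, Title, Body, Date, Author)
   VALUES
@@ -80,6 +80,6 @@ $SQL .= "
     Author = '$LoggedUser[ID]'
   WHERE ID = '$P[id]'";
 
-$DB->query($SQL);
+$DB->prepared_query($SQL);
 Wiki::flush_article($ArticleID);
 header("Location: wiki.php?action=article&id=$ArticleID");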

+ 1
- 1
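--- a/sections/wiki/wiki_browse.php
+++ b/sections/wiki/wiki_browse.php
@@ -29,7 +29,7 @@ if ($Letter !== '1') {
 }
 
 $sql .= " ORDER BY Title";
-$DB->query($sql);
+$DB->prepared_query($sql);
 ?>
 
 <div>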
