
Use prepared queries on the wiki

biotorrents 4 years ago
parent
commit
f7c0a57e33

+ 2
- 2
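--- a/sections/wiki/add_alias.php
+++ b/sections/wiki/add_alias.php
@@ -9,7 +9,7 @@
 
 $ArticleID = (int)$_POST['article'];
 
-$DB->query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
+$DB->prepared_query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
 list($MinClassEdit) = $DB->next_record();
 
 if ($MinClassEdit > $LoggedUser['EffectiveClass']) {
@@ -20,7 +20,7 @@
 $Dupe = Wiki::alias_to_id($_POST['alias']);
 
 if ($NewAlias !== '' && $NewAlias!== 'addalias' && $Dupe === false) { // Not null, and not dupe
-    $DB->query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES ('$NewAlias', '$LoggedUser[ID]', '$ArticleID')");
+    $DB->prepared_query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES ('$NewAlias', '$LoggedUser[ID]', '$ArticleID')");
 } else {
     error('The alias you attempted to add was either null or already in the database.');
 }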
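Review bot: Both `prepared_query` calls in this section still interpolate `$ArticleID`, `$NewAlias` and `$LoggedUser[ID]` directly into the SQL string and pass no bind values, so the statement the server prepares already contains the user-supplied alias and gains no injection protection over the old `query` call; the same pattern is left in compare.php, delete.php, delete_alias.php, takecreate.php, takeedit.php and wiki_browse.php. Assuming `prepared_query` accepts the bound values after the SQL text (verify against the DB wrapper), the insert should become `$DB->prepared_query("INSERT INTO wiki_aliases (Alias, UserID, ArticleID) VALUES (?, ?, ?)", $NewAlias, $LoggedUser['ID'], $ArticleID);` and the lookup `$DB->prepared_query("SELECT MinClassEdit FROM wiki_articles WHERE ID = ?", $ArticleID);`. Where the query text is assembled elsewhere (`$SQL` in takeedit.php, `$sql` in wiki_browse.php) the placeholders have to be introduced where the string is built, which lies outside those hunks. `$NewAlias` is assigned above this hunk, so whether it is escaped before this point cannot be seen here.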

+ 6
- 3
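--- a/sections/wiki/compare.php
+++ b/sections/wiki/compare.php
@@ -64,7 +64,7 @@
     if ((int) $Rev === $Revision) {
         $Str = $Body;
     } else {
-        $DB->query("
+        $DB->prepared_query("
           SELECT Body
           FROM wiki_revisions
           WHERE ID = '$ID'
@@ -84,9 +84,12 @@
   || !is_number($_GET['old'])
   || !is_number($_GET['new'])
   || !is_number($_GET['id'])
-  || $_GET['old'] > $_GET['new']
 ) {
-    error(0);
+    error(400);
+}
+
+if ($_GET['old'] > $_GET['new']) {
+    error('The new revision compared must be newer than the old revision to compare against.');
 }
 
 $ArticleID = (int) $_GET['id'];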

+ 4
- 4
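--- a/sections/wiki/delete.php
+++ b/sections/wiki/delete.php
@@ -14,7 +14,7 @@
     error('You cannot delete the main wiki article.');
 }
 
-$DB->query("
+$DB->prepared_query("
   SELECT Title
   FROM wiki_articles
   WHERE ID = $ID");
@@ -29,9 +29,9 @@
 Misc::write_log("Wiki article $ID ($Title) was deleted by ".$LoggedUser['Username']);
 
 // Delete
-$DB->query("DELETE FROM wiki_articles WHERE ID = $ID");
-$DB->query("DELETE FROM wiki_aliases WHERE ArticleID = $ID");
-$DB->query("DELETE FROM wiki_revisions WHERE ID = $ID");
+$DB->prepared_query("DELETE FROM wiki_articles WHERE ID = $ID");
+$DB->prepared_query("DELETE FROM wiki_aliases WHERE ArticleID = $ID");
+$DB->prepared_query("DELETE FROM wiki_revisions WHERE ID = $ID");
 
 Wiki::flush_aliases();
 Wiki::flush_article($ID);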
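Review bot: The three DELETE statements at lines 32-34 run as independent queries with no transaction visible around them, so a failure on the second or third leaves the article row gone while its aliases or revisions remain, and `Wiki::flush_aliases()` then runs against inconsistent data. If the DB wrapper exposes transaction control, the three deletes belong in one transaction; otherwise a comment such as `// Not atomic: a failure mid-way can leave orphaned aliases/revisions` would at least record the risk. Whether `$ID` has been cast to int happens above this hunk and cannot be confirmed here.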

+ 2
- 2
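--- a/sections/wiki/delete_alias.php
+++ b/sections/wiki/delete_alias.php
@@ -5,12 +5,12 @@
 
 $ArticleID = Wiki::alias_to_id($_GET['alias']);
 
-$DB->query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
+$DB->prepared_query("SELECT MinClassEdit FROM wiki_articles WHERE ID = $ArticleID");
 list($MinClassEdit) = $DB->next_record();
 if ($MinClassEdit > $LoggedUser['EffectiveClass']) {
     error(403);
 }
 
-$DB->query("DELETE FROM wiki_aliases WHERE Alias='".Wiki::normalize_alias($_GET['alias'])."'");
+$DB->prepared_query("DELETE FROM wiki_aliases WHERE Alias='".Wiki::normalize_alias($_GET['alias'])."'");
 Wiki::flush_article($ArticleID);
 Wiki::flush_aliases();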

+ 1
- 1
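--- a/sections/wiki/revisions.php
+++ b/sections/wiki/revisions.php
@@ -58,7 +58,7 @@
       </tr>
 
       <?php
-$DB->query("
+$DB->prepared_query("
   SELECT
     Revision,
     Title,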

+ 1
- 1
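--- a/sections/wiki/search.php
+++ b/sections/wiki/search.php
@@ -154,7 +154,7 @@
 
         <tr>
           <td colspan="4" class="center">
-            <input type="submit" value="Search" />
+            <input type="submit" class="button-primary" value="Search" />
           </td>
         </tr>
       </table>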

+ 3
- 3
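--- a/sections/wiki/takecreate.php
+++ b/sections/wiki/takecreate.php
@@ -14,7 +14,7 @@
 $Err = $Val->ValidateForm($_POST);
 
 if (!$Err) {
-    $DB->query("
+    $DB->prepared_query("
       SELECT ID
       FROM wiki_articles
       WHERE Title = '$P[title]'");
@@ -53,7 +53,7 @@
     $Edit = 100;
 }
 
-$DB->query("
+$DB->prepared_query("
   INSERT INTO wiki_articles
     (Revision, Title, Body, MinClassRead, MinClassEdit, Date, Author)
   VALUES
@@ -64,7 +64,7 @@
 $Dupe = Wiki::alias_to_id($_POST['title']);
 
 if ($TitleAlias !== '' && $Dupe === false) {
-    $DB->query("
+    $DB->prepared_query("
       INSERT INTO wiki_aliases (Alias, ArticleID)
       VALUES ('".db_string($TitleAlias)."', '$ArticleID')");
     Wiki::flush_aliases();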

+ 2
- 2
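--- a/sections/wiki/takeedit.php
+++ b/sections/wiki/takeedit.php
@@ -55,7 +55,7 @@
 }
 
 // Store previous revision
-$DB->query("
+$DB->prepared_query("
   INSERT INTO wiki_revisions
     (ID, Revision, Title, Body, Date, Author)
   VALUES
@@ -80,6 +80,6 @@
     Author = '$LoggedUser[ID]'
   WHERE ID = '$P[id]'";
 
-$DB->query($SQL);
+$DB->prepared_query($SQL);
 Wiki::flush_article($ArticleID);
 header("Location: wiki.php?action=article&id=$ArticleID");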

+ 1
- 1
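--- a/sections/wiki/wiki_browse.php
+++ b/sections/wiki/wiki_browse.php
@@ -29,7 +29,7 @@
 }
 
 $sql .= " ORDER BY Title";
-$DB->query($sql);
+$DB->prepared_query($sql);
 ?>
 
 <div>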
