PDO Conversion

This commit is contained in:
lamclennan 2017-01-07 20:18:39 +10:00
parent 1aaa24280f
commit 7972a197ee
9 changed files with 218 additions and 221 deletions


@ -52,7 +52,7 @@ if(isset($input->action) && $input->action == "addDomain") {
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->execute();
$stmt = $db->prepare("SELECT id FROM domains WHERE name=:name AND type=:type LIMIT 1");
$stmt = $db->prepare("SELECT MAX(id) FROM domains WHERE name=:name AND type=:type");
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->execute();
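Review bot: The new `SELECT MAX(id) FROM domains WHERE name=:name AND type=:type` recovers the freshly inserted row by its content rather than by the insert itself, so a concurrent request adding the same name/type can be handed this request's id (or vice versa), and a duplicate row yields only the higher of the two. PDO tracks the insert id per connection; drop the second statement and read `$newId = $db->lastInsertId();` immediately after the INSERT's `execute()`. The enclosing addDomain branch starts before this hunk, so the variable the result is eventually read into is not visible here.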


@ -39,9 +39,9 @@ if(isset($input->action) && $input->action == "getDomains") {
SELECT COUNT(*) AS anzahl
FROM domains D
LEFT OUTER JOIN permissions P ON D.id = P.domain
WHERE (P.user=? OR ?) AND
(D.name LIKE ? OR ?) AND
(D.type=? OR ?)
WHERE (P.user=:user1 OR :user2) AND
(D.name LIKE :name1 OR name2) AND
(D.type=:type1 OR :type2)
";
$stmt = $db->prepare($sql);
@ -65,23 +65,20 @@ if(isset($input->action) && $input->action == "getDomains") {
$type_filter_used = 1;
}
$stmt->bind_param("sisiii",
$id_filter, $id_filter_used,
$name_filter, $name_filter_used,
$type_filter, $type_filter_used
);
$stmt->bindValue(':user1', $id_filter, PDO::PARAM_STR);
$stmt->bindValue(':user2', $id_filter_used, PDO::PARAM_INT);
$stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR);
$stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT);
$stmt->bindValue(':type1', $type_filter, PDO::PARAM_INT);
$stmt->bindValue(':type2', $type_filter_used, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->get_result();
// This is the object containing the number of rows
$obj = $result->fetch_object();
$result = $stmt->fetchColumn();
// Initialize the return value
$retval = Array();
$retval['pages']['current'] = $input->page;
$retval['pages']['total'] = ceil($obj->anzahl / $config['domain_rows']);
$retval['pages']['total'] = ceil($result / $config['domain_rows']);
// Now the real search is done on the database
@ -90,11 +87,11 @@ if(isset($input->action) && $input->action == "getDomains") {
FROM domains D
LEFT OUTER JOIN records R ON D.id = R.domain_id
LEFT OUTER JOIN permissions P ON D.id = P.domain
WHERE (P.user=? OR ?)
WHERE (P.user=:user1 OR :user2)
GROUP BY D.id, D.name, D.type
HAVING
(D.name LIKE ? OR ?) AND
(D.type=? OR ?)
(D.name LIKE :name1 OR :name2) AND
(D.type=:type1 OR :type2)
";
if(isset($input->sort->field) && $input->sort->field != "") {
@ -148,16 +145,15 @@ if(isset($input->action) && $input->action == "getDomains") {
$type_filter_used = 1;
}
$stmt->bind_param("sisiii",
$id_filter, $id_filter_used,
$name_filter, $name_filter_used,
$type_filter, $type_filter_used
);
$stmt->bindValue(':user1', $id_filter, PDO::PARAM_STR);
$stmt->bindValue(':user2', $id_filter_used, PDO::PARAM_INT);
$stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR);
$stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT);
$stmt->bindValue(':type1', $type_filter, PDO::PARAM_INT);
$stmt->bindValue(':type2', $type_filter_used, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->get_result();
while($obj = $result->fetch_object()) {
while($obj = $stmt->fetchObject()) {
$retval['data'][] = $obj;
}
}
@ -165,27 +161,23 @@ if(isset($input->action) && $input->action == "getDomains") {
if(isset($input->action) && $input->action == "deleteDomain") {
$domainId = $input->id;
$db->autocommit(false);
$db->beginTransaction();
$stmt = $db->prepare("DELETE FROM permissions WHERE domain=?");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("DELETE FROM permissions WHERE domain=:domain_id");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("DELETE FROM remote WHERE record IN (SELECT id FROM records WHERE domain_id=?)");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("DELETE FROM remote WHERE record IN (SELECT id FROM records WHERE domain_id=:domain_id)");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("DELETE FROM records WHERE domain_id=?");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("DELETE FROM records WHERE domain_id=:domain_id");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("DELETE FROM domains WHERE id=?");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("DELETE FROM domains WHERE id=:domain_id");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$db->commit();
}
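Review bot: The count query in the first hunk has a typo in its new WHERE clause: `(D.name LIKE :name1 OR name2)` lacks the colon, so `name2` is parsed as a column reference instead of a placeholder, and the later `bindValue(':name2', ...)` has nothing to bind to (PDO fails with an invalid parameter number, or MySQL with an unknown column). The line should read `(D.name LIKE :name1 OR :name2) AND`, as the list query further down already does. Since this query drives the page count for every getDomains call, the whole domain listing breaks until it is fixed.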


@ -31,12 +31,11 @@ if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
//Permission check
if(isset($input->domain)) {
$permquery = $db->prepare("SELECT * FROM permissions WHERE user=? AND domain=?");
$permquery->bind_param("ii", $_SESSION['id'], $input->domain);
$permquery = $db->prepare("SELECT COUNT(*) FROM permissions WHERE user=:user AND domain=:domain");
$permquery->bindValue(':user', $_SESSION['id'], PDO::PARAM_INT);
$permquery->bindValue(':domain', $input->domain, PDO::PARAM_INT);
$permquery->execute();
$permquery->store_result();
if($permquery->num_rows() < 1 && $_SESSION['type'] != "admin") {
if($permquery->fetchColumn() < 1 && $_SESSION['type'] != "admin") {
echo "Permission denied!";
exit();
}
@ -53,9 +52,9 @@ if(isset($input->action) && $input->action == "getRecords") {
SELECT id,name,type,content,ttl,prio AS priority
FROM records
WHERE
(name LIKE ? OR ?) AND
(content LIKE ? OR ?) AND
(domain_id = ?) AND
(name LIKE :name1 OR :name2) AND
(content LIKE :content1 OR :content2) AND
(domain_id = :domain_id) AND
(type != 'SOA')
";
@ -114,18 +113,16 @@ if(isset($input->action) && $input->action == "getRecords") {
$domainId = (int)$input->domain;
$stmt->bind_param("sisii",
$name_filter, $name_filter_used,
$content_filter, $content_filter_used,
$domainId
);
$stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR);
$stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT);
$stmt->bindValue(':content1', $content_filter, PDO::PARAM_STR);
$stmt->bindValue(':content2', $content_filter_used, PDO::PARAM_INT);
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->get_result();
$retval = Array();
while($obj = $result->fetch_object()) {
while($obj = $stmt->fetchObject()) {
$retval[] = $obj;
}
@ -135,12 +132,11 @@ if(isset($input->action) && $input->action == "getRecords") {
if(isset($input->action) && $input->action == "getSoa") {
$domainId = (int)$input->domain;
$stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=?");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=:domain_id LIMIT 1");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($content);
$stmt->fetch();
$content = $stmt->fetchColumn();
$content = explode(" ", $content);
@ -157,16 +153,15 @@ if(isset($input->action) && $input->action == "getSoa") {
}
//Action for getting SOA
//Action for getting SOA Serial
if(isset($input->action) && $input->action == "getSerial") {
$domainId = (int)$input->domain;
$stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=?");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=:domain_id LIMIT 1");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($content);
$stmt->fetch();
$content = $stmt->fetchColumn();
$content = explode(" ", $content);
@ -179,15 +174,12 @@ if(isset($input->action) && $input->action == "getSerial") {
if(isset($input->action) && $input->action == "saveSoa") {
$domainId = (int)$input->domain;
$db->autocommit(false);
$db->begin_transaction();
$db->beginTransaction();
$stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=?");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=:domain_id");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($content);
$stmt->fetch();
$stmt->close();
$content = $stmt->fetchColumn();;
$content = explode(" ", $content);
$serial = $content[2];
@ -200,8 +192,10 @@ if(isset($input->action) && $input->action == "saveSoa") {
$newsoa .= $input->expire . " ";
$newsoa .= $input->ttl;
$stmt = $db->prepare("UPDATE records SET content=?,ttl=? WHERE type='SOA' AND domain_id=?");
$stmt->bind_param("sii", $newsoa, $input->ttl, $domainId);
$stmt = $db->prepare("UPDATE records SET content=:content,ttl=:ttl WHERE type='SOA' AND domain_id=:domain_id");
$stmt->bindValue(':content', $newsoa, PDO::PARAM_STR);
$stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT);
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$db->commit();
@ -215,13 +209,14 @@ if(isset($input->action) && $input->action == "saveSoa") {
if(isset($input->action) && $input->action == "saveRecord") {
$domainId = $input->domain;
$stmt = $db->prepare("UPDATE records SET name=?,type=?,content=?,ttl=?,prio=? WHERE id=? AND domain_id=?");
$stmt->bind_param("sssiiii",
$input->name, $input->type,
$input->content, $input->ttl,
$input->prio,
$input->id, $domainId
);
$stmt = $db->prepare("UPDATE records SET name=:name,type=:type,content=:content,ttl=:ttl,prio=:prio WHERE id=:id AND domain_id=:domain_id");
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->bindValue(':content', $input->content, PDO::PARAM_STR);
$stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT);
$stmt->bindValue(':prio', $input->prio, PDO::PARAM_INT);
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
update_serial($db, $domainId);
}
@ -229,22 +224,29 @@ if(isset($input->action) && $input->action == "saveRecord") {
//Action for adding Record
if(isset($input->action) && $input->action == "addRecord") {
$domainId = $input->domain;
$stmt = $db->prepare("INSERT INTO records (domain_id, name, type, content, prio, ttl) VALUES (?,?,?,?,?,?)");
$stmt->bind_param("isssii",
$domainId, $input->name,
$input->type, $input->content,
$input->prio, $input->ttl
);
$db->beginTransaction();
$stmt = $db->prepare("INSERT INTO records (domain_id, name, type, content, prio, ttl) VALUES (:domain_id,:name,:type,:content,:prio,:ttl)");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->bindValue(':content', $input->content, PDO::PARAM_STR);
$stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT);
$stmt->bindValue(':prio', $input->prio, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("SELECT LAST_INSERT_ID()");
$stmt = $db->prepare("SELECT MAX(id) FROM records WHERE domain_id=:domain_id AND name=:name AND type=:type AND content=:content AND prio=:prio AND ttl=:ttl");
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->bindValue(':content', $input->content, PDO::PARAM_STR);
$stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT);
$stmt->bindValue(':prio', $input->prio, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($newId);
$stmt->fetch();
$stmt->close();
$newId = $stmt->fetchColumn();
$db->commit();
$retval = Array();
$retval['newId'] = $newId;
@ -256,10 +258,10 @@ if(isset($input->action) && $input->action == "removeRecord") {
$domainId = $input->domain;
$recordId = $input->id;
$stmt = $db->prepare("DELETE FROM records WHERE id=? AND domain_id=?");
$stmt->bind_param("ii", $recordId, $domainId);
$stmt = $db->prepare("DELETE FROM records WHERE id=:id AND domain_id=:domain_id");
$stmt->bindValue(':id', $recordId, PDO::PARAM_INT);
$stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
update_serial($db, $domainId);
}
@ -268,12 +270,10 @@ if(isset($input->action) && $input->action == "removeRecord") {
if(isset($input->action) && $input->action == "getDomainName") {
$domainId = $input->domain;
$stmt = $db->prepare("SELECT name FROM domains WHERE id=?");
$stmt->bind_param("i", $domainId);
$stmt = $db->prepare("SELECT name FROM domains WHERE id=:id LIMIT 1");
$stmt->bindValue(':id', $domainId, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($domainName);
$stmt->fetch();
$stmt->close();
$domainName = $stmt->fetchColumn();
$retval = Array();
$retval['name'] = $domainName;
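Review bot: In the addRecord hunk the id of the new row is recovered with `SELECT MAX(id) FROM records WHERE domain_id=:domain_id AND name=:name AND type=:type AND content=:content AND prio=:prio AND ttl=:ttl`, which matches by content rather than by the insert: two identical records (nothing visible forbids them) resolve to the same id, and if `$input->prio` or `$input->ttl` is absent the NULL bound with `PDO::PARAM_INT` makes the equality never match, so `fetchColumn()` returns false and `newId` goes back empty. PDO already tracks the insert id on the connection; replace the second statement with `$newId = $db->lastInsertId();` directly after the INSERT's `execute()`. The `beginTransaction()`/`commit()` pair added around the two statements then no longer serves a purpose here, though it is harmless to keep. The same content-based lookup appears in addDomain and addUser in this commit.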


@ -29,12 +29,11 @@ if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
//Permission check
if(isset($input->record)) {
$permquery = $db->prepare("SELECT * FROM records JOIN permissions ON records.domain_id=permissions.domain WHERE user=? AND records.id=?");
$permquery->bind_param("ii", $_SESSION['id'], $input->record);
$permquery = $db->prepare("SELECT COUNT(*) FROM records JOIN permissions ON records.domain_id=permissions.domain WHERE user=:user AND records.id=:id");
$permquery->bindValue(':user', $_SESSION['id'], PDO::PARAM_INT);
$permquery->bindValue(':id', $input->record, PDO::PARAM_INT);
$permquery->execute();
$permquery->store_result();
if($permquery->num_rows() < 1 && $_SESSION['type'] != "admin") {
if($permquery->fetchColumn() < 1 && $_SESSION['type'] != "admin") {
echo "Permission denied!";
exit();
}
@ -46,17 +45,15 @@ if(isset($input->record)) {
//Action for getting permission
if(isset($input->action) && $input->action == "getPermissions") {
$sql = "SELECT id, description, type FROM remote WHERE record=?";
$sql = "SELECT id, description, type FROM remote WHERE record=:record";
$stmt = $db->prepare($sql);
$stmt->bind_param("i",$input->record);
$stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->get_result();
$retval = Array();
while($obj = $result->fetch_object()) {
while($obj = $stmt->fetchObject()) {
$retval[] = $obj;
}
@ -66,19 +63,23 @@ if(isset($input->action) && $input->action == "getPermissions") {
if(isset($input->action) && $input->action == "addPassword") {
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
$sql = "INSERT INTO remote(record,description,type,security) VALUES (?,?,'password',?)";
$sql = "INSERT INTO remote(record,description,type,security) VALUES (:record,:description,'password',:security)";
$stmt = $db->prepare($sql);
$stmt->bind_param("iss",$input->record, $input->description, $passwordHash);
$stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
$stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
$stmt->bindValue(':security', $passwordHash, PDO::PARAM_STR);
$stmt->execute();
}
//Action for adding key
if(isset($input->action) && $input->action == "addKey") {
$sql = "INSERT INTO remote(record,description,type,security) VALUES (?,?,'key',?)";
$sql = "INSERT INTO remote(record,description,type,security) VALUES (:record,:description,'key',:security)";
$stmt = $db->prepare($sql);
$stmt->bind_param("iss",$input->record, $input->description, $input->key);
$stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
$stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
$stmt->bindValue(':security', $input->key, PDO::PARAM_STR);
$stmt->execute();
}
@ -86,36 +87,39 @@ if(isset($input->action) && $input->action == "addKey") {
if(isset($input->action) && $input->action == "changePassword") {
if(isset($input->password)) {
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
$sql = "UPDATE remote SET description=?,security=? WHERE id=?";
$sql = "UPDATE remote SET description=:description,security=:security WHERE id=:id";
$stmt = $db->prepare($sql);
$stmt->bind_param("ssi",$input->description, $passwordHash, $input->permission);
$stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
$stmt->bindValue(':security', $passwordHash, PDO::PARAM_STR);
$stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
$stmt->execute();
} else {
$sql = "UPDATE remote SET description=? WHERE id=?";
$sql = "UPDATE remote SET description=:description WHERE id=:id";
$stmt = $db->prepare($sql);
$stmt->bind_param("ssi",$input->description, $input->permission);
$stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
$stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
$stmt->execute();
}
}
//Action for updating key
if(isset($input->action) && $input->action == "changeKey") {
$sql = "UPDATE remote SET description=?,security=? WHERE id=?";
$sql = "UPDATE remote SET description=:description,security=:security WHERE id=:id";
$stmt = $db->prepare($sql);
$stmt->bind_param("ssi",$input->description, $input->key, $input->permission);
$stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
$stmt->bindValue(':security', $input->key, PDO::PARAM_STR);
$stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
$stmt->execute();
}
//Action for getting key
if(isset($input->action) && $input->action == "getKey") {
$sql = "SELECT security FROM remote WHERE id=? AND type='key'";
$sql = "SELECT security FROM remote WHERE id=:id AND type='key' LIMIT 1";
$stmt = $db->prepare($sql);
$stmt->bind_param("i",$input->permission);
$stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($key);
$stmt->fetch();
$key = $stmt->fetchColumn();
$retval = Array();
$retval['key'] = $key;
@ -123,10 +127,10 @@ if(isset($input->action) && $input->action == "getKey") {
//Action for deleting permission
if(isset($input->action) && $input->action == "deletePermission") {
$sql = "DELETE FROM remote WHERE id=?";
$sql = "DELETE FROM remote WHERE id=:id";
$stmt = $db->prepare($sql);
$stmt->bind_param("i",$input->permission);
$stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
$stmt->execute();
}
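Review bot: The changePassword, changeKey, getKey and deletePermission statements in this section filter `remote` only by `id=:id` bound from `$input->permission`, while the permission check at the top of the file is keyed on `$input->record`; nothing visible ties the two together, so unless a check outside these hunks does, a user authorised for one record can read, rewrite or delete a credential that belongs to any other record simply by supplying its id. Scope each of those statements to the checked record, e.g. `UPDATE remote SET description=:description,security=:security WHERE id=:id AND record=:record` with `$stmt->bindValue(':record', $input->record, PDO::PARAM_INT);`, and the same `AND record=:record` on the SELECT and DELETE. This predates the PDO conversion, but the rewritten lines are the natural place to close it.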


@ -35,18 +35,21 @@ if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
if(isset($input->action) && $input->action == "addUser") {
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
$db->autocommit(false);
$db->beginTransaction();
$stmt = $db->prepare("INSERT INTO user(name,password,type) VALUES (?,?,?)");
$stmt->bind_param("sss", $input->name, $passwordHash, $input->type);
$stmt = $db->prepare("INSERT INTO user(name,password,type) VALUES (:name,:password,:type)");
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("SELECT LAST_INSERT_ID()");
$stmt = $db->prepare("SELECT MAX(id) FROM user WHERE name=:name AND password=:password AND type=:type");
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->execute();
$stmt->bind_result($newUserId);
$stmt->fetch();
$stmt->close();
$newUserId = $stmt->fetchColumn();
$db->commit();
@ -55,12 +58,12 @@ if(isset($input->action) && $input->action == "addUser") {
}
if(isset($input->action) && $input->action == "getUserData") {
$stmt = $db->prepare("SELECT name,type FROM user WHERE id=?");
$stmt->bind_param("i", $input->id);
$stmt = $db->prepare("SELECT name,type FROM user WHERE id=:id LIMIT 1");
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($userName, $userType);
$stmt->fetch();
$stmt->close();
$stmt->bindColumn('name', $userName);
$stmt->bindColumn('type', $userType);
$stmt->fetch(PDO::FETCH_BOUND);
$retval = Array();
$retval['name'] = $userName;
@ -70,15 +73,18 @@ if(isset($input->action) && $input->action == "getUserData") {
if(isset($input->action) && $input->action == "saveUserChanges") {
if(isset($input->password)) {
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
$stmt = $db->prepare("UPDATE user SET name=?,password=?,type=? WHERE id=?");
$stmt->bind_param("sssi", $input->name, $passwordHash, $input->type, $input->id);
$stmt = $db->prepare("UPDATE user SET name=:name,password=:password,type=:type WHERE id=:id");
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
} else {
$stmt = $db->prepare("UPDATE user SET name=?,type=? WHERE id=?");
$stmt->bind_param("ssi", $input->name, $input->type, $input->id);
$stmt = $db->prepare("UPDATE user SET name=:name,type=:type WHERE id=:id");
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
}
}
@ -88,50 +94,50 @@ if(isset($input->action) && $input->action == "getPermissions") {
SELECT D.id,D.name
FROM permissions P
JOIN domains D ON P.domain=D.id
WHERE P.user=?
WHERE P.user=:user
");
$stmt->bind_param("i", $input->id);
$stmt->bindValue(':user', $input->id, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->get_result();
$retval = Array();
while($obj = $result->fetch_object()) {
while($obj = $stmt->fetchObject()) {
$retval[] = $obj;
}
}
if(isset($input->action) && $input->action == "removePermission") {
$stmt = $db->prepare("DELETE FROM permissions WHERE user=? AND domain=?");
$stmt = $db->prepare("DELETE FROM permissions WHERE user=:user AND domain=:domain");
$stmt->bind_param("ii", $input->userId, $input->domainId);
$stmt->bindValue(':user', $input->userId, PDO::PARAM_INT);
$stmt->bindValue(':domain', $input->domainId, PDO::PARAM_INT);
$stmt->execute();
}
if(isset($input->action) && $input->action == "searchDomains" && isset($input->term)) {
$stmt = $db->prepare("SELECT id,name AS text FROM domains WHERE name LIKE ? AND id NOT IN(SELECT domain FROM permissions WHERE user=?)");
$stmt = $db->prepare("SELECT id,name AS text FROM domains WHERE name LIKE :name AND id NOT IN(SELECT domain FROM permissions WHERE user=:user)");
$searchTerm = "%" . $input->term . "%";
$stmt->bind_param("si", $searchTerm, $input->userId);
$stmt->execute();
$result = $stmt->get_result();
$stmt->bindValue(':name', $searchTerm, PDO::PARAM_STR);
$stmt->bindValue(':user', $input->userId, PDO::PARAM_INT);
$stmt->execute();
$retval = Array();
while($obj = $result->fetch_object()) {
while($obj = $stmt->fetchObject()) {
$retval[] = $obj;
}
}
if(isset($input->action) && $input->action == "addPermissions") {
$stmt = $db->prepare("INSERT INTO permissions(user,domain) VALUES (?,?)");
$stmt = $db->prepare("INSERT INTO permissions(user,domain) VALUES (:user,:domain)");
foreach($input->domains as $domain) {
$stmt->bind_param("ii", $input->userId, $domain);
$stmt->bindValue(':user', $input->userId, PDO::PARAM_INT);
$stmt->bindValue(':domain', $domain, PDO::PARAM_INT);
$stmt->execute();
}
}
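Review bot: addUser replaces `SELECT LAST_INSERT_ID()` with `SELECT MAX(id) FROM user WHERE name=:name AND password=:password AND type=:type`, which identifies the new account by its content; two concurrent additions of the same name resolve to the same (highest) id, and the lookup only works at all because `$passwordHash` is reused verbatim in both statements. Use the connection-scoped id PDO already provides, `$newUserId = $db->lastInsertId();` right after the INSERT's `execute()`, and drop the second statement. The transaction around the pair is then no longer needed for this purpose, though keeping it does no harm.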


@ -21,12 +21,13 @@ require_once '../lib/database.php';
$input = json_decode(file_get_contents('php://input'));
$sql = $db->prepare("SELECT id,password,type FROM user WHERE name=?");
$sql->bind_param("s", $input->user);
$sql = $db->prepare("SELECT id,password,type FROM user WHERE name=:name LIMIT 1");
$stmt->bindValue(':name', $input->user, PDO::PARAM_STR);
$sql->execute();
$sql->bind_result($id, $password, $type);
$sql->fetch();
$stmt->bindColumn('id', $id);
$stmt->bindColumn('password', $password);
$stmt->bindColumn('type', $type);
$stmt->fetch(PDO::FETCH_BOUND);
if (password_verify($input->password, $password)) {
$retval['status'] = "success";
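Review bot: The login query is prepared into `$sql`, but every following call except `execute()` is made on `$stmt` — `$stmt->bindValue(':name', ...)`, the three `$stmt->bindColumn(...)` calls and `$stmt->fetch(PDO::FETCH_BOUND)` — and `$stmt` is never assigned in this hunk, so unless it is set earlier in the file (nothing visible suggests so) the first `bindValue` is a method call on null and the request dies; even if it were defined, `$sql->execute()` would run with `:name` unbound. Use one variable throughout: `$stmt = $db->prepare("SELECT id,password,type FROM user WHERE name=:name LIMIT 1");` and `$stmt->execute();`. With `$password` unset, `password_verify($input->password, $password)` fails closed, but the login endpoint is unusable as written. It would also be worth checking the return value of `fetch()` so a non-existent user is handled explicitly rather than by verifying against an undefined hash.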


@ -30,10 +30,10 @@ if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
if(isset($input->action) && $input->action == "changePassword") {
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
$stmt = $db->prepare("UPDATE user SET password=? WHERE id=?");
$stmt->bind_param("si", $passwordHash, $_SESSION['id']);
$stmt = $db->prepare("UPDATE user SET password=:password WHERE id=:id");
$stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR);
$stmt->bindValue(':id', $_SESSION['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
}
if(isset($retval)) {


@ -27,12 +27,12 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") {
$input_password = filter_input(INPUT_GET, "password");
$input_content = filter_input(INPUT_GET, "content");
$stmt = $db->prepare("SELECT security,record FROM remote WHERE type='password' AND id=?");
$stmt->bind_param("i", $input_id);
$stmt = $db->prepare("SELECT security,record FROM remote WHERE type='password' AND id=:id LIMIT 1");
$stmt->bindValue(':id', $input_id, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($passwordHash, $record);
$stmt->fetch();
$stmt->close();
$stmt->bindColumn('security', $passwordHash);
$stmt->bindColumn('record', $record);
$stmt->fetch(PDO::FETCH_BOUND);
if(!password_verify($input_password, $passwordHash)) {
$return['status'] = "error";
@ -41,17 +41,16 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") {
exit();
}
$stmt = $db->prepare("UPDATE records SET content=? WHERE name=? AND id=?");
$stmt->bind_param("ssi", $input_content, $input_domain, $record);
$stmt = $db->prepare("UPDATE records SET content=:content WHERE name=:name AND id=:id");
$stmt->bindValue(':content', $input_content, PDO::PARAM_STR);
$stmt->bindValue(':name', $input_domain, PDO::PARAM_STR);
$stmt->bindValue(':id', $record, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("SELECT domain_id FROM records WHERE id=?");
$stmt->bind_param("i",$record);
$stmt = $db->prepare("SELECT domain_id FROM records WHERE id=:id LIMIT 1");
$stmt->bindValue(':id', $record, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($domain_id);
$stmt->fetch();
$stmt->close();
$domain_id = $stmt->fetchColumn();
update_serial($db, $domain_id);
@ -74,12 +73,12 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") {
$input = json_decode(file_get_contents('php://input'));
if(isset($input->domain) && isset($input->id) && isset($input->content)) {
$stmt = $db->prepare("SELECT E.name,E.id FROM remote R JOIN records E ON R.record = E.id WHERE R.id=?");
$stmt->bind_param("i", $input->id);
$stmt = $db->prepare("SELECT E.name,E.id FROM remote R JOIN records E ON R.record = E.id WHERE R.id=:id LIMIT 1");
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($domainName, $record);
$stmt->fetch();
$stmt->close();
$stmt->bindColumn('E.name', $domainName);
$stmt->bindColumn('E.id', $record);
$stmt->fetch(PDO::FETCH_BOUND);
if($domainName != $input->domain) {
$return['status'] = "error";
@ -92,21 +91,21 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") {
$newNonce = base64_encode(openssl_random_pseudo_bytes(32));
$dbNonce = $newNonce . ":" . time();
$stmt = $db->prepare("UPDATE remote SET nonce=? WHERE id=?");
$stmt->bind_param("si", $dbNonce, $input->id);
$stmt = $db->prepare("UPDATE remote SET nonce=:nonce WHERE id=:id");
$stmt->bindValue(':nonce', $dbNonce, PDO::PARAM_STR);
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$return['nonce'] = $newNonce;
echo json_encode($return);
exit();
} else if(isset($_GET['editRecord'])) {
$stmt = $db->prepare("SELECT security,nonce FROM remote WHERE id=?");
$stmt->bind_param("i", $input->id);
$stmt = $db->prepare("SELECT security,nonce FROM remote WHERE id=:id LIMIT 1");
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($pubkey, $dbNonce);
$stmt->fetch();
$stmt->close();
$stmt->bindColumn('security', $pubkey);
$stmt->bindColumn('nonce', $dbNonce);
$stmt->fetch(PDO::FETCH_BOUND);
$nonce = explode(":", $dbNonce);
@ -127,17 +126,16 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") {
exit();
}
$stmt = $db->prepare("UPDATE records SET content=? WHERE name=? AND id=?");
$stmt->bind_param("ssi", $input->content, $input->domain, $record);
$stmt = $db->prepare("UPDATE records SET content=:content WHERE name=:name AND id=:id");
$stmt->bindValue(':content', $input->content, PDO::PARAM_STR);
$stmt->bindValue(':name', $input->domain, PDO::PARAM_STR);
$stmt->bindValue(':id', $record, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("SELECT domain_id FROM records WHERE id=?");
$stmt->bind_param("i",$record);
$stmt = $db->prepare("SELECT domain_id FROM records WHERE id=:id LIMIT 1");
$stmt->bindValue(':id', $record, PDO::PARAM_INT);
$stmt->execute();
$stmt->bind_result($domain_id);
$stmt->fetch();
$stmt->close();
$domain_id = $stmt->fetchColumn();
update_serial($db, $domain_id);
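Review bot: In the nonce-request hunk, `$stmt->bindColumn('E.name', $domainName)` and `$stmt->bindColumn('E.id', $record)` use the table-qualified names, but MySQL reports a column selected as `E.name` under the bare name `name` (the qualifier is separate metadata), so PDO's name lookup rejects both bindings, `$domainName` stays unset and the `$domainName != $input->domain` check refuses every request — the flow fails closed but never succeeds. Either alias the columns explicitly, `SELECT E.name AS name, E.id AS id FROM remote R JOIN records E ...`, and bind `'name'`/`'id'`, or bind by 1-based position with `$stmt->bindColumn(1, $domainName);` and `$stmt->bindColumn(2, $record);`. The other `fetch(PDO::FETCH_BOUND)` sites in this file likewise leave their variables untouched when no row matches; testing the return value of `fetch()` before using them would make that case explicit instead of relying on `password_verify` against an unset hash.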


@ -38,8 +38,8 @@ if(isset($input->action) && $input->action == "getUsers") {
SELECT id,name,type
FROM user
WHERE
(name LIKE ? OR ?) AND
(type=? OR ?)
(name LIKE :name1 OR :name2) AND
(type=:type1 OR :type2)
";
if(isset($input->sort->field) && $input->sort->field != "") {
@ -78,17 +78,15 @@ if(isset($input->action) && $input->action == "getUsers") {
$type_filter_used = 1;
}
$stmt->bind_param("sisi",
$name_filter, $name_filter_used,
$type_filter, $type_filter_used
);
$stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR);
$stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT);
$stmt->bindValue(':type1', $type_filter, PDO::PARAM_INT);
$stmt->bindValue(':type2', $type_filter_used, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->get_result();
$retval = Array();
while($obj = $result->fetch_object()) {
while($obj = $stmt->fetchObject()) {
$retval[] = $obj;
}
}
@ -96,17 +94,15 @@ if(isset($input->action) && $input->action == "getUsers") {
if(isset($input->action) && $input->action == "deleteUser") {
$userId = $input->id;
$db->autocommit(false);
$db->beginTransaction();
$stmt = $db->prepare("DELETE FROM permissions WHERE user=?");
$stmt->bind_param("i", $userId);
$stmt = $db->prepare("DELETE FROM permissions WHERE user=:userid");
$stmt->bindValue(':userid', $userId, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$stmt = $db->prepare("DELETE FROM user WHERE id=?");
$stmt->bind_param("i", $userId);
$stmt = $db->prepare("DELETE FROM user WHERE id=:id");
$stmt->bindValue(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$stmt->close();
$db->commit();
}
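Review bot: In the getUsers binding hunk, `$stmt->bindValue(':type1', $type_filter, PDO::PARAM_INT)` declares the user-type filter as an integer, although the removed `bind_param("sisi", ...)` typed it as a string and `type` is compared against `"admin"` elsewhere in this commit. Whether the filter still works then depends on the driver quoting a non-numeric value despite the declared type; declare it as what it is, `$stmt->bindValue(':type1', $type_filter, PDO::PARAM_STR);`. The `:type2` flag and the other `_used` switches are genuinely integers and are fine as bound.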