From 7972a197ee5d50f3c2b8271a8c6a785d5fe8b01b Mon Sep 17 00:00:00 2001 From: lamclennan Date: Sat, 7 Jan 2017 20:18:39 +1000 Subject: [PATCH] PDO Conversion --- api/add-domain.php | 2 +- api/domains.php | 68 +++++++++++------------- api/edit-master.php | 126 ++++++++++++++++++++++---------------------- api/edit-remote.php | 60 +++++++++++---------- api/edit-user.php | 72 +++++++++++++------------ api/index.php | 11 ++-- api/password.php | 6 +-- api/remote.php | 66 +++++++++++------------ api/users.php | 28 +++++----- 9 files changed, 218 insertions(+), 221 deletions(-) diff --git a/api/add-domain.php b/api/add-domain.php index 2818d8f..6254d82 100644 --- a/api/add-domain.php +++ b/api/add-domain.php @@ -52,7 +52,7 @@ if(isset($input->action) && $input->action == "addDomain") { $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); $stmt->execute(); - $stmt = $db->prepare("SELECT id FROM domains WHERE name=:name AND type=:type LIMIT 1"); + $stmt = $db->prepare("SELECT MAX(id) FROM domains WHERE name=:name AND type=:type"); $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); $stmt->execute(); diff --git a/api/domains.php b/api/domains.php index fc02d87..26943be 100644 --- a/api/domains.php +++ b/api/domains.php @@ -39,9 +39,9 @@ if(isset($input->action) && $input->action == "getDomains") { SELECT COUNT(*) AS anzahl FROM domains D LEFT OUTER JOIN permissions P ON D.id = P.domain - WHERE (P.user=? OR ?) AND - (D.name LIKE ? OR ?) AND - (D.type=? OR ?) + WHERE (P.user=:user1 OR :user2) AND + (D.name LIKE :name1 OR name2) AND + (D.type=:type1 OR :type2) "; $stmt = $db->prepare($sql); 
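Review bot: The new `SELECT MAX(id) FROM domains WHERE name=:name AND type=:type` is a racy substitute for the id PDO already reports: under concurrent inserts of the same name/type it can return another request's row, and it costs a second round-trip. PDO exposes the auto-increment value of the last INSERT on this connection, so the whole lookup statement (prepare, two bindValue calls, execute, fetch) collapses to `$newId = $db->lastInsertId();` — the enclosing block continues past the hunk, so the variable the result is actually read into is not visible here. The same MAX(id) lookup is introduced in edit-master.php addRecord and in edit-user.php addUser, where it additionally compares the freshly generated password hash; the same replacement applies there.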
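Review bot: `:name2` lost its colon in the rewritten count query of domains.php — `(D.name LIKE :name1 OR name2)` — so the database sees `name2` as a column reference and the prepare (or, with emulation, the execute) fails, and `bindValue(':name2', …)` in the next hunk refers to a placeholder that does not exist. Change the line to `(D.name LIKE :name1 OR :name2) AND`. The `HAVING` clause of the second query in this file spells it correctly.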
@@ -65,23 +65,20 @@ if(isset($input->action) && $input->action == "getDomains") { $type_filter_used = 1; } - $stmt->bind_param("sisiii", - $id_filter, $id_filter_used, - $name_filter, $name_filter_used, - $type_filter, $type_filter_used - ); + $stmt->bindValue(':user1', $id_filter, PDO::PARAM_STR); + $stmt->bindValue(':user2', $id_filter_used, PDO::PARAM_INT); + $stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR); + $stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT); + $stmt->bindValue(':type1', $type_filter, PDO::PARAM_INT); + $stmt->bindValue(':type2', $type_filter_used, PDO::PARAM_INT); $stmt->execute(); - - $result = $stmt->get_result(); - - // This is the object containing the number of rows - $obj = $result->fetch_object(); + $result = $stmt->fetchColumn(); // Initialize the return value $retval = Array(); $retval['pages']['current'] = $input->page; - $retval['pages']['total'] = ceil($obj->anzahl / $config['domain_rows']); + $retval['pages']['total'] = ceil($result / $config['domain_rows']); // Now the real search is done on the database @@ -90,11 +87,11 @@ if(isset($input->action) && $input->action == "getDomains") { FROM domains D LEFT OUTER JOIN records R ON D.id = R.domain_id LEFT OUTER JOIN permissions P ON D.id = P.domain - WHERE (P.user=? OR ?) + WHERE (P.user=:user1 OR :user2) GROUP BY D.id, D.name, D.type HAVING - (D.name LIKE ? OR ?) AND - (D.type=? OR ?) + (D.name LIKE :name1 OR :name2) AND + (D.type=:type1 OR :type2) "; if(isset($input->sort->field) && $input->sort->field != "") { 
@@ -148,16 +145,15 @@ if(isset($input->action) && $input->action == "getDomains") { $type_filter_used = 1; } - $stmt->bind_param("sisiii", - $id_filter, $id_filter_used, - $name_filter, $name_filter_used, - $type_filter, $type_filter_used - ); + $stmt->bindValue(':user1', $id_filter, PDO::PARAM_STR); + $stmt->bindValue(':user2', $id_filter_used, PDO::PARAM_INT); + $stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR); + $stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT); + $stmt->bindValue(':type1', $type_filter, PDO::PARAM_INT); + $stmt->bindValue(':type2', $type_filter_used, PDO::PARAM_INT); $stmt->execute(); - $result = $stmt->get_result(); - - while($obj = $result->fetch_object()) { + while($obj = $stmt->fetchObject()) { $retval['data'][] = $obj; } } 
@@ -165,27 +161,23 @@ if(isset($input->action) && $input->action == "getDomains") { if(isset($input->action) && $input->action == "deleteDomain") { $domainId = $input->id; - $db->autocommit(false); + $db->beginTransaction(); - $stmt = $db->prepare("DELETE FROM permissions WHERE domain=?"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("DELETE FROM permissions WHERE domain=:domain_id"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); - $stmt = $db->prepare("DELETE FROM remote WHERE record IN (SELECT id FROM records WHERE domain_id=?)"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("DELETE FROM remote WHERE record IN (SELECT id FROM records WHERE domain_id=:domain_id)"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); - $stmt = $db->prepare("DELETE FROM records WHERE domain_id=?"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("DELETE FROM records WHERE domain_id=:domain_id"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); - $stmt = $db->prepare("DELETE FROM domains WHERE id=?"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("DELETE FROM domains WHERE id=:domain_id"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); $db->commit(); } diff --git a/api/edit-master.php b/api/edit-master.php index 0a3b7f8..adb5e82 100644 --- a/api/edit-master.php +++ b/api/edit-master.php 
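Review bot: `$db->beginTransaction()` is paired with `$db->commit()` but nothing ever rolls back: lib/database.php is not in the diff, so the error mode is not visible, and unless the connection is in `PDO::ERRMODE_EXCEPTION` a failing DELETE is silently skipped and the commit persists a partial delete (permissions gone, domain and records left behind). Wrap the four statements as `try { … $db->commit(); } catch (PDOException $e) { $db->rollBack(); throw $e; }` so a failure leaves the rows untouched. The same begin/commit-without-rollback shape is introduced in edit-master.php saveSoa and addRecord, edit-user.php addUser and users.php deleteUser.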
@@ -31,12 +31,11 @@ if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { //Permission check if(isset($input->domain)) { - $permquery = $db->prepare("SELECT * FROM permissions WHERE user=? AND domain=?"); - - $permquery->bind_param("ii", $_SESSION['id'], $input->domain); + $permquery = $db->prepare("SELECT COUNT(*) FROM permissions WHERE user=:user AND domain=:domain"); + $permquery->bindValue(':user', $_SESSION['id'], PDO::PARAM_INT); + $permquery->bindValue(':domain', $input->domain, PDO::PARAM_INT); $permquery->execute(); - $permquery->store_result(); - if($permquery->num_rows() < 1 && $_SESSION['type'] != "admin") { + if($permquery->fetchColumn() < 1 && $_SESSION['type'] != "admin") { echo "Permission denied!"; exit(); } @@ -53,9 +52,9 @@ if(isset($input->action) && $input->action == "getRecords") { SELECT id,name,type,content,ttl,prio AS priority FROM records WHERE - (name LIKE ? OR ?) AND - (content LIKE ? OR ?) AND - (domain_id = ?) AND + (name LIKE :name1 OR :name2) AND + (content LIKE :content1 OR :content2) AND + (domain_id = :domain_id) AND (type != 'SOA') "; @@ -114,18 +113,16 @@ if(isset($input->action) && $input->action == "getRecords") { $domainId = (int)$input->domain; - $stmt->bind_param("sisii", - $name_filter, $name_filter_used, - $content_filter, $content_filter_used, - $domainId - ); + $stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR); + $stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT); + $stmt->bindValue(':content1', $content_filter, PDO::PARAM_STR); + $stmt->bindValue(':content2', $content_filter_used, PDO::PARAM_INT); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $result = $stmt->get_result(); - $retval = Array(); - while($obj = $result->fetch_object()) { + while($obj = $stmt->fetchObject()) { $retval[] = $obj; } 
@@ -135,12 +132,11 @@ if(isset($input->action) && $input->action == "getRecords") { if(isset($input->action) && $input->action == "getSoa") { $domainId = (int)$input->domain; - $stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=?"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=:domain_id LIMIT 1"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($content); - $stmt->fetch(); + $content = $stmt->fetchColumn(); $content = explode(" ", $content); @@ -157,16 +153,15 @@ if(isset($input->action) && $input->action == "getSoa") { } -//Action for getting SOA +//Action for getting SOA Serial if(isset($input->action) && $input->action == "getSerial") { $domainId = (int)$input->domain; - $stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=?"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=:domain_id LIMIT 1"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($content); - $stmt->fetch(); + $content = $stmt->fetchColumn(); $content = explode(" ", $content); @@ -179,15 +174,12 @@ if(isset($input->action) && $input->action == "getSerial") { if(isset($input->action) && $input->action == "saveSoa") { $domainId = (int)$input->domain; - $db->autocommit(false); - $db->begin_transaction(); + $db->beginTransaction(); - $stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=?"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("SELECT content FROM records WHERE type='SOA' AND domain_id=:domain_id"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($content); - $stmt->fetch(); - $stmt->close(); + $content = $stmt->fetchColumn();; $content = explode(" ", $content); $serial = $content[2]; 
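Review bot: `$content = $stmt->fetchColumn();;` in the saveSoa hunk carries a stray second semicolon; harmless, but it reads like an unfinished edit. More importantly `fetchColumn()` returns `false` when the domain has no SOA row, and the next line runs `explode(" ", $content)` on that, so `$content[2]` is undefined and the serial arithmetic continues on a null — the getSoa and getSerial hunks above have the same shape, as does getDomainName further down. Guard it before the explode with `if ($content === false) { echo "No SOA record"; exit(); }`, mirroring the `echo …; exit();` style of the permission check. saveSoa continues past the end of this hunk.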
@@ -200,8 +192,10 @@ if(isset($input->action) && $input->action == "saveSoa") { $newsoa .= $input->expire . " "; $newsoa .= $input->ttl; - $stmt = $db->prepare("UPDATE records SET content=?,ttl=? WHERE type='SOA' AND domain_id=?"); - $stmt->bind_param("sii", $newsoa, $input->ttl, $domainId); + $stmt = $db->prepare("UPDATE records SET content=:content,ttl=:ttl WHERE type='SOA' AND domain_id=:domain_id"); + $stmt->bindValue(':content', $newsoa, PDO::PARAM_STR); + $stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); $db->commit(); @@ -215,13 +209,14 @@ if(isset($input->action) && $input->action == "saveSoa") { if(isset($input->action) && $input->action == "saveRecord") { $domainId = $input->domain; - $stmt = $db->prepare("UPDATE records SET name=?,type=?,content=?,ttl=?,prio=? WHERE id=? AND domain_id=?"); - $stmt->bind_param("sssiiii", - $input->name, $input->type, - $input->content, $input->ttl, - $input->prio, - $input->id, $domainId - ); + $stmt = $db->prepare("UPDATE records SET name=:name,type=:type,content=:content,ttl=:ttl,prio=:prio WHERE id=:id AND domain_id=:domain_id"); + $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); + $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); + $stmt->bindValue(':content', $input->content, PDO::PARAM_STR); + $stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT); + $stmt->bindValue(':prio', $input->prio, PDO::PARAM_INT); + $stmt->bindValue(':id', $input->id, PDO::PARAM_INT); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); update_serial($db, $domainId); } 
@@ -229,22 +224,29 @@ if(isset($input->action) && $input->action == "saveRecord") { //Action for adding Record if(isset($input->action) && $input->action == "addRecord") { $domainId = $input->domain; - - $stmt = $db->prepare("INSERT INTO records (domain_id, name, type, content, prio, ttl) VALUES (?,?,?,?,?,?)"); - $stmt->bind_param("isssii", - $domainId, $input->name, - $input->type, $input->content, - $input->prio, $input->ttl - ); + $db->beginTransaction(); + + $stmt = $db->prepare("INSERT INTO records (domain_id, name, type, content, prio, ttl) VALUES (:domain_id,:name,:type,:content,:prio,:ttl)"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); + $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); + $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); + $stmt->bindValue(':content', $input->content, PDO::PARAM_STR); + $stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT); + $stmt->bindValue(':prio', $input->prio, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); - - $stmt = $db->prepare("SELECT LAST_INSERT_ID()"); + + $stmt = $db->prepare("SELECT MAX(id) FROM records WHERE domain_id=:domain_id AND name=:name AND type=:type AND content=:content AND prio=:prio AND ttl=:ttl"); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); + $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); + $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); + $stmt->bindValue(':content', $input->content, PDO::PARAM_STR); + $stmt->bindValue(':ttl', $input->ttl, PDO::PARAM_INT); + $stmt->bindValue(':prio', $input->prio, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($newId); - $stmt->fetch(); - $stmt->close(); - + $newId = $stmt->fetchColumn(); + + $db->commit(); + $retval = Array(); $retval['newId'] = $newId; 
@@ -256,10 +258,10 @@ if(isset($input->action) && $input->action == "removeRecord") { $domainId = $input->domain; $recordId = $input->id; - $stmt = $db->prepare("DELETE FROM records WHERE id=? AND domain_id=?"); - $stmt->bind_param("ii", $recordId, $domainId); + $stmt = $db->prepare("DELETE FROM records WHERE id=:id AND domain_id=:domain_id"); + $stmt->bindValue(':id', $recordId, PDO::PARAM_INT); + $stmt->bindValue(':domain_id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); update_serial($db, $domainId); } @@ -268,12 +270,10 @@ if(isset($input->action) && $input->action == "removeRecord") { if(isset($input->action) && $input->action == "getDomainName") { $domainId = $input->domain; - $stmt = $db->prepare("SELECT name FROM domains WHERE id=?"); - $stmt->bind_param("i", $domainId); + $stmt = $db->prepare("SELECT name FROM domains WHERE id=:id LIMIT 1"); + $stmt->bindValue(':id', $domainId, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($domainName); - $stmt->fetch(); - $stmt->close(); + $domainName = $stmt->fetchColumn(); $retval = Array(); $retval['name'] = $domainName; diff --git a/api/edit-remote.php b/api/edit-remote.php index 1d7e415..8867699 100644 --- a/api/edit-remote.php +++ b/api/edit-remote.php 
@@ -29,12 +29,11 @@ if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { //Permission check if(isset($input->record)) { - $permquery = $db->prepare("SELECT * FROM records JOIN permissions ON records.domain_id=permissions.domain WHERE user=? AND records.id=?"); - - $permquery->bind_param("ii", $_SESSION['id'], $input->record); + $permquery = $db->prepare("SELECT COUNT(*) FROM records JOIN permissions ON records.domain_id=permissions.domain WHERE user=:user AND records.id=:id"); + $permquery->bindValue(':user', $_SESSION['id'], PDO::PARAM_INT); + $permquery->bindValue(':id', $input->record, PDO::PARAM_INT); $permquery->execute(); - $permquery->store_result(); - if($permquery->num_rows() < 1 && $_SESSION['type'] != "admin") { + if($permquery->fetchColumn() < 1 && $_SESSION['type'] != "admin") { echo "Permission denied!"; exit(); } @@ -46,17 +45,15 @@ if(isset($input->record)) { //Action for getting permission if(isset($input->action) && $input->action == "getPermissions") { - $sql = "SELECT id, description, type FROM remote WHERE record=?"; + $sql = "SELECT id, description, type FROM remote WHERE record=:record"; $stmt = $db->prepare($sql); - $stmt->bind_param("i",$input->record); + $stmt->bindValue(':record', $input->record, PDO::PARAM_INT); $stmt->execute(); - $result = $stmt->get_result(); - $retval = Array(); - while($obj = $result->fetch_object()) { + while($obj = $stmt->fetchObject()) { $retval[] = $obj; } 
@@ -66,19 +63,23 @@ if(isset($input->action) && $input->action == "getPermissions") { if(isset($input->action) && $input->action == "addPassword") { $passwordHash = password_hash($input->password, PASSWORD_DEFAULT); - $sql = "INSERT INTO remote(record,description,type,security) VALUES (?,?,'password',?)"; + $sql = "INSERT INTO remote(record,description,type,security) VALUES (:record,:description,'password',:security)"; $stmt = $db->prepare($sql); - $stmt->bind_param("iss",$input->record, $input->description, $passwordHash); + $stmt->bindValue(':record', $input->record, PDO::PARAM_INT); + $stmt->bindValue(':description', $input->description, PDO::PARAM_STR); + $stmt->bindValue(':security', $passwordHash, PDO::PARAM_STR); $stmt->execute(); } //Action for adding key if(isset($input->action) && $input->action == "addKey") { - $sql = "INSERT INTO remote(record,description,type,security) VALUES (?,?,'key',?)"; + $sql = "INSERT INTO remote(record,description,type,security) VALUES (:record,:description,'key',:security)"; $stmt = $db->prepare($sql); - $stmt->bind_param("iss",$input->record, $input->description, $input->key); + $stmt->bindValue(':record', $input->record, PDO::PARAM_INT); + $stmt->bindValue(':description', $input->description, PDO::PARAM_STR); + $stmt->bindValue(':security', $input->key, PDO::PARAM_STR); $stmt->execute(); } 
@@ -86,36 +87,39 @@ if(isset($input->action) && $input->action == "addKey") { if(isset($input->action) && $input->action == "changePassword") { if(isset($input->password)) { $passwordHash = password_hash($input->password, PASSWORD_DEFAULT); - $sql = "UPDATE remote SET description=?,security=? WHERE id=?"; + $sql = "UPDATE remote SET description=:description,security=:security WHERE id=:id"; $stmt = $db->prepare($sql); - $stmt->bind_param("ssi",$input->description, $passwordHash, $input->permission); + $stmt->bindValue(':description', $input->description, PDO::PARAM_STR); + $stmt->bindValue(':security', $passwordHash, PDO::PARAM_STR); + $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT); $stmt->execute(); } else { - $sql = "UPDATE remote SET description=? WHERE id=?"; + $sql = "UPDATE remote SET description=:description WHERE id=:id"; $stmt = $db->prepare($sql); - $stmt->bind_param("ssi",$input->description, $input->permission); + $stmt->bindValue(':description', $input->description, PDO::PARAM_STR); + $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT); $stmt->execute(); } } //Action for updating key if(isset($input->action) && $input->action == "changeKey") { - $sql = "UPDATE remote SET description=?,security=? WHERE id=?"; + $sql = "UPDATE remote SET description=:description,security=:security WHERE id=:id"; $stmt = $db->prepare($sql); - - $stmt->bind_param("ssi",$input->description, $input->key, $input->permission); + + $stmt->bindValue(':description', $input->description, PDO::PARAM_STR); + $stmt->bindValue(':security', $input->key, PDO::PARAM_STR); + $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT); $stmt->execute(); } //Action for getting key if(isset($input->action) && $input->action == "getKey") { - $sql = "SELECT security FROM remote WHERE id=? 
AND type='key'"; + $sql = "SELECT security FROM remote WHERE id=:id AND type='key' LIMIT 1"; $stmt = $db->prepare($sql); - - $stmt->bind_param("i",$input->permission); + $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($key); - $stmt->fetch(); + $key = $stmt->fetchColumn(); $retval = Array(); $retval['key'] = $key; @@ -123,10 +127,10 @@ if(isset($input->action) && $input->action == "getKey") { //Action for deleting permission if(isset($input->action) && $input->action == "deletePermission") { - $sql = "DELETE FROM remote WHERE id=?"; + $sql = "DELETE FROM remote WHERE id=:id"; $stmt = $db->prepare($sql); - $stmt->bind_param("i",$input->permission); + $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT); $stmt->execute(); } diff --git a/api/edit-user.php b/api/edit-user.php index a07fa84..befab23 100644 --- a/api/edit-user.php +++ b/api/edit-user.php 
@@ -35,18 +35,21 @@ if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") { if(isset($input->action) && $input->action == "addUser") { $passwordHash = password_hash($input->password, PASSWORD_DEFAULT); - $db->autocommit(false); + $db->beginTransaction(); - $stmt = $db->prepare("INSERT INTO user(name,password,type) VALUES (?,?,?)"); - $stmt->bind_param("sss", $input->name, $passwordHash, $input->type); + $stmt = $db->prepare("INSERT INTO user(name,password,type) VALUES (:name,:password,:type)"); + + $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); + $stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR); + $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); $stmt->execute(); - $stmt->close(); - $stmt = $db->prepare("SELECT LAST_INSERT_ID()"); + $stmt = $db->prepare("SELECT MAX(id) FROM user WHERE name=:name AND password=:password AND type=:type"); + $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); + $stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR); + $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); $stmt->execute(); - $stmt->bind_result($newUserId); - $stmt->fetch(); - $stmt->close(); + $newUserId = $stmt->fetchColumn(); $db->commit(); @@ -55,12 +58,12 @@ if(isset($input->action) && $input->action == "addUser") { } if(isset($input->action) && $input->action == "getUserData") { - $stmt = $db->prepare("SELECT name,type FROM user WHERE id=?"); - $stmt->bind_param("i", $input->id); + $stmt = $db->prepare("SELECT name,type FROM user WHERE id=:id LIMIT 1"); + $stmt->bindValue(':id', $input->id, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($userName, $userType); - $stmt->fetch(); - $stmt->close(); + $stmt->bindColumn('name', $userName); + $stmt->bindColumn('type', $userType); + $stmt->fetch(PDO::FETCH_BOUND); $retval = Array(); $retval['name'] = $userName; 
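Review bot: `$stmt->fetch(PDO::FETCH_BOUND)` in the getUserData hunk discards its return value; when no user has that id, `$userName` and `$userType` are never assigned and the following `$retval['name'] = $userName` reads undefined variables and answers with nulls. Check it: `if (!$stmt->fetch(PDO::FETCH_BOUND)) { echo "Unknown user"; exit(); }`. The same bindColumn/fetch-without-check pattern is introduced in index.php (where `$password` then reaches `password_verify` unset) and three times in remote.php (the password lookup, the `E.name` lookup and the editRecord nonce lookup); in the `password_verify` cases a missing row should be reported as a failed check explicitly rather than relying on an undefined hash failing to verify.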
@@ -70,15 +73,18 @@ if(isset($input->action) && $input->action == "getUserData") { if(isset($input->action) && $input->action == "saveUserChanges") { if(isset($input->password)) { $passwordHash = password_hash($input->password, PASSWORD_DEFAULT); - $stmt = $db->prepare("UPDATE user SET name=?,password=?,type=? WHERE id=?"); - $stmt->bind_param("sssi", $input->name, $passwordHash, $input->type, $input->id); + $stmt = $db->prepare("UPDATE user SET name=:name,password=:password,type=:type WHERE id=:id"); + $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); + $stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR); + $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); + $stmt->bindValue(':id', $input->id, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); } else { - $stmt = $db->prepare("UPDATE user SET name=?,type=? WHERE id=?"); - $stmt->bind_param("ssi", $input->name, $input->type, $input->id); + $stmt = $db->prepare("UPDATE user SET name=:name,type=:type WHERE id=:id"); + $stmt->bindValue(':name', $input->name, PDO::PARAM_STR); + $stmt->bindValue(':type', $input->type, PDO::PARAM_STR); + $stmt->bindValue(':id', $input->id, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); } } 
@@ -88,50 +94,50 @@ if(isset($input->action) && $input->action == "getPermissions") { SELECT D.id,D.name FROM permissions P JOIN domains D ON P.domain=D.id - WHERE P.user=? + WHERE P.user=:user "); - $stmt->bind_param("i", $input->id); + $stmt->bindValue(':user', $input->id, PDO::PARAM_INT); $stmt->execute(); - $result = $stmt->get_result(); - $retval = Array(); - while($obj = $result->fetch_object()) { + while($obj = $stmt->fetchObject()) { $retval[] = $obj; } } if(isset($input->action) && $input->action == "removePermission") { - $stmt = $db->prepare("DELETE FROM permissions WHERE user=? AND domain=?"); + $stmt = $db->prepare("DELETE FROM permissions WHERE user=:user AND domain=:domain"); - $stmt->bind_param("ii", $input->userId, $input->domainId); + $stmt->bindValue(':user', $input->userId, PDO::PARAM_INT); + $stmt->bindValue(':domain', $input->domainId, PDO::PARAM_INT); $stmt->execute(); } if(isset($input->action) && $input->action == "searchDomains" && isset($input->term)) { - $stmt = $db->prepare("SELECT id,name AS text FROM domains WHERE name LIKE ? AND id NOT IN(SELECT domain FROM permissions WHERE user=?)"); + $stmt = $db->prepare("SELECT id,name AS text FROM domains WHERE name LIKE :name AND id NOT IN(SELECT domain FROM permissions WHERE user=:user)"); $searchTerm = "%" . $input->term . 
"%"; - $stmt->bind_param("si", $searchTerm, $input->userId); - $stmt->execute(); - $result = $stmt->get_result(); + $stmt->bindValue(':name', $searchTerm, PDO::PARAM_STR); + $stmt->bindValue(':user', $input->userId, PDO::PARAM_INT); + $stmt->execute(); $retval = Array(); - while($obj = $result->fetch_object()) { + while($obj = $stmt->fetchObject()) { $retval[] = $obj; } } if(isset($input->action) && $input->action == "addPermissions") { - $stmt = $db->prepare("INSERT INTO permissions(user,domain) VALUES (?,?)"); + $stmt = $db->prepare("INSERT INTO permissions(user,domain) VALUES (:user,:domain)"); foreach($input->domains as $domain) { - $stmt->bind_param("ii", $input->userId, $domain); + $stmt->bindValue(':user', $input->userId, PDO::PARAM_INT); + $stmt->bindValue(':domain', $domain, PDO::PARAM_INT); $stmt->execute(); } } diff --git a/api/index.php b/api/index.php index 4933f6f..36dea56 100644 --- a/api/index.php +++ b/api/index.php @@ -21,12 +21,13 @@ require_once '../lib/database.php'; $input = json_decode(file_get_contents('php://input')); -$sql = $db->prepare("SELECT id,password,type FROM user WHERE name=?"); -$sql->bind_param("s", $input->user); +$sql = $db->prepare("SELECT id,password,type FROM user WHERE name=:name LIMIT 1"); +$stmt->bindValue(':name', $input->user, PDO::PARAM_STR); $sql->execute(); - -$sql->bind_result($id, $password, $type); -$sql->fetch(); +$stmt->bindColumn('id', $id); +$stmt->bindColumn('password', $password); +$stmt->bindColumn('type', $type); +$stmt->fetch(PDO::FETCH_BOUND); if (password_verify($input->password, $password)) { $retval['status'] = "success"; diff --git a/api/password.php b/api/password.php index 63c615f..d81b5e9 100644 --- a/api/password.php +++ b/api/password.php 
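Review bot: In the index.php hunk the prepared statement is assigned to `$sql`, but the new lines call `$stmt->bindValue(...)`, `$stmt->bindColumn(...)` and `$stmt->fetch(...)` on `$stmt`, which is never defined in this file section — every login request will fail with a method call on a non-object before the password is checked. Use one name consistently: `$stmt = $db->prepare("SELECT id,password,type FROM user WHERE name=:name LIMIT 1");` and `$stmt->execute();`, or change the four `$stmt->` calls back to `$sql->`. Whichever is chosen, the fetch return value should also be tested so an unknown user name does not leave `$password` unset.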
@@ -30,10 +30,10 @@ if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { if(isset($input->action) && $input->action == "changePassword") { $passwordHash = password_hash($input->password, PASSWORD_DEFAULT); - $stmt = $db->prepare("UPDATE user SET password=? WHERE id=?"); - $stmt->bind_param("si", $passwordHash, $_SESSION['id']); + $stmt = $db->prepare("UPDATE user SET password=:password WHERE id=:id"); + $stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR); + $stmt->bindValue(':id', $_SESSION['id'], PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); } if(isset($retval)) { diff --git a/api/remote.php b/api/remote.php index 6c3a198..3ca5a71 100644 --- a/api/remote.php +++ b/api/remote.php @@ -27,12 +27,12 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") { $input_password = filter_input(INPUT_GET, "password"); $input_content = filter_input(INPUT_GET, "content"); - $stmt = $db->prepare("SELECT security,record FROM remote WHERE type='password' AND id=?"); - $stmt->bind_param("i", $input_id); + $stmt = $db->prepare("SELECT security,record FROM remote WHERE type='password' AND id=:id LIMIT 1"); + $stmt->bindValue(':id', $input_id, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($passwordHash, $record); - $stmt->fetch(); - $stmt->close(); + $stmt->bindColumn('security', $passwordHash); + $stmt->bindColumn('record', $record); + $stmt->fetch(PDO::FETCH_BOUND); if(!password_verify($input_password, $passwordHash)) { $return['status'] = "error"; 
@@ -41,17 +41,16 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") { exit(); } - $stmt = $db->prepare("UPDATE records SET content=? WHERE name=? AND id=?"); - $stmt->bind_param("ssi", $input_content, $input_domain, $record); + $stmt = $db->prepare("UPDATE records SET content=:content WHERE name=:name AND id=:id"); + $stmt->bindValue(':content', $input_content, PDO::PARAM_STR); + $stmt->bindValue(':name', $input_domain, PDO::PARAM_STR); + $stmt->bindValue(':id', $record, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); - $stmt = $db->prepare("SELECT domain_id FROM records WHERE id=?"); - $stmt->bind_param("i",$record); + $stmt = $db->prepare("SELECT domain_id FROM records WHERE id=:id LIMIT 1"); + $stmt->bindValue(':id', $record, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($domain_id); - $stmt->fetch(); - $stmt->close(); + $domain_id = $stmt->fetchColumn(); update_serial($db, $domain_id); @@ -74,12 +73,12 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") { $input = json_decode(file_get_contents('php://input')); if(isset($input->domain) && isset($input->id) && isset($input->content)) { - $stmt = $db->prepare("SELECT E.name,E.id FROM remote R JOIN records E ON R.record = E.id WHERE R.id=?"); - $stmt->bind_param("i", $input->id); + $stmt = $db->prepare("SELECT E.name,E.id FROM remote R JOIN records E ON R.record = E.id WHERE R.id=:id LIMIT 1"); + $stmt->bindValue(':id', $input->id, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($domainName, $record); - $stmt->fetch(); - $stmt->close(); + $stmt->bindColumn('E.name', $domainName); + $stmt->bindColumn('E.id', $record); + $stmt->fetch(PDO::FETCH_BOUND); if($domainName != $input->domain) { $return['status'] = "error"; 
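Review bot: `$stmt->bindColumn('E.name', $domainName)` and `$stmt->bindColumn('E.id', $record)` in the second hunk bind by a table-qualified name, but the result set of `SELECT E.name,E.id …` reports the columns as `name` and `id` (the alias is not part of the column name the driver returns), so the binds are expected to fail with an invalid column name and `$domainName`/`$record` stay unset before the `$domainName != $input->domain` comparison. Bind by the reported names, `$stmt->bindColumn('name', $domainName);` and `$stmt->bindColumn('id', $record);`, or alias them explicitly in the query (`SELECT E.name AS name, E.id AS id …`).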
@@ -92,21 +91,21 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") { $newNonce = base64_encode(openssl_random_pseudo_bytes(32)); $dbNonce = $newNonce . ":" . time(); - $stmt = $db->prepare("UPDATE remote SET nonce=? WHERE id=?"); - $stmt->bind_param("si", $dbNonce, $input->id); + $stmt = $db->prepare("UPDATE remote SET nonce=:nonce WHERE id=:id"); + $stmt->bindValue(':nonce', $dbNonce, PDO::PARAM_STR); + $stmt->bindValue(':id', $input->id, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); $return['nonce'] = $newNonce; echo json_encode($return); exit(); } else if(isset($_GET['editRecord'])) { - $stmt = $db->prepare("SELECT security,nonce FROM remote WHERE id=?"); - $stmt->bind_param("i", $input->id); + $stmt = $db->prepare("SELECT security,nonce FROM remote WHERE id=:id LIMIT 1"); + $stmt->bindValue(':id', $input->id, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($pubkey, $dbNonce); - $stmt->fetch(); - $stmt->close(); + $stmt->bindColumn('security', $pubkey); + $stmt->bindColumn('nonce', $dbNonce); + $stmt->fetch(PDO::FETCH_BOUND); $nonce = explode(":", $dbNonce); 
@@ -127,17 +126,16 @@ if(filter_input(INPUT_SERVER, "REQUEST_METHOD") == "GET") { exit(); } - $stmt = $db->prepare("UPDATE records SET content=? WHERE name=? AND id=?"); - $stmt->bind_param("ssi", $input->content, $input->domain, $record); + $stmt = $db->prepare("UPDATE records SET content=:content WHERE name=:name AND id=:id"); + $stmt->bindValue(':content', $input->content, PDO::PARAM_STR); + $stmt->bindValue(':name', $input->domain, PDO::PARAM_STR); + $stmt->bindValue(':id', $record, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); - $stmt = $db->prepare("SELECT domain_id FROM records WHERE id=?"); - $stmt->bind_param("i",$record); + $stmt = $db->prepare("SELECT domain_id FROM records WHERE id=:id LIMIT 1"); + $stmt->bindValue(':id', $record, PDO::PARAM_INT); $stmt->execute(); - $stmt->bind_result($domain_id); - $stmt->fetch(); - $stmt->close(); + $domain_id = $stmt->fetchColumn(); update_serial($db, $domain_id); diff --git a/api/users.php b/api/users.php index 8de5ec8..b5cdc24 100644 --- a/api/users.php +++ b/api/users.php @@ -38,8 +38,8 @@ if(isset($input->action) && $input->action == "getUsers") { SELECT id,name,type FROM user WHERE - (name LIKE ? OR ?) AND - (type=? OR ?) + (name LIKE :name1 OR :name2) AND + (type=:type1 OR :type2) "; if(isset($input->sort->field) && $input->sort->field != "") { @@ -78,17 +78,15 @@ if(isset($input->action) && $input->action == "getUsers") { $type_filter_used = 1; } - $stmt->bind_param("sisi", - $name_filter, $name_filter_used, - $type_filter, $type_filter_used - ); + $stmt->bindValue(':name1', $name_filter, PDO::PARAM_STR); + $stmt->bindValue(':name2', $name_filter_used, PDO::PARAM_INT); + $stmt->bindValue(':type1', $type_filter, PDO::PARAM_INT); + $stmt->bindValue(':type2', $type_filter_used, PDO::PARAM_INT); $stmt->execute(); - $result = $stmt->get_result(); - $retval = Array(); - while($obj = $result->fetch_object()) { + while($obj = $stmt->fetchObject()) { $retval[] = $obj; } } 
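Review bot: In the users.php `-78` hunk `:type1` is bound with `PDO::PARAM_INT`, but the user type column holds strings — this same patch compares `$_SESSION['type']` against `"admin"` — and the removed `bind_param("sisi", …)` bound it as a string. How a non-numeric string bound as an integer is sent depends on driver and emulation mode, so the type filter may silently match nothing; bind it as `$stmt->bindValue(':type1', $type_filter, PDO::PARAM_STR);`. (The domains.php query already used `i` for its type filter, so only this file changes meaning.)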
@@ -96,17 +94,15 @@ if(isset($input->action) && $input->action == "getUsers") { if(isset($input->action) && $input->action == "deleteUser") { $userId = $input->id; - $db->autocommit(false); + $db->beginTransaction(); - $stmt = $db->prepare("DELETE FROM permissions WHERE user=?"); - $stmt->bind_param("i", $userId); + $stmt = $db->prepare("DELETE FROM permissions WHERE user=:userid"); + $stmt->bindValue(':userid', $userId, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); - $stmt = $db->prepare("DELETE FROM user WHERE id=?"); - $stmt->bind_param("i", $userId); + $stmt = $db->prepare("DELETE FROM user WHERE id=:id"); + $stmt->bindValue(':id', $userId, PDO::PARAM_INT); $stmt->execute(); - $stmt->close(); $db->commit(); }