From cc7a82756b4f4d7ab18e928527c37489adbaf564 Mon Sep 17 00:00:00 2001 From: Marius Cramer Date: Tue, 7 Apr 2015 20:10:50 +0200 Subject: [PATCH] - rewrite of sql queries to new form --- helper_scripts/recreate_webalizer_stats.php | 4 +- .../mod_auth_external/db_auth.php | 2 +- .../mod_auth_external/db_isuser.php | 2 +- install/dist/lib/gentoo.lib.php | 23 +- install/uninstall.php | 8 - interface/lib/app.inc.php | 10 +- interface/lib/classes/aps_crawler.inc.php | 24 +- .../lib/classes/aps_guicontroller.inc.php | 70 +- interface/lib/classes/auth.inc.php | 16 +- .../lib/classes/client_templates.inc.php | 38 +- .../lib/classes/custom_datasource.inc.php | 29 +- interface/lib/classes/functions.inc.php | 35 +- interface/lib/classes/getconf.inc.php | 2 +- .../lib/classes/plugin_backuplist.inc.php | 42 +- .../classes/plugin_backuplist_mail.inc.php | 41 +- interface/lib/classes/plugin_listview.inc.php | 2 +- interface/lib/classes/quota_lib.inc.php | 14 +- interface/lib/classes/remote.d/admin.inc.php | 4 +- interface/lib/classes/remote.d/aps.inc.php | 16 +- interface/lib/classes/remote.d/client.inc.php | 87 +- interface/lib/classes/remote.d/dns.inc.php | 20 +- .../lib/classes/remote.d/domains.inc.php | 4 +- interface/lib/classes/remote.d/mail.inc.php | 28 +- interface/lib/classes/remote.d/openvz.inc.php | 73 +- interface/lib/classes/remote.d/server.inc.php | 12 +- interface/lib/classes/remote.d/sites.inc.php | 24 +- interface/lib/classes/remoting.inc.php | 41 +- interface/lib/classes/remoting_lib.inc.php | 49 +- interface/lib/classes/session.inc.php | 38 +- .../lib/classes/sites_database_plugin.inc.php | 6 +- interface/lib/classes/tform.inc.php | 4 +- interface/lib/classes/tform_actions.inc.php | 29 +- interface/lib/classes/tform_base.inc.php | 4 +- interface/lib/classes/tools_monitor.inc.php | 36 +- interface/lib/classes/tools_sites.inc.php | 8 +- interface/lib/classes/validate_client.inc.php | 16 +- interface/lib/classes/validate_dns.inc.php | 2 +- interface/lib/classes/validate_domain.inc.php | 26 +- .../lib/classes/validate_ftpuser.inc.php | 4 +- .../lib/classes/validate_systemuser.inc.php | 4 +- .../lib/plugins/dns_dns_slave_plugin.inc.php | 8 +- .../lib/plugins/dns_dns_soa_plugin.inc.php | 18 +- .../plugins/mail_mail_domain_plugin.inc.php | 34 +- .../plugins/mail_user_filter_plugin.inc.php | 6 +- .../sites_web_database_user_plugin.inc.php | 5 +- .../sites_web_vhost_domain_plugin.inc.php | 83 +- .../lib/plugins/vm_openvz_plugin.inc.php | 58 +- interface/web/admin/firewall_edit.php | 2 +- .../web/admin/remote_action_ispcupdate.php | 11 +- .../web/admin/remote_action_osupdate.php | 11 +- interface/web/admin/server_edit.php | 4 +- interface/web/admin/server_ip_edit.php | 2 +- interface/web/admin/server_php_edit.php | 2 +- .../web/admin/software_package_install.php | 13 +- interface/web/admin/software_package_list.php | 34 +- interface/web/admin/software_update_list.php | 16 +- interface/web/admin/system_config_edit.php | 16 +- interface/web/admin/tpl_default.php | 15 - interface/web/admin/users_edit.php | 27 +- interface/web/client/client_del.php | 22 +- interface/web/client/client_edit.php | 8 +- interface/web/client/client_message.php | 2 +- interface/web/client/client_template_del.php | 4 +- interface/web/client/client_template_edit.php | 9 +- interface/web/client/domain_del.php | 16 +- interface/web/client/domain_edit.php | 26 +- .../web/client/message_template_edit.php | 7 +- interface/web/client/reseller_del.php | 10 +- interface/web/client/reseller_edit.php | 8 +- interface/web/dashboard/dashboard.php | 2 +- interface/web/dashboard/dashlets/limits.php | 6 +- interface/web/dns/ajax_get_json.php | 103 -- interface/web/dns/dns_a_edit.php | 18 +- interface/web/dns/dns_aaaa_edit.php | 16 +- interface/web/dns/dns_alias_edit.php | 16 +- interface/web/dns/dns_cname_edit.php | 18 +- interface/web/dns/dns_dkim_edit.php | 10 +- interface/web/dns/dns_dmarc_edit.php | 14 +- interface/web/dns/dns_hinfo_edit.php | 16 +- interface/web/dns/dns_import.php | 18 +- interface/web/dns/dns_mx_edit.php | 21 +- interface/web/dns/dns_ns_edit.php | 16 +- interface/web/dns/dns_ptr_edit.php | 14 +- interface/web/dns/dns_rp_edit.php | 16 +- interface/web/dns/dns_rr_del.php | 2 +- interface/web/dns/dns_slave_del.php | 2 +- interface/web/dns/dns_slave_edit.php | 16 +- interface/web/dns/dns_soa_del.php | 2 +- interface/web/dns/dns_soa_edit.php | 29 +- interface/web/dns/dns_spf_edit.php | 12 +- interface/web/dns/dns_srv_edit.php | 16 +- interface/web/dns/dns_txt_edit.php | 16 +- interface/web/dns/dns_wizard.php | 18 +- interface/web/help/faq_list.php | 2 +- .../web/help/form/support_message.tform.php | 2 +- interface/web/help/support_message_edit.php | 12 +- interface/web/login/index.php | 44 +- interface/web/login/login_as.php | 8 +- interface/web/login/password_reset.php | 4 +- interface/web/mail/form/xmpp_domain.tform.php | 2 +- interface/web/mail/mail_alias_edit.php | 2 +- interface/web/mail/mail_blacklist_edit.php | 6 +- .../web/mail/mail_domain_catchall_edit.php | 2 +- interface/web/mail/mail_domain_edit.php | 6 +- interface/web/mail/mail_forward_edit.php | 2 +- interface/web/mail/mail_get_edit.php | 12 +- interface/web/mail/mail_mailinglist_edit.php | 4 +- interface/web/mail/mail_transport_edit.php | 4 +- interface/web/mail/mail_user_del.php | 4 +- interface/web/mail/mail_user_edit.php | 4 +- interface/web/mail/mail_user_filter_del.php | 27 - interface/web/mail/mail_user_filter_edit.php | 4 +- interface/web/mail/mail_whitelist_edit.php | 4 +- interface/web/mail/mailinglist.php | 4 +- .../web/mail/spamfilter_blacklist_edit.php | 24 +- interface/web/mail/spamfilter_policy_edit.php | 4 +- interface/web/mail/spamfilter_users_edit.php | 6 +- .../web/mail/spamfilter_whitelist_edit.php | 4 +- interface/web/mail/webmailer.php | 4 +- interface/web/mail/xmpp_domain_del.php | 8 +- interface/web/mail/xmpp_domain_edit.php | 8 +- interface/web/mail/xmpp_user_edit.php | 14 +- interface/web/mailuser/index.php | 8 +- .../web/mailuser/mail_user_filter_edit.php | 6 +- .../mailuser/mail_user_spamfilter_edit.php | 6 +- interface/web/monitor/log_del.php | 2 +- interface/web/monitor/show_log.php | 2 +- interface/web/monitor/show_sys_state.php | 4 +- interface/web/remote/monitor.php | 4 +- interface/web/sites/ajax_get_ip.php | 4 +- interface/web/sites/aps_do_operation.php | 12 +- interface/web/sites/aps_install_package.php | 5 +- interface/web/sites/cron_edit.php | 18 +- interface/web/sites/database_edit.php | 32 +- interface/web/sites/database_phpmyadmin.php | 6 +- interface/web/sites/database_user_del.php | 6 +- interface/web/sites/database_user_edit.php | 2 +- .../web/sites/form/web_vhost_domain.tform.php | 2 +- interface/web/sites/shell_user_edit.php | 12 +- interface/web/sites/web_childdomain_edit.php | 8 +- interface/web/sites/web_folder_del.php | 2 +- interface/web/sites/web_sites_stats.php | 16 +- interface/web/sites/web_vhost_domain_edit.php | 18 +- interface/web/tools/dns_import_tupa.php | 4 +- .../tools/form/interface_settings.tform.php | 2 +- interface/web/tools/import_plesk.php | 1430 ----------------- interface/web/tools/import_vpopmail.php | 30 +- interface/web/tools/resync.php | 12 +- interface/web/tools/user_settings.php | 2 +- interface/web/vm/ajax_get_ip.php | 4 +- interface/web/vm/openvz_vm_edit.php | 4 +- server/lib/app.inc.php | 11 +- server/lib/classes/aps_installer.inc.php | 104 +- .../classes/cron.d/100-mailbox_stats.inc.php | 38 +- .../cron.d/100-monitor_clamav_log.inc.php | 20 +- .../classes/cron.d/100-monitor_cpu.inc.php | 10 +- .../cron.d/100-monitor_database_size.inc.php | 12 +- .../cron.d/100-monitor_disk_usage.inc.php | 10 +- .../cron.d/100-monitor_email_quota.inc.php | 12 +- .../cron.d/100-monitor_fail2ban.inc.php | 10 +- .../cron.d/100-monitor_hd_quota.inc.php | 10 +- .../cron.d/100-monitor_iptables.inc.php | 10 +- .../cron.d/100-monitor_ispconfig_log.inc.php | 20 +- .../100-monitor_ispconfig_version.inc.php | 10 +- .../cron.d/100-monitor_mail_log.inc.php | 30 +- .../cron.d/100-monitor_mail_queue.inc.php | 10 +- .../cron.d/100-monitor_mem_usage.inc.php | 10 +- .../cron.d/100-monitor_mongodb.inc.php | 10 +- .../classes/cron.d/100-monitor_openvz.inc.php | 20 +- .../cron.d/100-monitor_os_version.inc.php | 10 +- .../classes/cron.d/100-monitor_raid.inc.php | 10 +- .../cron.d/100-monitor_rkhunter.inc.php | 10 +- .../classes/cron.d/100-monitor_server.inc.php | 10 +- .../cron.d/100-monitor_services.inc.php | 10 +- .../classes/cron.d/100-monitor_syslog.inc.php | 22 +- .../cron.d/100-monitor_system_update.inc.php | 10 +- server/lib/classes/cron.d/150-awstats.inc.php | 10 +- .../lib/classes/cron.d/150-webalizer.inc.php | 6 +- .../lib/classes/cron.d/200-logfiles.inc.php | 41 +- .../classes/cron.d/300-quota_notify.inc.php | 28 +- server/lib/classes/cron.d/400-openvz.inc.php | 4 +- .../classes/cron.d/500-backup_mail.inc.php | 10 +- server/lib/classes/cron.d/600-cleanup.inc.php | 2 +- server/lib/classes/cronjob.inc.php | 8 +- server/lib/classes/functions.inc.php | 2 +- server/lib/classes/getconf.inc.php | 2 +- server/lib/classes/modules.inc.php | 79 +- server/lib/classes/monitor_tools.inc.php | 10 +- .../remoteaction_core_module.inc.php | 14 +- .../plugins-available/backup_plugin.inc.php | 12 +- .../plugins-available/bind_dlz_plugin.inc.php | 2 +- server/plugins-available/bind_plugin.inc.php | 20 +- .../cron_jailkit_plugin.inc.php | 6 +- server/plugins-available/cron_plugin.inc.php | 10 +- .../ftpuser_base_plugin.inc.php | 4 +- server/plugins-available/mail_plugin.inc.php | 12 +- .../maildeliver_plugin.inc.php | 8 +- .../plugins-available/mailman_plugin.inc.php | 4 +- .../network_settings_plugin.inc.php | 4 +- .../nginx_reverseproxy_plugin.inc.php | 8 +- .../plugins-available/openvz_plugin.inc.php | 2 +- .../pma_symlink_plugin.inc.php | 4 +- .../postfix_filter_plugin.inc.php | 8 +- .../plugins-available/powerdns_plugin.inc.php | 52 +- .../shelluser_base_plugin.inc.php | 18 +- .../shelluser_jailkit_plugin.inc.php | 22 +- .../software_update_plugin.inc.php | 8 +- .../webmail_symlink_plugin.inc.php | 4 +- .../webserver_plugin.inc.php | 2 +- server/server.php | 9 +- 210 files changed, 1222 insertions(+), 3337 deletions(-) delete mode 100644 interface/web/tools/import_plesk.php diff --git a/helper_scripts/recreate_webalizer_stats.php b/helper_scripts/recreate_webalizer_stats.php index fbaef38097..5afcd9759a 100644 --- a/helper_scripts/recreate_webalizer_stats.php +++ b/helper_scripts/recreate_webalizer_stats.php @@ -5,8 +5,8 @@ //###################################################################################################### -$sql = "SELECT domain_id, domain, document_root FROM web_domain WHERE server_id = ".$conf["server_id"]; -$records = $app->db->queryAllRecords($sql); +$sql = "SELECT domain_id, domain, document_root FROM web_domain WHERE server_id = ?"; +$records = $app->db->queryAllRecords($sql, $conf["server_id"]); foreach($records as $rec) { $domain = escapeshellcmd($rec["domain"]); $logdir = escapeshellcmd($rec["document_root"].'/log'); diff --git a/install/apps/metronome_libs/mod_auth_external/db_auth.php b/install/apps/metronome_libs/mod_auth_external/db_auth.php index 086dcf6a01..3df135bc12 100644 --- a/install/apps/metronome_libs/mod_auth_external/db_auth.php +++ b/install/apps/metronome_libs/mod_auth_external/db_auth.php @@ -17,7 +17,7 @@ try{ // check for existing user $dbmail = $db->real_escape_string($arg_email); - $result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE '".$dbmail."' AND active='y' AND server_id='".$isp_server_id."'"); + $result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?", $dbmail, $isp_server_id); result_false($result->num_rows != 1); $user = $result->fetch_object(); diff --git a/install/apps/metronome_libs/mod_auth_external/db_isuser.php b/install/apps/metronome_libs/mod_auth_external/db_isuser.php index 7a7cf861bf..e6820635bc 100644 --- a/install/apps/metronome_libs/mod_auth_external/db_isuser.php +++ b/install/apps/metronome_libs/mod_auth_external/db_isuser.php @@ -15,7 +15,7 @@ try{ // check for existing user $dbmail = $db->real_escape_string($arg_email); - $result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE '".$dbmail."' AND active='y' AND server_id='".$isp_server_id."'"); + $result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?", $dbmail, $isp_server_id); result_false($result->num_rows != 1); result_true(); diff --git a/install/dist/lib/gentoo.lib.php b/install/dist/lib/gentoo.lib.php index 6e463ec607..e184e8cf58 100644 --- a/install/dist/lib/gentoo.lib.php +++ b/install/dist/lib/gentoo.lib.php @@ -229,7 +229,7 @@ class installer extends installer_base // check if virtual_transport must be changed if ($this->is_update) { - $tmp = $this->db->queryOneRecord("SELECT * FROM ".$conf["mysql"]["database"].".server WHERE server_id = ".$conf['server_id']); + $tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"].".server", $conf['server_id']); $ini_array = ini_to_array(stripslashes($tmp['config'])); // ini_array needs not to be checked, because already done in update.php -> updateDbAndIni() @@ -421,13 +421,13 @@ class installer extends installer_base global $conf; //* Create the database - if(!$this->db->query('CREATE DATABASE IF NOT EXISTS '.$conf['powerdns']['database'].' DEFAULT CHARACTER SET '.$conf['mysql']['charset'])) { + if(!$this->db->query('CREATE DATABASE IF NOT EXISTS ?? DEFAULT CHARACTER SET ?', $conf['powerdns']['database'], $conf['mysql']['charset'])) { $this->error('Unable to create MySQL database: '.$conf['powerdns']['database'].'.'); } //* Create the ISPConfig database user in the local database - $query = 'GRANT ALL ON `'.$conf['powerdns']['database'].'` . * TO \''.$conf['mysql']['ispconfig_user'].'\'@\'localhost\';'; - if(!$this->db->query($query)) { + $query = 'GRANT ALL ON ??.* TO ?@?'; + if(!$this->db->query($query, $conf['powerdns']['database'], $conf['mysql']['ispconfig_user'], 'localhost')) { $this->error('Unable to create user for powerdns database Error: '.$this->db->errorMessage); } @@ -537,21 +537,6 @@ class installer extends installer_base //* Copy the ISPConfig configuration include - /* - $content = $this->get_template_file('apache_ispconfig.conf', true); - - $records = $this->db->queryAllRecords("SELECT * FROM server_ip WHERE server_id = ".$conf["server_id"]." AND virtualhost = 'y'"); - if(is_array($records) && count($records) > 0) - { - foreach($records as $rec) { - $content .= "NameVirtualHost ".$rec["ip_address"].":80\n"; - $content .= "NameVirtualHost ".$rec["ip_address"].":443\n"; - } - } - - $this->write_config_file($conf['apache']['vhost_conf_dir'].'/000-ispconfig.conf', $content); - */ - $tpl = new tpl('apache_ispconfig.conf.master'); $tpl->setVar('apache_version',getapacheversion()); diff --git a/install/uninstall.php b/install/uninstall.php index 56cf0eb58b..111f574663 100644 --- a/install/uninstall.php +++ b/install/uninstall.php @@ -60,14 +60,6 @@ if($do_uninstall == 'yes') { echo "\n\n>> Uninstalling ISPConfig 3... \n\n"; - // Delete the ISPConfig database - // $app->db->query("DROP DATABASE '".$conf["db_database"]."'"); - // $app->db->query("DELETE FROM mysql.user WHERE User = 'ispconfig'"); - -// exec("/etc/init.d/mysql stop"); -// exec("rm -rf /var/lib/mysql/".$conf["db_database"]); -// exec("/etc/init.d/mysql start"); - $link = mysql_connect($clientdb_host, $clientdb_user, $clientdb_password); if (!$link) { echo "Unable to connect to the database'.mysql_error($link)"; diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php index 75068744f9..949f1643cf 100755 --- a/interface/lib/app.inc.php +++ b/interface/lib/app.inc.php @@ -155,15 +155,15 @@ class app { public function conf($plugin, $key, $value = null) { if(is_null($value)) { - $tmpconf = $this->db->queryOneRecord("SELECT `value` FROM `sys_config` WHERE `group` = '" . $this->db->quote($plugin) . "' AND `name` = '" . $this->db->quote($key) . "'"); + $tmpconf = $this->db->queryOneRecord("SELECT `value` FROM `sys_config` WHERE `group` = ? AND `name` = ?", $plugin, $key); if($tmpconf) return $tmpconf['value']; else return null; } else { if($value === false) { - $this->db->query("DELETE FROM `sys_config` WHERE `group` = '" . $this->db->quote($plugin) . "' AND `name` = '" . $this->db->quote($key) . "'"); + $this->db->query("DELETE FROM `sys_config` WHERE `group` = ? AND `name` = ?", $plugin, $key); return null; } else { - $this->db->query("REPLACE INTO `sys_config` (`group`, `name`, `value`) VALUES ('" . $this->db->quote($plugin) . "', '" . $this->db->quote($key) . "', '" . $this->db->quote($value) . "')"); + $this->db->query("REPLACE INTO `sys_config` (`group`, `name`, `value`) VALUES (?, ?, ?)", $plugin, $key, $value); return $value; } } @@ -179,8 +179,8 @@ class app { $server_id = 0; $priority = $this->functions->intval($priority); $tstamp = time(); - $msg = $this->db->quote('[INTERFACE]: '.$msg); - $this->db->query("INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES ($server_id,0,$priority,$tstamp,'$msg')"); + $msg = '[INTERFACE]: '.$msg; + $this->db->query("INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES (?, 0, ?, ?, ?)", $server_id, $priority,$tstamp,$msg); /* if (is_writable($this->_conf['log_file'])) { if (!$fp = fopen ($this->_conf['log_file'], 'a')) { diff --git a/interface/lib/classes/aps_crawler.inc.php b/interface/lib/classes/aps_crawler.inc.php index 4a6409227e..5f36a5db57 100644 --- a/interface/lib/classes/aps_crawler.inc.php +++ b/interface/lib/classes/aps_crawler.inc.php @@ -356,14 +356,7 @@ class ApsCrawler extends ApsBase $old_folder = $this->interface_pkg_dir.'/'.$app_name.'-'.$ex_ver.'.app.zip'; if(file_exists($old_folder)) $this->removeDirectory($old_folder); - /* - $app->db->query("UPDATE aps_packages SET package_status = '".PACKAGE_OUTDATED."' WHERE name = '". - $app->db->quote($app_name)."' AND CONCAT(version, '-', CAST(`release` AS CHAR)) = '". - $app->db->quote($ex_ver)."';"); - */ - $tmp = $app->db->queryOneRecord("SELECT id FROM aps_packages WHERE name = '". - $app->db->quote($app_name)."' AND CONCAT(version, '-', CAST(`release` AS CHAR)) = '". - $app->db->quote($ex_ver)."';"); + $tmp = $app->db->queryOneRecord("SELECT id FROM aps_packages WHERE name = ? AND CONCAT(version, '-', CAST(`release` AS CHAR)) = ?", $app_name, $ex_ver); $app->db->datalogUpdate('aps_packages', "package_status = ".PACKAGE_OUTDATED, 'id', $tmp['id']); unset($tmp); } @@ -539,13 +532,11 @@ class ApsCrawler extends ApsBase // Get registered packages and mark non-existant packages with an error code to omit the install $existing_packages = array(); - $path_query = $app->db->queryAllRecords('SELECT path AS Path FROM aps_packages;'); + $path_query = $app->db->queryAllRecords('SELECT path AS Path FROM aps_packages'); foreach($path_query as $path) $existing_packages[] = $path['Path']; $diff = array_diff($existing_packages, $pkg_list); foreach($diff as $todelete) { - /*$app->db->query("UPDATE aps_packages SET package_status = '".PACKAGE_ERROR_NOMETA."' - WHERE path = '".$app->db->quote($todelete)."';");*/ - $tmp = $app->db->queryOneRecord("SELECT id FROM aps_packages WHERE path = '".$app->db->quote($todelete)."';"); + $tmp = $app->db->queryOneRecord("SELECT id FROM aps_packages WHERE path = ?", $todelete); $app->db->datalogUpdate('aps_packages', "package_status = ".PACKAGE_ERROR_NOMETA, 'id', $tmp['id']); unset($tmp); } @@ -576,13 +567,6 @@ class ApsCrawler extends ApsBase //$pkg_url = $this->app_download_url_list[$pkg]; $pkg_url = @file_get_contents($this->interface_pkg_dir.'/'.$pkg.'/PKG_URL'); - /* - $app->db->query("INSERT INTO `aps_packages` - (`path`, `name`, `category`, `version`, `release`, `package_status`) VALUES - ('".$app->db->quote($pkg)."', '".$app->db->quote($pkg_name)."', - '".$app->db->quote($pkg_category)."', '".$app->db->quote($pkg_version)."', - ".$app->db->quote($pkg_release).", ".PACKAGE_ENABLED.");"); - */ // Insert only if data is complete if($pkg != '' && $pkg_name != '' && $pkg_category != '' && $pkg_version != '' && $pkg_release != '' && $pkg_url){ $insert_data = "(`path`, `name`, `category`, `version`, `release`, `package_url`, `package_status`) VALUES @@ -619,7 +603,7 @@ class ApsCrawler extends ApsBase // This method must be used in interface mode if(!$this->interface_mode) return false; - $incomplete_pkgs = $app->db->queryAllRecords("SELECT * FROM aps_packages WHERE package_url = ''"); + $incomplete_pkgs = $app->db->queryAllRecords("SELECT * FROM aps_packages WHERE package_url = ?", ''); if(is_array($incomplete_pkgs) && !empty($incomplete_pkgs)){ foreach($incomplete_pkgs as $incomplete_pkg){ $pkg_url = @file_get_contents($this->interface_pkg_dir.'/'.$incomplete_pkg['path'].'/PKG_URL'); diff --git a/interface/lib/classes/aps_guicontroller.inc.php b/interface/lib/classes/aps_guicontroller.inc.php index 1f18628869..d9c347421d 100644 --- a/interface/lib/classes/aps_guicontroller.inc.php +++ b/interface/lib/classes/aps_guicontroller.inc.php @@ -100,7 +100,7 @@ class ApsGUIController extends ApsBase $customerdata = $app->db->queryOneRecord("SELECT client_id FROM sys_group, web_domain WHERE web_domain.sys_groupid = sys_group.groupid - AND web_domain.domain = '".$app->db->quote($domain)."';"); + AND web_domain.domain = ?", $domain); if(!empty($customerdata)) $customerid = $customerdata['client_id']; return $customerid; @@ -122,14 +122,14 @@ class ApsGUIController extends ApsBase $websrv = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain = (SELECT value FROM aps_instances_settings - WHERE name = 'main_domain' AND instance_id = ".$app->db->quote($instanceid).");"); + WHERE name = 'main_domain' AND instance_id = ?)", $instanceid); // If $websrv is empty, an error has occured. Domain no longer existing? Settings table damaged? // Anyhow, remove this instance record because it's not useful at all if(empty($websrv)) { - $app->db->query("DELETE FROM aps_instances WHERE id = ".$app->db->quote($instanceid).";"); - $app->db->query("DELETE FROM aps_instances_settings WHERE instance_id = ".$app->db->quote($instanceid).";"); + $app->db->query("DELETE FROM aps_instances WHERE id = ?", $instanceid); + $app->db->query("DELETE FROM aps_instances_settings WHERE instance_id = ?", $instanceid); } else $webserver_id = $websrv['server_id']; @@ -154,9 +154,9 @@ class ApsGUIController extends ApsBase $result = $app->db->queryOneRecord("SELECT id, name, CONCAT(version, '-', CAST(`release` AS CHAR)) AS current_version FROM aps_packages - WHERE name = (SELECT name FROM aps_packages WHERE id = ".$app->db->quote($id).") + WHERE name = (SELECT name FROM aps_packages WHERE id = ?) AND package_status = 2 - ORDER BY REPLACE(version, '.', '')+0 DESC, `release` DESC"); + ORDER BY REPLACE(version, '.', '')+0 DESC, `release` DESC", $id); if(!empty($result) && ($id != $result['id'])) return $result['id']; @@ -180,7 +180,7 @@ class ApsGUIController extends ApsBase 'package_status = '.PACKAGE_ENABLED.' AND' : '(package_status = '.PACKAGE_ENABLED.' OR package_status = '.PACKAGE_LOCKED.') AND'; - $result = $app->db->queryOneRecord("SELECT id FROM aps_packages WHERE ".$sql_ext." id = ".$app->db->quote($id).";"); + $result = $app->db->queryOneRecord("SELECT id FROM aps_packages WHERE ".$sql_ext." id = ?", $id); if(!$result) return false; return true; @@ -203,9 +203,15 @@ class ApsGUIController extends ApsBase if(preg_match('/^[0-9]+$/', $id) != 1) return false; // Only filter if not admin - $sql_ext = (!$is_admin) ? 'customer_id = '.$app->db->quote($client_id).' AND' : ''; - - $result = $app->db->queryOneRecord('SELECT id FROM aps_instances WHERE '.$sql_ext.' id = '.$app->db->quote($id).';'); + $params = array(); + $sql_ext = ''; + if(!$is_admin) { + $sql_ext = 'customer_id = ? AND '; + $params[] = $client_id; + } + $params[] = $id; + + $result = $app->db->queryOneRecord('SELECT id FROM aps_instances WHERE '.$sql_ext.' id = ?', true, $params); if(!$result) return false; return true; @@ -226,7 +232,7 @@ class ApsGUIController extends ApsBase unset($tmp); // get information if the webserver is a db server, too - $web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ".$app->functions->intval($websrv['server_id'])); + $web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ?", $websrv['server_id']); if($web_server['db_server'] == 1) { // create database on "localhost" (webserver) $mysql_db_server_id = $app->functions->intval($websrv['server_id']); @@ -235,7 +241,7 @@ class ApsGUIController extends ApsBase $mysql_db_remote_ips = ''; } else { //* get the default database server of the client - $client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($websrv['sys_groupid'])); + $client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $websrv['sys_groupid']); if(is_array($client) && $client['default_dbserver'] > 0 && $client['default_dbserver'] != $websrv['server_id']) { $mysql_db_server_id = $app->functions->intval($client['default_dbserver']); $dbserver_config = $web_config = $app->getconf->get_server_config($app->functions->intval($mysql_db_server_id), 'server'); @@ -263,7 +269,7 @@ class ApsGUIController extends ApsBase //* Find a free db name for the app for($n = 1; $n <= 1000; $n++) { $mysql_db_name = $app->db->quote(($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps'))); - $tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = '".$app->db->quote($mysql_db_name)."'"); + $tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = ?", $mysql_db_name); if($tmp['number'] == 0) break; } $settings['main_database_name'] = $mysql_db_name; @@ -272,14 +278,14 @@ class ApsGUIController extends ApsBase //* Find a free db username for the app for($n = 1; $n <= 1000; $n++) { $mysql_db_user = $app->db->quote(($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps'))); - $tmp = $app->db->queryOneRecord("SELECT count(database_user_id) as number FROM web_database_user WHERE database_user = '".$app->db->quote($mysql_db_user)."'"); + $tmp = $app->db->queryOneRecord("SELECT count(database_user_id) as number FROM web_database_user WHERE database_user = ?", $mysql_db_user); if($tmp['number'] == 0) break; } $settings['main_database_login'] = $mysql_db_user; } //* Create the mysql database user if not existing - $tmp = $app->db->queryOneRecord("SELECT database_user_id FROM web_database_user WHERE database_user = '".$app->db->quote($settings['main_database_login'])."'"); + $tmp = $app->db->queryOneRecord("SELECT database_user_id FROM web_database_user WHERE database_user = ?", $settings['main_database_login']); if(!$tmp) { $insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `database_user`, `database_user_prefix`, `database_password`) VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', 0, '".$settings['main_database_login']."', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('".$settings['main_database_password']."'))"; @@ -288,7 +294,7 @@ class ApsGUIController extends ApsBase else $mysql_db_user_id = $tmp['database_user_id']; //* Create the mysql database if not existing - $tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = '".$app->db->quote($settings['main_database_name'])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = ?", $settings['main_database_name']); if($tmp['number'] == 0) { $insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `parent_domain_id`, `type`, `database_name`, `database_name_prefix`, `database_user_id`, `database_ro_user_id`, `database_charset`, `remote_access`, `remote_ips`, `backup_copies`, `active`, `backup_interval`) VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', $mysql_db_server_id, ".$app->functions->intval($websrv['domain_id']).", 'mysql', '".$settings['main_database_name']."', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$app->functions->intval($websrv['backup_copies']).", 'y', '".$app->functions->intval($websrv['backup_interval'])."')"; @@ -312,7 +318,7 @@ class ApsGUIController extends ApsBase $app->uses('tools_sites'); $webserver_id = 0; - $websrv = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = '".$app->db->quote($settings['main_domain'])."';"); + $websrv = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = ?", $settings['main_domain']); if(!empty($websrv)) $webserver_id = $websrv['server_id']; $customerid = $this->getCustomerIDFromDomain($settings['main_domain']); @@ -336,7 +342,7 @@ class ApsGUIController extends ApsBase //* Create the MySQL database for the application if necessary - $pkg = $app->db->queryOneRecord('SELECT * FROM aps_packages WHERE id = '.$app->db->quote($packageid).';'); + $pkg = $app->db->queryOneRecord('SELECT * FROM aps_packages WHERE id = ?', $packageid); $metafile = $this->interface_pkg_dir.'/'.$pkg['path'].'/APP-META.xml'; $sxe = $this->readInMetaFile($metafile); @@ -371,24 +377,14 @@ class ApsGUIController extends ApsBase public function deleteInstance($instanceid, $keepdatabase = false) { global $app; - /* - $app->db->query("UPDATE aps_instances SET instance_status = ".INSTANCE_REMOVE." WHERE id = ".$instanceid.";"); - - $webserver_id = $this->getInstanceDataForDatalog($instanceid); - if($webserver_id == '') return; - - // Create a sys_datalog entry for deletion - $datalog = array('Instance_id' => $instanceid, 'server_id' => $webserver_id); - $app->db->datalogSave('aps', 'DELETE', 'id', $instanceid, array(), $datalog); - */ if (!$keepdatabase) { - $sql = "SELECT web_database.database_id as database_id, web_database.database_user_id as `database_user_id` FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ".$instanceid." LIMIT 0,1"; - $tmp = $app->db->queryOneRecord($sql); + $sql = "SELECT web_database.database_id as database_id, web_database.database_user_id as `database_user_id` FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ? LIMIT 0,1"; + $tmp = $app->db->queryOneRecord($sql, $instanceid); if($tmp['database_id'] > 0) $app->db->datalogDelete('web_database', 'database_id', $tmp['database_id']); $database_user = $tmp['database_user_id']; - $tmp = $app->db->queryOneRecord("SELECT COUNT(*) as `cnt` FROM `web_database` WHERE `database_user_id` = '" . $app->functions->intval($database_user) . "' OR `database_ro_user_id` = '" . $app->functions->intval($database_user) . "'"); + $tmp = $app->db->queryOneRecord("SELECT COUNT(*) as `cnt` FROM `web_database` WHERE `database_user_id` = ? OR `database_ro_user_id` = ?", $database_user, $database_user); if($tmp['cnt'] < 1) $app->db->datalogDelete('web_database_user', 'database_user_id', $database_user); } @@ -406,7 +402,7 @@ class ApsGUIController extends ApsBase { global $app; - $pkg = $app->db->queryOneRecord('SELECT * FROM aps_packages WHERE id = '.$app->db->quote($id).';'); + $pkg = $app->db->queryOneRecord('SELECT * FROM aps_packages WHERE id = ?', $id); // Load in meta file if existing and register its namespaces $metafile = $this->interface_pkg_dir.'/'.$pkg['path'].'/APP-META.xml'; @@ -528,7 +524,7 @@ class ApsGUIController extends ApsBase if(in_array($postinput['main_domain'], $domains)) { $docroot = $app->db->queryOneRecord("SELECT document_root FROM web_domain - WHERE domain = '".$app->db->quote($postinput['main_domain'])."';"); + WHERE domain = ?", $postinput['main_domain']); $new_path = $docroot['document_root']; if(substr($new_path, -1) != '/') $new_path .= '/'; $new_path .= $main_location; @@ -543,13 +539,13 @@ class ApsGUIController extends ApsBase $instance_domains = $app->db->queryAllRecords("SELECT instance_id, s.value AS domain FROM aps_instances AS i, aps_instances_settings AS s WHERE i.id = s.instance_id AND s.name = 'main_domain' - AND i.customer_id = '".$app->db->quote($customerid)."';"); + AND i.customer_id = ?", $customerid); for($i = 0; $i < count($instance_domains); $i++) { $used_path = ''; $doc_root = $app->db->queryOneRecord("SELECT document_root FROM web_domain - WHERE domain = '".$app->db->quote($instance_domains[$i]['domain'])."';"); + WHERE domain = ?", $instance_domains[$i]['domain']); // Probably the domain settings were changed later, so make sure the doc_root // is not empty for further validation @@ -560,7 +556,7 @@ class ApsGUIController extends ApsBase $location_for_domain = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_location' - AND instance_id = '".$app->db->quote($instance_domains[$i]['instance_id'])."';"); + AND instance_id = ?", $instance_domains[$i]['instance_id']); // The location might be empty but the DB return must not be false! if($location_for_domain) $used_path .= $location_for_domain['value']; @@ -693,7 +689,7 @@ class ApsGUIController extends ApsBase { global $app; - $pkg = $app->db->queryOneRecord('SELECT * FROM aps_packages WHERE id = '.$app->db->quote($id).';'); + $pkg = $app->db->queryOneRecord('SELECT * FROM aps_packages WHERE id = ?', $id); // Load in meta file if existing and register its namespaces $metafile = $this->interface_pkg_dir.'/'.$pkg['path'].'/APP-META.xml'; diff --git a/interface/lib/classes/auth.inc.php b/interface/lib/classes/auth.inc.php index 70c1722aed..562cf40226 100644 --- a/interface/lib/classes/auth.inc.php +++ b/interface/lib/classes/auth.inc.php @@ -57,7 +57,7 @@ class auth { global $app, $conf; $userid = $app->functions->intval($userid); - $client = $app->db->queryOneRecord("SELECT client.limit_client FROM sys_user, client WHERE sys_user.userid = $userid AND sys_user.client_id = client.client_id"); + $client = $app->db->queryOneRecord("SELECT client.limit_client FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id", $userid); if($client['limit_client'] != 0) { return true; } else { @@ -73,12 +73,12 @@ class auth { $groupid = $app->functions->intval($groupid); if($userid > 0 && $groupid > 0) { - $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = $userid"); + $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ?", $userid); $groups = explode(',', $user['groups']); if(!in_array($groupid, $groups)) $groups[] = $groupid; $groups_string = implode(',', $groups); - $sql = "UPDATE sys_user SET groups = '$groups_string' WHERE userid = $userid"; - $app->db->query($sql); + $sql = "UPDATE sys_user SET groups = ? WHERE userid = ?"; + $app->db->query($sql, $groups_string, $userid); return true; } else { return false; @@ -95,7 +95,7 @@ class auth { // simple query cache if($this->client_limits===null) - $this->client_limits = $app->db->queryOneRecord("SELECT client.* FROM sys_user, client WHERE sys_user.userid = $userid AND sys_user.client_id = client.client_id"); + $this->client_limits = $app->db->queryOneRecord("SELECT client.* FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id", $userid); // isn't client -> no limit if(!$this->client_limits) @@ -114,13 +114,13 @@ class auth { $groupid = $app->functions->intval($groupid); if($userid > 0 && $groupid > 0) { - $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = $userid"); + $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ", $userid); $groups = explode(',', $user['groups']); $key = array_search($groupid, $groups); unset($groups[$key]); $groups_string = implode(',', $groups); - $sql = "UPDATE sys_user SET groups = '$groups_string' WHERE userid = $userid"; - $app->db->query($sql); + $sql = "UPDATE sys_user SET groups = ? WHERE userid = ?"; + $app->db->query($sql, $groups_string, $userid); return true; } else { return false; diff --git a/interface/lib/classes/client_templates.inc.php b/interface/lib/classes/client_templates.inc.php index 993936b2ce..e3141d792e 100644 --- a/interface/lib/classes/client_templates.inc.php +++ b/interface/lib/classes/client_templates.inc.php @@ -49,7 +49,7 @@ class client_templates { if($old_style == true) { // we have to take care of this in an other way - $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId)); + $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ?', $clientId); if(is_array($in_db) && count($in_db) > 0) { foreach($in_db as $item) { if(array_key_exists($item['client_template_id'], $needed_types) == false) $needed_types[$item['client_template_id']] = 0; @@ -61,24 +61,24 @@ class client_templates { if($count > 0) { // add new template to client (includes those from old-style without assigned_template_id) for($i = $count; $i > 0; $i--) { - $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($tpl_id) . ')'); + $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (?, ?)', $clientId, $tpl_id); } } elseif($count < 0) { // remove old ones for($i = $count; $i < 0; $i++) { - $app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ' . $app->functions->intval($clientId) . ' AND client_template_id = ' . $app->functions->intval($tpl_id) . ' LIMIT 1'); + $app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ? AND client_template_id = ? LIMIT 1', $clientId, $tpl_id); } } } } else { // we have to take care of this in an other way - $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId)); + $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ?', $clientId); if(is_array($in_db) && count($in_db) > 0) { // check which templates were removed from this client foreach($in_db as $item) { if(in_array($item['assigned_template_id'], $used_assigned) == false) { // delete this one - $app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $app->functions->intval($item['assigned_template_id'])); + $app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ?', $item['assigned_template_id']); } } } @@ -86,7 +86,7 @@ class client_templates { if(count($new_tpl) > 0) { foreach($new_tpl as $item) { // add new template to client (includes those from old-style without assigned_template_id) - $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($item) . ')'); + $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (?, ?)', $clientId, $item); } } } @@ -106,8 +106,8 @@ class client_templates { /* * Get the master-template for the client */ - $sql = "SELECT template_master, template_additional,limit_client FROM client WHERE client_id = " . $app->functions->intval($clientId); - $record = $app->db->queryOneRecord($sql); + $sql = "SELECT template_master, template_additional,limit_client FROM client WHERE client_id = ?"; + $record = $app->db->queryOneRecord($sql, $clientId); $masterTemplateId = $record['template_master']; $is_reseller = ($record['limit_client'] != 0)?true:false; @@ -115,15 +115,15 @@ class client_templates { // we have to call the update_client_templates function $templates = explode('/', $record['template_additional']); $this->update_client_templates($clientId, $templates); - $app->db->query('UPDATE `client` SET `template_additional` = \'\' WHERE `client_id` = ' . $app->functions->intval($clientId)); + $app->db->query('UPDATE `client` SET `template_additional` = \'\' WHERE `client_id` = ?', $clientId); } /* * if the master-Template is custom there is NO changing */ if ($masterTemplateId > 0){ - $sql = "SELECT * FROM client_template WHERE template_id = " . $app->functions->intval($masterTemplateId); - $limits = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM client_template WHERE template_id = ?"; + $limits = $app->db->queryOneRecord($sql, $masterTemplateId); } else { // if there is no master template it makes NO SENSE adding sub templates. // adding subtemplates are stored in client limits, so they would add up @@ -136,11 +136,11 @@ class client_templates { * if != -1) */ $addTpl = explode('/', $additionalTemplateStr); - $addTpls = $app->db->queryAllRecords('SELECT `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId)); + $addTpls = $app->db->queryAllRecords('SELECT `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ?', $clientId); foreach ($addTpls as $addTpl){ $item = $addTpl['client_template_id']; - $sql = "SELECT * FROM client_template WHERE template_id = " . $app->functions->intval($item); - $addLimits = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM client_template WHERE template_id = ?"; + $addLimits = $app->db->queryOneRecord($sql, $item); $app->log('Template processing subtemplate ' . $item . ' for client ' . $clientId, LOGLEVEL_DEBUG); /* maybe the template is deleted in the meantime */ if (is_array($addLimits)){ @@ -232,6 +232,7 @@ class client_templates { * Write all back to the database */ $update = ''; + $update_values = array(); if(!$is_reseller) unset($limits['limit_client']); // Only Resellers may have limit_client set in template to ensure that we do not convert a client to reseller accidently. foreach($limits as $k => $v){ if (strpos($k, 'default') !== false and $v == 0) { @@ -239,13 +240,16 @@ class client_templates { } if ((strpos($k, 'limit') !== false or strpos($k, 'default') !== false or $k == 'ssh_chroot' or $k == 'web_php_options' or $k == 'force_suexec') && !is_array($v)){ if ($update != '') $update .= ', '; - $update .= '`' . $k . "`='" . $v . "'"; + $update .= '?? = ?'; + $update_values[] = $k; + $update_values[] = $v; } } + $update_values[] = $clientId; $app->log('Template processed for client ' . $clientId . ', update string: ' . $update, LOGLEVEL_DEBUG); if($update != '') { - $sql = 'UPDATE client SET ' . $update . " WHERE client_id = " . $app->functions->intval($clientId); - $app->db->query($sql); + $sql = 'UPDATE client SET ' . $update . " WHERE client_id = ?"; + $app->db->query($sql, true, $update_values); } unset($form); } diff --git a/interface/lib/classes/custom_datasource.inc.php b/interface/lib/classes/custom_datasource.inc.php index 16036f599c..92caa87182 100644 --- a/interface/lib/classes/custom_datasource.inc.php +++ b/interface/lib/classes/custom_datasource.inc.php @@ -47,12 +47,12 @@ class custom_datasource { if($_SESSION["s"]["user"]["typ"] == 'user') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); - $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_dnsserver']); + $client = $app->db->queryOneRecord("SELECT default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ", $client_group_id); + $sql = "SELECT server_id,server_name FROM server WHERE server_id = ?"; } else { $sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name"; } - $records = $app->db->queryAllRecords($sql); + $records = $app->db->queryAllRecords($sql, $client['default_dnsserver']); $records_new = array(); if(is_array($records)) { foreach($records as $rec) { @@ -69,12 +69,12 @@ class custom_datasource { if($_SESSION["s"]["user"]["typ"] == 'user') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); - $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_slave_dnsserver']); + $client = $app->db->queryOneRecord("SELECT default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ", $client_group_id); + $sql = "SELECT server_id,server_name FROM server WHERE server_id = ?"); } else { $sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name"; } - $records = $app->db->queryAllRecords($sql); + $records = $app->db->queryAllRecords($sql, $client['default_slave_dnsserver']); $records_new = array(); if(is_array($records)) { foreach($records as $rec) { @@ -99,7 +99,7 @@ class custom_datasource { } if(count($server_ids) == 0) return array(); $server_ids = implode(',', $server_ids); - $records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN (".$app->db->quote($server_ids).") AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain"); + $records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN ? AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain", $server_ids); $records_new = array(); if(is_array($records)) { @@ -159,22 +159,25 @@ class custom_datasource { if($_SESSION["s"]["user"]["typ"] == 'user') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $sql = "SELECT $server_type as server_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"; - $client = $app->db->queryOneRecord($sql); + $sql = "SELECT $server_type as server_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?"; + $client = $app->db->queryOneRecord($sql, $client_group_id); if($client['server_id'] > 0) { //* Select the default server for the client - $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['server_id']); + $sql = "SELECT server_id,server_name FROM server WHERE server_id = ?"; + $records = $app->db->queryAllRecords($sql, $client['server_id']); } else { //* Not able to find the clients defaults, use this as fallback and add a warning message to the log $app->log('Unable to find default server for client in custom_datasource.inc.php', 1); - $sql = "SELECT server_id,server_name FROM server WHERE $field = 1 ORDER BY server_name"; + $sql = "SELECT server_id,server_name FROM server WHERE ?? = 1 ORDER BY server_name"; + $records = $app->db->queryAllRecords($sql, $field); } } else { //* The logged in user is admin, so we show him all available servers of a specific type. - $sql = "SELECT server_id,server_name FROM server WHERE $field = 1 ORDER BY server_name"; + $sql = "SELECT server_id,server_name FROM server WHERE ?? = 1 ORDER BY server_name"; + $records = $app->db->queryAllRecords($sql, $field); } - $records = $app->db->queryAllRecords($sql); + $records_new = array(); if(is_array($records)) { foreach($records as $rec) { diff --git a/interface/lib/classes/functions.inc.php b/interface/lib/classes/functions.inc.php index 2be5fb7df0..5bbff40158 100644 --- a/interface/lib/classes/functions.inc.php +++ b/interface/lib/classes/functions.inc.php @@ -202,7 +202,7 @@ class functions { } $ips = array(); - $results = $app->db->queryAllRecords("SELECT ip_address AS ip, server_id FROM server_ip WHERE ip_type = '".$app->db->quote($type)."'"); + $results = $app->db->queryAllRecords("SELECT ip_address AS ip, server_id FROM server_ip WHERE ip_type = ?", $type); if(!empty($results) && is_array($results)){ foreach($results as $result){ if(preg_match($regex, $result['ip'])){ @@ -230,39 +230,6 @@ class functions { } } - /* - $results = $app->db->queryAllRecords("SELECT xfer FROM dns_slave WHERE xfer != ''"); - if(!empty($results) && is_array($results)){ - foreach($results as $result){ - $tmp_ips = explode(',', $result['xfer']); - foreach($tmp_ips as $tmp_ip){ - $tmp_ip = trim($tmp_ip); - if(preg_match($regex, $tmp_ip)) $ips[] = $tmp_ip; - } - } - } - $results = $app->db->queryAllRecords("SELECT xfer FROM dns_soa WHERE xfer != ''"); - if(!empty($results) && is_array($results)){ - foreach($results as $result){ - $tmp_ips = explode(',', $result['xfer']); - foreach($tmp_ips as $tmp_ip){ - $tmp_ip = trim($tmp_ip); - if(preg_match($regex, $tmp_ip)) $ips[] = $tmp_ip; - } - } - } - $results = $app->db->queryAllRecords("SELECT also_notify FROM dns_soa WHERE also_notify != ''"); - if(!empty($results) && is_array($results)){ - foreach($results as $result){ - $tmp_ips = explode(',', $result['also_notify']); - foreach($tmp_ips as $tmp_ip){ - $tmp_ip = trim($tmp_ip); - if(preg_match($regex, $tmp_ip)) $ips[] = $tmp_ip; - } - } - } - */ - $results = $app->db->queryAllRecords("SELECT remote_ips FROM web_database WHERE remote_ips != ''"); if(!empty($results) && is_array($results)){ foreach($results as $result){ diff --git a/interface/lib/classes/getconf.inc.php b/interface/lib/classes/getconf.inc.php index a246b1853c..ef9e0702d2 100644 --- a/interface/lib/classes/getconf.inc.php +++ b/interface/lib/classes/getconf.inc.php @@ -39,7 +39,7 @@ class getconf { if(!isset($this->config[$server_id])) { $app->uses('ini_parser'); $server_id = $app->functions->intval($server_id); - $server = $app->db->queryOneRecord('SELECT config FROM server WHERE server_id = '.$server_id); + $server = $app->db->queryOneRecord('SELECT config FROM server WHERE server_id = ?', $server_id); $this->config[$server_id] = $app->ini_parser->parse_ini_string(stripslashes($server['config'])); } return ($section == '') ? $this->config[$server_id] : $this->config[$server_id][$section]; diff --git a/interface/lib/classes/plugin_backuplist.inc.php b/interface/lib/classes/plugin_backuplist.inc.php index c399d87622..e9cd40c8c6 100644 --- a/interface/lib/classes/plugin_backuplist.inc.php +++ b/interface/lib/classes/plugin_backuplist.inc.php @@ -56,56 +56,42 @@ class plugin_backuplist extends plugin_base { $backup_id = $app->functions->intval($_GET['backup_id']); //* check if the user is owner of the parent domain - $domain_backup = $app->db->queryOneRecord("SELECT parent_domain_id FROM web_backup WHERE backup_id = ".$backup_id); + $domain_backup = $app->db->queryOneRecord("SELECT parent_domain_id FROM web_backup WHERE backup_id = ?", $backup_id); $check_perm = 'u'; if($_GET['backup_action'] == 'download') $check_perm = 'r'; // only check read permissions on download, not update permissions - $get_domain = $app->db->queryOneRecord("SELECT domain_id FROM web_domain WHERE domain_id = ".$app->functions->intval($domain_backup["parent_domain_id"])." AND ".$app->tform->getAuthSQL($check_perm)); + $get_domain = $app->db->queryOneRecord("SELECT domain_id FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL($check_perm), $domain_backup["parent_domain_id"]); if(empty($get_domain) || !$get_domain) { $app->error($app->tform->lng('no_domain_perm')); } if($_GET['backup_action'] == 'download' && $backup_id > 0) { $server_id = $this->form->dataRecord['server_id']; - $backup = $app->db->queryOneRecord("SELECT * FROM web_backup WHERE backup_id = ".$backup_id); + $backup = $app->db->queryOneRecord("SELECT * FROM web_backup WHERE backup_id = ?", $backup_id); if($backup['server_id'] > 0) $server_id = $backup['server_id']; - $sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_download' AND action_param = '$backup_id'"; - $tmp = $app->db->queryOneRecord($sql); + $sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_download' AND action_param = ?"; + $tmp = $app->db->queryOneRecord($sql, $backup_id); if($tmp['number'] == 0) { $message .= $wb['download_info_txt']; $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - (int)$server_id . ", " . - time() . ", " . - "'backup_download', " . - "'".$backup_id."', " . - "'pending', " . - "''" . - ")"; - $app->db->query($sql); + "VALUES (?, UNIX_TIMESTAMP(), 'backup_download', ?, 'pending', '')"; + $app->db->query($sql, $server_id, $backup_id); } else { $error .= $wb['download_pending_txt']; } } if($_GET['backup_action'] == 'restore' && $backup_id > 0) { $server_id = $this->form->dataRecord['server_id']; - $backup = $app->db->queryOneRecord("SELECT * FROM web_backup WHERE backup_id = ".$backup_id); + $backup = $app->db->queryOneRecord("SELECT * FROM web_backup WHERE backup_id = ?", $backup_id); if($backup['server_id'] > 0) $server_id = $backup['server_id']; $sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_restore' AND action_param = '$backup_id'"; $tmp = $app->db->queryOneRecord($sql); if($tmp['number'] == 0) { $message .= $wb['restore_info_txt']; $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - (int)$server_id . ", " . - time() . ", " . - "'backup_restore', " . - "'".$backup_id."', " . - "'pending', " . - "''" . - ")"; - $app->db->query($sql); + "VALUES (?, UNIX_TIMESTAMP(), 'backup_restore', ?, 'pending', '')"; + $app->db->query($sql, $server_id, $backup_id); } else { $error .= $wb['restore_pending_txt']; } @@ -115,8 +101,8 @@ class plugin_backuplist extends plugin_base { //* Get the data $server_ids = array_unique($server_ids); - $web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ".$app->functions->intval($this->form->id)); - $databases = $app->db->queryAllRecords("SELECT server_id FROM web_database WHERE parent_domain_id = ".$app->functions->intval($this->form->id)); + $web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ?", $this->form->id); + $databases = $app->db->queryAllRecords("SELECT server_id FROM web_database WHERE parent_domain_id = ?", $this->form->id); if($app->functions->intval($web['server_id']) > 0) $server_ids[] = $app->functions->intval($web['server_id']); if(is_array($databases) && !empty($databases)){ foreach($databases as $database){ @@ -124,8 +110,8 @@ class plugin_backuplist extends plugin_base { } } $server_ids = array_unique($server_ids); - $sql = "SELECT * FROM web_backup WHERE parent_domain_id = ".$app->functions->intval($this->form->id)." AND server_id IN (".implode(',', $server_ids).") ORDER BY tstamp DESC, backup_type ASC"; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM web_backup WHERE parent_domain_id = ? AND server_id IN ? ORDER BY tstamp DESC, backup_type ASC"; + $records = $app->db->queryAllRecords($sql, $this->form->id, $server_ids); $bgcolor = "#FFFFFF"; if(is_array($records)) { diff --git a/interface/lib/classes/plugin_backuplist_mail.inc.php b/interface/lib/classes/plugin_backuplist_mail.inc.php index 847428389e..901901a3ed 100644 --- a/interface/lib/classes/plugin_backuplist_mail.inc.php +++ b/interface/lib/classes/plugin_backuplist_mail.inc.php @@ -55,42 +55,15 @@ class plugin_backuplist_mail extends plugin_base { if(isset($_GET['backup_action'])) { $backup_id = $app->functions->intval($_GET['backup_id']); -/* - if($_GET['backup_action'] == 'download_mail' && $backup_id > 0) { - $sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_download' AND action_param = '$backup_id'"; - $tmp = $app->db->queryOneRecord($sql); - if($tmp['number'] == 0) { - $message .= $wb['download_info_txt']; - $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - (int)$this->form->dataRecord['server_id'] . ", " . - time() . ", " . - "'backup_download', " . - "'".$backup_id."', " . - "'pending', " . - "''" . - ")"; - $app->db->query($sql); - } else { - $error .= $wb['download_pending_txt']; - } - } -*/ + if($_GET['backup_action'] == 'restore_mail' && $backup_id > 0) { - $sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_restore_mail' AND action_param = '$backup_id'"; - $tmp = $app->db->queryOneRecord($sql); + $sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_restore_mail' AND action_param = ?"; + $tmp = $app->db->queryOneRecord($sql, $backup_id); if($tmp['number'] == 0) { $message .= $wb['restore_info_txt']; $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - (int)$this->form->dataRecord['server_id'] . ", " . - time() . ", " . - "'backup_restore_mail', " . - "'".$backup_id."', " . - "'pending', " . - "''" . - ")"; - $app->db->query($sql); + "VALUES (?, ? 'backup_restore_mail', ?, 'pending','')"; + $app->db->query($sql, $this->form->dataRecord['server_id'], time(), $backup_id); } else { $error .= $wb['restore_pending_txt']; } @@ -98,8 +71,8 @@ class plugin_backuplist_mail extends plugin_base { } //* Get the data - $sql = "SELECT * FROM mail_backup WHERE mailuser_id = ".$this->form->id." ORDER BY tstamp DESC"; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM mail_backup WHERE mailuser_id = ? ORDER BY tstamp DESC"; + $records = $app->db->queryAllRecords($sql, $this->form->id); $bgcolor = "#FFFFFF"; if(is_array($records)) { foreach($records as $rec) { diff --git a/interface/lib/classes/plugin_listview.inc.php b/interface/lib/classes/plugin_listview.inc.php index e7d576cd17..c50cb9177f 100644 --- a/interface/lib/classes/plugin_listview.inc.php +++ b/interface/lib/classes/plugin_listview.inc.php @@ -126,7 +126,7 @@ class plugin_listview extends plugin_base { // Get the data - $records = $app->db->queryAllRecords("SELECT * FROM ".$app->listform->listDef["table"]." WHERE $sql_where $sql_order_by $limit_sql"); + $records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE $sql_where $sql_order_by $limit_sql", $app->listform->listDef["table"]); $bgcolor = "#FFFFFF"; if(is_array($records)) { diff --git a/interface/lib/classes/quota_lib.inc.php b/interface/lib/classes/quota_lib.inc.php index 794db538b9..24a3ce3d0d 100644 --- a/interface/lib/classes/quota_lib.inc.php +++ b/interface/lib/classes/quota_lib.inc.php @@ -103,9 +103,9 @@ class quota_lib { // select vhosts (belonging to client) if($clientid != null){ - $sql_where = " AND sys_groupid = (SELECT default_group FROM sys_user WHERE client_id=".$clientid.")"; + $sql_where = " AND sys_groupid = (SELECT default_group FROM sys_user WHERE client_id=?)"; } - $sites = $app->db->queryAllRecords("SELECT * FROM web_domain WHERE active = 'y' AND (type = 'vhost' OR type = 'vhostsubdomain' OR type = 'vhostalias')".$sql_where); + $sites = $app->db->queryAllRecords("SELECT * FROM web_domain WHERE active = 'y' AND (type = 'vhost' OR type = 'vhostsubdomain' OR type = 'vhostalias')".$sql_where, $clientid); $hostnames = array(); $traffic_data = array(); @@ -120,12 +120,12 @@ class quota_lib { $tmp_year = date('Y'); $tmp_month = date('m'); // This Month - $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND MONTH(traffic_date) = ? AND hostname IN ('".join("','",$hostnames)."') GROUP BY hostname", $tmp_year, $tmp_month); + $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND MONTH(traffic_date) = ? AND hostname IN ? GROUP BY hostname", $tmp_year, $tmp_month, $hostnames); foreach ($tmp_recs as $tmp_rec) { $traffic_data[$tmp_rec['hostname']]['this_month'] = $tmp_rec['t']; } // This Year - $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND hostname IN ('".join("','",$hostnames)."') GROUP BY hostname", $tmp_year); + $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND hostname IN ? GROUP BY hostname", $tmp_year, $hostnames); foreach ($tmp_recs as $tmp_rec) { $traffic_data[$tmp_rec['hostname']]['this_year'] = $tmp_rec['t']; } @@ -133,21 +133,21 @@ class quota_lib { $tmp_year = date('Y', mktime(0, 0, 0, date("m")-1, date("d"), date("Y"))); $tmp_month = date('m', mktime(0, 0, 0, date("m")-1, date("d"), date("Y"))); // Last Month - $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND MONTH(traffic_date) = ? AND hostname IN ('".join("','",$hostnames)."') GROUP BY hostname", $tmp_year, $tmp_month); + $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND MONTH(traffic_date) = ? AND hostname IN ? GROUP BY hostname", $tmp_year, $tmp_month, $hostnames); foreach ($tmp_recs as $tmp_rec) { $traffic_data[$tmp_rec['hostname']]['last_month'] = $tmp_rec['t']; } $tmp_year = date('Y', mktime(0, 0, 0, date("m"), date("d"), date("Y")-1)); // Last Year - $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND hostname IN ('".join("','",$hostnames)."') GROUP BY hostname", $tmp_year); + $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE YEAR(traffic_date) = ? AND hostname IN ? GROUP BY hostname", $tmp_year, $hostnames); foreach ($tmp_recs as $tmp_rec) { $traffic_data[$tmp_rec['hostname']]['last_year'] = $tmp_rec['t']; } if (is_int($lastdays) && ($lastdays > 0)) { // Last xx Days - $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE (traffic_date >= DATE_SUB(NOW(), INTERVAL ".$app->db->quote($lastdays)." DAY)) AND hostname IN ('".join("','",$hostnames)."') GROUP BY hostname"); + $tmp_recs = $app->db->queryAllRecords("SELECT hostname, SUM(traffic_bytes) as t FROM web_traffic WHERE (traffic_date >= DATE_SUB(NOW(), INTERVAL ? DAY)) AND hostname IN ? GROUP BY hostname", $lastdays, $hostnames); foreach ($tmp_recs as $tmp_rec) { $traffic_data[$tmp_rec['hostname']]['lastdays'] = $tmp_rec['t']; } diff --git a/interface/lib/classes/remote.d/admin.inc.php b/interface/lib/classes/remote.d/admin.inc.php index ba966fe1ab..2541ca5c19 100644 --- a/interface/lib/classes/remote.d/admin.inc.php +++ b/interface/lib/classes/remote.d/admin.inc.php @@ -60,7 +60,7 @@ class remoting_admin extends remoting { switch($key) { case 'sys_userid': // check if userid is valid - $check = $app->db->queryOneRecord('SELECT userid FROM sys_user WHERE userid = ' . $app->functions->intval($value)); + $check = $app->db->queryOneRecord('SELECT userid FROM sys_user WHERE userid = ?', $app->functions->intval($value)); if(!$check || !$check['userid']) { $this->server->fault('invalid parameters', $value . ' is no valid sys_userid.'); return false; @@ -69,7 +69,7 @@ class remoting_admin extends remoting { break; case 'sys_groupid': // check if groupid is valid - $check = $app->db->queryOneRecord('SELECT groupid FROM sys_group WHERE groupid = ' . $app->functions->intval($value)); + $check = $app->db->queryOneRecord('SELECT groupid FROM sys_group WHERE groupid = ?', $app->functions->intval($value)); if(!$check || !$check['groupid']) { $this->server->fault('invalid parameters', $value . ' is no valid sys_groupid.'); return false; diff --git a/interface/lib/classes/remote.d/aps.inc.php b/interface/lib/classes/remote.d/aps.inc.php index 78c066c5eb..b626f1b7ab 100644 --- a/interface/lib/classes/remote.d/aps.inc.php +++ b/interface/lib/classes/remote.d/aps.inc.php @@ -241,8 +241,8 @@ class remoting_aps extends remoting { return false; } - $sql = "SELECT * FROM web_domain WHERE domain = '".$app->db->quote($params['main_domain'])."'"; - $domain = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM web_domain WHERE domain = ?"; + $domain = $app->db->queryOneRecord($sql, $params['main_domain']); if (!$domain) { $this->server->fault('invalid parameters', 'No valid domain given.'); @@ -269,8 +269,8 @@ class remoting_aps extends remoting { return false; } - $sql = "SELECT * FROM aps_instances WHERE id = ".$app->functions->intval($primary_id); - $result = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM aps_instances WHERE id = ?"; + $result = $app->db->queryOneRecord($sql, $app->functions->intval($primary_id)); return $result; } @@ -283,8 +283,8 @@ class remoting_aps extends remoting { return false; } - $sql = "SELECT * FROM aps_instances_settings WHERE instance_id = ".$app->functions->intval($primary_id); - $result = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM aps_instances_settings WHERE instance_id = ?"; + $result = $app->db->queryAllRecords($sql, $app->functions->intval($primary_id)); return $result; } @@ -301,8 +301,8 @@ class remoting_aps extends remoting { $gui = new ApsGUIController($app); // Check if Instance exists - $sql = "SELECT * FROM aps_instances WHERE id = ".$app->functions->intval($primary_id); - $result = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM aps_instances WHERE id = ?"; + $result = $app->db->queryOneRecord($sql, $primary_id); if (!$result) { $this->server->fault('instance_error', 'No valid instance id given.'); diff --git a/interface/lib/classes/remote.d/client.inc.php b/interface/lib/classes/remote.d/client.inc.php index d780ec8533..f0c7b8f9f1 100644 --- a/interface/lib/classes/remote.d/client.inc.php +++ b/interface/lib/classes/remote.d/client.inc.php @@ -65,7 +65,7 @@ class remoting_client extends remoting { if(isset($data['client_id'])) { // this is a single record if($data['template_additional'] == '') { - $tpls = $app->db->queryAllRecords('SELECT CONCAT(`assigned_template_id`, \':\', `client_template_id`) as `item` FROM `client_template_assigned` WHERE `client_id` = ' . $data['client_id']); + $tpls = $app->db->queryAllRecords('SELECT CONCAT(`assigned_template_id`, \':\', `client_template_id`) as `item` FROM `client_template_assigned` WHERE `client_id` = ?', $data['client_id']); $tpl_arr = array(); if($tpls) { foreach($tpls as $tpl) $tpl_arr[] = $tpl['item']; @@ -78,7 +78,7 @@ class remoting_client extends remoting { // multiple client records foreach($data as $index => $client) { if($client['template_additional'] == '') { - $tpls = $app->db->queryAllRecords('SELECT CONCAT(`assigned_template_id`, \':\', `client_template_id`) as `item` FROM `client_template_assigned` WHERE `client_id` = ' . $client['client_id']); + $tpls = $app->db->queryAllRecords('SELECT CONCAT(`assigned_template_id`, \':\', `client_template_id`) as `item` FROM `client_template_assigned` WHERE `client_id` = ?', $client['client_id']); $tpl_arr = array(); if($tpls) { foreach($tpls as $tpl) $tpl_arr[] = $tpl['item']; @@ -104,7 +104,7 @@ class remoting_client extends remoting { $sys_userid = $app->functions->intval($sys_userid); - $rec = $app->db->queryOneRecord("SELECT client_id FROM sys_user WHERE userid = ".$sys_userid); + $rec = $app->db->queryOneRecord("SELECT client_id FROM sys_user WHERE userid = ?", $sys_userid); if(isset($rec['client_id'])) { return $app->functions->intval($rec['client_id']); } else { @@ -125,7 +125,7 @@ class remoting_client extends remoting { $client_id = $app->functions->intval($client_id); - $rec = $app->db->queryOneRecord("SELECT company_name,contact_name,gender,email,language FROM client WHERE client_id = ".$client_id); + $rec = $app->db->queryOneRecord("SELECT company_name,contact_name,gender,email,language FROM client WHERE client_id = ?", $client_id); if(is_array($rec)) { return $rec; @@ -145,7 +145,7 @@ class remoting_client extends remoting { $client_id = $app->functions->intval($client_id); - $rec = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client_id); + $rec = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client_id); if(isset($rec['groupid'])) { return $app->functions->intval($rec['groupid']); } else { @@ -169,7 +169,7 @@ class remoting_client extends remoting { if($params['parent_client_id']) { // check if this one is reseller - $check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($params['parent_client_id'])); + $check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ?', intval($params['parent_client_id'])); if($check['limit_client'] == 0) { $this->server->fault('Invalid reseller', 'Selected client is not a reseller.'); return false; @@ -208,7 +208,7 @@ class remoting_client extends remoting { if($params['parent_client_id']) { // check if this one is reseller - $check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($params['parent_client_id'])); + $check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ?', intval($params['parent_client_id'])); if($check['limit_client'] == 0) { $this->server->fault('Invalid reseller', 'Selected client is not a reseller.'); return false; @@ -221,7 +221,7 @@ class remoting_client extends remoting { } // we need the previuos templates assigned here - $this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ' . $client_id); + $this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ?', $client_id); if(!is_array($this->oldTemplatesAssigned) || count($this->oldTemplatesAssigned) < 1) { // check previous type of storing templates $tpls = explode('/', $old_rec['template_additional']); @@ -258,8 +258,8 @@ class remoting_client extends remoting { } if(@is_numeric($client_id)) { - $sql = "SELECT * FROM `client_template_assigned` WHERE `client_id` = ".$client_id; - return $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM `client_template_assigned` WHERE `client_id` = ?"; + return $app->db->queryOneRecord($sql, $client_id); } else { $this->server->fault('The ID must be an integer.'); return array(); @@ -270,10 +270,10 @@ class remoting_client extends remoting { global $app; $this->id = $client_id; - $this->dataRecord = $app->db->queryOneRecord('SELECT * FROM `client` WHERE `client_id` = ' . $client_id); + $this->dataRecord = $app->db->queryOneRecord('SELECT * FROM `client` WHERE `client_id` = ?', $client_id); $this->oldDataRecord = $this->dataRecord; - $this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ' . $client_id); + $this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ?', $client_id); if(!is_array($this->oldTemplatesAssigned) || count($this->oldTemplatesAssigned) < 1) { // check previous type of storing templates $tpls = explode('/', $this->oldDataRecord['template_additional']); @@ -297,13 +297,13 @@ class remoting_client extends remoting { if(@is_numeric($client_id) && @is_numeric($template_id)) { // check if client exists - $check = $app->db->queryOneRecord('SELECT `client_id` FROM `client` WHERE `client_id` = ' . $client_id); + $check = $app->db->queryOneRecord('SELECT `client_id` FROM `client` WHERE `client_id` = ?', $client_id); if(!$check) { $this->server->fault('Invalid client'); return false; } // check if template exists - $check = $app->db->queryOneRecord('SELECT `template_id` FROM `client_template` WHERE `template_id` = ' . $template_id); + $check = $app->db->queryOneRecord('SELECT `template_id` FROM `client_template` WHERE `template_id` = ?', $template_id); if(!$check) { $this->server->fault('Invalid template'); return false; @@ -312,8 +312,8 @@ class remoting_client extends remoting { // for the update event we have to cheat a bit $this->_set_client_formdata($client_id); - $sql = "INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (" . $client_id . ", " . $template_id . ")"; - $app->db->query($sql); + $sql = "INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (?, ?)"; + $app->db->query($sql, $client_id, $template_id); $insert_id = $app->db->insertID(); $app->plugin->raiseEvent('client:client:on_after_update', $this); @@ -335,13 +335,13 @@ class remoting_client extends remoting { if(@is_numeric($client_id) && @is_numeric($template_id)) { // check if client exists - $check = $app->db->queryOneRecord('SELECT `client_id` FROM `client` WHERE `client_id` = ' . $client_id); + $check = $app->db->queryOneRecord('SELECT `client_id` FROM `client` WHERE `client_id` = ?', $client_id); if(!$check) { $this->server->fault('Invalid client'); return false; } // check if template exists - $check = $app->db->queryOneRecord('SELECT `assigned_template_id` FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $assigned_template_id); + $check = $app->db->queryOneRecord('SELECT `assigned_template_id` FROM `client_template_assigned` WHERE `assigned_template_id` = ?', $assigned_template_id); if(!$check) { $this->server->fault('Invalid template'); return false; @@ -350,8 +350,8 @@ class remoting_client extends remoting { // for the update event we have to cheat a bit $this->_set_client_formdata($client_id); - $sql = "DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = " . $template_id . " AND `client_id` = " . $client_id; - $app->db->query($sql); + $sql = "DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ? AND `client_id` = ?"; + $app->db->query($sql, $template_id, $client_id); $affected_rows = $app->db->affectedRows(); $app->plugin->raiseEvent('client:client:on_after_update', $this); @@ -395,15 +395,15 @@ class remoting_client extends remoting { if($client_id > 0) { //* remove the group of the client from the resellers group $parent_client_id = $app->functions->intval($this->dataRecord['parent_client_id']); - $parent_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE client_id = $parent_client_id"); - $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = $client_id"); + $parent_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE client_id = ?", $parent_client_id); + $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client_id); $app->auth->remove_group_from_user($parent_user['userid'], $client_group['groupid']); //* delete the group of the client - $app->db->query("DELETE FROM sys_group WHERE client_id = $client_id"); + $app->db->query("DELETE FROM sys_group WHERE client_id = ", $client_id); //* delete the sys user(s) of the client - $app->db->query("DELETE FROM sys_user WHERE client_id = $client_id"); + $app->db->query("DELETE FROM sys_user WHERE client_id = ", $client_id); //* Delete all records (sub-clients, mail, web, etc....) of this client. $tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_traffic'; @@ -413,7 +413,7 @@ class remoting_client extends remoting { if($client_group_id > 1) { foreach($tables_array as $table) { if($table != '') { - $records = $app->db->queryAllRecords("SELECT * FROM $table WHERE sys_groupid = ".$client_group_id); + $records = $app->db->queryAllRecords("SELECT * FROM $table WHERE sys_groupid = ", $client_group_id); //* find the primary ID of the table $table_info = $app->db->tableInfo($table); $index_field = ''; @@ -428,11 +428,11 @@ class remoting_client extends remoting { $app->db->datalogDelete($table, $index_field, $rec[$index_field]); //* Delete traffic records that dont have a sys_groupid column if($table == 'web_domain') { - $app->db->query("DELETE FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."'"); + $app->db->query("DELETE FROM web_traffic WHERE hostname = ?", $rec['domain']); } //* Delete mail_traffic records that dont have a sys_groupid if($table == 'mail_user') { - $app->db->query("DELETE FROM mail_traffic WHERE mailuser_id = '".$app->db->quote($rec['mailuser_id'])."'"); + $app->db->query("DELETE FROM mail_traffic WHERE mailuser_id = ?", $rec['mailuser_id']); } } } @@ -469,7 +469,7 @@ class remoting_client extends remoting { return false; } $username = $app->db->quote($username); - $rec = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE username = '".$username."'"); + $rec = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE username = ?", $username); if (isset($rec)) { return $rec; } else { @@ -517,13 +517,13 @@ class remoting_client extends remoting { return false; } $client_id = $app->functions->intval($client_id); - $client = $app->db->queryOneRecord("SELECT client_id FROM client WHERE client_id = ".$client_id); + $client = $app->db->queryOneRecord("SELECT client_id FROM client WHERE client_id = ?", $client_id); if($client['client_id'] > 0) { $new_password = $app->db->quote($new_password); - $sql = "UPDATE client SET password = md5('".($new_password)."') WHERE client_id = ".$client_id; - $app->db->query($sql); - $sql = "UPDATE sys_user SET passwort = md5('".($new_password)."') WHERE client_id = ".$client_id; - $app->db->query($sql); + $sql = "UPDATE client SET password = md5(?) WHERE client_id = ?"; + $app->db->query($sql, $new_password, $client_id); + $sql = "UPDATE sys_user SET passwort = md5(?) WHERE client_id = ?"; + $app->db->query($sql, $new_password, $client_id); return true; } else { throw new SoapFault('no_client_found', 'There is no user account for this client_id'); @@ -567,8 +567,8 @@ class remoting_client extends remoting { } //* Check failed logins - $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '".$app->db->quote($remote_ip)."' AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1"; - $alreadyfailed = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1"; + $alreadyfailed = $app->db->queryOneRecord($sql, $remote_ip); //* too many failedlogins if($alreadyfailed['times'] > 5) { @@ -582,8 +582,8 @@ class remoting_client extends remoting { if(strstr($username,'@')) { // Check against client table - $sql = "SELECT * FROM client WHERE email = '".$app->db->quote($username)."'"; - $user = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM client WHERE email = ?"; + $user = $app->db->queryOneRecord($sql, $username); if($user) { $saved_password = stripslashes($user['password']); @@ -614,8 +614,8 @@ class remoting_client extends remoting { } else { // Check against sys_user table - $sql = "SELECT * FROM sys_user WHERE username = '".$app->db->quote($username)."'"; - $user = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM sys_user WHERE username = ?"; + $user = $app->db->queryOneRecord($sql, $username); if($user) { $saved_password = stripslashes($user['passwort']); @@ -649,15 +649,14 @@ class remoting_client extends remoting { //* Log failed login attempts if($user === false) { - $time = time(); if(!$alreadyfailed['times'] ) { //* user login the first time wrong - $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('".$app->db->quote($remote_ip)."', 1, NOW())"; - $app->db->query($sql); + $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())"; + $app->db->query($sql, $remote_ip); } elseif($alreadyfailed['times'] >= 1) { //* update times wrong - $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `login_time` >= '".$time."' LIMIT 1"; - $app->db->query($sql); + $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? AND `login_time` > (NOW() - INTERVAL 1 MINUTE) ORDER BY `login_time` DESC LIMIT 1"; + $app->db->query($sql, $remote_ip); } } diff --git a/interface/lib/classes/remote.d/dns.inc.php b/interface/lib/classes/remote.d/dns.inc.php index 1e9526a12f..f107c16767 100644 --- a/interface/lib/classes/remote.d/dns.inc.php +++ b/interface/lib/classes/remote.d/dns.inc.php @@ -50,9 +50,9 @@ class remoting_dns extends remoting { return false; } - $client = $app->db->queryOneRecord("SELECT default_dnsserver FROM client WHERE client_id = ".$app->functions->intval($client_id)); + $client = $app->db->queryOneRecord("SELECT default_dnsserver FROM client WHERE client_id = ?", $client_id); $server_id = $client["default_dnsserver"]; - $template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = '$template_id'"); + $template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = ?", $template_id); $fields = explode(',', $template_record['fields']); $tform_def_file = "../../web/dns/form/dns_soa.tform.php"; $app->uses('tform'); @@ -117,7 +117,7 @@ class remoting_dns extends remoting { if($error == '') { // Insert the soa record - $tmp = $app->db->queryOneRecord("SELECT userid,default_group FROM sys_user WHERE client_id = ".$app->functions->intval($client_id)); + $tmp = $app->db->queryOneRecord("SELECT userid,default_group FROM sys_user WHERE client_id = ?", $client_id); $sys_userid = $tmp['userid']; $sys_groupid = $tmp['default_group']; unset($tmp); @@ -180,7 +180,7 @@ class remoting_dns extends remoting { return false; } - $rec = $app->db->queryOneRecord("SELECT id FROM dns_soa WHERE origin like '".$origin."%'"); + $rec = $app->db->queryOneRecord("SELECT id FROM dns_soa WHERE origin like ?", $origin."%"); if(isset($rec['id'])) { return $app->functions->intval($rec['id']); } else { @@ -764,8 +764,8 @@ class remoting_dns extends remoting { if (!empty($client_id) && !empty($server_id)) { $server_id = $app->functions->intval($server_id); $client_id = $app->functions->intval($client_id); - $sql = "SELECT id, origin FROM dns_soa d INNER JOIN sys_user s on(d.sys_groupid = s.default_group) WHERE client_id = $client_id AND server_id = $server_id"; - $result = $app->db->queryAllRecords($sql); + $sql = "SELECT id, origin FROM dns_soa d INNER JOIN sys_user s on(d.sys_groupid = s.default_group) WHERE client_id = ? AND server_id = ?"; + $result = $app->db->queryAllRecords($sql, $client_id, $server_id); return $result; } return false; @@ -785,8 +785,8 @@ class remoting_dns extends remoting { throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.'); return false; } - $sql = "SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($zone_id);; - $result = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM dns_rr WHERE zone = ?"; + $result = $app->db->queryAllRecords($sql, $zone_id); return $result; } @@ -809,8 +809,8 @@ class remoting_dns extends remoting { } else { $status = 'N'; } - $sql = "UPDATE dns_soa SET active = '$status' WHERE id = ".$app->functions->intval($primary_id); - $app->db->query($sql); + $sql = "UPDATE dns_soa SET active = ? WHERE id = ?"; + $app->db->query($sql, $status, $primary_id); $result = $app->db->affectedRows(); return $result; } else { diff --git a/interface/lib/classes/remote.d/domains.inc.php b/interface/lib/classes/remote.d/domains.inc.php index 9bba710023..33830335d8 100644 --- a/interface/lib/classes/remote.d/domains.inc.php +++ b/interface/lib/classes/remote.d/domains.inc.php @@ -86,8 +86,8 @@ class remoting_domains extends remoting { return false; } $group_id = $app->functions->intval($group_id); - $sql = "SELECT domain_id, domain FROM domain WHERE sys_groupid = $group_id "; - $all = $app->db->queryAllRecords($sql); + $sql = "SELECT domain_id, domain FROM domain WHERE sys_groupid = ?"; + $all = $app->db->queryAllRecords($sql, $group_id); return $all; } diff --git a/interface/lib/classes/remote.d/mail.inc.php b/interface/lib/classes/remote.d/mail.inc.php index 29ff0d83b5..21ccb5b1a6 100644 --- a/interface/lib/classes/remote.d/mail.inc.php +++ b/interface/lib/classes/remote.d/mail.inc.php @@ -208,7 +208,7 @@ class remoting_mail extends remoting { //* Check if mail domain exists $email_parts = explode('@', $params['email']); - $tmp = $app->db->queryOneRecord("SELECT domain FROM mail_domain WHERE domain = '".$app->db->quote($email_parts[1])."'"); + $tmp = $app->db->queryOneRecord("SELECT domain FROM mail_domain WHERE domain = ?", $email_parts[1]); if($tmp['domain'] != $email_parts[1]) { throw new SoapFault('mail_domain_does_not_exist', 'Mail domain - '.$email_parts[1].' - does not exist.'); return false; @@ -235,7 +235,7 @@ class remoting_mail extends remoting { //* Check if mail domain exists $email_parts = explode('@', $params['email']); - $tmp = $app->db->queryOneRecord("SELECT domain FROM mail_domain WHERE domain = '".$app->db->quote($email_parts[1])."'"); + $tmp = $app->db->queryOneRecord("SELECT domain FROM mail_domain WHERE domain = ?", $email_parts[1]); if($tmp['domain'] != $email_parts[1]) { throw new SoapFault('mail_domain_does_not_exist', 'Mail domain - '.$email_parts[1].' - does not exist.'); return false; @@ -320,14 +320,16 @@ class remoting_mail extends remoting { return false; } + $params = array(); if ($site_id != null) { - $sql = "SELECT * FROM mail_backup WHERE parent_domain_id = ".$app->functions->intval($site_id); + $params[] = $site_id; + $sql = "SELECT * FROM mail_backup WHERE parent_domain_id = ?"; } else { $sql = "SELECT * FROM mail_backup"; } - $result = $app->db->queryAllRecords($sql); + $result = $app->db->queryAllRecords($sql, true, $params); return $result; } @@ -342,7 +344,7 @@ class remoting_mail extends remoting { } //*Set variables - $backup_record = $app->db->queryOneRecord("SELECT * FROM `mail_backup` WHERE `backup_id`='$primary_id'"); + $backup_record = $app->db->queryOneRecord("SELECT * FROM `mail_backup` WHERE `backup_id`=?", $primary_id); $server_id = $backup_record['server_id']; //*Set default action state @@ -361,14 +363,14 @@ class remoting_mail extends remoting { } //* Validate instance - $instance_record = $app->db->queryOneRecord("SELECT * FROM `sys_remoteaction` WHERE `action_param`='$primary_id' and `action_type`='$action_type' and `action_state`='pending'"); + $instance_record = $app->db->queryOneRecord("SELECT * FROM `sys_remoteaction` WHERE `action_param`=? and `action_type`=? and `action_state`='pending'", $primary_id, $action_type); if ($instance_record['action_id'] >= 1) { $this->server->fault('duplicate_action', "There is already a pending $action_type action"); return false; } //* Save the record - if ($app->db->query("INSERT INTO `sys_remoteaction` SET `server_id` = '$server_id', `tstamp` = '$tstamp', `action_type` = '$action_type', `action_param` = '$primary_id', `action_state` = '$action_state'")) { + if ($app->db->query("INSERT INTO `sys_remoteaction` SET `server_id` = ?, `tstamp` = ?, `action_type` = ?, `action_param` = ?, `action_state` = ?"), $server_id, $tstamp, $action_type, $primary_id, $action_state) { return true; } else { return false; @@ -401,7 +403,7 @@ class remoting_mail extends remoting { } //* Check if there is no active mailbox with this address - $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE postfix = 'y' AND email = '".$app->db->quote($params["source"])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE postfix = 'y' AND email = ?", $params["source"]); if($tmp['number'] > 0) { throw new SoapFault('duplicate', 'There is already a mailbox with this email address.'); } @@ -423,7 +425,7 @@ class remoting_mail extends remoting { } //* Check if there is no active mailbox with this address - $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE postfix = 'y' AND email = '".$app->db->quote($params["source"])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE postfix = 'y' AND email = ?", $params["source"]); if($tmp['number'] > 0) { throw new SoapFault('duplicate', 'There is already a mailbox with this email address.'); } @@ -1060,8 +1062,8 @@ class remoting_mail extends remoting { } if (!empty($domain)) { $domain = $app->db->quote($domain); - $sql = "SELECT * FROM mail_domain WHERE domain = '$domain'"; - $result = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM mail_domain WHERE domain = ?"; + $result = $app->db->queryAllRecords($sql, $domain); return $result; } return false; @@ -1079,8 +1081,8 @@ class remoting_mail extends remoting { } else { $status = 'n'; } - $sql = "UPDATE mail_domain SET active = '$status' WHERE domain_id = ".$app->functions->intval($primary_id); - $app->db->query($sql); + $sql = "UPDATE mail_domain SET active = ? WHERE domain_id = ?"; + $app->db->query($sql, $status, $primary_id); $result = $app->db->affectedRows(); return $result; } else { diff --git a/interface/lib/classes/remote.d/openvz.inc.php b/interface/lib/classes/remote.d/openvz.inc.php index 4a087ccbc7..c427a1f749 100644 --- a/interface/lib/classes/remote.d/openvz.inc.php +++ b/interface/lib/classes/remote.d/openvz.inc.php @@ -159,7 +159,7 @@ class remoting_openvz extends remoting { $server_id = $app->functions->intval($server_id); if($server_id > 0) { - $tmp = $app->db->queryOneRecord("SELECT ip_address_id, server_id, ip_address FROM openvz_ip WHERE reserved = 'n' AND vm_id = 0 AND server_id = $server_id LIMIT 0,1"); + $tmp = $app->db->queryOneRecord("SELECT ip_address_id, server_id, ip_address FROM openvz_ip WHERE reserved = 'n' AND vm_id = 0 AND server_id = ? LIMIT 0,1", $server_id); } else { $tmp = $app->db->queryOneRecord("SELECT ip_address_id, server_id, ip_address FROM openvz_ip WHERE reserved = 'n' AND vm_id = 0 LIMIT 0,1"); } @@ -229,9 +229,9 @@ class remoting_openvz extends remoting { if (!empty($client_id)) { $client_id = $app->functions->intval($client_id); - $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = $client_id"); - $sql = "SELECT * FROM openvz_vm WHERE sys_groupid = ".$app->functions->intval($tmp['groupid']); - $result = $app->db->queryAllRecords($sql); + $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client_id); + $sql = "SELECT * FROM openvz_vm WHERE sys_groupid = ?"; + $result = $app->db->queryAllRecords($sql, $tmp['groupid']); return $result; } return false; @@ -272,23 +272,23 @@ class remoting_openvz extends remoting { } // Verify if template and ostemplate exist - $tmp = $app->db->queryOneRecord("SELECT template_id FROM openvz_template WHERE template_id = $template_id"); + $tmp = $app->db->queryOneRecord("SELECT template_id FROM openvz_template WHERE template_id = ?", $template_id); if(!is_array($tmp)) { throw new SoapFault('template_id_error', 'Template does not exist.'); return false; } - $tmp = $app->db->queryOneRecord("SELECT ostemplate_id FROM openvz_ostemplate WHERE ostemplate_id = $ostemplate_id"); + $tmp = $app->db->queryOneRecord("SELECT ostemplate_id FROM openvz_ostemplate WHERE ostemplate_id = ?", $ostemplate_id); if(!is_array($tmp)) { throw new SoapFault('ostemplate_id_error', 'OSTemplate does not exist.'); return false; } //* Get the template - $vtpl = $app->db->queryOneRecord("SELECT * FROM openvz_template WHERE template_id = $template_id"); + $vtpl = $app->db->queryOneRecord("SELECT * FROM openvz_template WHERE template_id = ?", $template_id); //* Get the IP address and server_id if($override_params['server_id'] > 0) { - $vmip = $app->db->queryOneRecord("SELECT ip_address_id, server_id, ip_address FROM openvz_ip WHERE reserved = 'n' AND vm_id = 0 AND server_id = ".$override_params['server_id']." LIMIT 0,1"); + $vmip = $app->db->queryOneRecord("SELECT ip_address_id, server_id, ip_address FROM openvz_ip WHERE reserved = 'n' AND vm_id = 0 AND server_id = ? LIMIT 0,1", $override_params['server_id']); } else { $vmip = $app->db->queryOneRecord("SELECT ip_address_id, server_id, ip_address FROM openvz_ip WHERE reserved = 'n' AND vm_id = 0 LIMIT 0,1"); } @@ -376,25 +376,18 @@ class remoting_openvz extends remoting { $action = 'openvz_start_vm'; $tmp = $app->db->queryOneRecord("SELECT count(action_id) as actions FROM sys_remoteaction - WHERE server_id = '".$vm['server_id']."' - AND action_type = '$action' - AND action_param = '".$vm['veid']."' - AND action_state = 'pending'"); + WHERE server_id = ? + AND action_type = ? + AND action_param = ? + AND action_state = 'pending'", $vm['server_id'], $action, $vm['veid']); if($tmp['actions'] > 0) { throw new SoapFault('action_pending', 'There is already a action pending for this VM.'); return false; } else { $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - (int)$vm['server_id'] . ", ". - time() . ", ". - "'".$action."', ". - $vm['veid'].", ". - "'pending', ". - "''". - ")"; - $app->db->query($sql); + "VALUES (?, ?, ?, ?, 'pending', '')"; + $app->db->query($sql, (int)$vm['server_id'], time(), $action, $vm['veid']); } } @@ -425,25 +418,18 @@ class remoting_openvz extends remoting { $action = 'openvz_stop_vm'; $tmp = $app->db->queryOneRecord("SELECT count(action_id) as actions FROM sys_remoteaction - WHERE server_id = '".$vm['server_id']."' - AND action_type = '$action' - AND action_param = '".$vm['veid']."' - AND action_state = 'pending'"); + WHERE server_id = ? + AND action_type = ? + AND action_param = ? + AND action_state = 'pending'", $vm['server_id'], $action, $vm['veid']); if($tmp['actions'] > 0) { throw new SoapFault('action_pending', 'There is already a action pending for this VM.'); return false; } else { $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - (int)$vm['server_id'] . ", ". - time() . ", ". - "'".$action."', ". - $vm['veid'].", ". - "'pending', ". - "''". - ")"; - $app->db->query($sql); + "VALUES (?, ?, ?, ?, 'pending', '')"; + $app->db->query($sql, (int)$vm['server_id'], time(), $action, $vm['veid']); } } @@ -474,25 +460,18 @@ class remoting_openvz extends remoting { $action = 'openvz_restart_vm'; $tmp = $app->db->queryOneRecord("SELECT count(action_id) as actions FROM sys_remoteaction - WHERE server_id = '".$vm['server_id']."' - AND action_type = '$action' - AND action_param = '".$vm['veid']."' - AND action_state = 'pending'"); + WHERE server_id = ? + AND action_type = ? + AND action_param = ? + AND action_state = 'pending'", $vm['server_id'], $action, $vm['veid']); if($tmp['actions'] > 0) { throw new SoapFault('action_pending', 'There is already a action pending for this VM.'); return false; } else { $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - (int)$vm['server_id'] . ", ". - time() . ", ". - "'".$action."', ". - $vm['veid'].", ". - "'pending', ". - "''". - ")"; - $app->db->query($sql); + "VALUES (?, ?, ?, ?, 'pending', '')"; + $app->db->query($sql, (int)$vm['server_id'], time(), $action, $vm['veid']); } } diff --git a/interface/lib/classes/remote.d/server.inc.php b/interface/lib/classes/remote.d/server.inc.php index 4035302071..eb4a8b9846 100644 --- a/interface/lib/classes/remote.d/server.inc.php +++ b/interface/lib/classes/remote.d/server.inc.php @@ -55,8 +55,8 @@ class remoting_server extends remoting { throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.'); return false; } - $sql = "SELECT server_id FROM server_ip WHERE ip_address = '$ipaddress' LIMIT 1 "; - $all = $app->db->queryAllRecords($sql); + $sql = "SELECT server_id FROM server_ip WHERE ip_address = ? LIMIT 1"; + $all = $app->db->queryAllRecords($sql, $ipaddress); return $all; } @@ -178,8 +178,8 @@ class remoting_server extends remoting { return false; } if (!empty($session_id) && !empty($server_name)) { - $sql = "SELECT server_id FROM server WHERE server_name = '$server_name' LIMIT 1 "; - $all = $app->db->queryAllRecords($sql); + $sql = "SELECT server_id FROM server WHERE server_name = ? LIMIT 1"; + $all = $app->db->queryAllRecords($sql, $server_name); return $all; } else { return false; @@ -200,8 +200,8 @@ class remoting_server extends remoting { return false; } if (!empty($session_id) && !empty($server_id)) { - $sql = "SELECT mail_server, web_server, dns_server, file_server, db_server, vserver_server, proxy_server, firewall_server FROM server WHERE server_id = '$server_id' LIMIT 1 "; - $all = $app->db->queryAllRecords($sql); + $sql = "SELECT mail_server, web_server, dns_server, file_server, db_server, vserver_server, proxy_server, firewall_server FROM server WHERE server_id = ? LIMIT 1 "; + $all = $app->db->queryAllRecords($sql, $server_id); return $all; } else { return false; diff --git a/interface/lib/classes/remote.d/sites.inc.php b/interface/lib/classes/remote.d/sites.inc.php index 05ba482cba..34386cb4c9 100644 --- a/interface/lib/classes/remote.d/sites.inc.php +++ b/interface/lib/classes/remote.d/sites.inc.php @@ -114,7 +114,7 @@ class remoting_sites extends remoting { } //* Check for duplicates - $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = '".$app->db->quote($params['database_name'])."' AND server_id = '".intval($params["server_id"])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = ? AND server_id = ?", $params['database_name'], $params["server_id"]); if($tmp['dbnum'] > 0) { throw new SoapFault('database_name_error_unique', 'There is already a database with that name on the same server.'); return false; @@ -135,7 +135,6 @@ class remoting_sites extends remoting { $sql_set = array(); if(isset($params['backup_interval'])) $sql_set[] = "backup_interval = '".$app->db->quote($params['backup_interval'])."'"; if(isset($params['backup_copies'])) $sql_set[] = "backup_copies = ".$app->functions->intval($params['backup_copies']); - //$app->db->query("UPDATE web_database SET ".implode(', ', $sql_set)." WHERE database_id = ".$retval); $this->updateQueryExecute("UPDATE web_database SET ".implode(', ', $sql_set)." WHERE database_id = ".$retval, $retval, $params); } @@ -169,7 +168,6 @@ class remoting_sites extends remoting { $sql_set = array(); if(isset($params['backup_interval'])) $sql_set[] = "backup_interval = '".$app->db->quote($params['backup_interval'])."'"; if(isset($params['backup_copies'])) $sql_set[] = "backup_copies = ".$app->functions->intval($params['backup_copies']); - //$app->db->query("UPDATE web_database SET ".implode(', ', $sql_set)." WHERE database_id = ".$primary_id); $this->updateQueryExecute("UPDATE web_database SET ".implode(', ', $sql_set)." WHERE database_id = ".$primary_id, $primary_id, $params); } @@ -239,7 +237,7 @@ class remoting_sites extends remoting { $new_rec = $app->remoting_lib->getDataRecord($primary_id); - $records = $app->db->queryAllRecords("SELECT DISTINCT server_id FROM web_database WHERE database_user_id = '".$app->functions->intval($primary_id)."' UNION SELECT DISTINCT server_id FROM web_database WHERE database_ro_user_id = '".$app->functions->intval($primary_id)."'"); + $records = $app->db->queryAllRecords("SELECT DISTINCT server_id FROM web_database WHERE database_user_id = ? UNION SELECT DISTINCT server_id FROM web_database WHERE database_ro_user_id = ?", $primary_id, $primary_id); foreach($records as $rec) { $tmp_rec = $new_rec; $tmp_rec['server_id'] = $rec['server_id']; @@ -265,12 +263,12 @@ class remoting_sites extends remoting { $app->db->datalogDelete('web_database_user', 'database_user_id', $primary_id); $affected_rows = $this->deleteQuery('../sites/form/database_user.tform.php', $primary_id); - $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_user_id = '".$app->functions->intval($primary_id)."'"); + $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_user_id = ?", $primary_id); foreach($records as $rec) { $app->db->datalogUpdate('web_database', 'database_user_id=NULL', 'database_id', $rec['database_id']); } - $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_ro_user_id = '".$app->functions->intval($primary_id)."'"); + $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_ro_user_id = ?", $primary_id); foreach($records as $rec) { $app->db->datalogUpdate('web_database', 'database_ro_user_id=NULL', 'database_id', $rec['database_id']); } @@ -336,7 +334,7 @@ class remoting_sites extends remoting { return false; } - $data = $app->db->queryOneRecord("SELECT server_id FROM ftp_user WHERE username = '".$app->db->quote($ftp_user)."'"); + $data = $app->db->queryOneRecord("SELECT server_id FROM ftp_user WHERE username = ?", $ftp_user); //file_put_contents('/tmp/test.txt', serialize($data)); if(!isset($data['server_id'])) return false; @@ -420,7 +418,7 @@ class remoting_sites extends remoting { } if(!isset($params['client_group_id']) or (isset($params['client_group_id']) && empty($params['client_group_id']))) { - $rec = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client_id)); + $rec = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client_id); $params['client_group_id'] = $rec['groupid']; } @@ -437,7 +435,7 @@ class remoting_sites extends remoting { $domain_id = $this->insertQuery('../sites/form/web_domain.tform.php', $client_id, $params, 'sites:web_domain:on_after_insert'); if ($readonly === true) - $app->db->query("UPDATE web_domain SET `sys_userid` = '1' WHERE domain_id = ".$domain_id); + $app->db->query("UPDATE web_domain SET `sys_userid` = '1' WHERE domain_id = ?", $domain_id); return $domain_id; } @@ -751,7 +749,7 @@ class remoting_sites extends remoting { } // Delete all users that belong to this folder. - taken from web_folder_delete.php - $records = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = '".$app->functions->intval($primary_id)."'"); + $records = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = ?", $primary_id); foreach($records as $rec) { $this->deleteQuery('../sites/form/web_folder_user.tform.php', $rec['web_folder_user_id']); //$app->db->datalogDelete('web_folder_user','web_folder_user_id',$rec['web_folder_user_id']); @@ -889,8 +887,8 @@ class remoting_sites extends remoting { return false; } $client_id = $app->functions->intval($client_id); - $sql = "SELECT d.database_id, d.database_name, d.database_user_id, d.database_ro_user_id, du.database_user, du.database_password FROM web_database d LEFT JOIN web_database_user du ON (du.database_user_id = d.database_user_id) INNER JOIN sys_user s on(d.sys_groupid = s.default_group) WHERE client_id = $client_id"; - $all = $app->db->queryAllRecords($sql); + $sql = "SELECT d.database_id, d.database_name, d.database_user_id, d.database_ro_user_id, du.database_user, du.database_password FROM web_database d LEFT JOIN web_database_user du ON (du.database_user_id = d.database_user_id) INNER JOIN sys_user s on(d.sys_groupid = s.default_group) WHERE client_id = ?"; + $all = $app->db->queryAllRecords($sql, $client_id); return $all; } @@ -904,7 +902,7 @@ class remoting_sites extends remoting { return false; } - $result = $app->db->queryAllRecords("SELECT * FROM web_backup".(($site_id != null)?' WHERE parent_domain_id = ?':''), $app->functions->intval($site_id)); + $result = $app->db->queryAllRecords("SELECT * FROM web_backup".(($site_id != null)?' WHERE parent_domain_id = ?':''), $site_id); return $result; } diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php index f42d22b070..a8c228cfc0 100644 --- a/interface/lib/classes/remoting.inc.php +++ b/interface/lib/classes/remoting.inc.php @@ -90,15 +90,15 @@ class remoting { } //* Delete old remoting sessions - $sql = "DELETE FROM remote_session WHERE tstamp < ".time(); + $sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMSTAMP()"; $app->db->query($sql); $username = $app->db->quote($username); $password = $app->db->quote($password); if($client_login == true) { - $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'"; - $user = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM sys_user WHERE USERNAME = ?"; + $user = $app->db->queryOneRecord($sql, $username); if($user) { $saved_password = stripslashes($user['passwort']); @@ -127,7 +127,7 @@ class remoting { } // now we need the client data - $client = $app->db->queryOneRecord("SELECT client.can_use_api FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = " . $app->functions->intval($user['default_group'])); + $client = $app->db->queryOneRecord("SELECT client.can_use_api FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $user['default_group']); if(!$client || $client['can_use_api'] != 'y') { throw new SoapFault('client_login_failed', 'The login failed. Client may not use api.'); return false; @@ -140,13 +140,12 @@ class remoting { $remote_functions = ''; $tstamp = time() + $this->session_timeout; $sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,client_login,tstamp' - .') VALUES (' - ." '$remote_session',$remote_userid,'$remote_functions',1,$tstamp)"; - $app->db->query($sql); + .') VALUES (?, ?, ?, 1, $tstamp)'; + $app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp); return $remote_session; } else { - $sql = "SELECT * FROM remote_user WHERE remote_username = '$username' and remote_password = md5('$password')"; - $remote_user = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)"; + $remote_user = $app->db->queryOneRecord($sql, $username, $password); if($remote_user['remote_userid'] > 0) { //* Create a remote user session //srand ((double)microtime()*1000000); @@ -155,9 +154,8 @@ class remoting { $remote_functions = $remote_user['remote_functions']; $tstamp = time() + $this->session_timeout; $sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp' - .') VALUES (' - ." '$remote_session',$remote_userid,'$remote_functions',$tstamp)"; - $app->db->query($sql); + .') VALUES (?, ?, ?, ?)'; + $app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp); return $remote_session; } else { throw new SoapFault('login_failed', 'The login failed. Username or password wrong.'); @@ -179,8 +177,8 @@ class remoting { $session_id = $app->db->quote($session_id); - $sql = "DELETE FROM remote_session WHERE remote_session = '$session_id'"; - if($app->db->query($sql) != false) { + $sql = "DELETE FROM remote_session WHERE remote_session = ?"; + if($app->db->query($sql, $session_id) != false) { return true; } else { return false; @@ -204,7 +202,7 @@ class remoting { //* Check if no system user with that username exists $username = $app->db->quote($params["username"]); - $tmp = $app->db->queryOneRecord("SELECT count(userid) as number FROM sys_user WHERE username = '$username'"); + $tmp = $app->db->queryOneRecord("SELECT count(userid) as number FROM sys_user WHERE username = ?", $username); if($tmp['number'] > 0) $app->remoting_lib->errorMessage .= "Duplicate username
"; //* Stop on error while preparing the sql query @@ -238,7 +236,7 @@ class remoting { /* copied from the client_edit php */ exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""'); - $app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote(@file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote(@file_get_contents('/tmp/id_rsa.pub'))."' WHERE client_id = ".$this->id); + $app->db->query("UPDATE client SET created_at = UNIX_TIMSTAMP(), id_rsa = ?, ssh_rsa = ? WHERE client_id = ?", @file_get_contents('/tmp/id_rsa'), @file_get_contents('/tmp/id_rsa.pub'), $this->id); exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub'); @@ -251,10 +249,10 @@ class remoting { $app->remoting_lib->ispconfig_sysuser_add($params, $insert_id); if($reseller_id) { - $client_group = $app->db->queryOneRecord("SELECT * FROM sys_group WHERE client_id = ".$insert_id); - $reseller_user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ".$reseller_id); + $client_group = $app->db->queryOneRecord("SELECT * FROM sys_group WHERE client_id = ?", $insert_id); + $reseller_user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ?", $reseller_id); $app->auth->add_group_to_user($reseller_user['userid'], $client_group['groupid']); - $app->db->query("UPDATE client SET parent_client_id = ".$reseller_id." WHERE client_id = ".$insert_id); + $app->db->query("UPDATE client SET parent_client_id = ? WHERE client_id = ?", $reseller_id, $insert_id); } } @@ -475,9 +473,8 @@ class remoting { $session_id = $app->db->quote($session_id); - $now = time(); - $sql = "SELECT * FROM remote_session WHERE remote_session = '$session_id' AND tstamp >= $now"; - $session = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM remote_session WHERE remote_session = ? AND tstamp >= UNIX_TIMSTAMP()"; + $session = $app->db->queryOneRecord($sql, $session_id); if($session['remote_userid'] > 0) { return $session; } else { diff --git a/interface/lib/classes/remoting_lib.inc.php b/interface/lib/classes/remoting_lib.inc.php index 0d89c1f1a1..af0143fee5 100644 --- a/interface/lib/classes/remoting_lib.inc.php +++ b/interface/lib/classes/remoting_lib.inc.php @@ -110,7 +110,7 @@ class remoting_lib extends tform_base { if(isset($_SESSION['client_login']) && isset($_SESSION['client_sys_userid']) && $_SESSION['client_login'] == 1) { $client_sys_userid = $app->functions->intval($_SESSION['client_sys_userid']); - $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_user, client WHERE sys_user.client_id = client.client_id and sys_user.userid = " . $client_sys_userid); + $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_user, client WHERE sys_user.client_id = client.client_id and sys_user.userid = ?", $client_sys_userid); $this->client_id = $client['client_id']; $client_login = true; @@ -125,23 +125,11 @@ class remoting_lib extends tform_base { $this->sys_groups = 1; $_SESSION["s"]["user"]["typ"] = 'admin'; } else { - //* load system user - try with sysuser and before with userid (workarrond) - /* - $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE sysuser_id = $client_id"); - if(empty($user["userid"])) { - $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = $client_id"); - if(empty($user["userid"])) { - $this->errorMessage .= "No sysuser with the ID $client_id found."; - return false; - } - }*/ - - $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = $this->client_id"); + $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ?", $this->client_id); $this->sys_username = $user['username']; $this->sys_userid = $user['userid']; $this->sys_default_group = $user['default_group']; $this->sys_groups = $user['groups']; - // $_SESSION["s"]["user"]["typ"] = $user['typ']; // we have to force admin priveliges for the remoting API as some function calls might fail otherwise. if($client_login == false) $_SESSION["s"]["user"]["typ"] = 'admin'; } @@ -239,8 +227,8 @@ class remoting_lib extends tform_base { return parent::getDataRecord($primary_id); } elseif($primary_id == -1) { // Return a array with all records - $sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape; - return $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM ??"; + return $app->db->queryAllRecords($sql, $this->formDef['db_table']); } else { throw new SoapFault('invalid_id', 'The ID has to be > 0 or -1.'); return array(); @@ -263,9 +251,9 @@ class remoting_lib extends tform_base { } $sql_where = substr($sql_where, 0, -5); if($sql_where == '') $sql_where = '1'; - $sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$sql_where. " AND " . $this->getAuthSQL('r', $this->formDef['db_table']); + $sql = "SELECT * FROM ?? WHERE ".$sql_where. " AND " . $this->getAuthSQL('r', $this->formDef['db_table']); if($sql_offset >= 0 && $sql_limit > 0) $sql .= ' LIMIT ' . $sql_offset . ',' . $sql_limit; - return $app->db->queryAllRecords($sql); + return $app->db->queryAllRecords($sql, $this->formDef['db_table']); } else { $this->errorMessage = 'The ID must be either an integer or an array.'; return array(); @@ -303,8 +291,8 @@ class remoting_lib extends tform_base { $groups = $groupid; if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($password)); $sql1 = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id) - VALUES ('$username','$password','$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,$insert_id)"; - $app->db->query($sql1); + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; + $app->db->query($sql1, $username,$password,$modules,$startmodule,$usertheme,$type,$active,$language,$groups,$groupid,$insert_id); } function ispconfig_sysuser_update($params, $client_id){ @@ -314,18 +302,25 @@ class remoting_lib extends tform_base { $client_id = $app->functions->intval($client_id); if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($clear_password)); else $password = $clear_password; - if ($clear_password) $pwstring = ", passwort = '$password'"; else $pwstring ="" ; - $sql = "UPDATE sys_user set username = '$username' $pwstring WHERE client_id = $client_id"; - $app->db->query($sql); + $params = array($username); + if ($clear_password) { + $pwstring = ", passwort = ?"; + $params[] = $password; + } else { + $pwstring ="" ; + } + $params[] = $client_id; + $sql = "UPDATE sys_user set username = ? $pwstring WHERE client_id = ?"; + $app->db->query($sql, true, $params); } function ispconfig_sysuser_delete($client_id){ global $app; $client_id = $app->functions->intval($client_id); - $sql = "DELETE FROM sys_user WHERE client_id = $client_id"; - $app->db->query($sql); - $sql = "DELETE FROM sys_group WHERE client_id = $client_id"; - $app->db->query($sql); + $sql = "DELETE FROM sys_user WHERE client_id = ?"; + $app->db->query($sql, $client_id); + $sql = "DELETE FROM sys_group WHERE client_id = ?"; + $app->db->query($sql, $client_id); } } diff --git a/interface/lib/classes/session.inc.php b/interface/lib/classes/session.inc.php index 8b3a7cffc4..bef2a10378 100644 --- a/interface/lib/classes/session.inc.php +++ b/interface/lib/classes/session.inc.php @@ -66,9 +66,9 @@ class session { function read ($session_id) { if($this->timeout > 0) { - $rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = '".$this->db->quote($session_id)."' AND (`permanent` = 'y' OR last_updated >= DATE_SUB(NOW(), INTERVAL " . intval($this->timeout) . " MINUTE))"); + $rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ? AND (`permanent` = 'y' OR last_updated >= DATE_SUB(NOW(), INTERVAL ? MINUTE))", $session_id, $this->timeout); } else { - $rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = '".$this->db->quote($session_id)."'"); + $rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ?", $session_id); } if (is_array($rec)) { @@ -87,23 +87,18 @@ class session { // Dont write session_data to DB if session data has not been changed after reading it. if(isset($this->session_array['session_data']) && $this->session_array['session_data'] != '' && $this->session_array['session_data'] == $session_data) { - $session_id = $this->db->quote($session_id); - $this->db->query("UPDATE sys_session SET last_updated = NOW() WHERE session_id = '$session_id'"); + $this->db->query("UPDATE sys_session SET last_updated = NOW() WHERE session_id = ?", $session_id); return true; } if (@$this->session_array['session_id'] == '') { - $session_id = $this->db->quote($session_id); - $session_data = $this->db->quote($session_data); - $sql = "REPLACE INTO sys_session (session_id,date_created,last_updated,session_data,permanent) VALUES ('$session_id',NOW(),NOW(),'$session_data','" . ($this->permanent ? 'y' : 'n') . "')"; - $this->db->query($sql); + $sql = "REPLACE INTO sys_session (session_id,date_created,last_updated,session_data,permanent) VALUES (?,NOW(),NOW(),'$session_data',?)"; + $this->db->query($sql, $session_id, ($this->permanent ? 'y' : 'n')); } else { - $session_id = $this->db->quote($session_id); - $session_data = $this->db->quote($session_data); - $sql = "UPDATE sys_session SET last_updated = NOW(), session_data = '$session_data'" . ($this->permanent ? ", `permanent` = 'y'" : "") . " WHERE session_id = '$session_id'"; - $this->db->query($sql); + $sql = "UPDATE sys_session SET last_updated = NOW(), session_data = ?" . ($this->permanent ? ", `permanent` = 'y'" : "") . " WHERE session_id = ?"; + $this->db->query($sql, $session_data, $session_id); } @@ -112,25 +107,20 @@ class session { function destroy ($session_id) { - $session_id = $this->db->quote($session_id); - $sql = "DELETE FROM sys_session WHERE session_id = '$session_id'"; - $this->db->query($sql); + $sql = "DELETE FROM sys_session WHERE session_id = ?"; + $this->db->query($sql, $session_id); return true; } function gc ($max_lifetime) { - /*if($this->timeout > 0) { - $this->db->query("DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL " . intval($this->timeout) . " MINUTE)"); - } else {*/ - $sql = "DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL " . intval($max_lifetime) . " SECOND) AND `permanent` != 'y'"; - $this->db->query($sql); + $sql = "DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL ? SECOND) AND `permanent` != 'y'"; + $this->db->query($sql, intval($max_lifetime)); - /* delete very old even if they are permanent */ - $sql = "DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL 1 YEAR)"; - $this->db->query($sql); - //} + /* delete very old even if they are permanent */ + $sql = "DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL 1 YEAR)"; + $this->db->query($sql); return true; diff --git a/interface/lib/classes/sites_database_plugin.inc.php b/interface/lib/classes/sites_database_plugin.inc.php index bf53c61fad..f6180c2f86 100644 --- a/interface/lib/classes/sites_database_plugin.inc.php +++ b/interface/lib/classes/sites_database_plugin.inc.php @@ -40,15 +40,15 @@ class sites_database_plugin { global $app; if($form_page->dataRecord["parent_domain_id"] > 0) { - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($form_page->dataRecord["parent_domain_id"])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $form_page->dataRecord["parent_domain_id"]); //* The Database user shall be owned by the same group then the website $sys_groupid = $app->functions->intval($web['sys_groupid']); $backup_interval = $app->db->quote($web['backup_interval']); $backup_copies = $app->functions->intval($web['backup_copies']); - $sql = "UPDATE web_database SET sys_groupid = '$sys_groupid', backup_interval = '$backup_interval', backup_copies = '$backup_copies' WHERE database_id = ".$form_page->id; - $app->db->query($sql); + $sql = "UPDATE web_database SET sys_groupid = ?, backup_interval = ?, backup_copies = ? WHERE database_id = ?"; + $app->db->query($sql, $sys_groupid, $backup_interval, $backup_copies, $form_page->id); } } diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php index 7912f537dc..8905be0f44 100644 --- a/interface/lib/classes/tform.inc.php +++ b/interface/lib/classes/tform.inc.php @@ -166,7 +166,7 @@ class tform extends tform_base { // Get the limits of the client that is currently logged in $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT $limit_name as number, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT $limit_name as number, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another item if($client["number"] >= 0) { @@ -188,7 +188,7 @@ class tform extends tform_base { // Get the limits of the client that is currently logged in $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); //* If the client belongs to a reseller, we will check against the reseller Limit too if($client['parent_client_id'] != 0) { diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php index dfc943c882..f172fea1f4 100644 --- a/interface/lib/classes/tform_actions.inc.php +++ b/interface/lib/classes/tform_actions.inc.php @@ -82,7 +82,7 @@ class tform_actions { // check if the client is locked - he may not change anything, then. if(!$app->auth->is_admin()) { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($client_group_id)); + $client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if(is_array($client) && $client['locked'] == 'y') { $app->tform->errorMessage .= $app->lng("client_you_are_locked")."
"; } @@ -311,7 +311,6 @@ class tform_actions { if($app->tform->checkPerm($this->id, 'd') == false) $app->error($app->lng('error_no_delete_permission')); } - //$this->dataRecord = $app->db->queryOneRecord("SELECT * FROM ".$liste["table"]." WHERE ".$liste["table_idx"]." = ".$this->id); $this->dataRecord = $app->tform->getDataRecord($this->id); $app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'].':'.'on_check_delete', $this); @@ -324,7 +323,7 @@ class tform_actions { $app->tform->datalogSave('DELETE', $this->id, $this->dataRecord, array()); } - $app->db->query("DELETE FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." LIMIT 1"); + $app->db->query("DELETE FROM ?? WHERE ?? = ? LIMIT 1", $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id); // loading plugins @@ -379,11 +378,11 @@ class tform_actions { $app->tpl->setInclude("content_tpl", $app->tform->formDef['template_print']); if($app->tform->formDef['auth'] == 'no') { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id; + $sql = "SELECT * FROM ?? WHERE ?? = ?"; } else { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r'); + $sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r'); } - if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission')); + if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission')); $record["datum"] = date("d.m.Y"); @@ -423,11 +422,11 @@ class tform_actions { $app->tpl->setInclude("content_tpl", $app->tform->formDef['template_mailsend']); $app->tpl->setVar('show_mail', 1); if($app->tform->formDef['auth'] == 'no') { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id; + $sql = "SELECT * FROM ?? WHERE ?? = ?"; } else { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r'); + $sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r'); } - if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission')); + if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission')); $record["datum"] = date("d.m.Y"); $record["mailmessage"] = $_POST["message"]; @@ -459,11 +458,11 @@ class tform_actions { if($app->tform->formDef['auth'] == 'no') { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id; + $sql = "SELECT * FROM ?? WHERE ?? = ?"; } else { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r'); + $sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r'); } - if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission')); + if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission')); $record["datum"] = date("d.m.Y"); @@ -560,11 +559,11 @@ class tform_actions { // bestehenden Datensatz anzeigen if($app->tform->errorMessage == '') { if($app->tform->formDef['auth'] == 'yes' && $_SESSION["s"]["user"]["typ"] != 'admin') { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r'); + $sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r'); } else { - $sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id; + $sql = "SELECT * FROM ?? WHERE ?? = ?"; } - if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission')); + if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission')); } else { // $record = $app->tform->encode($_POST,$this->active_tab); $record = $app->tform->encode($this->dataRecord, $this->active_tab, false); diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php index e27940d4f5..0924be07f0 100644 --- a/interface/lib/classes/tform_base.inc.php +++ b/interface/lib/classes/tform_base.inc.php @@ -347,7 +347,7 @@ class tform_base { return $values; } else { $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $allowed = explode(',', $client['lm']); } } @@ -359,7 +359,7 @@ class tform_base { } else { //* Get the limits of the client that is currently logged in $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); //echo "SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"; //* If the client belongs to a reseller, we will check against the reseller Limit too if($client['parent_client_id'] != 0) { diff --git a/interface/lib/classes/tools_monitor.inc.php b/interface/lib/classes/tools_monitor.inc.php index d8a09f4d6a..ad76e4effc 100644 --- a/interface/lib/classes/tools_monitor.inc.php +++ b/interface/lib/classes/tools_monitor.inc.php @@ -33,7 +33,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'server_load' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'server_load' AND server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); @@ -80,7 +80,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'disk_usage' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'disk_usage' AND server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); @@ -123,7 +123,7 @@ class tools_monitor { function showDatabaseSize () { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'database_size' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'database_size' AND server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); //* format the data @@ -142,10 +142,12 @@ class tools_monitor { if ($line['size'] > 0) $line['size'] = $app->functions->formatBytes($line['size']); //* get the client - $line['client']=$app->db->queryOneRecord("SELECT client.username FROM web_database, sys_group, client WHERE web_database.sys_groupid = sys_group.groupid AND sys_group.client_id = client.client_id AND web_database.database_name='".$line['database_name']."'")['username']; + $tmp = $app->db->queryOneRecord("SELECT client.username FROM web_database, sys_group, client WHERE web_database.sys_groupid = sys_group.groupid AND sys_group.client_id = client.client_id AND web_database.database_name=?", $line['database_name']); + $line['client'] = $tmp['username']; //* get the domain - $line['domain']=$app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id=(SELECT parent_domain_id FROM web_database WHERE database_name='".$line['database_name']."')")['domain']; + $tmp = $app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id=(SELECT parent_domain_id FROM web_database WHERE database_name=?", $line['database_name']); + $line['domain'] = $tmp['domain']; //* remove the sys_groupid from output unset($line['sys_groupid']); @@ -166,7 +168,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'mem_usage' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'mem_usage' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); @@ -202,7 +204,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'cpu_info' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'cpu_info' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); @@ -236,7 +238,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'services' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'services' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); @@ -349,7 +351,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'system_update' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'system_update' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $html = @@ -379,7 +381,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'openvz_beancounter' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'openvz_beancounter' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $html = @@ -408,7 +410,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'raid_state' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'raid_state' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $html = @@ -441,7 +443,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'rkhunter' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'rkhunter' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $html = @@ -472,7 +474,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'log_fail2ban' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'log_fail2ban' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $html = @@ -506,7 +508,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'log_mongodb' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'log_mongodb' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $html = @@ -538,7 +540,7 @@ class tools_monitor { function showIPTables() { global $app; - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'iptables_rules' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'iptables_rules' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $html = '
@@ -562,7 +564,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'mailq' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = 'mailq' and server_id = ? ORDER BY created DESC", $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); @@ -578,7 +580,7 @@ class tools_monitor { global $app; /* fetch the Data from the DB */ - $record = $app->db->queryOneRecord("SELECT created FROM monitor_data WHERE type = '" . $type . "' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT created FROM monitor_data WHERE type = ? and server_id = ? ORDER BY created DESC", $type, $_SESSION['monitor']['server_id']); /* TODO: datetimeformat should be set somewhat other way */ $dateTimeFormat = $app->lng("monitor_settings_datetimeformat_txt"); diff --git a/interface/lib/classes/tools_sites.inc.php b/interface/lib/classes/tools_sites.inc.php index 3400c5b708..989b9eae8d 100644 --- a/interface/lib/classes/tools_sites.inc.php +++ b/interface/lib/classes/tools_sites.inc.php @@ -87,7 +87,7 @@ class tools_sites { if(isset($dataRecord['client_group_id'])) { $client_group_id = $dataRecord['client_group_id']; } elseif (isset($dataRecord['parent_domain_id'])) { - $tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM web_domain WHERE domain_id = " . $dataRecord['parent_domain_id']); + $tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM web_domain WHERE domain_id = ?", $dataRecord['parent_domain_id']); $client_group_id = $tmp['sys_groupid']; } elseif(isset($dataRecord['sys_groupid'])) { $client_group_id = $dataRecord['sys_groupid']; @@ -96,7 +96,7 @@ class tools_sites { } } - $tmp = $app->db->queryOneRecord("SELECT name FROM sys_group WHERE groupid = " . $app->functions->intval($client_group_id)); + $tmp = $app->db->queryOneRecord("SELECT name FROM sys_group WHERE groupid = ?", $client_group_id); $clientName = $tmp['name']; if ($clientName == "") $clientName = 'default'; $clientName = $this->convertClientName($clientName); @@ -114,7 +114,7 @@ class tools_sites { if(isset($dataRecord['client_group_id'])) { $client_group_id = $dataRecord['client_group_id']; } elseif (isset($dataRecord['parent_domain_id']) && $dataRecord['parent_domain_id'] != 0) { - $tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM web_domain WHERE domain_id = " . $dataRecord['parent_domain_id']); + $tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM web_domain WHERE domain_id = ?", $dataRecord['parent_domain_id']); $client_group_id = $tmp['sys_groupid']; } elseif(isset($dataRecord['sys_groupid'])) { $client_group_id = $dataRecord['sys_groupid']; @@ -122,7 +122,7 @@ class tools_sites { return '[CLIENTID]'; } } - $tmp = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = " . $app->functions->intval($client_group_id)); + $tmp = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = ?", $client_group_id); $clientID = $tmp['client_id']; if ($clientID == '') $clientID = '0'; return $clientID; diff --git a/interface/lib/classes/validate_client.inc.php b/interface/lib/classes/validate_client.inc.php index c67601bfb7..468a022014 100644 --- a/interface/lib/classes/validate_client.inc.php +++ b/interface/lib/classes/validate_client.inc.php @@ -43,7 +43,7 @@ class validate_client { } if($client_id == 0) { - $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = '".$app->db->quote($field_value)."'"); + $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = ?", $field_value); if($num_rec["number"] > 0) { $errmsg = $validator['errmsg']; if(isset($app->tform->wordbook[$errmsg])) { @@ -53,7 +53,7 @@ class validate_client { } } } else { - $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = '".$app->db->quote($field_value)."' AND client_id != ".$app->functions->intval($client_id)); + $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = ? AND client_id != ?", $field_value, $client_id); if($num_rec["number"] > 0) { $errmsg = $validator['errmsg']; if(isset($app->tform->wordbook[$errmsg])) { @@ -108,23 +108,23 @@ class validate_client { switch ($field_name) { case 'web_servers': - $used_servers = $app->db->queryAllRecords('SELECT domain_id FROM web_domain INNER JOIN sys_user ON web_domain.sys_userid = sys_user.userid WHERE client_id = ' . $client_id . ' AND server_id NOT IN (' . implode(', ', $field_value) . ');'); + $used_servers = $app->db->queryAllRecords('SELECT domain_id FROM web_domain INNER JOIN sys_user ON web_domain.sys_userid = sys_user.userid WHERE client_id = ? AND server_id NOT IN ?', $client_id, $field_value); break; case 'dns_servers': - $used_servers = $app->db->queryAllRecords('SELECT id FROM dns_rr INNER JOIN sys_user ON dns_rr.sys_userid = sys_user.userid WHERE client_id = ' . $client_id . ' AND server_id NOT IN (' . implode(', ', $field_value) . ');'); + $used_servers = $app->db->queryAllRecords('SELECT id FROM dns_rr INNER JOIN sys_user ON dns_rr.sys_userid = sys_user.userid WHERE client_id = ? AND server_id NOT IN ?', $client_id, $field_value); break; case 'db_servers': - $used_servers = $app->db->queryAllRecords('SELECT database_id FROM web_database INNER JOIN sys_user ON web_database.sys_userid = sys_user.userid WHERE client_id = ' . $client_id . ' AND server_id NOT IN (' . implode(', ', $field_value) . ');'); + $used_servers = $app->db->queryAllRecords('SELECT database_id FROM web_database INNER JOIN sys_user ON web_database.sys_userid = sys_user.userid WHERE client_id = ? AND server_id NOT IN ?', $client_id, $field_value); break; case 'mail_servers': - $used_servers = $app->db->queryAllRecords('SELECT domain_id FROM mail_domain INNER JOIN sys_user ON mail_domain.sys_userid = sys_user.userid WHERE client_id = ' . $client_id . ' AND server_id NOT IN (' . implode(', ', $field_value) . ');'); + $used_servers = $app->db->queryAllRecords('SELECT domain_id FROM mail_domain INNER JOIN sys_user ON mail_domain.sys_userid = sys_user.userid WHERE client_id = ? AND server_id NOT IN ?', $client_id, $field_value); break; case 'xmpp_servers': - $used_servers = $app->db->queryAllRecords('SELECT domain_id FROM xmpp_domain INNER JOIN sys_user ON xmpp_domain.sys_userid = sys_user.userid WHERE client_id = ' . $client_id . ' AND server_id NOT IN (' . implode(', ', $field_value) . ');'); + $used_servers = $app->db->queryAllRecords('SELECT domain_id FROM xmpp_domain INNER JOIN sys_user ON xmpp_domain.sys_userid = sys_user.userid WHERE client_id = ? AND server_id NOT IN ?', $client_id, $field_value); break; } @@ -151,7 +151,7 @@ class validate_client { } // check if country is member of EU - $country_details = $app->db->queryOneRecord("SELECT * FROM country WHERE iso = '".$country."'"); + $country_details = $app->db->queryOneRecord("SELECT * FROM country WHERE iso = ?", $country); if($country_details['eu'] == 'y' && $vatid != ''){ $vatid = preg_replace('/\s+/', '', $vatid); diff --git a/interface/lib/classes/validate_dns.inc.php b/interface/lib/classes/validate_dns.inc.php index 212c4d75dc..a6920e0b01 100644 --- a/interface/lib/classes/validate_dns.inc.php +++ b/interface/lib/classes/validate_dns.inc.php @@ -104,7 +104,7 @@ class validate_dns { } if(substr($field, -1) == '.' && $area == 'Name'){ - $soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".intval($zoneid)); + $soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ?", $zoneid); if(substr($field, (strlen($field) - strlen($soa['origin']))) != $soa['origin']) $error .= $desc." ".$app->tform->wordbook['error_out_of_zone']."
\r\n"; } diff --git a/interface/lib/classes/validate_domain.inc.php b/interface/lib/classes/validate_domain.inc.php index a072412584..f3efe518b4 100644 --- a/interface/lib/classes/validate_domain.inc.php +++ b/interface/lib/classes/validate_domain.inc.php @@ -88,8 +88,8 @@ class validate_domain { $app->uses('ini_parser,getconf'); $settings = $app->getconf->get_global_config('domains'); if ($settings['use_domain_module'] == 'y') { - $sql = "SELECT domain_id, domain FROM domain WHERE domain_id = " . $app->functions->intval($check_domain); - $domain_check = $app->db->queryOneRecord($sql); + $sql = "SELECT domain_id, domain FROM domain WHERE domain_id = ?"; + $domain_check = $app->db->queryOneRecord($sql, $check_domain); if(!$domain_check) return; $check_domain = $domain_check['domain']; } @@ -157,24 +157,27 @@ class validate_domain { if($domain['ip_address'] == '' || $domain['ipv6_address'] == ''){ if($domain['parent_domain_id'] > 0){ - $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($domain['parent_domain_id'])); + $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $domain['parent_domain_id']); } } // check if domain has alias/subdomains - if we move a web to another IP, make sure alias/subdomains are checked as well - $aliassubdomains = $app->db->queryAllRecords("SELECT * FROM web_domain WHERE parent_domain_id = ".$app->functions->intval($primary_id)." AND (type = 'alias' OR type = 'subdomain' OR type = 'vhostsubdomain')"); + $aliassubdomains = $app->db->queryAllRecords("SELECT * FROM web_domain WHERE parent_domain_id = ? AND (type = 'alias' OR type = 'subdomain' OR type = 'vhostsubdomain')", $primary_id); $additional_sql1 = ''; $additional_sql2 = ''; + $domain_params = array(); if(is_array($aliassubdomains) && !empty($aliassubdomains)){ foreach($aliassubdomains as $aliassubdomain){ - $additional_sql1 .= " OR d.domain = '".$app->db->quote($aliassubdomain['domain'])."'"; - $additional_sql2 .= " OR CONCAT(d.subdomain, '.', d.domain) = '".$app->db->quote($aliassubdomain['domain'])."'"; + $additional_sql1 .= " OR d.domain = ?"; + $additional_sql2 .= " OR CONCAT(d.subdomain, '.', d.domain) = ?"; + $domain_params[] = $aliassubdomain['domain']; } } - $qrystr = "SELECT d.domain_id, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ip_address, d.ip_address) as `ip_address`, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ipv6_address, d.ipv6_address) as `ipv6_address` FROM `web_domain` as d LEFT JOIN `web_domain` as p ON (p.domain_id = d.parent_domain_id) WHERE (d.domain = '" . $app->db->quote($domain_name) . "'" . $additional_sql1 . ") AND d.server_id = " . $app->functions->intval($domain['server_id']) . " AND d.domain_id != " . $app->functions->intval($primary_id) . ($primary_id ? " AND d.parent_domain_id != " . $app->functions->intval($primary_id) : ""); - $checks = $app->db->queryAllRecords($qrystr); + $qrystr = "SELECT d.domain_id, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ip_address, d.ip_address) as `ip_address`, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ipv6_address, d.ipv6_address) as `ipv6_address` FROM `web_domain` as d LEFT JOIN `web_domain` as p ON (p.domain_id = d.parent_domain_id) WHERE (d.domain = ?" . $additional_sql1 . ") AND d.server_id = ? AND d.domain_id != ?" . ($primary_id ? " AND d.parent_domain_id != ?" : ""); + $params = array($domain_name) + $domain_params + array($domain['server_id'], $primary_id, $primary_id); + $checks = $app->db->queryAllRecords($qrystr, true, $params); if(is_array($checks) && !empty($checks)){ foreach($checks as $check){ if($domain['ip_address'] == '*') return false; @@ -185,8 +188,9 @@ class validate_domain { } if($only_domain == false) { - $qrystr = "SELECT d.domain_id, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ip_address, d.ip_address) as `ip_address`, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ipv6_address, d.ipv6_address) as `ipv6_address` FROM `web_domain` as d LEFT JOIN `web_domain` as p ON (p.domain_id = d.parent_domain_id) WHERE (CONCAT(d.subdomain, '.', d.domain)= '" . $app->db->quote($domain_name) . "'" . $additional_sql2 . ") AND d.server_id = " . $app->functions->intval($domain['server_id']) . " AND d.domain_id != " . $app->functions->intval($primary_id) . ($primary_id ? " AND d.parent_domain_id != " . $app->functions->intval($primary_id) : ""); - $checks = $app->db->queryAllRecords($qrystr); + $qrystr = "SELECT d.domain_id, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ip_address, d.ip_address) as `ip_address`, IF(d.parent_domain_id != 0 AND p.domain_id IS NOT NULL, p.ipv6_address, d.ipv6_address) as `ipv6_address` FROM `web_domain` as d LEFT JOIN `web_domain` as p ON (p.domain_id = d.parent_domain_id) WHERE (CONCAT(d.subdomain, '.', d.domain)= ?" . $additional_sql2 . ") AND d.server_id = ? AND d.domain_id != ?" . ($primary_id ? " AND d.parent_domain_id != ?" : ""); + $params = array($domain_name) + $domain_params + array($domain['server_id'], $primary_id, $primary_id); + $checks = $app->db->queryAllRecords($qrystr, true $params); if(is_array($checks) && !empty($checks)){ foreach($checks as $check){ if($domain['ip_address'] == '*') return false; @@ -207,7 +211,7 @@ class validate_domain { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_wildcard FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_wildcard FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client["limit_wildcard"] == 'y') return true; else return false; diff --git a/interface/lib/classes/validate_ftpuser.inc.php b/interface/lib/classes/validate_ftpuser.inc.php index 8e0663ecae..da8c100adc 100644 --- a/interface/lib/classes/validate_ftpuser.inc.php +++ b/interface/lib/classes/validate_ftpuser.inc.php @@ -50,7 +50,7 @@ class validate_ftpuser { if($primary_id > 0) { //* get parent_domain_id from website - $ftp_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM ftp_user WHERE ftp_user_id = '".$app->db->quote($primary_id)."'"); + $ftp_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM ftp_user WHERE ftp_user_id = ?", $primary_id); if(!is_array($ftp_data) || $ftp_data["parent_domain_id"] < 1) { $errmsg = $validator['errmsg']; if(isset($app->tform->wordbook[$errmsg])) { @@ -66,7 +66,7 @@ class validate_ftpuser { $parent_domain_id = $app->functions->intval($app->remoting_lib->dataRecord['parent_domain_id']); } - $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($parent_domain_id)."'"); + $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = ?", $parent_domain_id); if(!is_array($domain_data) || $domain_data["domain_id"] < 1) { $errmsg = $validator['errmsg']; if(isset($app->tform->wordbook[$errmsg])) { diff --git a/interface/lib/classes/validate_systemuser.inc.php b/interface/lib/classes/validate_systemuser.inc.php index 2cab1cf444..74824b72ca 100644 --- a/interface/lib/classes/validate_systemuser.inc.php +++ b/interface/lib/classes/validate_systemuser.inc.php @@ -95,7 +95,7 @@ class validate_systemuser { if($primary_id > 0) { //* get parent_domain_id from website - $shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = '".$app->db->quote($primary_id)."'"); + $shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = ?", $primary_id); if(!is_array($shell_data) || $shell_data["parent_domain_id"] < 1) { $errmsg = $validator['errmsg']; if(isset($app->tform->wordbook[$errmsg])) { @@ -111,7 +111,7 @@ class validate_systemuser { $parent_domain_id = $app->functions->intval($app->remoting_lib->dataRecord['parent_domain_id']); } - $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($parent_domain_id)."'"); + $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = ?", $parent_domain_id); if(!is_array($domain_data) || $domain_data["domain_id"] < 1) { $errmsg = $validator['errmsg']; if(isset($app->tform->wordbook[$errmsg])) { diff --git a/interface/lib/plugins/dns_dns_slave_plugin.inc.php b/interface/lib/plugins/dns_dns_slave_plugin.inc.php index aa2e20f9ab..8f49ce69d0 100644 --- a/interface/lib/plugins/dns_dns_slave_plugin.inc.php +++ b/interface/lib/plugins/dns_dns_slave_plugin.inc.php @@ -30,19 +30,19 @@ class dns_dns_slave_plugin { // make sure that the record belongs to the client group and not the admin group when a dmin inserts it if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $app->db->query("UPDATE dns_slave SET sys_groupid = $client_group_id WHERE id = ".$page_form->id); + $app->db->query("UPDATE dns_slave SET sys_groupid = ? WHERE id = ?", $client_group_id, $page_form->id); } if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($this->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]); - $app->db->query("UPDATE dns_slave SET sys_groupid = $client_group_id WHERE id = ".$page_form->id); + $app->db->query("UPDATE dns_slave SET sys_groupid = ? WHERE id = ?", $client_group_id, $page_form->id); } //** When the client group has changed, change also the owner of the record if the owner is not the admin user if($page_form->oldDataRecord && $page_form->oldDataRecord["client_group_id"] != $page_form->dataRecord["client_group_id"] && $page_form->dataRecord["sys_userid"] != 1) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $tmp = $app->db->queryOneREcord("SELECT userid FROM sys_user WHERE default_group = ".$client_group_id); + $tmp = $app->db->queryOneREcord("SELECT userid FROM sys_user WHERE default_group = ?", $client_group_id); if($tmp["userid"] > 0) { - $app->db->query("UPDATE dns_slave SET sys_userid = ".$tmp["userid"]." WHERE id = ".$page_form->id); + $app->db->query("UPDATE dns_slave SET sys_userid = ? WHERE id = ?", $tmp["userid"], $page_form->id); } } } diff --git a/interface/lib/plugins/dns_dns_soa_plugin.inc.php b/interface/lib/plugins/dns_dns_soa_plugin.inc.php index 1cada0e932..8f047bef8b 100644 --- a/interface/lib/plugins/dns_dns_soa_plugin.inc.php +++ b/interface/lib/plugins/dns_dns_soa_plugin.inc.php @@ -31,17 +31,17 @@ class dns_dns_soa_plugin { $tmp = $app->db->diffrec($page_form->oldDataRecord, $app->tform->getDataRecord($page_form->id)); if($tmp['diff_num'] > 0) { // Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ".$page_form->id); - $app->db->query("UPDATE dns_soa SET serial = '".$app->validate_dns->increase_serial($soa["serial"])."' WHERE id = ".$page_form->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ?", $page_form->id); + $app->db->query("UPDATE dns_soa SET serial = ? WHERE id = ?", $app->validate_dns->increase_serial($soa["serial"]), $page_form->id); } //** When the client group has changed, change also the owner of the record if the owner is not the admin user if($page_form->oldDataRecord["client_group_id"] != $page_form->dataRecord["client_group_id"] && $page_form->dataRecord["sys_userid"] != 1) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $tmp = $app->db->queryOneREcord("SELECT userid FROM sys_user WHERE default_group = ".$client_group_id); + $tmp = $app->db->queryOneREcord("SELECT userid FROM sys_user WHERE default_group = ?", $client_group_id); if($tmp["userid"] > 0) { - $app->db->query("UPDATE dns_soa SET sys_userid = ".$tmp["userid"]." WHERE id = ".$page_form->id); - $app->db->query("UPDATE dns_rr SET sys_userid = ".$tmp["userid"]." WHERE zone = ".$page_form->id); + $app->db->query("UPDATE dns_soa SET sys_userid = ? WHERE id = ?", $tmp["userid"], $page_form->id); + $app->db->query("UPDATE dns_rr SET sys_userid = ? WHERE zone = ?", $tmp["userid"], $page_form->id); } } } @@ -49,15 +49,15 @@ class dns_dns_soa_plugin { // make sure that the record belongs to the client group and not the admin group when a dmin inserts it if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $app->db->query("UPDATE dns_soa SET sys_groupid = $client_group_id, sys_perm_group = 'ru' WHERE id = ".$page_form->id); + $app->db->query("UPDATE dns_soa SET sys_groupid = ?, sys_perm_group = 'ru' WHERE id = ?", $client_group_id, $page_form->id); // And we want to update all rr records too, that belong to this record - $app->db->query("UPDATE dns_rr SET sys_groupid = $client_group_id WHERE zone = ".$page_form->id); + $app->db->query("UPDATE dns_rr SET sys_groupid = ? WHERE zone = ?", $client_group_id, $page_form->id); } if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $app->db->query("UPDATE dns_soa SET sys_groupid = $client_group_id, sys_perm_group = 'riud' WHERE id = ".$page_form->id); + $app->db->query("UPDATE dns_soa SET sys_groupid = ?, sys_perm_group = 'riud' WHERE id = ?", $client_group_id, $page_form->id); // And we want to update all rr records too, that belong to this record - $app->db->query("UPDATE dns_rr SET sys_groupid = $client_group_id WHERE zone = ".$page_form->id); + $app->db->query("UPDATE dns_rr SET sys_groupid = ? WHERE zone = ?", $client_group_id, $page_form->id); } } diff --git a/interface/lib/plugins/mail_mail_domain_plugin.inc.php b/interface/lib/plugins/mail_mail_domain_plugin.inc.php index 13f6009ee5..6af0c95941 100644 --- a/interface/lib/plugins/mail_mail_domain_plugin.inc.php +++ b/interface/lib/plugins/mail_mail_domain_plugin.inc.php @@ -31,23 +31,29 @@ class mail_mail_domain_plugin { // also make sure that the user can not delete entry created by an admin if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $updates = "sys_groupid = $client_group_id, sys_perm_group = 'ru'"; + $updates = "sys_groupid = ?, sys_perm_group = 'ru'"; + $update_params = array($client_group_id); if ($event_name == 'mail:mail_domain:on_after_update') { - $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = ?", $client_group_id); $client_user_id = ($tmp['userid'] > 0)?$tmp['userid']:1; - $updates = "sys_userid = $client_user_id, $updates"; + $updates .= ", sys_userid = ?"; + $update_params[] = $client_user_id } - $app->db->query("UPDATE mail_domain SET $updates WHERE domain_id = ".$page_form->id); + $update_params[] = $page_form->id; + $app->db->query("UPDATE mail_domain SET " . $updates . " WHERE domain_id = ?", true, $update_params); } if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); $updates = "sys_groupid = $client_group_id, sys_perm_group = 'riud'"; + $update_params = array($client_group_id); if ($event_name == 'mail:mail_domain:on_after_update') { - $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = ?", $client_group_id); $client_user_id = ($tmp['userid'] > 0)?$tmp['userid']:1; - $updates = "sys_userid = $client_user_id, $updates"; + $updates .= ", sys_userid = ?"; + $update_params[] = $client_user_id } - $app->db->query("UPDATE mail_domain SET $updates WHERE domain_id = ".$page_form->id); + $update_params[] = $page_form->id; + $app->db->query("UPDATE mail_domain SET " . $updates . " WHERE domain_id = ?", true, $update_params); } //** If the domain name or owner has been changed, change the domain and owner in all mailbox records @@ -57,9 +63,9 @@ class mail_mail_domain_plugin { $mail_config = $app->getconf->get_server_config($page_form->dataRecord["server_id"], 'mail'); //* Update the mailboxes - $mailusers = $app->db->queryAllRecords("SELECT * FROM mail_user WHERE email like '%@".$app->db->quote($page_form->oldDataRecord['domain'])."'"); + $mailusers = $app->db->queryAllRecords("SELECT * FROM mail_user WHERE email like ?", "%@" . $page_form->oldDataRecord['domain']); $sys_groupid = $app->functions->intval((isset($page_form->dataRecord['client_group_id']))?$page_form->dataRecord['client_group_id']:$page_form->oldDataRecord['sys_groupid']); - $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = $sys_groupid"); + $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = ?", $sys_groupid); $client_user_id = $app->functions->intval(($tmp['userid'] > 0)?$tmp['userid']:1); if(is_array($mailusers)) { foreach($mailusers as $rec) { @@ -74,7 +80,7 @@ class mail_mail_domain_plugin { } //* Update the aliases - $forwardings = $app->db->queryAllRecords("SELECT * FROM mail_forwarding WHERE source like '%@".$app->db->quote($page_form->oldDataRecord['domain'])."' OR destination like '%@".$app->db->quote($page_form->oldDataRecord['domain'])."'"); + $forwardings = $app->db->queryAllRecords("SELECT * FROM mail_forwarding WHERE source LIKE ? OR destination LIKE ?", "%@" . $page_form->oldDataRecord['domain'], "%@" . $page_form->oldDataRecord['domain']); if(is_array($forwardings)) { foreach($forwardings as $rec) { $destination = $app->db->quote(str_replace($page_form->oldDataRecord['domain'], $page_form->dataRecord['domain'], $rec['destination'])); @@ -84,7 +90,7 @@ class mail_mail_domain_plugin { } //* Update the mailinglist - $mailing_lists = $app->db->queryAllRecords("SELECT mailinglist_id FROM mail_mailinglist WHERE domain = '".$app->db->quote($page_form->oldDataRecord['domain'])."'"); + $mailing_lists = $app->db->queryAllRecords("SELECT mailinglist_id FROM mail_mailinglist WHERE domain = ?", $page_form->oldDataRecord['domain']); if(is_array($mailing_lists)) { foreach($mailing_lists as $rec) { $app->db->datalogUpdate('mail_mailinglist', "sys_userid = $client_user_id, sys_groupid = '$sys_groupid'", 'mailinglist_id', $rec['mailinglist_id']); @@ -92,7 +98,7 @@ class mail_mail_domain_plugin { } //* Update the mailget records - $mail_gets = $app->db->queryAllRecords("SELECT mailget_id, destination FROM mail_get WHERE destination LIKE '%@".$app->db->quote($page_form->oldDataRecord['domain'])."'"); + $mail_gets = $app->db->queryAllRecords("SELECT mailget_id, destination FROM mail_get WHERE destination LIKE ?", "%@" . $page_form->oldDataRecord['domain']); if(is_array($mail_gets)) { foreach($mail_gets as $rec) { $destination = $app->db->quote(str_replace($page_form->oldDataRecord['domain'], $page_form->dataRecord['domain'], $rec['destination'])); @@ -102,11 +108,11 @@ class mail_mail_domain_plugin { if ($page_form->oldDataRecord["domain"] != $page_form->dataRecord['domain']) { //* Delete the old spamfilter record - $tmp = $app->db->queryOneRecord("SELECT id FROM spamfilter_users WHERE email = '@".$app->db->quote($page_form->oldDataRecord["domain"])."'"); + $tmp = $app->db->queryOneRecord("SELECT id FROM spamfilter_users WHERE email = ?", "@" . $page_form->oldDataRecord["domain"]); $app->db->datalogDelete('spamfilter_users', 'id', $tmp["id"]); unset($tmp); } - $app->db->query("UPDATE spamfilter_users SET email=REPLACE(email, '".$app->db->quote($page_form->oldDataRecord['domain'])."', '".$app->db->quote($page_form->dataRecord['domain'])."'), sys_userid = $client_user_id, sys_groupid = $sys_groupid WHERE email LIKE '%@".$app->db->quote($page_form->oldDataRecord['domain'])."'"); + $app->db->query("UPDATE spamfilter_users SET email=REPLACE(email, ?, ?), sys_userid = ?, sys_groupid = ? WHERE email LIKE ?", $page_form->oldDataRecord['domain'], $page_form->dataRecord['domain'], $client_user_id, $sys_groupid, "%@" . $page_form->oldDataRecord['domain']); } // end if domain name changed } diff --git a/interface/lib/plugins/mail_user_filter_plugin.inc.php b/interface/lib/plugins/mail_user_filter_plugin.inc.php index 8faeab5e83..d5a44305c6 100644 --- a/interface/lib/plugins/mail_user_filter_plugin.inc.php +++ b/interface/lib/plugins/mail_user_filter_plugin.inc.php @@ -61,7 +61,7 @@ class mail_user_filter_plugin { function mail_user_filter_edit($event_name, $page_form) { global $app, $conf; - $mailuser = $app->db->queryOneRecord("SELECT custom_mailfilter FROM mail_user WHERE mailuser_id = ".$page_form->dataRecord["mailuser_id"]); + $mailuser = $app->db->queryOneRecord("SELECT custom_mailfilter FROM mail_user WHERE mailuser_id = ?", $page_form->dataRecord["mailuser_id"]); $skip = false; $lines = explode("\n", $mailuser['custom_mailfilter']); $out = ''; @@ -95,7 +95,7 @@ class mail_user_filter_plugin { function mail_user_filter_del($event_name, $page_form) { global $app, $conf; - $mailuser = $app->db->queryOneRecord("SELECT custom_mailfilter FROM mail_user WHERE mailuser_id = ".$page_form->dataRecord["mailuser_id"]); + $mailuser = $app->db->queryOneRecord("SELECT custom_mailfilter FROM mail_user WHERE mailuser_id = ?", $page_form->dataRecord["mailuser_id"]); $skip = false; $lines = explode("\n", $mailuser['custom_mailfilter']); $out = ''; @@ -124,7 +124,7 @@ class mail_user_filter_plugin { global $app, $conf; $app->uses("getconf"); - $mailuser_rec = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE mailuser_id = ".$app->functions->intval($page_form->dataRecord["mailuser_id"])); + $mailuser_rec = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE mailuser_id = ?", $page_form->dataRecord["mailuser_id"]); $mail_config = $app->getconf->get_server_config($app->functions->intval($mailuser_rec["server_id"]), 'mail'); if($mail_config['mail_filter_syntax'] == 'sieve') { diff --git a/interface/lib/plugins/sites_web_database_user_plugin.inc.php b/interface/lib/plugins/sites_web_database_user_plugin.inc.php index 1a880a1b10..754c249ab9 100644 --- a/interface/lib/plugins/sites_web_database_user_plugin.inc.php +++ b/interface/lib/plugins/sites_web_database_user_plugin.inc.php @@ -31,13 +31,12 @@ class sites_web_database_user_plugin { // also make sure that the user can not delete entry created by an admin if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $app->db->query("UPDATE web_database_user SET sys_groupid = $client_group_id, sys_perm_group = 'ru' WHERE database_user_id = ".$page_form->id); + $app->db->query("UPDATE web_database_user SET sys_groupid = ?, sys_perm_group = 'ru' WHERE database_user_id = ?", $client_group_id, $page_form->id); } if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $app->db->query("UPDATE web_database_user SET sys_groupid = $client_group_id, sys_perm_group = 'riud' WHERE database_user_id = ".$page_form->id); + $app->db->query("UPDATE web_database_user SET sys_groupid = ?, sys_perm_group = 'riud' WHERE database_user_id = ?", $client_group_id, $page_form->id); } - //$app->db->query("UPDATE web_database_user SET server_id = '" . $app->functions->intval($conf['server_id']) . "' WHERE database_user_id = ".$page_form->id); } } diff --git a/interface/lib/plugins/sites_web_vhost_domain_plugin.inc.php b/interface/lib/plugins/sites_web_vhost_domain_plugin.inc.php index b65c05bf2c..3fce00ba32 100644 --- a/interface/lib/plugins/sites_web_vhost_domain_plugin.inc.php +++ b/interface/lib/plugins/sites_web_vhost_domain_plugin.inc.php @@ -51,11 +51,11 @@ class sites_web_vhost_domain_plugin { // also make sure that the user can not delete domain created by a admin if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $app->db->query("UPDATE web_domain SET sys_groupid = $client_group_id, sys_perm_group = 'ru' WHERE domain_id = ".$page_form->id); + $app->db->query("UPDATE web_domain SET sys_groupid = ?, sys_perm_group = 'ru' WHERE domain_id = ?", $client_group_id, $page_form->id); } if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]); - $app->db->query("UPDATE web_domain SET sys_groupid = $client_group_id, sys_perm_group = 'riud' WHERE domain_id = ".$page_form->id); + $app->db->query("UPDATE web_domain SET sys_groupid = ?, sys_perm_group = 'riud' WHERE domain_id = ?", $client_group_id, $page_form->id); } // Get configuration for the web system $app->uses("getconf"); @@ -73,15 +73,15 @@ class sites_web_vhost_domain_plugin { // get the ID of the client if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ?", $client_group_id); $client_id = $app->functions->intval($client["client_id"]); } elseif (isset($page_form->dataRecord["client_group_id"])) { $client_group_id = $page_form->dataRecord["client_group_id"]; - $client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ".$app->functions->intval(@$page_form->dataRecord["client_group_id"])); + $client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ?", $app->functions->intval(@$page_form->dataRecord["client_group_id"])); $client_id = $app->functions->intval($client["client_id"]); } else { $client_group_id = $page_form->dataRecord["client_group_id"]; - $client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ".$app->functions->intval($page_form->dataRecord["client_group_id"])); + $client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ?", $app->functions->intval($page_form->dataRecord["client_group_id"])); $client_id = $app->functions->intval($client["client_id"]); } @@ -89,24 +89,23 @@ class sites_web_vhost_domain_plugin { $client_user_id = $app->functions->intval(($tmp['userid'] > 0)?$tmp['userid']:1); // Set the values for document_root, system_user and system_group - $system_user = $app->db->quote('web'.$page_form->id); - $system_group = $app->db->quote('client'.$client_id); + $system_user = 'web'.$page_form->id; + $system_group = 'client'.$client_id; $document_root = str_replace("[client_id]", $client_id, $document_root); $document_root = str_replace("[client_idhash_1]", $this->id_hash($client_id, 1), $document_root); $document_root = str_replace("[client_idhash_2]", $this->id_hash($client_id, 2), $document_root); $document_root = str_replace("[client_idhash_3]", $this->id_hash($client_id, 3), $document_root); $document_root = str_replace("[client_idhash_4]", $this->id_hash($client_id, 4), $document_root); - $document_root = $app->db->quote($document_root); if($event_name == 'sites:web_vhost_domain:on_after_update') { if(($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) && isset($page_form->dataRecord["client_group_id"]) && $page_form->dataRecord["client_group_id"] != $page_form->oldDataRecord["sys_groupid"]) { - $sql = "UPDATE web_domain SET system_user = '$system_user', system_group = '$system_group', document_root = '$document_root' WHERE domain_id = ".$page_form->id; - $app->db->query($sql); + $sql = "UPDATE web_domain SET system_user = ?, system_group = ?, document_root = ? WHERE domain_id = ?"; + $app->db->query($sql, $system_user, $system_group, $document_root, $page_form->id); // Update the FTP user(s) too - $records = $app->db->queryAllRecords("SELECT ftp_user_id FROM ftp_user WHERE parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT ftp_user_id FROM ftp_user WHERE parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('ftp_user', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."', uid = '$system_user', gid = '$system_group', dir = '$document_root'", 'ftp_user_id', $app->functions->intval($rec['ftp_user_id'])); } @@ -114,7 +113,7 @@ class sites_web_vhost_domain_plugin { unset($rec); // Update the webdav user(s) too - $records = $app->db->queryAllRecords("SELECT webdav_user_id FROM webdav_user WHERE parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT webdav_user_id FROM webdav_user WHERE parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('webdav_user', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."'", 'webdav_user_id', $app->functions->intval($rec['webdav_user_id'])); } @@ -122,7 +121,7 @@ class sites_web_vhost_domain_plugin { unset($rec); // Update the web folder(s) too - $records = $app->db->queryAllRecords("SELECT web_folder_id FROM web_folder WHERE parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT web_folder_id FROM web_folder WHERE parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('web_folder', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."'", 'web_folder_id', $app->functions->intval($rec['web_folder_id'])); } @@ -130,7 +129,7 @@ class sites_web_vhost_domain_plugin { unset($rec); //* Update all web folder users - $records = $app->db->queryAllRecords("SELECT web_folder_user.web_folder_user_id FROM web_folder_user, web_folder WHERE web_folder_user.web_folder_id = web_folder.web_folder_id AND web_folder.parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT web_folder_user.web_folder_user_id FROM web_folder_user, web_folder WHERE web_folder_user.web_folder_id = web_folder.web_folder_id AND web_folder.parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('web_folder_user', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."'", 'web_folder_user_id', $app->functions->intval($rec['web_folder_user_id'])); } @@ -138,7 +137,7 @@ class sites_web_vhost_domain_plugin { unset($rec); // Update the Shell user(s) too - $records = $app->db->queryAllRecords("SELECT shell_user_id FROM shell_user WHERE parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT shell_user_id FROM shell_user WHERE parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('shell_user', "sys_userid = '".$web_rec['sys_userid']."', sys_groupid = '".$web_rec['sys_groupid']."', puser = '$system_user', pgroup = '$system_group', dir = '$document_root'", 'shell_user_id', $app->functions->intval($rec['shell_user_id'])); } @@ -146,7 +145,7 @@ class sites_web_vhost_domain_plugin { unset($rec); // Update the cron(s) too - $records = $app->db->queryAllRecords("SELECT id FROM cron WHERE parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT id FROM cron WHERE parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('cron', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."'", 'id', $app->functions->intval($rec['id'])); } @@ -154,7 +153,7 @@ class sites_web_vhost_domain_plugin { unset($rec); //* Update all subdomains and alias domains - $records = $app->db->queryAllRecords("SELECT domain_id, `domain`, `type`, `web_folder` FROM web_domain WHERE parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT domain_id, `domain`, `type`, `web_folder` FROM web_domain WHERE parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $update_columns = "sys_userid = '".$web_rec['sys_userid']."', sys_groupid = '".$web_rec['sys_groupid']."'"; if($rec['type'] == 'vhostsubdomain' || $rec['type'] == 'vhostalias') { @@ -171,13 +170,13 @@ class sites_web_vhost_domain_plugin { unset($rec); //* Update all databases - $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('web_database', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."'", 'database_id', $app->functions->intval($rec['database_id'])); } //* Update all database users - $records = $app->db->queryAllRecords("SELECT web_database_user.database_user_id FROM web_database_user, web_database WHERE web_database_user.database_user_id IN (web_database.database_user_id, web_database.database_ro_user_id) AND web_database.parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT web_database_user.database_user_id FROM web_database_user, web_database WHERE web_database_user.database_user_id IN (web_database.database_user_id, web_database.database_ro_user_id) AND web_database.parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('web_database_user', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."'", 'database_user_id', $app->functions->intval($rec['database_user_id'])); } @@ -185,7 +184,7 @@ class sites_web_vhost_domain_plugin { unset($rec); // Update APS instances - $records = $app->db->queryAllRecords("SELECT instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = '".$app->db->quote($page_form->oldDataRecord["domain"])."'"); + $records = $app->db->queryAllRecords("SELECT instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = ?", $page_form->oldDataRecord["domain"]); if(is_array($records) && !empty($records)){ foreach($records as $rec){ $app->db->datalogUpdate('aps_instances', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."', customer_id = '".$app->functions->intval($client_id)."'", 'id', $rec['instance_id']); @@ -198,7 +197,7 @@ class sites_web_vhost_domain_plugin { //* If the domain name has been changed, we will have to change all subdomains + APS instances if(!empty($page_form->dataRecord["domain"]) && !empty($page_form->oldDataRecord["domain"]) && $page_form->dataRecord["domain"] != $page_form->oldDataRecord["domain"]) { - $records = $app->db->queryAllRecords("SELECT domain_id,domain FROM web_domain WHERE (type = 'subdomain' OR type = 'vhostsubdomain' OR type = 'vhostalias') AND domain LIKE '%.".$app->db->quote($page_form->oldDataRecord["domain"])."'"); + $records = $app->db->queryAllRecords("SELECT domain_id,domain FROM web_domain WHERE (type = 'subdomain' OR type = 'vhostsubdomain' OR type = 'vhostalias') AND domain LIKE ?", "%." . $page_form->oldDataRecord["domain"]); foreach($records as $rec) { $subdomain = $app->db->quote(str_replace($page_form->oldDataRecord["domain"], $page_form->dataRecord["domain"], $rec['domain'])); $app->db->datalogUpdate('web_domain', "domain = '".$subdomain."'", 'domain_id', $rec['domain_id']); @@ -208,7 +207,7 @@ class sites_web_vhost_domain_plugin { unset($subdomain); // Update APS instances - $records = $app->db->queryAllRecords("SELECT id, instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = '".$app->db->quote($page_form->oldDataRecord["domain"])."'"); + $records = $app->db->queryAllRecords("SELECT id, instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = ?", $page_form->oldDataRecord["domain"]); if(is_array($records) && !empty($records)){ foreach($records as $rec){ $app->db->datalogUpdate('aps_instances_settings', "value = '".$app->db->quote($page_form->dataRecord["domain"])."'", 'id', $rec['id']); @@ -220,8 +219,8 @@ class sites_web_vhost_domain_plugin { //* Set allow_override if empty if($web_rec['allow_override'] == '') { - $sql = "UPDATE web_domain SET allow_override = '".$app->db->quote($web_config["htaccess_allow_override"])."' WHERE domain_id = ".$page_form->id; - $app->db->query($sql); + $sql = "UPDATE web_domain SET allow_override = ? WHERE domain_id = ?"; + $app->db->query($sql, $web_config["htaccess_allow_override"], $page_form->id); } //* Set php_open_basedir if empty or domain or client has been changed @@ -229,16 +228,16 @@ class sites_web_vhost_domain_plugin { (!empty($page_form->dataRecord["domain"]) && !empty($page_form->oldDataRecord["domain"]) && $page_form->dataRecord["domain"] != $page_form->oldDataRecord["domain"])) { $php_open_basedir = $web_rec['php_open_basedir']; $php_open_basedir = $app->db->quote(str_replace($page_form->oldDataRecord['domain'], $web_rec['domain'], $php_open_basedir)); - $sql = "UPDATE web_domain SET php_open_basedir = '$php_open_basedir' WHERE domain_id = ".$page_form->id; - $app->db->query($sql); + $sql = "UPDATE web_domain SET php_open_basedir = ? WHERE domain_id = ?"; + $app->db->query($sql, $php_open_basedir, $page_form->id); } if(empty($web_rec['php_open_basedir']) || (isset($page_form->dataRecord["client_group_id"]) && $page_form->dataRecord["client_group_id"] != $page_form->oldDataRecord["sys_groupid"])) { $document_root = $app->db->quote(str_replace("[client_id]", $client_id, $document_root)); $php_open_basedir = str_replace("[website_path]", $document_root, $web_config["php_open_basedir"]); $php_open_basedir = $app->db->quote(str_replace("[website_domain]", $web_rec['domain'], $php_open_basedir)); - $sql = "UPDATE web_domain SET php_open_basedir = '$php_open_basedir' WHERE domain_id = ".$page_form->id; - $app->db->query($sql); + $sql = "UPDATE web_domain SET php_open_basedir = ? WHERE domain_id = ?"; + $app->db->query($sql, $php_open_basedir, $page_form->id); } //* Change database backup options when web backup options have been changed @@ -258,7 +257,7 @@ class sites_web_vhost_domain_plugin { //* Change vhost subdomain and alias ip/ipv6 if domain ip/ipv6 has changed if(isset($page_form->dataRecord['ip_address']) && ($page_form->dataRecord['ip_address'] != $page_form->oldDataRecord['ip_address'] || $page_form->dataRecord['ipv6_address'] != $page_form->oldDataRecord['ipv6_address'])) { - $records = $app->db->queryAllRecords("SELECT domain_id FROM web_domain WHERE (type = 'vhostsubdomain' OR type = 'vhostalias') AND parent_domain_id = ".$page_form->id); + $records = $app->db->queryAllRecords("SELECT domain_id FROM web_domain WHERE (type = 'vhostsubdomain' OR type = 'vhostalias') AND parent_domain_id = ?", $page_form->id); foreach($records as $rec) { $app->db->datalogUpdate('web_domain', "ip_address = '".$app->db->quote($web_rec['ip_address'])."', ipv6_address = '".$app->db->quote($web_rec['ipv6_address'])."'", 'domain_id', $rec['domain_id']); } @@ -267,27 +266,27 @@ class sites_web_vhost_domain_plugin { } } else { $php_open_basedir = str_replace("[website_path]", $document_root, $web_config["php_open_basedir"]); - $php_open_basedir = $app->db->quote(str_replace("[website_domain]", $page_form->dataRecord['domain'], $php_open_basedir)); - - $htaccess_allow_override = $app->db->quote($web_config["htaccess_allow_override"]); - $sql = "UPDATE web_domain SET system_user = '$system_user', system_group = '$system_group', document_root = '$document_root', allow_override = '$htaccess_allow_override', php_open_basedir = '$php_open_basedir' WHERE domain_id = ".$page_form->id; - $app->db->query($sql); + $php_open_basedir = str_replace("[website_domain]", $page_form->dataRecord['domain'], $php_open_basedir); + $htaccess_allow_override = $web_config["htaccess_allow_override"]; + + $sql = "UPDATE web_domain SET system_user = ?, system_group = ?, document_root = ?, allow_override = ?, php_open_basedir = ? WHERE domain_id = ?"; + $app->db->query($sql, $system_user, $system_group, $document_root, $htaccess_allow_override, $php_open_basedir, $page_form->id); } } else { if(isset($page_form->dataRecord["parent_domain_id"]) && $page_form->dataRecord["parent_domain_id"] != $page_form->oldDataRecord["parent_domain_id"]) { - $parent_domain = $app->db->queryOneRecord("SELECT * FROM `web_domain` WHERE `domain_id` = '" . $app->functions->intval($page_form->dataRecord['parent_domain_id']) . "'"); + $parent_domain = $app->db->queryOneRecord("SELECT * FROM `web_domain` WHERE `domain_id` = ?", $page_form->dataRecord['parent_domain_id']); // Set the values for document_root, system_user and system_group - $system_user = $app->db->quote($parent_domain['system_user']); - $system_group = $app->db->quote($parent_domain['system_group']); - $document_root = $app->db->quote($parent_domain['document_root']); + $system_user = $parent_domain['system_user']; + $system_group = $parent_domain['system_group']; + $document_root = $parent_domain['document_root']; $php_open_basedir = str_replace("[website_path]/web", $document_root.'/'.$page_form->dataRecord['web_folder'], $web_config["php_open_basedir"]); $php_open_basedir = str_replace("[website_domain]/web", $page_form->dataRecord['domain'].'/'.$page_form->dataRecord['web_folder'], $php_open_basedir); $php_open_basedir = str_replace("[website_path]", $document_root, $php_open_basedir); - $php_open_basedir = $app->db->quote(str_replace("[website_domain]", $page_form->dataRecord['domain'], $php_open_basedir)); - $htaccess_allow_override = $app->db->quote($parent_domain['allow_override']); - $sql = "UPDATE web_domain SET sys_groupid = ".$app->functions->intval($parent_domain['sys_groupid']).",system_user = '$system_user', system_group = '$system_group', document_root = '$document_root', allow_override = '$htaccess_allow_override', php_open_basedir = '$php_open_basedir' WHERE domain_id = ".$page_form->id; - $app->db->query($sql); + $php_open_basedir = str_replace("[website_domain]", $page_form->dataRecord['domain'], $php_open_basedir); + $htaccess_allow_override = $parent_domain['allow_override']; + $sql = "UPDATE web_domain SET sys_groupid = ?,system_user = ?, system_group = ?, document_root = ?, allow_override = ?, php_open_basedir = ? WHERE domain_id = ?"; + $app->db->query($sql, $parent_domain['sys_groupid'], $system_user, $system_group, $document_root, $htaccess_allow_override, $php_open_basedir, $page_form->id); } } } diff --git a/interface/lib/plugins/vm_openvz_plugin.inc.php b/interface/lib/plugins/vm_openvz_plugin.inc.php index fd44205562..278a87de31 100644 --- a/interface/lib/plugins/vm_openvz_plugin.inc.php +++ b/interface/lib/plugins/vm_openvz_plugin.inc.php @@ -41,24 +41,24 @@ class vm_openvz_plugin { // also make sure that the user can not delete domain created by a admin if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($this->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]); - $app->db->query("UPDATE openvz_vm SET sys_groupid = $client_group_id WHERE vm_id = ".$this->id); + $app->db->query("UPDATE openvz_vm SET sys_groupid = ? WHERE vm_id = ?", $client_group_id, $this->id); } if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($this->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]); - $app->db->query("UPDATE openvz_vm SET sys_groupid = $client_group_id WHERE vm_id = ".$this->id); + $app->db->query("UPDATE openvz_vm SET sys_groupid = ? WHERE vm_id = ?", $client_group_id, $this->id); } // Set the VEID $tmp = $app->db->queryOneRecord('SELECT MAX(veid) + 1 as newveid FROM openvz_vm'); $veid = ($tmp['newveid'] > 100)?$tmp['newveid']:101; - $app->db->query("UPDATE openvz_vm SET veid = ".$veid." WHERE vm_id = ".$this->id); + $app->db->query("UPDATE openvz_vm SET veid = ? WHERE vm_id = ?", $veid, $this->id); unset($tmp); // Apply template values to the advanced tab settings $this->applyTemplate(); // Set the IP address - $app->db->query("UPDATE openvz_ip SET vm_id = ".$this->id." WHERE ip_address = '".$app->db->quote($this->dataRecord['ip_address'])."'"); + $app->db->query("UPDATE openvz_ip SET vm_id = ? WHERE ip_address = ?", $this->id, $this->dataRecord['ip_address']); // Create the OpenVZ config file and store it in config field $this->makeOpenVZConfig(); @@ -82,11 +82,11 @@ class vm_openvz_plugin { // also make sure that the user can not delete domain created by a admin if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($this->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]); - $app->db->query("UPDATE openvz_vm SET sys_groupid = $client_group_id WHERE vm_id = ".$this->id); + $app->db->query("UPDATE openvz_vm SET sys_groupid = ? WHERE vm_id = ?", $client_group_id, $this->id); } if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($this->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]); - $app->db->query("UPDATE openvz_vm SET sys_groupid = $client_group_id WHERE vm_id = ".$this->id); + $app->db->query("UPDATE openvz_vm SET sys_groupid = ? WHERE vm_id = ?", $client_group_id, $this->id); } if(isset($this->dataRecord["ostemplate_id"]) && $this->oldDataRecord["ostemplate_id"] != $this->dataRecord["ostemplate_id"]) { @@ -94,7 +94,7 @@ class vm_openvz_plugin { } // Set the IP address - if(isset($this->dataRecord['ip_address'])) $app->db->query("UPDATE openvz_ip SET vm_id = ".$this->id." WHERE ip_address = '".$app->db->quote($this->dataRecord['ip_address'])."'"); + if(isset($this->dataRecord['ip_address'])) $app->db->query("UPDATE openvz_ip SET vm_id = ? WHERE ip_address = ?", $this->id, $this->dataRecord['ip_address']); // Create the OpenVZ config file and store it in config field $this->makeOpenVZConfig(); @@ -111,7 +111,7 @@ class vm_openvz_plugin { global $app, $conf; //* Free the IP address - $tmp = $app->db->queryOneRecord("SELECT ip_address_id FROM openvz_ip WHERE vm_id = ".$app->functions->intval($page_form->id)); + $tmp = $app->db->queryOneRecord("SELECT ip_address_id FROM openvz_ip WHERE vm_id = ?", $page_form->id); $app->db->datalogUpdate('openvz_ip', 'vm_id = 0', 'ip_address_id', $tmp['ip_address_id']); unset($tmp); @@ -120,29 +120,29 @@ class vm_openvz_plugin { private function applyTemplate() { global $app, $conf; - $tpl = $app->db->queryOneRecord("SELECT * FROM openvz_template WHERE template_id = ".$app->functions->intval($this->dataRecord["template_id"])); + $tpl = $app->db->queryOneRecord("SELECT * FROM openvz_template WHERE template_id = ?", $this->dataRecord["template_id"]); $sql = "UPDATE openvz_vm SET "; - $sql .= "diskspace = '".$app->db->quote($tpl['diskspace'])."', "; - $sql .= "ram = '".$app->db->quote($tpl['ram'])."', "; - $sql .= "ram_burst = '".$app->db->quote($tpl['ram_burst'])."', "; - $sql .= "cpu_units = '".$app->db->quote($tpl['cpu_units'])."', "; - $sql .= "cpu_num = '".$app->db->quote($tpl['cpu_num'])."', "; - $sql .= "cpu_limit = '".$app->db->quote($tpl['cpu_limit'])."', "; - $sql .= "io_priority = '".$app->db->quote($tpl['io_priority'])."', "; - $sql .= "nameserver = '".$app->db->quote($tpl['nameserver'])."', "; - $sql .= "create_dns = '".$app->db->quote($tpl['create_dns'])."', "; - $sql .= "capability = '".$app->db->quote($tpl['capability'])."' "; - $sql .= "WHERE vm_id = ".$app->functions->intval($this->id); - $app->db->query($sql); + $sql .= "diskspace = ?, "; + $sql .= "ram = ?, "; + $sql .= "ram_burst = ?, "; + $sql .= "cpu_units = ?, "; + $sql .= "cpu_num = ?, "; + $sql .= "cpu_limit = ?, "; + $sql .= "io_priority = ?, "; + $sql .= "nameserver = ?, "; + $sql .= "create_dns = ?, "; + $sql .= "capability = ? "; + $sql .= "WHERE vm_id = ?"; + $app->db->query($sql, $tpl['diskspace'], $tpl['ram'], $tpl['ram_burst'], $tpl['cpu_units'], $tpl['cpu_num'], $tpl['cpu_limit'], $tpl['io_priority'], $tpl['nameserver'], $tpl['create_dns'], $tpl['capability'], $this->id); } private function makeOpenVZConfig() { global $app, $conf; - $vm = $app->db->queryOneRecord("SELECT * FROM openvz_vm WHERE vm_id = ".$app->functions->intval($this->id)); - $vm_template = $app->db->queryOneRecord("SELECT * FROM openvz_template WHERE template_id = ".$app->functions->intval($vm['template_id'])); + $vm = $app->db->queryOneRecord("SELECT * FROM openvz_vm WHERE vm_id = ?",$app->functions->intval($this->id)); + $vm_template = $app->db->queryOneRecord("SELECT * FROM openvz_template WHERE template_id = ?",$app->functions->intval($vm['template_id'])); $burst_ram = $vm['ram_burst']*256; $guar_ram = $vm['ram']*256; @@ -194,12 +194,12 @@ class vm_openvz_plugin { $tpl->setVar('nameserver', $vm['nameserver']); $tpl->setVar('capability', $vm['capability']); - $tmp = $app->db->queryOneRecord("SELECT template_file FROM openvz_ostemplate WHERE ostemplate_id = ".$app->functions->intval($vm['ostemplate_id'])); + $tmp = $app->db->queryOneRecord("SELECT template_file FROM openvz_ostemplate WHERE ostemplate_id = ?", $app->functions->intval($vm['ostemplate_id'])); $tpl->setVar('ostemplate', $tmp['template_file']); unset($tmp); - $openvz_config = $app->db->quote($tpl->grab()); - $app->db->query("UPDATE openvz_vm SET config = '".$openvz_config."' WHERE vm_id = ".$app->functions->intval($this->id)); + $openvz_config = $tpl->grab(); + $app->db->query("UPDATE openvz_vm SET config = ? WHERE vm_id = ?", $openvz_config, $app->functions->intval($this->id)); unset($tpl); @@ -208,7 +208,7 @@ class vm_openvz_plugin { private function createDNS() { global $app, $conf; - $vm = $app->db->queryOneRecord("SELECT * FROM openvz_vm WHERE vm_id = ".$app->functions->intval($this->id)); + $vm = $app->db->queryOneRecord("SELECT * FROM openvz_vm WHERE vm_id = ?", $app->functions->intval($this->id)); if($vm['create_dns'] != 'y') return; @@ -220,8 +220,8 @@ class vm_openvz_plugin { unset($hostname_parts); // Find the dns zone - $zone_rec = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE origin = '".$app->db->quote($zone).".'"); - $rr_rec = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = '".$app->functions->intval($zone_rec['id'])."' AND name = '".$app->db->quote($hostname)."'"); + $zone_rec = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE origin = ?", $zone); + $rr_rec = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ? AND name = ?", $zone_rec['id'], $hostname); if($zone_rec['id'] > 0) { $ip_address = $app->db->quote($vm['ip_address']); diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php index 6c29f766d1..4dd26afbf6 100644 --- a/interface/web/admin/firewall_edit.php +++ b/interface/web/admin/firewall_edit.php @@ -56,7 +56,7 @@ class page_action extends tform_actions { //* Check if the server has been changed // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway if($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) { - $rec = $app->db->queryOneRecord("SELECT server_id from firewall WHERE firewall_id = ".$this->id); + $rec = $app->db->queryOneRecord("SELECT server_id from firewall WHERE firewall_id = ?", $this->id); if($rec['server_id'] != $this->dataRecord["server_id"]) { //* Add a error message and switch back to old server $app->tform->errorMessage .= $app->lng('The Server can not be changed.'); diff --git a/interface/web/admin/remote_action_ispcupdate.php b/interface/web/admin/remote_action_ispcupdate.php index 32bf0c4333..2634006658 100644 --- a/interface/web/admin/remote_action_ispcupdate.php +++ b/interface/web/admin/remote_action_ispcupdate.php @@ -80,15 +80,8 @@ if (1 == 0 && isset($_POST['server_select'])) { } foreach ($servers as $serverId) { $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - $app->functions->intval($serverId) . ", " . - time() . ", " . - "'ispc_update', " . - "'', " . - "'pending', " . - "''" . - ")"; - $app->db->query($sql); + "VALUES (?, UNIX_TIMESTAMP(), 'ispc_update', '', 'pending', '')"; + $app->db->query($sql, $serverId); } $msg = $wb['action_scheduled']; } diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php index 61c6c23823..8f48e29f2d 100644 --- a/interface/web/admin/remote_action_osupdate.php +++ b/interface/web/admin/remote_action_osupdate.php @@ -76,15 +76,8 @@ if (isset($_POST['server_select'])) { } foreach ($servers as $serverId) { $sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " . - "VALUES (". - $app->functions->intval($serverId) . ", " . - time() . ", " . - "'os_update', " . - "'', " . - "'pending', " . - "''" . - ")"; - $app->db->query($sql); + "VALUES (?, UNIX_TIMESTAMP(), 'os_update', '', 'pending', '')"; + $app->db->query($sql, $serverId); } $msg = $wb['action_scheduled']; } diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php index 0adf313181..c2e746d5c5 100644 --- a/interface/web/admin/server_edit.php +++ b/interface/web/admin/server_edit.php @@ -55,8 +55,8 @@ class page_action extends tform_actions { global $app, $conf; // Getting Servers - $sql = "SELECT server_id,server_name FROM server WHERE server_id != ".$app->functions->intval($this->id)." ORDER BY server_name"; - $mirror_servers = $app->db->queryAllRecords($sql); + $sql = "SELECT server_id,server_name FROM server WHERE server_id != ? ORDER BY server_name"; + $mirror_servers = $app->db->queryAllRecords($sql, $this->id); $mirror_server_select = ''; if(is_array($mirror_servers)) { foreach( $mirror_servers as $mirror_server) { diff --git a/interface/web/admin/server_ip_edit.php b/interface/web/admin/server_ip_edit.php index c20f752b86..f7872f4438 100644 --- a/interface/web/admin/server_ip_edit.php +++ b/interface/web/admin/server_ip_edit.php @@ -57,7 +57,7 @@ class page_action extends tform_actions { //* Check if the server has been changed // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway if($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) { - $rec = $app->db->queryOneRecord("SELECT server_id from server_ip WHERE server_ip_id = ".$app->functions->intval($this->id)); + $rec = $app->db->queryOneRecord("SELECT server_id from server_ip WHERE server_ip_id = ?", $this->id); if($rec['server_id'] != $this->dataRecord["server_id"]) { //* Add a error message and switch back to old server $app->tform->errorMessage .= $app->lng('The Server can not be changed.'); diff --git a/interface/web/admin/server_php_edit.php b/interface/web/admin/server_php_edit.php index f60ae997a0..12aacf60b9 100644 --- a/interface/web/admin/server_php_edit.php +++ b/interface/web/admin/server_php_edit.php @@ -57,7 +57,7 @@ class page_action extends tform_actions { //* Check if the server has been changed // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway if(($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) && isset($this->dataRecord["server_id"])) { - $rec = $app->db->queryOneRecord("SELECT server_id from server_php WHERE server_php_id = ".$app->functions->intval($this->id)); + $rec = $app->db->queryOneRecord("SELECT server_id from server_php WHERE server_php_id = ?", $this->id); if($rec['server_id'] != $this->dataRecord["server_id"]) { //* Add a error message and switch back to old server $app->tform->errorMessage .= $app->lng('The Server can not be changed.'); diff --git a/interface/web/admin/software_package_install.php b/interface/web/admin/software_package_install.php index dd49f2e0b7..80e1fe6673 100644 --- a/interface/web/admin/software_package_install.php +++ b/interface/web/admin/software_package_install.php @@ -42,7 +42,7 @@ $package_name = $app->db->quote($_REQUEST['package']); $install_server_id = $app->functions->intval($_REQUEST['server_id']); $install_key = $app->db->quote(trim($_REQUEST['install_key'])); -$package = $app->db->queryOneRecord("SELECT * FROM software_package WHERE package_name = '$package_name'"); +$package = $app->db->queryOneRecord("SELECT * FROM software_package WHERE package_name = ?", $package_name); $install_key_verified = false; $message_err = ''; @@ -51,7 +51,7 @@ $message_ok = ''; //* verify the key if($package['package_installable'] == 'key' && $install_key != '') { - $repo = $app->db->queryOneRecord("SELECT * FROM software_repo WHERE software_repo_id = ".$app->db->quote($package['software_repo_id'])); + $repo = $app->db->queryOneRecord("SELECT * FROM software_repo WHERE software_repo_id = ?", $package['software_repo_id']); $client = new SoapClient(null, array('location' => $repo['repo_url'], 'uri' => $repo['repo_url'])); @@ -71,8 +71,8 @@ if($package['package_installable'] == 'key' && $install_key != '') { //* Install packages, if all requirements are fullfilled. if($install_server_id > 0 && $package_name != '' && ($package['package_installable'] == 'yes' || $install_key_verified == true)) { - $sql = "SELECT software_update_id, package_name, update_title FROM software_update WHERE type = 'full' AND package_name = '".$app->db->quote($package_name)."' ORDER BY v1 DESC, v2 DESC, v3 DESC, v4 DESC LIMIT 0,1"; - $tmp = $app->db->queryOneRecord($sql); + $sql = "SELECT software_update_id, package_name, update_title FROM software_update WHERE type = 'full' AND package_name = ? ORDER BY v1 DESC, v2 DESC, v3 DESC, v4 DESC LIMIT 0,1"; + $tmp = $app->db->queryOneRecord($sql, $package_name); $software_update_id = $tmp['software_update_id']; //* if package requires a DB and there is no data for a db in config, then we create this data now @@ -119,9 +119,8 @@ if($install_server_id > 0 && $package_name != '' && ($package['package_installab $app->db->datalogUpdate('software_package', "package_config = '".$app->db->quote($package_config_str)."'", 'package_id', $package['package_id']); $sql = "INSERT INTO `remote_user` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `remote_username`, `remote_password`, `remote_functions`) VALUES - (1, 1, 'riud', 'riud', '', '".$app->db->quote($remote_user)."', '".$app->db->quote($remote_password_md5)."', '".$app->db->quote($remote_functions)."');"; - - $app->db->query($sql); + (1, 1, 'riud', 'riud', '', ?, ?, ?)"; + $app->db->query($sql, $remote_user, $remote_password_md5, $remote_functions); } diff --git a/interface/web/admin/software_package_list.php b/interface/web/admin/software_package_list.php index f7bf25b9c2..c0c2f25176 100644 --- a/interface/web/admin/software_package_list.php +++ b/interface/web/admin/software_package_list.php @@ -49,7 +49,7 @@ if(is_array($repos) && isset($_GET['action']) && $_GET['action'] == 'repoupdate' if(is_array($packages)) { foreach($packages as $p) { $package_name = $app->db->quote($p['name']); - $tmp = $app->db->queryOneRecord("SELECT package_id FROM software_package WHERE package_name = '".$app->db->quote($package_name)."'"); + $tmp = $app->db->queryOneRecord("SELECT package_id FROM software_package WHERE package_name = ?", $package_name); $package_title = $app->db->quote($p['title']); $package_description = $app->db->quote($p['description']); @@ -60,14 +60,10 @@ if(is_array($repos) && isset($_GET['action']) && $_GET['action'] == 'repoupdate' $package_remote_functions = $app->db->quote($p['remote_functions']); if(empty($tmp['package_id'])) { - //$sql = "INSERT INTO software_package (software_repo_id, package_name, package_title, package_description,package_type,package_installable,package_requires_db) VALUES ($software_repo_id, '$package_name', '$package_title', '$package_description','$package_type','$package_installable','$package_requires_db')"; - //$app->db->query($sql); $insert_data = "(software_repo_id, package_name, package_title, package_description,package_type,package_installable,package_requires_db,package_remote_functions) VALUES ($software_repo_id, '$package_name', '$package_title', '$package_description','$package_type','$package_installable','$package_requires_db','$package_remote_functions')"; $app->db->datalogInsert('software_package', $insert_data, 'package_id'); $packages_added++; } else { - //$sql = "UPDATE software_package SET software_repo_id = $software_repo_id, package_title = '$package_title', package_description = '$package_description', package_type = '$package_type', package_installable = '$package_installable', package_requires_db = '$package_requires_db' WHERE package_name = '$package_name'"; - //$app->db->query($sql); $update_data = "software_repo_id = $software_repo_id, package_title = '$package_title', package_description = '$package_description', package_type = '$package_type', package_installable = '$package_installable', package_requires_db = '$package_requires_db', package_remote_functions = '$package_remote_functions'"; //echo $update_data; $app->db->datalogUpdate('software_package', $update_data, 'package_id', $tmp['package_id']); @@ -100,14 +96,9 @@ if(is_array($repos) && isset($_GET['action']) && $_GET['action'] == 'repoupdate' $type = $app->db->quote($u['type']); // Check that we do not have this update in the database yet - $sql = "SELECT * FROM software_update WHERE package_name = '$package_name' and v1 = '$v1' and v2 = '$v2' and v3 = '$v3' and v4 = '$v4'"; - $tmp = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM software_update WHERE package_name = ? and v1 = ? and v2 = ? and v3 = ? and v4 = ?"; + $tmp = $app->db->queryOneRecord($sql, $package_name, $v1, $v2, $v3, $v4); if(!isset($tmp['software_update_id'])) { - // Insert the update in the datbase - //$sql = "INSERT INTO software_update (software_repo_id, package_name, update_url, update_md5, update_dependencies, update_title, v1, v2, v3, v4, type) - //VALUES ($software_repo_id, '$package_name', '$update_url', '$update_md5', '$update_dependencies', '$update_title', '$v1', '$v2', '$v3', '$v4', '$type')"; - //die($sql); - //$app->db->query($sql); $insert_data = "(software_repo_id, package_name, update_url, update_md5, update_dependencies, update_title, v1, v2, v3, v4, type) VALUES ($software_repo_id, '$package_name', '$update_url', '$update_md5', '$update_dependencies', '$update_title', '$v1', '$v2', '$v3', '$v4', '$type')"; $app->db->datalogInsert('software_update', $insert_data, 'software_update_id'); @@ -120,23 +111,6 @@ if(is_array($repos) && isset($_GET['action']) && $_GET['action'] == 'repoupdate' } } -//* Install packages, if GET Request -/* -if(isset($_GET['action']) && $_GET['action'] == 'install' && $_GET['package'] != '' && $_GET['server_id'] > 0) { - $package_name = $app->db->quote($_GET['package']); - $server_id = $app->functions->intval($_GET['server_id']); - $sql = "SELECT software_update_id, package_name, update_title FROM software_update WHERE type = 'full' AND package_name = '$package_name' ORDER BY v1 DESC, v2 DESC, v3 DESC, v4 DESC LIMIT 0,1"; - $tmp = $app->db->queryOneRecord($sql); - $software_update_id = $tmp['software_update_id']; - - $insert_data = "(package_name, server_id, software_update_id, status) VALUES ('$package_name', '$server_id', '$software_update_id','installing')"; - // $insert_data = "(package_name, server_id, software_update_id, status) VALUES ('$package_name', '$server_id', '$software_update_id','installed')"; - $app->db->datalogInsert('software_update_inst', $insert_data, 'software_update_inst_id'); -} -*/ - - - // Show the list in the interface // Loading the template $app->uses('tpl'); @@ -150,7 +124,7 @@ if(is_array($packages) && count($packages) > 0) { foreach($packages as $key => $p) { $installed_txt = ''; foreach($servers as $s) { - $inst = $app->db->queryOneRecord("SELECT * FROM software_update, software_update_inst WHERE software_update_inst.software_update_id = software_update.software_update_id AND software_update_inst.package_name = '".$app->db->quote($p["package_name"])."' AND server_id = '".$app->functions->intval($s["server_id"])."'"); + $inst = $app->db->queryOneRecord("SELECT * FROM software_update, software_update_inst WHERE software_update_inst.software_update_id = software_update.software_update_id AND software_update_inst.package_name = ? AND server_id = ?", $p["package_name"], $s["server_id"]); $version = $inst['v1'].'.'.$inst['v2'].'.'.$inst['v3'].'.'.$inst['v4']; if($inst['status'] == 'installed') { diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php index 321c42bc13..e813ded74d 100644 --- a/interface/web/admin/software_update_list.php +++ b/interface/web/admin/software_update_list.php @@ -81,14 +81,14 @@ if(is_array($repos)) { $type = $app->db->quote($u['type']); // Check that we do not have this update in the database yet - $sql = "SELECT * FROM software_update WHERE package_name = '$package_name' and v1 = '$v1' and v2 = '$v2' and v3 = '$v3' and v4 = '$v4'"; - $tmp = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM software_update WHERE package_name = ? and v1 = ? and v2 = ? and v3 = ? and v4 = ?"; + $tmp = $app->db->queryOneRecord($sql, $package_name, $v1, $v2, $v3, $v4); if(!isset($tmp['software_update_id'])) { // Insert the update in the datbase $sql = "INSERT INTO software_update (software_repo_id, package_name, update_url, update_md5, update_dependencies, update_title, v1, v2, v3, v4, type) - VALUES ($software_repo_id, '$package_name', '$update_url', '$update_md5', '$update_dependencies', '$update_title', '$v1', '$v2', '$v3', '$v4', '$type')"; + VALUES ($software_repo_id, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; //die($sql); - $app->db->query($sql); + $app->db->query($sql, $package_name, $update_url, $update_md5, $update_dependencies, $update_title, $v1, $v2, $v3, $v4, $type); } } @@ -162,12 +162,12 @@ if(is_array($installed_packages)) { foreach($installed_packages as $ip) { // Get version number of the latest installed version - $sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ".$app->functions->intval($server_id)." ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1"; - $lu = $app->db->queryOneRecord($sql); + $sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ? ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1"; + $lu = $app->db->queryOneRecord($sql, $server_id); // Get all installable updates - $sql = "SELECT * FROM software_update WHERE v1 >= ".$app->functions->intval($lu['v1'])." AND v2 >= ".$app->functions->intval($lu['v2'])." AND v3 >= ".$app->functions->intval($lu['v3'])." AND v4 >= ".$app->functions->intval($lu['v4'])." AND package_name = '".$app->db->quote($ip['package_name'])."' ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC"; - $updates = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM software_update WHERE v1 >= ? AND v2 >= ? AND v3 >= ? AND v4 >= ? AND package_name = ? ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC"; + $updates = $app->db->queryAllRecords($sql, $lu['v1'], $lu['v2'], $lu['v3'], $lu['v4'], $ip['package_name']); //die($sql); if(is_array($updates)) { diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php index 7108f2707a..a9e5674901 100644 --- a/interface/web/admin/system_config_edit.php +++ b/interface/web/admin/system_config_edit.php @@ -165,8 +165,6 @@ class page_action extends tform_actions { $server_config_array[$section] = $new_config; $server_config_str = $app->ini_parser->get_ini_string($server_config_array); - //$sql = "UPDATE sys_ini SET config = '".$app->db->quote($server_config_str)."' WHERE sysini_id = 1"; - //if($conf['demo_mode'] != true) $app->db->query($sql); if($conf['demo_mode'] != true) $app->db->datalogUpdate('sys_ini', "config = '".$app->db->quote($server_config_str)."'", 'sysini_id', 1); /* @@ -190,21 +188,9 @@ class page_action extends tform_actions { if($server_config_array['misc']['maintenance_mode'] == 'y'){ //print_r($_SESSION); //echo $_SESSION['s']['id']; - $app->db->query("DELETE FROM sys_session WHERE session_id != '".$app->db->quote($_SESSION['s']['id'])."'"); + $app->db->query("DELETE FROM sys_session WHERE session_id != ?", $_SESSION['s']['id']); } } - - /* - function onAfterUpdate() { - if($this->_js_changed == true) { - // not the best way, but it works - header('Content-Type: text/html'); - print ''; - exit; - } - } - */ - } $app->tform_actions = new page_action; diff --git a/interface/web/admin/tpl_default.php b/interface/web/admin/tpl_default.php index 57395cfb28..c7b79112ca 100644 --- a/interface/web/admin/tpl_default.php +++ b/interface/web/admin/tpl_default.php @@ -51,21 +51,6 @@ $app->load('tform_actions'); class page_action extends tform_actions { - // function onBeforeUpdate() { - // global $app, $conf; - // - // //* Check if the server has been changed - // // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway - // if(($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) && isset($this->dataRecord["server_id"])) { - // $rec = $app->db->queryOneRecord("SELECT server_id from server_php WHERE server_php_id = ".$this->id); - // if($rec['server_id'] != $this->dataRecord["server_id"]) { - // //* Add a error message and switch back to old server - // $app->tform->errorMessage .= $app->lng('The Server can not be changed.'); - // $this->dataRecord["server_id"] = $rec['server_id']; - // } - // unset($rec); - // } - // } } $page = new page_action; diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php index 0a14ca5e1e..78a86c633b 100644 --- a/interface/web/admin/users_edit.php +++ b/interface/web/admin/users_edit.php @@ -96,16 +96,16 @@ class page_action extends tform_actions { function onAfterUpdate() { global $app, $conf; - $client = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ".$this->id); + $client = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ?", $this->id); $client_id = $app->functions->intval($client['client_id']); $username = $app->db->quote($this->dataRecord["username"]); $old_username = $app->db->quote($this->oldDataRecord['username']); // username changed if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord['username']) && $this->dataRecord['username'] != '' && $this->oldDataRecord['username'] != $this->dataRecord['username']) { - $sql = "UPDATE client SET username = '$username' WHERE client_id = $client_id AND username = '$old_username'"; - $app->db->query($sql); - $tmp = $app->db->queryOneRecord("SELECT * FROM sys_group WHERE client_id = $client_id"); + $sql = "UPDATE client SET username = ? WHERE client_id = ? AND username = ?"; + $app->db->query($sql, $username, $client_id, $old_username); + $tmp = $app->db->queryOneRecord("SELECT * FROM sys_group WHERE client_id = ?", $client_id); $app->db->datalogUpdate("sys_group", "name = '$username'", 'groupid', $tmp['groupid']); unset($tmp); } @@ -120,28 +120,17 @@ class page_action extends tform_actions { } $salt.="$"; $password = crypt(stripslashes($password), $salt); - $sql = "UPDATE client SET password = '$password' WHERE client_id = $client_id AND username = '$username'"; - $app->db->query($sql); + $sql = "UPDATE client SET password = ? WHERE client_id = ? AND username = ?"; + $app->db->query($sql, $password, $client_id, $username); } // language changed if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord['language']) && $this->dataRecord['language'] != '' && $this->oldDataRecord['language'] != $this->dataRecord['language']) { $language = $app->db->quote($this->dataRecord["language"]); - $sql = "UPDATE client SET language = '$language' WHERE client_id = $client_id AND username = '$username'"; - $app->db->query($sql); + $sql = "UPDATE client SET language = ? WHERE client_id = ? AND username = ?"; + $app->db->query($sql, $language, $client_id, $username); } - // reseller status changed - /* - if(isset($this->dataRecord["limit_client"]) && $this->dataRecord["limit_client"] != $this->oldDataRecord["limit_client"]) { - $modules = $conf['interface_modules_enabled']; - if($this->dataRecord["limit_client"] > 0) $modules .= ',client'; - $modules = $app->db->quote($modules); - $client_id = $this->id; - $sql = "UPDATE sys_user SET modules = '$modules' WHERE client_id = $client_id"; - $app->db->query($sql); - } - */ parent::onAfterUpdate(); } diff --git a/interface/web/client/client_del.php b/interface/web/client/client_del.php index a8cd7cc954..7817bc3729 100644 --- a/interface/web/client/client_del.php +++ b/interface/web/client/client_del.php @@ -74,11 +74,7 @@ class page_action extends tform_actions { $this->dataRecord = $app->tform->getDataRecord($this->id); $client_id = $app->functions->intval($this->dataRecord['client_id']); - - - //$parent_client_id = $app->functions->intval($this->dataRecord['parent_client_id']); - //$parent_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE client_id = $parent_client_id"); - $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = $client_id"); + $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ", $client_id); // Get all records (sub-clients, mail, web, etc....) of this client. $tables = 'cron,client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain'; @@ -89,7 +85,7 @@ class page_action extends tform_actions { if($client_group_id > 1) { foreach($tables_array as $table) { if($table != '') { - $records = $app->db->queryAllRecords("SELECT * FROM $table WHERE sys_groupid = ".$client_group_id); + $records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ?", $table, $client_group_id); $number = count($records); if($number > 0) $table_list[] = array('table' => $table."(".$number.")"); } @@ -121,15 +117,15 @@ class page_action extends tform_actions { if($client_id > 0) { // remove the group of the client from the resellers group $parent_client_id = $app->functions->intval($this->dataRecord['parent_client_id']); - $parent_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE client_id = $parent_client_id"); - $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = $client_id"); + $parent_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE client_id = ?", $parent_client_id); + $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client_id); $app->auth->remove_group_from_user($parent_user['userid'], $client_group['groupid']); // delete the group of the client - $app->db->query("DELETE FROM sys_group WHERE client_id = $client_id"); + $app->db->query("DELETE FROM sys_group WHERE client_id = ?", $client_id); // delete the sys user(s) of the client - $app->db->query("DELETE FROM sys_user WHERE client_id = $client_id"); + $app->db->query("DELETE FROM sys_user WHERE client_id = ?", $client_id); // Delete all records (sub-clients, mail, web, etc....) of this client. $tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_folder,web_folder_user,domain'; @@ -138,7 +134,7 @@ class page_action extends tform_actions { if($client_group_id > 1) { foreach($tables_array as $table) { if($table != '') { - $records = $app->db->queryAllRecords("SELECT * FROM $table WHERE sys_groupid = ".$client_group_id); + $records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ?", $table, $client_group_id); //* find the primary ID of the table $table_info = $app->db->tableInfo($table); $index_field = ''; @@ -152,11 +148,11 @@ class page_action extends tform_actions { $app->db->datalogDelete($table, $index_field, $rec[$index_field]); //* Delete traffic records that dont have a sys_groupid column if($table == 'web_domain') { - $app->db->query("DELETE FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."'"); + $app->db->query("DELETE FROM web_traffic WHERE hostname = ?", $rec['domain']); } //* Delete mail_traffic records that dont have a sys_groupid if($table == 'mail_user') { - $app->db->query("DELETE FROM mail_traffic WHERE mailuser_id = '".$app->db->quote($rec['mailuser_id'])."'"); + $app->db->query("DELETE FROM mail_traffic WHERE mailuser_id = ?", $rec['mailuser_id']); } } } diff --git a/interface/web/client/client_edit.php b/interface/web/client/client_edit.php index 5c47fe5fa1..b03c09267d 100644 --- a/interface/web/client/client_edit.php +++ b/interface/web/client/client_edit.php @@ -59,11 +59,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another website. if($client["limit_client"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_client"]) { $app->error($app->tform->wordbook["limit_client_txt"]); } @@ -82,11 +82,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another website. if($client["limit_client"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_client"]) { $app->error($app->tform->wordbook["limit_client_txt"]); } diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php index 5707e88206..3d6e1de934 100644 --- a/interface/web/client/client_message.php +++ b/interface/web/client/client_message.php @@ -60,7 +60,7 @@ if(isset($_POST) && count($_POST) > 1) { //* Send message if($error == '') { if($app->functions->intval($_POST['recipient']) > 0){ - $circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ".$app->functions->intval($_POST['recipient'])." AND ".$app->tform->getAuthSQL('r')); + $circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ? AND ".$app->tform->getAuthSQL('r'), $_POST['recipient']); if(isset($circle['client_ids']) && $circle['client_ids'] != ''){ $tmp_client_ids = explode(',', $circle['client_ids']); $where = array(); diff --git a/interface/web/client/client_template_del.php b/interface/web/client/client_template_del.php index b57224f8eb..1288354602 100644 --- a/interface/web/client/client_template_del.php +++ b/interface/web/client/client_template_del.php @@ -54,13 +54,13 @@ class page_action extends tform_actions { global $app; // check new style - $rec = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client_template_assigned WHERE client_template_id = ".$this->id); + $rec = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client_template_assigned WHERE client_template_id = ?", $this->id); if($rec['number'] > 0) { $app->error($app->tform->lng('template_del_aborted_txt')); } // check old style - $rec = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE template_master = ".$this->id." OR template_additional like '%/".$this->id."/%'"); + $rec = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE template_master = ? OR template_additional like ?", $this->id, '%/".$this->id."/%'); if($rec['number'] > 0) { $app->error($app->tform->lng('template_del_aborted_txt')); } diff --git a/interface/web/client/client_template_edit.php b/interface/web/client/client_template_edit.php index 256ff49732..a895105ef6 100644 --- a/interface/web/client/client_template_edit.php +++ b/interface/web/client/client_template_edit.php @@ -69,7 +69,7 @@ class page_action extends tform_actions { if(isset($this->dataRecord['template_type'])) { //* Check if the template_type has been changed - $rec = $app->db->queryOneRecord("SELECT template_type from client_template WHERE template_id = ".$this->id); + $rec = $app->db->queryOneRecord("SELECT template_type from client_template WHERE template_id = ?", $this->id); if($rec['template_type'] != $this->dataRecord['template_type']) { //* Add a error message and switch back to old server $app->tform->errorMessage .= $app->lng('The template type can not be changed.'); @@ -99,11 +99,12 @@ class page_action extends tform_actions { * the template has changed. apply the new data to all clients */ if ($template_type == 'm'){ - $sql = "SELECT client_id FROM client WHERE template_master = " . $this->id; + $sql = "SELECT client_id FROM client WHERE template_master = ?"; + $clients = $app->db->queryAllRecords($sql, $this->id); } else { - $sql = "SELECT client_id FROM client WHERE template_additional LIKE '%/" . $this->id . "/%' OR template_additional LIKE '" . $this->id . "/%' OR template_additional LIKE '%/" . $this->id . "' UNION SELECT client_id FROM client_template_assigned WHERE client_template_id = " . $this->id; + $sql = "SELECT client_id FROM client WHERE template_additional LIKE ? OR template_additional LIKE ? OR template_additional LIKE ? UNION SELECT client_id FROM client_template_assigned WHERE client_template_id = ?"; + $clients = $app->db->queryAllRecords($sql, '%/' . $this->id . '/%', $this->id . '/%', '%/' . $this->id, $this->id); } - $clients = $app->db->queryAllRecords($sql); if (is_array($clients)){ foreach ($clients as $client){ $app->client_templates->apply_client_templates($client['client_id']); diff --git a/interface/web/client/domain_del.php b/interface/web/client/domain_del.php index 6bc07e60dd..701b4494b8 100644 --- a/interface/web/client/domain_del.php +++ b/interface/web/client/domain_del.php @@ -62,26 +62,26 @@ class page_action extends tform_actions { */ $domain = $this->dataRecord['domain']; - $sql = "SELECT id FROM dns_soa WHERE origin = '" . $app->db->quote($domain.".") . "'"; - $res = $app->db->queryOneRecord($sql); + $sql = "SELECT id FROM dns_soa WHERE origin = ?"; + $res = $app->db->queryOneRecord($sql, $domain."."); if (is_array($res)){ $app->error($wb['error_domain_in dnsuse']); } - $sql = "SELECT id FROM dns_slave WHERE origin = '" . $app->db->quote($domain.".") . "'"; - $res = $app->db->queryOneRecord($sql); + $sql = "SELECT id FROM dns_slave WHERE origin = ?"; + $res = $app->db->queryOneRecord($sql, $domain."."); if (is_array($res)){ $app->error($wb['error_domain_in dnsslaveuse']); } - $sql = "SELECT domain_id FROM mail_domain WHERE domain = '" . $app->db->quote($domain) . "'"; - $res = $app->db->queryOneRecord($sql); + $sql = "SELECT domain_id FROM mail_domain WHERE domain = ?"; + $res = $app->db->queryOneRecord($sql, $domain); if (is_array($res)){ $app->error($wb['error_domain_in mailuse']); } - $sql = "SELECT domain_id FROM web_domain WHERE (domain = '" . $app->db->quote($domain) . "' AND type IN ('alias', 'vhost', 'vhostalias')) OR (domain LIKE '%." . $app->db->quote($domain) . "' AND type IN ('subdomain', 'vhostsubdomain'))"; - $res = $app->db->queryOneRecord($sql); + $sql = "SELECT domain_id FROM web_domain WHERE (domain = ? AND type IN ('alias', 'vhost', 'vhostalias')) OR (domain LIKE ? AND type IN ('subdomain', 'vhostsubdomain'))"; + $res = $app->db->queryOneRecord($sql, $domain, '%.' . $domain); if (is_array($res)){ $app->error($wb['error_domain_in webuse']); } diff --git a/interface/web/client/domain_edit.php b/interface/web/client/domain_edit.php index 889bb4f4bd..694746f8e5 100644 --- a/interface/web/client/domain_edit.php +++ b/interface/web/client/domain_edit.php @@ -97,13 +97,13 @@ class page_action extends tform_actions { } else { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ", $client_group_id); // Fill the client select field - $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY client.company_name, client.contact_name, sys_group.name"; + $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; //die($sql); - $records = $app->db->queryAllRecords($sql); - $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id'])); + $records = $app->db->queryAllRecords($sql, $client['client_id']); + $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); if(is_array($records)) { @@ -197,7 +197,7 @@ class page_action extends tform_actions { // also make sure that the user can not delete domain created by a admin if(($_SESSION["s"]["user"]["typ"] == 'admin' && isset($this->dataRecord["client_group_id"])) || ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid']))) { $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]); - $app->db->query("UPDATE domain SET sys_groupid = $client_group_id, sys_perm_group = 'ru' WHERE domain_id = ".$this->id); + $app->db->query("UPDATE domain SET sys_groupid = ?, sys_perm_group = 'ru' WHERE domain_id = ?", $client_group_id, $this->id); } } @@ -206,23 +206,23 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin' && isset($this->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); - $group = $app->db->queryOneRecord("SELECT sys_group.groupid FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." AND sys_group.groupid = ".$this->dataRecord["client_group_id"]." ORDER BY client.company_name, client.contact_name, sys_group.name"); + $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); + $group = $app->db->queryOneRecord("SELECT sys_group.groupid FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? AND sys_group.groupid = ? ORDER BY client.company_name, client.contact_name, sys_group.name", $client['client_id'], $this->dataRecord["client_group_id"]); $this->dataRecord["client_group_id"] = $group["groupid"]; - } + } // make sure that the record belongs to the client group and not the admin group when admin inserts it // also make sure that the user can not delete domain created by a admin if(isset($this->dataRecord["client_group_id"])) { $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]); - $app->db->query("UPDATE domain SET sys_groupid = $client_group_id, sys_perm_group = 'ru' WHERE domain_id = ".$this->id); + $app->db->query("UPDATE domain SET sys_groupid = ?, sys_perm_group = 'ru' WHERE domain_id = ?", $client_group_id, $this->id); $data = new tform_actions(); $tform = $app->tform; $app->tform = new tform(); $app->tform->loadFormDef("../dns/form/dns_soa.tform.php"); - $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE origin LIKE '".$this->dataRecord['domain'].".'"); + $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE origin = ?", $this->dataRecord['domain']."."); if ($data->oldDataRecord) { $data->dataRecord = array_merge($data->oldDataRecord, array('client_group_id' => $this->dataRecord["client_group_id"])); $data->id = $data->dataRecord['id']; @@ -230,7 +230,7 @@ class page_action extends tform_actions { } $app->tform->loadFormDef("../dns/form/dns_slave.tform.php"); - $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin LIKE '".$this->dataRecord['domain'].".'"); + $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin = ?", $this->dataRecord['domain']."."); if ($data->oldDataRecord) { $data->dataRecord = array_merge($data->oldDataRecord, array('client_group_id' => $this->dataRecord["client_group_id"])); $data->id = $data->dataRecord['id']; @@ -238,7 +238,7 @@ class page_action extends tform_actions { } $app->tform->loadFormDef("../mail/form/mail_domain.tform.php"); - $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = '".$this->dataRecord['domain']."'"); + $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = ?", $this->dataRecord['domain']); if ($data->oldDataRecord) { $data->dataRecord = array_merge($data->oldDataRecord, array('client_group_id' => $this->dataRecord["client_group_id"])); $data->id = $data->dataRecord['domain_id']; @@ -246,7 +246,7 @@ class page_action extends tform_actions { } $app->tform->loadFormDef("../sites/form/web_vhost_domain.tform.php"); - $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = '".$this->dataRecord['domain']."'"); + $data->oldDataRecord = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = ?", $this->dataRecord['domain']); if ($data->oldDataRecord) { $data->dataRecord = array_merge($data->oldDataRecord, array('client_group_id' => $this->dataRecord["client_group_id"])); $data->id = $data->dataRecord['domain_id']; diff --git a/interface/web/client/message_template_edit.php b/interface/web/client/message_template_edit.php index 819e267657..7d285ac7ef 100644 --- a/interface/web/client/message_template_edit.php +++ b/interface/web/client/message_template_edit.php @@ -56,12 +56,11 @@ class page_action extends tform_actions { // Check for duplicates if($this->dataRecord['template_type'] == 'welcome') { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $sql = "SELECT count(client_message_template_id) as number FROM client_message_template WHERE template_type = 'welcome' AND sys_groupid = ".$client_group_id; + $sql = "SELECT count(client_message_template_id) as number FROM client_message_template WHERE template_type = 'welcome' AND sys_groupid = ?"; if($this->id > 0) { - $sql .= " AND client_message_template_id != ".$this->id; + $sql .= " AND client_message_template_id != ?"; } - - $tmp = $app->db->queryOneRecord($sql); + $tmp = $app->db->queryOneRecord($sql, $client_group_id, $this->id); if($tmp['number'] > 0) $app->tform->errorMessage .= $app->tform->lng('duplicate_welcome_error'); } diff --git a/interface/web/client/reseller_del.php b/interface/web/client/reseller_del.php index e9d1dd32b8..55872beabd 100644 --- a/interface/web/client/reseller_del.php +++ b/interface/web/client/reseller_del.php @@ -59,7 +59,7 @@ class page_action extends tform_actions { $client_id = $app->functions->intval($this->dataRecord['client_id']); - $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE parent_client_id = ".$client_id); + $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE parent_client_id = ?", $client_id); if($tmp["number"] > 0) $app->error($app->lng('error_has_clients')); } @@ -74,15 +74,15 @@ class page_action extends tform_actions { // remove the group of the client from the resellers group $parent_client_id = $app->functions->intval($this->dataRecord['parent_client_id']); - $parent_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE client_id = $parent_client_id"); - $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = $client_id"); + $parent_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE client_id = ?", $parent_client_id); + $client_group = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client_id); $app->auth->remove_group_from_user($parent_user['userid'], $client_group['groupid']); // delete the group of the client - $app->db->query("DELETE FROM sys_group WHERE client_id = $client_id"); + $app->db->query("DELETE FROM sys_group WHERE client_id = ?", $client_id); // delete the sys user(s) of the client - $app->db->query("DELETE FROM sys_user WHERE client_id = $client_id"); + $app->db->query("DELETE FROM sys_user WHERE client_id = ?", $client_id); } } diff --git a/interface/web/client/reseller_edit.php b/interface/web/client/reseller_edit.php index 4a7cc87407..2c5fcbc28c 100644 --- a/interface/web/client/reseller_edit.php +++ b/interface/web/client/reseller_edit.php @@ -61,11 +61,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another website. if($client["limit_client"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_client"]) { $app->error($app->tform->wordbook["limit_client_txt"]); } @@ -84,11 +84,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another website. if($client["limit_client"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_client"]) { $app->error($app->tform->wordbook["limit_client_txt"]); } diff --git a/interface/web/dashboard/dashboard.php b/interface/web/dashboard/dashboard.php index 6c04d5877d..c806e10d47 100644 --- a/interface/web/dashboard/dashboard.php +++ b/interface/web/dashboard/dashboard.php @@ -51,7 +51,7 @@ $app->tpl_defaults(); if($_SESSION['s']['user']['typ'] == 'admin') { $name = $_SESSION['s']['user']['username']; } else { - $tmp = $app->db->queryOneRecord("SELECT contact_name FROM client WHERE username = '".$app->db->quote($_SESSION['s']['user']['username'])."'"); + $tmp = $app->db->queryOneRecord("SELECT contact_name FROM client WHERE username = ?", $_SESSION['s']['user']['username']); $name = $tmp['contact_name']; } diff --git a/interface/web/dashboard/dashlets/limits.php b/interface/web/dashboard/dashlets/limits.php index 70113f3969..2455da87bd 100644 --- a/interface/web/dashboard/dashlets/limits.php +++ b/interface/web/dashboard/dashlets/limits.php @@ -130,7 +130,7 @@ class dashlet_limits { if($user_is_admin == false) { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT * FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT * FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); } $rows = array(); @@ -164,10 +164,10 @@ class dashlet_limits { function _get_limit_usage($limit) { global $app; - $sql = "SELECT count(sys_userid) as number FROM ".$app->db->quote($limit['db_table'])." WHERE "; + $sql = "SELECT count(sys_userid) as number FROM ?? WHERE "; if($limit['db_where'] != '') $sql .= $limit['db_where']." AND "; $sql .= $app->tform->getAuthSQL('r'); - $rec = $app->db->queryOneRecord($sql); + $rec = $app->db->queryOneRecord($sql, $limit['db_table']); return $rec['number']; } diff --git a/interface/web/dns/ajax_get_json.php b/interface/web/dns/ajax_get_json.php index 781fa8e8c1..c2da4dce63 100644 --- a/interface/web/dns/ajax_get_json.php +++ b/interface/web/dns/ajax_get_json.php @@ -34,129 +34,26 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('dns'); -//$app->uses('tform'); - $type = $_GET["type"]; -//if($_SESSION["s"]["user"]["typ"] == 'admin') { - - if($type == 'get_ipv4'){ - //$q = $app->db->quote(trim($_GET["q"])); - //$authsql = " AND ".$app->tform->getAuthSQL('r'); - //$modules = explode(',', $_SESSION['s']['user']['modules']); - $result = array(); // ipv4 - //$result[] = _search('admin', 'server_ip', "AND ip_type = 'IPv4' AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")"); $result[] = $app->functions->suggest_ips('IPv4'); $json = $app->functions->json_encode($result); } if($type == 'get_ipv6'){ - //$q = $app->db->quote(trim($_GET["q"])); - //$authsql = " AND ".$app->tform->getAuthSQL('r'); - //$modules = explode(',', $_SESSION['s']['user']['modules']); - $result = array(); // ipv6 - //$result[] = _search('admin', 'server_ip', "AND ip_type = 'IPv6' AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")"); $result[] = $app->functions->suggest_ips('IPv6'); $json = $app->functions->json_encode($result); } -//} - -/* -function _search($module, $section, $additional_sql = '', $unique = false){ - global $app, $q, $authsql, $modules; - - $result_array = array('cheader' => array(), 'cdata' => array()); - if(in_array($module, $modules) || ($module == 'admin' && $section == 'server_ip')){ - $search_fields = array(); - $desc_fields = array(); - if(is_file('../'.$module.'/form/'.$section.'.tform.php')){ - include_once('../'.$module.'/form/'.$section.'.tform.php'); - - $category_title = $form["title"]; - $form_file = $form["action"]; - $db_table = $form["db_table"]; - $db_table_idx = $form["db_table_idx"]; - $order_by = $db_table_idx; - - if(is_array($form["tabs"]) && !empty($form["tabs"])){ - foreach($form["tabs"] as $tab){ - if(is_array($tab['fields']) && !empty($tab['fields'])){ - foreach($tab['fields'] as $key => $val){ - if(isset($val['searchable']) && $val['searchable'] > 0){ - $search_fields[] = $key." LIKE '%".$q."%'"; - if($val['searchable'] == 1){ - $order_by = $key; - $title_key = $key; - } - if($val['searchable'] == 2){ - $desc_fields[] = $key; - } - } - } - } - } - } - } - unset($form); - - $where_clause = ''; - if(!empty($search_fields)){ - $where_clause = implode(' OR ', $search_fields); - } else { - // valid SQL query which returns an empty result set - $where_clause = '1 = 0'; - } - if($where_clause != '') $where_clause = '('.$where_clause.')'; - if($additional_sql != '') $where_clause .= ' '.$additional_sql.' '; - $order_clause = ''; - if($order_by != '') $order_clause = ' ORDER BY '.$order_by; - - $sql = "SELECT * FROM ".$db_table." WHERE ".$where_clause.$authsql.$order_clause." LIMIT 0,10"; - $results = $app->db->queryAllRecords($sql); - - if(is_array($results) && !empty($results)){ - $lng_file = '../'.$module.'/lib/lang/'.$_SESSION['s']['language'].'_'.$section.'.lng'; - if(is_file($lng_file)) include($lng_file); - $result_array['cheader'] = array('title' => $category_title, - 'total' => count($results), - 'limit' => count($results) - ); - foreach($results as $result){ - $description = ''; - if(!empty($desc_fields)){ - $desc_items = array(); - foreach($desc_fields as $desc_field){ - if($result[$desc_field] != '') $desc_items[] = $wb[$desc_field.'_txt'].': '.$result[$desc_field]; - } - if(!empty($desc_items)) $description = implode(' - ', $desc_items); - } - - $result_array['cdata'][] = array( 'title' => $wb[$title_key.'_txt'].': '.$result[$title_key], - 'description' => $description, - 'onclick' => '', - 'fill_text' => $result[$title_key] - ); - } - if($unique === true){ - $result_array['cdata'] = array_unique($result_array['cdata']); - $result_array['cheader']['total'] = $result_array['cheader']['limit'] = count($result_array['cdata']); - } - } - } - return $result_array; -} -*/ - header('Content-type: application/json'); echo $json; ?> diff --git a/interface/web/dns/dns_a_edit.php b/interface/web/dns/dns_a_edit.php index 729c3c370f..792a90aaa3 100644 --- a/interface/web/dns/dns_a_edit.php +++ b/interface/web/dns/dns_a_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -97,7 +97,7 @@ class page_action extends tform_actions { } // end if user is not admin //* Check for duplicates where IP and hostname are the same - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and data = '".$app->db->quote($this->dataRecord["data"])."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.")"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = ? AND zone = ? and data = ? and id != ?) OR (type = 'CNAME' AND name = ? AND zone = ? and id != ?)", $this->dataRecord["name"], $this->dataRecord["zone"], $this->dataRecord["data"], $this->id, $this->dataRecord["name"], $this->dataRecord["zone"], $this->id); if($tmp['number'] > 0) $app->tform->errorMessage .= $app->tform->lng("data_error_duplicate")."
"; unset($tmp); @@ -106,7 +106,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -117,7 +117,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -130,7 +130,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_aaaa_edit.php b/interface/web/dns/dns_aaaa_edit.php index ba7ae963a9..867dabb949 100644 --- a/interface/web/dns/dns_aaaa_edit.php +++ b/interface/web/dns/dns_aaaa_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -101,7 +101,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".intval($soa['sys_groupid']), 'id', $this->id); //* Update the serial number of the SOA record @@ -125,7 +125,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_alias_edit.php b/interface/web/dns/dns_alias_edit.php index 5613810e81..1c58bd8f50 100644 --- a/interface/web/dns/dns_alias_edit.php +++ b/interface/web/dns/dns_alias_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -101,7 +101,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -125,7 +125,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_cname_edit.php b/interface/web/dns/dns_cname_edit.php index 8ab1e6be91..0979b6fff0 100644 --- a/interface/web/dns/dns_cname_edit.php +++ b/interface/web/dns/dns_cname_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -97,7 +97,7 @@ class page_action extends tform_actions { } // end if user is not admin //* Check for duplicates where IP and hostname are the same - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.")"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = ? AND zone = ? and id != ?) OR (type = 'CNAME' AND name = ? AND zone = ? and id != ?)", $this->dataRecord["name"], $this->dataRecord["zone"], $this->id, $this->dataRecord["name"], $this->dataRecord["zone"], $this->id); if($tmp['number'] > 0) $app->tform->errorMessage .= $app->tform->lng("data_error_duplicate")."
"; unset($tmp); @@ -106,7 +106,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -117,7 +117,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -130,7 +130,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_dkim_edit.php b/interface/web/dns/dns_dkim_edit.php index 1a01463b9f..5756484dec 100644 --- a/interface/web/dns/dns_dkim_edit.php +++ b/interface/web/dns/dns_dkim_edit.php @@ -71,8 +71,8 @@ class page_action extends tform_actions { parent::onShowNew(); - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND ?", $_GET['zone'], $app->tform->getAuthSQL('r')); - $sql=$app->db->queryOneRecord("SELECT dkim_public, dkim_selector FROM mail_domain WHERE domain = ? AND dkim = 'y' AND ?", substr_replace($soa['origin'],'',-1), $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_GET['zone']); + $sql=$app->db->queryOneRecord("SELECT dkim_public, dkim_selector FROM mail_domain WHERE domain = ? AND dkim = 'y' AND " . $app->tform->getAuthSQL('r'), substr_replace($soa['origin'],'',-1)); $public_key=str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$sql['dkim_public']); $app->tpl->setVar('public_key', $public_key); $app->tpl->setVar('selector', $sql['dkim_selector']); @@ -83,7 +83,7 @@ class page_action extends tform_actions { function onSubmit() { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND ?", $_POST["zone"], $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -126,7 +126,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = ? AND ?", $this->dataRecord["zone"], $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -139,7 +139,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ? AND ?", $this->dataRecord["zone"], $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_dmarc_edit.php b/interface/web/dns/dns_dmarc_edit.php index e18e91eba3..d7f684dbd3 100644 --- a/interface/web/dns/dns_dmarc_edit.php +++ b/interface/web/dns/dns_dmarc_edit.php @@ -74,8 +74,8 @@ class page_action extends tform_actions { $zone = $app->functions->intval($_GET['zone']); // get domain-name - $sql = "SELECT * FROM dns_soa WHERE id = ? AND ?"; - $rec = $app->db->queryOneRecord($sql, $zone, $app->tform->getAuthSQL('r')); + $sql = "SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'); + $rec = $app->db->queryOneRecord($sql, $zone); $domain_name = rtrim($rec['origin'], '.'); // set defaults @@ -88,8 +88,8 @@ class page_action extends tform_actions { $dmarc_sp = 'same'; //* check for an existing dmarc-record - $sql = "SELECT data, active FROM dns_rr WHERE data LIKE 'v=DMARC1%' AND zone = ? AND name = ? AND ?"; - $rec = $app->db->queryOneRecord($sql, $zone, '_dmarc.'.$domain_name.'.', $app->tform->getAuthSQL('r')); + $sql = "SELECT data, active FROM dns_rr WHERE data LIKE 'v=DMARC1%' AND zone = ? AND name = ? AND " . $app->tform->getAuthSQL('r'); + $rec = $app->db->queryOneRecord($sql, $zone, '_dmarc.'.$domain_name.'.'); if ( isset($rec) && !empty($rec) ) { $this->id = 1; $old_data = strtolower($rec['data']); @@ -204,7 +204,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND ?", $_POST['zone'], $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST['zone']); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -349,7 +349,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = ? AND ?", $app->functions->intval($this->dataRecord["zone"]), $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $app->functions->intval($this->dataRecord["zone"])); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -363,7 +363,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ? AND ?", $app->functions->intval($this->dataRecord["zone"]), $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $app->functions->intval($this->dataRecord["zone"])); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_hinfo_edit.php b/interface/web/dns/dns_hinfo_edit.php index ed25dccdb7..9a674bf2b7 100644 --- a/interface/web/dns/dns_hinfo_edit.php +++ b/interface/web/dns/dns_hinfo_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -101,7 +101,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -125,7 +125,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_import.php b/interface/web/dns/dns_import.php index 5598b5664b..8dee39b130 100644 --- a/interface/web/dns/dns_import.php +++ b/interface/web/dns/dns_import.php @@ -106,13 +106,13 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // load the list of clients - $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".intval($client['client_id'])." ORDER BY client.company_name, client.contact_name, sys_group.name"; - $clients = $app->db->queryAllRecords($sql); - $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".intval($client['client_id'])); + $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; + $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; if(is_array($clients)) { foreach( $clients as $client) { @@ -127,7 +127,7 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO if($_SESSION["s"]["user"]["typ"] != 'admin') { $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client_dns = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client_dns = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client_dns['dns_servers_ids'] = explode(',', $client_dns['dns_servers']); @@ -138,8 +138,8 @@ if($_SESSION["s"]["user"]["typ"] != 'admin') $app->tpl->setVar('server_id_value', $client_dns['dns_servers_ids'][0]); } - $sql = "SELECT server_id, server_name FROM server WHERE server_id IN (" . $client_dns['dns_servers'] . ");"; - $dns_servers = $app->db->queryAllRecords($sql); + $sql = "SELECT server_id, server_name FROM server WHERE server_id IN ?"; + $dns_servers = $app->db->queryAllRecords($sql, $client_dns['dns_servers_ids']); $options_dns_servers = ""; @@ -199,8 +199,8 @@ $app->tpl->setVar($wb); if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'])){ $valid_zone_file = FALSE; - $sql = "SELECT server_name FROM `server` WHERE server_id=".$app->functions->intval($server_id)." OR mirror_server_id=".$app->functions->intval($server_id)." ORDER BY server_name ASC"; - $servers = $app->db->queryAllRecords($sql); + $sql = "SELECT server_name FROM `server` WHERE server_id=? OR mirror_server_id=? ORDER BY server_name ASC"; + $servers = $app->db->queryAllRecords($sql, $server_id, $server_id); for ($i=0;$idb->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -101,7 +101,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -112,7 +112,8 @@ class page_action extends tform_actions { global $app, $conf; // Check if record is existing already - $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND ".$app->tform->getAuthSQL('r')); + $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ? AND name = ? AND type = ? AND data = ? AND ".$app->tform->getAuthSQL('r'), $this->dataRecord["zone"], $this->dataRecord["name"], $this->dataRecord["type"], $this->dataRecord["data"]); + if(is_array($duplicate_mx) && !empty($duplicate_mx)) $app->error($app->tform->wordbook["duplicate_mx_record_txt"]); @@ -123,7 +124,7 @@ class page_action extends tform_actions { global $app, $conf; // Check if record is existing already - $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND id != ".$app->functions->intval($this->dataRecord["id"])." AND ".$app->tform->getAuthSQL('r')); + $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ? AND name = ? AND type = ? AND data = ? AND id != ? AND ".$app->tform->getAuthSQL('r'), $this->dataRecord["zone"], $this->dataRecord["name"], $this->dataRecord["type"], $this->dataRecord["data"], $this->dataRecord["id"]); if(is_array($duplicate_mx) && !empty($duplicate_mx)) $app->error($app->tform->wordbook["duplicate_mx_record_txt"]); @@ -134,7 +135,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -147,7 +148,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_ns_edit.php b/interface/web/dns/dns_ns_edit.php index b61254dac7..7ed47f0f67 100644 --- a/interface/web/dns/dns_ns_edit.php +++ b/interface/web/dns/dns_ns_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -101,7 +101,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -125,7 +125,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_ptr_edit.php b/interface/web/dns/dns_ptr_edit.php index 4e26f226ed..016cee8d5b 100644 --- a/interface/web/dns/dns_ptr_edit.php +++ b/interface/web/dns/dns_ptr_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -125,7 +125,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_rp_edit.php b/interface/web/dns/dns_rp_edit.php index 62bf1a9ac6..53cd879a8a 100644 --- a/interface/web/dns/dns_rp_edit.php +++ b/interface/web/dns/dns_rp_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -101,7 +101,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -125,7 +125,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_rr_del.php b/interface/web/dns/dns_rr_del.php index a20c9c07d3..1098b653f3 100644 --- a/interface/web/dns/dns_rr_del.php +++ b/interface/web/dns/dns_rr_del.php @@ -54,7 +54,7 @@ class page_action extends tform_actions { global $app; $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($this->dataRecord["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_slave_del.php b/interface/web/dns/dns_slave_del.php index d3ca18fbc1..d8b2a243e4 100644 --- a/interface/web/dns/dns_slave_del.php +++ b/interface/web/dns/dns_slave_del.php @@ -56,7 +56,7 @@ class page_action extends tform_actions { if($app->tform->checkPerm($this->id, 'd') == false) $app->error($app->lng('error_no_delete_permission')); // Delete all records that belog to this zone. - $records = $app->db->queryAllRecords("SELECT id FROM dns_slave WHERE zone = '".$app->functions->intval($this->id)."'"); + $records = $app->db->queryAllRecords("SELECT id FROM dns_slave WHERE zone = ?", $this->id); foreach($records as $rec) { $app->db->datalogDelete('dns_slave', 'id', $rec['id']); } diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php index 0ae2ac4c4a..44103608eb 100644 --- a/interface/web/dns/dns_slave_edit.php +++ b/interface/web/dns/dns_slave_edit.php @@ -99,12 +99,12 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id, sys_group.name, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, sys_group.name, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Fill the client select field - $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY client.company_name, client.contact_name, sys_group.name"; - $clients = $app->db->queryAllRecords($sql); - $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']); + $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; + $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); if(is_array($clients)) { @@ -176,12 +176,12 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_slave_zone, default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_slave_zone, default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // When the record is updated if($this->id > 0) { // restore the server ID if the user is not admin and record is edited - $tmp = $app->db->queryOneRecord("SELECT server_id FROM dns_slave WHERE id = ".$app->functions->intval($this->id)); + $tmp = $app->db->queryOneRecord("SELECT server_id FROM dns_slave WHERE id = ?", $this->id); $this->dataRecord["server_id"] = $tmp["server_id"]; unset($tmp); // When the record is inserted @@ -203,7 +203,7 @@ class page_action extends tform_actions { if(strlen($this->dataRecord["origin"]) > 0 && substr($this->dataRecord["origin"], -1, 1) != '.') $this->dataRecord["origin"] .= '.'; //* Check if a primary zone with the same name already exists - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE origin = \"".$app->db->quote($this->dataRecord["origin"])."\" AND server_id= \"".$app->db->quote($this->dataRecord["server_id"])."\""); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE origin = ? AND server_id = ?", $this->dataRecord["origin"], $this->dataRecord["server_id"]); if($tmp["number"] > 0) { $app->error($app->tform->wordbook["origin_error_unique"]); } @@ -215,7 +215,7 @@ class page_action extends tform_actions { global $app, $conf; // Check if record is existing already - $duplicate_slave = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin = '".$app->db->quote($this->dataRecord["origin"])."' AND server_id = ".$app->functions->intval($this->dataRecord["server_id"])." AND ".$app->tform->getAuthSQL('r')); + $duplicate_slave = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin = ? AND server_id = ? AND ".$app->tform->getAuthSQL('r'), $this->dataRecord["origin"], $this->dataRecord["server_id"]); if(is_array($duplicate_slave) && !empty($duplicate_slave)) $app->error($app->tform->wordbook["origin_error_unique"]); diff --git a/interface/web/dns/dns_soa_del.php b/interface/web/dns/dns_soa_del.php index f9a06fcfbd..fee2138f85 100644 --- a/interface/web/dns/dns_soa_del.php +++ b/interface/web/dns/dns_soa_del.php @@ -56,7 +56,7 @@ class page_action extends tform_actions { if($app->tform->checkPerm($this->id, 'd') == false) $app->error($app->lng('error_no_delete_permission')); // Delete all records that belog to this zone. - $records = $app->db->queryAllRecords("SELECT id FROM dns_rr WHERE zone = '".$app->functions->intval($this->id)."'"); + $records = $app->db->queryAllRecords("SELECT id FROM dns_rr WHERE zone = ?", $this->id); foreach($records as $rec) { $app->db->datalogDelete('dns_rr', 'id', $rec['id']); } diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php index e39c37781d..96c20a1cb3 100644 --- a/interface/web/dns/dns_soa_edit.php +++ b/interface/web/dns/dns_soa_edit.php @@ -109,12 +109,12 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Fill the client select field - $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY client.company_name, client.contact_name, sys_group.name"; - $clients = $app->db->queryAllRecords($sql); - $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']); + $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; + $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); if(is_array($clients)) { @@ -133,7 +133,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client_dns = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client_dns = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client_dns['dns_servers_ids'] = explode(',', $client_dns['dns_servers']); @@ -144,8 +144,8 @@ class page_action extends tform_actions { $app->tpl->setVar('server_id_value', $client_dns['dns_servers_ids'][0]); } - $sql = "SELECT server_id, server_name FROM server WHERE server_id IN (" . $client_dns['dns_servers'] . ");"; - $dns_servers = $app->db->queryAllRecords($sql); + $sql = "SELECT server_id, server_name FROM server WHERE server_id IN ?"; + $dns_servers = $app->db->queryAllRecords($sql, $client_dns['dns_servers_ids']); $options_dns_servers = ""; @@ -219,7 +219,7 @@ function onSubmit() { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT limit_dns_zone, dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_zone, dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client['dns_servers_ids'] = explode(',', $client['dns_servers']); @@ -231,14 +231,14 @@ function onSubmit() { // When the record is updated if($this->id > 0) { // restore the server ID if the user is not admin and record is edited - $tmp = $app->db->queryOneRecord("SELECT server_id FROM dns_soa WHERE id = ".$app->functions->intval($this->id)); + $tmp = $app->db->queryOneRecord("SELECT server_id FROM dns_soa WHERE id = ?", $this->id); $this->dataRecord["server_id"] = $tmp["server_id"]; unset($tmp); // When the record is inserted } else { // Check if the user may add another maildomain. if($client["limit_dns_zone"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_zone"]) { $app->error($app->tform->wordbook["limit_dns_zone_txt"]); } @@ -246,13 +246,6 @@ function onSubmit() { } } - /* - // Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ".$this->id); - $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); - */ - - //* Check if soa, ns and mbox have a dot at the end if(strlen($this->dataRecord["origin"]) > 0 && substr($this->dataRecord["origin"], -1, 1) != '.') $this->dataRecord["origin"] .= '.'; if(strlen($this->dataRecord["ns"]) > 0 && substr($this->dataRecord["ns"], -1, 1) != '.') $this->dataRecord["ns"] .= '.'; @@ -282,7 +275,7 @@ function onBeforeUpdate () { // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) { //* We do not allow users to change a domain which has been created by the admin - $rec = $app->db->queryOneRecord("SELECT origin from dns_soa WHERE id = ".$this->id); + $rec = $app->db->queryOneRecord("SELECT origin from dns_soa WHERE id = ?", $this->id); $drOrigin = (isset($this->dataRecord['origin'])) ? $app->functions->idn_encode($this->dataRecord['origin']) : false; diff --git a/interface/web/dns/dns_spf_edit.php b/interface/web/dns/dns_spf_edit.php index b20a340404..d3ddb6a254 100644 --- a/interface/web/dns/dns_spf_edit.php +++ b/interface/web/dns/dns_spf_edit.php @@ -57,7 +57,7 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = =", $client_group_id); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { @@ -77,8 +77,8 @@ class page_action extends tform_actions { $zone = $app->functions->intval($_GET['zone']); //* check for an existing spf-record - $sql = "SELECT data, active FROM dns_rr WHERE data LIKE 'v=spf1%' AND zone = ? AND ?"; - $rec = $app->db->queryOneRecord($sql, $zone, $app->tform->getAuthSQL('r')); + $sql = "SELECT data, active FROM dns_rr WHERE data LIKE 'v=spf1%' AND zone = ? AND " . $app->tform->getAuthSQL('r'); + $rec = $app->db->queryOneRecord($sql, $zone); if ( isset($rec) && !empty($rec) ) { $this->id = 1; $old_data = strtolower($rec['data']); @@ -134,7 +134,7 @@ class page_action extends tform_actions { // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND ?", $app->functions->intval($_POST["zone"]), $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $app->functions->intval($_POST["zone"])); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -241,7 +241,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = ? AND ?", $app->functions->intval($this->dataRecord["zone"]), $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $app->functions->intval($this->dataRecord["zone"])); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -255,7 +255,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ? AND ?", $app->functions->intval($this->dataRecord["zone"]), $app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $app->functions->intval($this->dataRecord["zone"])); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_srv_edit.php b/interface/web/dns/dns_srv_edit.php index e2d0beae20..4589834b63 100644 --- a/interface/web/dns/dns_srv_edit.php +++ b/interface/web/dns/dns_srv_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -97,7 +97,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -106,11 +106,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -122,7 +122,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -133,7 +133,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -146,7 +146,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_txt_edit.php b/interface/web/dns/dns_txt_edit.php index ca5b8384c5..20e0c5e761 100644 --- a/interface/web/dns/dns_txt_edit.php +++ b/interface/web/dns/dns_txt_edit.php @@ -58,11 +58,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -76,7 +76,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent soa record of the domain - $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $_POST["zone"]); // Check if Domain belongs to user if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_dns_record"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } @@ -101,7 +101,7 @@ class page_action extends tform_actions { $this->dataRecord["server_id"] = $soa["server_id"]; // Update the serial number and timestamp of the RR record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ?", $this->id); $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record - $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); //* Update the serial number of the SOA record @@ -125,7 +125,7 @@ class page_action extends tform_actions { global $app, $conf; //* Update the serial number of the SOA record - $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ? AND " . $app->tform->getAuthSQL('r'), $this->dataRecord["zone"]); $soa_id = $app->functions->intval($_POST["zone"]); $serial = $app->validate_dns->increase_serial($soa["serial"]); $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php index b27c66a673..666ff6a6b2 100644 --- a/interface/web/dns/dns_wizard.php +++ b/interface/web/dns/dns_wizard.php @@ -107,14 +107,14 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if ($domains_settings['use_domain_module'] != 'y') { // load the list of clients - $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id'])." ORDER BY client.company_name, client.contact_name, sys_group.name"; - $clients = $app->db->queryAllRecords($sql); - $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id'])); + $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; + $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; if(is_array($clients)) { foreach( $clients as $client) { @@ -130,7 +130,7 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO if($_SESSION["s"]["user"]["typ"] != 'admin') { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client_dns = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client_dns = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client_dns['dns_servers_ids'] = explode(',', $client_dns['dns_servers']); @@ -141,8 +141,8 @@ if($_SESSION["s"]["user"]["typ"] != 'admin') $app->tpl->setVar('server_id_value', $client_dns['dns_servers_ids'][0]); } - $sql = "SELECT server_id, server_name FROM server WHERE server_id IN (" . $client_dns['dns_servers'] . ");"; - $dns_servers = $app->db->queryAllRecords($sql); + $sql = "SELECT server_id, server_name FROM server WHERE server_id IN ?"; + $dns_servers = $app->db->queryAllRecords($sql, $client_dns['dns_servers_ids']); $options_dns_servers = ""; @@ -155,7 +155,7 @@ if($_SESSION["s"]["user"]["typ"] != 'admin') } -$template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = '".$app->functions->intval($template_id)."'"); +$template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = ?", $template_id); $fields = explode(',', $template_record['fields']); if(is_array($fields)) { foreach($fields as $field) { @@ -203,7 +203,7 @@ if($_POST['create'] == 1) { if ($post_server_id) { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT dns_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client['dns_servers_ids'] = explode(',', $client['dns_servers']); diff --git a/interface/web/help/faq_list.php b/interface/web/help/faq_list.php index 53b2992c62..128480dca2 100644 --- a/interface/web/help/faq_list.php +++ b/interface/web/help/faq_list.php @@ -29,7 +29,7 @@ if(!$hf_section) $app->listform_actions->SQLExtWhere = "help_faq.hf_section = $hf_section"; -if($hf_section) $res = $app->db->queryOneRecord("SELECT hfs_name FROM help_faq_sections WHERE hfs_id=$hf_section"); +if($hf_section) $res = $app->db->queryOneRecord("SELECT hfs_name FROM help_faq_sections WHERE hfs_id=?", $hf_section); // Start the form rendering and action ahndling echo "

FAQ: ".$res['hfs_name']."

"; if($hf_section) $app->listform_actions->onLoad(); diff --git a/interface/web/help/form/support_message.tform.php b/interface/web/help/form/support_message.tform.php index d982712c64..d80cc15815 100644 --- a/interface/web/help/form/support_message.tform.php +++ b/interface/web/help/form/support_message.tform.php @@ -46,7 +46,7 @@ $sm_default_subject = ''; if(isset($_GET['reply'])) { $sm_msg_id = preg_replace("/[^0-9]/", "", $_GET['reply']); - $res = $app->db->queryOneRecord("SELECT sender_id, subject FROM support_message WHERE support_message_id=$sm_msg_id"); + $res = $app->db->queryOneRecord("SELECT sender_id, subject FROM support_message WHERE support_message_id=?", $sm_msg_id); if($res['sender_id']) { $sm_default_recipient_id = $res['sender_id']; diff --git a/interface/web/help/support_message_edit.php b/interface/web/help/support_message_edit.php index 2d47bbf251..4fcf5da215 100644 --- a/interface/web/help/support_message_edit.php +++ b/interface/web/help/support_message_edit.php @@ -33,8 +33,8 @@ class page_action extends tform_actions { //* Get recipient email address if($this->dataRecord['recipient_id'] > 1){ - $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." AND sys_user.client_id = client.client_id"; - $client = $app->db->queryOneRecord($sql); + $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id"; + $client = $app->db->queryOneRecord($sql, $this->dataRecord['recipient_id']); $recipient_email = $client['email']; } else { $app->uses('ini_parser,getconf'); @@ -44,8 +44,8 @@ class page_action extends tform_actions { //* Get sender email address if($this->dataRecord['sender_id'] > 1){ - $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['sender_id'])." AND sys_user.client_id = client.client_id"; - $client = $app->db->queryOneRecord($sql); + $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id"; + $client = $app->db->queryOneRecord($sql, $this->dataRecord['sender_id']); $sender_email = $client['email']; } else { $app->uses('ini_parser,getconf'); @@ -91,7 +91,7 @@ class page_action extends tform_actions { //* read only template if a existing message is loaded if($this->id > 0) { $app->tform->formDef['tabs']['message']['template'] = 'templates/support_message_view.htm'; - $record = $app->db->queryOneRecord("SELECT * FROM support_message WHERE support_message_id = ".$this->id); + $record = $app->db->queryOneRecord("SELECT * FROM support_message WHERE support_message_id = ?", $this->id); if ($record['tstamp'] > 0) { // is value int? if (preg_match("/^[0-9]+[\.]?[0-9]*$/", $record['tstamp'], $p)) { @@ -113,7 +113,7 @@ class page_action extends tform_actions { global $app, $conf; if($_SESSION['s']['user']['typ'] == 'admin') { - $app->db->query("UPDATE support_message SET sys_userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." WHERE support_message_id = ".$this->id); + $app->db->query("UPDATE support_message SET sys_userid = ? WHERE support_message_id = ?", $this->dataRecord['recipient_id'], $this->id); } } diff --git a/interface/web/login/index.php b/interface/web/login/index.php index 80c4d17c71..1c4f20d4d9 100644 --- a/interface/web/login/index.php +++ b/interface/web/login/index.php @@ -103,13 +103,13 @@ class login_index { /* this is the one currently logged in (normal user) */ $old_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $old_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $old_client_group_id"); + $old_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $old_client_group_id); /* this is the reseller, that shall be re-logged in */ - $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'"; - $tmp = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?"; + $tmp = $app->db->queryOneRecord($sql, $username, $passwort); $client_group_id = $app->functions->intval($tmp['default_group']); - $tmp_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $tmp_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ", $client_group_id); if(!$tmp_client || $old_client["parent_client_id"] != $tmp_client["client_id"] || $tmp["default_group"] != $_SESSION["s_old"]["user"]["default_group"] ) { die("You don't have the right to 'login as' this user!"); @@ -125,12 +125,12 @@ class login_index { } elseif($_SESSION['s']['user']['typ'] != 'admin' && (!isset($_SESSION['s_old']['user']) || $_SESSION['s_old']['user']['typ'] != 'admin')) { /* a reseller wants to 'login as', we need to check if he is allowed to */ $res_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $res_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $res_client_group_id"); + $res_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ", $res_client_group_id); /* this is the user the reseller wants to 'login as' */ - $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'"; - $tmp = $app->db->queryOneRecord($sql); - $tmp_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = " . $app->functions->intval($tmp["default_group"])); + $sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?"; + $tmp = $app->db->queryOneRecord($sql, $username, $passwort); + $tmp_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $tmp["default_group"]); if(!$tmp || $tmp_client["parent_client_id"] != $res_client["client_id"]) { die("You don't have the right to login as this user!"); @@ -147,21 +147,21 @@ class login_index { } //* Check if there are already wrong logins - $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1"; - $alreadyfailed = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1"; + $alreadyfailed = $app->db->queryOneRecord($sql, $ip); //* too many failedlogins if($alreadyfailed['times'] > 5) { $error = $app->lng('error_user_too_many_logins'); } else { if ($loginAs){ - $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'"; - $user = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?"; + $user = $app->db->queryOneRecord($sql, $username, $passwort); } else { if(stristr($username, '@')) { //* mailuser login - $sql = "SELECT * FROM mail_user WHERE login = '$username' or email = '$username'"; - $mailuser = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM mail_user WHERE login = ? or email = ?"; + $mailuser = $app->db->queryOneRecord($sql, $username, $username); $user = false; if($mailuser) { $saved_password = stripslashes($mailuser['password']); @@ -187,8 +187,8 @@ class login_index { } else { //* normal cp user login - $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'"; - $user = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM sys_user WHERE USERNAME = ?"; + $user = $app->db->queryOneRecord($sql, $username); if($user) { $saved_password = stripslashes($user['passwort']); @@ -225,8 +225,8 @@ class login_index { // Maintenance mode - allow logins only when maintenance mode is off or if the user is admin if(!$maintenance_mode || $user['typ'] == 'admin'){ // User login right, so attempts can be deleted - $sql = "DELETE FROM `attempts_login` WHERE `ip`='{$ip}'"; - $app->db->query($sql); + $sql = "DELETE FROM `attempts_login` WHERE `ip`=?"; + $app->db->query($sql, $ip); $user = $app->db->toLower($user); if ($loginAs) $oldSession = $_SESSION['s']; @@ -290,12 +290,12 @@ class login_index { if(!$alreadyfailed['times'] ) { //* user login the first time wrong - $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('{$ip}', 1, NOW())"; - $app->db->query($sql); + $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())"; + $app->db->query($sql, $ip); } elseif($alreadyfailed['times'] >= 1) { //* update times wrong - $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `login_time` >= '{$time}' LIMIT 1"; - $app->db->query($sql); + $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? AND `login_time` < NOW() ORDER BY `login_time` DESC LIMIT 1"; + $app->db->query($sql, $ip); } //* Incorrect login - Username and password incorrect $error = $app->lng('error_user_password_incorrect'); diff --git a/interface/web/login/login_as.php b/interface/web/login/login_as.php index bcbb10a789..85bc3662b4 100644 --- a/interface/web/login/login_as.php +++ b/interface/web/login/login_as.php @@ -54,13 +54,13 @@ if(isset($_GET['id'])) { $backlink = 'admin/users_list.php'; } else { $client_id = $app->functions->intval($_GET['cid']); - $tmp_client = $app->db->queryOneRecord("SELECT username, parent_client_id FROM client WHERE client_id = $client_id"); - $tmp_sys_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE username = '".$app->db->quote($tmp_client['username'])."'"); + $tmp_client = $app->db->queryOneRecord("SELECT username, parent_client_id FROM client WHERE client_id = ?", $client_id); + $tmp_sys_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE username = ?", $tmp_client['username']); $userId = $app->functions->intval($tmp_sys_user['userid']); /* check if this client belongs to reseller that tries to log in, if we are not admin */ if($_SESSION["s"]["user"]["typ"] != 'admin') { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if(!$client || $tmp_client["parent_client_id"] != $client["client_id"]) { die("You don't have the right to login as this user!"); } @@ -76,7 +76,7 @@ if(isset($_GET['id'])) { * Get the data to login as user x */ $dbData = $app->db->queryOneRecord( - "SELECT username, passwort FROM sys_user WHERE userid = " . $userId); + "SELECT username, passwort FROM sys_user WHERE userid = ?", $userId); /* * Now generate the login-Form diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php index 5eac46a79e..a83e6854bb 100644 --- a/interface/web/login/password_reset.php +++ b/interface/web/login/password_reset.php @@ -65,8 +65,8 @@ if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != ' $new_password_encrypted = $app->db->quote($new_password_encrypted); $username = $app->db->quote($client['username']); - $app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'"); - $app->db->query("UPDATE client SET password = '$new_password_encrypted' WHERE username = '$username'"); + $app->db->query("UPDATE sys_user SET passwort = ? WHERE username = ?", $new_password_encrypted, $username); + $app->db->query("UPDATE client SET password = ? WHERE username = ?", $new_password_encrypted, $username); $app->tpl->setVar("message", $wb['pw_reset']); $app->uses('getconf,ispcmail'); diff --git a/interface/web/mail/form/xmpp_domain.tform.php b/interface/web/mail/form/xmpp_domain.tform.php index 3fe62a2ac3..095c72fba2 100644 --- a/interface/web/mail/form/xmpp_domain.tform.php +++ b/interface/web/mail/form/xmpp_domain.tform.php @@ -58,7 +58,7 @@ $form["auth_preset"]["perm_other"] = ''; //r = read, i = insert, u = update, d = $muc_available = $muc_pastebin_available = $muc_httparchive_available = $anon_available = $vjud_available = $proxy_available = $status_available = true; if(!$app->auth->is_admin()) { $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT limit_xmpp_muc, limit_xmpp_anon, limit_xmpp_vjud, limit_xmpp_proxy, limit_xmpp_status, limit_xmpp_pastebin, limit_xmpp_httparchive FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_xmpp_muc, limit_xmpp_anon, limit_xmpp_vjud, limit_xmpp_proxy, limit_xmpp_status, limit_xmpp_pastebin, limit_xmpp_httparchive FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client['limit_xmpp_muc'] != 'y') $muc_available = false; if($client['limit_xmpp_pastebin'] != 'y' || $client['limit_xmpp_muc'] != 'y') $muc_pastebin_available = false; diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php index ba08717a2d..4e1b358c3d 100644 --- a/interface/web/mail/mail_alias_edit.php +++ b/interface/web/mail/mail_alias_edit.php @@ -108,7 +108,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailalias FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailalias FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_mailalias"] >= 0) { diff --git a/interface/web/mail/mail_blacklist_edit.php b/interface/web/mail/mail_blacklist_edit.php index 23f7516cdf..b4a2a22693 100644 --- a/interface/web/mail/mail_blacklist_edit.php +++ b/interface/web/mail/mail_blacklist_edit.php @@ -73,7 +73,7 @@ class page_action extends tform_actions { //* Check if the server has been changed // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway if($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) { - $rec = $app->db->queryOneRecord("SELECT server_id from mail_access WHERE access_id = ".$this->id); + $rec = $app->db->queryOneRecord("SELECT server_id from mail_access WHERE access_id = ?", $this->id); if($rec['server_id'] != $this->dataRecord["server_id"]) { //* Add a error message and switch back to old server $app->tform->errorMessage .= $app->lng('The Server can not be changed.'); @@ -90,11 +90,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?" , $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_mailfilter"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(access_id) as number FROM mail_access WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(access_id) as number FROM mail_access WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_mailfilter"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_mailfilter_txt"]."
"; } diff --git a/interface/web/mail/mail_domain_catchall_edit.php b/interface/web/mail/mail_domain_catchall_edit.php index 80729493f9..e6844c2fc9 100644 --- a/interface/web/mail/mail_domain_catchall_edit.php +++ b/interface/web/mail/mail_domain_catchall_edit.php @@ -101,7 +101,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailcatchall FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailcatchall FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another catchall if($this->id == 0 && $client["limit_mailcatchall"] >= 0) { diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php index d7716ab923..5e037b7661 100644 --- a/interface/web/mail/mail_domain_edit.php +++ b/interface/web/mail/mail_domain_edit.php @@ -122,7 +122,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client_mail = $app->db->queryOneRecord("SELECT mail_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client_mail = $app->db->queryOneRecord("SELECT mail_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client_mail['mail_servers_ids'] = explode(',', $client_mail['mail_servers']); @@ -241,7 +241,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_maildomain, default_mailserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_maildomain, default_mailserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // When the record is updated if($this->id > 0) { // restore the server ID if the user is not admin and record is edited @@ -258,7 +258,7 @@ class page_action extends tform_actions { } if($client["limit_maildomain"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM mail_domain WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM mail_domain WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_maildomain"]) { $app->error($app->tform->wordbook["limit_maildomain_txt"]); } diff --git a/interface/web/mail/mail_forward_edit.php b/interface/web/mail/mail_forward_edit.php index 8add1480fe..76e4a5e6f1 100644 --- a/interface/web/mail/mail_forward_edit.php +++ b/interface/web/mail/mail_forward_edit.php @@ -100,7 +100,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailforward FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailforward FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_mailforward"] >= 0) { diff --git a/interface/web/mail/mail_get_edit.php b/interface/web/mail/mail_get_edit.php index 70d1fb25e0..fded96b6b2 100644 --- a/interface/web/mail/mail_get_edit.php +++ b/interface/web/mail/mail_get_edit.php @@ -71,7 +71,7 @@ class page_action extends tform_actions { //* Check if destination email belongs to user if(isset($_POST["destination"])) { - $email = $app->db->queryOneRecord("SELECT email FROM mail_user WHERE email = '".$app->db->quote($app->functions->idn_encode($_POST["destination"]))."' AND ".$app->tform->getAuthSQL('r')); + $email = $app->db->queryOneRecord("SELECT email FROM mail_user WHERE email = ? AND ".$app->tform->getAuthSQL('r'), $app->functions->idn_encode($_POST["destination"])); if($email["email"] != $app->functions->idn_encode($_POST["destination"])) $app->tform->errorMessage .= $app->tform->lng("no_destination_perm"); } @@ -79,11 +79,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_fetchmail FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_fetchmail FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another transport. if($this->id == 0 && $client["limit_fetchmail"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(mailget_id) as number FROM mail_get WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(mailget_id) as number FROM mail_get WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_fetchmail"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_fetchmail_txt"]."
"; } @@ -93,7 +93,7 @@ class page_action extends tform_actions { // Set the server ID according to the selected destination - $tmp = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE email = '".$app->db->quote($this->dataRecord["destination"])."'"); + $tmp = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE email = ?", $this->dataRecord["destination"]); $this->dataRecord["server_id"] = $tmp["server_id"]; unset($tmp); @@ -108,8 +108,8 @@ class page_action extends tform_actions { function onAfterInsert() { global $app; - $tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_user WHERE email = '".$app->db->quote($this->dataRecord["destination"])."'"); - $app->db->query("update mail_get SET sys_groupid = ".$app->functions->intval($tmp['sys_groupid'])." WHERE mailget_id = ".$this->id); + $tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_user WHERE email = ?", $this->dataRecord["destination"]); + $app->db->query("update mail_get SET sys_groupid = ? WHERE mailget_id = ?", $tmp['sys_groupid'], $this->id); } diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php index 1e03ea6a26..124b8d8faf 100644 --- a/interface/web/mail/mail_mailinglist_edit.php +++ b/interface/web/mail/mail_mailinglist_edit.php @@ -138,7 +138,7 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailmailinglist, default_mailserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailmailinglist, default_mailserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); //* Check if Domain belongs to user if(isset($_POST["domain"])) { @@ -166,7 +166,7 @@ class page_action extends tform_actions { // Check if the user may add another mail_domain if($client["limit_mailmailinglist"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(mailinglist_id) as number FROM mail_mailinglist WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(mailinglist_id) as number FROM mail_mailinglist WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_mailmailinglist"]) { $app->error($app->tform->wordbook["limit_mailmailinglist_txt"]); } diff --git a/interface/web/mail/mail_transport_edit.php b/interface/web/mail/mail_transport_edit.php index b47869d392..9707d2fce0 100644 --- a/interface/web/mail/mail_transport_edit.php +++ b/interface/web/mail/mail_transport_edit.php @@ -136,11 +136,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailrouting FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailrouting FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another transport. if($this->id == 0 && $client["limit_mailrouting"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(transport_id) as number FROM mail_transport WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(transport_id) as number FROM mail_transport WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_mailrouting"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_mailrouting_txt"]."
"; } diff --git a/interface/web/mail/mail_user_del.php b/interface/web/mail/mail_user_del.php index 6b309f88f1..dc92047331 100644 --- a/interface/web/mail/mail_user_del.php +++ b/interface/web/mail/mail_user_del.php @@ -54,10 +54,10 @@ class page_action extends tform_actions { function onBeforeDelete() { global $app; $conf; - $tmp_user = $app->db->queryOneRecord("SELECT id FROM spamfilter_users WHERE email = '".$app->db->quote($this->dataRecord["email"])."'"); + $tmp_user = $app->db->queryOneRecord("SELECT id FROM spamfilter_users WHERE email = ?", $this->dataRecord["email"]); $app->db->datalogDelete('spamfilter_users', 'id', $tmp_user["id"]); - $tmp_filters = $app->db->queryAllRecords("SELECT filter_id FROM mail_user_filter WHERE mailuser_id = '".$this->id."'"); + $tmp_filters = $app->db->queryAllRecords("SELECT filter_id FROM mail_user_filter WHERE mailuser_id = ?", $this->id); if(is_array($tmp_filters)) { foreach($tmp_filters as $tmp) { $app->db->datalogDelete('mail_user_filter', 'filter_id', $tmp["filter_id"]); diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php index ddc0ceb893..a96ece0086 100644 --- a/interface/web/mail/mail_user_edit.php +++ b/interface/web/mail/mail_user_edit.php @@ -153,12 +153,12 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailbox, limit_mailquota, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailbox, limit_mailquota, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_mailbox"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_mailbox"]) { $app->tform->errorMessage .= $app->tform->lng("limit_mailbox_txt")."
"; } diff --git a/interface/web/mail/mail_user_filter_del.php b/interface/web/mail/mail_user_filter_del.php index e352a8e736..254e9f1e94 100644 --- a/interface/web/mail/mail_user_filter_del.php +++ b/interface/web/mail/mail_user_filter_del.php @@ -51,33 +51,6 @@ $app->load('tform_actions'); class page_action extends tform_actions { - /* - //* Code moved to mailfilter plugin - function onAfterDelete() { - global $app, $conf; - - $mailuser = $app->db->queryOneRecord("SELECT custom_mailfilter FROM mail_user WHERE mailuser_id = ".$this->dataRecord["mailuser_id"]); - $skip = false; - $lines = explode("\n",$mailuser['custom_mailfilter']); - $out = ''; - - foreach($lines as $line) { - $line = trim($line); - if($line == '### BEGIN FILTER_ID:'.$this->id) { - $skip = true; - } - if($skip == false && $line != '') $out .= $line ."\n"; - if($line == '### END FILTER_ID:'.$this->id) { - $skip = false; - } - } - - $out = $app->db->quote($out); - $app->db->datalogUpdate('mail_user', "custom_mailfilter = '$out'", 'mailuser_id', $this->dataRecord["mailuser_id"]); - - } - */ - } $page = new page_action; diff --git a/interface/web/mail/mail_user_filter_edit.php b/interface/web/mail/mail_user_filter_edit.php index c4331a2acb..1f3953b711 100644 --- a/interface/web/mail/mail_user_filter_edit.php +++ b/interface/web/mail/mail_user_filter_edit.php @@ -85,11 +85,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another filter if($this->id == 0 && $client["limit_mailfilter"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(filter_id) as number FROM mail_user_filter WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(filter_id) as number FROM mail_user_filter WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_mailfilter"]) { $app->tform->errorMessage .= $app->tform->lng("limit_mailfilter_txt")."
"; } diff --git a/interface/web/mail/mail_whitelist_edit.php b/interface/web/mail/mail_whitelist_edit.php index b55db9c793..cd28f84a2a 100644 --- a/interface/web/mail/mail_whitelist_edit.php +++ b/interface/web/mail/mail_whitelist_edit.php @@ -89,11 +89,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_mailfilter"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(access_id) as number FROM mail_access WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(access_id) as number FROM mail_access WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_mailfilter"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_mailfilter_txt"]."
"; } diff --git a/interface/web/mail/mailinglist.php b/interface/web/mail/mailinglist.php index 6ef779cbd6..15f61c9399 100644 --- a/interface/web/mail/mailinglist.php +++ b/interface/web/mail/mailinglist.php @@ -43,13 +43,13 @@ $listId = $app->functions->intval($_GET['id']); /* * Get the data to connect to the database */ -$dbData = $app->db->queryAllRecords("SELECT server_id, listname FROM mail_mailinglist WHERE mailinglist_id = " . $listId); +$dbData = $app->db->queryAllRecords("SELECT server_id, listname FROM mail_mailinglist WHERE mailinglist_id = ?", $listId); $serverId = $app->functions->intval($dbData[0]['server_id']); if ($serverId == 0){ die ("No List - Server found!"); } -$serverData = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ".$serverId); +$serverData = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $serverId); $app->uses('getconf'); $global_config = $app->getconf->get_global_config('mail'); diff --git a/interface/web/mail/spamfilter_blacklist_edit.php b/interface/web/mail/spamfilter_blacklist_edit.php index b7b6391f41..b76334b387 100644 --- a/interface/web/mail/spamfilter_blacklist_edit.php +++ b/interface/web/mail/spamfilter_blacklist_edit.php @@ -65,24 +65,6 @@ class page_action extends tform_actions { parent::onShowNew(); } - /* - function onBeforeUpdate() { - global $app, $conf; - - //* Check if the server has been changed - // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway - if($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) { - $rec = $app->db->queryOneRecord("SELECT server_id from spamfilter_wblist WHERE id = ".$this->id); - if($rec['server_id'] != $this->dataRecord["server_id"]) { - //* Add a error message and switch back to old server - $app->tform->errorMessage .= $app->lng('The Server can not be changed.'); - $this->dataRecord["server_id"] = $rec['server_id']; - } - unset($rec); - } - } - */ - function onSubmit() { global $app, $conf; @@ -90,11 +72,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_spamfilter_wblist FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_spamfilter_wblist FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_spamfilter_wblist"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(wblist_id) as number FROM spamfilter_wblist WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(wblist_id) as number FROM spamfilter_wblist WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_spamfilter_wblist"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_spamfilter_wblist_txt"]."
"; } @@ -103,7 +85,7 @@ class page_action extends tform_actions { } // end if user is not admin // Select and set the server_id so it matches the server_id of the spa,filter_users record - $tmp = $app->db->queryOneRecord("SELECT server_id FROM spamfilter_users WHERE id = ".$app->functions->intval($this->dataRecord["rid"])); + $tmp = $app->db->queryOneRecord("SELECT server_id FROM spamfilter_users WHERE id = ?", $this->dataRecord["rid"]); $this->dataRecord["server_id"] = $tmp["server_id"]; unset($tmp); diff --git a/interface/web/mail/spamfilter_policy_edit.php b/interface/web/mail/spamfilter_policy_edit.php index 0b94d5d065..5320506846 100644 --- a/interface/web/mail/spamfilter_policy_edit.php +++ b/interface/web/mail/spamfilter_policy_edit.php @@ -72,11 +72,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_spamfilter_policy FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_spamfilter_policy FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_spamfilter_policy"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM spamfilter_policy WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM spamfilter_policy WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_spamfilter_policy"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_spamfilter_policy_txt"]."
"; } diff --git a/interface/web/mail/spamfilter_users_edit.php b/interface/web/mail/spamfilter_users_edit.php index 488d951c75..b8bc9316c5 100644 --- a/interface/web/mail/spamfilter_users_edit.php +++ b/interface/web/mail/spamfilter_users_edit.php @@ -71,7 +71,7 @@ class page_action extends tform_actions { //* Check if the server has been changed // We do this only for the admin or reseller users, as normal clients can not change the server ID anyway if($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) { - $rec = $app->db->queryOneRecord("SELECT server_id from spamfilter_users WHERE id = ".$this->id); + $rec = $app->db->queryOneRecord("SELECT server_id from spamfilter_users WHERE id = ?", $this->id); if($rec['server_id'] != $this->dataRecord["server_id"]) { //* Add a error message and switch back to old server $app->tform->errorMessage .= $app->lng('The Server can not be changed.'); @@ -88,11 +88,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_spamfilter_user FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_spamfilter_user FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_spamfilter_user"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM spamfilter_users WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM spamfilter_users WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_spamfilter_user"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_spamfilter_user_txt"]."
"; } diff --git a/interface/web/mail/spamfilter_whitelist_edit.php b/interface/web/mail/spamfilter_whitelist_edit.php index 227f538be3..00ce0d4e3a 100644 --- a/interface/web/mail/spamfilter_whitelist_edit.php +++ b/interface/web/mail/spamfilter_whitelist_edit.php @@ -90,11 +90,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_spamfilter_wblist FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_spamfilter_wblist FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($this->id == 0 && $client["limit_spamfilter_wblist"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(wblist_id) as number FROM spamfilter_wblist WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(wblist_id) as number FROM spamfilter_wblist WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_spamfilter_wblist"]) { $app->tform->errorMessage .= $app->tform->wordbook["limit_spamfilter_wblist_txt"]."
"; } diff --git a/interface/web/mail/webmailer.php b/interface/web/mail/webmailer.php index 3a10c0fde2..d6f73cc45b 100644 --- a/interface/web/mail/webmailer.php +++ b/interface/web/mail/webmailer.php @@ -43,13 +43,13 @@ $emailId = $app->functions->intval($_GET['id']); /* * Get the data to connect to the database */ -$dbData = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE mailuser_id = " . $emailId); +$dbData = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE mailuser_id = ?", $emailId); $serverId = $app->functions->intval($dbData['server_id']); if ($serverId == 0){ die ("No E-Mail - Server found!"); } -$serverData = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ".$serverId); +$serverData = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $serverId); $app->uses('getconf'); $global_config = $app->getconf->get_global_config('mail'); diff --git a/interface/web/mail/xmpp_domain_del.php b/interface/web/mail/xmpp_domain_del.php index da481c8f2b..5e4c826fd0 100644 --- a/interface/web/mail/xmpp_domain_del.php +++ b/interface/web/mail/xmpp_domain_del.php @@ -67,8 +67,8 @@ class page_action extends tform_actions { private function delete_accounts($domain){ global $app; // get all accounts - $sql = "SELECT * FROM xmpp_user WHERE jid LIKE ? AND ?"; - $users = $app->db->queryAllRecords($sql, '%@'.$domain, $app->tform->getAuthSQL('d')); + $sql = "SELECT * FROM xmpp_user WHERE jid LIKE ? AND " . $app->tform->getAuthSQL('d'); + $users = $app->db->queryAllRecords($sql, '%@'.$domain); foreach($users AS $u) $app->db->datalogDelete('xmpp_user', 'xmppuser_id', $u['xmppuser_id']); } @@ -77,8 +77,8 @@ class page_action extends tform_actions { global $app; // purge all xmpp related rr-record - $sql = "SELECT * FROM dns_rr WHERE zone = ? AND (name IN ? AND type = 'CNAME' OR name LIKE ? AND type = 'SRV') AND ? ORDER BY serial DESC"; - $rec = $app->db->queryAllRecords($sql, $new_rr['zone'], array('xmpp', 'pubsub', 'proxy', 'anon', 'vjud', 'muc'), '_xmpp-%', $app->tform->getAuthSQL('r')); + $sql = "SELECT * FROM dns_rr WHERE zone = ? AND (name IN ? AND type = 'CNAME' OR name LIKE ? AND type = 'SRV') AND " . $app->tform->getAuthSQL('r') . " ORDER BY serial DESC"; + $rec = $app->db->queryAllRecords($sql, $new_rr['zone'], array('xmpp', 'pubsub', 'proxy', 'anon', 'vjud', 'muc'), '_xmpp-%'); if (is_array($rec[1])) { for ($i=0; $i < count($rec); ++$i) $app->db->datalogDelete('dns_rr', 'id', $rec[$i]['id']); diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php index 1213a91e6a..91566dc6a5 100644 --- a/interface/web/mail/xmpp_domain_edit.php +++ b/interface/web/mail/xmpp_domain_edit.php @@ -95,7 +95,7 @@ class page_action extends tform_actions { $read_limits = array('limit_xmpp_pastebin', 'limit_xmpp_httparchive', 'limit_xmpp_anon', 'limit_xmpp_vjud', 'limit_xmpp_proxy', 'limit_xmpp_status'); if($_SESSION["s"]["user"]["typ"] != 'admin') { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // add limits to template to be able to hide settings foreach($read_limits as $limit) $app->tpl->setVar($limit, $client[$limit]); }else{ @@ -145,7 +145,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client_xmpp = $app->db->queryOneRecord("SELECT xmpp_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client_xmpp = $app->db->queryOneRecord("SELECT xmpp_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client_xmpp['xmpp_servers_ids'] = explode(',', $client_xmpp['xmpp_servers']); @@ -239,7 +239,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_xmpp_domain FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_xmpp_domain FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // When the record is updated if($this->id > 0) { // restore the server ID if the user is not admin and record is edited @@ -256,7 +256,7 @@ class page_action extends tform_actions { } if($client["limit_xmpp_domain"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM xmpp_domain WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM xmpp_domain WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_xmpp_domain"]) { $app->error($app->tform->wordbook["limit_xmppdomain_txt"]); } diff --git a/interface/web/mail/xmpp_user_edit.php b/interface/web/mail/xmpp_user_edit.php index 6ad6161b4a..c1b9eedf59 100644 --- a/interface/web/mail/xmpp_user_edit.php +++ b/interface/web/mail/xmpp_user_edit.php @@ -98,7 +98,7 @@ class page_action extends tform_actions { global $app, $conf; //* Check if Domain belongs to user if(isset($_POST["jid_domain"])) { - $domain = $app->db->queryOneRecord("SELECT server_id, domain FROM xmpp_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["jid_domain"]))."' AND ".$app->tform->getAuthSQL('r')); + $domain = $app->db->queryOneRecord("SELECT server_id, domain FROM xmpp_domain WHERE domain = ? AND ".$app->tform->getAuthSQL('r'), $app->functions->idn_encode($_POST["jid_domain"])); if($domain["domain"] != $app->functions->idn_encode($_POST["jid_domain"])) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); } @@ -112,12 +112,12 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_xmpp_user, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_xmpp_user, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ", $client_group_id); // Check if the user may add another xmpp user. if($this->id == 0 && $client["limit_xmpp_user"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(xmppuser_id) as number FROM xmpp_user WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(xmppuser_id) as number FROM xmpp_user WHERE sys_groupid = ", $client_group_id); if($tmp["number"] >= $client["limit_xmpp_user"]) { $app->tform->errorMessage .= $app->tform->lng("limit_xmpp_user_txt")."
"; } @@ -148,8 +148,8 @@ class page_action extends tform_actions { global $app, $conf; // Set the domain owner as xmpp user owner - $domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM xmpp_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["jid_domain"]))."' AND ".$app->tform->getAuthSQL('r')); - $app->db->query("UPDATE xmpp_user SET sys_groupid = ".$app->functions->intval($domain["sys_groupid"])." WHERE xmppuser_id = ".$this->id); + $domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM xmpp_domain WHERE domain = ? AND ".$app->tform->getAuthSQL('r'), $app->functions->idn_encode($_POST["jid_domain"])); + $app->db->query("UPDATE xmpp_user SET sys_groupid = ? WHERE xmppuser_id = ?", $domain["sys_groupid"], $this->id); } @@ -158,8 +158,8 @@ class page_action extends tform_actions { // Set the domain owner as mailbox owner if(isset($_POST["xmpp_domain"])) { - $domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM xmpp_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["jid_domain"]))."' AND ".$app->tform->getAuthSQL('r')); - $app->db->query("UPDATE xmpp_user SET sys_groupid = ".$app->functions->intval($domain["sys_groupid"])." WHERE xmppuser_id = ".$this->id); + $domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM xmpp_domain WHERE domain = ? AND ".$app->tform->getAuthSQL('r'), $app->functions->idn_encode($_POST["jid_domain"])); + $app->db->query("UPDATE xmpp_user SET sys_groupid = ? WHERE xmppuser_id = ?", $domain["sys_groupid"], $this->id); } } diff --git a/interface/web/mailuser/index.php b/interface/web/mailuser/index.php index 73505ae646..b7748ac1cc 100644 --- a/interface/web/mailuser/index.php +++ b/interface/web/mailuser/index.php @@ -17,8 +17,8 @@ $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_index.lng'; include $lng_file; $app->tpl->setVar($wb); -$sql = "SELECT * FROM mail_user WHERE mailuser_id = ".$app->functions->intval($_SESSION['s']['user']['mailuser_id']); -$rec = $app->db->queryOneRecord($sql); +$sql = "SELECT * FROM mail_user WHERE mailuser_id = ?"; +$rec = $app->db->queryOneRecord($sql, $_SESSION['s']['user']['mailuser_id']); if($rec['quota'] == 0) { $rec['quota'] = $wb['unlimited_txt']; @@ -30,8 +30,8 @@ if($rec['cc'] == '') $rec['cc'] = $wb['none_txt']; $app->tpl->setVar($rec); -$sql2 = "SELECT * FROM server WHERE server_id = ".$app->functions->intval($rec['server_id']); -$rec2 = $app->db->queryOneRecord($sql2); +$sql2 = "SELECT * FROM server WHERE server_id = ?"; +$rec2 = $app->db->queryOneRecord($sql2, $rec['server_id']); $app->tpl->setVar($rec2); diff --git a/interface/web/mailuser/mail_user_filter_edit.php b/interface/web/mailuser/mail_user_filter_edit.php index ff93bd9d6c..d398b65166 100644 --- a/interface/web/mailuser/mail_user_filter_edit.php +++ b/interface/web/mailuser/mail_user_filter_edit.php @@ -71,7 +71,7 @@ class page_action extends tform_actions { global $app, $conf; // Get the parent mail_user record - $mailuser = $app->db->queryOneRecord("SELECT * FROM mail_user WHERE mailuser_id = '".$app->functions->intval($_SESSION['s']['user']['mailuser_id'])."'"); + $mailuser = $app->db->queryOneRecord("SELECT * FROM mail_user WHERE mailuser_id = ?", $_SESSION['s']['user']['mailuser_id']); // Set the mailuser_id $this->dataRecord["mailuser_id"] = $mailuser["mailuser_id"]; @@ -84,11 +84,11 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["default_group"] > 0) { // if user is not admin // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another filter if($this->id == 0 && $client["limit_mailfilter"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(filter_id) as number FROM mail_user_filter WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(filter_id) as number FROM mail_user_filter WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_mailfilter"]) { $app->tform->errorMessage .= $app->tform->lng("limit_mailfilter_txt")."
"; } diff --git a/interface/web/mailuser/mail_user_spamfilter_edit.php b/interface/web/mailuser/mail_user_spamfilter_edit.php index 3ea2aa57d5..335aaece01 100644 --- a/interface/web/mailuser/mail_user_spamfilter_edit.php +++ b/interface/web/mailuser/mail_user_spamfilter_edit.php @@ -74,11 +74,11 @@ class page_action extends tform_actions { $rec = $app->tform->getDataRecord($this->id); $email_parts = explode('@', $rec['email']); $email_domain = $email_parts[1]; - $domain = $app->db->queryOneRecord("SELECT sys_userid, sys_groupid, server_id FROM mail_domain WHERE domain = '".$app->db->quote($email_domain)."'"); + $domain = $app->db->queryOneRecord("SELECT sys_userid, sys_groupid, server_id FROM mail_domain WHERE domain = ?", $email_domain); // Spamfilter policy $policy_id = $app->functions->intval($this->dataRecord["policy"]); - $tmp_user = $app->db->queryOneRecord("SELECT id FROM spamfilter_users WHERE email = '".$app->db->quote($rec["email"])."'"); + $tmp_user = $app->db->queryOneRecord("SELECT id FROM spamfilter_users WHERE email = ?", $rec["email"]); if($policy_id > 0) { if($tmp_user["id"] > 0) { // There is already a record that we will update @@ -104,7 +104,7 @@ class page_action extends tform_actions { $app->tpl->setVar("email", $rec['email']); // Get the spamfilter policys for the user - $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = '".$app->db->quote($rec['email'])."'"); + $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = ?", $rec['email']); $sql = "SELECT id, policy_name FROM spamfilter_policy WHERE ".$app->tform->getAuthSQL('r'); $policys = $app->db->queryAllRecords($sql); $policy_select = ""; diff --git a/interface/web/monitor/log_del.php b/interface/web/monitor/log_del.php index 04d11e9665..40fe185977 100644 --- a/interface/web/monitor/log_del.php +++ b/interface/web/monitor/log_del.php @@ -35,7 +35,7 @@ require_once '../../lib/app.inc.php'; $app->auth->check_module_permissions('monitor'); $syslog_id = $app->functions->intval($_GET['id']); -$app->db->query("UPDATE sys_log SET loglevel = 0 WHERE syslog_id = '$syslog_id'"); +$app->db->query("UPDATE sys_log SET loglevel = 0 WHERE syslog_id = ?", $syslog_id); header('Location: log_list.php'); exit; diff --git a/interface/web/monitor/show_log.php b/interface/web/monitor/show_log.php index 96217dada1..e8f3acc735 100644 --- a/interface/web/monitor/show_log.php +++ b/interface/web/monitor/show_log.php @@ -120,7 +120,7 @@ $app->tpl->setVar("refresh", $tmp); /* fetch the Data from the DB */ -$record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = '" . $app->db->quote($logId) . "' and server_id = " . $_SESSION['monitor']['server_id'] . " order by created desc"); +$record = $app->db->queryOneRecord("SELECT data, state FROM monitor_data WHERE type = ? and server_id = ? order by created desc", $logId, $_SESSION['monitor']['server_id']); if(isset($record['data'])) { $data = unserialize($record['data']); diff --git a/interface/web/monitor/show_sys_state.php b/interface/web/monitor/show_sys_state.php index 480dd17d28..53997bc207 100644 --- a/interface/web/monitor/show_sys_state.php +++ b/interface/web/monitor/show_sys_state.php @@ -191,7 +191,7 @@ function _getServerState($serverId, $serverName) { /* * Get all monitoring-data from the server and process then */ - $records = $app->db->queryAllRecords("SELECT DISTINCT type, data FROM monitor_data WHERE server_id = " . $serverId); + $records = $app->db->queryAllRecords("SELECT DISTINCT type, data FROM monitor_data WHERE server_id = ?", $serverId); $osData = null; $veInfo = null; $ispcData = null; @@ -320,7 +320,7 @@ function _processDbState($type, $serverId, $serverState, $messages) { * state */ // get the State from the DB - $record = $app->db->queryOneRecord("SELECT state FROM monitor_data WHERE type = '" . $type . "' and server_id = " . $serverId . " order by created desc"); + $record = $app->db->queryOneRecord("SELECT state FROM monitor_data WHERE type = ? and server_id = ? order by created desc", $type, $serverId); // change the new state to the highest state /* diff --git a/interface/web/remote/monitor.php b/interface/web/remote/monitor.php index 9cc0084bba..132bcf29a5 100644 --- a/interface/web/remote/monitor.php +++ b/interface/web/remote/monitor.php @@ -30,7 +30,7 @@ if($token == '' or $secret == '' or $token != $secret) { $sql = 'SELECT server_id, server_name FROM server WHERE 1 ORDER BY server_id'; $records = $app->db->queryAllRecords($sql); foreach($records as $index => $rec) { - $rec = $app->db->queryOneRecord("SELECT * FROM monitor_data WHERE server_id = " . $rec['server_id'] . " AND state NOT IN ('ok', 'no_state', 'info')"); + $rec = $app->db->queryOneRecord("SELECT * FROM monitor_data WHERE server_id = ? AND state NOT IN ('ok', 'no_state', 'info')", $rec['server_id']); if($rec) $records[$index]['state'] = 'warn'; else $records[$index]['state'] = 'ok'; } @@ -38,7 +38,7 @@ if($token == '' or $secret == '' or $token != $secret) { $out['data'] = $records; $out['time'] = date('Y-m-d H:i', $rec['created']); } else { - $rec = $app->db->queryOneRecord("SELECT * FROM monitor_data WHERE type = '$type' AND server_id = $server_id"); + $rec = $app->db->queryOneRecord("SELECT * FROM monitor_data WHERE type = ? AND server_id = ?", $type, $server_id); if(is_array($rec)) { $out['state'] = $rec['state']; $out['data'] = unserialize(stripslashes($rec['data'])); diff --git a/interface/web/sites/ajax_get_ip.php b/interface/web/sites/ajax_get_ip.php index 4101a807e1..c50c1ba3c2 100644 --- a/interface/web/sites/ajax_get_ip.php +++ b/interface/web/sites/ajax_get_ip.php @@ -44,8 +44,8 @@ if($_SESSION["s"]["user"]["typ"] == 'admin' or $app->auth->has_clients($_SESSION //* Get global web config $web_config = $app->getconf->get_server_config($server_id, 'web'); - $sql = "SELECT ip_address FROM server_ip WHERE ip_type = '$ip_type' AND server_id = $server_id"; - $ips = $app->db->queryAllRecords($sql); + $sql = "SELECT ip_address FROM server_ip WHERE ip_type = ? AND server_id = ?"; + $ips = $app->db->queryAllRecords($sql, $ip_type, $server_id); // $ip_select = ""; if($ip_type == 'IPv4'){ $ip_select = ($web_config['enable_ip_wildcard'] == 'y')?"*#":""; diff --git a/interface/web/sites/aps_do_operation.php b/interface/web/sites/aps_do_operation.php index ffc8c031d7..ff0705f9bb 100644 --- a/interface/web/sites/aps_do_operation.php +++ b/interface/web/sites/aps_do_operation.php @@ -50,15 +50,15 @@ if($_GET['action'] == 'change_status') if(!$gui->isValidPackageID($_GET['id'], true)) die($app->lng('Invalid ID')); // Change the existing status to the opposite - $get_status = $app->db->queryOneRecord("SELECT package_status FROM aps_packages WHERE id = '".$app->functions->intval($_GET['id'])."';"); + $get_status = $app->db->queryOneRecord("SELECT package_status FROM aps_packages WHERE id = ?", $_GET['id']); if($get_status['package_status'] == strval(PACKAGE_LOCKED)) { - $app->db->query("UPDATE aps_packages SET package_status = ".PACKAGE_ENABLED." WHERE id = '".$app->functions->intval($_GET['id'])."';"); + $app->db->query("UPDATE aps_packages SET package_status = ? WHERE id = ?", PACKAGE_ENABLED, $_GET['id']); echo '
'.$app->lng('Yes').'
'; } else { - $app->db->query("UPDATE aps_packages SET Package_status = ".PACKAGE_LOCKED." WHERE id = '".$app->functions->intval($_GET['id'])."';"); + $app->db->query("UPDATE aps_packages SET Package_status = ? WHERE id = ?", PACKAGE_LOCKED, $_GET['id']); echo '
'.$app->lng('No').'
'; } } @@ -69,7 +69,7 @@ else if($_GET['action'] == 'delete_instance') $is_admin = ($_SESSION['s']['user']['typ'] == 'admin') ? true : false; if(!$is_admin) { - $cid = $app->db->queryOneRecord("SELECT client_id FROM client WHERE username = '".$app->db->quote($_SESSION['s']['user']['username'])."';"); + $cid = $app->db->queryOneRecord("SELECT client_id FROM client WHERE username = ?", $_SESSION['s']['user']['username']); $client_id = $cid['client_id']; } @@ -78,8 +78,8 @@ else if($_GET['action'] == 'delete_instance') // Only delete the instance if the status is "installed" or "flawed" $check = $app->db->queryOneRecord("SELECT id FROM aps_instances - WHERE id = ".$app->db->quote($_GET['id'])." AND - (instance_status = ".INSTANCE_SUCCESS." OR instance_status = ".INSTANCE_ERROR.");"); + WHERE id = ? AND + (instance_status = ? OR instance_status = ?)", $_GET['id'], INSTANCE_SUCCESS, INSTANCE_ERROR); if($check['id'] > 0) $gui->deleteInstance($_GET['id']); //echo $app->lng('Installation_remove'); @header('Location:aps_installedpackages_list.php'); diff --git a/interface/web/sites/aps_install_package.php b/interface/web/sites/aps_install_package.php index 5d62322690..0c19af8c97 100644 --- a/interface/web/sites/aps_install_package.php +++ b/interface/web/sites/aps_install_package.php @@ -85,9 +85,8 @@ if(isset($settings['error'])) $app->error($settings['error']); // Get domain list $domains = array(); $domain_for_user = ''; -if(!$adminflag) $domain_for_user = "AND (sys_userid = '".$app->db->quote($_SESSION['s']['user']['userid'])."' - OR sys_groupid = '".$app->db->quote($_SESSION['s']['user']['default_group'])."' )"; -$domains_assoc = $app->db->queryAllRecords("SELECT domain FROM web_domain WHERE document_root != '' AND (type = 'vhost' OR type = 'vhostsubdomain' OR type = 'vhostalias') AND active = 'y' ".$domain_for_user." ORDER BY domain;"); +if(!$adminflag) $domain_for_user = "AND (sys_userid = ? OR sys_groupid = ?)"; +$domains_assoc = $app->db->queryAllRecords("SELECT domain FROM web_domain WHERE document_root != '' AND (type = 'vhost' OR type = 'vhostsubdomain' OR type = 'vhostalias') AND active = 'y' ".$domain_for_user." ORDER BY domain", $_SESSION['s']['user']['userid'], $_SESSION['s']['user']['default_group']); if(!empty($domains_assoc)) foreach($domains_assoc as $domain) $domains[] = $domain['domain']; // If data has been submitted, validate it diff --git a/interface/web/sites/cron_edit.php b/interface/web/sites/cron_edit.php index 6ec02c7433..2b3c1391b1 100644 --- a/interface/web/sites/cron_edit.php +++ b/interface/web/sites/cron_edit.php @@ -87,7 +87,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_cron, limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_cron, limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ", $client_group_id); // When the record is updated if($this->id > 0) { @@ -95,7 +95,7 @@ class page_action extends tform_actions { } else { // Check if the user may add another cron job. if($client["limit_cron"] >= 0) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM cron WHERE sys_groupid = $client_group_id"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM cron WHERE sys_groupid = ", $client_group_id); if($tmp["number"] >= $client["limit_cron"]) { $app->error($app->tform->wordbook["limit_cron_txt"]); } @@ -104,7 +104,7 @@ class page_action extends tform_actions { } // Get the record of the parent domain - $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); + $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), @$this->dataRecord["parent_domain_id"]); if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); // Set fixed values @@ -115,7 +115,7 @@ class page_action extends tform_actions { if(preg_match("'^http(s)?:\/\/'i", $command)) { $this->dataRecord["type"] = 'url'; } else { - $domain_owner = $app->db->queryOneRecord("SELECT limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($parent_domain["sys_groupid"])); + $domain_owner = $app->db->queryOneRecord("SELECT limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $parent_domain["sys_groupid"]); //* True when the site is assigned to a client if(isset($domain_owner["limit_cron_type"])) { if($domain_owner["limit_cron_type"] == 'full') { @@ -140,7 +140,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_cron_frequency, limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_cron_frequency, limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client["limit_cron_frequency"] > 1) { if($app->tform->cron_min_freq < $client["limit_cron_frequency"]) { @@ -170,7 +170,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_cron_frequency, limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_cron_frequency, limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client["limit_cron_frequency"] > 1) { if($app->tform->cron_min_freq < $client["limit_cron_frequency"]) { @@ -196,14 +196,14 @@ class page_action extends tform_actions { function onAfterInsert() { global $app, $conf; - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->dataRecord["parent_domain_id"]); $server_id = $web["server_id"]; // The cron shall be owned by the same group then the website $sys_groupid = $app->functions->intval($web['sys_groupid']); - $sql = "UPDATE cron SET server_id = $server_id, sys_groupid = '$sys_groupid' WHERE id = ".$this->id; - $app->db->query($sql); + $sql = "UPDATE cron SET server_id = ?, sys_groupid = ? WHERE id = ?"; + $app->db->query($sql, $server_id, $sys_groupid, $this->id); } function onAfterUpdate() { diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php index 9494cd3360..01497ab84b 100644 --- a/interface/web/sites/database_edit.php +++ b/interface/web/sites/database_edit.php @@ -79,7 +79,7 @@ class page_action extends tform_actions { $client = $app->db->queryOneRecord("SELECT db_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Set the webserver to the default server of the client - $tmp = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id IN ($client[db_servers])"); + $tmp = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id IN ?", explode(',', $client['db_servers'])); $only_one_server = count($tmp) === 1; $app->tpl->setVar('only_one_server', $only_one_server); @@ -102,7 +102,7 @@ class page_action extends tform_actions { $client = $app->db->queryOneRecord("SELECT client.client_id, limit_web_domain, db_servers, contact_name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Set the webserver to the default server of the client - $tmp = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id IN ($client[db_servers])"); + $tmp = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id IN ?", explode(',', $client['db_servers'])); $only_one_server = count($tmp) === 1; $app->tpl->setVar('only_one_server', $only_one_server); @@ -168,13 +168,13 @@ class page_action extends tform_actions { function onSubmit() { global $app, $conf; - $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); + $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), @$this->dataRecord["parent_domain_id"]); if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT db_servers, limit_database, limit_database_quota, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT db_servers, limit_database, limit_database_quota, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.groupid = ", $client_group_id); // When the record is updated if($this->id > 0) { @@ -207,7 +207,7 @@ class page_action extends tform_actions { if($client['parent_client_id'] > 0) { // Get the limits of the reseller - $reseller = $app->db->queryOneRecord("SELECT limit_database, limit_database_quota FROM client WHERE client_id = ".$client['parent_client_id']); + $reseller = $app->db->queryOneRecord("SELECT limit_database, limit_database_quota FROM client WHERE client_id = ?", $client['parent_client_id']); //* Check the website quota of the client if ($reseller['limit_database_quota'] >= 0) { @@ -265,15 +265,15 @@ class page_action extends tform_actions { } } else { // check if client of database parent domain is client of db user! - $web_group = $app->db->queryOneRecord("SELECT sys_groupid FROM web_domain WHERE domain_id = '".$app->functions->intval($this->dataRecord['parent_domain_id'])."'"); + $web_group = $app->db->queryOneRecord("SELECT sys_groupid FROM web_domain WHERE domain_id = ?", $this->dataRecord['parent_domain_id']); if($this->dataRecord['database_user_id']) { - $group = $app->db->queryOneRecord("SELECT sys_groupid FROM web_database_user WHERE database_user_id = '".$app->functions->intval($this->dataRecord['database_user_id'])."'"); + $group = $app->db->queryOneRecord("SELECT sys_groupid FROM web_database_user WHERE database_user_id = ?", $this->dataRecord['database_user_id']); if($group['sys_groupid'] != $web_group['sys_groupid']) { $app->error($app->tform->wordbook['database_client_differs_txt']); } } if($this->dataRecord['database_ro_user_id']) { - $group = $app->db->queryOneRecord("SELECT sys_groupid FROM web_database_user WHERE database_user_id = '".$app->functions->intval($this->dataRecord['database_ro_user_id'])."'"); + $group = $app->db->queryOneRecord("SELECT sys_groupid FROM web_database_user WHERE database_user_id = ?", $this->dataRecord['database_ro_user_id']); if($group['sys_groupid'] != $web_group['sys_groupid']) { $app->error($app->tform->wordbook['database_client_differs_txt']); } @@ -340,11 +340,11 @@ class page_action extends tform_actions { } //* Check for duplicates - $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = '".$app->db->quote($this->dataRecord['database_name'])."' AND server_id = '".$app->functions->intval($this->dataRecord["server_id"])."' AND database_id != '".$this->id."'"); + $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = ? AND server_id = ? AND database_id != ?", $this->dataRecord['database_name'], $this->dataRecord["server_id"], $this->id); if($tmp['dbnum'] > 0) $app->tform->errorMessage .= $app->lng('database_name_error_unique').'
'; // get the web server ip (parent domain) - $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = '".$app->functions->intval($this->dataRecord['parent_domain_id'])."'"); + $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ?", $this->dataRecord['parent_domain_id']); if($tmp['server_id'] && $tmp['server_id'] != $this->dataRecord['server_id']) { // we need remote access rights for this server, so get it's ip address $server_config = $app->getconf->get_server_config($tmp['server_id'], 'server'); @@ -369,7 +369,7 @@ class page_action extends tform_actions { if ($app->tform->errorMessage == '') { // force update of the used database user if($this->dataRecord['database_user_id']) { - $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ' . $app->functions->intval($this->dataRecord['database_user_id'])); + $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ?', $this->dataRecord['database_user_id']); if($user_old_rec) { $user_new_rec = $user_old_rec; $user_new_rec['server_id'] = $this->dataRecord['server_id']; @@ -377,7 +377,7 @@ class page_action extends tform_actions { } } if($this->dataRecord['database_ro_user_id']) { - $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ' . $app->functions->intval($this->dataRecord['database_ro_user_id'])); + $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ?', $this->dataRecord['database_ro_user_id']); if($user_old_rec) { $user_new_rec = $user_old_rec; $user_new_rec['server_id'] = $this->dataRecord['server_id']; @@ -419,11 +419,11 @@ class page_action extends tform_actions { } //* Check for duplicates - $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = '".$app->db->quote($this->dataRecord['database_name'])."' AND server_id = '".$app->functions->intval($this->dataRecord["server_id"])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = ? AND server_id = ?", $this->dataRecord['database_name'], $this->dataRecord["server_id"]); if($tmp['dbnum'] > 0) $app->tform->errorMessage .= $app->tform->lng('database_name_error_unique').'
'; // get the web server ip (parent domain) - $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = '".$app->functions->intval($this->dataRecord['parent_domain_id'])."'"); + $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ?", $this->dataRecord['parent_domain_id']); if($tmp['server_id'] && $tmp['server_id'] != $this->dataRecord['server_id']) { // we need remote access rights for this server, so get it's ip address $server_config = $app->getconf->get_server_config($tmp['server_id'], 'server'); @@ -448,7 +448,7 @@ class page_action extends tform_actions { if ($app->tform->errorMessage == '') { // force update of the used database user if($this->dataRecord['database_user_id']) { - $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ' . $app->functions->intval($this->dataRecord['database_user_id'])); + $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ?', $this->dataRecord['database_user_id']); if($user_old_rec) { $user_new_rec = $user_old_rec; $user_new_rec['server_id'] = $this->dataRecord['server_id']; @@ -456,7 +456,7 @@ class page_action extends tform_actions { } } if($this->dataRecord['database_ro_user_id']) { - $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ' . $app->functions->intval($this->dataRecord['database_ro_user_id'])); + $user_old_rec = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user_id` = ?', $this->dataRecord['database_ro_user_id']); if($user_old_rec) { $user_new_rec = $user_old_rec; $user_new_rec['server_id'] = $this->dataRecord['server_id']; diff --git a/interface/web/sites/database_phpmyadmin.php b/interface/web/sites/database_phpmyadmin.php index 5e640dfea4..481b4ea600 100644 --- a/interface/web/sites/database_phpmyadmin.php +++ b/interface/web/sites/database_phpmyadmin.php @@ -45,14 +45,12 @@ $databaseId = $app->functions->intval($_GET['id']); /* * Get the data to connect to the database */ -$dbData = $app->db->queryOneRecord("SELECT server_id, database_name FROM web_database WHERE database_id = " . $databaseId); +$dbData = $app->db->queryOneRecord("SELECT server_id, database_name FROM web_database WHERE database_id = ?", $databaseId); $serverId = $app->functions->intval($dbData['server_id']); if ($serverId == 0){ die ("No DB-Server found!"); } -$serverData = $app->db->queryOneRecord( - "SELECT server_name FROM server WHERE server_id = " . - $serverId); +$serverData = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $serverId); $app->uses('getconf'); $global_config = $app->getconf->get_global_config('sites'); diff --git a/interface/web/sites/database_user_del.php b/interface/web/sites/database_user_del.php index 3667539c7a..2ca1ef58b1 100644 --- a/interface/web/sites/database_user_del.php +++ b/interface/web/sites/database_user_del.php @@ -55,7 +55,7 @@ class page_action extends tform_actions { $old_record = $app->tform->getDataRecord($this->id); /* we cannot use datalogDelete here, as we need to set server_id to 0 */ - $app->db->query("DELETE FROM `web_database_user` WHERE $index_field = '$index_value'"); + $app->db->query("DELETE FROM `web_database_user` WHERE ?? = ?", $index_field, $index_value); $new_rec = array(); $old_record['server_id'] = 0; $app->db->datalogSave('web_database_user', 'DELETE', 'database_user_id', $this->id, $old_record, $new_rec); @@ -65,12 +65,12 @@ class page_action extends tform_actions { global $app; $conf; //* Update all records that belog to this user - $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_user_id = '".$app->functions->intval($this->id)."'"); + $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_user_id = ?", $this->id); foreach($records as $rec) { $app->db->datalogUpdate('web_database', 'database_user_id=NULL', 'database_id', $rec['database_id']); } - $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_ro_user_id = '".$app->functions->intval($this->id)."'"); + $records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE database_ro_user_id = ?", $this->id); foreach($records as $rec) { $app->db->datalogUpdate('web_database', 'database_ro_user_id=NULL', 'database_id', $rec['database_id']); } diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php index 18b46b90e1..ff366a3740 100644 --- a/interface/web/sites/database_user_edit.php +++ b/interface/web/sites/database_user_edit.php @@ -66,7 +66,7 @@ class page_action extends tform_actions { if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.company_name, client.contact_name, client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.company_name, client.contact_name, client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id'])." ORDER BY client.company_name, client.contact_name, sys_group.name"; diff --git a/interface/web/sites/form/web_vhost_domain.tform.php b/interface/web/sites/form/web_vhost_domain.tform.php index c342605c9a..47f8f65ad3 100644 --- a/interface/web/sites/form/web_vhost_domain.tform.php +++ b/interface/web/sites/form/web_vhost_domain.tform.php @@ -85,7 +85,7 @@ $ssl_available = true; $backup_available = ($vhostdomain_type == 'domain'); if(!$app->auth->is_admin()) { $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT limit_wildcard, limit_ssl, limit_backup FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_wildcard, limit_ssl, limit_backup FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client['limit_wildcard'] != 'y') $wildcard_available = false; if($client['limit_ssl'] != 'y') $ssl_available = false; diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php index 8de6be755f..1370d22a32 100644 --- a/interface/web/sites/shell_user_edit.php +++ b/interface/web/sites/shell_user_edit.php @@ -103,14 +103,12 @@ class page_action extends tform_actions { global $app, $conf; // Get the record of the parent domain - //$parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); - //if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); if(isset($this->dataRecord["parent_domain_id"])) { - $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); + $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), @$this->dataRecord["parent_domain_id"]); if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); } else { $tmp = $app->tform->getDataRecord($this->id); - $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval($tmp["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); + $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), $tmp["parent_domain_id"]); if(!$parent_domain) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); unset($tmp); } @@ -163,7 +161,7 @@ class page_action extends tform_actions { function onAfterInsert() { global $app, $conf; - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->dataRecord["parent_domain_id"]); $server_id = $app->functions->intval($web["server_id"]); $dir = $app->db->quote($web["document_root"]); @@ -178,8 +176,8 @@ class page_action extends tform_actions { // The FTP user shall be owned by the same group then the website $sys_groupid = $app->functions->intval($web['sys_groupid']); - $sql = "UPDATE shell_user SET server_id = $server_id, dir = '$dir', puser = '$uid', pgroup = '$gid', sys_groupid = '$sys_groupid' WHERE shell_user_id = ".$this->id; - $app->db->query($sql); + $sql = "UPDATE shell_user SET server_id = ?, dir = ?, puser = ?, pgroup = ?, sys_groupid = ? WHERE shell_user_id = ?"; + $app->db->query($sql, $server_id, $dir, $uid, $gid, $sys_groupid, $this->id); } diff --git a/interface/web/sites/web_childdomain_edit.php b/interface/web/sites/web_childdomain_edit.php index a2a20ca11a..33c2422f45 100644 --- a/interface/web/sites/web_childdomain_edit.php +++ b/interface/web/sites/web_childdomain_edit.php @@ -136,7 +136,7 @@ class page_action extends tform_actions { } else { if($this->_childdomain_type == 'subdomain') { // Get the record of the parent domain - $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"])); + $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ?", @$this->dataRecord["parent_domain_id"]); // remove the parent domain part of the domain name before we show it in the text field. $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]); @@ -168,13 +168,13 @@ class page_action extends tform_actions { // Get the record of the parent domain if(!@$this->dataRecord["parent_domain_id"] && $this->id) { - $tmp = $app->db->queryOneRecord("SELECT parent_domain_id FROM web_domain WHERE domain_id = ".$app->functions->intval($this->id)); + $tmp = $app->db->queryOneRecord("SELECT parent_domain_id FROM web_domain WHERE domain_id = ?", $this->id); if($tmp) $this->dataRecord["parent_domain_id"] = $tmp['parent_domain_id']; unset($tmp); } // Get the record of the parent domain - $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r')); + $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ? AND ".$app->tform->getAuthSQL('r'), @$this->dataRecord["parent_domain_id"]); if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm"); /* check if the domain module is used - and check if the selected domain can be used! */ $app->uses('ini_parser,getconf'); @@ -236,7 +236,7 @@ class page_action extends tform_actions { //* Update the old website, so that the vhost alias gets removed //* We force the update by inserting a transaction record without changes manually. - $old_website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = '.$app->functions->intval($this->oldDataRecord['domain_id'])); + $old_website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = ?', $this->oldDataRecord['domain_id']); $app->db->datalogSave('web_domain', 'UPDATE', 'domain_id', $app->functions->intval($this->oldDataRecord['parent_domain_id']), $old_website, $old_website, true); } diff --git a/interface/web/sites/web_folder_del.php b/interface/web/sites/web_folder_del.php index ec13c35a85..c7b60382d4 100644 --- a/interface/web/sites/web_folder_del.php +++ b/interface/web/sites/web_folder_del.php @@ -56,7 +56,7 @@ class page_action extends tform_actions { if($app->tform->checkPerm($this->id, 'd') == false) $app->error($app->lng('error_no_delete_permission')); // Delete all users that belong to this folder. - $records = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = '".$app->functions->intval($this->id)."'"); + $records = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = ?", $this->id); foreach($records as $rec) { $app->db->datalogDelete('web_folder_user', 'web_folder_user_id', $rec['web_folder_user_id']); } diff --git a/interface/web/sites/web_sites_stats.php b/interface/web/sites/web_sites_stats.php index 4e5535e0df..a6af3dc8a0 100644 --- a/interface/web/sites/web_sites_stats.php +++ b/interface/web/sites/web_sites_stats.php @@ -40,34 +40,26 @@ class list_action extends listform_actions { //** Traffic of the current month $tmp_year = date('Y'); $tmp_month = date('m'); - $tmp_rec = $app->db->queryOneRecord("SELECT SUM(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year' AND MONTH(traffic_date) = '$tmp_month'"); -// $rec['this_month'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' '); -// $this->sum_this_month += ($tmp_rec['t']/1024/1024); + $tmp_rec = $app->db->queryOneRecord("SELECT SUM(traffic_bytes) as t FROM web_traffic WHERE hostname = ? AND YEAR(traffic_date) = ? AND MONTH(traffic_date) = ?", $rec['domain'], $tmp_year, $tmp_month); $rec['this_month'] = $app->functions->formatBytes($tmp_rec['t']); $this->sum_this_month += $app->functions->formatBytes($tmp_rec['t']); //** Traffic of the current year - $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year'"); -// $rec['this_year'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' '); -// $this->sum_this_year += ($tmp_rec['t']/1024/1024); + $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = ? AND YEAR(traffic_date) = ?", $rec['domain'], $tmp_year); $rec['this_year'] = $app->functions->formatBytes($tmp_rec['t']); $this->sum_this_year += $app->functions->formatBytes($tmp_rec['t']); //** Traffic of the last month $tmp_year = date('Y', mktime(0, 0, 0, date("m")-1, date("d"), date("Y"))); $tmp_month = date('m', mktime(0, 0, 0, date("m")-1, date("d"), date("Y"))); - $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year' AND MONTH(traffic_date) = '$tmp_month'"); -// $rec['last_month'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' '); -// $this->sum_last_month += ($tmp_rec['t']/1024/1024); + $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = ? AND YEAR(traffic_date) = ? AND MONTH(traffic_date) = ?", $rec['domain'], $tmp_year, $tmp_month); $rec['last_month'] = $app->functions->formatBytes($tmp_rec['t']); $this->sum_last_month += $app->functions->formatBytes($tmp_rec['t']); //** Traffic of the last year $tmp_year = date('Y', mktime(0, 0, 0, date("m"), date("d"), date("Y")-1)); - $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year'"); -// $rec['last_year'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' '); -// $this->sum_last_year += ($tmp_rec['t']/1024/1024); + $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = ? AND YEAR(traffic_date) = ?", $rec['domain'], $tmp_year); $rec['last_year'] = $app->functions->formatBytes($tmp_rec['t']); $this->sum_last_year += $app->functions->formatBytes($tmp_rec['t']); diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php index 6e7d4347ff..f53a843521 100644 --- a/interface/web/sites/web_vhost_domain_edit.php +++ b/interface/web/sites/web_vhost_domain_edit.php @@ -111,7 +111,7 @@ class page_action extends tform_actions { } // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT client.web_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.web_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $web_servers = explode(',', $client['web_servers']); $server_id = $web_servers[0]; $app->tpl->setVar("server_id_value", $server_id); @@ -141,7 +141,7 @@ class page_action extends tform_actions { $read_limits = array('limit_cgi', 'limit_ssi', 'limit_perl', 'limit_ruby', 'limit_python', 'force_suexec', 'limit_hterror', 'limit_wildcard', 'limit_ssl'); - if($this->_vhostdomain_type != 'domain') $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"])); + if($this->_vhostdomain_type != 'domain') $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ?", @$this->dataRecord["parent_domain_id"]); $is_admin = false; @@ -151,11 +151,11 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); if($this->_vhostdomain_type == 'domain') { - $client = $app->db->queryOneRecord("SELECT client.limit_web_domain, client.web_servers, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.limit_web_domain, client.web_servers, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); } elseif($this->_vhostdomain_type == 'subdomain') { - $client = $app->db->queryOneRecord("SELECT client.limit_web_subdomain, client.web_servers, client.default_webserver, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.limit_web_subdomain, client.web_servers, client.default_webserver, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); } elseif($this->_vhostdomain_type == 'aliasdomain') { - $client = $app->db->queryOneRecord("SELECT client.limit_web_aliasdomain, client.web_servers, client.default_webserver, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.limit_web_aliasdomain, client.web_servers, client.default_webserver, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); } $client['web_servers_ids'] = explode(',', $client['web_servers']); @@ -276,12 +276,12 @@ class page_action extends tform_actions { $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); if($this->_vhostdomain_type == 'domain') { - $client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_domain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_domain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $app->tpl->setVar('only_one_server', $only_one_server); } elseif($this->_vhostdomain_type == 'subdomain') { - $client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_subdomain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_subdomain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); } elseif($this->_vhostdomain_type == 'aliasdomain') { - $client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_aliasdomain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_aliasdomain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); } $client['web_servers_ids'] = explode(',', $client['web_servers']); @@ -816,7 +816,7 @@ class page_action extends tform_actions { if($_SESSION["s"]["user"]["typ"] != 'admin') { // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT limit_traffic_quota, limit_web_domain, limit_web_aliasdomain, limit_web_subdomain, web_servers, parent_client_id, limit_web_quota, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT limit_traffic_quota, limit_web_domain, limit_web_aliasdomain, limit_web_subdomain, web_servers, parent_client_id, limit_web_quota, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $client['web_servers_ids'] = explode(',', $client['web_servers']); diff --git a/interface/web/tools/dns_import_tupa.php b/interface/web/tools/dns_import_tupa.php index 775d515289..b33b978da1 100644 --- a/interface/web/tools/dns_import_tupa.php +++ b/interface/web/tools/dns_import_tupa.php @@ -86,7 +86,7 @@ if(isset($_POST['start']) && $_POST['start'] == 1) { $domains = $exdb->queryAllRecords("SELECT * FROM domains WHERE type = 'MASTER'"); if(is_array($domains)) { foreach($domains as $domain) { - $soa = $exdb->queryOneRecord("SELECT * FROM records WHERE type = 'SOA' AND domain_id = ".$domain['id']); + $soa = $exdb->queryOneRecord("SELECT * FROM records WHERE type = 'SOA' AND domain_id = ?", $domain['id']); if(is_array($soa)) { $parts = explode(' ', $soa['content']); $origin = $app->db->quote(addot($soa['name'])); @@ -106,7 +106,7 @@ if(isset($_POST['start']) && $_POST['start'] == 1) { $msg .= 'Import Zone: '.$soa['name'].'
'; //* Process the other records - $records = $exdb->queryAllRecords("SELECT * FROM records WHERE type != 'SOA' AND domain_id = ".$domain['id']); + $records = $exdb->queryAllRecords("SELECT * FROM records WHERE type != 'SOA' AND domain_id = ?", $domain['id']); if(is_array($records)) { foreach($records as $rec) { $rr = array(); diff --git a/interface/web/tools/form/interface_settings.tform.php b/interface/web/tools/form/interface_settings.tform.php index f81ce2d157..f213605bf7 100644 --- a/interface/web/tools/form/interface_settings.tform.php +++ b/interface/web/tools/form/interface_settings.tform.php @@ -96,7 +96,7 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') { } } } else { - $tmp = $app->db->queryOneRecord("SELECT * FROM sys_user where username = '".$_SESSION["s"]["user"]['username']."'"); + $tmp = $app->db->queryOneRecord("SELECT * FROM sys_user where username = ?", $_SESSION["s"]["user"]['username']); $modules = $tmp['modules']; //$modules = $conf['interface_modules_enabled']; if($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) { diff --git a/interface/web/tools/import_plesk.php b/interface/web/tools/import_plesk.php deleted file mode 100644 index f6e2890ea1..0000000000 --- a/interface/web/tools/import_plesk.php +++ /dev/null @@ -1,1430 +0,0 @@ -queryAllRecords("SELECT l.id, l.limit_name, l.value FROM Limits as l"); - foreach($limit_data as $entry) { - if(array_key_exists($entry['id'], $limits) == false) $limits[$entry['id']] = array(); - $limits[$entry['id']][$entry['limit_name']] = $entry['value']; - - // limits that are there: - /* - disk_space - disk_space_soft - expiration - max_box - max_db - max_dom_aliases - max_maillists - max_mn - max_site - max_site_builder - max_subdom - max_subftp_users - max_traffic - max_traffic_soft - max_unity_mobile_sites - max_webapps - max_wu - mbox_quota - */ - } - - return $limits; -} - - -/** - * - * @param array $limits - * @param int $id - * @param string $limit - * @param mixed $default - * @return mixed - */ -function get_limit($limits, $id, $limit, $default = false) { - $ret = $default; - if(isset($limits[$id][$limit])) $ret = $limits[$id][$limit]; - - return $ret; -} - -function get_option($options, $option, $default = false) { - $ret = $default; - if(isset($options[$option])) $ret = $options[$option]; - - return $ret; -} - -function add_dot($string) { - if(strlen($string) > 0 && substr($string, -1, 1) !== '.') $string .= '.'; - return $string; -} - -function byte_to_mbyte($byte) { - if($byte <= 0) return $byte; // limit = -1 -> unlimited - return round($byte / (1024*1024)); -} - -function yes_no($num, $reverse = false) { - return ($num == 1 && !$reverse) || ($num != 1 && $reverse) ? 'y' : 'n'; -} - -// taken from the web_domain_edit.php -function id_hash($id, $levels) { - $hash = "" . $id % 10 ; - $id /= 10 ; - $levels -- ; - while ( $levels > 0 ) { - $hash .= "/" . $id % 10 ; - $id /= 10 ; - $levels-- ; - } - return $hash; -} - -$COMMANDS = 'unset HISTFILE -MYSERVER="192.168.1.10" -MYSQL_EXPORT_USER="root" -MYSQL_EXPORT_PASS="" -MYSQL_IMPORT_USER="root" -MYSQL_IMPORT_PASS="" -'; - -function add_command($cmd) { - global $COMMANDS; - - $COMMANDS .= $cmd . "\n"; -} - - -/* TODO: document root rewrite on ftp account and other home directories */ - -//* Check permissions for module -$app->auth->check_module_permissions('admin'); - -//* This is only allowed for administrators -if(!$app->auth->is_admin()) die('only allowed for administrators.'); - -$app->uses('tpl,getconf'); -$app->load('importer'); - -$app->tpl->newTemplate('form.tpl.htm'); -$app->tpl->setInclude('content_tpl', 'templates/import_plesk.htm'); -$msg = ''; -$error = ''; - -// Start migrating plesk data -if(isset($_POST['start']) && $_POST['start'] == 1) { - - //* Set variable sin template - $app->tpl->setVar('dbhost', $_POST['dbhost']); - $app->tpl->setVar('dbname', $_POST['dbname']); - $app->tpl->setVar('dbuser', $_POST['dbuser']); - $app->tpl->setVar('dbpassword', $_POST['dbpassword']); - $app->tpl->setVar('webcontent', $_POST['webcontent']); - $app->tpl->setVar('mailcontent', $_POST['mailcontent']); - - //* Establish connection to external database - $msg .= 'Connecting to external database...
'; - - //* Backup DB login details - /*$conf_bak['db_host'] = $conf['db_host']; - $conf_bak['db_database'] = $conf['db_database']; - $conf_bak['db_user'] = $conf['db_user']; - $conf_bak['db_password'] = $conf['db_password'];*/ - - //* Set external Login details - $conf['imp_db_host'] = $_POST['dbhost']; - $conf['imp_db_database'] = $_POST['dbname']; - $conf['imp_db_user'] = $_POST['dbuser']; - $conf['imp_db_password'] = $_POST['dbpassword']; - $conf['imp_db_charset'] = $conf['db_charset']; - $conf['imp_db_new_link'] = $conf['db_new_link']; - $conf['imp_db_client_flags'] = $conf['db_client_flags']; - - //* create new db object - $exdb = new db('imp'); - - $msg .= 'db object created...
'; - - $importer = new importer(); - $session_id = 'ISPC3'; // set dummy session id for remoting lib - $msg .= 'importer object created...
'; - - // import on server - $server_id = 1; - - //* Connect to DB - if($exdb !== false) { - $msg .= 'Connecting to external database done...
'; - - $limits = read_limit_data($exdb); - - $msg .= 'read all limit data...
'; - - // param_id -> cl_params table - not needed for import - // tpye = admin, reseller, client - $admins = $exdb->queryAllRecords("SELECT c.id, c.parent_id, c.type, c.cr_date, c.cname, c.pname, c.login, c.account_id, a.password, a.type as `pwtype`, c.status, c.phone, c.fax, c.email, c.address, c.city, c.state, c.pcode, c.country, c.locale, c.limits_id, c.params_id, c.perm_id, c.pool_id, c.logo_id, c.tmpl_id, c.guid, c.overuse, c.vendor_id, c.external_id FROM clients as c LEFT JOIN accounts as a ON (a.id = c.account_id) WHERE c.type = 'admin' ORDER BY c.parent_id, c.id"); - $resellers = $exdb->queryAllRecords("SELECT c.id, c.parent_id, c.type, c.cr_date, c.cname, c.pname, c.login, c.account_id, a.password, a.type as `pwtype`, c.status, c.phone, c.fax, c.email, c.address, c.city, c.state, c.pcode, c.country, c.locale, c.limits_id, c.params_id, c.perm_id, c.pool_id, c.logo_id, c.tmpl_id, c.guid, c.overuse, c.vendor_id, c.external_id FROM clients as c LEFT JOIN accounts as a ON (a.id = c.account_id) WHERE c.type = 'reseller' ORDER BY c.parent_id, c.id"); - $clients = $exdb->queryAllRecords("SELECT c.id, c.parent_id, c.type, c.cr_date, c.cname, c.pname, c.login, c.account_id, a.password, a.type as `pwtype`, c.status, c.phone, c.fax, c.email, c.address, c.city, c.state, c.pcode, c.country, c.locale, c.limits_id, c.params_id, c.perm_id, c.pool_id, c.logo_id, c.tmpl_id, c.guid, c.overuse, c.vendor_id, c.external_id FROM clients as c LEFT JOIN accounts as a ON (a.id = c.account_id) WHERE c.type = 'client' ORDER BY c.parent_id, c.id"); - - $users = array_merge($admins, $resellers, $clients); - $msg .= 'read all users (' . count($users) . ')...
'; - - - $plesk_ispc_ids = array(); // array with key = plesk id, value = ispc id - - $phpopts = array('no', 'fast-cgi', 'cgi', 'mod', 'suphp', 'php-fpm'); - - // import admins / resellers - for($i = 0; $i < count($users); $i++) { - $entry = $users[$i]; - - $old_client = $importer->client_get_by_username($session_id, $entry['login']); - if($old_client) { - if($old_client['client_id'] == 0) { - $entry['login'] = 'psa_' . $entry['login']; - $old_client = $importer->client_get_by_username($session_id, $entry['login']); - if($old_client) { - $msg .= $entry['login'] . ' existed, updating id ' . $old_client['client_id'] . '
'; - } - } else { - $msg .= $entry['login'] . ' existed, updating id ' . $old_client['client_id'] . '
'; - } - } - $params = array( - 'company_name' => $entry['cname'], - 'contact_name' => $entry['pname'], - 'customer_no' => 'Plesk' . $entry['id'], - 'username' => $entry['login'], - 'password' => $entry['password'], - 'language' => substr($entry['locale'], 0, 2), // plesk stores as de-DE or en-US - //'usertheme' => '', - 'street' => $entry['address'], - 'zip' => $entry['pcode'], - 'city' => $entry['city'], - 'state' => $entry['state'], - 'country' => $entry['country'], - 'telephone' => $entry['phone'], - //'mobile' => $entry[''], - 'fax' => $entry['fax'], - 'email' => $entry['email'], - //'internet' => $entry[''], - //'icq' => $entry[''], - //'vat_id' => $entry[''], - //'company_id' => $entry[''], - //'bank_account_number' => $entry[''], - //'bank_code' => $entry[''], - //'bank_name' => $entry[''], - //'bank_account_iban' => $entry[''], - //'bank_account_swift' => $entry[''], - 'notes' => 'imported from Plesk id ' . $entry['id'], - //'template_master' => $entry[''], - //'template_additional' => $entry[''], - //'default_mailserver' => $entry[''], - 'limit_maildomain' => get_limit($limits, $entry['id'], 'max_site', -1), - 'limit_mailbox' => get_limit($limits, $entry['id'], 'max_box', -1), - 'limit_mailalias' => get_limit($limits, $entry['id'], 'max_mn', -1), - 'limit_mailaliasdomain' => get_limit($limits, $entry['id'], 'max_dom_aliases', -1), - 'limit_mailmailinglist' => get_limit($limits, $entry['id'], 'max_maillists', -1), - 'limit_mailforward' => get_limit($limits, $entry['id'], 'max_mn', -1), - 'limit_mailcatchall' => 1, - 'limit_mailrouting' => 0, - 'limit_mailfilter' => 0, - 'limit_fetchmail' => 0, - 'limit_mailquota' => get_limit($limits, $entry['id'], 'mbox_quota', -1), - 'limit_spamfilter_wblist' => 0, - 'limit_spamfilter_user' => 0, - 'limit_spamfilter_policy' => 0, - //'default_webserver' => '', - 'limit_web_domain' => get_limit($limits, $entry['id'], 'max_site', -1), - 'limit_web_quota' => intval(get_limit($limits, $entry['id'], 'disk_space', -1)), - 'web_php_options' => implode(',', $phpopts), - 'limit_web_aliasdomain' => get_limit($limits, $entry['id'], 'max_dom_aliases', -1), - 'limit_web_subdomain' => get_limit($limits, $entry['id'], 'max_subdom', -1), - 'limit_ftp_user' => (string)($app->functions->intval(get_limit($limits, $entry['id'], 'max_subftp_users', -2)) + 1), - 'limit_shell_user' => 0, - 'ssh_chroot' => 'no,jailkit', - 'limit_webdav_user' => get_limit($limits, $entry['id'], 'max_wu', 0), - //'default_dnsserver' => '', - 'limit_dns_zone' => -1, - 'limit_dns_slave_zone' => -1, - 'limit_dns_record' => -1, - 'limit_client' => ($entry['type'] == 'client' ? 0 : -1), - //'default_dbserver' => '', - 'limit_database' => get_limit($limits, $entry['id'], 'max_db', -1), - 'limit_cron' => 0, - 'limit_cron_type' => 'url', - 'limit_cron_frequency' => '5', - 'limit_traffic_quota' => intval(get_limit($limits, $entry['id'], 'max_traffic', -1)), - 'limit_openvz_vm' => 0, - 'limit_openvz_vm_template_id' => '' - ); - $reseller_id = 0; - if($entry['parent_id'] != 0) { - if(array_key_exists($entry['parent_id'], $plesk_ispc_ids)) { - $reseller_id = $plesk_ispc_ids[$entry['parent_id']]; - } - } - - if($old_client) { - $new_id = $old_client['client_id']; - $ok = $importer->client_update($session_id, $old_client['client_id'], $reseller_id, array_merge($old_client, $params)); - if($ok === false) { - - } - } else { - $new_id = $importer->client_add($session_id, $reseller_id, $params); - } - if($new_id === false) { - //something went wrong here... - $msg .= "Client " . $entry['id'] . " (" . $entry['pname'] . ") could not be inserted/updated.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Client " . $entry['id'] . " (" . $entry['pname'] . ") inserted/updated.
"; - } - - $plesk_ispc_ids[$entry['id']] = $new_id; - } - unset($users); - unset($clients); - unset($resellers); - unset($admins); - - $web_config = $app->getconf->get_server_config($server_id, 'web'); - - $domains = $exdb->queryAllRecords("SELECT d.id, d.cr_date, d.name, d.displayName, d.dns_zone_id, d.status, d.htype, d.real_size, d.cl_id, d.limits_id, d.params_id, d.guid, d.overuse, d.gl_filter, d.vendor_id, d.webspace_id, d.webspace_status, d.permissions_id, d.external_id FROM domains as d WHERE d.parentDomainId = 0"); - $dom_ftp_users = array(); - $domain_ids = array(); - $domain_roots = array(); - $domain_owners = array(); - $dns_domain_ids = array(); - $maildomain_ids = array(); - foreach($domains as $entry) { - $res = $exdb->query("SELECT d.dom_id, d.param, d.val FROM dom_param as d WHERE d.dom_id = '" . $entry['id'] . "'"); - $options = array(); - while($opt = $res->get()) { - $options[$opt['param']] = $opt['val']; - } - - /* TODO: options that might be used later: - * OveruseBlock true/false - * OveruseNotify true/false - * OveruseSuspend true/false - * wu_script true/false (webusers allowed to use scripts?) - * webmail string (webmailer used - horde) - */ - - $redir_type = ''; - $redir_path = ''; - - if($entry['htype'] === 'std_fwd') { - // redirection - $redir = $exdb->queryOneRecord("SELECT f.dom_id, f.ip_address_id, f.redirect FROM forwarding as f WHERE f.dom_id = '" . $entry['id'] . "'"); - $redir_type = 'R,L'; - $redir_path = $redir['redirect']; - } elseif($entry['htype'] === 'vrt_hst') { - // default virtual hosting (vhost) - } else { - /* TODO: unknown type */ - } - - $hosting = $exdb->queryOneRecord("SELECT h.dom_id, h.sys_user_id, h.ip_address_id, h.real_traffic, h.fp, h.fp_ssl, h.fp_enable, h.fp_adm, h.fp_pass, h.ssi, h.php, h.cgi, h.perl, h.python, h.fastcgi, h.miva, h.coldfusion, h.asp, h.asp_dot_net, h.ssl, h.webstat, h.same_ssl, h.traffic_bandwidth, h.max_connection, h.php_handler_type, h.www_root, h.maintenance_mode, h.certificate_id, s.login, s.account_id, s.home, s.shell, s.quota, s.mapped_to, a.password, a.type as `pwtype` FROM hosting as h LEFT JOIN sys_users as s ON (s.id = h.sys_user_id) LEFT JOIN accounts as a ON (s.account_id = a.id) WHERE h.dom_id = '" . $entry['id'] . "'"); - if($hosting['sys_user_id']) { - $dom_ftp_users[] = array('id' => 0, - 'dom_id' => $hosting['dom_id'], - 'sys_user_id' => $hosting['sys_user_id'], - 'login' => $hosting['login'], - 'account_id' => $hosting['account_id'], - 'home' => $hosting['home'], - 'shell' => $hosting['shell'], - 'quota' => $hosting['quota'], - 'mapped_to' => $hosting['mapped_to'], - 'password' => $hosting['password'], - 'pwtype' => $hosting['pwtype'] - ); - } - - $phpmode = 'no'; - if(get_option($hosting, 'php', 'false') === 'true') { - $mode = get_option($hosting, 'php_handler_type', 'module'); - if($mode === 'module') $phpmode = 'mod'; - else $phpmode = 'fast-cgi'; - /* TODO: what other options could be in "php_handler_type"? */ - } - - /* TODO: plesk offers some more options: - * sys_user_id -> owner of files? - * ip_address_id - needed? - * fp - frontpage extensions - * miva - ? - * coldfusion - * asp - * asp_dot_net - * traffic_bandwidth - * max_connections - */ - $params = array( - 'server_id' => $server_id, - 'ip_address' => '*', - //'ipv6_address' => '', - 'domain' => $entry['name'], - 'type' => 'vhost', // can be vhost or alias - 'parent_domain_id' => '', // only if alias - 'vhost_type' => 'name', // or ip (-based) - 'hd_quota' => byte_to_mbyte(get_limit($limits, $entry['id'], 'disk_space', -1)), - 'traffic_quota' => byte_to_mbyte(get_limit($limits, $entry['id'], 'max_traffic', -1)), - 'cgi' => yes_no(get_option($hosting, 'cgi', 'false') === 'true' ? 1 : 0), - 'ssi' => yes_no(get_option($hosting, 'ssi', 'false') === 'true' ? 1 : 0), - 'suexec' => yes_no(1), // does plesk use this?! - 'errordocs' => get_option($options, 'apacheErrorDocs', 'false') === 'true' ? 1 : 0, - 'subdomain' => 'www', // plesk always uses this option - 'ssl' => yes_no(get_option($hosting, 'ssl', 'false') === 'true' ? 1 : 0), - 'php' => $phpmode, - 'fastcgi_php_version' => '', // plesk has no different php versions - 'ruby' => yes_no(0), // plesk has no ruby support - 'python' => yes_no(get_option($hosting, 'python', 'false') === 'true' ? 1 : 0), - 'active' => yes_no(($entry['status'] == 0 && get_option($hosting, 'maintenance_mode', 'false') !== 'true') ? 1 : 0), - 'redirect_type' => $redir_type, - 'redirect_path' => $redir_path, - 'seo_redirect' => '', - 'ssl_state' => $entry[''], - 'ssl_locality' => $entry[''], - 'ssl_organisation' => $entry[''], - 'ssl_organisation_unit' => $entry[''], - 'ssl_country' => $entry[''], - 'ssl_domain' => $entry[''], - 'ssl_request' => $entry[''], - 'ssl_cert' => $entry[''], - 'ssl_bundle' => $entry[''], - 'ssl_action' => $entry[''], - 'stats_password' => '', - 'stats_type' => get_option($hosting, 'webstat', 'webalizer') === 'awstats' ? 'awstats' : 'webalizer', - 'backup_interval' => 'none', - 'backup_copies' => 1, - 'allow_override' => 'All', - 'pm_process_idle_timeout' => 10, - 'pm_max_requests' => 0 - ); - - // find already inserted domain - $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = '" . $entry['name'] . "'"); - if(!$old_domain) $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE CONCAT(subdomain, '.', domain) = '" . $entry['name'] . "'"); - if($old_domain) { - $new_id = $old_domain['domain_id']; - $msg .= "Found domain with id " . $new_id . ", updating it.
"; - $params = array_merge($old_domain, $params); - $ok = $importer->sites_web_domain_update($session_id, $plesk_ispc_ids[$entry['cl_id']], $new_id, $params); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->sites_web_domain_add($session_id, $plesk_ispc_ids[$entry['cl_id']], $params, true); // read only... - } - - $domain_ids[$entry['id']] = $new_id; - $domain_roots[$entry['id']] = $entry['www_root']; - $domain_owners[$entry['id']] = $entry['cl_id']; - $dns_domain_ids[$entry['dns_zone_id']] = $entry['id']; - - if($new_id === false) { - //something went wrong here... - $msg .= "Domain " . $entry['id'] . " (" . $entry['name'] . ") could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Domain " . $entry['id'] . " (" . $entry['name'] . ") inserted -> " . $new_id . ".
"; - - $cmd_data = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = '" . $new_id . "'"); - $path = $cmd_data['document_root']; - add_command('chattr -i ' . escapeshellarg($path)); - add_command('if [[ -f ' . $path . '/web/index.html ]] ; then rm ' . $path . '/web/index.html ; fi'); - add_command('rsync -av --modify-window 10 --progress -e ssh root@${MYSERVER}:' . $hosting['www_root'] . '/ ' . $path . '/web/'); - add_command('chown -R ' . $cmd_data['system_user'] . ':' . $cmd_data['system_group'] . ' ' . escapeshellarg($path)); - add_command('grep ' . escapeshellarg($hosting['www_root']) . ' ' . $path . '/web -r -l | xargs replace ' . escapeshellarg($hosting['www_root']) . ' ' . escapeshellarg($path . '/web') . ' --'); - add_command('chown -R root:root ' . escapeshellarg($path . '/log') . ' ' . escapeshellarg($path . '/ssl') . ' ' . escapeshellarg($path . '/web/stats')); - add_command('chattr +i ' . escapeshellarg($path)); - } - - // add domain to mail domains too - $params = array( - 'server_id' => $server_id, - 'domain' => $entry['name'], - 'active' => yes_no(($entry['status'] == 0 ? 1 : 0)) - ); - $old_domain = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = '" . $entry['name'] . "'"); - if($old_domain) { - $new_id = $old_domain['domain_id']; - $params = array_merge($old_domain, $params); - $msg .= "Found maildomain with id " . $new_id . ", updating it.
"; - $ok = $importer->mail_domain_update($session_id, $plesk_ispc_ids[$entry['cl_id']], $new_id, $params); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Inserting new maildomain " . $entry['name'] . ".
"; - $new_id = $importer->mail_domain_add($session_id, $plesk_ispc_ids[$entry['cl_id']], $params); - } - - $maildomain_ids[$entry['id']] = $new_id; - if($new_id === false) { - //something went wrong here... - $msg .= "Maildomain (" . $entry['name'] . ") could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Maildomain " . $new_id . " (" . $entry['name'] . ") inserted.
"; - } - - } - - $domain_aliases = $exdb->queryAllRecords("SELECT da.id, da.name, da.displayName, da.dns, da.mail, da.web, da.dom_id, da.status FROM domainaliases as da"); - foreach($domain_aliases as $entry) { - $params = array( - 'server_id' => $server_id, - 'domain' => $entry['name'], - 'type' => 'alias', - 'parent_domain_id' => $domain_ids[$entry['dom_id']], - 'redirect_type' => '', - 'redirect_path' => '', - 'subdomain' => 'www', - 'active' => yes_no(($entry['status'] == 0 && $entry['web'] === 'true') ? 1 : 0) - ); - - $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = '" . $entry['name'] . "'"); - if(!$old_domain) $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE CONCAT(subdomain, '.', domain) = '" . $entry['name'] . "'"); - if($old_domain) { - $new_id = $old_domain['domain_id']; - $params = array_merge($old_domain, $params); - $msg .= "Found domain with id " . $new_id . ", updating it.
"; - $ok = $importer->sites_web_aliasdomain_update($session_id, $plesk_ispc_ids[$domain_owners[$entry['dom_id']]], $new_id, $params); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->sites_web_aliasdomain_add($session_id, $plesk_ispc_ids[$domain_owners[$entry['dom_id']]], $params); - } - - if($new_id === false) { - //something went wrong here... - $msg .= "Aliasdomain " . $entry['id'] . " (" . $entry['name'] . ") could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Aliasdomain " . $entry['id'] . " (" . $entry['name'] . ") inserted.
"; - } - - // add alias to mail domains, too - $params = array( - 'server_id' => $server_id, - 'domain' => $entry['name'], - 'active' => yes_no(($entry['status'] == 0 && $entry['mail'] === 'true') ? 1 : 0) - ); - - $old_domain = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = '" . $entry['name'] . "'"); - if($old_domain) { - $new_id = $old_domain['domain_id']; - $params = array_merge($old_domain, $params); - $msg .= "Found mail domain with id " . $new_id . ", updating it.
"; - $ok = $importer->mail_domain_update($session_id, $plesk_ispc_ids[$domain_owners[$entry['dom_id']]], $new_id, $params); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->mail_domain_add($session_id, $plesk_ispc_ids[$domain_owners[$entry['dom_id']]], $params); - } - - $maildomain_ids[$entry['id']] = $new_id; - if($new_id === false) { - //something went wrong here... - $msg .= "Aliasmaildomain " . $entry['id'] . " (" . $entry['name'] . ") could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Aliasmaildomain " . $entry['id'] . " (" . $entry['name'] . ") inserted.
"; - } - } - - $subdomain_ids = array(); - $subdomain_roots = array(); - $subdomain_owners = array(); - - $subdomains = $exdb->queryAllRecords("SELECT d.id, d.cr_date, d.name, d.displayName, d.dns_zone_id, d.status, d.htype, d.real_size, d.cl_id, d.limits_id, d.params_id, d.guid, d.overuse, d.gl_filter, d.vendor_id, d.webspace_id, d.webspace_status, d.permissions_id, d.external_id, d.parentDomainId FROM domains as d WHERE d.parentDomainId != 0"); - foreach($subdomains as $entry) { - $res = $exdb->query("SELECT d.dom_id, d.param, d.val FROM dom_param as d WHERE d.dom_id = '" . $entry['id'] . "'"); - $options = array(); - while($opt = $exdb->nextRecord()) { - $options[$opt['param']] = $opt['val']; - } - - $parent_domain = $exdb->queryOneRecord("SELECT d.id, d.cl_id, d.name FROM domains as d WHERE d.id = '" . $entry['parentDomainId'] . "'"); - $redir_type = ''; - $redir_path = ''; - - if($entry['htype'] === 'std_fwd') { - // redirection - $redir = $exdb->queryOneRecord("SELECT f.dom_id, f.ip_address_id, f.redirect FROM forwarding as f WHERE f.dom_id = '" . $entry['id'] . "'"); - $redir_type = 'R,L'; - $redir_path = $redir['redirect']; - } elseif($entry['htype'] === 'vrt_hst') { - // default virtual hosting (vhost) - } else { - /* TODO: unknown type */ - } - - $hosting = $exdb->queryOneRecord("SELECT h.dom_id, h.sys_user_id, h.ip_address_id, h.real_traffic, h.fp, h.fp_ssl, h.fp_enable, h.fp_adm, h.fp_pass, h.ssi, h.php, h.cgi, h.perl, h.python, h.fastcgi, h.miva, h.coldfusion, h.asp, h.asp_dot_net, h.ssl, h.webstat, h.same_ssl, h.traffic_bandwidth, h.max_connection, h.php_handler_type, h.www_root, h.maintenance_mode, h.certificate_id, s.login, s.account_id, s.home, s.shell, s.quota, s.mapped_to, a.password, a.type as `pwtype` FROM hosting as h LEFT JOIN sys_users as s ON (s.id = h.sys_user_id) LEFT JOIN accounts as a ON (s.account_id = a.id) WHERE h.dom_id = '" . $entry['id'] . "'"); - if($hosting['sys_user_id']) { - $dom_ftp_users[] = array('id' => 0, - 'dom_id' => $hosting['dom_id'], - 'sys_user_id' => $hosting['sys_user_id'], - 'login' => $hosting['login'], - 'account_id' => $hosting['account_id'], - 'home' => $hosting['home'], - 'shell' => $hosting['shell'], - 'quota' => $hosting['quota'], - 'mapped_to' => $hosting['mapped_to'], - 'password' => $hosting['password'], - 'pwtype' => $hosting['pwtype'] - ); - } - - $phpmode = 'no'; - if(get_option($hosting, 'php', 'false') === 'true') { - $mode = get_option($hosting, 'php_handler_type', 'module'); - if($mode === 'module') $phpmode = 'mod'; - else $phpmode = 'fast-cgi'; - /* TODO: what other options could be in "php_handler_type"? */ - } - /* TODO: plesk offers some more options: - * sys_user_id -> owner of files? - * ip_address_id - needed? - * fp - frontpage extensions - * miva - ? - * coldfusion - * asp - * asp_dot_net - * traffic_bandwidth - * max_connections - */ - - $web_folder = $hosting['www_root']; - $web_folder = preg_replace('/^\/(var|srv)\/www\/(vhosts\/)?[^\/]+\/(.*)\/httpdocs.*/', '$3', $web_folder); - - //if(substr($web_folder, 0, 1) === '/') $web_folder = substr($web_folder, 1); - //if(substr($web_folder, -1, 1) === '/') $web_folder = substr($web_folder, 0, -1); - $params = array( - 'server_id' => $server_id, - 'ip_address' => '*', - //'ipv6_address' => '', - 'domain' => $entry['name'], - 'web_folder' => $web_folder, - 'type' => 'vhostsubdomain', // can be vhost or alias - 'parent_domain_id' => $domain_ids[$entry['parentDomainId']], - 'vhost_type' => 'name', // or ip (-based) - 'hd_quota' => byte_to_mbyte(get_limit($limits, $entry['dom_id'], 'disk_space', -1)), - 'traffic_quota' => byte_to_mbyte(get_limit($limits, $entry['dom_id'], 'max_traffic', -1)), - 'cgi' => yes_no(get_option($hosting, 'cgi', 'false') === 'true' ? 1 : 0), - 'ssi' => yes_no(get_option($hosting, 'ssi', 'false') === 'true' ? 1 : 0), - 'suexec' => yes_no(1), // does plesk use this?! - 'errordocs' => get_option($options, 'apacheErrorDocs', 'false') === 'true' ? 1 : 0, - 'subdomain' => '', // plesk always uses this option - 'ssl' => yes_no(get_option($hosting, 'ssl', 'false') === 'true' ? 1 : 0), - 'php' => $phpmode, - 'fastcgi_php_version' => '', // plesk has no different php versions - 'ruby' => yes_no(0), // plesk has no ruby support - 'python' => yes_no(get_option($hosting, 'python', 'false') === 'true' ? 1 : 0), - 'active' => yes_no(($entry['status'] == 0 && get_option($hosting, 'maintenance_mode', 'false') !== 'true') ? 1 : 0), - 'redirect_type' => $redir_type, - 'redirect_path' => $redir_path, - 'seo_redirect' => '', - 'ssl_state' => $entry[''], - 'ssl_locality' => $entry[''], - 'ssl_organisation' => $entry[''], - 'ssl_organisation_unit' => $entry[''], - 'ssl_country' => $entry[''], - 'ssl_domain' => $entry[''], - 'ssl_request' => $entry[''], - 'ssl_cert' => $entry[''], - 'ssl_bundle' => $entry[''], - 'ssl_action' => $entry[''], - 'stats_password' => '', - 'stats_type' => get_option($hosting, 'webstat', 'webalizer') === 'awstats' ? 'awstats' : 'webalizer', - 'backup_interval' => 'none', - 'backup_copies' => 1, - 'allow_override' => 'All', - 'pm_process_idle_timeout' => 10, - 'pm_max_requests' => 0 - ); - - $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = '" . $entry['name'] . "'"); - if(!$old_domain) $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE CONCAT(subdomain, '.', domain) = '" . $entry['name'] . "'"); - if($old_domain) { - $new_id = $old_domain['domain_id']; - $params = array_merge($old_domain, $params); - $msg .= "Found domain " . $entry['name'] . " with id " . $new_id . ", updating it.
"; - $ok = $importer->sites_web_vhost_subdomain_update($session_id, $plesk_ispc_ids[$parent_domain['cl_id']], $new_id, $params); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->sites_web_vhost_subdomain_add($session_id, $plesk_ispc_ids[$parent_domain['cl_id']], $params, true); // read only... - } - - $subdomain_ids[$entry['id']] = $new_id; - $subdomain_roots[$entry['id']] = $hosting['www_root']; - $subdomain_owners[$entry['id']] = $entry['cl_id']; - if($new_id === false) { - //something went wrong here... - $msg .= "Subdomain " . $entry['id'] . " (" . $entry['name'] . ") with folder \"" . $web_folder . "\" could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Subdomain " . $entry['id'] . " (" . $entry['name'] . ") inserted.
"; - - $cmd_data = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = '" . $new_id . "'"); - $path = $cmd_data['document_root']; - add_command('chattr -i ' . escapeshellarg($path)); - add_command('if [[ -f ' . $path . '/' . $web_folder . '/index.html ]] ; then rm ' . $path . '/' . $web_folder . '/index.html ; fi'); - add_command('rsync -av --modify-window 10 --progress -e ssh root@${MYSERVER}:' . $hosting['www_root'] . '/ ' . $path . '/' . $web_folder . '/'); - add_command('chown -R ' . $cmd_data['system_user'] . ':' . $cmd_data['system_group'] . ' ' . escapeshellarg($path)); - add_command('grep ' . escapeshellarg($hosting['www_root']) . ' ' . $path . '/web -r -l | xargs replace ' . escapeshellarg($hosting['www_root']) . ' ' . escapeshellarg($path . '/web') . ' --'); - add_command('chown -R root:root ' . escapeshellarg($path . '/log') . ' ' . escapeshellarg($path . '/ssl') . ' ' . escapeshellarg($path . '/web/stats')); - add_command('chattr +i ' . escapeshellarg($path)); - - } - $domain_ids[$entry['id']] = $new_id; - } - - // subdomains in plesk are real vhosts, so we have to treat them as vhostsubdomains - $subdomains = $exdb->queryAllRecords("SELECT d.id, d.dom_id, d.name, d.displayName, d.sys_user_id, d.ssi, d.php, d.cgi, d.perl, d.python, d.fastcgi, d.miva, d.coldfusion, d.asp, d.asp_dot_net, d.ssl, d.same_ssl, d.php_handler_type, d.www_root, d.maintenance_mode, d.certificate_id FROM subdomains as d"); - foreach($subdomains as $entry) { - $res = $exdb->query("SELECT d.dom_id, d.param, d.val FROM dom_param as d WHERE d.dom_id = '" . $entry['dom_id'] . "'"); - $options = array(); - while($opt = $res->get()) { - $options[$opt['param']] = $opt['val']; - } - - $parent_domain = $exdb->queryOneRecord("SELECT d.id, d.cl_id, d.name FROM domains as d WHERE d.id = '" . $entry['dom_id'] . "'"); - - /* TODO: options that might be used later: - * OveruseBlock true/false - * OveruseNotify true/false - * OveruseSuspend true/false - * wu_script true/false (webusers allowed to use scripts?) - * webmail string (webmailer used - horde) - */ - - $redir_type = ''; - $redir_path = ''; - - if($entry['htype'] === 'std_fwd') { - // redirection - $redir = $exdb->queryOneRecord("SELECT f.dom_id, f.ip_address_id, f.redirect FROM forwarding as f WHERE f.dom_id = '" . $entry['id'] . "'"); - $redir_type = 'R,L'; - $redir_path = $redir['redirect']; - } elseif($entry['htype'] === 'vrt_hst') { - // default virtual hosting (vhost) - } else { - /* TODO: unknown type */ - } - - $hosting = $exdb->queryOneRecord("SELECT h.dom_id, h.sys_user_id, h.ip_address_id, h.real_traffic, h.fp, h.fp_ssl, h.fp_enable, h.fp_adm, h.fp_pass, h.ssi, h.php, h.cgi, h.perl, h.python, h.fastcgi, h.miva, h.coldfusion, h.asp, h.asp_dot_net, h.ssl, h.webstat, h.same_ssl, h.traffic_bandwidth, h.max_connection, h.php_handler_type, h.www_root, h.maintenance_mode, h.certificate_id FROM hosting as h WHERE h.dom_id = '" . $entry['dom_id'] . "'"); - $hosting = array_merge($hosting, $entry); //settings from subdomain override parent settings - - $phpmode = 'no'; - if(get_option($hosting, 'php', 'false') === 'true') { - $mode = get_option($hosting, 'php_handler_type', 'module'); - if($mode === 'module') $phpmode = 'mod'; - else $phpmode = 'fast-cgi'; - /* TODO: what other options could be in "php_handler_type"? */ - } - /* TODO: plesk offers some more options: - * sys_user_id -> owner of files? - * ip_address_id - needed? - * fp - frontpage extensions - * miva - ? - * coldfusion - * asp - * asp_dot_net - * traffic_bandwidth - * max_connections - */ - - $web_folder = $entry['www_root']; - $web_folder = preg_replace('/^\/(var|srv)\/www\/(vhosts\/)?[^\/]+\/(.*)\/httpdocs.*/', '$3', $web_folder); - - $params = array( - 'server_id' => $server_id, - 'ip_address' => '*', - //'ipv6_address' => '', - 'domain' => $entry['name'] . '.' . $parent_domain['name'], - 'web_folder' => $web_folder, - 'type' => 'vhostsubdomain', // can be vhost or alias - 'parent_domain_id' => $domain_ids[$entry['dom_id']], - 'vhost_type' => 'name', // or ip (-based) - 'hd_quota' => byte_to_mbyte(get_limit($limits, $entry['dom_id'], 'disk_space', -1)), - 'traffic_quota' => byte_to_mbyte(get_limit($limits, $entry['dom_id'], 'max_traffic', -1)), - 'cgi' => yes_no(get_option($hosting, 'cgi', 'false') === 'true' ? 1 : 0), - 'ssi' => yes_no(get_option($hosting, 'ssi', 'false') === 'true' ? 1 : 0), - 'suexec' => yes_no(1), // does plesk use this?! - 'errordocs' => get_option($options, 'apacheErrorDocs', 'false') === 'true' ? 1 : 0, - 'subdomain' => '', // plesk always uses this option - 'ssl' => yes_no(get_option($hosting, 'ssl', 'false') === 'true' ? 1 : 0), - 'php' => $phpmode, - 'fastcgi_php_version' => '', // plesk has no different php versions - 'ruby' => yes_no(0), // plesk has no ruby support - 'python' => yes_no(get_option($hosting, 'python', 'false') === 'true' ? 1 : 0), - 'active' => yes_no(($entry['status'] == 0 && get_option($hosting, 'maintenance_mode', 'false') !== 'true') ? 1 : 0), - 'redirect_type' => $redir_type, - 'redirect_path' => $redir_path, - 'seo_redirect' => '', - 'ssl_state' => $entry[''], - 'ssl_locality' => $entry[''], - 'ssl_organisation' => $entry[''], - 'ssl_organisation_unit' => $entry[''], - 'ssl_country' => $entry[''], - 'ssl_domain' => $entry[''], - 'ssl_request' => $entry[''], - 'ssl_cert' => $entry[''], - 'ssl_bundle' => $entry[''], - 'ssl_action' => $entry[''], - 'stats_password' => '', - 'stats_type' => get_option($hosting, 'webstat', 'webalizer') === 'awstats' ? 'awstats' : 'webalizer', - 'backup_interval' => 'none', - 'backup_copies' => 1, - 'allow_override' => 'All', - 'pm_process_idle_timeout' => 10, - 'pm_max_requests' => 0 - ); - - $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain = '" . $entry['name'] . '.' . $parent_domain['name'] . "'"); - if(!$old_domain) $old_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE CONCAT(subdomain, '.', domain) = '" . $entry['name'] . "'"); - if($old_domain) { - $new_id = $old_domain['domain_id']; - $params = array_merge($old_domain, $params); - $msg .= "Found domain with id " . $new_id . ", updating it.
"; - $ok = $importer->sites_web_vhost_subdomain_update($session_id, $plesk_ispc_ids[$parent_domain['cl_id']], $new_id, $params); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->sites_web_vhost_subdomain_add($session_id, $plesk_ispc_ids[$parent_domain['cl_id']], $params, true); // read only... - } - - $subdomain_ids[$entry['id']] = $new_id; - $subdomain_roots[$entry['id']] = $entry['www_root']; - $subdomain_owners[$entry['id']] = $entry['cl_id']; - if($new_id === false) { - //something went wrong here... - $msg .= "Subdomain " . $entry['id'] . " (" . $entry['name'] . ") could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Subdomain " . $entry['id'] . " (" . $entry['name'] . ") inserted.
"; - - $cmd_data = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = '" . $new_id . "'"); - $path = $cmd_data['document_root']; - add_command('chattr -i ' . escapeshellarg($path)); - add_command('if [[ -f ' . $path . '/' . $web_folder . '/index.html ]] ; then rm ' . $path . '/' . $web_folder . '/index.html ; fi'); - add_command('rsync -av --modify-window 10 --progress -e ssh root@${MYSERVER}:' . $entry['www_root'] . '/ ' . $path . '/' . $web_folder . '/'); - add_command('chown -R ' . $cmd_data['system_user'] . ':' . $cmd_data['system_group'] . ' ' . escapeshellarg($path)); - add_command('chown -R root:root ' . escapeshellarg($path . '/log') . ' ' . escapeshellarg($path . '/ssl') . ' ' . escapeshellarg($path . '/web/stats')); - add_command('chattr +i ' . escapeshellarg($path)); - } - } - - // dns have to be done AFTER domains due to missing client info - /* - $dns_zone_ids = array(); - $dns_zone_serials = array(); - $dns_zones = $exdb->queryAllRecords("SELECT d.id, d.name, d.displayName, d.status, d.email, d.type, d.ttl, d.ttl_unit, d.refresh, d.refresh_unit, d.retry, d.retry_unit, d.expire, d.expire_unit, d.minimum, d.minimum_unit, d.serial_format, d.serial FROM dns_zone as d"); - foreach($dns_zones as $entry) { - $ns = $exdb->queryOneRecord("SELECT d.id, d.val FROM dns_recs as d WHERE d.dns_zone_id = '" . $entry['id'] . "' AND d.type = 'NS'"); - if(!$ns) $ns = array('id' => 0, 'val' => 'ns.' . $entry['name']); - - $dom_id = $dns_domain_ids[$entry['id']]; - $client_id = $plesk_ispc_ids[$domain_owners[$entry['dom_id']]]; - if(!$client_id) $client_id = 0; - - $params = array( - 'server_id' => $server_id, - 'origin' => add_dot($entry['name']), // what to put here? - 'ns' => add_dot($ns['val']), // what to put here? - 'mbox' => str_replace('@', '.', add_dot($entry['email'])), - 'serial' => $entry['serial'], - 'refresh' => $entry['refresh'], - 'retry' => $entry['retry'], - 'expire' => $entry['expire'], - 'minimum' => $entry['minimum'], - 'ttl' => $entry['ttl'], - 'xfer' => '', - 'also_notify' => '', - 'update_acl' => '', - 'active' => yes_no(($entry['status'] == 0 ? 1 : 0)) - ); - - $old_dns = $app->db->queryOneRecord("SELECT id FROM dns_soa WHERE origin = '" . add_dot($entry['name']) . "'"); - if($old_dns) $old_id = $old_dns['id']; - if($old_id) { - $new_id = $old_id; - $ok = $importer->dns_zone_update($session_id, $client_id, $old_id, $params); - /if($ok === false) { - // $msg .= "DNS " . $entry['id'] . " (" . $entry['name'] . ") could not be updated.
"; - // $msg .= "  Error: " . $importer->getFault() . "
"; - //} else { - $msg .= "DNS " . $entry['id'] . " (" . $entry['name'] . ") updated.
"; - //} - } else { - $new_id = $importer->dns_zone_add($session_id, $client_id, $params); - if($new_id === false) { - //something went wrong here... - $msg .= "DNS " . $entry['id'] . " (" . $entry['name'] . ") could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "DNS " . $entry['id'] . " (" . $entry['name'] . ") inserted.
"; - } - } - $dns_zone_ids[$entry['id']] = $new_id; - $dns_zone_serials[$entry['id']] = $entry['serial']; - } - unset($dns_zones); - */ - /* types: - * PTR, NS, A, CNAME, MX, TXT, AAAA - *//* - $dns_records = $exdb->queryAllRecords("SELECT d.id, d.dns_zone_id, d.type, d.displayHost, d.host, d.displayVal, d.val, d.opt, d.time_stamp FROM dns_recs as d"); - foreach($dns_records as $entry) { - $dns_id = (array_key_exists($entry['dns_zone_id'], $dns_zone_ids) ? $dns_zone_ids[$entry['dns_zone_id']] : 0); - if(!$dns_id) { - // entry for missing dns zone...? - continue; - } - - $dom_id = $dns_domain_ids[$entry['dns_zone_id']]; - $client_id = $plesk_ispc_ids[$domain_owners[$entry['dom_id']]]; - if(!$client_id) $client_id = 0; - - $params = array( - 'server_id' => $server_id, - 'zone' => $dns_id, - 'name' => add_dot($entry['host']), - 'type' => $entry['type'], - 'data' => $entry['val'], - //'ttl' => '', - 'active' => yes_no(1), - 'stamp' => $entry['time_stamp'], - //'serial' => $dns_zone_serials[$entry['id']] - ); - - - $record = $app->db->queryOneRecord("SELECT id FROM dns_rr WHERE zone = '" . $dns_zone_ids[$entry['dns_zone_id']] . "' AND name = '" . add_dot($entry['host']) . "' AND type = '" . $entry['type'] . "'"); - $old_id = 0; - if($record) { - $old_id = $record['id']; - } - - $new_id = false; - if($entry['type'] === 'MX') { - $params['aux'] = $entry['opt']; - if($old_id) { - $ok = $importer->dns_mx_update($session_id, $client_id, $old_id, $params); - if($ok !== false) $new_id = $old_id; - } else { - $new_id = $importer->dns_mx_add($session_id, $client_id, $params); - } - } elseif($entry['type'] === 'PTR') { - if($old_id) { - $ok = $importer->dns_ptr_update($session_id, $client_id, $old_id, $params); - if($ok !== false) $new_id = $old_id; - } else { - $new_id = $importer->dns_ptr_add($session_id, $client_id, $params); - } - } elseif($entry['type'] === 'A') { - if($old_id) { - $ok = $importer->dns_a_update($session_id, $client_id, $old_id, $params); - if($ok !== false) $new_id = $old_id; - } else { - $new_id = $importer->dns_a_add($session_id, $client_id, $params); - } - } elseif($entry['type'] === 'AAAA') { - if($old_id) { - $ok = $importer->dns_aaaa_update($session_id, $client_id, $old_id, $params); - if($ok !== false) $new_id = $old_id; - } else { - $new_id = $importer->dns_aaaa_add($session_id, $client_id, $params); - } - } elseif($entry['type'] === 'TXT') { - if($old_id) { - $ok = $importer->dns_txt_update($session_id, $client_id, $old_id, $params); - if($ok !== false) $new_id = $old_id; - } else { - $new_id = $importer->dns_txt_add($session_id, $client_id, $params); - } - } elseif($entry['type'] === 'CNAME') { - if($old_id) { - $ok = $importer->dns_cname_update($session_id, $client_id, $old_id, $params); - if($ok !== false) $new_id = $old_id; - } else { - $new_id = $importer->dns_cname_add($session_id, $client_id, $params); - } - } elseif($entry['type'] === 'NS') { - if($old_id) { - $ok = $importer->dns_ns_update($session_id, $client_id, $old_id, $params); - if($ok !== false) $new_id = $old_id; - } else { - $new_id = $importer->dns_ns_add($session_id, $client_id, $params); - } - } - if($new_id === false) { - //something went wrong here... - $msg .= "DNS " . $entry['id'] . " (" . $entry['name'] . ") could not be inserted/updated.
"; - $msg .= "  Error: " . $importer->getFault() . "
" . var_export($params, true) . '
'; - } else { - $msg .= "DNS " . $entry['id'] . " (" . $entry['name'] . ") inserted/updated.
"; - } - - } - unset($dns_records); - */ - - $folder_ids = array(); - /* web_folder creation*/ - $protected_dirs = $exdb->queryAllRecords("SELECT `id`, `non_ssl`, `ssl`, `cgi_bin`, `realm`, `path`, `dom_id` FROM protected_dirs"); - foreach($protected_dirs as $entry) { - if($entry['path'] == 'plesk-stat') continue; - - $params = array('server_id' => $server_id, - 'parent_domain_id' => $domain_ids[$entry['dom_id']], - 'path' => $entry['path'], - 'active' => 'y'); - - $client_id = $plesk_ispc_ids[$domain_owners[$entry['dom_id']]]; - - $folder_id = 0; - $check = $app->db->queryOneRecord('SELECT * FROM `web_folder` WHERE `parent_domain_id` = \'' . $domain_ids[$entry['dom_id']] . '\' AND `path` = \'' . $app->db->quote($entry['path']) . '\''); - if($check) { - $ok = $importer->sites_web_folder_update($session_id, $client_id, $check['web_folder_id'], array_merge($check, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - $folder_id = $check['web_folder_id']; - $msg .= 'Updated HTTP AUTH folder (' . $folder_id . '): ' . $entry['path'] . '
'; - } else { - $folder_id = $importer->sites_web_folder_add($session_id, $client_id, $params); - $msg .= 'Created HTTP AUTH folder (' . $folder_id . '): ' . $entry['path'] . '
'; - if(!$folder_id) $msg .= "  Error: " . $importer->getFault() . "
" . var_export($params, true) . '
'; - } - - $folder_ids[$entry['id']] = $folder_id; - } - - $pd_users = $exdb->queryAllRecords("SELECT u.id, u.login, u.account_id, u.pd_id, a.password, d.dom_id FROM pd_users as u INNER JOIN protected_dirs as d ON (d.id = u.pd_id) INNER JOIN accounts as a ON (a.id = u.account_id)"); - foreach($pd_users as $entry) { - $params = array('server_id' => $server_id, - 'web_folder_id' => $folder_ids[$entry['pd_id']], - 'username' => $entry['login'], - 'password' => $entry['password'], - 'active' => 'y'); - if($entry['login'] == '' || !isset($folder_ids[$entry['pd_id']])) { - $msg .= 'Skipping Folder user because of missing data.
'; - continue; - } - $client_id = $plesk_ispc_ids[$domain_owners[$entry['dom_id']]]; - - $check = $app->db->queryOneRecord('SELECT * FROM `web_folder_user` WHERE `web_folder_id` = ' . intval($folder_ids[$entry['pd_id']]) . ' AND `username` = \'' . $entry['login'] . '\''); - if($check) { - $ok = $importer->sites_web_folder_user_update($session_id, $client_id, $check['web_folder_user_id'], array_merge($check, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - $msg .= 'Updated HTTP AUTH folder user (' . $fu_id . '): ' . $entry['login'] . '
'; - } else { - $fu_id = $importer->sites_web_folder_user_add($session_id, $client_id, $params); - $msg .= 'Created HTTP AUTH folder user (' . $fu_id . '): ' . $entry['login'] . '
'; - if(!$fu_id) $msg .= "  Error: " . $importer->getFault() . "
" . var_export($params, true) . '
'; - } - } - - /*$web_users = $exdb->queryAllRecords("SELECT id, dom_id, sys_user_id, ssi, php, cgi, perl, python, fastcgi, asp, asp_dot_net FROM web_users"); - foreach($web_users as $entry) { - $params = - } - */ - - - $ftp_users = $exdb->queryAllRecords("SELECT f.id, f.dom_id, f.sys_user_id, s.login, s.account_id, s.home, s.shell, s.quota, s.mapped_to, a.password, a.type as `pwtype` FROM ftp_users as f INNER JOIN sys_users as s ON (s.id = f.sys_user_id) INNER JOIN accounts as a ON (a.id = s.account_id)"); - $ftp_users = array_merge($ftp_users, $dom_ftp_users); - foreach($ftp_users as $entry) { - $parent_domain = $exdb->queryOneRecord("SELECT d.id, d.cl_id, d.name FROM domains as d WHERE d.id = '" . $entry['dom_id'] . "'"); - if(!$entry['id']) continue; - $ispc_dom_id = $domain_ids[$entry['dom_id']]; - $client_id = $plesk_ispc_ids[$domain_owners[$entry['dom_id']]]; - if(!$client_id) $client_id = 0; - - $document_root = str_replace("[website_id]", $ispc_dom_id, $web_config["website_path"]); - $document_root = str_replace("[website_idhash_1]", id_hash($ispc_dom_id, 1), $document_root); - $document_root = str_replace("[website_idhash_2]", id_hash($ispc_dom_id, 1), $document_root); - $document_root = str_replace("[website_idhash_3]", id_hash($ispc_dom_id, 1), $document_root); - $document_root = str_replace("[website_idhash_4]", id_hash($ispc_dom_id, 1), $document_root); - - // Set the values for document_root, system_user and system_group - $system_user = 'web'.$ispc_dom_id; - $system_group = 'client'.$client_id; - $document_root = str_replace("[client_id]", $client_id, $document_root); - $document_root = str_replace("[client_idhash_1]", id_hash($client_id, 1), $document_root); - $document_root = str_replace("[client_idhash_2]", id_hash($client_id, 2), $document_root); - $document_root = str_replace("[client_idhash_3]", id_hash($client_id, 3), $document_root); - $document_root = str_replace("[client_idhash_4]", id_hash($client_id, 4), $document_root); - - $uid = $system_user; - $gid = $system_group; - - $sys_grp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = '" . $client_id . "'"); - if(!$sys_grp) $sys_grp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = 0"); - - if(!$sys_grp) $sys_groupid = 1; - else $sys_groupid = $sys_grp['groupid']; - - $params = array( - 'server_id' => $server_id, - 'parent_domain_id' => $domain_ids[$entry['dom_id']], - 'username' => $entry['login'], - 'password' => $entry['password'], - 'quota_size' => byte_to_mbyte(($entry['quota'] == 0 ? -1 : $entry['quota'])), - 'active' => yes_no(1), - 'uid' => $uid, - 'gid' => $gid, - 'dir' => $document_root . (substr($document_root, -1) !== '/' ? '/' : ''), - 'sys_groupid' => $sys_groupid - //'quota_files' => $entry[''], - //'ul_ratio' => $entry[''], - //'dl_ratio' => $entry[''], - //'ul_bandwidth' => $entry[''], - //'dl_bandwidth' => $entry[''] - ); - $new_id = false; - $old_ftp = $app->db->queryOneRecord("SELECT ftp_user_id, parent_domain_id FROM ftp_user WHERE username = '" . $entry['login'] ."'"); - if($old_ftp) { - if($old_ftp['parent_domain_id'] != $domain_ids[$entry['dom_id']]) { - $msg .= "FTP Account conflicts with other domain!
"; - } else { - $new_id = $old_ftp['ftp_user_id']; - $ok = $importer->sites_ftp_user_update($session_id, $client_id, $new_id, array_merge($old_ftp, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } - } else { - $new_id = $importer->sites_ftp_user_add($session_id, $client_id, $params); - } - if($new_id === false) { - //something went wrong here... - $msg .= "FTP " . $entry['id'] . " (" . $entry['login'] . ") could not be inserted.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - $msg .= "Params: " . var_export($params, true) . "
"; - } else { - $msg .= "FTP Account " . $entry['id'] . " (" . $entry['login'] . ") inserted.
"; - } - } - - $mail_config = $app->getconf->get_server_config($server_id, 'mail'); - - $mail_addresses = $exdb->queryAllRecords("SELECT m.id, m.mail_name, m.perm_id, m.postbox, m.account_id, m.redirect, m.redir_addr, m.mail_group, m.autoresponder, m.spamfilter, m.virusfilter, m.mbox_quota, m.dom_id, m.userId, a.password, a.type as `pwtype` FROM mail as m LEFT JOIN accounts as a ON (a.id = m.account_id) "); - $mail_ids = array(); - foreach($mail_addresses as $entry) { - - $parent_domain = $exdb->queryOneRecord("SELECT d.id, d.cl_id, d.name FROM domains as d WHERE d.id = '" . $entry['dom_id'] . "'"); - if(!$parent_domain) { - $msg .= "Could not insert/update mail address " . $entry['mail_name'] . " as domain is missing.
"; - continue; - } - - /* postbox true/false - * mail_group true/false - * spamfilter true/false - */ - - - $has_responder = false; - if($entry['autoresponder'] === 'true') { - $responder = $exdb->queryOneRecord("SELECT id, mn_id, resp_name, keystr, key_where, subject, reply_to, content_type, charset, text, resp_on, ans_freq, mem_limit FROM mail_resp WHERE mn_id = '" . $entry['id'] . "'"); - if($responder) $has_responder = true; - } - - $maildir = str_replace("[domain]", $parent_domain["name"], $mail_config["maildir_path"]); - $maildir = str_replace("[localpart]", strtolower($entry["mail_name"]), $maildir); - - - $params = array( - 'server_id' => $server_id, - 'email' => $entry['mail_name'] . "@" . $parent_domain['name'], - 'login' => strtolower($entry['mail_name'] . "@" . $parent_domain['name']), - 'password' => $entry['password'], - 'name' => $entry[''], - 'quota' => ($entry['mbox_quota'] == -1 ? 0 : $entry['mbox_quota']), // in bytes! - 'cc' => $entry['redir_addr'], - 'maildir' => $maildir, - 'homedir' => $mail_config["homedir_path"], - 'uid' => $mail_config["mailuser_uid"], - 'gid' => $mail_config["mailuser_gid"], - 'postfix' => yes_no(1), - 'disableimap' => yes_no(0), - 'disablepop3' => yes_no(0), - 'autoresponder_subject' => ($has_responder ? $responder['subject'] : ''), - 'autoresponder_text' => ($has_responder ? $responder['text'] : ''), - 'autoresponder' => yes_no($has_responder ? 1 : 0), - 'autoresponder_start_date' => ($has_responder && $responder['resp_on'] === 'true' ? strftime('%Y-%m-%d', time()) : strftime('%Y-%m-%d', time() - (3600*24))), - 'autoresponder_end_date' => ($has_responder && $responder['resp_on'] === 'true' ? strftime('%Y-%m-%d', time() + (3600*24*365)) : strftime('%Y-%m-%d', time())), - 'move_junk' => yes_no(0) - ); - $client_id = $plesk_ispc_ids[$domain_owners[$entry['dom_id']]]; - - // if this is no postbox we do not need to create a mailuser - if($entry['postbox'] !== 'false') { - $old_mail = $app->db->queryOneRecord("SELECT mailuser_id FROM mail_user WHERE email = '" . $entry['mail_name'] . "@" . $parent_domain['name'] . "'"); - if($old_mail) { - $new_id = $old_mail['mailuser_id']; - $ok = $importer->mail_user_update($session_id, $client_id, $new_id, array_merge($old_mail, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->mail_user_add($session_id, $client_id, $params); - } - - if($new_id === false) { - //something went wrong here... - $msg .= "Mail" . $entry['id'] . " (" . $entry['mail_name'] . "@" . $parent_domain['name'] . ") could not be inserted/updated.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Mail " . $entry['id'] . " (" . $entry['mail_name'] . "@" . $parent_domain['name'] . ") inserted/updated.
"; - - add_command('rsync -av --delete-after --modify-window 10 --progress -e ssh root@${MYSERVER}:/var/qmail/mailnames/' . $parent_domain['name'] . '/' . strtolower($entry['mail_name']) . '/Maildir/ ' . $maildir . '/Maildir/'); - add_command('chown -R vmail:vmail ' . $maildir); - add_command('chmod 744 ' . $maildir . '/Maildir/subscriptions'); - add_command('chmod 600 ' . $maildir . '/Maildir/dovecot-*'); - add_command('chmod 700 ' . $maildir . '/Maildir/cur ' . $maildir . '/Maildir/new ' . $maildir . '/Maildir/tmp'); - add_command('chmod 600 ' . $maildir . '/Maildir/cur/* ' . $maildir . '/Maildir/new/* ' . $maildir . '/Maildir/tmp/*'); - } - $mail_ids[$entry['id']] = $new_id; - } - - // select all redirs for this address - $mail_redir = $exdb->queryAllRecords("SELECT id, mn_id, address FROM mail_redir WHERE mn_id = '" . $entry['id'] . "'"); - foreach($mail_redir as $redir) { - $params = array( - 'server_id' => $server_id, - 'source' => $entry['mail_name'] . "@" . $parent_domain['name'], - 'destination' => $redir['address'], - 'type' => 'forward', // or forward - 'active' => yes_no(1) - ); - - $old_mail = $app->db->queryOneRecord("SELECT forwarding_id FROM mail_forwarding WHERE source = '" . $entry['mail_name'] . "@" . $parent_domain['name'] . "' AND destination = '" . $redir['address'] . "'"); - if($old_mail) { - $new_id = $old_mail['forwarding_id']; - $ok = $importer->mail_forward_update($session_id, $client_id, $new_id, array_merge($old_mail, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->mail_forward_add($session_id, $client_id, $params); - } - - if($new_id === false) { - //something went wrong here... - $msg .= "Mail redirect " . $entry['id'] . " (" . $entry['mail_name'] . "@" . $parent_domain['name'] . " to " . $redir['address'] . ") could not be inserted/updated.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Mail redirect " . $entry['id'] . " (" . $entry['mail_name'] . "@" . $parent_domain['name'] . " to " . $redir['address'] . ") inserted/updated.
"; - } - } - unset($mail_redir); - } - unset($mail_addresses); - - $mail_aliases = $exdb->queryAllRecords("SELECT a.id, a.mn_id, a.alias, m.dom_id, m.mail_name FROM mail_aliases as a INNER JOIN mail as m ON (m.id = a.mn_id)"); - foreach($mail_aliases as $entry) { - - $parent_domain = $exdb->queryOneRecord("SELECT d.id, d.cl_id, d.name FROM domains as d WHERE d.id = '" . $entry['dom_id'] . "'"); - if(!$parent_domain) { - $msg .= "Could not insert/update mail alias " . $entry['alias'] . " as domain is missing.
"; - continue; - } - - $params = array( - 'server_id' => $server_id, - 'source' => $entry['alias'] . "@" . $parent_domain['name'], - 'destination' => $entry['mail_name'] . "@" . $parent_domain['name'], - 'type' => 'alias', // or forward - 'active' => yes_no(1) - ); - $client_id = $plesk_ispc_ids[$domain_owners[$entry['dom_id']]]; - - $old_mail = $app->db->queryOneRecord("SELECT forwarding_id FROM mail_forwarding WHERE source = '" . $entry['alias'] . "@" . $parent_domain['name'] . "' AND destination = '" . $entry['mail_name'] . "@" . $parent_domain['name'] . "'"); - if($old_mail) { - $new_id = $old_mail['forwarding_id']; - $ok = $importer->mail_alias_update($session_id, $client_id, $new_id, array_merge($old_mail, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $new_id = $importer->mail_alias_add($session_id, $client_id, $params); - } - - if($new_id === false) { - //something went wrong here... - $msg .= "Mail alias " . $entry['id'] . " (" . $entry['alias'] . "@" . $parent_domain['name'] . ") could not be inserted/updated.
"; - $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $msg .= "Mail alias " . $entry['id'] . " (" . $entry['alias'] . "@" . $parent_domain['name'] . ") inserted/updated.
"; - } - } - unset($mail_aliases); - - //spamfilter // preferences = true/false, username = email address, can be *@* - //id, username, preferences - - //spamfilter_preferences - //prefid, spamfilter_id, preference, value - - - - //$client_traffic = $exdb->queryAllRecords("SELECT t.cl_id, t.date, t.http_in, t.http_out, t.ftp_in, t.ftp_out, t.smtp_in, t.smtp_out, t.pop3_imap_in, t.pop3_imap_out FROM ClientsTraffic as t"); - - $db_userids = array(); - - $db_users = $exdb->queryAllRecords("SELECT u.id, u.login, u.account_id, u.db_id, a.password, a.type as `pwtype`, d.dom_id FROM db_users as u INNER JOIN data_bases as d ON (d.id = u.db_id) LEFT JOIN accounts as a ON (a.id = u.account_id)"); - foreach($db_users as $db_user) { - // database user - $params = array('server_id' => $server_id, - 'database_user' => $db_user['login'], - 'database_password' => $db_user['password']); - - $client_id = $plesk_ispc_ids[$domain_owners[$db_user['dom_id']]]; - - $check = $app->db->queryOneRecord('SELECT * FROM `web_database_user` WHERE `database_user` = \'' . $app->db->quote($db_user['login']) . '\''); - $db_user_id = 0; - if($check) { - $ok = $importer->sites_database_user_update($session_id, $client_id, $check['database_user_id'], array_merge($check, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - $db_user_id = $check['database_user_id']; - } else { - $db_user_id = $importer->sites_database_user_add($session_id, $client_id, $params); - } - - if(!isset($db_userids[$db_user['db_id']])) $db_userids[$db_user['db_id']] = $db_user_id; - $msg .= 'Created / updated database user: ' . $db_user['login'] . '
'; - } - - add_command('# DATABASES'); - - $databases = $exdb->queryAllRecords("SELECT d.id, d.name, d.type, d.dom_id, d.db_server_id, d.default_user_id FROM `data_bases` as d"); - foreach($databases as $database) { - $params = array('server_id' => $server_id, - 'parent_domain_id' => $domain_ids[$database['dom_id']], - 'type' => 'mysql', - 'database_name' => $database['name'], - 'database_user_id' => $db_userids[$database['id']], - 'database_ro_user_id' => 0, - 'database_charset' => 'utf8', - 'remote_access' => 'n', - 'active' => 'y', - 'remote_ips' => ''); - - $client_id = $plesk_ispc_ids[$domain_owners[$database['dom_id']]]; - - $check = $app->db->queryOneRecord('SELECT * FROM `web_database` WHERE `database_name` = \'' . $app->db->quote($database['name']) . '\''); - if($check) { - $ok = $importer->sites_database_update($session_id, $client_id, $check['database_id'], array_merge($check, $params)); - if($ok === false) $msg .= "  Error: " . $importer->getFault() . "
"; - } else { - $importer->sites_database_add($session_id, $client_id, $params); - } - - add_command('for T in `mysql -u ${MYSQL_IMPORT_USER} -p${MYSQL_IMPORT_PASS} ' . $database['name'] . ' -e \'show tables\' | awk \'{ print $1}\' | grep -v \'^Tables\'` ; do echo "DROP TABLE \\`$T\\`" ; mysql -u ${MYSQL_IMPORT_USER} -p${MYSQL_IMPORT_PASS} ' . $database['name'] . ' -e "DROP TABLE \\`$T\\`" ; done'); - add_command('mysqldump -cCQ --quote-names --hex-blob -h ${MYSERVER} -u ${MYSQL_EXPORT_USER} -p${MYSQL_EXPORT_PASS} ' . $database['name'] . ' | mysql -D ' . $database['name'] . ' -u ${MYSQL_IMPORT_USER} -p${MYSQL_IMPORT_PASS}'); - - $msg .= 'Created / updated database: ' . $database['name'] . '
'; - } - - // do we need table disk_usage for import? i think we don't - - // name is domain name, displayName is including "Umlaute" - //$anon_ftp = $exdb->queryAllRecords("SELECT f.id, f.dom_id, f.max_conn, f.bandwidth, f.incoming, f.incoming_readable, f.incoming_subdirs, f.status, f.quota, f.display_login, f.login_text FROM anon_ftp as f"); - - - //DomainServices - //id, dom_id, type, status, parameters_id, ipCollectionId - - //DomainsTraffic - //dom_id, date, http_in, http_out, ftp_in, ftp_out, smtp_in, smtp_out, pop3_imap_in, pop3_imap_out - - - //IP_Adresses - //id, ip_address, mask, iface, ssl_certificate_id, default_domain_id, ftps, main, status - - //ip_pool - //id, ip_address_id, type - - /* TODO: - */ - //misc // needed? global settings - //param, val - - //Permissions - //id, permission, value - - //smb_users // pass is base64 encoded plaintext - //id, login, password, contactName, email, companyName, phone, fax, address, city, state, zip, country, creationDate, isBuiltIn, roleId, uuid, isLocked, authCookie, sessionId, externalId, ownerId, isDomainAdmin, additionalInfo, imNumber, imType, isLegacyUser - - /* TODO: - sys_users // mapped_to = parent_id - id, login, account_id, home, shell, quota, mapped_to - - */ - add_command('unset MYSERVER'); - add_command('unset MYSQL_EXPORT_USER'); - add_command('unset MYSQL_EXPORT_PASS'); - add_command('unset MYSQL_IMPORT_USER'); - add_command('unset MYSQL_IMPORT_PASS'); - add_command('# END'); - file_put_contents('/tmp/plesk_import_commands.sh', $COMMANDS); - } else { - $msg .= 'Connecting to external database failed!
'; - $msg .= $exdb->connect_error; - $msg .= substr($exdb->errorMessage, 0, 25); - - $error .= $exdb->errorMessage; - } - - //* restore db login details - /*$conf['db_host'] = $conf_bak['db_host']; - $conf['db_database'] = $conf_bak['db_database']; - $conf['db_user'] = $conf_bak['db_user']; - $conf['db_password'] = $conf_bak['db_password'];*/ - -} - -$app->tpl->setVar('msg', $msg); -$app->tpl->setVar('error', $error); - - -$app->tpl_defaults(); -$app->tpl->pparse(); - - -?> diff --git a/interface/web/tools/import_vpopmail.php b/interface/web/tools/import_vpopmail.php index 119bfb87aa..b5db9affb2 100644 --- a/interface/web/tools/import_vpopmail.php +++ b/interface/web/tools/import_vpopmail.php @@ -68,7 +68,7 @@ if(isset($_POST['db_hostname']) && $_POST['db_hostname'] != '') { $msg .= 'Databse connection succeeded
'; $local_server_id = intval($_POST['local_server_id']); - $tmp = $app->db->queryOneRecord("SELECT mail_server FROM server WHERE server_id = $local_server_id"); + $tmp = $app->db->queryOneRecord("SELECT mail_server FROM server WHERE server_id = ?", $local_server_id); if($tmp['mail_server'] == 1) { start_import(); @@ -106,15 +106,15 @@ function start_import() { foreach($records as $rec) { $pw_domain = $rec['pw_domain']; //* Check if we have a client with that username already - $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE username = '$pw_domain'"); + $tmp = $app->db->queryOneRecord("SELECT count(client_id) as number FROM client WHERE username = ?", $pw_domain); if($tmp['number'] == 0) { $pw_crypt_password = $app->auth->crypt_password($rec['pw_clear_passwd']); $country = 'FI'; //* add client $sql = "INSERT INTO `client` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `company_name`, `company_id`, `contact_name`, `customer_no`, `vat_id`, `street`, `zip`, `city`, `state`, `country`, `telephone`, `mobile`, `fax`, `email`, `internet`, `icq`, `notes`, `bank_account_owner`, `bank_account_number`, `bank_code`, `bank_name`, `bank_account_iban`, `bank_account_swift`, `default_mailserver`, `limit_maildomain`, `limit_mailbox`, `limit_mailalias`, `limit_mailaliasdomain`, `limit_mailforward`, `limit_mailcatchall`, `limit_mailrouting`, `limit_mailfilter`, `limit_fetchmail`, `limit_mailquota`, `limit_spamfilter_wblist`, `limit_spamfilter_user`, `limit_spamfilter_policy`, `default_webserver`, `limit_web_ip`, `limit_web_domain`, `limit_web_quota`, `web_php_options`, `limit_cgi`, `limit_ssi`, `limit_perl`, `limit_ruby`, `limit_python`, `force_suexec`, `limit_hterror`, `limit_wildcard`, `limit_ssl`, `limit_web_subdomain`, `limit_web_aliasdomain`, `limit_ftp_user`, `limit_shell_user`, `ssh_chroot`, `limit_webdav_user`, `limit_aps`, `default_dnsserver`, `limit_dns_zone`, `limit_dns_slave_zone`, `limit_dns_record`, `default_dbserver`, `limit_database`, `limit_cron`, `limit_cron_type`, `limit_cron_frequency`, `limit_traffic_quota`, `limit_client`, `limit_mailmailinglist`, `limit_openvz_vm`, `limit_openvz_vm_template_id`, `parent_client_id`, `username`, `password`, `language`, `usertheme`, `template_master`, `template_additional`, `created_at`, `id_rsa`, `ssh_rsa`) - VALUES(1, 1, 'riud', 'riud', '', '', '', '$pw_domain', '', '', '', '', '', '', '$country', '', '', '', '', 'http://', '', '', '', '', '', '', '', '', 1, -1, -1, -1, -1, -1, -1, 0, -1, -1, -1, 0, 0, 0, 1, NULL, -1, -1, 'no,fast-cgi,cgi,mod,suphp', 'n', 'n', 'n', 'n', 'n', 'y', 'n', 'n', 'n', -1, -1, -1, 0, 'no,jailkit', 0, 0, 1, -1, -1, -1, 1, -1, 0, 'url', 5, -1, 0, -1, 0, 0, 0, '$pw_domain', '$pw_crypt_password', '".$conf['language']."', 'default', 0, '', NOW(), '', '')"; - $app->db->query($sql); + VALUES(1, 1, 'riud', 'riud', '', '', '', ?, '', '', '', '', '', '', ?, '', '', '', '', 'http://', '', '', '', '', '', '', '', '', 1, -1, -1, -1, -1, -1, -1, 0, -1, -1, -1, 0, 0, 0, 1, NULL, -1, -1, 'no,fast-cgi,cgi,mod,suphp', 'n', 'n', 'n', 'n', 'n', 'y', 'n', 'n', 'n', -1, -1, -1, 0, 'no,jailkit', 0, 0, 1, -1, -1, -1, 1, -1, 0, 'url', 5, -1, 0, -1, 0, 0, 0, ?, ?, ?, 'default', 0, '', NOW(), '', '')"; + $app->db->query($sql, $pw_domain,$country, $pw_domain, $pw_crypt_password, $conf['language']); $client_id = $app->db->insertID(); //* add sys_group @@ -134,13 +134,13 @@ function start_import() { // Create the controlpaneluser for the client //Generate ssh-rsa-keys exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""'); - $app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote(@file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote(@file_get_contents('/tmp/id_rsa.pub'))."' WHERE client_id = ".$client_id); + $app->db->query("UPDATE client SET created_at = UNIX_TIMESTAMP(), id_rsa = ?, ssh_rsa = ? WHERE client_id = ?", @file_get_contents('/tmp/id_rsa'), @file_get_contents('/tmp/id_rsa.pub'), $client_id); exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub'); // Create the controlpaneluser for the client $sql = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id) - VALUES ('$username','$password','$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,".$client_id.")"; - $app->db->query($sql); + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; + $app->db->query($sql, $username,$password,$modules,$startmodule,$usertheme,$type,$active,$language,$groups,$groupid,$client_id); //* Set the default servers $tmp = $app->db->queryOneRecord('SELECT server_id FROM server WHERE mail_server = 1 AND mirror_server_id = 0 LIMIT 0,1'); @@ -152,8 +152,8 @@ function start_import() { $tmp = $app->db->queryOneRecord('SELECT server_id FROM server WHERE db_server = 1 AND mirror_server_id = 0 LIMIT 0,1'); $default_dbserver = $app->functions->intval($tmp['server_id']); - $sql = "UPDATE client SET default_mailserver = $default_mailserver, default_webserver = $default_webserver, default_dnsserver = $default_dnsserver, default_dbserver = $default_dbserver WHERE client_id = ".$client_id; - $app->db->query($sql); + $sql = "UPDATE client SET default_mailserver = ?, default_webserver = ?, default_dnsserver = ?, default_dbserver = ? WHERE client_id = ?"; + $app->db->query($sql, $default_mailserver, $default_webserver, $default_dnsserver, $default_dbserver, $client_id); $msg .= "Added Client $username.
"; } else { @@ -169,9 +169,9 @@ function start_import() { $domain = $rec['pw_domain']; //* Check if domain exists already - $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM mail_domain WHERE domain = '$domain'"); + $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM mail_domain WHERE domain = ?", $domain); if($tmp['number'] == 0) { - $user_rec = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE username = '$domain'"); + $user_rec = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE username = ?", $domain); $sys_userid = ($user_rec['userid'] > 0)?$user_rec['userid']:1; $sys_groupid = ($user_rec['default_group'] > 0)?$user_rec['default_group']:1; @@ -193,12 +193,12 @@ function start_import() { $email = $rec['pw_name'].'@'.$rec['pw_domain']; //* Check for duplicate mailboxes - $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE email = '".$app->db->quote($email)."'"); + $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE email = ?", $email); if($tmp['number'] == 0) { //* get the mail domain for the mailbox - $domain_rec = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = '$domain'"); + $domain_rec = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = ?", $domain); if(is_array($domain_rec)) { $pw_crypt_password = $app->auth->crypt_password($rec['pw_clear_passwd']); @@ -242,12 +242,12 @@ function start_import() { } //* Check for duplicate forwards - $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE source = '".$app->db->quote($email)."' AND destination = '".$app->db->quote($target)."'"); + $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE source = ? AND destination = ?", $email, $target); if($tmp['number'] == 0 && $target != '') { //* get the mail domain - $domain_rec = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = '".$rec['domain']."'"); + $domain_rec = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain = ?", $rec['domain']); if(is_array($domain_rec)) { $sql = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `source`, `destination`, `type`, `active`) diff --git a/interface/web/tools/resync.php b/interface/web/tools/resync.php index 6a85b186a1..6738843bc4 100644 --- a/interface/web/tools/resync.php +++ b/interface/web/tools/resync.php @@ -182,8 +182,8 @@ class page_action extends tform_actions { //* firewall $array_out = array(); foreach($server_data as $db_table => $data) { - $sql = @(isset($data['server_id']))?"SELECT * FROM $db_table WHERE server_id = $server_id":"SELECT * FROM $db_table";; - $records = $app->db->queryAllRecords($sql); + $sql = @(isset($data['server_id']))?"SELECT * FROM ?? WHERE server_id = ":"SELECT * FROM ??"; + $records = $app->db->queryAllRecords($sql, $db_table, $server_id); if (!empty($records)) array_push($array_out, $db_table); } @@ -377,7 +377,7 @@ class page_action extends tform_actions { $server_name = array(); if ( $server_id == 0 ) { //* resync multiple server - $temp = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE ".$server_type."_server = 1 AND active = 1 AND mirror_server_id = 0"); + $temp = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE ?? = 1 AND active = 1 AND mirror_server_id = 0", $server_type."_server"); foreach ($temp as $server) { $temp_id .= $server['server_id'].','; $server_name[$server['server_id']] = $server['server_name']; @@ -389,11 +389,11 @@ class page_action extends tform_actions { unset($temp); if ( isset($temp_id) ) $server_id = rtrim($temp_id,','); - $sql = "SELECT * FROM $db_table"; + $sql = "SELECT * FROM ??"; if ($db_table != "mail_user_filter") $sql .= " WHERE server_id IN (".$server_id.") "; $sql .= $opt; if ($active) $sql .= " AND active = 'y'"; - $records = $app->db->queryAllRecords($sql); + $records = $app->db->queryAllRecords($sql, $db_table); return array($records, $server_name); } @@ -529,7 +529,7 @@ class page_action extends tform_actions { if($this->dataRecord['resync_client'] == 1) { $db_table = 'client'; $index_field = 'client_id'; - $records = $app->db->queryAllRecords("SELECT * FROM ".$db_table); + $records = $app->db->queryAllRecords("SELECT * FROM ??", $db_table); $msg .= ''.$app->tform->wordbook['do_clients_txt'].'
'; if(!empty($records)) { $tform_def_file = '../client/form/client.tform.php'; diff --git a/interface/web/tools/user_settings.php b/interface/web/tools/user_settings.php index 02fc4f73d2..57542458ef 100644 --- a/interface/web/tools/user_settings.php +++ b/interface/web/tools/user_settings.php @@ -102,7 +102,7 @@ class page_action extends tform_actions { global $app; if($_POST['passwort'] != '') { - $tmp_user = $app->db->queryOneRecord("SELECT passwort FROM sys_user WHERE userid = '".$app->functions->intval($_SESSION['s']['user']['userid'])."'"); + $tmp_user = $app->db->queryOneRecord("SELECT passwort FROM sys_user WHERE userid = ?", $_SESSION['s']['user']['userid']); $_SESSION['s']['user']['passwort'] = $tmp_user['passwort']; unset($tmp_user); } diff --git a/interface/web/vm/ajax_get_ip.php b/interface/web/vm/ajax_get_ip.php index 64400775ee..3ff5c0d294 100644 --- a/interface/web/vm/ajax_get_ip.php +++ b/interface/web/vm/ajax_get_ip.php @@ -38,8 +38,8 @@ $server_id = $app->functions->intval($_GET["server_id"]); if($_SESSION["s"]["user"]["typ"] == 'admin' or $app->auth->has_clients($_SESSION['s']['user']['userid'])) { - $sql = "SELECT ip_address FROM openvz_ip WHERE reserved = 'n' AND server_id = $server_id"; - $ips = $app->db->queryAllRecords($sql); + $sql = "SELECT ip_address FROM openvz_ip WHERE reserved = 'n' AND server_id = ?"; + $ips = $app->db->queryAllRecords($sql, $server_id); $ip_select = ""; if(is_array($ips)) { foreach( $ips as $ip) { diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php index bd7c1d2158..d6f06db3e3 100644 --- a/interface/web/vm/openvz_vm_edit.php +++ b/interface/web/vm/openvz_vm_edit.php @@ -74,7 +74,7 @@ class page_action extends tform_actions { //* Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); - $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.limit_openvz_vm_template_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.limit_openvz_vm_template_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); //* Fill the template_id field if($client['limit_openvz_vm_template_id'] == 0) { @@ -96,7 +96,7 @@ class page_action extends tform_actions { //* Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; - $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.limit_openvz_vm_template_id, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.limit_openvz_vm_template_id, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); //* Fill the client select field diff --git a/server/lib/app.inc.php b/server/lib/app.inc.php index a9d47a5578..213712acdd 100755 --- a/server/lib/app.inc.php +++ b/server/lib/app.inc.php @@ -151,19 +151,18 @@ class app { if(isset($this->dbmaster)) { $server_id = $conf['server_id']; $loglevel = $priority; - $tstamp = time(); $message = $this->dbmaster->quote($msg); $datalog_id = (isset($this->modules->current_datalog_id) && $this->modules->current_datalog_id > 0)?$this->modules->current_datalog_id:0; if($datalog_id > 0) { - $tmp_rec = $this->dbmaster->queryOneRecord("SELECT count(syslog_id) as number FROM sys_log WHERE datalog_id = $datalog_id AND loglevel = ".LOGLEVEL_ERROR); + $tmp_rec = $this->dbmaster->queryOneRecord("SELECT count(syslog_id) as number FROM sys_log WHERE datalog_id = ? AND loglevel = ?", $datalog_id, LOGLEVEL_ERROR); //* Do not insert duplicate errors into the web log. if($tmp_rec['number'] == 0) { - $sql = "INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES ('$server_id',$datalog_id,'$loglevel','$tstamp','$message')"; - $this->dbmaster->query($sql); + $sql = "INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES (?, ?, ?, UNIX_TIMESTAMP(), ?)"; + $this->dbmaster->query($sql, $server_id, $datalog_id, $loglevel, $message); } } else { - $sql = "INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES ('$server_id',0,'$loglevel','$tstamp','$message')"; - $this->dbmaster->query($sql); + $sql = "INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES (?, 0, ?, UNIX_TIMESTAMP(), ?)"; + $this->dbmaster->query($sql, $server_id, $loglevel, $message); } } diff --git a/server/lib/classes/aps_installer.inc.php b/server/lib/classes/aps_installer.inc.php index 1b01821485..2a51fc5e09 100644 --- a/server/lib/classes/aps_installer.inc.php +++ b/server/lib/classes/aps_installer.inc.php @@ -259,18 +259,15 @@ class ApsInstaller extends ApsBase // Get the domain name to use for the installation // Would be possible in one query too, but we use 2 for easier debugging - $main_domain = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings - WHERE name = 'main_domain' AND instance_id = '".$app->db->quote($task['instance_id'])."';"); + $main_domain = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_domain' AND instance_id = ?", $task['instance_id']); $this->domain = $main_domain['value']; // Get the document root - $domain_res = $app->db->queryOneRecord("SELECT document_root, web_folder, type FROM web_domain - WHERE domain = '".$app->db->quote($this->domain)."';"); + $domain_res = $app->db->queryOneRecord("SELECT document_root, web_folder, type FROM web_domain WHERE domain = ?", $this->domain); $this->document_root = $domain_res['document_root']; // Get the sub location - $location_res = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings - WHERE name = 'main_location' AND instance_id = '".$app->db->quote($task['instance_id'])."';"); + $location_res = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_location' AND instance_id = ?", $task['instance_id']); $this->sublocation = $location_res['value']; // Make sure the document_root ends with / @@ -309,67 +306,19 @@ class ApsInstaller extends ApsBase $db_id = parent::getXPathValue($sxe, '//db:id'); if(empty($db_id)) return; // No database needed - /* WARNING: if this will ever be uncommented please check the updated prefix handling for user and db names!!! - * - // Set the database owner to the domain owner - // ISPConfig identifies the owner by the sys_groupid (not sys_userid!) - // so sys_userid can be set to any value - $perm = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM web_domain - WHERE domain = '".$this->domain."';"); - $task['sys_groupid'] = $perm['sys_groupid']; - $serverid = $perm['server_id']; - - // Get the database prefix and db user prefix - $app->uses('getconf'); - $global_config = $app->getconf->get_global_config('sites'); - $dbname_prefix = str_replace('[CLIENTID]', '', $global_config['dbname_prefix']); - $dbuser_prefix = str_replace('[CLIENTID]', '', $global_config['dbuser_prefix']); - $this->dbhost = DB_HOST; // Taken from config.inc.php - if(empty($this->dbhost)) $this->dbhost = 'localhost'; // Just to ensure any hostname... ;) - - $this->newdb_name = $dbname_prefix.$task['CustomerID'].'aps'.$task['InstanceID']; - $this->newdb_user = $dbuser_prefix.$task['CustomerID'].'aps'.$task['InstanceID']; - $dbpw_res = $app->db->queryOneRecord("SELECT Value FROM aps_instances_settings - WHERE Name = 'main_database_password' AND InstanceID = '".$app->db->quote($task['InstanceID'])."';"); - $newdb_pw = $dbpw_res['Value']; - - // In any case delete an existing database (install and removal procedure) - $app->db->query('DROP DATABASE IF EXISTS `'.$app->db->quote($this->newdb_name).'`;'); - // Delete an already existing database with this name - $app->db->query("DELETE FROM web_database WHERE database_name = '".$app->db->quote($this->newdb_name)."';"); - - - // Create the new database and assign it to a user - if($this->handle_type == 'install') - { - $app->db->query('CREATE DATABASE IF NOT EXISTS `'.$app->db->quote($this->newdb_name).'`;'); - $app->db->query('GRANT ALL PRIVILEGES ON '.$app->db->quote($this->newdb_name).'.* TO '.$app->db->quote($this->newdb_user).'@'.$app->db->quote($this->dbhost).' IDENTIFIED BY \'password\';'); - $app->db->query('SET PASSWORD FOR '.$app->db->quote($this->newdb_user).'@'.$app->db->quote($this->dbhost).' = PASSWORD(\''.$newdb_pw.'\');'); - $app->db->query('FLUSH PRIVILEGES;'); - - // Add the new database to the customer databases - // Assumes: charset = utf8 - $app->db->query('INSERT INTO web_database (sys_userid, sys_groupid, sys_perm_user, sys_perm_group, sys_perm_other, server_id, - type, database_name, database_user, database_password, database_charset, remote_access, remote_ips, active) - VALUES ('.$task['sys_userid'].', '.$task['sys_groupid'].', "'.$task['sys_perm_user'].'", "'.$task['sys_perm_group'].'", - "'.$task['sys_perm_other'].'", '.$app->db->quote($serverid).', "mysql", "'.$app->db->quote($this->newdb_name).'", - "'.$app->db->quote($this->newdb_user).'", "'.$app->db->quote($newdb_pw).'", "utf8", "n", "", "y");'); - } - */ - $mysqlver_res = $app->db->queryOneRecord('SELECT VERSION() as ver;'); $mysqlver = $mysqlver_res['ver']; - $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_password' AND instance_id = '".$app->db->quote($task['instance_id'])."';"); + $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_password' AND instance_id = ?", $task['instance_id']); $newdb_pw = $tmp['value']; - $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_host' AND instance_id = '".$app->db->quote($task['instance_id'])."';"); + $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_host' AND instance_id = ?", $task['instance_id']); $newdb_host = $tmp['value']; - $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_name' AND instance_id = '".$app->db->quote($task['instance_id'])."';"); + $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_name' AND instance_id = ?", $task['instance_id']); $newdb_name = $tmp['value']; - $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_login' AND instance_id = '".$app->db->quote($task['instance_id'])."';"); + $tmp = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_database_login' AND instance_id = ?", $task['instance_id']); $newdb_login = $tmp['value']; /* Test if the new mysql connection is laready working to ensure that db servers in multiserver @@ -470,10 +419,8 @@ class ApsInstaller extends ApsBase $this->processMappings($mapping, $mapping_url, $this->local_installpath); // Set the appropriate file owner - $main_domain = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings - WHERE name = 'main_domain' AND instance_id = '".$app->db->quote($task['instance_id'])."';"); - $owner_res = $app->db->queryOneRecord("SELECT system_user, system_group FROM web_domain - WHERE domain = '".$app->db->quote($main_domain['value'])."';"); + $main_domain = $app->db->queryOneRecord("SELECT value FROM aps_instances_settings WHERE name = 'main_domain' AND instance_id = ?", $task['instance_id']); + $owner_res = $app->db->queryOneRecord("SELECT system_user, system_group FROM web_domain WHERE domain = ?", $main_domain['value']); $this->file_owner_user = $owner_res['system_user']; $this->file_owner_group = $owner_res['system_group']; exec('chown -R '.$this->file_owner_user.':'.$this->file_owner_group.' '.escapeshellarg($this->local_installpath)); @@ -486,8 +433,7 @@ class ApsInstaller extends ApsBase } catch(Exception $e) { - $app->dbmaster->query('UPDATE aps_instances SET instance_status = "'.INSTANCE_ERROR.'" - WHERE id = "'.$app->db->quote($task['instance_id']).'";'); + $app->dbmaster->query('UPDATE aps_instances SET instance_status = ? WHERE id = ?', INSTANCE_ERROR, $task['instance_id']); $app->log($e->getMessage(), 1); return false; } @@ -506,8 +452,7 @@ class ApsInstaller extends ApsBase { global $app; - $userdata = $app->db->queryAllRecords("SELECT name, value FROM aps_instances_settings - WHERE instance_id = '".$app->db->quote($task['instance_id'])."';"); + $userdata = $app->db->queryAllRecords("SELECT name, value FROM aps_instances_settings WHERE instance_id = ?", $task['instance_id']); if(empty($userdata)) return false; foreach($userdata as $data) @@ -628,15 +573,13 @@ class ApsInstaller extends ApsBase exec('chown -R root:root '.escapeshellarg($this->local_installpath.'stats')); } - $app->dbmaster->query('UPDATE aps_instances SET instance_status = "'.INSTANCE_SUCCESS.'" - WHERE id = "'.$app->db->quote($task['instance_id']).'";'); + $app->dbmaster->query('UPDATE aps_instances SET instance_status = ? WHERE id = ?', INSTANCE_SUCCESS, $task['instance_id']); } } catch(Exception $e) { - $app->dbmaster->query('UPDATE aps_instances SET instance_status = "'.INSTANCE_ERROR.'" - WHERE id = "'.$app->db->quote($task['instance_id']).'";'); + $app->dbmaster->query('UPDATE aps_instances SET instance_status = ? WHERE id = ?', INSTANCE_ERROR, $task['instance_id']); $app->log($e->getMessage(), 1); return false; } @@ -675,15 +618,7 @@ class ApsInstaller extends ApsBase else return false; // Get all instance metadata - /* - $task = $app->db->queryOneRecord("SELECT * FROM aps_instances AS i - INNER JOIN aps_packages AS p ON i.package_id = p.id - INNER JOIN client AS c ON i.customer_id = c.client_id - WHERE i.id = ".$instanceid.";"); - */ - $task = $app->db->queryOneRecord("SELECT * FROM aps_instances AS i - INNER JOIN aps_packages AS p ON i.package_id = p.id - WHERE i.id = ".$instanceid.";"); + $task = $app->db->queryOneRecord("SELECT * FROM aps_instances AS i INNER JOIN aps_packages AS p ON i.package_id = p.id WHERE i.id = ?", $instanceid); if(!$task) return false; // formerly: throw new Exception('The InstanceID doesn\'t exist.'); if(!isset($task['instance_id'])) $task['instance_id'] = $instanceid; @@ -720,8 +655,7 @@ class ApsInstaller extends ApsBase // Check if the meta file is existing if(!$metafile) { - $app->dbmaster->query('UPDATE aps_instances SET instance_status = "'.INSTANCE_ERROR.'" - WHERE id = "'.$app->db->quote($task['instance_id']).'";'); + $app->dbmaster->query('UPDATE aps_instances SET instance_status = ? WHERE id = ?', INSTANCE_ERROR, $task['instance_id']); $app->log('Unable to find the meta data file of package '.$task['path'], 1); return false; } @@ -754,11 +688,11 @@ class ApsInstaller extends ApsBase // Finally delete the instance entry + settings if($this->handle_type == 'delete') { - $app->db->query('DELETE FROM aps_instances WHERE id = "'.$app->db->quote($task['instance_id']).'";'); - $app->db->query('DELETE FROM aps_instances_settings WHERE instance_id = "'.$app->db->quote($task['instance_id']).'";'); + $app->db->query('DELETE FROM aps_instances WHERE id = ?', $task['instance_id']); + $app->db->query('DELETE FROM aps_instances_settings WHERE instance_id = ?', $task['instance_id']); if ($app->dbmaster != $app->db) { - $app->dbmaster->query('DELETE FROM aps_instances WHERE id = "'.$app->db->quote($task['instance_id']).'";'); - $app->dbmaster->query('DELETE FROM aps_instances_settings WHERE instance_id = "'.$app->db->quote($task['instance_id']).'";'); + $app->dbmaster->query('DELETE FROM aps_instances WHERE id = ?', $task['instance_id']); + $app->dbmaster->query('DELETE FROM aps_instances_settings WHERE instance_id = ?', $task['instance_id']); } } diff --git a/server/lib/classes/cron.d/100-mailbox_stats.inc.php b/server/lib/classes/cron.d/100-mailbox_stats.inc.php index 750849055f..259535ffda 100644 --- a/server/lib/classes/cron.d/100-mailbox_stats.inc.php +++ b/server/lib/classes/cron.d/100-mailbox_stats.inc.php @@ -57,8 +57,8 @@ class cronjob_mailbox_stats extends cronjob { //###################################################################################################### $parse_mail_log = false; - $sql = "SELECT mailuser_id,maildir FROM mail_user WHERE server_id = ".$conf['server_id']; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT mailuser_id,maildir FROM mail_user WHERE server_id = ?"; + $records = $app->db->queryAllRecords($sql, $conf['server_id']); if(count($records) > 0) $parse_mail_log = true; foreach($records as $rec) { @@ -82,16 +82,17 @@ class cronjob_mailbox_stats extends cronjob { // Save the traffic stats in the sql database $tstamp = date('Y-m'); - $sql = "SELECT * FROM mail_traffic WHERE month = '$tstamp' AND mailuser_id = ".$rec['mailuser_id']; - $tr = $app->dbmaster->queryOneRecord($sql); + $sql = "SELECT * FROM mail_traffic WHERE month = '$tstamp' AND mailuser_id = ?"; + $tr = $app->dbmaster->queryOneRecord($sql, $rec['mailuser_id']); $mail_traffic += $tr['traffic']; if($tr['traffic_id'] > 0) { - $sql = "UPDATE mail_traffic SET traffic = $mail_traffic WHERE traffic_id = ".$tr['traffic_id']; + $sql = "UPDATE mail_traffic SET traffic = ? WHERE traffic_id = ?"; + $app->dbmaster->query($sql, $mail_traffic, $tr['traffic_id']); } else { - $sql = "INSERT INTO mail_traffic (month,mailuser_id,traffic) VALUES ('$tstamp',".$rec['mailuser_id'].",$mail_traffic)"; + $sql = "INSERT INTO mail_traffic (month,mailuser_id,traffic) VALUES (?,?,?)"; + $app->dbmaster->query($sql, $tstamp, $rec['mailuser_id'], $mail_traffic); } - $app->dbmaster->query($sql); //echo $sql; } @@ -140,13 +141,13 @@ class cronjob_mailbox_stats extends cronjob { } } - $sql = "SELECT email FROM mail_user WHERE server_id = ".$conf['server_id']; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT email FROM mail_user WHERE server_id = ?"; + $records = $app->db->queryAllRecords($sql, $conf['server_id']); foreach($records as $record) { $mail_boxes[] = $record['email']; } - $sql = "SELECT source, destination FROM mail_forwarding WHERE server_id = ".$conf['server_id']; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT source, destination FROM mail_forwarding WHERE server_id = ?"; + $records = $app->db->queryAllRecords($sql, $conf['server_id']); foreach($records as $record) { $targets = preg_split('/[\n,]+/', $record['destination']); foreach($targets as $target) { @@ -231,20 +232,21 @@ class cronjob_mailbox_stats extends cronjob { // Save the traffic stats in the sql database $tstamp = date('Y-m'); - $sql = "SELECT mailuser_id,email FROM mail_user WHERE server_id = ".$conf['server_id']; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT mailuser_id,email FROM mail_user WHERE server_id = ?"; + $records = $app->db->queryAllRecords($sql, $conf['server_id']); foreach($records as $rec) { if(array_key_exists($rec['email'], $mailbox_traffic)) { - $sql = "SELECT * FROM mail_traffic WHERE month = '$tstamp' AND mailuser_id = ".$rec['mailuser_id']; - $tr = $app->dbmaster->queryOneRecord($sql); + $sql = "SELECT * FROM mail_traffic WHERE month = ? AND mailuser_id = ?"; + $tr = $app->dbmaster->queryOneRecord($sql, $tstamp, $rec['mailuser_id']); $mail_traffic = $tr['traffic'] + $mailbox_traffic[$rec['email']]; if($tr['traffic_id'] > 0) { - $sql = "UPDATE mail_traffic SET traffic = $mail_traffic WHERE traffic_id = ".$tr['traffic_id']; + $sql = "UPDATE mail_traffic SET traffic = ? WHERE traffic_id = ?"; + $app->dbmaster->query($sql, $mail_traffic, $tr['traffic_id']); } else { - $sql = "INSERT INTO mail_traffic (month,mailuser_id,traffic) VALUES ('$tstamp',".$rec['mailuser_id'].",$mail_traffic)"; + $sql = "INSERT INTO mail_traffic (month,mailuser_id,traffic) VALUES (?,?,?)"; + $app->dbmaster->query($sql, $tstamp, $rec['mailuser_id'], $mail_traffic); } - $app->dbmaster->query($sql); //echo $sql; } } diff --git a/server/lib/classes/cron.d/100-monitor_clamav_log.inc.php b/server/lib/classes/cron.d/100-monitor_clamav_log.inc.php index 25f7448cbe..208161cc0f 100644 --- a/server/lib/classes/cron.d/100-monitor_clamav_log.inc.php +++ b/server/lib/classes/cron.d/100-monitor_clamav_log.inc.php @@ -82,14 +82,8 @@ class cronjob_monitor_clamav_log extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); @@ -158,14 +152,8 @@ class cronjob_monitor_clamav_log extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_cpu.inc.php b/server/lib/classes/cron.d/100-monitor_cpu.inc.php index 3cbf5b1f32..f570eeb819 100644 --- a/server/lib/classes/cron.d/100-monitor_cpu.inc.php +++ b/server/lib/classes/cron.d/100-monitor_cpu.inc.php @@ -111,14 +111,8 @@ class cronjob_monitor_cpu extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_database_size.inc.php b/server/lib/classes/cron.d/100-monitor_database_size.inc.php index c03b82de02..3e9cecf465 100644 --- a/server/lib/classes/cron.d/100-monitor_database_size.inc.php +++ b/server/lib/classes/cron.d/100-monitor_database_size.inc.php @@ -78,7 +78,7 @@ class cronjob_monitor_database_size extends cronjob { $state = 'ok'; /** Fetch the data of all databases into an array */ - $databases = $app->db->queryAllRecords("SELECT database_name, sys_groupid FROM web_database WHERE server_id = $server_id GROUP BY sys_groupid, database_name ASC"); + $databases = $app->db->queryAllRecords("SELECT database_name, sys_groupid FROM web_database WHERE server_id = ? GROUP BY sys_groupid, database_name ASC", $server_id); if(is_array($databases) && !empty($databases)) { @@ -98,14 +98,8 @@ class cronjob_monitor_database_size extends cronjob { //* Insert the data into the database $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); //* The new data is written, now we can delete the old one $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_disk_usage.inc.php b/server/lib/classes/cron.d/100-monitor_disk_usage.inc.php index 2af40411e1..eb92c2de9d 100644 --- a/server/lib/classes/cron.d/100-monitor_disk_usage.inc.php +++ b/server/lib/classes/cron.d/100-monitor_disk_usage.inc.php @@ -142,14 +142,8 @@ class cronjob_monitor_disk_usage extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_email_quota.inc.php b/server/lib/classes/cron.d/100-monitor_email_quota.inc.php index 5d0c7a0bc4..75014c347d 100644 --- a/server/lib/classes/cron.d/100-monitor_email_quota.inc.php +++ b/server/lib/classes/cron.d/100-monitor_email_quota.inc.php @@ -75,7 +75,7 @@ class cronjob_monitor_email_quota extends cronjob { //* The state of the email_quota. $state = 'ok'; - $mailboxes = $app->db->queryAllRecords("SELECT email,maildir FROM mail_user WHERE server_id = $server_id"); + $mailboxes = $app->db->queryAllRecords("SELECT email,maildir FROM mail_user WHERE server_id = ?", $server_id); if(is_array($mailboxes)) { //* with dovecot we can use doveadm instead of 'du -s' @@ -134,14 +134,8 @@ class cronjob_monitor_email_quota extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_fail2ban.inc.php b/server/lib/classes/cron.d/100-monitor_fail2ban.inc.php index ffc93a45cd..5c4ba80561 100644 --- a/server/lib/classes/cron.d/100-monitor_fail2ban.inc.php +++ b/server/lib/classes/cron.d/100-monitor_fail2ban.inc.php @@ -102,14 +102,8 @@ class cronjob_monitor_fail2ban extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_hd_quota.inc.php b/server/lib/classes/cron.d/100-monitor_hd_quota.inc.php index 888dd153ea..a4971eb532 100644 --- a/server/lib/classes/cron.d/100-monitor_hd_quota.inc.php +++ b/server/lib/classes/cron.d/100-monitor_hd_quota.inc.php @@ -134,14 +134,8 @@ class cronjob_monitor_hd_quota extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_iptables.inc.php b/server/lib/classes/cron.d/100-monitor_iptables.inc.php index a5a1c26029..1ad11d9ecc 100644 --- a/server/lib/classes/cron.d/100-monitor_iptables.inc.php +++ b/server/lib/classes/cron.d/100-monitor_iptables.inc.php @@ -107,14 +107,8 @@ class cronjob_monitor_iptables extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_ispconfig_log.inc.php b/server/lib/classes/cron.d/100-monitor_ispconfig_log.inc.php index 1df3b02e02..0f29b0c489 100644 --- a/server/lib/classes/cron.d/100-monitor_ispconfig_log.inc.php +++ b/server/lib/classes/cron.d/100-monitor_ispconfig_log.inc.php @@ -82,14 +82,8 @@ class cronjob_monitor_ispconfig_log extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); @@ -123,14 +117,8 @@ class cronjob_monitor_ispconfig_log extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_ispconfig_version.inc.php b/server/lib/classes/cron.d/100-monitor_ispconfig_version.inc.php index e24a4cb206..0b44065b2b 100644 --- a/server/lib/classes/cron.d/100-monitor_ispconfig_version.inc.php +++ b/server/lib/classes/cron.d/100-monitor_ispconfig_version.inc.php @@ -85,14 +85,8 @@ class cronjob_monitor_ispconfig_version extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_mail_log.inc.php b/server/lib/classes/cron.d/100-monitor_mail_log.inc.php index d5613a137b..5c41105d3c 100644 --- a/server/lib/classes/cron.d/100-monitor_mail_log.inc.php +++ b/server/lib/classes/cron.d/100-monitor_mail_log.inc.php @@ -88,14 +88,8 @@ class cronjob_monitor_mail_log extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); @@ -122,14 +116,8 @@ class cronjob_monitor_mail_log extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); @@ -156,14 +144,8 @@ class cronjob_monitor_mail_log extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_mail_queue.inc.php b/server/lib/classes/cron.d/100-monitor_mail_queue.inc.php index b1f7089abe..b259904d55 100644 --- a/server/lib/classes/cron.d/100-monitor_mail_queue.inc.php +++ b/server/lib/classes/cron.d/100-monitor_mail_queue.inc.php @@ -113,14 +113,8 @@ class cronjob_monitor_mail_queue extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_mem_usage.inc.php b/server/lib/classes/cron.d/100-monitor_mem_usage.inc.php index 05b196a395..73567478dc 100644 --- a/server/lib/classes/cron.d/100-monitor_mem_usage.inc.php +++ b/server/lib/classes/cron.d/100-monitor_mem_usage.inc.php @@ -99,14 +99,8 @@ class cronjob_monitor_mem_usage extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_mongodb.inc.php b/server/lib/classes/cron.d/100-monitor_mongodb.inc.php index 23f31718c6..244cb65eb1 100644 --- a/server/lib/classes/cron.d/100-monitor_mongodb.inc.php +++ b/server/lib/classes/cron.d/100-monitor_mongodb.inc.php @@ -102,14 +102,8 @@ class cronjob_monitor_mongodb extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_openvz.inc.php b/server/lib/classes/cron.d/100-monitor_openvz.inc.php index 08d155fae7..30b51b4b5f 100644 --- a/server/lib/classes/cron.d/100-monitor_openvz.inc.php +++ b/server/lib/classes/cron.d/100-monitor_openvz.inc.php @@ -86,14 +86,8 @@ class cronjob_monitor_openvz extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); @@ -158,14 +152,8 @@ class cronjob_monitor_openvz extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_os_version.inc.php b/server/lib/classes/cron.d/100-monitor_os_version.inc.php index b9978eaeb2..3876621021 100644 --- a/server/lib/classes/cron.d/100-monitor_os_version.inc.php +++ b/server/lib/classes/cron.d/100-monitor_os_version.inc.php @@ -87,14 +87,8 @@ class cronjob_monitor_os_version extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_raid.inc.php b/server/lib/classes/cron.d/100-monitor_raid.inc.php index 86a6908ab4..439ab8ce52 100644 --- a/server/lib/classes/cron.d/100-monitor_raid.inc.php +++ b/server/lib/classes/cron.d/100-monitor_raid.inc.php @@ -240,14 +240,8 @@ class cronjob_monitor_raid extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php b/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php index 5d99d7f4e4..d5beee70bc 100644 --- a/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php +++ b/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php @@ -102,14 +102,8 @@ class cronjob_monitor_rkhunter extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_server.inc.php b/server/lib/classes/cron.d/100-monitor_server.inc.php index 6ceb584cf5..5a053f430e 100644 --- a/server/lib/classes/cron.d/100-monitor_server.inc.php +++ b/server/lib/classes/cron.d/100-monitor_server.inc.php @@ -108,14 +108,8 @@ class cronjob_monitor_server extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_services.inc.php b/server/lib/classes/cron.d/100-monitor_services.inc.php index 3235ee781f..2c169a2de8 100644 --- a/server/lib/classes/cron.d/100-monitor_services.inc.php +++ b/server/lib/classes/cron.d/100-monitor_services.inc.php @@ -67,14 +67,8 @@ class cronjob_monitor_services extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_syslog.inc.php b/server/lib/classes/cron.d/100-monitor_syslog.inc.php index b62112179c..c101de0087 100644 --- a/server/lib/classes/cron.d/100-monitor_syslog.inc.php +++ b/server/lib/classes/cron.d/100-monitor_syslog.inc.php @@ -70,7 +70,7 @@ class cronjob_monitor_syslog extends cronjob { * is there any warning or error for this server? */ $state = 'ok'; - $dbData = $app->dbmaster->queryAllRecords('SELECT loglevel FROM sys_log WHERE server_id = ' . $server_id . ' AND loglevel > 0'); + $dbData = $app->dbmaster->queryAllRecords('SELECT loglevel FROM sys_log WHERE server_id = ? AND loglevel > 0', $server_id); if (is_array($dbData)) { foreach ($dbData as $item) { if ($item['loglevel'] == 1) @@ -93,14 +93,8 @@ class cronjob_monitor_syslog extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); @@ -127,14 +121,8 @@ class cronjob_monitor_syslog extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/100-monitor_system_update.inc.php b/server/lib/classes/cron.d/100-monitor_system_update.inc.php index 33c5c1f02f..35338dc21d 100644 --- a/server/lib/classes/cron.d/100-monitor_system_update.inc.php +++ b/server/lib/classes/cron.d/100-monitor_system_update.inc.php @@ -187,14 +187,8 @@ class cronjob_monitor_system_update extends cronjob { * Insert the data into the database */ $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (' . - $res['server_id'] . ', ' . - "'" . $app->dbmaster->quote($res['type']) . "', " . - 'UNIX_TIMESTAMP(), ' . - "'" . $app->dbmaster->quote(serialize($res['data'])) . "', " . - "'" . $res['state'] . "'" . - ')'; - $app->dbmaster->query($sql); + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); /* The new data is written, now we can delete the old one */ $this->_tools->delOldRecords($res['type'], $res['server_id']); diff --git a/server/lib/classes/cron.d/150-awstats.inc.php b/server/lib/classes/cron.d/150-awstats.inc.php index 9803a89f13..ea0c64f67a 100644 --- a/server/lib/classes/cron.d/150-awstats.inc.php +++ b/server/lib/classes/cron.d/150-awstats.inc.php @@ -54,8 +54,8 @@ class cronjob_awstats extends cronjob { // Create awstats statistics //###################################################################################################### - $sql = "SELECT domain_id, domain, document_root, web_folder, type, system_user, system_group, parent_domain_id FROM web_domain WHERE (type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias') and stats_type = 'awstats' AND server_id = ".$conf['server_id']; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT domain_id, domain, document_root, web_folder, type, system_user, system_group, parent_domain_id FROM web_domain WHERE (type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias') and stats_type = 'awstats' AND server_id = ?"; + $records = $app->db->queryAllRecords($sql, $conf['server_id']); $web_config = $app->getconf->get_server_config($conf['server_id'], 'web'); @@ -65,7 +65,7 @@ class cronjob_awstats extends cronjob { $log_folder = 'log'; if($rec['type'] == 'vhostsubdomain' || $rec['type'] == 'vhostalias') { - $tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = '.intval($rec['parent_domain_id'])); + $tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = ?', $rec['parent_domain_id']); $subdomain_host = preg_replace('/^(.*)\.' . preg_quote($tmp['domain'], '/') . '$/', '$1', $rec['domain']); if($subdomain_host == '') $subdomain_host = 'web'.$rec['domain_id']; $log_folder .= '/' . $subdomain_host; @@ -89,8 +89,8 @@ class cronjob_awstats extends cronjob { if(is_file($awstats_website_conf_file)) unlink($awstats_website_conf_file); - $sql = "SELECT domain FROM web_domain WHERE (type = 'alias' OR type = 'subdomain') AND parent_domain_id = ".$rec['domain_id']; - $aliases = $app->db->queryAllRecords($sql); + $sql = "SELECT domain FROM web_domain WHERE (type = 'alias' OR type = 'subdomain') AND parent_domain_id = ?"; + $aliases = $app->db->queryAllRecords($sql, $rec['domain_id']); $aliasdomain = ''; if(is_array($aliases)) { diff --git a/server/lib/classes/cron.d/150-webalizer.inc.php b/server/lib/classes/cron.d/150-webalizer.inc.php index 1f9a921f0d..b850003200 100644 --- a/server/lib/classes/cron.d/150-webalizer.inc.php +++ b/server/lib/classes/cron.d/150-webalizer.inc.php @@ -79,8 +79,8 @@ class cronjob_webalizer extends cronjob { } - $sql = "SELECT domain_id, domain, document_root, web_folder, type, parent_domain_id FROM web_domain WHERE (type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias') and stats_type = 'webalizer' AND server_id = ".$conf['server_id']; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT domain_id, domain, document_root, web_folder, type, parent_domain_id FROM web_domain WHERE (type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias') and stats_type = 'webalizer' AND server_id = ?"; + $records = $app->db->queryAllRecords($sql, $conf['server_id']); foreach($records as $rec) { //$yesterday = date('Ymd',time() - 86400); @@ -88,7 +88,7 @@ class cronjob_webalizer extends cronjob { $log_folder = 'log'; if($rec['type'] == 'vhostsubdomain' || $rec['type'] == 'vhostalias') { - $tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = '.intval($rec['parent_domain_id'])); + $tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = ?', $rec['parent_domain_id']); $subdomain_host = preg_replace('/^(.*)\.' . preg_quote($tmp['domain'], '/') . '$/', '$1', $rec['domain']); if($subdomain_host == '') $subdomain_host = 'web'.$rec['domain_id']; $log_folder .= '/' . $subdomain_host; diff --git a/server/lib/classes/cron.d/200-logfiles.inc.php b/server/lib/classes/cron.d/200-logfiles.inc.php index a802ff9eee..9eaa3d7580 100644 --- a/server/lib/classes/cron.d/200-logfiles.inc.php +++ b/server/lib/classes/cron.d/200-logfiles.inc.php @@ -60,7 +60,7 @@ class cronjob_logfiles extends cronjob { // Manage and compress web logfiles and create traffic statistics //###################################################################################################### - $sql = "SELECT domain_id, domain, type, document_root, web_folder, parent_domain_id FROM web_domain WHERE (type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias') AND server_id = ".$conf['server_id']; + $sql = "SELECT domain_id, domain, type, document_root, web_folder, parent_domain_id FROM web_domain WHERE (type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias') AND server_id = ?", $conf['server_id']; $records = $app->db->queryAllRecords($sql); foreach($records as $rec) { @@ -69,7 +69,7 @@ class cronjob_logfiles extends cronjob { $log_folder = 'log'; if($rec['type'] == 'vhostsubdomain' || $rec['type'] == 'vhostalias') { - $tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = '.intval($rec['parent_domain_id'])); + $tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = ?', $rec['parent_domain_id']); $subdomain_host = preg_replace('/^(.*)\.' . preg_quote($tmp['domain'], '/') . '$/', '$1', $rec['domain']); if($subdomain_host == '') $subdomain_host = 'web'.$rec['domain_id']; $log_folder .= '/' . $subdomain_host; @@ -89,16 +89,14 @@ class cronjob_logfiles extends cronjob { //* Insert / update traffic in master database $traffic_date = date('Y-m-d', time() - 86400); - $tmp = $app->dbmaster->queryOneRecord("select hostname from web_traffic where hostname='".$rec['domain']."' and traffic_date='".$traffic_date."'"); + $tmp = $app->dbmaster->queryOneRecord("select hostname from web_traffic where hostname=? and traffic_date=?", $rec['domain'], $traffic_date); if(is_array($tmp) && count($tmp) > 0) { - $sql = "update web_traffic set traffic_bytes=traffic_bytes+" - . $total_bytes - . " where hostname='" . $rec['domain'] - . "' and traffic_date='" . $traffic_date . "'"; + $sql = "UPDATE web_traffic SET traffic_bytes=traffic_bytes + ? WHERE hostname = ? AND traffic_date = ?"; + $app->dbmaster->query($sql, $total_bytes, $rec['domain'], $traffic_date); } else { - $sql = "insert into web_traffic (hostname, traffic_date, traffic_bytes) values ('".$rec['domain']."', '".$traffic_date."', '".$total_bytes."')"; + $sql = "INSERT INTO web_traffic (hostname, traffic_date, traffic_bytes) VALUES (?, ?, ?)"; + $app->dbmaster->query($sql, $rec['domain'], $traffic_date, $total_bytes); } - $app->dbmaster->query($sql); fclose($handle); } @@ -197,8 +195,8 @@ class cronjob_logfiles extends cronjob { // Cleanup website tmp directories //###################################################################################################### - $sql = "SELECT domain_id, domain, document_root, system_user FROM web_domain WHERE server_id = ".$conf['server_id']; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT domain_id, domain, document_root, system_user FROM web_domain WHERE server_id = ?"; + $records = $app->db->queryAllRecords($sql, $conf['server_id']); $app->uses('system'); if(is_array($records)) { foreach($records as $rec){ @@ -225,8 +223,8 @@ class cronjob_logfiles extends cronjob { * if they are NOT ok, the server will try to process them in 1 minute and so the * error appears again after 1 minute. So it is no problem to delete the old one! */ - $sql = "DELETE FROM sys_log WHERE tstamp < " . $tstamp . " AND server_id != 0"; - $app->dbmaster->query($sql); + $sql = "DELETE FROM sys_log WHERE tstamp < ? AND server_id != 0"; + $app->dbmaster->query($sql, $tstamp); /* * Delete all remote-actions "done" and older than 7 days @@ -236,11 +234,8 @@ class cronjob_logfiles extends cronjob { $sql = "SELECT max(action_id) FROM sys_remoteaction"; $res = $app->dbmaster->queryOneRecord($sql); $maxId = $res['max(action_id)']; - $sql = "DELETE FROM sys_remoteaction " . - "WHERE tstamp < " . $tstamp . " " . - " AND action_state = 'ok' " . - " AND action_id <" . intval($maxId); - $app->dbmaster->query($sql); + $sql = "DELETE FROM sys_remoteaction WHERE tstamp < ? AND action_state = 'ok' AND action_id < ?"; + $app->dbmaster->query($sql, $tstamp, $maxId); /* * The sys_datalog is more difficult. @@ -270,14 +265,10 @@ class cronjob_logfiles extends cronjob { foreach($records as $server) { $tmp_server_id = intval($server['server_id']); if($tmp_server_id > 0) { - $sql = "DELETE FROM sys_datalog " . - "WHERE tstamp < " . $tstamp . - " AND server_id = " . intval($server['server_id']) . - " AND datalog_id < " . intval($server['updated']) . - " AND datalog_id < " . intval($maxId); + $sql = "DELETE FROM sys_datalog WHERE tstamp < ? AND server_id = ? AND datalog_id < ? AND datalog_id < ?"; + // echo $sql . "\n"; + $app->dbmaster->query($sql, $tstamp, $server['server_id'], $server['updated'], $maxId); } - // echo $sql . "\n"; - $app->dbmaster->query($sql); } } diff --git a/server/lib/classes/cron.d/300-quota_notify.inc.php b/server/lib/classes/cron.d/300-quota_notify.inc.php index f18394c58c..5345f588ba 100644 --- a/server/lib/classes/cron.d/300-quota_notify.inc.php +++ b/server/lib/classes/cron.d/300-quota_notify.inc.php @@ -69,24 +69,10 @@ class cronjob_quota_notify extends cronjob { $web_traffic_quota = $rec['traffic_quota']; $domain = $rec['domain']; - // get the client - /* - $client_group_id = $rec["sys_groupid"]; - $client = $app->db->queryOneRecord("SELECT limit_traffic_quota,parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); - $reseller = $app->db->queryOneRecord("SELECT limit_traffic_quota FROM client WHERE client_id = ".intval($client['parent_client_id'])); - - $client_traffic_quota = intval($client['limit_traffic_quota']); - $reseller_traffic_quota = intval($reseller['limit_traffic_quota']); - */ - //* get the traffic $tmp = $app->db->queryOneRecord("SELECT SUM(traffic_bytes) As total_traffic_bytes FROM web_traffic WHERE traffic_date like '$current_month%' AND hostname = '$domain'"); $web_traffic = round($tmp['total_traffic_bytes']/1024/1024); - //* Website is over quota, we will disable it - /*if( ($web_traffic_quota > 0 && $web_traffic > $web_traffic_quota) || - ($client_traffic_quota > 0 && $web_traffic > $client_traffic_quota) || - ($reseller_traffic_quota > 0 && $web_traffic > $reseller_traffic_quota)) {*/ if($web_traffic_quota > 0 && $web_traffic > $web_traffic_quota) { $app->dbmaster->datalogUpdate('web_domain', "traffic_quota_lock = 'y',active = 'n'", 'domain_id', $rec['domain_id']); $app->log('Traffic quota for '.$rec['domain'].' exceeded. Disabling website.', LOGLEVEL_DEBUG); @@ -106,7 +92,7 @@ class cronjob_quota_notify extends cronjob { //* Send email to client if($web_config['overtraffic_notify_client'] == 'y') { $client_group_id = $rec["sys_groupid"]; - $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client['email'] != '') { $recipients[] = $client['email']; } @@ -227,7 +213,7 @@ class cronjob_quota_notify extends cronjob { //* Send email to client if($web_config['overquota_notify_client'] == 'y') { $client_group_id = $rec["sys_groupid"]; - $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client['email'] != '') { $recipients[] = $client['email']; } @@ -262,7 +248,7 @@ class cronjob_quota_notify extends cronjob { //* Send email to client if($web_config['overquota_notify_client'] == 'y') { $client_group_id = $rec["sys_groupid"]; - $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client['email'] != '') { $recipients[] = $client['email']; } @@ -355,7 +341,7 @@ class cronjob_quota_notify extends cronjob { //* Send email to client if($mail_config['overquota_notify_client'] == 'y') { $client_group_id = $rec["sys_groupid"]; - $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client['email'] != '') { $recipients[] = $client['email']; } @@ -390,7 +376,7 @@ class cronjob_quota_notify extends cronjob { //* Send email to client if($mail_config['overquota_notify_client'] == 'y') { $client_group_id = $rec["sys_groupid"]; - $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + $client = $app->db->queryOneRecord("SELECT client.email FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); if($client['email'] != '') { $recipients[] = $client['email']; } @@ -427,7 +413,7 @@ class cronjob_quota_notify extends cronjob { } //* get databases - $database_records = $app->db->queryAllRecords("SELECT database_id,sys_groupid,database_name,database_quota,last_quota_notification,DATEDIFF(CURDATE(), last_quota_notification) as `notified_before` FROM web_database;"); + $database_records = $app->db->queryAllRecords("SELECT database_id,sys_groupid,database_name,database_quota,last_quota_notification,DATEDIFF(CURDATE(), last_quota_notification) as `notified_before` FROM web_database"); if(is_array($database_records) && !empty($database_records) && is_array($monitor_data) && !empty($monitor_data)) { //* check database-quota @@ -442,7 +428,7 @@ class cronjob_quota_notify extends cronjob { if ($monitor['database_name'] == $database) { //* get the client - $client = $app->db->queryOneRecord("SELECT client.username, client.email FROM web_database, sys_group, client WHERE web_database.sys_groupid = sys_group.groupid AND sys_group.client_id = client.client_id AND web_database.database_name='".$database."'"); + $client = $app->db->queryOneRecord("SELECT client.username, client.email FROM web_database, sys_group, client WHERE web_database.sys_groupid = sys_group.groupid AND sys_group.client_id = client.client_id AND web_database.database_name=?", $database); //* check quota if ($quota > 0) $used_ratio = $monitor['size'] / $quota; diff --git a/server/lib/classes/cron.d/400-openvz.inc.php b/server/lib/classes/cron.d/400-openvz.inc.php index 18f4598be2..ec2b4de632 100644 --- a/server/lib/classes/cron.d/400-openvz.inc.php +++ b/server/lib/classes/cron.d/400-openvz.inc.php @@ -55,10 +55,8 @@ class cronjob_openvz extends cronjob { //###################################################################################################### if ($app->dbmaster == $app->db) { - $current_date = date('Y-m-d'); - //* Check which virtual machines have to be deactivated - $sql = "SELECT * FROM openvz_vm WHERE active = 'y' AND active_until_date != '0000-00-00' AND active_until_date < '$current_date'"; + $sql = "SELECT * FROM openvz_vm WHERE active = 'y' AND active_until_date != '0000-00-00' AND active_until_date < CURDATE()"; $records = $app->db->queryAllRecords($sql); if(is_array($records)) { foreach($records as $rec) { diff --git a/server/lib/classes/cron.d/500-backup_mail.inc.php b/server/lib/classes/cron.d/500-backup_mail.inc.php index 81e39ed0cc..be45cf4aa5 100644 --- a/server/lib/classes/cron.d/500-backup_mail.inc.php +++ b/server/lib/classes/cron.d/500-backup_mail.inc.php @@ -64,7 +64,7 @@ class cronjob_backup_mail extends cronjob { //* mount backup directory, if necessary if( $server_config['backup_dir_is_mount'] == 'y' && !$app->system->mount_backup_dir($backup_dir) ) $run_backups = false; - $records = $app->db->queryAllRecords("SELECT * FROM mail_user WHERE server_id = ? AND maildir <> ''", intval($conf['server_id'])); + $records = $app->db->queryAllRecords("SELECT * FROM mail_user WHERE server_id = ? AND maildir != ''", intval($conf['server_id'])); if(is_array($records) && $run_backups) { if(!is_dir($backup_dir)) { @@ -87,13 +87,13 @@ class cronjob_backup_mail extends cronjob { if ($global_config['backups_include_into_web_quota'] == 'y') { // this only works, if mail and webdomains are on the same server // find webdomain fitting to maildomain - $sql = "SELECT * FROM web_domain WHERE domain = '".$domain_rec['domain']."'"; - $webdomain = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM web_domain WHERE domain = ?"; + $webdomain = $app->db->queryOneRecord($sql, $domain_rec['domain']); // if this is not also the website, find website now if ($webdomain && ($webdomain['parent_domain_id'] != 0)) { do { - $sql = "SELECT * FROM web_domain WHERE domain_id = ".$webdomain['parent_domain_id']; - $webdomain = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM web_domain WHERE domain_id = ?"; + $webdomain = $app->db->queryOneRecord($sql, $webdomain['parent_domain_id']); } while ($webdomain && ($webdomain['parent_domain_id'] != 0)); } // if webdomain is found, change username/group now diff --git a/server/lib/classes/cron.d/600-cleanup.inc.php b/server/lib/classes/cron.d/600-cleanup.inc.php index 8222fe54d0..903a20f597 100644 --- a/server/lib/classes/cron.d/600-cleanup.inc.php +++ b/server/lib/classes/cron.d/600-cleanup.inc.php @@ -58,7 +58,7 @@ class cronjob_cleanup extends cronjob { $records = $app->db->queryAllRecords("SELECT s.instance_id, s.name, s.value FROM `aps_instances_settings` as s INNER JOIN `aps_instances` as i ON (i.id = s.instance_id) WHERE s.value != '' AND s.name IN ('main_database_password', 'admin_password') AND i.instance_status > 1"); if(is_array($records)) { foreach($records as $rec) { - $tmp = $app->db->queryOneRecord("SELECT id FROM aps_instances_settings WHERE instance_id = '".$app->db->quote($rec['instance_id'])."' AND name = '".$app->db->quote($rec['name'])."'"); + $tmp = $app->db->queryOneRecord("SELECT id FROM aps_instances_settings WHERE instance_id = ? AND name = ?", $rec['instance_id'], $rec['name']); $app->db->datalogUpdate('aps_instances_settings', "value = ''", 'id', $tmp['id']); } } diff --git a/server/lib/classes/cronjob.inc.php b/server/lib/classes/cronjob.inc.php index 7fe90c2fd6..03e36e774d 100644 --- a/server/lib/classes/cronjob.inc.php +++ b/server/lib/classes/cronjob.inc.php @@ -76,7 +76,7 @@ class cronjob { // check the run time and values for this job // get previous run data - $data = $app->db->queryOneRecord("SELECT `last_run`, `next_run`, `running` FROM `sys_cron` WHERE `name` = '" . $app->db->quote(get_class($this)) . "'"); + $data = $app->db->queryOneRecord("SELECT `last_run`, `next_run`, `running` FROM `sys_cron` WHERE `name` = ?", get_class($this)); if($data) { if($data['last_run']) $this->_last_run = $data['last_run']; if($data['next_run']) $this->_next_run = $data['next_run']; @@ -90,7 +90,7 @@ class cronjob { $next_run = $app->cron->getNextRun(ISPConfigDateTime::dbtime()); $this->_next_run = $next_run; - $app->db->query("REPLACE INTO `sys_cron` (`name`, `last_run`, `next_run`, `running`) VALUES ('" . $app->db->quote(get_class($this)) . "', " . ($this->_last_run ? "'" . $app->db->quote($this->_last_run) . "'" : "NULL") . ", " . ($next_run === false ? "NULL" : "'" . $app->db->quote($next_run) . "'") . ", " . ($this->_running == true ? "1" : "0") . ")"); + $app->db->query("REPLACE INTO `sys_cron` (`name`, `last_run`, `next_run`, `running`) VALUES (?, ?, ?, ?)", get_class($this), ($this->_last_run ? $this->_last_run : "#NULL#"), ($next_run === false ? "#NULL#" : $next_run . "'"), ($this->_running == true ? "1" : "0")); } } } @@ -131,7 +131,7 @@ class cronjob { print "Jobs next run is now " . $next_run . "\n"; - $app->db->query("REPLACE INTO `sys_cron` (`name`, `last_run`, `next_run`, `running`) VALUES ('" . $app->db->quote(get_class($this)) . "', NOW(), " . ($next_run === false ? "NULL" : "'" . $app->db->quote($next_run) . "'") . ", 1)"); + $app->db->query("REPLACE INTO `sys_cron` (`name`, `last_run`, `next_run`, `running`) VALUES (?, NOW(), ?, 1)", get_class($this), ($next_run === false ? "#NULL#" : $next_run)); return true; } @@ -154,7 +154,7 @@ class cronjob { global $app; print "Called onCompleted() for class " . get_class($this) . "\n"; - $app->db->query("UPDATE `sys_cron` SET `running` = 0 WHERE `name` = '" . $app->db->quote(get_class($this)) . "'"); + $app->db->query("UPDATE `sys_cron` SET `running` = 0 WHERE `name` = ?", get_class($this)); } } diff --git a/server/lib/classes/functions.inc.php b/server/lib/classes/functions.inc.php index be555031fd..5632a58753 100644 --- a/server/lib/classes/functions.inc.php +++ b/server/lib/classes/functions.inc.php @@ -237,7 +237,7 @@ class functions { } $ips = array(); - $results = $app->db->queryAllRecords("SELECT ip_address AS ip FROM server_ip WHERE ip_type = '".$type."'"); + $results = $app->db->queryAllRecords("SELECT ip_address AS ip FROM server_ip WHERE ip_type = ?", $type); if(!empty($results) && is_array($results)){ foreach($results as $result){ if(preg_match($regex, $result['ip'])) $ips[] = $result['ip']; diff --git a/server/lib/classes/getconf.inc.php b/server/lib/classes/getconf.inc.php index 768ea2cabd..2c20971adb 100644 --- a/server/lib/classes/getconf.inc.php +++ b/server/lib/classes/getconf.inc.php @@ -38,7 +38,7 @@ class getconf { if(!is_array($this->config[$server_id])) { $app->uses('ini_parser'); $server_id = intval($server_id); - $server = $app->db->queryOneRecord('SELECT config FROM server WHERE server_id = '.$server_id); + $server = $app->db->queryOneRecord('SELECT config FROM server WHERE server_id = ?', $server_id); $this->config[$server_id] = $app->ini_parser->parse_ini_string(stripslashes($server['config'])); } diff --git a/server/lib/classes/modules.inc.php b/server/lib/classes/modules.inc.php index 194bf4f51a..e5ccaaf114 100644 --- a/server/lib/classes/modules.inc.php +++ b/server/lib/classes/modules.inc.php @@ -85,12 +85,12 @@ class modules { //* If its a multiserver setup if($app->db->dbHost != $app->dbmaster->dbHost || ($app->db->dbHost == $app->dbmaster->dbHost && $app->db->dbName != $app->dbmaster->dbName)) { if($conf['mirror_server_id'] > 0) { - $sql = "SELECT * FROM sys_datalog WHERE datalog_id > ".$conf['last_datalog_id']." AND (server_id = ".$conf['server_id']." OR server_id = ".$conf['mirror_server_id']." OR server_id = 0) ORDER BY datalog_id LIMIT 0,1000"; + $sql = "SELECT * FROM sys_datalog WHERE datalog_id > ? AND (server_id = ? OR server_id = ? OR server_id = 0) ORDER BY datalog_id LIMIT 0,1000"; } else { - $sql = "SELECT * FROM sys_datalog WHERE datalog_id > ".$conf['last_datalog_id']." AND (server_id = ".$conf['server_id']." OR server_id = 0) ORDER BY datalog_id LIMIT 0,1000"; + $sql = "SELECT * FROM sys_datalog WHERE datalog_id > ? AND (server_id = ? OR server_id = 0) ORDER BY datalog_id LIMIT 0,1000"; } - $records = $app->dbmaster->queryAllRecords($sql); + $records = $app->dbmaster->queryAllRecords($sql, $conf['last_datalog_id'], $conf['server_id'], $conf['mirror_server_id']); foreach($records as $d) { //** encode data to utf-8 and unserialize it @@ -133,46 +133,38 @@ class modules { $idx = explode(':', $d['dbidx']); $tmp_sql1 = ''; $tmp_sql2 = ''; + $f_params = array($d['dbtable']); + $params = array(); foreach($data['new'] as $fieldname => $val) { - $tmp_sql1 .= "`$fieldname`,"; - $tmp_sql2 .= "'".$app->db->quote($val)."',"; + $tmp_sql1 .= "??,"; + $tmp_sql2 .= "?,"; + $f_params[] = $fieldname; + $params[] = $val; } + $params = $f_params + $params; + unset($f_params); + $tmp_sql1 = substr($tmp_sql1, 0, -1); $tmp_sql2 = substr($tmp_sql2, 0, -1); //$tmp_sql1 .= "$idx[0]"; //$tmp_sql2 .= "$idx[1]"; - $sql = "REPLACE INTO $d[dbtable] ($tmp_sql1) VALUES ($tmp_sql2)"; + $sql = "REPLACE INTO ?? ($tmp_sql1) VALUES ($tmp_sql2)"; $app->db->errorNumber = 0; $app->db->errorMessage = ''; - $app->db->query($sql); + $app->db->query($sql, true, $params); + unset($params); if($app->db->errorNumber > 0) { $replication_error = true; $app->log("Replication failed. Error: (" . $d['dbtable'] . ") in MySQL server: (".$app->db->dbHost.") " . $app->db->errorMessage . " # SQL: " . $sql, LOGLEVEL_ERROR); } $app->log('Replicated from master: '.$sql, LOGLEVEL_DEBUG); } - /* - if($d["action"] == 'u') { - $sql = "UPDATE $d[dbtable] SET "; - foreach($data['new'] as $fieldname => $val) { - $sql .= "`$fieldname` = '$val',"; - } - $sql = substr($sql,0,-1); - $idx = explode(":",$d["dbidx"]); - $sql .= " WHERE $idx[0] = $idx[1]"; - $app->db->query($sql); - if($app->db->errorNumber > 0) { - $replication_error = true; - $app->log("Replication failed. Error: (" . $d[dbtable] . ") " . $app->db->errorMessage . " # SQL: " . $sql,LOGLEVEL_ERROR); - } - $app->log("Replicated from master: ".$sql,LOGLEVEL_DEBUG); - } - */ + if($d['action'] == 'd') { $idx = explode(':', $d['dbidx']); - $sql = "DELETE FROM $d[dbtable] "; - $sql .= " WHERE $idx[0] = $idx[1]"; - $app->db->query($sql); + $sql = "DELETE FROM ?? "; + $sql .= " WHERE ?? = ?"; + $app->db->query($sql, $d['dbtable'], $idx[0], $idx[1]); if($app->db->errorNumber > 0) { $replication_error = true; $app->log("Replication failed. Error: (" . $d[dbtable] . ") " . $app->db->errorMessage . " # SQL: " . $sql, LOGLEVEL_ERROR); @@ -183,12 +175,12 @@ class modules { if($replication_error == false) { if(is_array($data['old']) || is_array($data['new'])) { - $app->db->query("UPDATE server SET updated = ".$d["datalog_id"]." WHERE server_id = ".$conf['server_id']); + $app->db->query("UPDATE server SET updated = ? WHERE server_id = ?", $d["datalog_id"], $conf['server_id']); $this->raiseTableHook($d['dbtable'], $d['action'], $data); } else { $app->log('Data array was empty for datalog_id '.$d['datalog_id'], LOGLEVEL_WARN); } - $app->dbmaster->query("UPDATE server SET updated = ".$d["datalog_id"]." WHERE server_id = ".$conf['server_id']); + $app->dbmaster->query("UPDATE server SET updated = ? WHERE server_id = ?", $d["datalog_id"], $conf['server_id']); $app->log('Processed datalog_id '.$d['datalog_id'], LOGLEVEL_DEBUG); } else { $app->log('Error in Replication, changes were not processed.', LOGLEVEL_ERROR); @@ -205,23 +197,14 @@ class modules { //* if we have a single server setup } else { - $sql = "SELECT * FROM sys_datalog WHERE datalog_id > ".$conf['last_datalog_id']." AND (server_id = ".$conf['server_id']." OR server_id = 0) ORDER BY datalog_id LIMIT 0,1000"; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM sys_datalog WHERE datalog_id > ? AND (server_id = ? OR server_id = 0) ORDER BY datalog_id LIMIT 0,1000"; + $records = $app->db->queryAllRecords($sql, $conf['last_datalog_id'], $conf['server_id']); foreach($records as $d) { //** encode data to utf-8 to be able to unserialize it and then unserialize it if(!$data = unserialize(stripslashes($d['data']))) { $data = unserialize($d['data']); } - //** decode data back to current locale - /* - foreach($data['old'] as $key => $val) { - $data['old'][$key] = utf8_decode($val); - } - foreach($data['new'] as $key => $val) { - $data['new'][$key] = utf8_decode($val); - } - */ //* Data on a single server is never mirrored $data['mirrored'] = false; @@ -232,9 +215,7 @@ class modules { } else { $app->log('Data array was empty for datalog_id '.$d['datalog_id'], LOGLEVEL_WARN); } - //$app->db->query("DELETE FROM sys_datalog WHERE datalog_id = ".$rec["datalog_id"]); - //$app->log("Deleting sys_datalog ID ".$rec["datalog_id"],LOGLEVEL_DEBUG); - $app->db->query("UPDATE server SET updated = ".$d['datalog_id']." WHERE server_id = ".$conf['server_id']); + $app->db->query("UPDATE server SET updated = ? WHERE server_id = ?", $d['datalog_id'], $conf['server_id']); $app->log('Processed datalog_id '.$d['datalog_id'], LOGLEVEL_DEBUG); } } @@ -251,11 +232,11 @@ class modules { //* SQL query to get all pending actions $sql = "SELECT action_id, action_type, action_param " . "FROM sys_remoteaction " . - "WHERE server_id = " . $server_id . " ". - " AND action_id > " . intval($maxid_remote_action) . " ". + "WHERE server_id = ? ". + " AND action_id > ? ". "ORDER BY action_id"; - $actions = $app->dbmaster->queryAllRecords($sql); + $actions = $app->dbmaster->queryAllRecords($sql, $server_id, $maxid_remote_action); if(is_array($actions)) { foreach($actions as $action) { @@ -265,9 +246,9 @@ class modules { //* Update the action state $sql = "UPDATE sys_remoteaction " . - "SET action_state = '" . $app->dbmaster->quote($state) . "' " . - "WHERE action_id = " . intval($action['action_id']); - $app->dbmaster->query($sql); + "SET action_state = ? " . + "WHERE action_id = ?"; + $app->dbmaster->query($sql, $state, $action['action_id']); /* * Then save the maxid for the next time... diff --git a/server/lib/classes/monitor_tools.inc.php b/server/lib/classes/monitor_tools.inc.php index 50eb45b0dd..13c0f8dcbb 100644 --- a/server/lib/classes/monitor_tools.inc.php +++ b/server/lib/classes/monitor_tools.inc.php @@ -259,7 +259,7 @@ class monitor_tools { $server_id = intval($conf['server_id']); /** get the "active" Services of the server from the DB */ - $services = $app->db->queryOneRecord('SELECT * FROM server WHERE server_id = ' . $server_id); + $services = $app->db->queryOneRecord('SELECT * FROM server WHERE server_id = ?', $server_id); /* * If the DB is down, we have to set the db to "yes". * If we don't do this, then the monitor will NOT monitor, that the db is down and so the @@ -670,12 +670,12 @@ class monitor_tools { */ $sql = 'DELETE FROM monitor_data ' . 'WHERE ' . - ' type =' . "'" . $app->dbmaster->quote($type) . "' " . + ' type = ?' . 'AND ' . - ' created < ' . $old . ' ' . + ' created < ? ' . 'AND ' . - ' server_id = ' . $serverId; - $app->dbmaster->query($sql); + ' server_id = ?'; + $app->dbmaster->query($sql, $type, $old, $serverId); } public function send_notification_email($template, $placeholders, $recipients) { diff --git a/server/mods-available/remoteaction_core_module.inc.php b/server/mods-available/remoteaction_core_module.inc.php index 08649531b5..807de5060a 100644 --- a/server/mods-available/remoteaction_core_module.inc.php +++ b/server/mods-available/remoteaction_core_module.inc.php @@ -62,10 +62,8 @@ class remoteaction_core_module { * First set the state */ global $app; - $sql = "UPDATE sys_remoteaction " . - "SET action_state = '" . $app->dbmaster->quote($state) . "' " . - "WHERE action_id = " . intval($id); - $app->dbmaster->query($sql); + $sql = "UPDATE sys_remoteaction SET action_state = ? WHERE action_id = ?"; + $app->dbmaster->query($sql, $state, $id); /* * Then save the maxid for the next time... @@ -103,12 +101,8 @@ class remoteaction_core_module { /* * Get all actions this server should execute */ - $sql = "SELECT action_id, action_type, action_param " . - "FROM sys_remoteaction " . - "WHERE server_id = " . $server_id . " ". - " AND action_id > " . intval($maxid_remote_action) . " ". - "ORDER BY action_id"; - $actions = $app->dbmaster->queryAllRecords($sql); + $sql = "SELECT action_id, action_type, action_param FROM sys_remoteaction WHERE server_id = ? AND action_id > ? ORDER BY action_id"; + $actions = $app->dbmaster->queryAllRecords($sql, $server_id, $maxid_remote_action); /* * process all actions diff --git a/server/plugins-available/backup_plugin.inc.php b/server/plugins-available/backup_plugin.inc.php index 5b46930b10..975a5dd4ed 100644 --- a/server/plugins-available/backup_plugin.inc.php +++ b/server/plugins-available/backup_plugin.inc.php @@ -63,13 +63,13 @@ class backup_plugin { global $app, $conf; $backup_id = intval($data); - $backup = $app->dbmaster->queryOneRecord("SELECT * FROM web_backup WHERE backup_id = $backup_id"); + $backup = $app->dbmaster->queryOneRecord("SELECT * FROM web_backup WHERE backup_id = ?", $backup_id); if(is_array($backup)) { $app->uses('ini_parser,file,getconf,system'); - $web = $app->dbmaster->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$backup['parent_domain_id']); + $web = $app->dbmaster->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $backup['parent_domain_id']); $server_config = $app->getconf->get_server_config($conf['server_id'], 'server'); $backup_dir = $server_config['backup_dir'].'/web'.$web['domain_id']; @@ -172,7 +172,7 @@ class backup_plugin { global $app, $conf; $backup_id = intval($data); - $mail_backup = $app->dbmaster->queryOneRecord("SELECT * FROM mail_backup WHERE backup_id = $backup_id"); + $mail_backup = $app->dbmaster->queryOneRecord("SELECT * FROM mail_backup WHERE backup_id = ?", $backup_id); if (is_array($mail_backup) && $action_name == 'backup_restore_mail') { $app->uses('ini_parser,file,getconf'); @@ -186,13 +186,13 @@ class backup_plugin { if($backup_dir_is_ready){ $mail_config = $app->getconf->get_server_config($conf['server_id'], 'mail'); - $domain_rec = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain_id = ".intval($mail_backup['parent_domain_id'])); + $domain_rec = $app->db->queryOneRecord("SELECT * FROM mail_domain WHERE domain_id = ?", $mail_backup['parent_domain_id']); $backup_dir = $server_config['backup_dir'].'/mail'.$domain_rec['domain_id']; $mail_backup_file = $backup_dir.'/'.$mail_backup['filename']; - $sql = "SELECT * FROM mail_user WHERE server_id = '".$conf['server_id']."' AND mailuser_id = ".intval($mail_backup['mailuser_id']); - $record = $app->db->queryOneRecord($sql); + $sql = "SELECT * FROM mail_user WHERE server_id = ? AND mailuser_id = ?"; + $record = $app->db->queryOneRecord($sql, $conf['server_id'], $mail_backup['mailuser_id']); //* strip mailbox from maildir $domain_dir=explode('/',$record['maildir']); diff --git a/server/plugins-available/bind_dlz_plugin.inc.php b/server/plugins-available/bind_dlz_plugin.inc.php index 63abcc48ce..9de0775d5b 100644 --- a/server/plugins-available/bind_dlz_plugin.inc.php +++ b/server/plugins-available/bind_dlz_plugin.inc.php @@ -121,7 +121,7 @@ class bind_dlz_plugin { $origin = substr($data["new"]["origin"], 0, -1); $ispconfig_id = $data["new"]["id"]; - $serial = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$ispconfig_id); + $serial = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $ispconfig_id); $ttl = $data["new"]["ttl"]; diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php index 2f7f932224..3b55dbcc31 100644 --- a/server/plugins-available/bind_plugin.inc.php +++ b/server/plugins-available/bind_plugin.inc.php @@ -102,7 +102,7 @@ class bind_plugin { $zone = $data['new']; $tpl->setVar($zone); - $records = $app->db->queryAllRecords("SELECT * FROM dns_rr WHERE zone = ".$zone['id']." AND active = 'Y'"); + $records = $app->db->queryAllRecords("SELECT * FROM dns_rr WHERE zone = ? AND active = 'Y'", $zone['id']); if(is_array($records) && !empty($records)){ for($i=0;$idb->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$data['new']['zone']); + $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['new']['zone']); $data["new"] = $tmp; $data["old"] = $tmp; $this->action = 'update'; @@ -293,7 +293,7 @@ class bind_plugin { global $app, $conf; //* Get the data of the soa and call soa_update - $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$data['new']['zone']); + $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['new']['zone']); $data["new"] = $tmp; $data["old"] = $tmp; $this->action = 'update'; @@ -305,7 +305,7 @@ class bind_plugin { global $app, $conf; //* Get the data of the soa and call soa_update - $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".intval($data['old']['zone'])); + $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['old']['zone']); $data["new"] = $tmp; $data["old"] = $tmp; $this->action = 'update'; @@ -319,18 +319,10 @@ class bind_plugin { global $app, $conf; //* Only write the master file for the current server - $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl FROM dns_soa WHERE active = 'Y' AND server_id=".$conf["server_id"]); + $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]); $zones = array(); //* Check if the current zone that triggered this function has at least one NS record - /* Has been replaced by a better zone check - $rec_num = $app->db->queryOneRecord("SELECT count(id) as ns FROM dns_rr WHERE type = 'NS' AND zone = ".intval($data['new']['id'])." AND active = 'Y'"); - if($rec_num['ns'] == 0) { - $exclude_zone = $data['new']['origin']; - } else { - $exclude_zone = ''; - } - */ //TODO : change this when distribution information has been integrated into server record if (file_exists('/etc/gentoo-release')) { @@ -370,7 +362,7 @@ class bind_plugin { $tpl->setLoop('zones', $zones); //* And loop through the secondary zones, but only for the current server - $tmps_sec = $app->db->queryAllRecords("SELECT origin, xfer, ns FROM dns_slave WHERE active = 'Y' AND server_id=".$conf["server_id"]); + $tmps_sec = $app->db->queryAllRecords("SELECT origin, xfer, ns FROM dns_slave WHERE active = 'Y' AND server_id=?", $conf["server_id"]); $zones_sec = array(); foreach($tmps_sec as $tmp) { diff --git a/server/plugins-available/cron_jailkit_plugin.inc.php b/server/plugins-available/cron_jailkit_plugin.inc.php index 4c95b83c2b..c652f299eb 100644 --- a/server/plugins-available/cron_jailkit_plugin.inc.php +++ b/server/plugins-available/cron_jailkit_plugin.inc.php @@ -76,7 +76,7 @@ class cron_jailkit_plugin { } //* get data from web - $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `domain` FROM `web_domain` WHERE `domain_id` = ".intval($data["new"]["parent_domain_id"])); + $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `domain` FROM `web_domain` WHERE `domain_id` = ?", $data["new"]["parent_domain_id"]); if(!$parent_domain["domain_id"]) { $app->log("Parent domain not found", LOGLEVEL_WARN); return 0; @@ -155,7 +155,7 @@ class cron_jailkit_plugin { return 0; } //* get data from web - $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `domain` FROM `web_domain` WHERE `domain_id` = ".intval($data["new"]["parent_domain_id"])); + $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `domain` FROM `web_domain` WHERE `domain_id` = ?", $data["new"]["parent_domain_id"]); if(!$parent_domain["domain_id"]) { $app->log("Parent domain not found", LOGLEVEL_WARN); return 0; @@ -333,7 +333,7 @@ class cron_jailkit_plugin { $web_config = $app->getconf->get_server_config($conf["server_id"], 'web'); // Get the parent website of this shell user - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->data['new']['parent_domain_id']); //* If the security level is set to high if($web_config['security_level'] == 20 && is_array($web)) { diff --git a/server/plugins-available/cron_plugin.inc.php b/server/plugins-available/cron_plugin.inc.php index 9bda43345e..307762d78f 100644 --- a/server/plugins-available/cron_plugin.inc.php +++ b/server/plugins-available/cron_plugin.inc.php @@ -92,7 +92,7 @@ class cron_plugin { } //* get data from web - $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `hd_quota` FROM `web_domain` WHERE `domain_id` = ".intval($data["new"]["parent_domain_id"])); + $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `hd_quota` FROM `web_domain` WHERE `domain_id` = ?", $data["new"]["parent_domain_id"]); if(!$parent_domain["domain_id"]) { $app->log("Parent domain not found", LOGLEVEL_WARN); return 0; @@ -105,7 +105,7 @@ class cron_plugin { } // Get the client ID - $client = $app->dbmaster->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ".intval($data["new"]["sys_groupid"])); + $client = $app->dbmaster->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ?", $data["new"]["sys_groupid"]); $client_id = intval($client["client_id"]); unset($client); @@ -161,14 +161,14 @@ class cron_plugin { global $app, $conf; //* get data from web - $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `hd_quota` FROM `web_domain` WHERE `domain_id` = ".intval($data["old"]["parent_domain_id"])); + $parent_domain = $app->db->queryOneRecord("SELECT `domain_id`, `system_user`, `system_group`, `document_root`, `hd_quota` FROM `web_domain` WHERE `domain_id` = ?", $data["old"]["parent_domain_id"]); if(!$parent_domain["domain_id"]) { $app->log("Parent domain not found", LOGLEVEL_WARN); return 0; } // Get the client ID - $client = $app->dbmaster->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ".intval($data["old"]["sys_groupid"])); + $client = $app->dbmaster->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = ?", $data["old"]["sys_groupid"]); $client_id = intval($client["client_id"]); unset($client); @@ -196,7 +196,7 @@ class cron_plugin { $chr_cmd_count = 0; //* read all active cron jobs from database and write them to file - $cron_jobs = $app->db->queryAllRecords("SELECT c.`run_min`, c.`run_hour`, c.`run_mday`, c.`run_month`, c.`run_wday`, c.`command`, c.`type`, c.`log`, `web_domain`.`domain` as `domain` FROM `cron` as c INNER JOIN `web_domain` ON `web_domain`.`domain_id` = c.`parent_domain_id` WHERE c.`parent_domain_id` = ".intval($this->parent_domain["domain_id"]) . " AND c.`active` = 'y'"); + $cron_jobs = $app->db->queryAllRecords("SELECT c.`run_min`, c.`run_hour`, c.`run_mday`, c.`run_month`, c.`run_wday`, c.`command`, c.`type`, c.`log`, `web_domain`.`domain` as `domain` FROM `cron` as c INNER JOIN `web_domain` ON `web_domain`.`domain_id` = c.`parent_domain_id` WHERE c.`parent_domain_id` = ? AND c.`active` = 'y'", $this->parent_domain["domain_id"]); if($cron_jobs && count($cron_jobs) > 0) { foreach($cron_jobs as $job) { if($job['run_month'] == '@reboot') { diff --git a/server/plugins-available/ftpuser_base_plugin.inc.php b/server/plugins-available/ftpuser_base_plugin.inc.php index d46936100d..484a0f7da4 100644 --- a/server/plugins-available/ftpuser_base_plugin.inc.php +++ b/server/plugins-available/ftpuser_base_plugin.inc.php @@ -74,7 +74,7 @@ class ftpuser_base_plugin { if(!is_dir($data['new']['dir'])) { $app->log("FTP User directory '".$data['new']['dir']."' does not exist. Creating it now.", LOGLEVEL_DEBUG); - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); //* Check if the resulting path is inside the docroot if(substr($data['new']['dir'], 0, strlen($web['document_root'])) != $web['document_root']) { @@ -100,7 +100,7 @@ class ftpuser_base_plugin { if(!is_dir($data['new']['dir'])) { $app->log("FTP User directory '".$data['new']['dir']."' does not exist. Creating it now.", LOGLEVEL_DEBUG); - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); //* Check if the resulting path is inside the docroot if(substr($data['new']['dir'], 0, strlen($web['document_root'])) != $web['document_root']) { diff --git a/server/plugins-available/mail_plugin.inc.php b/server/plugins-available/mail_plugin.inc.php index 9b94fc20ce..74d2b53504 100644 --- a/server/plugins-available/mail_plugin.inc.php +++ b/server/plugins-available/mail_plugin.inc.php @@ -98,10 +98,10 @@ class mail_plugin { if ($mail_config["mailbox_virtual_uidgid_maps"] == 'y') { $app->log('Map uid to linux-user',LOGLEVEL_DEBUG); $email_parts = explode('@',$data['new']['email']); - $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain = '".$app->db->quote($email_parts[1])."'"); + $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain = ?", $email_parts[1]); if ($webdomain) { while (($webdomain['system_user'] == null) && ($webdomain['parent_domain_id'] != 0)) { - $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain_id = '".$webdomain['parent_domain_id']."'"); + $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain_id = ?", $webdomain['parent_domain_id']); } $app->log($data['new']['server_id'].' == '.$webdomain['server_id'],LOGLEVEL_DEBUG); @@ -118,7 +118,7 @@ class mail_plugin { $app->log('Mailuser uid: '.$data['new']['uid'].', gid: '.$data['new']['gid'],LOGLEVEL_DEBUG); // update DB if values changed - $app->db->query("UPDATE mail_user SET uid = ".$data['new']['uid'].", gid = ".$data['new']['gid']." WHERE mailuser_id = ".$data['new']['mailuser_id']); + $app->db->query("UPDATE mail_user SET uid = ?, gid = ? WHERE mailuser_id = ?", $data['new']['uid'], $data['new']['gid'], $data['new']['mailuser_id']); // now get names of uid and gid $user = $app->system->getuser($data['new']['uid']); @@ -264,10 +264,10 @@ class mail_plugin { if ($mail_config["mailbox_virtual_uidgid_maps"] == 'y') { $app->log('Map uid to linux-user',LOGLEVEL_DEBUG); $email_parts = explode('@',$data['new']['email']); - $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain = '".$app->db->quote($email_parts[1])."'"); + $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain = ?", $email_parts[1]); if ($webdomain) { while ($webdomain['parent_domain_id'] != 0) { - $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain_id = '".$webdomain['parent_domain_id']."'"); + $webdomain = $app->db->queryOneRecord("SELECT domain_id, server_id, system_user, parent_domain_id FROM web_domain WHERE domain_id = ?", $webdomain['parent_domain_id']); } $app->log($data['new']['server_id'].' == '.$webdomain['server_id'],LOGLEVEL_DEBUG); @@ -284,7 +284,7 @@ class mail_plugin { $app->log('Mailuser uid: '.$data['new']['uid'].', gid: '.$data['new']['gid'],LOGLEVEL_DEBUG); // update DB if values changed - $app->db->query("UPDATE mail_user SET uid = ".$data['new']['uid'].", gid = ".$data['new']['gid']." WHERE mailuser_id = ".$data['new']['mailuser_id']); + $app->db->query("UPDATE mail_user SET uid = ?, gid = ? WHERE mailuser_id = ?", $data['new']['uid'], $data['new']['gid'], $data['new']['mailuser_id']); $user = $app->system->getuser($data['new']['uid']); $group = $app->system->getgroup($data['new']['gid']); diff --git a/server/plugins-available/maildeliver_plugin.inc.php b/server/plugins-available/maildeliver_plugin.inc.php index 85293ae408..a6f9ae567e 100644 --- a/server/plugins-available/maildeliver_plugin.inc.php +++ b/server/plugins-available/maildeliver_plugin.inc.php @@ -165,8 +165,8 @@ class maildeliver_plugin { $tpl->setVar('autoresponder_text', $data["new"]["autoresponder_text"]); //* Set alias addresses for autoresponder - $sql = "SELECT * FROM mail_forwarding WHERE type = 'alias' AND destination = '".$app->db->quote($data["new"]["email"])."'"; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM mail_forwarding WHERE type = 'alias' AND destination = ?"; + $records = $app->db->queryAllRecords($sql, $data["new"]["email"]); $addresses = array(); $addresses[] = $data["new"]["email"]; @@ -181,8 +181,8 @@ class maildeliver_plugin { $alias_addresses = array(); $email_parts = explode('@', $data["new"]["email"]); - $sql = "SELECT * FROM mail_forwarding WHERE type = 'aliasdomain' AND destination = '@".$app->db->quote($email_parts[1])."'"; - $records = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM mail_forwarding WHERE type = 'aliasdomain' AND destination = ?"; + $records = $app->db->queryAllRecords($sql, '@'.$email_parts[1]); if(is_array($records) && count($records) > 0) { $app->log("Found " . count($records) . " records (aliasdomains).", LOGLEVEL_DEBUG); foreach($records as $rec) { diff --git a/server/plugins-available/mailman_plugin.inc.php b/server/plugins-available/mailman_plugin.inc.php index acf4eb9363..9ebb2aa9a7 100644 --- a/server/plugins-available/mailman_plugin.inc.php +++ b/server/plugins-available/mailman_plugin.inc.php @@ -78,7 +78,7 @@ class mailman_plugin { if(is_file('/var/lib/mailman/data/transport-mailman')) exec('postmap /var/lib/mailman/data/transport-mailman'); exec('nohup '.$conf['init_scripts'] . '/' . 'mailman reload >/dev/null 2>&1 &'); - $app->db->query("UPDATE mail_mailinglist SET password = '' WHERE mailinglist_id = ".$app->db->quote($data["new"]['mailinglist_id'])); + $app->db->query("UPDATE mail_mailinglist SET password = '' WHERE mailinglist_id = ?", $data["new"]['mailinglist_id']); } @@ -91,7 +91,7 @@ class mailman_plugin { if($data["new"]["password"] != $data["old"]["password"] && $data["new"]["password"] != '') { exec("nohup /usr/lib/mailman/bin/change_pw -l ".escapeshellcmd($data["new"]["listname"])." -p ".escapeshellcmd($data["new"]["password"])." >/dev/null 2>&1 &"); exec('nohup '.$conf['init_scripts'] . '/' . 'mailman reload >/dev/null 2>&1 &'); - $app->db->query("UPDATE mail_mailinglist SET password = '' WHERE mailinglist_id = ".$app->db->quote($data["new"]['mailinglist_id'])); + $app->db->query("UPDATE mail_mailinglist SET password = '' WHERE mailinglist_id = ?", $data["new"]['mailinglist_id']); } if(is_file('/var/lib/mailman/data/virtual-mailman')) exec('postmap /var/lib/mailman/data/virtual-mailman'); diff --git a/server/plugins-available/network_settings_plugin.inc.php b/server/plugins-available/network_settings_plugin.inc.php index 46242d9840..13dbf3c8c1 100644 --- a/server/plugins-available/network_settings_plugin.inc.php +++ b/server/plugins-available/network_settings_plugin.inc.php @@ -101,7 +101,7 @@ class network_settings_plugin { $network_tpl->setVar('broadcast', $this->broadcast($server_config['ip_address'], $server_config['netmask'])); $network_tpl->setVar('network', $this->network($server_config['ip_address'], $server_config['netmask'])); - $records = $app->db->queryAllRecords("SELECT ip_address FROM server_ip WHERE server_id = ".intval($conf['server_id']) . ' ORDER BY server_ip_id ASC'); + $records = $app->db->queryAllRecords("SELECT ip_address FROM server_ip WHERE server_id = ? ORDER BY server_ip_id ASC", $conf['server_id']); $ip_records = array(); $additionl_ip_records = 0; $n = 0; @@ -179,7 +179,7 @@ class network_settings_plugin { $network_tpl->setVar('gateway', $server_config['gateway']); $network_tpl->setVar('broadcast', $this->broadcast($server_config['ip_address'], $server_config['netmask'])); - $records = $app->db->queryAllRecords("SELECT ip_address FROM server_ip WHERE server_id = ".intval($conf['server_id']) . " order by ip_address"); + $records = $app->db->queryAllRecords("SELECT ip_address FROM server_ip WHERE server_id = ? order by ip_address", $conf['server_id']); $ip_records = array(); $additionl_ip_records = 0; $n = 0; diff --git a/server/plugins-available/nginx_reverseproxy_plugin.inc.php b/server/plugins-available/nginx_reverseproxy_plugin.inc.php index 1f68649fbf..b5881dbf24 100644 --- a/server/plugins-available/nginx_reverseproxy_plugin.inc.php +++ b/server/plugins-available/nginx_reverseproxy_plugin.inc.php @@ -70,7 +70,7 @@ class nginx_reverseproxy_plugin { // If the parent_domain_id has been chenged, we will have to update the old site as well. if($this->action == 'update' && $data['new']['parent_domain_id'] != $data['old']['parent_domain_id']) { - $tmp = $app->dbmaster->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = '.$old_parent_domain_id." AND active = 'y'"); + $tmp = $app->dbmaster->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ? AND active = 'y'", $old_parent_domain_id); $data['new'] = $tmp; $data['old'] = $tmp; $this->action = 'update'; @@ -78,7 +78,7 @@ class nginx_reverseproxy_plugin { } // This is not a vhost, so we need to update the parent record instead. - $tmp = $app->dbmaster->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = '.$new_parent_domain_id." AND active = 'y'"); + $tmp = $app->dbmaster->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ? AND active = 'y'", $new_parent_domain_id); $data['new'] = $tmp; $data['old'] = $tmp; $this->action = 'update'; @@ -130,7 +130,7 @@ class nginx_reverseproxy_plugin { // get alias domains (co-domains and subdomains) - $aliases = $app->dbmaster->queryAllRecords('SELECT * FROM web_domain WHERE parent_domain_id = '.$data['new']['domain_id']." AND (type != 'vhostsubdomain' OR type != 'vhostalias') AND active = 'y'"); + $aliases = $app->dbmaster->queryAllRecords("SELECT * FROM web_domain WHERE parent_domain_id = ? AND (type != 'vhostsubdomain' OR type != 'vhostalias') AND active = 'y'", $data['new']['domain_id']); $server_alias = array(); switch($data['new']['subdomain']) { case 'www': @@ -243,7 +243,7 @@ class nginx_reverseproxy_plugin { //* Save a SSL certificate to disk if($data["new"]["ssl_action"] == 'save') { - $web = $app->masterdb->queryOneRecord("select wd.document_root, sp.ip_address from web_domain wd INNER JOIN server_ip sp USING(server_id) WHERE domain = '".$data['new']['domain']."'"); + $web = $app->masterdb->queryOneRecord("select wd.document_root, sp.ip_address from web_domain wd INNER JOIN server_ip sp USING(server_id) WHERE domain = ?", $data['new']['domain']); $src_ssl_dir = $web["document_root"]."/ssl"; //$domain = $data["new"]["ssl_domain"]; diff --git a/server/plugins-available/openvz_plugin.inc.php b/server/plugins-available/openvz_plugin.inc.php index a50c3def49..d6abced17f 100644 --- a/server/plugins-available/openvz_plugin.inc.php +++ b/server/plugins-available/openvz_plugin.inc.php @@ -85,7 +85,7 @@ class openvz_plugin { return; } - $tmp = $app->db->queryOneRecord("SELECT template_file FROM openvz_ostemplate WHERE ostemplate_id = ".$data['new']['ostemplate_id']); + $tmp = $app->db->queryOneRecord("SELECT template_file FROM openvz_ostemplate WHERE ostemplate_id = ?", $data['new']['ostemplate_id']); $ostemplate = escapeshellcmd($tmp['template_file']); unset($tmp); diff --git a/server/plugins-available/pma_symlink_plugin.inc.php b/server/plugins-available/pma_symlink_plugin.inc.php index db9b6f7f62..6b9b4fb264 100644 --- a/server/plugins-available/pma_symlink_plugin.inc.php +++ b/server/plugins-available/pma_symlink_plugin.inc.php @@ -81,7 +81,7 @@ class pma_symlink_plugin { // If the parent_domain_id has been chenged, we will have to update the old site as well. if($this->action == 'update' && $data["new"]["parent_domain_id"] != $data["old"]["parent_domain_id"]) { - $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$old_parent_domain_id." AND active = 'y'"); + $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ? AND active = 'y'", $old_parent_domain_id); $data["new"] = $tmp; $data["old"] = $tmp; $this->action = 'update'; @@ -89,7 +89,7 @@ class pma_symlink_plugin { } // This is not a vhost, so we need to update the parent record instead. - $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$new_parent_domain_id." AND active = 'y'"); + $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ? AND active = 'y'", $new_parent_domain_id); $data["new"] = $tmp; $data["old"] = $tmp; $this->action = 'update'; diff --git a/server/plugins-available/postfix_filter_plugin.inc.php b/server/plugins-available/postfix_filter_plugin.inc.php index 867df253a5..9c97ff1fa8 100644 --- a/server/plugins-available/postfix_filter_plugin.inc.php +++ b/server/plugins-available/postfix_filter_plugin.inc.php @@ -80,8 +80,8 @@ class postfix_filter_plugin { $type = $data["new"]["type"]; if($type != '') { - $sql = "SELECT * FROM mail_content_filter WHERE server_id = ".intval($conf["server_id"])." AND type = '".$app->db->quote($type)."' AND active = 'y'"; - $rules = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM mail_content_filter WHERE server_id = ? AND type = ?' AND active = 'y'"; + $rules = $app->db->queryAllRecords($sql, $conf["server_id"], $type); $content = ''; foreach($rules as $rule) { $content .= $rule["pattern"]; @@ -111,8 +111,8 @@ class postfix_filter_plugin { $type = $data["old"]["type"]; if($type != '') { - $sql = "SELECT * FROM mail_content_filter WHERE server_id = ".intval($conf["server_id"])." AND type = '".$app->db->quote($type)."' AND active = 'y'"; - $rules = $app->db->queryAllRecords($sql); + $sql = "SELECT * FROM mail_content_filter WHERE server_id = ? AND type = ? AND active = 'y'"; + $rules = $app->db->queryAllRecords($sql, $conf["server_id"], $type); $content = ''; foreach($rules as $rule) { $content .= $rule["pattern"]; diff --git a/server/plugins-available/powerdns_plugin.inc.php b/server/plugins-available/powerdns_plugin.inc.php index 14c244714b..412050d009 100644 --- a/server/plugins-available/powerdns_plugin.inc.php +++ b/server/plugins-available/powerdns_plugin.inc.php @@ -132,9 +132,9 @@ class powerdns_plugin { $origin = substr($data["new"]["origin"], 0, -1); $ispconfig_id = $data["new"]["id"]; - $serial = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$ispconfig_id); + $serial = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $ispconfig_id); $serial_id = $serial["serial"]; - $app->db->query("INSERT INTO powerdns.domains (name, type, notified_serial, ispconfig_id) VALUES ('$origin', 'MASTER', $serial_id, $ispconfig_id)"); + $app->db->query("INSERT INTO powerdns.domains (name, type, notified_serial, ispconfig_id) VALUES (?, ?, ?, ?)", $origin, 'MASTER', $serial_id, $ispconfig_id); $zone_id = $app->db->insertID(); if(substr($data["new"]["ns"], -1) == '.'){ $ns = substr($data["new"]["ns"], 0, -1); @@ -147,7 +147,7 @@ class powerdns_plugin { $content = $ns.' '.$hostmaster.' '.$data["new"]["serial"].' '.$data["new"]["refresh"].' '.$data["new"]["retry"].' '.$data["new"]["expire"].' '.$data["new"]["minimum"]; $ttl = $data["new"]["ttl"]; - $app->db->query("INSERT INTO powerdns.records (domain_id, name, type, content, ttl, prio, change_date, ispconfig_id) VALUES ($zone_id, '$origin', 'SOA', '$content', $ttl, 0, ".time().", $ispconfig_id)"); + $app->db->query("INSERT INTO powerdns.records (domain_id, name, type, content, ttl, prio, change_date, ispconfig_id) VALUES (?, ?, 'SOA', ?, ?, 0, UNIX_TIMESTAMP(), ?)", $zone_id, $origin, $content, $ttl, $ispconfig_id); //* tell pdns to rediscover zones in DB $this->zoneRediscover(); @@ -164,7 +164,7 @@ class powerdns_plugin { if($data["old"]["active"] != 'Y') return; $this->soa_delete($event_name, $data); } else { - $exists = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ".$data["new"]["id"]); + $exists = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ?", $data["new"]["id"]); if($data["old"]["active"] == 'Y' && is_array($exists)){ $origin = substr($data["new"]["origin"], 0, -1); $ispconfig_id = $data["new"]["id"]; @@ -179,7 +179,7 @@ class powerdns_plugin { $hostmaster = substr($data["new"]["mbox"], 0, -1); $content = $ns.' '.$hostmaster.' '.$data["new"]["serial"].' '.$data["new"]["refresh"].' '.$data["new"]["retry"].' '.$data["new"]["expire"].' '.$data["new"]["minimum"]; $ttl = $data["new"]["ttl"]; - $app->db->query("UPDATE powerdns.records SET name = '$origin', content = '$content', ttl = $ttl, change_date = ".time()." WHERE ispconfig_id = ".$data["new"]["id"]." AND type = 'SOA'"); + $app->db->query("UPDATE powerdns.records SET name = ?, content = ?, ttl = ?, change_date = UNIX_TIMESTAMP() WHERE ispconfig_id = ? AND type = 'SOA'", $origin, $content, $ttl, $data["new"]["id"]); //* tell pdns to use 'pdnssec rectify' on the new zone $this->rectifyZone($data); @@ -188,7 +188,7 @@ class powerdns_plugin { } else { $this->soa_insert($event_name, $data); $ispconfig_id = $data["new"]["id"]; - if($records = $app->db->queryAllRecords("SELECT * FROM dns_rr WHERE zone = $ispconfig_id AND active = 'Y'")){ + if($records = $app->db->queryAllRecords("SELECT * FROM dns_rr WHERE zone = ? AND active = 'Y'", $ispconfig_id)){ foreach($records as $record){ foreach($record as $key => $val){ $data["new"][$key] = $val; @@ -207,10 +207,10 @@ class powerdns_plugin { function soa_delete($event_name, $data) { global $app, $conf; - $zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ".$data["old"]["id"]." AND type = 'MASTER'"); + $zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ? AND type = 'MASTER'", $data["old"]["id"]); $zone_id = $zone["id"]; - $app->db->query("DELETE FROM powerdns.records WHERE domain_id = $zone_id"); - $app->db->query("DELETE FROM powerdns.domains WHERE id = $zone_id"); + $app->db->query("DELETE FROM powerdns.records WHERE domain_id = ?", $zone_id); + $app->db->query("DELETE FROM powerdns.domains WHERE id = ?", $zone_id); } function slave_insert($event_name, $data) { @@ -222,7 +222,7 @@ class powerdns_plugin { $ispconfig_id = $data["new"]["id"]; $master_ns = $data["new"]["ns"]; - $app->db->query("INSERT INTO powerdns.domains (name, type, master, ispconfig_id) VALUES ('$origin', 'SLAVE', '$master_ns', $ispconfig_id)"); + $app->db->query("INSERT INTO powerdns.domains (name, type, master, ispconfig_id) VALUES (?, ?, ?, ?)", $origin, 'SLAVE', $master_ns, $ispconfig_id); $zone_id = $app->db->insertID(); @@ -243,12 +243,12 @@ class powerdns_plugin { $ispconfig_id = $data["new"]["id"]; $master_ns = $data["new"]["ns"]; - $app->db->query("UPDATE powerdns.domains SET name = '$origin', type = 'SLAVE', master = '$master_ns' WHERE ispconfig_id=$ispconfig_id AND type = 'SLAVE'"); + $app->db->query("UPDATE powerdns.domains SET name = ?, type = 'SLAVE', master = ? WHERE ispconfig_id=? AND type = 'SLAVE'", $origin, $master_ns, $ispconfig_id); $zone_id = $app->db->insertID(); - $zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ".$ispconfig_id." AND type = 'SLAVE'"); + $zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ? AND type = 'SLAVE'", $ispconfig_id); $zone_id = $zone["id"]; - $app->db->query("DELETE FROM powerdns.records WHERE domain_id = $zone_id AND ispconfig_id = 0"); + $app->db->query("DELETE FROM powerdns.records WHERE domain_id = ? AND ispconfig_id = 0", $zone_id); //* tell pdns to fetch zone from master server $this->fetchFromMaster($data); @@ -264,21 +264,21 @@ class powerdns_plugin { function slave_delete($event_name, $data) { global $app, $conf; - $zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ".$data["old"]["id"]." AND type = 'SLAVE'"); + $zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ? AND type = 'SLAVE'", $data["old"]["id"]); $zone_id = $zone["id"]; - $app->db->query("DELETE FROM powerdns.records WHERE domain_id = $zone_id"); - $app->db->query("DELETE FROM powerdns.domains WHERE id = $zone_id"); + $app->db->query("DELETE FROM powerdns.records WHERE domain_id = ?", $zone_id); + $app->db->query("DELETE FROM powerdns.domains WHERE id = ?", $zone_id); } function rr_insert($event_name, $data) { global $app, $conf; if($data["new"]["active"] != 'Y') return; - $exists = $app->db->queryOneRecord("SELECT * FROM powerdns.records WHERE ispconfig_id = ".$data["new"]["id"]); + $exists = $app->db->queryOneRecord("SELECT * FROM powerdns.records WHERE ispconfig_id = ?", $data["new"]["id"]); if ( is_array($exists) ) return; - $zone = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$data["new"]["zone"]); + $zone = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data["new"]["zone"]); $origin = substr($zone["origin"], 0, -1); - $powerdns_zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ".$data["new"]["zone"]." AND type = 'MASTER'"); + $powerdns_zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ? AND type = 'MASTER'", $data["new"]["zone"]); $zone_id = $powerdns_zone["id"]; $type = $data["new"]["type"]; @@ -327,7 +327,7 @@ class powerdns_plugin { $change_date = time(); $ispconfig_id = $data["new"]["id"]; - $app->db->query("INSERT INTO powerdns.records (domain_id, name, type, content, ttl, prio, change_date, ispconfig_id) VALUES ($zone_id, '$name', '$type', '$content', $ttl, $prio, $change_date, $ispconfig_id)"); + $app->db->query("INSERT INTO powerdns.records (domain_id, name, type, content, ttl, prio, change_date, ispconfig_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", $zone_id, $name, $type, $content, $ttl, $prio, $change_date, $ispconfig_id); //* tell pdns to use 'pdnssec rectify' on the new zone $this->rectifyZone($data); @@ -340,11 +340,11 @@ class powerdns_plugin { if($data["old"]["active"] != 'Y') return; $this->rr_delete($event_name, $data); } else { - $exists = $app->db->queryOneRecord("SELECT * FROM powerdns.records WHERE ispconfig_id = ".$data["new"]["id"]); + $exists = $app->db->queryOneRecord("SELECT * FROM powerdns.records WHERE ispconfig_id = ?", $data["new"]["id"]); if($data["old"]["active"] == 'Y' && is_array($exists)){ - $zone = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$data["new"]["zone"]); + $zone = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data["new"]["zone"]); $origin = substr($zone["origin"], 0, -1); - $powerdns_zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ".$data["new"]["zone"]." AND type = 'MASTER'"); + $powerdns_zone = $app->db->queryOneRecord("SELECT * FROM powerdns.domains WHERE ispconfig_id = ? AND type = 'MASTER'", $data["new"]["zone"]); $zone_id = $powerdns_zone["id"]; $type = $data["new"]["type"]; @@ -392,7 +392,7 @@ class powerdns_plugin { $prio = $data["new"]["aux"]; $change_date = time(); $ispconfig_id = $data["new"]["id"]; - $app->db->query("UPDATE powerdns.records SET name = '$name', type = '$type', content = '$content', ttl = $ttl, prio = $prio, change_date = ".time()." WHERE ispconfig_id = $ispconfig_id AND type != 'SOA'"); + $app->db->query("UPDATE powerdns.records SET name = ?, type = ?, content = ?, ttl = ?, prio = ?, change_date = UNIX_TIMESTAMP() WHERE ispconfig_id = ? AND type != 'SOA'", $name, $type, $content, $ttl, $prio, $ispconfig_id); //* tell pdns to use 'pdnssec rectify' on the new zone $this->rectifyZone($data); @@ -406,7 +406,7 @@ class powerdns_plugin { global $app, $conf; $ispconfig_id = $data["old"]["id"]; - $app->db->query("DELETE FROM powerdns.records WHERE ispconfig_id = $ispconfig_id AND type != 'SOA'"); + $app->db->query("DELETE FROM powerdns.records WHERE ispconfig_id = ? AND type != 'SOA'", $ispconfig_id); } function find_pdns_control() { @@ -475,7 +475,7 @@ class powerdns_plugin { exec($pdns_pdnssec . ' rectify-zone ' . rtrim($data["new"]["origin"],".")); } else { // get origin from DB for all other recordtypes - $zn = $app->db->queryOneRecord("SELECT d.name AS name FROM powerdns.domains d, powerdns.records r WHERE r.ispconfig_id=".$data["new"]["id"]." AND r.domain_id = d.id"); + $zn = $app->db->queryOneRecord("SELECT d.name AS name FROM powerdns.domains d, powerdns.records r WHERE r.ispconfig_id=? AND r.domain_id = d.id", $data["new"]["id"]); exec($pdns_pdnssec . ' rectify-zone ' . trim($zn["name"])); } } diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php index e19796cfca..6105f7bed5 100755 --- a/server/plugins-available/shelluser_base_plugin.inc.php +++ b/server/plugins-available/shelluser_base_plugin.inc.php @@ -79,7 +79,7 @@ class shelluser_base_plugin { } //* Check if the resulting path is inside the docroot - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); if(substr($data['new']['dir'],0,strlen($web['document_root'])) != $web['document_root']) { $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN); return false; @@ -163,7 +163,7 @@ class shelluser_base_plugin { } //* Check if the resulting path is inside the docroot - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); if(substr($data['new']['dir'],0,strlen($web['document_root'])) != $web['document_root']) { $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN); return false; @@ -252,10 +252,10 @@ class shelluser_base_plugin { $userid = intval($app->system->getuid($data['old']['username'])); if($userid > $this->min_uid) { // check if we have to delete the dir - $check = $app->db->queryOneRecord('SELECT shell_user_id FROM `shell_user` WHERE `dir` = \'' . $app->db->quote($data['old']['dir']) . '\''); + $check = $app->db->queryOneRecord('SELECT shell_user_id FROM `shell_user` WHERE `dir` = ?', $data['old']['dir']); if(!$check && is_dir($data['old']['dir'])) { - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['old']['parent_domain_id'])); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['old']['parent_domain_id']); $app->system->web_folder_protection($web['document_root'], false); @@ -311,11 +311,11 @@ class shelluser_base_plugin { global $app; $this->app->log("ssh-rsa setup shelluser_base", LOGLEVEL_DEBUG); // Get the client ID, username, and the key - $domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = '.intval($this->data['new']['parent_domain_id'])); - $sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = '.intval($domain_data['sys_groupid'])); + $domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = ?', $this->data['new']['parent_domain_id']); + $sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = ?', $domain_data['sys_groupid']); $id = intval($sys_group_data['client_id']); $username= $sys_group_data['name']; - $client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = '.$id); + $client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = ?', $id); $userkey = $client_data['ssh_rsa']; unset($domain_data); unset($client_data); @@ -323,7 +323,7 @@ class shelluser_base_plugin { // ssh-rsa authentication variables //$sshrsa = $this->data['new']['ssh_rsa']; $sshrsa = ''; - $ssh_users = $app->db->queryAllRecords("SELECT ssh_rsa FROM shell_user WHERE parent_domain_id = ".intval($this->data['new']['parent_domain_id'])); + $ssh_users = $app->db->queryAllRecords("SELECT ssh_rsa FROM shell_user WHERE parent_domain_id = ?", $this->data['new']['parent_domain_id']); if(is_array($ssh_users)) { foreach($ssh_users as $sshu) { if($sshu['ssh_rsa'] != '') $sshrsa .= "\n".$sshu['ssh_rsa']; @@ -347,7 +347,7 @@ class shelluser_base_plugin { $userkey = $app->system->file_get_contents('/tmp/id_rsa.pub'); // save keypair in client table - $this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote($app->system->file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote($userkey)."' WHERE client_id = ".$id); + $this->app->db->query("UPDATE client SET created_at = UNIX_TIMESTAMP(), id_rsa = ?, ssh_rsa = ? WHERE client_id = ?", $app->system->file_get_contents('/tmp/id_rsa'), $userkey, $id); $app->system->unlink('/tmp/id_rsa'); $app->system->unlink('/tmp/id_rsa.pub'); diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php index 3c8e2948a1..aabbcde234 100755 --- a/server/plugins-available/shelluser_jailkit_plugin.inc.php +++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php @@ -80,7 +80,7 @@ class shelluser_jailkit_plugin { } - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); if(!$app->system->is_allowed_user($data['new']['username'], false, false) || !$app->system->is_allowed_user($data['new']['puser'], true, true) @@ -159,7 +159,7 @@ class shelluser_jailkit_plugin { return false; } - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); if(!$app->system->is_allowed_user($data['new']['username'], false, false) || !$app->system->is_allowed_user($data['new']['puser'], true, true) @@ -232,7 +232,7 @@ class shelluser_jailkit_plugin { return false; } - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['old']['parent_domain_id']); if ($data['old']['chroot'] == "jailkit") { @@ -284,7 +284,7 @@ class shelluser_jailkit_plugin { //add bash.bashrc script //we need to collect the domain name to be used as the HOSTNAME in the bashrc script - $web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".intval($this->data['new']["parent_domain_id"])); + $web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ?", $this->data['new']["parent_domain_id"]); $this->app->load('tpl'); @@ -407,7 +407,7 @@ class shelluser_jailkit_plugin { $web_config = $app->getconf->get_server_config($conf["server_id"], 'web'); // Get the parent website of this shell user - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->data['new']['parent_domain_id']); //* If the security level is set to high if($web_config['security_level'] == 20 && is_array($web)) { @@ -431,11 +431,11 @@ class shelluser_jailkit_plugin { global $app; $this->app->log("ssh-rsa setup shelluser_jailkit", LOGLEVEL_DEBUG); // Get the client ID, username, and the key - $domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = '.intval($this->data['new']['parent_domain_id'])); - $sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = '.intval($domain_data['sys_groupid'])); + $domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = ?', $this->data['new']['parent_domain_id']); + $sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = ?', $domain_data['sys_groupid']); $id = intval($sys_group_data['client_id']); $username= $sys_group_data['name']; - $client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = '.$id); + $client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = ?', $id); $userkey = $client_data['ssh_rsa']; unset($domain_data); unset($client_data); @@ -459,7 +459,7 @@ class shelluser_jailkit_plugin { $userkey = $app->system->file_get_contents('/tmp/id_rsa.pub'); // save keypair in client table - $this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote($app->system->file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote($userkey)."' WHERE client_id = ".$id); + $this->app->db->query("UPDATE client SET created_at = UNIX_TIMESTAMP(), id_rsa = ? ssh_rsa = ? WHERE client_id = ?", $app->system->file_get_contents('/tmp/id_rsa'), $userkey, $id); $app->system->unlink('/tmp/id_rsa'); $app->system->unlink('/tmp/id_rsa.pub'); @@ -532,10 +532,10 @@ class shelluser_jailkit_plugin { global $app, $conf; // check if we have to delete the dir - $check = $app->db->queryOneRecord('SELECT shell_user_id FROM `shell_user` WHERE `dir` = \'' . $app->db->quote($homedir) . '\''); + $check = $app->db->queryOneRecord('SELECT shell_user_id FROM `shell_user` WHERE `dir` = ?', $homedir); if(!$check && is_dir($homedir)) { - $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($parent_domain_id)); + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $parent_domain_id); $app->system->web_folder_protection($web['document_root'], false); // delete dir diff --git a/server/plugins-available/software_update_plugin.inc.php b/server/plugins-available/software_update_plugin.inc.php index 6f12bf890a..ae6b79cfc4 100644 --- a/server/plugins-available/software_update_plugin.inc.php +++ b/server/plugins-available/software_update_plugin.inc.php @@ -67,8 +67,8 @@ class software_update_plugin { private function set_install_status($inst_id, $status) { global $app; - $app->db->query("UPDATE software_update_inst SET status = '{$status}' WHERE software_update_inst_id = '{$inst_id}'"); - $app->dbmaster->query("UPDATE software_update_inst SET status = '{$status}' WHERE software_update_inst_id = '{$inst_id}'"); + $app->db->query("UPDATE software_update_inst SET status = ? WHERE software_update_inst_id = ?", $status, $inst_id); + $app->dbmaster->query("UPDATE software_update_inst SET status = ? WHERE software_update_inst_id = ?", $status, $inst_id); } public function process($event_name, $data) { @@ -76,8 +76,8 @@ class software_update_plugin { //* Get the info of the package: $software_update_id = intval($data["new"]["software_update_id"]); - $software_update = $app->db->queryOneRecord("SELECT * FROM software_update WHERE software_update_id = '$software_update_id'"); - $software_package = $app->db->queryOneRecord("SELECT * FROM software_package WHERE package_name = '".$app->db->quote($software_update['package_name'])."'"); + $software_update = $app->db->queryOneRecord("SELECT * FROM software_update WHERE software_update_id = ?", $software_update_id); + $software_package = $app->db->queryOneRecord("SELECT * FROM software_package WHERE package_name = ?", $software_update['package_name']); if($software_package['package_type'] == 'ispconfig' && !$conf['software_updates_enabled'] == true) { $app->log('Software Updates not enabled on this server. To enable updates, set $conf["software_updates_enabled"] = true; in config.inc.php', LOGLEVEL_WARN); diff --git a/server/plugins-available/webmail_symlink_plugin.inc.php b/server/plugins-available/webmail_symlink_plugin.inc.php index 43cca9b357..c64b706d7e 100644 --- a/server/plugins-available/webmail_symlink_plugin.inc.php +++ b/server/plugins-available/webmail_symlink_plugin.inc.php @@ -81,7 +81,7 @@ class webmail_symlink_plugin { // If the parent_domain_id has been chenged, we will have to update the old site as well. if($this->action == 'update' && $data["new"]["parent_domain_id"] != $data["old"]["parent_domain_id"]) { - $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$old_parent_domain_id." AND active = 'y'"); + $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ? AND active = 'y'", $old_parent_domain_id); $data["new"] = $tmp; $data["old"] = $tmp; $this->action = 'update'; @@ -89,7 +89,7 @@ class webmail_symlink_plugin { } // This is not a vhost, so we need to update the parent record instead. - $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$new_parent_domain_id." AND active = 'y'"); + $tmp = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ? AND active = 'y'", $new_parent_domain_id); $data["new"] = $tmp; $data["old"] = $tmp; $this->action = 'update'; diff --git a/server/plugins-available/webserver_plugin.inc.php b/server/plugins-available/webserver_plugin.inc.php index dd5a50b056..cca339ace0 100644 --- a/server/plugins-available/webserver_plugin.inc.php +++ b/server/plugins-available/webserver_plugin.inc.php @@ -107,7 +107,7 @@ class webserver_plugin { //** read additional php versions of this server - $php_versions = $app->db->queryAllRecords('SELECT server_php_id, php_fastcgi_ini_dir, php_fpm_ini_dir FROM server_php WHERE server_id = ' . intval($conf['server_id'])); + $php_versions = $app->db->queryAllRecords('SELECT server_php_id, php_fastcgi_ini_dir, php_fpm_ini_dir FROM server_php WHERE server_id = ?', $conf['server_id']); foreach($php_versions as $php) { if($php['php_fastcgi_ini_dir'] && $php['php_fastcgi_ini_dir'] . '/php.ini' != $web_config['php_ini_path_cgi']) { $check_files[] = array('file' => $php['php_fastcgi_ini_dir'] . '/php.ini', diff --git a/server/server.php b/server/server.php index 4cf1d353b7..4479b147c5 100644 --- a/server/server.php +++ b/server/server.php @@ -43,14 +43,14 @@ $conf['server_id'] = intval($conf['server_id']); * Try to Load the server configuration from the master-db */ if ($app->dbmaster->connect_error == NULL) { - $server_db_record = $app->dbmaster->queryOneRecord("SELECT * FROM server WHERE server_id = " . $conf['server_id']); + $server_db_record = $app->dbmaster->queryOneRecord("SELECT * FROM server WHERE server_id = ?", $conf['server_id']); if(!is_array($server_db_record)) die('Unable to load the server configuration from database.'); //* Get the number of the last processed datalog_id, if the id of the local server //* is > then the one of the remote system, then use the local ID as we might not have //* reached the remote server during the last run then. - $local_server_db_record = $app->db->queryOneRecord("SELECT * FROM server WHERE server_id = " . $conf['server_id']); + $local_server_db_record = $app->db->queryOneRecord("SELECT * FROM server WHERE server_id = ?", $conf['server_id']); $conf['last_datalog_id'] = (int) max($server_db_record['updated'], $local_server_db_record['updated']); unset($local_server_db_record); @@ -73,7 +73,6 @@ if ($app->dbmaster->connect_error == NULL) { unset($server_db_record); // retrieve admin email address for notifications - //$sys_ini = $app->dbmaster->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1"); $sys_ini = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1"); $conf['sys_ini'] = $app->ini_parser->parse_ini_string(stripslashes($sys_ini['config'])); $conf['admin_mail'] = $conf['sys_ini']['mail']['admin_mail']; @@ -156,9 +155,9 @@ if ($app->db->connect_error == NULL && $app->dbmaster->connect_error == NULL) { // Check if there is anything to update if ($conf['mirror_server_id'] > 0) { - $tmp_rec = $app->dbmaster->queryOneRecord("SELECT count(server_id) as number from sys_datalog WHERE datalog_id > " . $conf['last_datalog_id'] . " AND (server_id = " . $conf['server_id'] . " OR server_id = " . $conf['mirror_server_id'] . " OR server_id = 0)"); + $tmp_rec = $app->dbmaster->queryOneRecord("SELECT count(server_id) as number from sys_datalog WHERE datalog_id > ? AND (server_id = ? OR server_id = ? OR server_id = 0)", $conf['last_datalog_id'], $conf['server_id'], $conf['mirror_server_id']); } else { - $tmp_rec = $app->dbmaster->queryOneRecord("SELECT count(server_id) as number from sys_datalog WHERE datalog_id > " . $conf['last_datalog_id'] . " AND (server_id = " . $conf['server_id'] . " OR server_id = 0)"); + $tmp_rec = $app->dbmaster->queryOneRecord("SELECT count(server_id) as number from sys_datalog WHERE datalog_id > ? AND (server_id = ? OR server_id = 0)", $conf['last_datalog_id'], $conf['server_id']); } $tmp_num_records = $tmp_rec['number']; -- GitLab