Commit 2af58c77 authored by Marius Cramer's avatar Marius Cramer

- finished rewriting of SQL statements

parent f49af084
......@@ -38,7 +38,7 @@ class installer extends installer_base {
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ".$conf["mysql"]["database"].".server WHERE server_id = ".$conf['server_id']);
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
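Review bot: The `??` placeholder at L10 receives a database-qualified name, `$conf["mysql"]["database"] . ".server"`, and whether that is valid depends on how the db layer escapes identifiers, which is not on this page: if it wraps the whole argument in backticks, MySQL looks for a table literally named `db.server`. Confirm the escaper splits on `.`, or pass the two parts as separate arguments, e.g. `SELECT * FROM ??.?? WHERE server_id = ?` with database and table bound separately, if the layer accepts adjacent placeholders. The same qualified-name binding appears in the hunks ending at L27, L34, L41, L72, L101, L108, L115, L147, L155, L183, L190, L205, L212 and L226. The enclosing method starts and ends outside the hunk.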
......
......@@ -182,7 +182,7 @@ class installer_dist extends installer_base {
if(!is_user($cf['vmail_username'])) caselog("$command &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* These postconf commands will be executed on installation and update
$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM server WHERE server_id = ".$conf['server_id']);
$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM server WHERE server_id = ?", $conf['server_id']);
$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
unset($server_ini_rec);
......@@ -396,7 +396,7 @@ class installer_dist extends installer_base {
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ".$conf["mysql"]["database"].".server WHERE server_id = ".$conf['server_id']);
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
......@@ -705,7 +705,7 @@ class installer_dist extends installer_base {
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
$records = $this->db->queryAllRecords('SELECT * FROM '.$conf['mysql']['master_database'].'.server_ip WHERE server_id = '.$conf['server_id']." AND virtualhost = 'y'");
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
if(is_array($records) && count($records) > 0) {
......@@ -813,7 +813,7 @@ class installer_dist extends installer_base {
$tcp_public_services = '';
$udp_public_services = '';
$row = $this->db->queryOneRecord('SELECT * FROM '.$conf["mysql"]["database"].'.firewall WHERE server_id = '.intval($conf['server_id']));
$row = $this->db->queryOneRecord('SELECT * FROM ?? WHERE server_id = ?', $conf["mysql"]["database"] . '.firewall', $conf['server_id']);
if(trim($row["tcp_port"]) != '' || trim($row["udp_port"]) != ''){
$tcp_public_services = trim(str_replace(',', ' ', $row["tcp_port"]));
......@@ -824,7 +824,7 @@ class installer_dist extends installer_base {
}
if(!stristr($tcp_public_services, $conf['apache']['vhost_port'])) {
$tcp_public_services .= ' '.intval($conf['apache']['vhost_port']);
if($row["tcp_port"] != '') $this->db->query("UPDATE firewall SET tcp_port = tcp_port + ',".intval($conf['apache']['vhost_port'])."' WHERE server_id = ".intval($conf['server_id']));
if($row["tcp_port"] != '') $this->db->query("UPDATE firewall SET tcp_port = tcp_port + ? WHERE server_id = ?", ',' . intval($conf['apache']['vhost_port']), $conf['server_id']);
}
$content = str_replace("{TCP_PUBLIC_SERVICES}", $tcp_public_services, $content);
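Review bot: `tcp_port + ?` at L47 is arithmetic in MySQL, not concatenation, so with a bound value such as `',80'` (constructed example) both operands are coerced to numbers and the column ends up holding a number instead of the extended port list; the removed line used the same operator, so the commit carries a pre-existing bug into the rewritten query. The append the surrounding code expects is `CONCAT`: `if($row["tcp_port"] != '') $this->db->query("UPDATE firewall SET tcp_port = CONCAT(tcp_port, ?) WHERE server_id = ?", ',' . intval($conf['apache']['vhost_port']), $conf['server_id']);`. The same line appears at L120 in the hunk ending at L122. The enclosing method starts and ends outside the hunk.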
......@@ -1024,13 +1024,11 @@ class installer_dist extends installer_base {
$file_server_enabled = ($conf['services']['file'])?1:0;
$db_server_enabled = ($conf['services']['db'])?1:0;
$vserver_server_enabled = ($conf['services']['vserver'])?1:0;
$sql = "UPDATE `server` SET mail_server = '$mail_server_enabled', web_server = '$web_server_enabled', dns_server = '$dns_server_enabled', file_server = '$file_server_enabled', db_server = '$db_server_enabled', vserver_server = '$vserver_server_enabled' WHERE server_id = ".intval($conf['server_id']);
$sql = "UPDATE `server` SET mail_server = ?, web_server = ?, dns_server = ?, file_server = ?, db_server = ?, vserver_server = ? WHERE server_id = ?";
$this->db->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']);
if($conf['mysql']['master_slave_setup'] == 'y') {
$this->dbmaster->query($sql);
$this->db->query($sql);
} else {
$this->db->query($sql);
$this->dbmaster->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']);
}
// chown install dir to root and chmod 755
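Review bot: If the rendering preserves line placement, the master/slave branches at L57-L63 come out inverted: the new `$this->db->query($sql, ...)` at L56 runs unconditionally, the `== 'y'` branch is left empty, and the new `$this->dbmaster->query($sql, ...)` at L62 sits in the `else` branch, so a master/slave setup never writes the server flags to the master while a single-server setup issues the same update twice. The removed lines ran `dbmaster->query` only when `master_slave_setup` was `'y'`. Keep L56 as the unconditional local update, move the dbmaster call into the `'y'` branch and drop the `else`: `if($conf['mysql']['master_slave_setup'] == 'y') $this->dbmaster->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']);`. The same layout recurs in the hunks ending at L86 and L137. The enclosing method starts and ends outside the hunk.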
......
......@@ -540,7 +540,7 @@ class installer extends installer_base
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
$records = $this->db->queryAllRecords('SELECT * FROM '.$conf['mysql']['master_database'].'.server_ip WHERE server_id = '.$conf['server_id']." AND virtualhost = 'y'");
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
if(is_array($records) && count($records) > 0) {
......@@ -889,13 +889,11 @@ class installer extends installer_base
$db_server_enabled = ($conf['services']['db'])?1:0;
$vserver_server_enabled = ($conf['services']['vserver'])?1:0;
$sql = "UPDATE `server` SET mail_server = '$mail_server_enabled', web_server = '$web_server_enabled', dns_server = '$dns_server_enabled', file_server = '$file_server_enabled', db_server = '$db_server_enabled', vserver_server = '$vserver_server_enabled' WHERE server_id = ".intval($conf['server_id']);
$sql = "UPDATE `server` SET mail_server = ?, web_server = ?, dns_server = ?, file_server = ?, db_server = ?, vserver_server = ? WHERE server_id = ?";
$this->db->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']);
if($conf['mysql']['master_slave_setup'] == 'y') {
$this->dbmaster->query($sql);
$this->db->query($sql);
} else {
$this->db->query($sql);
$this->dbmaster->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']);
}
// chown install dir to root and chmod 755
......
......@@ -212,7 +212,7 @@ class installer_dist extends installer_base {
if($cf['vmail_mailbox_base'] != '' && strlen($cf['vmail_mailbox_base']) >= 10 && $this->is_update === false) exec('chown -R '.$cf['vmail_username'].':'.$cf['vmail_groupname'].' '.$cf['vmail_mailbox_base']);
//* These postconf commands will be executed on installation and update
$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM server WHERE server_id = ".$conf['server_id']);
$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM server WHERE server_id = ?", $conf['server_id']);
$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
unset($server_ini_rec);
......@@ -451,7 +451,7 @@ class installer_dist extends installer_base {
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ".$conf["mysql"]["database"].".server WHERE server_id = ".$conf['server_id']);
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
......@@ -737,7 +737,7 @@ class installer_dist extends installer_base {
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
$records = $this->db->queryAllRecords('SELECT * FROM '.$conf['mysql']['master_database'].'.server_ip WHERE server_id = '.$conf['server_id']." AND virtualhost = 'y'");
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
if(is_array($records) && count($records) > 0) {
......@@ -887,7 +887,7 @@ class installer_dist extends installer_base {
$tcp_public_services = '';
$udp_public_services = '';
$row = $this->db->queryOneRecord('SELECT * FROM '.$conf["mysql"]["database"].'.firewall WHERE server_id = '.intval($conf['server_id']));
$row = $this->db->queryOneRecord('SELECT * FROM ?? WHERE server_id = ?', $conf["mysql"]["database"] . '.firewall', $conf['server_id']);
if(trim($row["tcp_port"]) != '' || trim($row["udp_port"]) != ''){
$tcp_public_services = trim(str_replace(',', ' ', $row["tcp_port"]));
......@@ -899,7 +899,7 @@ class installer_dist extends installer_base {
if(!stristr($tcp_public_services, $conf['apache']['vhost_port'])) {
$tcp_public_services .= ' '.intval($conf['apache']['vhost_port']);
if($row["tcp_port"] != '') $this->db->query("UPDATE firewall SET tcp_port = tcp_port + ',".intval($conf['apache']['vhost_port'])."' WHERE server_id = ".intval($conf['server_id']));
if($row["tcp_port"] != '') $this->db->query("UPDATE firewall SET tcp_port = tcp_port + ? WHERE server_id = ?", ',' . intval($conf['apache']['vhost_port']), $conf['server_id']);
}
$content = str_replace("{TCP_PUBLIC_SERVICES}", $tcp_public_services, $content);
......@@ -1097,13 +1097,11 @@ class installer_dist extends installer_base {
$file_server_enabled = ($conf['services']['file'])?1:0;
$db_server_enabled = ($conf['services']['db'])?1:0;
$vserver_server_enabled = ($conf['services']['vserver'])?1:0;
$sql = "UPDATE `server` SET mail_server = '$mail_server_enabled', web_server = '$web_server_enabled', dns_server = '$dns_server_enabled', file_server = '$file_server_enabled', db_server = '$db_server_enabled', vserver_server = '$vserver_server_enabled' WHERE server_id = ".intval($conf['server_id']);
$sql = "UPDATE `server` SET mail_server = ?, web_server = ?, dns_server = ?, file_server = ?, db_server = ?, vserver_server = ? WHERE server_id = ?";
$this->db->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']););
if($conf['mysql']['master_slave_setup'] == 'y') {
$this->dbmaster->query($sql);
$this->db->query($sql);
} else {
$this->db->query($sql);
$this->dbmaster->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']););
}
// chown install dir to root and chmod 755
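Review bot: Both rewritten calls at L129 and L135 end in `$conf['server_id']););`, a stray `);` that is a parse error, so this installer file will not load at all. The corresponding lines in the hunks ending at L64 and L86 have the correct single `);`; drop the extra `);` on both lines here. The enclosing method starts and ends outside the hunk.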
......
......@@ -124,7 +124,7 @@ function updateDbAndIni() {
global $inst, $conf;
//* Update $conf array with values from the server.ini that shall be preserved
$tmp = $inst->db->queryOneRecord("SELECT * FROM ".$conf["mysql"]["database"].".server WHERE server_id = ".$conf['server_id']);
$tmp = $inst->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
$current_db_version = (isset($tmp['dbversion']))?intval($tmp['dbversion']):0;
......@@ -218,8 +218,8 @@ function updateDbAndIni() {
}
//* update the database version in server table
$inst->db->query("UPDATE ".$conf["mysql"]["database"].".server SET dbversion = '".$current_db_version."' WHERE server_id = ".$conf['server_id']);
if($inst->db->dbHost != $inst->dbmaster->dbHost) $inst->dbmaster->query("UPDATE ".$conf["mysql"]["master_database"].".server SET dbversion = '".$current_db_version."' WHERE server_id = ".$conf['server_id']);
$inst->db->query("UPDATE ?? SET dbversion = ? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $current_db_version, $conf['server_id']);
if($inst->db->dbHost != $inst->dbmaster->dbHost) $inst->dbmaster->query("UPDATE ?? SET dbversion = ? WHERE server_id = ?", $conf["mysql"]["master_database"] . ".server", $current_db_version, $conf['server_id']);
//* If ISPConfig Version < 3.0.3, we will do a full db update
......@@ -228,7 +228,7 @@ function updateDbAndIni() {
swriteln($inst->lng('Starting full database update.'));
//** Delete the old database
if( !$inst->db->query('DROP DATABASE IF EXISTS '.$conf['mysql']['database']) ) {
if( !$inst->db->query('DROP DATABASE IF EXISTS ??', $conf['mysql']['database']) ) {
$inst->error('Unable to drop MySQL database: '.$conf['mysql']['database'].'.');
}
......@@ -239,7 +239,7 @@ function updateDbAndIni() {
$db_tables = $inst->db->getTables();
foreach($db_tables as $table) {
$inst->db->query("TRUNCATE $table");
$inst->db->query("TRUNCATE ??", $table);
}
//** load old data back into database
......@@ -262,15 +262,15 @@ function updateDbAndIni() {
}
//* update the database version in server table
$inst->db->query("UPDATE ".$conf["mysql"]["database"].".server SET dbversion = '".$current_db_version."' WHERE server_id = ".$conf['server_id']);
if($inst->db->dbHost != $inst->dbmaster->dbHost) $inst->dbmaster->query("UPDATE ".$conf["mysql"]["master_database"].".server SET dbversion = '".$current_db_version."' WHERE server_id = ".$conf['server_id']);
$inst->db->query("UPDATE ?? SET dbversion = ? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $current_db_version, $conf['server_id']);
if($inst->db->dbHost != $inst->dbmaster->dbHost) $inst->dbmaster->query("UPDATE ?? SET dbversion = ? WHERE server_id = ?", $conf["mysql"]["master_database"] . ".server", $current_db_version, $conf['server_id']);
if ($conf['powerdns']['installed']) {
swriteln($inst->lng('Starting full PowerDNS database update.'));
//** Delete the old PowerDNS database
if( !$inst->db->query('DROP DATABASE IF EXISTS '.$conf['powerdns']['database']) ) {
if( !$inst->db->query('DROP DATABASE IF EXISTS ??', $conf['powerdns']['database']) ) {
$inst->error('Unable to drop MySQL database: '.$conf['powerdns']['database'].'.');
}
......@@ -288,7 +288,7 @@ function updateDbAndIni() {
//** Update server ini
$tmp_server_rec = $inst->db->queryOneRecord("SELECT config FROM ".$conf["mysql"]["database"].".server WHERE server_id = ".$conf['server_id']);
$tmp_server_rec = $inst->db->queryOneRecord("SELECT config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$old_ini_array = ini_to_array(stripslashes($tmp_server_rec['config']));
unset($tmp_server_rec);
$tpl_ini_array = ini_to_array(rf('tpl/server.ini.master'));
......@@ -344,12 +344,12 @@ function updateDbAndIni() {
}
$new_ini = array_to_ini($tpl_ini_array);
$sql = "UPDATE ".$conf["mysql"]["database"].".server SET config = '".mysql_real_escape_string($new_ini)."' WHERE server_id = ".$conf['server_id'];
$inst->db->query($sql);
$sql = "UPDATE ?? SET config = ? WHERE server_id = ?";
$inst->db->query($sql, $conf["mysql"]["database"] . ".server", $new_ini, $conf['server_id']);
if($inst->db->dbHost != $inst->dbmaster->dbHost) {
$sql = "UPDATE ".$conf["mysql"]["master_database"].".server SET config = '".mysql_real_escape_string($new_ini)."' WHERE server_id = ".$conf['server_id'];
$inst->dbmaster->query($sql);
$sql = "UPDATE ?? SET config = ? WHERE server_id = ?";
$inst->dbmaster->query($sql, $conf["mysql"]["master_database"].".server", $new_ini, $conf['server_id']);
}
unset($old_ini_array);
unset($tpl_ini_array);
......@@ -357,7 +357,7 @@ function updateDbAndIni() {
//** Update system ini
$tmp_server_rec = $inst->db->queryOneRecord("SELECT config FROM ".$conf["mysql"]["database"].".sys_ini WHERE sysini_id = 1");
$tmp_server_rec = $inst->db->queryOneRecord("SELECT config FROM ?? WHERE sysini_id = 1", $conf["mysql"]["database"] . ".sys_ini");
$old_ini_array = ini_to_array(stripslashes($tmp_server_rec['config']));
unset($tmp_server_rec);
$tpl_ini_array = ini_to_array(rf('tpl/system.ini.master'));
......@@ -372,11 +372,11 @@ function updateDbAndIni() {
}
$new_ini = array_to_ini($tpl_ini_array);
$tmp = $inst->db->queryOneRecord('SELECT count(sysini_id) as number FROM '.$conf["mysql"]["database"].'.sys_ini WHERE 1');
$tmp = $inst->db->queryOneRecord('SELECT count(sysini_id) as number FROM ?? WHERE 1', $conf["mysql"]["database"] . '.sys_ini');
if($tmp['number'] == 0) {
$inst->db->query("INSERT INTO ".$conf["mysql"]["database"].".sys_ini (sysini_id, config) VALUES (1,'".mysql_real_escape_string($new_ini)."')");
$inst->db->query("INSERT INTO ?? (sysini_id, config) VALUES (1,?)", $conf["mysql"]["database"] . ".sys_ini", $new_ini);
} else {
$inst->db->query("UPDATE ".$conf["mysql"]["database"].".sys_ini SET config = '".mysql_real_escape_string($new_ini)."' WHERE sysini_id = 1");
$inst->db->query("UPDATE ?? SET config = ? WHERE sysini_id = 1", $conf["mysql"]["database"] . ".sys_ini", $new_ini);
}
unset($old_ini_array);
unset($tpl_ini_array);
......
......@@ -608,7 +608,7 @@ class ApsCrawler extends ApsBase
foreach($incomplete_pkgs as $incomplete_pkg){
$pkg_url = @file_get_contents($this->interface_pkg_dir.'/'.$incomplete_pkg['path'].'/PKG_URL');
if($pkg_url != ''){
$app->db->datalogUpdate('aps_packages', "package_url = '".$app->db->quote($pkg_url)."'", 'id', $incomplete_pkg['id']);
$app->db->datalogUpdate('aps_packages', array("package_url" => $pkg_url), 'id', $incomplete_pkg['id']);
}
}
}
......
......@@ -268,7 +268,7 @@ class ApsGUIController extends ApsBase
if (empty($settings['main_database_name'])) {
//* Find a free db name for the app
for($n = 1; $n <= 1000; $n++) {
$mysql_db_name = $app->db->quote(($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps')));
$mysql_db_name = ($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps'));
$tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = ?", $mysql_db_name);
if($tmp['number'] == 0) break;
}
......@@ -277,7 +277,7 @@ class ApsGUIController extends ApsBase
if (empty($settings['main_database_login'])) {
//* Find a free db username for the app
for($n = 1; $n <= 1000; $n++) {
$mysql_db_user = $app->db->quote(($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps')));
$mysql_db_user = ($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps'));
$tmp = $app->db->queryOneRecord("SELECT count(database_user_id) as number FROM web_database_user WHERE database_user = ?", $mysql_db_user);
if($tmp['number'] == 0) break;
}
......@@ -287,8 +287,16 @@ class ApsGUIController extends ApsBase
//* Create the mysql database user if not existing
$tmp = $app->db->queryOneRecord("SELECT database_user_id FROM web_database_user WHERE database_user = ?", $settings['main_database_login']);
if(!$tmp) {
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `database_user`, `database_user_prefix`, `database_password`)
VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', 0, '".$settings['main_database_login']."', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('".$settings['main_database_password']."'))";
$insert_data = array("sys_userid" => $websrv['sys_userid'],
"sys_groupid" => $websrv['sys_groupid'],
"sys_perm_user" => 'riud',
"sys_perm_group" => $websrv['sys_perm_group'],
"sys_perm_other" => '',
"server_id" => 0,
"database_user" => $settings['main_database_login'],
"database_user_prefix" => $dbuser_prefix,
"database_password" => "PASSWORD('" . $settings['main_database_password'] . "')"
);
$mysql_db_user_id = $app->db->datalogInsert('web_database_user', $insert_data, 'database_user_id');
}
else $mysql_db_user_id = $tmp['database_user_id'];
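Review bot: The `database_password` entry at L270 binds the literal string `PASSWORD('…')` as a value, so with the array form of `datalogInsert` the column receives that text verbatim — the clear-text password ends up stored inside the wrapper instead of the MySQL hash the removed statement produced, and anything that later checks against the stored hash will not match. The removed line evaluated `PASSWORD()` inside the statement (while interpolating the password unescaped, so binding it is the right direction); compute the hash first and bind the result, e.g. `$pw_rec = $app->db->queryOneRecord("SELECT PASSWORD(?) AS pw", $settings['main_database_password']);` followed by `"database_password" => $pw_rec['pw']`. Whether the rest of the codebase expects the `PASSWORD()` hash format in this column is not visible here, so match what the other database-user inserts store. The enclosing method starts and ends outside the hunk.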
......@@ -296,8 +304,25 @@ class ApsGUIController extends ApsBase
//* Create the mysql database if not existing
$tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = ?", $settings['main_database_name']);
if($tmp['number'] == 0) {
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `parent_domain_id`, `type`, `database_name`, `database_name_prefix`, `database_user_id`, `database_ro_user_id`, `database_charset`, `remote_access`, `remote_ips`, `backup_copies`, `active`, `backup_interval`)
VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', $mysql_db_server_id, ".$app->functions->intval($websrv['domain_id']).", 'mysql', '".$settings['main_database_name']."', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$app->functions->intval($websrv['backup_copies']).", 'y', '".$app->functions->intval($websrv['backup_interval'])."')";
$insert_data = array("sys_userid" => $websrv['sys_userid'],
"sys_groupid" => $websrv['sys_groupid'],
"sys_perm_user" => 'riud',
"sys_perm_group" => $websrv['sys_perm_group'],
"sys_perm_other" => '',
"server_id" => $mysql_db_server_id,
"parent_domain_id" => $websrv['domain_id'],
"type" => 'mysql',
"database_name" => $settings['main_database_name'],
"database_name_prefix" => $dbname_prefix,
"database_user_id" => $mysql_db_user_id,
"database_ro_user_id" => 0,
"database_charset" => '',
"remote_access" => $mysql_db_remote_access,
"remote_ips" => $mysql_db_remote_ips,
"backup_copies" => $websrv['backup_copies'],
"active" => 'y',
"backup_interval" => $websrv['backup_interval']
);
$app->db->datalogInsert('web_database', $insert_data, 'database_id');
}
......@@ -351,7 +376,7 @@ class ApsGUIController extends ApsBase
// mysql-database-name is updated inside if not set already
if (!$this->createDatabaseForPackageInstance($settings, $websrv)) return false;
}
//* Insert new package instance
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `customer_id`, `package_id`, `instance_status`) VALUES (".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->db->quote($websrv['sys_perm_group'])."', '', ".$app->db->quote($webserver_id).",".$app->db->quote($customerid).", ".$app->db->quote($packageid).", ".INSTANCE_PENDING.")";
$InstanceID = $app->db->datalogInsert('aps_instances', $insert_data, 'id');
......
......@@ -626,20 +626,26 @@ class db extends mysqli
if(is_array($insert_data)) {
$key_str = '';
$val_str = '';
$params = array($tablename);
$v_params = array();
foreach($insert_data as $key => $val) {
$key_str .= "`".$key ."`,";
$val_str .= "'".$this->escape($val)."',";
$key_str .= '??,'
$params[] = $key;
$val_str .= '?,';
$v_params[] = $val;
}
$key_str = substr($key_str, 0, -1);
$val_str = substr($val_str, 0, -1);
$insert_data_str = '('.$key_str.') VALUES ('.$val_str.')';
$this->query("INSERT INTO ?? $insert_data_str", true, $params + $v_params);
} else {
/* TODO: deprecate this method! */
$insert_data_str = $insert_data;
$this->query("INSERT INTO ?? $insert_data_str", $tablename);
}
/* TODO: reduce risk of insert_data_str! */
$old_rec = array();
$this->query("INSERT INTO ?? $insert_data_str", $tablename);
$index_value = $this->insertID();
$new_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ? = ?", $tablename, $index_field, $index_value);
$this->datalogSave($tablename, 'INSERT', $index_field, $index_value, $old_rec, $new_rec);
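Review bot: Two defects in the array branch: `$key_str .= '??,'` at L319 has no terminating semicolon, which is a parse error, and `$params + $v_params` at L327 is array union, not concatenation — both arrays are zero-indexed lists, so every entry of `$v_params` collides with a key already present in `$params` and is discarded, leaving the `?` value placeholders unbound. It should read `$key_str .= '??,';` and `$this->query("INSERT INTO ?? $insert_data_str", true, array_merge($params, $v_params));`. Whether `query()` accepts the `(sql, true, array)` calling form is not visible on this page; the update hunk below uses the same form, so confirm it against the method itself. Separately, the unchanged re-read at L337 uses `WHERE ? = ?` for the index column, which binds the column name as a string value, whereas the update hunk uses `?? = ?` for the same purpose. datalogInsert starts before this hunk.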
......@@ -658,17 +664,23 @@ class db extends mysqli
$old_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ?? = ?", $tablename, $index_field, $index_value);
if(is_array($update_data)) {
$params = array($tablename);
$update_data_str = '';
foreach($update_data as $key => $val) {
$update_data_str .= "`".$key ."` = '".$this->escape($val)."',";
$update_data_str .= '?? = ?,';
$params[] = $key;
$params[] = $val;
}
$params[] = $index_field;
$params[] = $index_value;
$update_data_str = substr($update_data_str, 0, -1);
$this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", true, $params);
} else {
/* TODO: deprecate this method! */
$update_data_str = $update_data;
$this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", $tablename, $index_field, $index_value);
}
/* TODO: reduce risk of update_data_str */
$this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", $tablename, $index_field, $index_value);
$new_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ?? = ?", $tablename, $index_field, $index_value);
$this->datalogSave($tablename, 'UPDATE', $index_field, $index_value, $old_rec, $new_rec, $force_update);
......
......@@ -246,6 +246,7 @@ class listform {
return $this->pagingValues[$key];
}
/* TODO: maybe rewrite sql */
public function getPagingSQL($sql_where = '1')
{
global $app, $conf;
......@@ -283,7 +284,7 @@ class listform {
if($this->searchChanged == 1) $_SESSION['search'][$list_name]['page'] = 0;
$sql_von = $app->functions->intval($_SESSION['search'][$list_name]['page'] * $records_per_page);
$record_count = $app->db->queryOneRecord("SELECT count(*) AS anzahl FROM $table".($app->listform->listDef['additional_tables'] != ''? ','.$app->listform->listDef['additional_tables'] : '')." WHERE $sql_where");
$record_count = $app->db->queryOneRecord("SELECT count(*) AS anzahl FROM ??".($app->listform->listDef['additional_tables'] != ''? ','.$app->listform->listDef['additional_tables'] : '')." WHERE $sql_where", $table);
$pages = $app->functions->intval(($record_count['anzahl'] - 1) / $records_per_page);
......@@ -482,7 +483,8 @@ class listform {
}
return $record;
}
/* TODO: check double quoting of SQL */
public function encode($record)
{
global $app;
......
......@@ -190,6 +190,7 @@ class listform_actions {
return $rec;
}
/* TODO: maybe rewrite SQL */
public function getQueryString($no_limit = false) {
global $app;
$sql_where = '';
......
......@@ -47,12 +47,13 @@ class plugin_dbhistory extends plugin_base {
$db_table_idx = $app->tform->formDef["db_table_idx"];
$primary_id = $this->form->id;
if($_SESSION["s"]["user"]["typ"] == 'admin') {
$sql = "SELECT action, tstamp, user, data FROM sys_datalog WHERE dbtable = '".$db_table."' AND dbidx = '".$db_table_idx.":".$primary_id."'";
$sql = "SELECT action, tstamp, user, data FROM sys_datalog WHERE dbtable = ? AND dbidx = ?";
$records = $app->db->queryAllRecords($sql, $db_table, $db_table_idx.":".$primary_id);
} else {
$sql = "SELECT action, tstamp, user, data FROM sys_datalog WHERE user = '".$_SESSION["s"]["user"]["username"]."' dbtable = '".$db_table."' AND dbidx = '".$db_table_idx.":".$primary_id."'";
$sql = "SELECT action, tstamp, user, data FROM sys_datalog WHERE user = ? AND dbtable = ? AND dbidx = ?";
$records = $app->db->queryAllRecords($sql, $_SESSION["s"]["user"]["username"], $db_table, $db_table_idx.":".$primary_id);
}
$records = $app->db->queryAllRecords($sql);
if(is_array($records)) {
$content .= '<table>';
foreach($records as $rec) {
......
......@@ -468,7 +468,6 @@ class remoting_client extends remoting {
throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
return false;
}
$username = $app->db->quote($username);
$rec = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE username = ?", $username);
if (isset($rec)) {
return $rec;
......@@ -519,7 +518,6 @@ class remoting_client extends remoting {
$client_id = $app->functions->intval($client_id);
$client = $app->db->queryOneRecord("SELECT client_id FROM client WHERE client_id = ?", $client_id);
if($client['client_id'] > 0) {
$new_password = $app->db->quote($new_password);
$sql = "UPDATE client SET password = md5(?) WHERE client_id = ?";
$app->db->query($sql, $new_password, $client_id);
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE client_id = ?";
......
......@@ -1061,7 +1061,6 @@ class remoting_mail extends remoting {
return false;
}
if (!empty($domain)) {
$domain = $app->db->quote($domain);
$sql = "SELECT * FROM mail_domain WHERE domain = ?";
$result = $app->db->queryAllRecords($sql, $domain);
return $result;
......
......@@ -102,7 +102,8 @@ class remoting_sites extends remoting {
$app->remoting_lib->loadFormDef('../sites/form/database.tform.php');
return $app->remoting_lib->getDataRecord($primary_id);
}
/* TODO: secure queries! */
//* Add a record
public function sites_database_add($session_id, $client_id, $params)
{
......
......@@ -93,9 +93,6 @@ class remoting {
$sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMSTAMP()";
$app->db->query($sql);
$username = $app->db->quote($username);
$password = $app->db->quote($password);
if($client_login == true) {
$sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
$user = $app->db->queryOneRecord($sql, $username);
......@@ -175,8 +172,6 @@ class remoting {
return false;
}
$session_id = $app->db->quote($session_id);
$sql = "DELETE FROM remote_session WHERE remote_session = ?";
if($app->db->query($sql, $session_id) != false) {
return true;
......@@ -201,7 +196,7 @@ class remoting {
$sql = $app->remoting_lib->getSQL($params, 'INSERT', 0);
//* Check if no system user with that username exists
$username = $app->db->quote($params["username"]);
$username = $params["username"];
$tmp = $app->db->queryOneRecord("SELECT count(userid) as number FROM sys_user WHERE username = ?", $username);
if($tmp['number'] > 0) $app->remoting_lib->errorMessage .= "Duplicate username<br />";
......@@ -471,8 +466,6 @@ class remoting {
return false;
}
$session_id = $app->db->quote($session_id);
$sql = "SELECT * FROM remote_session WHERE remote_session = ? AND tstamp >= UNIX_TIMSTAMP()";
$session = $app->db->queryOneRecord($sql, $session_id);
if($session['remote_userid'] > 0) {
......
......@@ -262,12 +262,12 @@ class remoting_lib extends tform_base {
function ispconfig_sysuser_add($params, $insert_id){
global $conf, $app, $sql1;
$username = $app->db->quote($params["username"]);
$password = $app->db->quote($params["password"]);
$username = $params["username"];
$password = $params["password"];
if(!isset($params['modules'])) {
$modules = $conf['interface_modules_enabled'];
} else {
$modules = $app->db->quote($params['modules']);
$modules = $params['modules'];
}
if(isset($params['limit_client']) && $params['limit_client'] > 0) {
$modules .= ',client';
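Review bot: Dropping `$app->db->quote()` at L481-L482 is right for parameterised queries, but the later `$app->auth->crypt_password(stripslashes($password))` at L512 (hunk ending at L513) was presumably undoing the backslashes that `quote()` added; it now runs on the raw input, so a password containing a backslash is silently altered before hashing. The same pairing exists in ispconfig_sysuser_update (`$clear_password = $params["password"]` at L520, `stripslashes($clear_password)` at L522). Unless `quote()` or another escaping step is still applied somewhere not shown, both calls should become `$app->auth->crypt_password($password)` and `$app->auth->crypt_password($clear_password)`. ispconfig_sysuser_add continues past the hunk.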
......@@ -276,18 +276,18 @@ class remoting_lib extends tform_base {
if(!isset($params['startmodule'])) {
$startmodule = 'dashboard';
} else {
$startmodule = $app->db->quote($params["startmodule"]);
$startmodule = $params["startmodule"];
if(!preg_match('/'.$startmodule.'/', $modules)) {
$_modules = explode(',', $modules);
$startmodule=$_modules[0];
}
}
$usertheme = $app->db->quote($params["usertheme"]);
$usertheme = $params["usertheme"];
$type = 'user';
$active = 1;
$insert_id = $app->functions->intval($insert_id);
$language = $app->db->quote($params["language"]);
$groupid = $app->db->datalogInsert('sys_group', "(name,description,client_id) VALUES ('$username','','$insert_id')", 'groupid');
$language = $params["language"];
$groupid = $app->db->datalogInsert('sys_group', array("name" => $username, "description" => "", "client_id" => $insert_id), 'groupid');
$groups = $groupid;
if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($password));
$sql1 = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id)
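Review bot: `$startmodule = $params["startmodule"]` at L496 flows straight into the pattern built at L497, `preg_match('/'.$startmodule.'/', $modules)`, with no escaping; a caller-supplied value containing a `/` or regex metacharacters yields an invalid pattern (warning, `false` return) or matches too broadly (`.` matches everything, so the fallback to `$_modules[0]` never triggers). The removed `quote()` never protected the regex either, so this is pre-existing, but the value is only meant as a literal module name and should be escaped: `if(!preg_match('/'.preg_quote($startmodule, '/').'/', $modules)) {`. The `sys_user` INSERT that begins at L513 continues outside the hunk, so whether it binds its values cannot be checked here. ispconfig_sysuser_add continues past the hunk.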
......@@ -297,8 +297,8 @@ class remoting_lib extends tform_base {
function ispconfig_sysuser_update($params, $client_id){
global $app;
$username = $app->db->quote($params["username"]);
$clear_password = $app->db->quote($params["password"]);
$username = $params["username"];
$clear_password = $params["password"];
$client_id = $app->functions->intval($client_id);
if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($clear_password));
else $password = $clear_password;
......
......@@ -177,7 +177,7 @@ class searchform {
if($this->searchChanged == 1) $_SESSION['search'][$list_name]['page'] = 0;
$sql_von = $_SESSION['search'][$list_name]['page'] * $records_per_page;
$record_count = $app->db->queryOneRecord("SELECT count(*) AS anzahl FROM $table WHERE $sql_where");
$record_count = $app->db->queryOneRecord("SELECT count(*) AS anzahl FROM ?? WHERE $sql_where", $table);
$pages = $app->functions->intval(($record_count['anzahl'] - 1) / $records_per_page);
$vars['list_file'] = $this->listDef['file'];
......@@ -247,7 +247,7 @@ class searchform {
$list_name = $this->listDef['name'];
$settings = $_SESSION['search'][$list_name];
unset($settings['page']);
$data = $app->db->quote(serialize($settings));
$data = serialize($settings);
$userid = $_SESSION['s']['user']['userid'];
$groupid = $_SESSION['s']['user']['default_group'];
......@@ -260,9 +260,8 @@ class searchform {
$sql = 'INSERT INTO `searchform` ( '
.'`sys_userid` , `sys_groupid` , `sys_perm_user` , `sys_perm_group` , `sys_perm_other` , `module` , `searchform` , `title` , `data` '
.')VALUES ('
."'$userid', '$groupid', '$sys_perm_user', '$sys_perm_group', '$sys_perm_other', '$module', '$searchform', '$title', '$data')";
$app->db->query($sql);
.')VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)';
$app->db->query($sql, $userid, $groupid, $sys_perm_user, $sys_perm_group, $sys_perm_other, $module, $searchform, $title, $data);
}
public function decode($record)
......@@ -303,6 +302,7 @@ class searchform {
return $record;
}
/* TODO: check for double quoting mysql value */
public function encode($record)
{
global $app;
......
......@@ -44,7 +44,7 @@ class sites_database_plugin {
//* The Database user shall be owned by the same group then the website
$sys_groupid = $app->functions->intval($web['sys_groupid']);
$backup_interval = $app->db