From 9a3ad8883403949a59e8935497a548ec536f1d40 Mon Sep 17 00:00:00 2001 From: Igor Scheller Date: Sat, 21 Jan 2017 13:58:53 +0100 Subject: Changed from mysqli to PDO, some refactorings, faster sql queries --- includes/pages/admin_active.php | 102 ++++++++++++++++---------- includes/pages/admin_arrive.php | 18 ++--- includes/pages/admin_free.php | 50 +++++++------ includes/pages/admin_groups.php | 69 ++++++++++-------- includes/pages/admin_import.php | 14 ++-- includes/pages/admin_news.php | 35 ++++++--- includes/pages/admin_questions.php | 39 ++++++---- includes/pages/admin_rooms.php | 41 +++++++---- includes/pages/admin_shifts.php | 45 +++++++++--- includes/pages/admin_user.php | 144 +++++++++++++++++++++++++------------ includes/pages/guest_login.php | 95 +++++++++++++++--------- includes/pages/guest_stats.php | 12 ++-- includes/pages/user_atom.php | 8 ++- includes/pages/user_messages.php | 44 +++++++++--- includes/pages/user_myshifts.php | 67 ++++++++++------- includes/pages/user_news.php | 81 ++++++++++++--------- includes/pages/user_questions.php | 34 ++++++--- includes/pages/user_settings.php | 28 +++++--- includes/pages/user_shifts.php | 67 +++++++++-------- 19 files changed, 642 insertions(+), 351 deletions(-) (limited to 'includes/pages') diff --git a/includes/pages/admin_active.php b/includes/pages/admin_active.php index c4b6e119..d3b290f9 100644 --- a/includes/pages/admin_active.php +++ b/includes/pages/admin_active.php 
@@ -1,5 +1,7 @@ $size, - 'needed' => sql_select_single_cell( - "SELECT count(*) FROM `User` WHERE `Size`='" . sql_escape($size) . "' AND `Gekommen`=1" - ), - 'given' => sql_select_single_cell( - "SELECT count(*) FROM `User` WHERE `Size`='" . sql_escape($size) . "' AND `Tshirt`=1" - ) + 'needed' => (int)$sc, + 'given' => (int)$gc ]; } } + + $uc = DB::select('SELECT count(*) FROM `User` WHERE `Tshirt`=1'); + $uc = array_shift($uc); + $uc = array_shift($uc); + $shirt_statistics[] = [ 'size' => '' . _('Sum') . '', 'needed' => '' . User_arrived_count() . '', - 'given' => '' . sql_select_single_cell('SELECT count(*) FROM `User` WHERE `Tshirt`=1') . '' + 'given' => '' . (int)$uc . '' ]; return page_with_title(admin_active_title(), [ diff --git a/includes/pages/admin_arrive.php b/includes/pages/admin_arrive.php index a17408e7..0080ccf9 100644 --- a/includes/pages/admin_arrive.php +++ b/includes/pages/admin_arrive.php @@ -1,5 +1,7 @@ quote($_REQUEST['angeltype']) + . ' AND `UserAngelTypes`.`user_id` = `User`.`UID`'; if (isset($_REQUEST['confirmed_only'])) { - $angeltypesearch .= ' AND `UserAngelTypes`.`confirm_user_id`'; + $angelTypeSearch .= ' AND `UserAngelTypes`.`confirm_user_id`'; } - $angeltypesearch .= ') '; + $angelTypeSearch .= ') '; } - $angel_types_source = sql_select('SELECT `id`, `name` FROM `AngelTypes` ORDER BY `name`'); + $angel_types_source = DB::select('SELECT `id`, `name` FROM `AngelTypes` ORDER BY `name`'); $angel_types = [ '' => 'alle Typen' ]; 
@@ -40,20 +43,27 @@ function admin_free() $angel_types[$angel_type['id']] = $angel_type['name']; } - $users = sql_select(" - SELECT `User`.* - FROM `User` - ${angeltypesearch} - LEFT JOIN `ShiftEntry` ON `User`.`UID` = `ShiftEntry`.`UID` - LEFT JOIN `Shifts` - ON ( - `ShiftEntry`.`SID` = `Shifts`.`SID` - AND `Shifts`.`start` < '" . sql_escape(time()) . "' - AND `Shifts`.`end` > '" . sql_escape(time()) . "' - ) - WHERE `User`.`Gekommen` = 1 AND `Shifts`.`SID` IS NULL - GROUP BY `User`.`UID` - ORDER BY `Nick`"); + $users = DB::select(' + SELECT `User`.* + FROM `User` + ' . $angelTypeSearch . ' + LEFT JOIN `ShiftEntry` ON `User`.`UID` = `ShiftEntry`.`UID` + LEFT JOIN `Shifts` + ON ( + `ShiftEntry`.`SID` = `Shifts`.`SID` + AND `Shifts`.`start` < ? + AND `Shifts`.`end` > ? + ) + WHERE `User`.`Gekommen` = 1 + AND `Shifts`.`SID` IS NULL + GROUP BY `User`.`UID` + ORDER BY `Nick` + ', + [ + time(), + time(), + ] + ); $free_users_table = []; if ($search == '') { diff --git a/includes/pages/admin_groups.php b/includes/pages/admin_groups.php index 8e578cb2..bc33a2b0 100644 --- a/includes/pages/admin_groups.php +++ b/includes/pages/admin_groups.php 
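Review bot: The `$angelTypeSearch` fragment spliced into this prepared statement still carries the raw request value, escaped with `PDO::quote()` in the earlier hunk rather than bound as a parameter, so the query mixes both mechanisms while every other query in this commit binds. `quote()` is correct for the connection's charset, but `angeltype_id` looks like an integer column and binding keeps the whole statement parameterised: build the fragment with `= ?`, push `$_REQUEST['angeltype']` into a `$bindings` array there, then append the two `time()` values and call `DB::select('…', $bindings)` here. The fragment is assembled outside this hunk, so half of that change lands there; casting the id with `(int)` before binding would also document the expected type.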
@@ -1,5 +1,7 @@ 0) { - $privileges = sql_select(" + $group = DB::select('SELECT * FROM `Groups` WHERE `UID`=? LIMIT 1', [$group_id]); + if (!empty($group)) { + $privileges = DB::select(' SELECT `Privileges`.*, `GroupPrivileges`.`group_id` FROM `Privileges` LEFT OUTER JOIN `GroupPrivileges` ON ( `Privileges`.`id` = `GroupPrivileges`.`privilege_id` - AND `GroupPrivileges`.`group_id`='" . sql_escape($group_id) . "' + AND `GroupPrivileges`.`group_id`=? ) ORDER BY `Privileges`.`name` - "); + ', [$group_id]); $privileges_html = ''; $privileges_form = []; - foreach ($privileges as $priv) { + foreach ($privileges as $privilege) { $privileges_form[] = form_checkbox( 'privileges[]', - $priv['desc'] . ' (' . $priv['name'] . ')', - $priv['group_id'] != '', - $priv['id'] + $privilege['desc'] . ' (' . $privilege['name'] . ')', + $privilege['group_id'] != '', + $privilege['id'] ); $privileges_html .= sprintf( ' %s %s', - $priv['id'], - ($priv['group_id'] != '' ? 'checked="checked"' : ''), - $priv['name'], - $priv['desc'] + $privilege['id'], + ($privilege['group_id'] != '' ? 'checked="checked"' : ''), + $privilege['name'], + $privilege['desc'] ); } 
@@ -103,20 +105,27 @@ function admin_groups() return error('Incomplete call, missing Groups ID.', true); } - $group = sql_select("SELECT * FROM `Groups` WHERE `UID`='" . sql_escape($group_id) . "' LIMIT 1"); + $group = DB::select('SELECT * FROM `Groups` WHERE `UID`=? LIMIT 1', [$group_id]); if (!is_array($_REQUEST['privileges'])) { $_REQUEST['privileges'] = []; } - if (count($group) > 0) { - list($group) = $group; - sql_query("DELETE FROM `GroupPrivileges` WHERE `group_id`='" . sql_escape($group_id) . "'"); + if (!empty($group)) { + $group = array_shift($group); + DB::delete('DELETE FROM `GroupPrivileges` WHERE `group_id`=?', [$group_id]); $privilege_names = []; - foreach ($_REQUEST['privileges'] as $priv) { - if (preg_match("/^[0-9]{1,}$/", $priv)) { - $group_privileges_source = sql_select("SELECT * FROM `Privileges` WHERE `id`='" . sql_escape($priv) . "' LIMIT 1"); - if (count($group_privileges_source) > 0) { - sql_query("INSERT INTO `GroupPrivileges` SET `group_id`='" . sql_escape($group_id) . "', `privilege_id`='" . sql_escape($priv) . "'"); - $privilege_names[] = $group_privileges_source[0]['name']; + foreach ($_REQUEST['privileges'] as $privilege) { + if (preg_match("/^[0-9]{1,}$/", $privilege)) { + $group_privileges_source = DB::select( + 'SELECT `name` FROM `Privileges` WHERE `id`=? LIMIT 1', + [$privilege] + ); + if (!empty($group_privileges_source)) { + $group_privileges_source = array_shift($group_privileges_source); + DB::insert( + 'INSERT INTO `GroupPrivileges` (`group_id`, `privilege_id`) VALUES (?, ?)', + [$group_id, $privilege] + ); + $privilege_names[] = $group_privileges_source['name']; } } } diff --git a/includes/pages/admin_import.php b/includes/pages/admin_import.php index 2e37572f..7a246b4b 100644 --- a/includes/pages/admin_import.php +++ b/includes/pages/admin_import.php @@ -1,5 +1,7 @@ 0) { return '' . _('There are unanswered questions!') . ''; 
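Review bot: `DB::delete('DELETE FROM `GroupPrivileges` WHERE `group_id`=?', …)` wipes the group's privileges before the loop re-inserts the selected ones, and nothing ties the two steps together, so a failure mid-loop leaves the group with a partial privilege set and no record of it. Since `DB::getPdo()` is exposed elsewhere in this commit, wrap the delete and the inserts in one transaction: `DB::getPdo()->beginTransaction();` before the delete, `DB::getPdo()->commit();` after the loop, with `rollBack()` if an insert fails (how `DB::insert` reports failure is not visible here, so check whether it throws or returns). admin_groups continues outside this hunk; the log entry that follows should be written after the commit.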
@@ -39,7 +41,7 @@ function admin_questions() if (!isset($_REQUEST['action'])) { $unanswered_questions_table = []; - $questions = sql_select("SELECT * FROM `Questions` WHERE `AID` IS NULL"); + $questions = DB::select('SELECT * FROM `Questions` WHERE `AID` IS NULL'); foreach ($questions as $question) { $user_source = User($question['UID']); @@ -59,7 +61,7 @@ function admin_questions() } $answered_questions_table = []; - $questions = sql_select("SELECT * FROM `Questions` WHERE NOT `AID` IS NULL"); + $questions = DB::select('SELECT * FROM `Questions` WHERE NOT `AID` IS NULL'); foreach ($questions as $question) { $user_source = User($question['UID']); $answer_user_source = User($question['AID']); @@ -102,7 +104,10 @@ function admin_questions() return error('Incomplete call, missing Question ID.', true); } - $question = sql_select("SELECT * FROM `Questions` WHERE `QID`='" . sql_escape($question_id) . "' LIMIT 1"); + $question = DB::select( + 'SELECT * FROM `Questions` WHERE `QID`=? LIMIT 1', + [$question_id] + ); if (count($question) > 0 && $question[0]['AID'] == null) { $answer = trim( preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", @@ -111,12 +116,19 @@ function admin_questions() )); if ($answer != '') { - sql_query(" - UPDATE `Questions` - SET `AID`='" . sql_escape($user['UID']) . "', `Answer`='" . sql_escape($answer) . "' - WHERE `QID`='" . sql_escape($question_id) . "' - LIMIT 1 - "); + DB::update( + ' + UPDATE `Questions` + SET `AID`=?, `Answer`=? + WHERE `QID`=? + LIMIT 1 + ', + [ + $user['UID'], + $answer, + $question_id, + ] + ); engelsystem_log('Question ' . $question[0]['Question'] . ' answered: ' . $answer); redirect(page_link_to('admin_questions')); } else { 
@@ -133,9 +145,12 @@ function admin_questions() return error('Incomplete call, missing Question ID.', true); } - $question = sql_select("SELECT * FROM `Questions` WHERE `QID`='" . sql_escape($question_id) . "' LIMIT 1"); + $question = DB::select( + 'SELECT * FROM `Questions` WHERE `QID`=? LIMIT 1', + [$question_id] + ); if (count($question) > 0) { - sql_query("DELETE FROM `Questions` WHERE `QID`='" . sql_escape($question_id) . "' LIMIT 1"); + DB::delete('DELETE FROM `Questions` WHERE `QID`=? LIMIT 1', [$question_id]); engelsystem_log('Question deleted: ' . $question[0]['Question']); redirect(page_link_to('admin_questions')); } else { diff --git a/includes/pages/admin_rooms.php b/includes/pages/admin_rooms.php index 61923689..50be15f3 100644 --- a/includes/pages/admin_rooms.php +++ b/includes/pages/admin_rooms.php @@ -1,5 +1,7 @@ 0) { $name = strip_request_item('name'); - if (isset($room) && sql_num_query("SELECT * FROM `Room` WHERE `Name`='" . sql_escape($name) . "' AND NOT `RID`=" . sql_escape($room_id)) > 0) { + if ( + isset($room) + && count(DB::select( + 'SELECT RID FROM `Room` WHERE `Name`=? AND NOT `RID`=?', + [$name, $room_id] + )) > 0 + ) { $valid = false; $msg .= error(_('This name is already in use.'), true); } @@ -111,17 +122,23 @@ function admin_rooms() } if ($valid) { - if (isset($room_id)) { - sql_query(" + if (!empty($room_id)) { + DB::update(' UPDATE `Room` SET - `Name`='" . sql_escape($name) . "', - `FromPentabarf`='" . sql_escape($from_pentabarf) . "', - `show`='" . sql_escape($public) . "', - `Number`='" . sql_escape($number) . "' - WHERE `RID`='" . sql_escape($room_id) . "' + `Name`=?, + `FromPentabarf`=?, + `show`=?, + `Number`=? + WHERE `RID`=? LIMIT 1 - "); + ', [ + $name, + $from_pentabarf, + $public, + $number, + $room_id, + ]); engelsystem_log( 'Room updated: ' . $name . ', pentabarf import: ' . $from_pentabarf diff --git a/includes/pages/admin_shifts.php b/includes/pages/admin_shifts.php index 1e19c5e4..c543e827 100644 
--- a/includes/pages/admin_shifts.php +++ b/includes/pages/admin_shifts.php @@ -1,5 +1,7 @@ $count) { - $angel_type_source = sql_select("SELECT * FROM `AngelTypes` WHERE `id`='" . sql_escape($type_id) . "' LIMIT 1"); - if (count($angel_type_source) > 0) { - sql_query("INSERT INTO `NeededAngelTypes` SET `shift_id`='" . sql_escape($shift_id) . "', `angel_type_id`='" . sql_escape($type_id) . "', `count`='" . sql_escape($count) . "'"); - $needed_angel_types_info[] = $angel_type_source[0]['name'] . ": " . $count; + $angel_type_source = DB::select(' + SELECT * + FROM `AngelTypes` + WHERE `id` = ? + LIMIT 1', [$type_id]); + if (!empty($angel_type_source)) { + DB::insert(' + INSERT INTO `NeededAngelTypes` (`shift_id`, `angel_type_id`, `count`) + VALUES (?, ?, ?) + ', + [ + $shift_id, + $type_id, + $count + ] + ); + $needed_angel_types_info[] = $angel_type_source[0]['name'] . ': ' . $count; } } } diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php index 8e11c5f3..192becb0 100644 --- a/includes/pages/admin_user.php +++ b/includes/pages/admin_user.php @@ -1,5 +1,7 @@ '; - $my_highest_group = sql_select("SELECT * FROM `UserGroups` WHERE `uid`='" . sql_escape($user['UID']) . "' ORDER BY `group_id` LIMIT 1"); + $my_highest_group = DB::select( + 'SELECT group_id FROM `UserGroups` WHERE `uid`=? ORDER BY `group_id` LIMIT 1', + [$user['UID']] + ); if (count($my_highest_group) > 0) { $my_highest_group = $my_highest_group[0]['group_id']; } - $his_highest_group = sql_select("SELECT * FROM `UserGroups` WHERE `uid`='" . sql_escape($user_id) . "' ORDER BY `group_id` LIMIT 1"); + $his_highest_group = DB::select( + 'SELECT `group_id` FROM `UserGroups` WHERE `uid`=? ORDER BY `group_id` LIMIT 1', + [$user_id] + ); if (count($his_highest_group) > 0) { $his_highest_group = $his_highest_group[0]['group_id']; } 
@@ -121,16 +129,21 @@ function admin_user() . page_link_to('admin_user') . '&action=save_groups&id=' . $user_id . '" method="post">' . "\n"; $html .= ''; - $groups = sql_select(" - SELECT * - FROM `Groups` - LEFT OUTER JOIN `UserGroups` ON ( - `UserGroups`.`group_id` = `Groups`.`UID` - AND `UserGroups`.`uid` = '" . sql_escape($user_id) . "' - ) - WHERE `Groups`.`UID` >= '" . sql_escape($my_highest_group) . "' - ORDER BY `Groups`.`Name` - "); + $groups = DB::select(' + SELECT * + FROM `Groups` + LEFT OUTER JOIN `UserGroups` ON ( + `UserGroups`.`group_id` = `Groups`.`UID` + AND `UserGroups`.`uid` = ? + ) + WHERE `Groups`.`UID` >= ? + ORDER BY `Groups`.`Name` + ', + [ + $user_id, + $my_highest_group, + ] + ); foreach ($groups as $group) { $html .= '
0 && (count($his_highest_group) == 0 || ($my_highest_group[0]['group_id'] <= $his_highest_group[0]['group_id']))) { - $groups_source = sql_select(" - SELECT * - FROM `Groups` - LEFT OUTER JOIN `UserGroups` ON ( - `UserGroups`.`group_id` = `Groups`.`UID` - AND `UserGroups`.`uid` = '" . sql_escape($user_id) . "' - ) - WHERE `Groups`.`UID` >= '" . sql_escape($my_highest_group[0]['group_id']) . "' - ORDER BY `Groups`.`Name` - "); + $my_highest_group = DB::select( + 'SELECT * FROM `UserGroups` WHERE `uid`=? ORDER BY `group_id`', + [$user['UID']] + ); + $his_highest_group = DB::select( + 'SELECT * FROM `UserGroups` WHERE `uid`=? ORDER BY `group_id`', + [$user_id] + ); + + if ( + count($my_highest_group) > 0 + && ( + count($his_highest_group) == 0 + || ($my_highest_group[0]['group_id'] <= $his_highest_group[0]['group_id']) + ) + ) { + $groups_source = DB::select(' + SELECT * + FROM `Groups` + LEFT OUTER JOIN `UserGroups` ON ( + `UserGroups`.`group_id` = `Groups`.`UID` + AND `UserGroups`.`uid` = ? + ) + WHERE `Groups`.`UID` >= ? + ORDER BY `Groups`.`Name` + ', + [ + $user_id, + $my_highest_group[0]['group_id'], + ] + ); $groups = []; $grouplist = []; foreach ($groups_source as $group) { @@ -179,11 +209,14 @@ function admin_user() $_REQUEST['groups'] = []; } - sql_query("DELETE FROM `UserGroups` WHERE `uid`='" . sql_escape($user_id) . "'"); + DB::delete('DELETE FROM `UserGroups` WHERE `uid`=?', [$user_id]); $user_groups_info = []; foreach ($_REQUEST['groups'] as $group) { if (in_array($group, $grouplist)) { - sql_query("INSERT INTO `UserGroups` SET `uid`='" . sql_escape($user_id) . "', `group_id`='" . sql_escape($group) . "'"); + DB::insert( + 'INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, ?)', + [$user_id, $group] + ); $user_groups_info[] = $groups[$group]['Name']; } } 
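Review bot: The `DB::delete('DELETE FROM `UserGroups` WHERE `uid`=?', …)` followed by per-group `DB::insert` calls is not atomic, so an error after the delete leaves the target user with no `UserGroups` rows, which from how `$my_highest_group` is derived above appears to strip all of their privileges. Run the delete and the inserts inside `DB::getPdo()->beginTransaction()` / `commit()` with a `rollBack()` on failure. A smaller point in the same loop: `in_array($group, $grouplist)` is a loose comparison; since both sides are request/DB strings, passing `true` as the third argument costs nothing and avoids PHP's numeric-string coercions. admin_user's save_groups branch continues outside this hunk.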
@@ -206,25 +239,42 @@ function admin_user() if (in_array('admin_active', $privileges)) { $force_active = $_REQUEST['force_active']; } - $SQL = "UPDATE `User` SET - `Nick` = '" . sql_escape($_POST["eNick"]) . "', - `Name` = '" . sql_escape($_POST["eName"]) . "', - `Vorname` = '" . sql_escape($_POST["eVorname"]) . "', - `Telefon` = '" . sql_escape($_POST["eTelefon"]) . "', - `Handy` = '" . sql_escape($_POST["eHandy"]) . "', - `Alter` = '" . sql_escape($_POST["eAlter"]) . "', - `DECT` = '" . sql_escape($_POST["eDECT"]) . "', - " . ($user_source['email_by_human_allowed'] ? "`email` = '" . sql_escape($_POST["eemail"]) . "'," : "") . " - `jabber` = '" . sql_escape($_POST["ejabber"]) . "', - `Size` = '" . sql_escape($_POST["eSize"]) . "', - `Gekommen`= '" . sql_escape($_POST["eGekommen"]) . "', - `Aktiv`= '" . sql_escape($_POST["eAktiv"]) . "', - `force_active`= " . sql_escape($force_active) . ", - `Tshirt` = '" . sql_escape($_POST["eTshirt"]) . "', - `Hometown` = '" . sql_escape($_POST["Hometown"]) . "' - WHERE `UID` = '" . sql_escape($user_id) . "' - LIMIT 1"; - sql_query($SQL); + $sql = ' + UPDATE `User` SET + `Nick` = ?, + `Name` = ?, + `Vorname` = ?, + `Telefon` = ?, + `Handy` = ?, + `Alter` =?, + `DECT` = ?, + ' . ($user_source['email_by_human_allowed'] ? '`email` = ' . DB::getPdo()->quote($_POST["eemail"]) . ',' : '') . ' + `jabber` = ?, + `Size` = ?, + `Gekommen`= ?, + `Aktiv`= ?, + `force_active`= ?, + `Tshirt` = ?, + `Hometown` = ? + WHERE `UID` = ? + LIMIT 1'; + DB::update($sql, [ + $_POST['eNick'], + $_POST['eName'], + $_POST['eVorname'], + $_POST['eTelefon'], + $_POST['eHandy'], + $_POST['eAlter'], + $_POST['eDECT'], + $_POST['ejabber'], + $_POST['eSize'], + $_POST['eGekommen'], + $_POST['eAktiv'], + $force_active, + $_POST['eTshirt'], + $_POST['Hometown'], + $user_id, + ]); engelsystem_log( 'Updated user: ' . $_POST['eNick'] . ', ' . $_POST['eSize'] . ', arrived: ' . $_POST['eGekommen'] 
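Review bot: The conditional ``email` = ' . DB::getPdo()->quote($_POST["eemail"]) . ','` interpolates a POST value into an otherwise fully bound UPDATE, which is exactly the pattern this commit is removing everywhere else. `quote()` is safe for the driver's charset, but it reintroduces string assembly into a prepared statement and will be the one place a future reader has to reason about escaping. Put the clause at the front of the SET list with a `?` and prepend its binding only when `email_by_human_allowed` is set, as below; `$_POST['eemail']` is also read without an `isset` guard, which is pre-existing but worth fixing in the same move. admin_user continues outside this hunk.
```php
$emailSql = '';
$emailBindings = [];
if ($user_source['email_by_human_allowed']) {
    $emailSql = '`email` = ?,';
    $emailBindings[] = $_POST['eemail'];
}
$sql = '
    UPDATE `User` SET
    ' . $emailSql . '
    `Nick` = ?,
    `Name` = ?,';
// … unchanged: remaining column assignments, WHERE `UID` = ? LIMIT 1 …
DB::update($sql, array_merge($emailBindings, [
    $_POST['eNick'],
    $_POST['eName'],
    // … unchanged: remaining bindings through $user_id …
]));
```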
diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php index d202d92d..f08f9260 100644 --- a/includes/pages/guest_login.php +++ b/includes/pages/guest_login.php @@ -1,5 +1,7 @@ 1) { $nick = User_validate_Nick($_REQUEST['nick']); - if (sql_num_query("SELECT * FROM `User` WHERE `Nick`='" . sql_escape($nick) . "' LIMIT 1") > 0) { + if (count(DB::select('SELECT `UID` FROM `User` WHERE `Nick`=? LIMIT 1', [$nick])) > 0) { $valid = false; $msg .= error(sprintf(_('Your nick "%s" already exists.'), $nick), true); } @@ -148,10 +150,10 @@ function guest_register() // Trivia if (isset($_REQUEST['lastname'])) { - $lastname = strip_request_item('lastname'); + $lastName = strip_request_item('lastname'); } if (isset($_REQUEST['prename'])) { - $prename = strip_request_item('prename'); + $preName = strip_request_item('prename'); } if (isset($_REQUEST['age']) && preg_match("/^[0-9]{0,4}$/", $_REQUEST['age'])) { $age = strip_request_item('age'); 
@@ -173,38 +175,65 @@ function guest_register() } if ($valid) { - sql_query(" - INSERT INTO `User` SET - `color`='" . sql_escape($default_theme) . "', - `Nick`='" . sql_escape($nick) . "', - `Vorname`='" . sql_escape($prename) . "', - `Name`='" . sql_escape($lastname) . "', - `Alter`='" . sql_escape($age) . "', - `Telefon`='" . sql_escape($tel) . "', - `DECT`='" . sql_escape($dect) . "', - `Handy`='" . sql_escape($mobile) . "', - `email`='" . sql_escape($mail) . "', - `email_shiftinfo`=" . sql_bool($email_shiftinfo) . ", - `email_by_human_allowed`=" . sql_bool($email_by_human_allowed) . ", - `jabber`='" . sql_escape($jabber) . "', - `Size`='" . sql_escape($tshirt_size) . "', - `Passwort`='" . sql_escape($password_hash) . "', - `kommentar`='" . sql_escape($comment) . "', - `Hometown`='" . sql_escape($hometown) . "', - `CreateDate`=NOW(), - `Sprache`='" . sql_escape($_SESSION["locale"]) . "', - `arrival_date`=NULL, - `planned_arrival_date`='" . sql_escape($planned_arrival_date) . "'"); + DB::insert(' + INSERT INTO `User` ( + `color`, + `Nick`, + `Vorname`, + `Name`, + `Alter`, + `Telefon`, + `DECT`, + `Handy`, + `email`, + `email_shiftinfo`, + `email_by_human_allowed`, + `jabber`, + `Size`, + `Passwort`, + `kommentar`, + `Hometown`, + `CreateDate`, + `Sprache`, + `arrival_date`, + `planned_arrival_date` + ) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, NULL, ?) + ', + [ + $default_theme, + $nick, + $preName, + $lastName, + $age, + $tel, + $dect, + $mobile, + $mail, + (bool)$email_shiftinfo, + (bool)$email_by_human_allowed, + $jabber, + $tshirt_size, + $password_hash, + $comment, + $hometown, + $_SESSION['locale'], + $planned_arrival_date, + ] + ); // Assign user-group and set password - $user_id = sql_id(); - sql_query("INSERT INTO `UserGroups` SET `uid`='" . sql_escape($user_id) . 
"', `group_id`=-2"); + $user_id = DB::getPdo()->lastInsertId(); + DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -2)', [$user_id]); set_password($user_id, $_REQUEST['password']); // Assign angel-types $user_angel_types_info = []; foreach ($selected_angel_types as $selected_angel_type_id) { - sql_query("INSERT INTO `UserAngelTypes` SET `user_id`='" . sql_escape($user_id) . "', `angeltype_id`='" . sql_escape($selected_angel_type_id) . "'"); + DB::insert( + 'INSERT INTO `UserAngelTypes` (`user_id`, `angeltype_id`) VALUES (?, ?)', + [$user_id, $selected_angel_type_id] + ); $user_angel_types_info[] = $angel_types[$selected_angel_type_id]; } @@ -316,10 +345,10 @@ function guest_register() form_text('jabber', _('Jabber'), $jabber), div('row', [ div('col-sm-6', [ - form_text('prename', _('First name'), $prename) + form_text('prename', _('First name'), $preName) ]), div('col-sm-6', [ - form_text('lastname', _('Last name'), $lastname) + form_text('lastname', _('Last name'), $lastName) ]) ]), div('row', [ @@ -361,7 +390,7 @@ function guest_login() if (isset($_REQUEST['submit'])) { if (isset($_REQUEST['nick']) && strlen(User_validate_Nick($_REQUEST['nick'])) > 0) { $nick = User_validate_Nick($_REQUEST['nick']); - $login_user = sql_select("SELECT * FROM `User` WHERE `Nick`='" . sql_escape($nick) . "'"); + $login_user = DB::select('SELECT * FROM `User` WHERE `Nick`=?', [$nick]); if (count($login_user) > 0) { $login_user = $login_user[0]; if (isset($_REQUEST['password'])) { diff --git a/includes/pages/guest_stats.php b/includes/pages/guest_stats.php index c4e1af74..4add3e97 100644 --- a/includes/pages/guest_stats.php +++ b/includes/pages/guest_stats.php @@ -1,5 +1,7 @@ 0) { return ' ' . $new_messages . ''; } 
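Review bot: `(bool)$email_shiftinfo` and `(bool)$email_by_human_allowed` are passed through `execute()`'s value array, which binds everything as a string, so `false` arrives at MySQL as `''` rather than the literal `FALSE` the old `sql_bool()` emitted; on a server with strict SQL mode that is an "Incorrect integer value" error for the INSERT, and on a lenient one it is a warning and a 0. Cast to an integer instead, `(int)(bool)$email_shiftinfo,` and `(int)(bool)$email_by_human_allowed,`, which binds as `'0'`/`'1'` and is accepted either way. Whether emulated prepares are on for this `DB` wrapper is not visible here, so confirm the behaviour against the actual connection settings.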
@@ -32,7 +37,10 @@ function user_messages() global $user; if (!isset($_REQUEST['action'])) { - $users = sql_select("SELECT * FROM `User` WHERE NOT `UID`='" . sql_escape($user['UID']) . "' ORDER BY `Nick`"); + $users = DB::select( + 'SELECT `UID`, `Nick` FROM `User` WHERE NOT `UID`=? ORDER BY `Nick`', + [$user['UID']] + ); $to_select_data = [ '' => _('Select recipient...') @@ -44,13 +52,18 @@ function user_messages() $to_select = html_select_key('to', 'to', $to_select_data, ''); - $messages = sql_select(" + $messages = DB::select(' SELECT * FROM `Messages` - WHERE `SUID`='" . sql_escape($user['UID']) . "' - OR `RUID`='" . sql_escape($user['UID']) . "' + WHERE `SUID`=? + OR `RUID`=? ORDER BY `isRead`,`Datum` DESC - "); + ', + [ + $user['UID'], + $user['UID'], + ] + ); $messages_table = [ [ @@ -116,9 +129,15 @@ function user_messages() return error(_('Incomplete call, missing Message ID.'), true); } - $message = sql_select("SELECT * FROM `Messages` WHERE `id`='" . sql_escape($message_id) . "' LIMIT 1"); + $message = DB::select( + 'SELECT `RUID` FROM `Messages` WHERE `id`=? LIMIT 1', + [$message_id] + ); if (count($message) > 0 && $message[0]['RUID'] == $user['UID']) { - sql_query("UPDATE `Messages` SET `isRead`='Y' WHERE `id`='" . sql_escape($message_id) . "' LIMIT 1"); + DB::update( + 'UPDATE `Messages` SET `isRead`=\'Y\' WHERE `id`=? LIMIT 1', + [$message_id] + ); redirect(page_link_to('user_messages')); } else { return error(_('No Message found.'), true); 
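Review bot: The mark-as-read path checks `$message[0]['RUID'] == $user['UID']` in PHP and then runs an UPDATE keyed on `id` alone, so the ownership check and the write are two separate statements. Folding the owner into the WHERE clause makes the write self-guarding and removes the need for the preceding SELECT's result to be trusted: `'UPDATE `Messages` SET `isRead`=\'Y\' WHERE `id`=? AND `RUID`=? LIMIT 1', [$message_id, $user['UID']]`. The same pattern applies to the delete branch in the next hunk.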
@@ -132,9 +151,12 @@ function user_messages() return error(_('Incomplete call, missing Message ID.'), true); } - $message = sql_select("SELECT * FROM `Messages` WHERE `id`='" . sql_escape($message_id) . "' LIMIT 1"); + $message = DB::select( + 'SELECT `SUID` FROM `Messages` WHERE `id`=? LIMIT 1', + [$message_id] + ); if (count($message) > 0 && $message[0]['SUID'] == $user['UID']) { - sql_query("DELETE FROM `Messages` WHERE `id`='" . sql_escape($message_id) . "' LIMIT 1"); + DB::delete('DELETE FROM `Messages` WHERE `id`=? LIMIT 1', [$message_id]); redirect(page_link_to('user_messages')); } else { return error(_('No Message found.'), true); @@ -142,7 +164,7 @@ function user_messages() break; case 'send': - if (Message_send($_REQUEST['to'], $_REQUEST['text']) === true) { + if (Message_send($_REQUEST['to'], $_REQUEST['text'])) { redirect(page_link_to('user_messages')); } else { return error(_('Transmitting was terminated with an Error.'), true); diff --git a/includes/pages/user_myshifts.php b/includes/pages/user_myshifts.php index 2079c789..76b79032 100644 --- a/includes/pages/user_myshifts.php +++ b/includes/pages/user_myshifts.php @@ -1,5 +1,7 @@ 0 + && count(DB::select('SELECT `UID` FROM `User` WHERE `UID`=?', [$_REQUEST['id']])) > 0 ) { $user_id = $_REQUEST['id']; } else { $user_id = $user['UID']; } - list($shifts_user) = sql_select("SELECT * FROM `User` WHERE `UID`='" . sql_escape($user_id) . "' LIMIT 1"); + $shifts_user = DB::select('SELECT * FROM `User` WHERE `UID`=? LIMIT 1', [$user_id]); + $shifts_user = array_shift($shifts_user); if (isset($_REQUEST['reset'])) { if ($_REQUEST['reset'] == 'ack') { 
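Review bot: Changing `Message_send(...) === true` to a plain truthiness test loosens the success check: any non-empty return, including an error string or array, would now redirect as if the message was sent. `Message_send` is not visible here, so if it only ever returns a bool this is harmless, but the commit message describes a mechanical DB migration and this is a semantic change hidden inside it; keep `=== true` unless the function's contract has been changed deliberately, and say so in the commit.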
@@ -46,24 +49,32 @@ function user_myshifts() ]); } elseif (isset($_REQUEST['edit']) && preg_match('/^[0-9]*$/', $_REQUEST['edit'])) { $user_id = $_REQUEST['edit']; - $shift = sql_select("SELECT - `ShiftEntry`.`freeloaded`, - `ShiftEntry`.`freeload_comment`, - `ShiftEntry`.`Comment`, - `ShiftEntry`.`UID`, - `ShiftTypes`.`name`, - `Shifts`.*, - `Room`.`Name`, - `AngelTypes`.`name` AS `angel_type` - FROM `ShiftEntry` - JOIN `AngelTypes` ON (`ShiftEntry`.`TID` = `AngelTypes`.`id`) - JOIN `Shifts` ON (`ShiftEntry`.`SID` = `Shifts`.`SID`) - JOIN `ShiftTypes` ON (`ShiftTypes`.`id` = `Shifts`.`shifttype_id`) - JOIN `Room` ON (`Shifts`.`RID` = `Room`.`RID`) - WHERE `ShiftEntry`.`id`='" . sql_escape($user_id) . "' - AND `UID`='" . sql_escape($shifts_user['UID']) . "' LIMIT 1"); + $shift = DB::select(' + SELECT + `ShiftEntry`.`freeloaded`, + `ShiftEntry`.`freeload_comment`, + `ShiftEntry`.`Comment`, + `ShiftEntry`.`UID`, + `ShiftTypes`.`name`, + `Shifts`.*, + `Room`.`Name`, + `AngelTypes`.`name` AS `angel_type` + FROM `ShiftEntry` + JOIN `AngelTypes` ON (`ShiftEntry`.`TID` = `AngelTypes`.`id`) + JOIN `Shifts` ON (`ShiftEntry`.`SID` = `Shifts`.`SID`) + JOIN `ShiftTypes` ON (`ShiftTypes`.`id` = `Shifts`.`shifttype_id`) + JOIN `Room` ON (`Shifts`.`RID` = `Room`.`RID`) + WHERE `ShiftEntry`.`id`=? + AND `UID`=? + LIMIT 1 + ', + [ + $user_id, + $shifts_user['UID'], + ] + ); if (count($shift) > 0) { - $shift = $shift[0]; + $shift = array_shift($shift); $freeloaded = $shift['freeloaded']; $freeload_comment = $shift['freeload_comment']; 
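Review bot: The guard `preg_match('/^[0-9]*$/', $_REQUEST['edit'])` accepts the empty string, which is then bound to `ShiftEntry`.`id`=?` and returns no row, so the code works by accident of the later `count($shift) > 0` check rather than by validation; `'/^[0-9]+$/'` states the intent. The value is also stored in `$user_id` although it is a ShiftEntry id, not a user id, and the real user id lives in `$shifts_user['UID']` in the same bindings array; renaming it `$shift_entry_id` would stop the next reader from confusing the two when auditing who may edit what. user_myshifts continues outside this hunk.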
@@ -120,13 +131,19 @@ function user_myshifts() } } elseif (isset($_REQUEST['cancel']) && preg_match('/^[0-9]*$/', $_REQUEST['cancel'])) { $user_id = $_REQUEST['cancel']; - $shift = sql_select(" - SELECT * - FROM `Shifts` - INNER JOIN `ShiftEntry` USING (`SID`) - WHERE `ShiftEntry`.`id`='" . sql_escape($user_id) . "' AND `UID`='" . sql_escape($shifts_user['UID']) . "'"); + $shift = DB::select(' + SELECT * + FROM `Shifts` + INNER JOIN `ShiftEntry` USING (`SID`) + WHERE `ShiftEntry`.`id`=? AND `UID`=? + ', + [ + $user_id, + $shifts_user['UID'], + ] + ); if (count($shift) > 0) { - $shift = $shift[0]; + $shift = array_shift($shift); if (($shift['start'] > time() + $last_unsubscribe * 3600) || in_array('user_shifts_admin', $privileges)) { $result = ShiftEntry_delete($user_id); if ($result === false) { diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php index ceed75f2..3828e293 100644 --- a/includes/pages/user_news.php +++ b/includes/pages/user_news.php @@ -1,5 +1,7 @@ ' . '
    '; for ($i = 0; $i < $dis_rows; $i++) { if (isset($_REQUEST['page']) && $i == $_REQUEST['page']) { @@ -98,7 +102,7 @@ function display_news($news) . ' ' . _('Comments') . ' » ' . '' - . sql_num_query("SELECT * FROM `NewsComments` WHERE `Refid`='" . sql_escape($news['ID']) . "'") + . count(DB::select('SELECT `ID` FROM `NewsComments` WHERE `Refid`=?', [$news['ID']])) . ''; } $html .= ''; @@ -117,28 +121,34 @@ function user_news_comments() if ( isset($_REQUEST['nid']) && preg_match('/^[0-9]{1,}$/', $_REQUEST['nid']) - && sql_num_query("SELECT * FROM `News` WHERE `ID`='" . sql_escape($_REQUEST['nid']) . "' LIMIT 1") > 0 + && count(DB::select('SELECT `ID` FROM `News` WHERE `ID`=? LIMIT 1', [$_REQUEST['nid']])) > 0 ) { $nid = $_REQUEST['nid']; - list($news) = sql_select("SELECT * FROM `News` WHERE `ID`='" . sql_escape($nid) . "' LIMIT 1"); + $news = DB::select('SELECT * FROM `News` WHERE `ID`=? LIMIT 1', [$nid]); + $news = array_shift($news); if (isset($_REQUEST['text'])) { $text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['text'])); - sql_query(" - INSERT INTO `NewsComments` (`Refid`, `Datum`, `Text`, `UID`) - VALUES ( - '" . sql_escape($nid) . "', - '" . date("Y-m-d H:i:s") . "', - '" . sql_escape($text) . "', - '" . sql_escape($user["UID"]) . "' - ) - "); + DB::insert(' + INSERT INTO `NewsComments` (`Refid`, `Datum`, `Text`, `UID`) + VALUES (?, ?, ?, ?) + ', + [ + $nid, + date("Y-m-d H:i:s"), + $text, + $user["UID"], + ] + ); engelsystem_log('Created news_comment: ' . $text); $html .= success(_('Entry saved.'), true); } $html .= display_news($news); - $comments = sql_select("SELECT * FROM `NewsComments` WHERE `Refid`='" . sql_escape($nid) . "' ORDER BY 'ID'"); + $comments = DB::select( + 'SELECT * FROM `NewsComments` WHERE `Refid`=? ORDER BY \'ID\'', + [$nid] + ); foreach ($comments as $comment) { $user_source = User($comment['UID']); 
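Review bot: `ORDER BY \'ID\'` orders by the string constant `'ID'`, not by the column, so the comments come back in unspecified order; this was already wrong in the removed line and the migration carried it over. Use the identifier quoting the rest of the query uses: `'SELECT * FROM `NewsComments` WHERE `Refid`=? ORDER BY `ID`'`.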
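Review bot: `count(DB::select('SELECT `ID` FROM `NewsComments` WHERE `Refid`=?', …))` fetches every comment row into PHP just to count them, which runs against the "faster sql queries" goal in the commit subject. Let the database count: `SELECT COUNT(*) FROM `NewsComments` WHERE `Refid`=?` and read the single cell, the same `array_shift` pattern this commit uses for the T-shirt totals in admin_active.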
@@ -176,16 +186,18 @@ function user_news() if (!isset($_POST['treffen']) || !in_array('admin_news', $privileges)) { $_POST['treffen'] = 0; } - sql_query(" + DB::insert(' INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) - VALUES ( - '" . sql_escape(time()) . "', - '" . sql_escape($_POST["betreff"]) . "', - '" . sql_escape($_POST["text"]) . "', - '" . sql_escape($user['UID']) . "', - '" . sql_escape($_POST["treffen"]) . "' - ) - "); + VALUES (?, ?, ?, ?, ?) + ', + [ + time(), + $_POST['betreff'], + $_POST['text'], + $user['UID'], + $_POST['treffen'], + ] + ); engelsystem_log('Created news: ' . $_POST['betreff'] . ', treffen: ' . $_POST['treffen']); success(_('Entry saved.')); redirect(page_link_to('news')); @@ -197,17 +209,20 @@ function user_news() $page = 0; } - $news = sql_select(" - SELECT * - FROM `News` - ORDER BY `Datum` - DESC LIMIT " . sql_escape($page * $display_news) . ", " . sql_escape($display_news) - ); + $news = DB::select(sprintf(' + SELECT * + FROM `News` + ORDER BY `Datum` + DESC LIMIT %u, %u + ', + $page * $display_news, + $display_news + )); foreach ($news as $entry) { $html .= display_news($entry); } - $dis_rows = ceil(sql_num_query('SELECT * FROM `News`') / $display_news); + $dis_rows = ceil(count(DB::select('SELECT `ID` FROM `News`')) / $display_news); $html .= '
    ' . '
      '; for ($i = 0; $i < $dis_rows; $i++) { if (isset($_REQUEST['page']) && $i == $_REQUEST['page']) { diff --git a/includes/pages/user_questions.php b/includes/pages/user_questions.php index b8ebe92d..04ae8914 100644 --- a/includes/pages/user_questions.php +++ b/includes/pages/user_questions.php @@ -1,5 +1,7 @@ 0 && $question[0]['UID'] == $user['UID']) { - sql_query("DELETE FROM `Questions` WHERE `QID`='" . sql_escape($question_id) . "' LIMIT 1"); + DB::delete( + 'DELETE FROM `Questions` WHERE `QID`=? LIMIT 1', + [$question_id] + ); redirect(page_link_to('user_questions')); } else { return page_with_title(questions_title(), [ diff --git a/includes/pages/user_settings.php b/includes/pages/user_settings.php index b848ff5f..5d4ba368 100644 --- a/includes/pages/user_settings.php +++ b/includes/pages/user_settings.php @@ -1,5 +1,7 @@
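Review bot: `ceil(count(DB::select('SELECT `ID` FROM `News`')) / $display_news)` loads the id of every news entry on each page view only to derive the page count, which will grow with the table. Replace it with `SELECT COUNT(*) FROM `News`` and read the single cell. The `sprintf('… LIMIT %u, %u')` above it is a reasonable way to avoid binding LIMIT values under emulated prepares, but `%u` turns a negative product into a huge unsigned number; `$page` is normalised outside this hunk, so as long as that normalisation rejects negatives this is fine, otherwise clamp with `max(0, …)`.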