From d7cb77414c4cf074269b6812c3dd3571ee29afca Mon Sep 17 00:00:00 2001 From: svncommit Date: Tue, 25 Oct 2005 15:04:17 +0000 Subject: [PATCH] more pear/mdb2 integration --- SQL/postgres.initial.sql | 8 +- index.php | 8 +- program/include/cache.inc | 69 ++++++++--------- program/include/main.inc | 52 ++++++------- program/include/rcube_db.inc | 53 +++++++++++-- program/include/rcube_mdb2.inc | 42 ++++++++++- program/include/session.inc | 87 ++++++++++------------ program/steps/addressbook/delete.inc | 38 +++++----- program/steps/addressbook/edit.inc | 13 ++-- program/steps/addressbook/func.inc | 35 ++++----- program/steps/addressbook/list.inc | 26 +++---- program/steps/addressbook/save.inc | 49 ++++++------ program/steps/addressbook/show.inc | 13 ++-- program/steps/mail/addcontact.inc | 25 +++---- program/steps/mail/compose.inc | 34 ++++----- program/steps/mail/sendmail.inc | 14 ++-- program/steps/settings/delete_identity.inc | 12 ++- program/steps/settings/edit_identity.inc | 13 ++-- program/steps/settings/func.inc | 18 ++--- program/steps/settings/save_identity.inc | 44 +++++------ program/steps/settings/save_prefs.inc | 15 ++-- 21 files changed, 343 insertions(+), 325 deletions(-) diff --git a/SQL/postgres.initial.sql b/SQL/postgres.initial.sql index 01b36af64..29c134d14 100755 --- a/SQL/postgres.initial.sql +++ b/SQL/postgres.initial.sql @@ -117,11 +117,11 @@ CREATE TABLE identities ( del boolean DEFAULT false NOT NULL, "default" boolean DEFAULT false NOT NULL, name character varying(128) NOT NULL, - organization character varying(128) NOT NULL, + organization character varying(128), email character varying(128) NOT NULL, - "reply-to" character varying(128) NOT NULL, - bcc character varying(128) NOT NULL, - signature text NOT NULL + "reply-to" character varying(128), + bcc character varying(128), + signature text ); diff --git a/index.php b/index.php index d5b2db0e3..c80100a33 100644 --- a/index.php +++ b/index.php @@ -51,17 +51,19 @@ if ($CURRENT_PATH!='') $CURRENT_PATH.='/'; // set environment first -ini_set('include_path', ini_get('include_path').PATH_SEPARATOR.$INSTALL_PATH.PATH_SEPARATOR.$CURRENT_PATH.'program'.PATH_SEPARATOR.$CURRENT_PATH.'program/lib'); +// RC include folders MUST be included FIRST to avoid other +// possible not compatible libraries (i.e PEAR) to be included +// instead the ones provided by RC +ini_set('include_path', $INSTALL_PATH.PATH_SEPARATOR.$CURRENT_PATH.'program'.PATH_SEPARATOR.$CURRENT_PATH.'program/lib'.PATH_SEPARATOR.ini_get('include_path')); + ini_set('session.name', 'sessid'); ini_set('session.use_cookies', 1); ini_set('error_reporting', E_ALL&~E_NOTICE); - // increase maximum execution time for php scripts // (does not work in safe mode) @set_time_limit('120'); - // include base files require_once('include/rcube_shared.inc'); require_once('include/rcube_imap.inc'); diff --git a/program/include/cache.inc b/program/include/cache.inc index b1e6b9317..ec8d7c046 100644 --- a/program/include/cache.inc +++ b/program/include/cache.inc @@ -25,13 +25,12 @@ function rcube_read_cache($key) global $DB, $CACHE_KEYS; // query db - $sql_result = $DB->query(sprintf("SELECT cache_id, data - FROM %s - WHERE user_id=%d - AND cache_key='%s'", - get_table_name('cache'), - $_SESSION['user_id'], - $key)); + $sql_result = $DB->query("SELECT cache_id, data + FROM ".get_table_name('cache')." + WHERE user_id=? + AND cache_key=?", + $_SESSION['user_id'], + $key); // get cached data if ($sql_arr = $DB->fetch_assoc($sql_result)) @@ -53,13 +52,12 @@ function rcube_write_cache($key, $data, $session_cache=FALSE) // check if we already have a cache entry for this key if (!isset($CACHE_KEYS[$key])) { - $sql_result = $DB->query(sprintf("SELECT cache_id - FROM %s - WHERE user_id=%d - AND cache_key='%s'", - get_table_name('cache'), - $_SESSION['user_id'], - $key)); + $sql_result = $DB->query("SELECT cache_id + FROM ".get_table_name('cache')." + WHERE user_id=? + AND cache_key=?", + $_SESSION['user_id'], + $key); if ($sql_arr = $DB->fetch_assoc($sql_result)) $CACHE_KEYS[$key] = $sql_arr['cache_id']; @@ -70,27 +68,25 @@ function rcube_write_cache($key, $data, $session_cache=FALSE) // update existing cache record if ($CACHE_KEYS[$key]) { - $DB->query(sprintf("UPDATE %s - SET created=NOW(), - data='%s' - WHERE user_id=%d - AND cache_key='%s'", - get_table_name('cache'), - addslashes($data), - $_SESSION['user_id'], - $key)); + $DB->query("UPDATE ".get_table_name('cache')." + SET created=NOW(), + data=? + WHERE user_id=? + AND cache_key=?", + $data, + $_SESSION['user_id'], + $key); } // add new cache record else { - $DB->query(sprintf("INSERT INTO %s - (created, user_id, session_id, cache_key, data) - VALUES (NOW(), %d, %s, '%s', '%s')", - get_table_name('cache'), - $_SESSION['user_id'], - $session_cache ? "'$sess_id'" : 'NULL', - $key, - addslashes($data))); + $DB->query("INSERT INTO ".get_table_name('cache')." + (created, user_id, session_id, cache_key, data) + VALUES (NOW(), ?, ?, ?', ?)", + $_SESSION['user_id'], + $session_cache ? $sess_id : 'NULL', + $key, + $data); } } @@ -100,12 +96,11 @@ function rcube_clear_cache($key) { global $DB; - $DB->query(sprintf("DELETE FROM %s - WHERE user_id=%d - AND cache_key='%s'", - get_table_name('cache'), - $_SESSION['user_id'], - $key)); + $DB->query("DELETE FROM ".get_table_name('cache')." + WHERE user_id=? + AND cache_key=?", + $_SESSION['user_id'], + $key); } diff --git a/program/include/main.inc b/program/include/main.inc index a7020c75f..0e206166e 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -263,13 +263,12 @@ function rcmail_login($user, $pass, $host=NULL) } // query if user already registered - $sql_result = $DB->query(sprintf("SELECT user_id, username, language, preferences - FROM %s - WHERE mail_host='%s' AND (username='%s' OR alias='%s')", - get_table_name('users'), - addslashes($host), - addslashes($user), - addslashes($user))); + $sql_result = $DB->query("SELECT user_id, username, language, preferences + FROM ".get_table_name('users')." + WHERE mail_host=? AND (username=? OR alias=?)", + $host, + $user, + $user); // user already registered -> overwrite username if ($sql_arr = $DB->fetch_assoc($sql_result)) @@ -299,11 +298,10 @@ function rcmail_login($user, $pass, $host=NULL) $sess_user_lang = $_SESSION['user_lang'] = $sql_arr['language']; // update user's record - $DB->query(sprintf("UPDATE %s - SET last_login=NOW() - WHERE user_id=%d", - get_table_name('users'), - $user_id)); + $DB->query("UPDATE ".get_table_name('users')." + SET last_login=NOW() + WHERE user_id=?", + $user_id); } // create new system user else if ($CONFIG['auto_create_user']) @@ -336,27 +334,25 @@ function rcmail_create_user($user, $host) { global $DB, $CONFIG, $IMAP; - $DB->query(sprintf("INSERT INTO %s - (created, last_login, username, mail_host, language) - VALUES (NOW(), NOW(), '%s', '%s', '%s')", - get_table_name('users'), - addslashes($user), - addslashes($host), - $_SESSION['user_lang'])); - - if ($user_id = $DB->insert_id()) + $DB->query("INSERT INTO ".get_table_name('users')." + (created, last_login, username, mail_host, language) + VALUES (NOW(), NOW(), ?, ?, ?)", + $user, + $host, + $_SESSION['user_lang']); + + if ($user_id = $DB->insert_id('user_ids')) { $user_email = strstr($user, '@') ? $user : sprintf('%s@%s', $user, $host); $user_name = $user!=$user_email ? $user : ''; // also create a new identity record - $DB->query(sprintf("INSERT INTO %s - (user_id, `default`, name, email) - VALUES (%d, '1', '%s', '%s')", - get_table_name('identities'), - $user_id, - addslashes($user_name), - addslashes($user_email))); + $DB->query("INSERT INTO ".get_table_name('identities')." + (user_id, `default`, name, email) + VALUES (?, '1', ?, ?)", + $user_id, + $user_name, + $user_email); // get existing mailboxes $a_mailboxes = $IMAP->list_mailboxes(); diff --git a/program/include/rcube_db.inc b/program/include/rcube_db.inc index f732da298..e83565843 100755 --- a/program/include/rcube_db.inc +++ b/program/include/rcube_db.inc @@ -101,9 +101,27 @@ class rcube_db $this->db_connected = true; } - // Query database (read operations) + // Query database - function query($query, $offset=0, $numrows=0) + function query() + { + $params = func_get_args(); + $query = array_shift($params); + + return $this->_query($query, 0, 0, $params); + } + + function limitquery() + { + $params = func_get_args(); + $query = array_shift($params); + $offset = array_shift($params); + $numrows = array_shift($params); + + return $this->_query($query, $offset, $numrows, $params); + } + + function _query($query, $offset, $numrows, $params) { // Read or write ? if (strtolower(trim(substr($query,0,6)))=='select') @@ -118,18 +136,21 @@ class rcube_db if ($numrows || $offset) { - $result = $this->db_handle->limitQuery($query,$offset,$numrows); + $result = $this->db_handle->limitQuery($query,$offset,$numrows,$params); } else - $result = $this->db_handle->query($query); - + $result = $this->db_handle->query($query,$params); + if (DB::isError($result)) + { raise_error(array('code' => 500, 'type' => 'db', 'line' => __LINE__, 'file' => __FILE__, 'message' => $result->getMessage()), TRUE, FALSE); - + return false; + } + return $this->_add_result($result, $query); } @@ -196,6 +217,26 @@ class rcube_db return $result->fetchRow(DB_FETCHMODE_ASSOC); } + function quoteIdentifier ( $str ) + { + if (!$this->db_handle) + $this->db_connect('r'); + + return $this->db_handle->quoteIdentifier($str); + } + + function unixtimestamp($field) + { + switch($this->db_provider) + { + case 'pgsql': + return "EXTRACT (EPOCH FROM $field)"; + break; + default: + return "UNIX_TIMESTAMP($field)"; + } + } + function _add_result($res, $query) { // sql error occured diff --git a/program/include/rcube_mdb2.inc b/program/include/rcube_mdb2.inc index cd394a878..a61f0b899 100755 --- a/program/include/rcube_mdb2.inc +++ b/program/include/rcube_mdb2.inc @@ -101,9 +101,27 @@ class rcube_db $this->db_connected = true; } - // Query database (read operations) + // Query database - function query($query, $offset=0, $numrows=0) + function query() + { + $params = func_get_args(); + $query = array_shift($params); + + return $this->_query($query, 0, 0, $params); + } + + function limitquery() + { + $params = func_get_args(); + $query = array_shift($params); + $offset = array_shift($params); + $numrows = array_shift($params); + + return $this->_query($query, $offset, $numrows, $params); + } + + function _query($query, $offset, $numrows, $params) { // Read or write ? if (strtolower(trim(substr($query,0,6)))=='select') @@ -175,6 +193,26 @@ class rcube_db return $result->fetchRow(MDB2_FETCHMODE_ASSOC); } + function quoteIdentifier ( $str ) + { + if (!$this->db_handle) + $this->db_connect('r'); + + return $this->db_handle->quoteIdentifier($str); + } + + function unixtimestamp($field) + { + switch($this->db_provider) + { + case 'pgsql': + return "EXTRACT (EPOCH FROM $field)"; + break; + default: + return "UNIX_TIMESTAMP($field)"; + } + } + function _add_result($res, $query) { // sql error occured diff --git a/program/include/session.inc b/program/include/session.inc index ca2b0b4ce..ccca0a920 100644 --- a/program/include/session.inc +++ b/program/include/session.inc @@ -38,11 +38,10 @@ function sess_read($key) { global $DB, $SESS_CHANGED; - $sql_result = $DB->query(sprintf("SELECT vars, ip, UNIX_TIMESTAMP(changed) AS changed - FROM %s - WHERE sess_id='%s'", - get_table_name('session'), - $key)); + $sql_result = $DB->query("SELECT vars, ip, ".$DB->unixtimestamp('changed')." AS changed + FROM ".get_table_name('session')." + WHERE sess_id=?", + $key); if ($sql_arr = $DB->fetch_assoc($sql_result)) { @@ -61,32 +60,29 @@ function sess_write($key, $vars) { global $DB; - $sql_result = $DB->query(sprintf("SELECT 1 - FROM %s - WHERE sess_id='%s'", - get_table_name('session'), - $key)); + $sql_result = $DB->query("SELECT 1 + FROM ".get_table_name('session')." + WHERE sess_id=?", + $key); if ($DB->num_rows($sql_result)) { session_decode($vars); - $DB->query(sprintf("UPDATE %s - SET vars='%s', - changed=NOW() - WHERE sess_id='%s'", - get_table_name('session'), - $vars, - $key)); + $DB->query("UPDATE ".get_table_name('session')." + SET vars=?, + changed=NOW() + WHERE sess_id=?", + $vars, + $key); } else { - $DB->query(sprintf("INSERT INTO %s - (sess_id, vars, ip, created, changed) - VALUES ('%s', '%s', '%s', NOW(), NOW())", - get_table_name('session'), - $key, - $vars, - $_SERVER['REMOTE_ADDR'])); + $DB->query("INSERT INTO ".get_table_name('session')." + (sess_id, vars, ip, created, changed) + VALUES (?, ?, ?, NOW(), NOW())", + $key, + $vars, + $_SERVER['REMOTE_ADDR']); } return TRUE; @@ -98,16 +94,14 @@ function sess_destroy($key) { global $DB; - $DB->query(sprintf("DELETE FROM %s - WHERE sess_id='%s'", - get_table_name('session'), - $key)); - - // also delete session entries in cache table - $DB->query(sprintf("DELETE FROM %s - WHERE session_id='%s'", - get_table_name('cache'), - $key)); + // delete session entries in cache table + $DB->query("DELETE FROM ".get_table_name('cache')." + WHERE session_id=?", + $key); + + $DB->query("DELETE FROM ".get_table_name('session')." + WHERE sess_id=?", + $key); return TRUE; } @@ -119,11 +113,10 @@ function sess_gc($maxlifetime) global $DB; // get all expired sessions - $sql_result = $DB->query(sprintf("SELECT sess_id - FROM %s - WHERE UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(created) > %d", - get_table_name('session'), - $maxlifetime)); + $sql_result = $DB->query("SELECT sess_id + FROM ".get_table_name('session')." + WHERE ".$DB->unixtimestamp('NOW()')."-".$DB->unixtimestamp('created')." > ?", + $maxlifetime); $a_exp_sessions = array(); while ($sql_arr = $DB->fetch_assoc($sql_result)) @@ -132,17 +125,13 @@ function sess_gc($maxlifetime) if (sizeof($a_exp_sessions)) { + // delete session cache records + $DB->query("DELETE FROM ".get_table_name('cache')." + WHERE session_id IN ('".join("','", $a_exp_sessions)."')"); + // delete session records - $DB->query(sprintf("DELETE FROM %s - WHERE sess_id IN ('%s')", - get_table_name('session'), - join("','", $a_exp_sessions))); - - // also delete session cache records - $DB->query(sprintf("DELETE FROM %s - WHERE session_id IN ('%s')", - get_table_name('cache'), - join("','", $a_exp_sessions))); + $DB->query("DELETE FROM ".get_table_name('session')." + WHERE sess_id IN ('".join("','", $a_exp_sessions)."')"); } return TRUE; diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index e988f5569..a3fcefbf7 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -23,13 +23,11 @@ $REMOTE_REQUEST = TRUE; if ($_GET['_cid']) { - $DB->query(sprintf("UPDATE %s - SET del='1' - WHERE user_id=%d - AND contact_id IN (%s)", - get_table_name('contacts'), - $_SESSION['user_id'], - $_GET['_cid'])); + $DB->query("UPDATE ".get_table_name('contacts')." + SET del='1' + WHERE user_id=? + AND contact_id IN (".$_GET['_cid'].")", + $_SESSION['user_id']); $count = $DB->affected_rows(); if (!$count) @@ -40,12 +38,11 @@ if ($_GET['_cid']) // count contacts for this user - $sql_result = $DB->query(sprintf("SELECT COUNT(contact_id) AS rows - FROM %s - WHERE del!='1' - AND user_id=%d", - get_table_name('contacts'), - $_SESSION['user_id'])); + $sql_result = $DB->query("SELECT COUNT(contact_id) AS rows + FROM ".get_table_name('contacts')." + WHERE del<>'1' + AND user_id=?", + $_SESSION['user_id']); $sql_arr = $DB->fetch_assoc($sql_result); $rowcount = $sql_arr['rows']; @@ -62,14 +59,13 @@ if ($_GET['_cid']) $start_row = ($_SESSION['page'] * $CONFIG['pagesize']) - $count; // get contacts from DB - $sql_result = $DB->query(sprintf("SELECT * FROM %s - WHERE del!='1' - AND user_id=%d - ORDER BY name", - get_table_name('contacts'), - $_SESSION['user_id']), - $start_row, - $count); + $sql_result = $DB->limitquery("SELECT * FROM ".get_table_name('contacts')." + WHERE del<>'1' + AND user_id=? + ORDER BY name", + $start_row, + $count, + $_SESSION['user_id']); $commands .= rcmail_js_contacts_list($sql_result); diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc index 3c5a544d3..24300bfce 100644 --- a/program/steps/addressbook/edit.inc +++ b/program/steps/addressbook/edit.inc @@ -23,13 +23,12 @@ if (($_GET['_cid'] || $_POST['_cid']) && $_action=='edit') { $cid = $_POST['_cid'] ? $_POST['_cid'] : $_GET['_cid']; - $DB->query(sprintf("SELECT * FROM %s - WHERE contact_id=%d - AND user_id=%d - AND del!='1'", - get_table_name('contacts'), - $cid, - $_SESSION['user_id'])); + $DB->query("SELECT * FROM ".get_table_name('contacts')." + WHERE contact_id=? + AND user_id=? + AND del<>'1'", + $cid, + $_SESSION['user_id']); $CONTACT_RECORD = $DB->fetch_assoc(); diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 53628162b..4cc79bad6 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -41,12 +41,11 @@ function rcmail_contacts_list($attrib) //$image_tag = '%s'; // count contacts for this user - $sql_result = $DB->query(sprintf("SELECT COUNT(contact_id) AS rows - FROM %s - WHERE del!='1' - AND user_id=%d", - get_table_name('contacts'), - $_SESSION['user_id'])); + $sql_result = $DB->query("SELECT COUNT(contact_id) AS rows + FROM ".get_table_name('contacts')." + WHERE del<>'1' + AND user_id=?", + $_SESSION['user_id']); $sql_arr = $DB->fetch_assoc($sql_result); $rowcount = $sql_arr['rows']; @@ -56,14 +55,13 @@ function rcmail_contacts_list($attrib) $start_row = ($CONTACTS_LIST['page']-1) * $CONFIG['pagesize']; // get contacts from DB - $sql_result = $DB->query(sprintf("SELECT * FROM %s - WHERE del!='1' - AND user_id=%d - ORDER BY name", - get_table_name('contacts'), - $_SESSION['user_id']), - $start_row, - $CONFIG['pagesize']); + $sql_result = $DB->limitquery("SELECT * FROM ".get_table_name('contacts')." + WHERE del<>'1' + AND user_id= ? + ORDER BY name", + $start_row, + $CONFIG['pagesize'], + $_SESSION['user_id']); } else $sql_result = NULL; @@ -174,11 +172,10 @@ function rcmail_get_rowcount_text($max=NULL) // get nr of contacts if ($max===NULL) { - $sql_result = $DB->query(sprintf("SELECT 1 FROM %s - WHERE del!='1' - AND user_id=%d", - get_table_name('contacts'), - $_SESSION['user_id'])); + $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('contacts')." + WHERE del<>'1' + AND user_id=?", + $_SESSION['user_id']); $max = $DB->num_rows($sql_result); } diff --git a/program/steps/addressbook/list.inc b/program/steps/addressbook/list.inc index 4ed092541..ecb634b6f 100644 --- a/program/steps/addressbook/list.inc +++ b/program/steps/addressbook/list.inc @@ -22,12 +22,11 @@ $REMOTE_REQUEST = TRUE; // count contacts for this user -$sql_result = $DB->query(sprintf("SELECT COUNT(contact_id) AS rows - FROM %s - WHERE del!='1' - AND user_id=%d", - get_table_name('contacts'), - $_SESSION['user_id'])); +$sql_result = $DB->query("SELECT COUNT(contact_id) AS rows + FROM ".get_table_name('contacts')." + WHERE del<>'1' + AND user_id=?", + $_SESSION['user_id']); $sql_arr = $DB->fetch_assoc($sql_result); $rowcount = $sql_arr['rows']; @@ -40,14 +39,13 @@ $commands .= sprintf("this.set_env('pagecount', %d);\n", $pages); $start_row = ($CONTACTS_LIST['page']-1) * $CONFIG['pagesize']; // get contacts from DB -$sql_result = $DB->query(sprintf("SELECT * FROM %s - WHERE del!='1' - AND user_id=%d - ORDER BY name", - get_table_name('contacts'), - $_SESSION['user_id']), - $start_row, - $CONFIG['pagesize']); +$sql_result = $DB->limitquery("SELECT * FROM ".get_table_name('contacts')." + WHERE del<>'1' + AND user_id=? + ORDER BY name", + $start_row, + $CONFIG['pagesize'], + $_SESSION['user_id']); $commands .= rcmail_js_contacts_list($sql_result); diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc index 62cc5d8a6..814f50a34 100644 --- a/program/steps/addressbook/save.inc +++ b/program/steps/addressbook/save.inc @@ -39,15 +39,13 @@ if ($_POST['_cid']) if (sizeof($a_write_sql)) { - $DB->query(sprintf("UPDATE %s - SET %s - WHERE contact_id=%d - AND user_id=%d - AND del!='1'", - get_table_name('contacts'), - join(', ', $a_write_sql), - $_POST['_cid'], - $_SESSION['user_id'])); + $DB->query("UPDATE ".get_table_name('contacts')." + SET ".join(', ', $a_write_sql)." + WHERE contact_id=? + AND user_id=? + AND del<>'1'", + $_POST['_cid'], + $_SESSION['user_id']); $updated = $DB->affected_rows(); } @@ -63,13 +61,12 @@ if ($_POST['_cid']) $a_show_cols = array('name', 'email'); $a_js_cols = array(); - $sql_result = $DB->query(sprintf("SELECT * FROM %s - WHERE contact_id=%d - AND user_id=%d - AND del!='1'", - get_table_name('contacts'), + $sql_result = $DB->query("SELECT * FROM ".get_table_name('contacts')." + WHERE contact_id=? + AND user_id=? + AND del<>'1'", $_POST['_cid'], - $_SESSION['user_id'])); + $_SESSION['user_id']); $sql_arr = $DB->fetch_assoc($sql_result); foreach ($a_show_cols as $col) @@ -111,13 +108,10 @@ else if (sizeof($a_insert_cols)) { - $DB->query(sprintf("INSERT INTO %s - (user_id, %s) - VALUES (%d, %s)", - get_table_name('contacts'), - join(', ', $a_insert_cols), - $_SESSION['user_id'], - join(', ', $a_insert_values))); + $DB->query("INSERT INTO ".get_table_name('contacts')." + (user_id, ".join(', ', $a_insert_cols).") + VALUES (?, ".join(', ', $a_insert_values).")", + $_SESSION['user_id']); $insert_id = $DB->insert_id(); } @@ -131,12 +125,11 @@ else { // add contact row or jump to the page where it should appear $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME); - $sql_result = $DB->query(sprintf("SELECT * FROM %s - WHERE contact_id=%d - AND user_id=%d", - get_table_name('contacts'), - $insert_id, - $_SESSION['user_id'])); + $sql_result = $DB->query("SELECT * FROM ".get_table_name('contacts')." + WHERE contact_id=? + AND user_id=?", + $insert_id, + $_SESSION['user_id']); $commands .= rcmail_js_contacts_list($sql_result, $JS_OBJECT_NAME); $commands .= sprintf("if(parent.%s)parent.%s.select('%d');\n", diff --git a/program/steps/addressbook/show.inc b/program/steps/addressbook/show.inc index 4129cd27f..83db486cc 100644 --- a/program/steps/addressbook/show.inc +++ b/program/steps/addressbook/show.inc @@ -23,13 +23,12 @@ if ($_GET['_cid'] || $_POST['_cid']) { $cid = $_POST['_cid'] ? $_POST['_cid'] : $_GET['_cid']; - $DB->query(sprintf("SELECT * FROM %s - WHERE contact_id=%d - AND user_id=%d - AND del!='1'", - get_table_name('contacts'), - $cid, - $_SESSION['user_id'])); + $DB->query("SELECT * FROM ".get_table_name('contacts')." + WHERE contact_id=? + AND user_id=? + AND del<>'1'", + $cid, + $_SESSION['user_id']); $CONTACT_RECORD = $DB->fetch_assoc(); diff --git a/program/steps/mail/addcontact.inc b/program/steps/mail/addcontact.inc index 465ed3125..6ead67812 100644 --- a/program/steps/mail/addcontact.inc +++ b/program/steps/mail/addcontact.inc @@ -29,13 +29,11 @@ if ($_GET['_address']) $contact = $contact_arr[1]; if ($contact['mailto']) - $sql_result = $DB->query(sprintf("SELECT 1 FROM %s - WHERE user_id=%d - AND email='%s' - AND del!='1'", - get_table_name('contacts'), - $_SESSION['user_id'], - $contact['mailto'])); + $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('contacts')." + WHERE user_id=? + AND email=? + AND del<>'1'", + $_SESSION['user_id'],$contact['mailto']); // contact entry with this mail address exists if ($sql_result && $DB->num_rows($sql_result)) @@ -43,13 +41,12 @@ if ($_GET['_address']) else if ($contact['mailto']) { - $DB->query(sprintf("INSERT INTO %s - (user_id, name, email) - VALUES (%d, '%s', '%s')", - get_table_name('contacts'), - $_SESSION['user_id'], - $contact['name'], - $contact['mailto'])); + $DB->query("INSERT INTO ".get_table_name('contacts')." + (user_id, name, email) + VALUES (?, ?, ?)", + $_SESSION['user_id'], + $contact['name'], + $contact['mailto']); $added = $DB->insert_id(); } diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index f7e094aa0..f70759914 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -87,13 +87,11 @@ function rcmail_compose_headers($attrib) $field_attrib[$attr] = $value; // get this user's identities - $sql_result = $DB->query(sprintf("SELECT identity_id, name, email - FROM %s - WHERE user_id=%d - AND del!='1' - ORDER BY `default` DESC, name ASC", - get_table_name('identities'), - $_SESSION['user_id'])); + $sql_result = $DB->query("SELECT identity_id, name, email + FROM ".get_table_name('identities')." WHERE user_id=? + AND del<>'1' + ORDER BY ".$DB->quoteIdentifier('default')." DESC, name ASC", + $_SESSION['user_id']); if ($DB->num_rows($sql_result)) { @@ -123,14 +121,11 @@ function rcmail_compose_headers($attrib) if (!empty($_GET['_to']) && preg_match('/[0-9]+,?/', $_GET['_to'])) { $a_recipients = array(); - $sql_result = $DB->query(sprintf("SELECT name, email - FROM %s - WHERE user_id=%d - AND del!='1' - AND contact_id IN (%s)", - get_table_name('contacts'), - $_SESSION['user_id'], - $_GET['_to'])); + $sql_result = $DB->query("SELECT name, email + FROM ".get_table_name('contacts')." WHERE user_id=? + AND del<>'1' + AND contact_id IN (".$_GET['_to'].")", + $_SESSION['user_id']); while ($sql_arr = $DB->fetch_assoc($sql_result)) $a_recipients[] = format_email_recipient($sql_arr['email'], $sql_arr['name']); @@ -559,12 +554,9 @@ function format_email_recipient($email, $name='') /****** get contacts for this user and add them to client scripts ********/ -$sql_result = $DB->query(sprintf("SELECT name, email - FROM %s - WHERE user_id=%d - AND del!='1'", - get_table_name('contacts'), - $_SESSION['user_id'])); +$sql_result = $DB->query("SELECT name, email + FROM ".get_table_name('contacts')." WHERE user_id=? + AND del<>'1'",$_SESSION['user_id']); if ($DB->num_rows($sql_result)) { diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index bacb1b1e8..ddd08f11e 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -42,14 +42,12 @@ function rcmail_get_identity($id) global $DB; // get identity record - $sql_result = $DB->query(sprintf("SELECT *, email AS mailto - FROM %s - WHERE identity_id=%d - AND user_id=%d - AND del!='1'", - get_table_name('identities'), - $id, - $_SESSION['user_id'])); + $sql_result = $DB->query("SELECT *, email AS mailto + FROM ".get_table_name('identities')." + WHERE identity_id=? + AND user_id=? + AND del<>'1'", + $id,$_SESSION['user_id']); if ($DB->num_rows($sql_result)) { diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc index 58fda4970..3bca860b3 100644 --- a/program/steps/settings/delete_identity.inc +++ b/program/steps/settings/delete_identity.inc @@ -23,13 +23,11 @@ $REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE; if ($_GET['_iid']) { - $DB->query(sprintf("UPDATE %s - SET del='1' - WHERE user_id=%d - AND identity_id IN (%s)", - get_table_name('identities'), - $_SESSION['user_id'], - $_GET['_iid'])); + $DB->query("UPDATE ".get_table_name('identities')." + SET del='1' + WHERE user_id=? + AND identity_id IN (".$_GET['_iid'].")", + $_SESSION['user_id']); $count = $DB->affected_rows(); if ($count) diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index e0f649cdc..dc2f14990 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -22,13 +22,12 @@ if (($_GET['_iid'] || $_POST['_iid']) && $_action=='edit-identity') { $id = $_POST['_iid'] ? $_POST['_iid'] : $_GET['_iid']; - $DB->query(sprintf("SELECT * FROM %s - WHERE identity_id=%d - AND user_id=%d - AND del!='1'", - get_table_name('identities'), - $id, - $_SESSION['user_id'])); + $DB->query("SELECT * FROM ".get_table_name('identities')." + WHERE identity_id=? + AND user_id=? + AND del<>'1'", + $id, + $_SESSION['user_id']); $IDENTITY_RECORD = $DB->fetch_assoc(); diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index 621acd96c..9b7ef002b 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -21,10 +21,9 @@ // get user record -$sql_result = $DB->query(sprintf("SELECT username, mail_host FROM %s - WHERE user_id=%d", - get_table_name('users'), - $_SESSION['user_id'])); +$sql_result = $DB->query("SELECT username, mail_host FROM ".get_table_name('users')." + WHERE user_id=?", + $_SESSION['user_id']); if ($USER_DATA = $DB->fetch_assoc($sql_result)) $PAGE_TITLE = sprintf('%s %s@%s', rcube_label('settingsfor'), $USER_DATA['username'], $USER_DATA['mail_host']); @@ -143,12 +142,11 @@ function rcmail_identities_list($attrib) // get contacts from DB - $sql_result = $DB->query(sprintf("SELECT * FROM %s - WHERE del!='1' - AND user_id=%d - ORDER BY `default` DESC, name ASC", - get_table_name('identities'), - $_SESSION['user_id'])); + $sql_result = $DB->query("SELECT * FROM ".get_table_name('identities')." + WHERE del<>'1' + AND user_id=? + ORDER BY ".$DB->quoteIdentifier('default')." DESC, name ASC", + $_SESSION['user_id']); // add id to message list table if not specified diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 39bf8fa84..680833d7c 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -38,15 +38,13 @@ if ($_POST['_iid']) if (sizeof($a_write_sql)) { - $DB->query(sprintf("UPDATE %s - SET %s - WHERE identity_id=%d - AND user_id=%d - AND del!='1'", - get_table_name('identities'), - join(', ', $a_write_sql), - $_POST['_iid'], - $_SESSION['user_id'])); + $DB->query("UPDATE ".get_table_name('identities')." + SET ".join(', ', $a_write_sql)." + WHERE identity_id=? + AND user_id=? + AND del<>'1'", + $_POST['_iid'], + $_SESSION['user_id']); $updated = $DB->affected_rows(); } @@ -56,14 +54,13 @@ if ($_POST['_iid']) show_message('successfullysaved', 'confirmation'); // mark all other identities as 'not-default' - $DB->query(sprintf("UPDATE %s - SET `default`='0' - WHERE identity_id!=%d - AND user_id=%d - AND del!='1'", - get_table_name('identities'), - $_POST['_iid'], - $_SESSION['user_id'])); + $DB->query("UPDATE ".get_table_name('identities')." + SET ".$DB->quoteIdentifier('default')."='0' + WHERE identity_id!=? + AND user_id=? + AND del<>'1'", + $_POST['_iid'], + $_SESSION['user_id']); if ($_POST['_framed']) { @@ -89,19 +86,16 @@ else if (!isset($_POST[$fname])) continue; - $a_insert_cols[] = "`$col`"; + $a_insert_cols[] = $DB->quoteIdentifier($col); $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname])); } if (sizeof($a_insert_cols)) { - $DB->query(sprintf("INSERT INTO %s - (user_id, %s) - VALUES (%d, %s)", - get_table_name('identities'), - join(', ', $a_insert_cols), - $_SESSION['user_id'], - join(', ', $a_insert_values))); + $DB->query("INSERT INTO ".get_table_name('identities')." + (user_id, ".join(', ', $a_insert_cols).") + VALUES (?, ".join(', ', $a_insert_values).")", + $_SESSION['user_id']); $insert_id = $DB->insert_id(); } diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc index 7cc327028..1322acaf7 100644 --- a/program/steps/settings/save_prefs.inc +++ b/program/steps/settings/save_prefs.inc @@ -35,14 +35,13 @@ if (isset($_POST['_language'])) $sess_user_lang = $_SESSION['user_lang'] = $_POST['_language']; -$DB->query(sprintf("UPDATE %s - SET preferences='%s', - language='%s' - WHERE user_id=%d", - get_table_name('users'), - addslashes(serialize($a_user_prefs)), - $sess_user_lang, - $_SESSION['user_id'])); +$DB->query("UPDATE ".get_table_name('users')." + SET preferences=?, + language=? + WHERE user_id=?", + serialize($a_user_prefs), + $sess_user_lang, + $_SESSION['user_id']); if ($DB->affected_rows()) {