
#378 - Sécurisation des requêtes MYSQL

cobalt74 7 years ago
parent
commit
981c3b4376
7 changed files with 28 additions and 28 deletions
  1. 3 3
      Event.class.php
  2. 2 2
      Feed.class.php
  3. 2 2
      Folder.class.php
  4. 4 4
      MysqlEntity.class.php
  5. 1 1
      action.php
  6. 8 8
      article.php
  7. 8 8
      index.php

+ 3 - 3
Event.class.php

@@ -51,7 +51,7 @@ class Event extends MysqlEntity{
 
     function getEventCountPerFolder(){
         $events = array();
-        $results = $this->customQuery('SELECT COUNT('.MYSQL_PREFIX.$this->TABLE_NAME.'.id),'.MYSQL_PREFIX.'feed.folder FROM '.MYSQL_PREFIX.$this->TABLE_NAME.' INNER JOIN '.MYSQL_PREFIX.'feed ON ('.MYSQL_PREFIX.'event.feed = '.MYSQL_PREFIX.'feed.id) WHERE '.MYSQL_PREFIX.$this->TABLE_NAME.'.unread=1 GROUP BY '.MYSQL_PREFIX.'feed.folder');
+        $results = $this->customQuery('SELECT COUNT(`'.MYSQL_PREFIX.$this->TABLE_NAME.'`.`id`),`'.MYSQL_PREFIX.'feed`.`folder` FROM `'.MYSQL_PREFIX.$this->TABLE_NAME.'` INNER JOIN `'.MYSQL_PREFIX.'feed` ON (`'.MYSQL_PREFIX.'event`.`feed` = `'.MYSQL_PREFIX.'feed`.`id`) WHERE `'.MYSQL_PREFIX.$this->TABLE_NAME.'`.`unread`=1 GROUP BY `'.MYSQL_PREFIX.'feed`.`folder`');
         while($item = mysql_fetch_array($results)){
             $events[$item[1]] = $item[0];
         }
@@ -60,7 +60,7 @@ class Event extends MysqlEntity{
     }
 
     function getEventCountNotVerboseFeed(){
-        $results = $this->customQuery('SELECT COUNT(1) FROM '.MYSQL_PREFIX.$this->TABLE_NAME.' INNER JOIN '.MYSQL_PREFIX.'feed ON ('.MYSQL_PREFIX.'event.feed = '.MYSQL_PREFIX.'feed.id) WHERE '.MYSQL_PREFIX.$this->TABLE_NAME.'.unread=1 AND '.MYSQL_PREFIX.'feed.isverbose=0');
+        $results = $this->customQuery('SELECT COUNT(1) FROM `'.MYSQL_PREFIX.$this->TABLE_NAME.'` INNER JOIN `'.MYSQL_PREFIX.'feed` ON (`'.MYSQL_PREFIX.'event`.`feed` = `'.MYSQL_PREFIX.'feed`.`id`) WHERE `'.MYSQL_PREFIX.$this->TABLE_NAME.'`.`unread`=1 AND `'.MYSQL_PREFIX.'feed`.`isverbose`=0');
         while($item = mysql_fetch_array($results)){
             $nbitem =  $item[0];
         }
@@ -71,7 +71,7 @@ class Event extends MysqlEntity{
     function getEventsNotVerboseFeed($start=0,$limit=10000,$order,$columns='*'){
         $eventManager = new Event();
         $objects = array();
-        $results = $this->customQuery('SELECT '.$columns.' FROM '.MYSQL_PREFIX.'event INNER JOIN '.MYSQL_PREFIX.'feed ON ('.MYSQL_PREFIX.'event.feed = '.MYSQL_PREFIX.'feed.id) WHERE '.MYSQL_PREFIX.'event.unread=1 AND '.MYSQL_PREFIX.'feed.isverbose = 0 ORDER BY '.$order.' LIMIT '.$start.','.$limit);
+        $results = $this->customQuery('SELECT '.$columns.' FROM `'.MYSQL_PREFIX.'event` INNER JOIN `'.MYSQL_PREFIX.'feed` ON (`'.MYSQL_PREFIX.'event`.`feed` = `'.MYSQL_PREFIX.'feed`.`id`) WHERE `'.MYSQL_PREFIX.'event`.`unread`=1 AND `'.MYSQL_PREFIX.'feed`.`isverbose` = 0 ORDER BY '.$order.' LIMIT '.$start.','.$limit);
         if($results!=false){
             while($item = mysql_fetch_array($results)){
                 $object = new Event();
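Review bot: In getEventsNotVerboseFeed (third hunk) `$columns`, `$order`, `$start` and `$limit` are still spliced into the SQL as raw strings, so back-quoting the fixed identifiers does not change what an unexpected value of those parameters can do; the hardening in the title only covers reserved-word collisions for the constant parts. The two numeric ones are cheap to pin: `' ORDER BY '.$order.' LIMIT '.intval($start).','.intval($limit)`. For the two fragments that must stay raw SQL, state the contract on the signature, e.g. `// $order and $columns are SQL fragments: pass only constants built in code, never request input` — the callers visible in this commit (article.php, index.php) do build them from fixed strings, but nothing in the method enforces that. Folder::getEvents (the second hunk of Folder.class.php) has the identical shape and needs the same treatment; both method bodies continue past the end of their hunks.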

+ 2 - 2
Feed.class.php

@@ -243,7 +243,7 @@ class Feed extends MysqlEntity{
 
     function countUnreadEvents(){
         $unreads = array();
-        $results = Feed::customQuery("SELECT COUNT(".MYSQL_PREFIX."event.id), ".MYSQL_PREFIX."event.feed FROM ".MYSQL_PREFIX."event WHERE ".MYSQL_PREFIX."event.unread = 1 GROUP BY ".MYSQL_PREFIX."event.feed") ;
+        $results = Feed::customQuery("SELECT COUNT(`".MYSQL_PREFIX."event`.`id`), `".MYSQL_PREFIX."event`.`feed` FROM `".MYSQL_PREFIX."event` WHERE `".MYSQL_PREFIX."event`.`unread` = 1 GROUP BY `".MYSQL_PREFIX."event`.`feed`") ;
         if($results!=false){
             $total = 0;
             while($item = mysql_fetch_array($results)){
@@ -259,7 +259,7 @@ class Feed extends MysqlEntity{
         $feedsFolderMap = array();
         $feedsIdMap = array();
 
-        $results = Feed::customQuery("SELECT ".MYSQL_PREFIX."feed.name AS name, ".MYSQL_PREFIX."feed.id   AS id, ".MYSQL_PREFIX."feed.url  AS url, ".MYSQL_PREFIX."folder.id AS folder FROM ".MYSQL_PREFIX."feed INNER JOIN ".MYSQL_PREFIX."folder ON ( ".MYSQL_PREFIX."feed.folder = ".MYSQL_PREFIX."folder.id ) ORDER BY ".MYSQL_PREFIX."feed.name ;");
+        $results = Feed::customQuery("SELECT `".MYSQL_PREFIX."feed`.`name` AS name, `".MYSQL_PREFIX."feed`.`id`   AS id, `".MYSQL_PREFIX."feed`.`url`  AS url, `".MYSQL_PREFIX."folder`.`id` AS folder FROM `".MYSQL_PREFIX."feed` INNER JOIN `".MYSQL_PREFIX."folder` ON ( `".MYSQL_PREFIX."feed`.`folder` = `".MYSQL_PREFIX."folder`.`id` ) ORDER BY `".MYSQL_PREFIX."feed`.`name` ;");
         if($results!=false){
             while($item = mysql_fetch_array($results)){
                 $name = $item['name'];
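Review bot: Both changed lines call `Feed::customQuery(...)` statically, while every other caller in this commit uses `$this->customQuery(...)` (Event.class.php, Folder.class.php, MysqlEntity.class.php destroy/truncate/count). If customQuery is declared as an instance method on MysqlEntity, which the `$this->` usage suggests, this is a non-static call of an instance method: tolerated with a deprecation notice on older PHP, a fatal `Error` on PHP 8. Since the lines are being rewritten anyway, switching to `$results = $this->customQuery("SELECT COUNT(`".MYSQL_PREFIX."event`.`id`), ...` (and likewise on the second hunk) removes the inconsistency; I cannot see the declaration from here, so confirm before changing.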

+ 2 - 2
Folder.class.php

@@ -20,7 +20,7 @@ class Folder extends MysqlEntity{
     );
 
     function unreadCount(){
-        $results = $this->customQuery('SELECT COUNT('.MYSQL_PREFIX.'event.id) FROM '.MYSQL_PREFIX.'event INNER JOIN '.MYSQL_PREFIX.'feed ON ('.MYSQL_PREFIX.'event.feed = '.MYSQL_PREFIX.'feed.id) WHERE '.MYSQL_PREFIX.'event.unread=1 AND '.MYSQL_PREFIX.'feed.folder = '.$this->getId());
+        $results = $this->customQuery('SELECT COUNT(`'.MYSQL_PREFIX.'event`.`id`) FROM `'.MYSQL_PREFIX.'event` INNER JOIN `'.MYSQL_PREFIX.'feed` ON (`'.MYSQL_PREFIX.'event`.`feed` = `'.MYSQL_PREFIX.'feed`.`id`) WHERE `'.MYSQL_PREFIX.'event`.`unread`=1 AND `'.MYSQL_PREFIX.'feed`.`folder` = '.$this->getId());
         $number = mysql_fetch_array($results);
         return $number[0];
     }
@@ -29,7 +29,7 @@ class Folder extends MysqlEntity{
     function getEvents($start=0,$limit=10000,$order,$columns='*'){
         $eventManager = new Event();
         $objects = array();
-        $results = $this->customQuery('SELECT '.$columns.' FROM '.MYSQL_PREFIX.'event INNER JOIN '.MYSQL_PREFIX.'feed ON ('.MYSQL_PREFIX.'event.feed = '.MYSQL_PREFIX.'feed.id) WHERE '.MYSQL_PREFIX.'event.unread=1 AND '.MYSQL_PREFIX.'feed.folder = '.$this->getId().' ORDER BY '.$order.' LIMIT '.$start.','.$limit);
+        $results = $this->customQuery('SELECT '.$columns.' FROM `'.MYSQL_PREFIX.'event` INNER JOIN `'.MYSQL_PREFIX.'feed` ON (`'.MYSQL_PREFIX.'event`.`feed` = `'.MYSQL_PREFIX.'feed`.`id`) WHERE `'.MYSQL_PREFIX.'event`.`unread`=1 AND `'.MYSQL_PREFIX.'feed`.`folder` = '.$this->getId().' ORDER BY '.$order.' LIMIT '.$start.','.$limit);
         if($results!=false){
             while($item = mysql_fetch_array($results)){
                 $object = new Event();
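Review bot: unreadCount (first hunk) feeds `$results` straight into `mysql_fetch_array` with no failure check, while getEvents in the same file (second hunk) guards with `if($results!=false)`; if the rewritten query fails, `mysql_fetch_array(false)` raises a warning and `$number[0]` is read from null. A guard before the fetch keeps the two methods consistent: `if($results==false) return 0;`. Both queries also concatenate `$this->getId()` unquoted and uncast; `intval($this->getId())` at both call sites makes the only non-constant part of these statements a guaranteed integer at no cost.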

+ 4 - 4
MysqlEntity.class.php

@@ -95,7 +95,7 @@ class MysqlEntity
     */
     public function destroy($debug=false)
     {
-        $query = 'DROP TABLE IF EXISTS '.MYSQL_PREFIX.$this->TABLE_NAME.';';
+        $query = 'DROP TABLE IF EXISTS `'.MYSQL_PREFIX.$this->TABLE_NAME.'`;';
         if($this->debug)echo '<hr>'.$this->CLASS_NAME.' ('.__METHOD__ .') : Requete --> '.$query.'<br>'.mysql_error();
         $myQuery = $this->customQuery($query);
     }
@@ -109,7 +109,7 @@ class MysqlEntity
     */
     public function truncate($debug=false)
     {
-        $query = 'TRUNCATE TABLE '.MYSQL_PREFIX.$this->TABLE_NAME.';';
+        $query = 'TRUNCATE TABLE `'.MYSQL_PREFIX.$this->TABLE_NAME.'`;';
         if($this->debug)echo '<hr>'.$this->CLASS_NAME.' ('.__METHOD__ .') : Requete --> '.$query.'<br>'.mysql_error();
         $myQuery = $this->customQuery($query);
     }
@@ -357,7 +357,7 @@ class MysqlEntity
                 $whereClause .= '`'.$column.'`="'.$this->secure($value, $column).'"';
             }
         }
-        $query = 'SELECT COUNT(1) FROM '.MYSQL_PREFIX.$this->TABLE_NAME.$whereClause;
+        $query = 'SELECT COUNT(1) FROM `'.MYSQL_PREFIX.$this->TABLE_NAME.'`'.$whereClause;
         if($this->debug)echo '<hr>'.$this->CLASS_NAME.' ('.__METHOD__ .') : Requete --> '.$query.'<br>'.mysql_error();
         $myQuery = $this->customQuery($query);
         $number = mysql_fetch_array($myQuery);
@@ -440,7 +440,7 @@ class MysqlEntity
     */
 
     public function tableExists() {
-        $table = MYSQL_PREFIX.$this->TABLE_NAME;
+        $table = '`'.MYSQL_PREFIX.$this->TABLE_NAME.'';
         $result = $this->customQuery("SHOW TABLES LIKE '$table'");
         $assoc = mysql_fetch_assoc($result);
         return false===$assoc ? false : true;
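Review bot: The new line 135 in tableExists is broken: the string opens a backtick but closes with `''`, so `$table` becomes `` `prefix_table `` with no closing quote, and `SHOW TABLES LIKE '$table'` then looks for a name that starts with a literal backtick and matches nothing. `SHOW TABLES LIKE` takes a string pattern, not an identifier, so backticks do not belong here at all; revert to `$table = MYSQL_PREFIX.$this->TABLE_NAME;`. As far as I can infer from the name, every caller relying on tableExists() (install or upgrade checks, presumably) would see "missing" for tables that exist after this commit. Unrelated but worth a comment while here: `_` is a single-character wildcard in LIKE, so a prefix containing underscores can match more than the intended table; `addcslashes($table, '_%')` would make the pattern exact.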

+ 1 - 1
action.php

@@ -418,7 +418,7 @@ switch ($action){
     case 'removeFolder':
         if($myUser==false) exit(_t('YOU_MUST_BE_CONNECTED_ACTION'));
         if(isset($_['id']) && is_numeric($_['id']) && $_['id']>0){
-            $eventManager->customExecute('DELETE FROM '.MYSQL_PREFIX.'event WHERE '.MYSQL_PREFIX.'event.feed in (SELECT '.MYSQL_PREFIX.'feed.id FROM '.MYSQL_PREFIX.'feed WHERE '.MYSQL_PREFIX.'feed.folder =\''.intval($_['id']).'\') ;');
+            $eventManager->customExecute('DELETE FROM `'.MYSQL_PREFIX.'event` WHERE `'.MYSQL_PREFIX.'event`.`feed` in (SELECT `'.MYSQL_PREFIX.'feed`.`id` FROM `'.MYSQL_PREFIX.'feed` WHERE `'.MYSQL_PREFIX.'feed`.`folder` =\''.intval($_['id']).'\') ;');
             $feedManager->delete(array('folder'=>$_['id']));
             $folderManager->delete(array('id'=>$_['id']));
         }
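Review bot: The rewritten DELETE normalises the id with `intval($_['id'])`, but the two delete() calls right after it on lines 149-150 still pass the raw `$_['id']`; `is_numeric` accepts forms such as `'1e3'` or `' 12'`, so the subquery and the delete() filters can end up targeting different values. Normalise once and reuse it: `$id = intval($_['id']);` before the customExecute, then `$feedManager->delete(array('folder'=>$id));` and `$folderManager->delete(array('id'=>$id));`. The three statements also run without a transaction, so a failure in the second or third leaves orphaned feeds or an empty folder; whether that is acceptable depends on the storage engine, which I cannot see from here. The enclosing switch continues outside the hunk.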

+ 8 - 8
article.php

@@ -36,13 +36,13 @@ $tpl->assign('hightlighted',$hightlighted);
 
 $tpl->assign('time',$_SERVER['REQUEST_TIME']);
 
-$target = MYSQL_PREFIX.'event.title,'.MYSQL_PREFIX.'event.unread,'.MYSQL_PREFIX.'event.favorite,'.MYSQL_PREFIX.'event.feed,';
-if($articleDisplayMode=='summary') $target .= MYSQL_PREFIX.'event.description,';
-if($articleDisplayMode=='content') $target .= MYSQL_PREFIX.'event.content,';
-if($articleDisplayLink) $target .= MYSQL_PREFIX.'event.link,';
-if($articleDisplayDate) $target .= MYSQL_PREFIX.'event.pubdate,';
-if($articleDisplayAuthor) $target .= MYSQL_PREFIX.'event.creator,';
-$target .= MYSQL_PREFIX.'event.id';
+$target = '`'.MYSQL_PREFIX.'event`.`title`,`'.MYSQL_PREFIX.'event`.`unread`,`'.MYSQL_PREFIX.'event`.`favorite`,`'.MYSQL_PREFIX.'event`.`feed`,';
+if($articleDisplayMode=='summary') $target .= '`'.MYSQL_PREFIX.'event`.`description`,';
+if($articleDisplayMode=='content') $target .= '`'.MYSQL_PREFIX.'event`.`content`,';
+if($articleDisplayLink) $target .= '`'.MYSQL_PREFIX.'event`.`link`,';
+if($articleDisplayDate) $target .= '`'.MYSQL_PREFIX.'event`.`pubdate`,';
+if($articleDisplayAuthor) $target .= '`'.MYSQL_PREFIX.'event`.`creator`,';
+$target .= '`'.MYSQL_PREFIX.'event`.`id`';
 
 $startArticle = ($_['scroll']*$articlePerPages)-$_['nblus'];
 if ($startArticle < 0) $startArticle=0;
@@ -67,7 +67,7 @@ switch($action){
     /* AFFICHAGE DES EVENEMENTS D'UN DOSSIER EN PARTICULIER */
     case 'selectedFolder':
         $currentFolder = $folderManager->getById($_['folder']);
-        if($articleDisplayFolderSort) {$order = MYSQL_PREFIX.'event.pubdate desc';} else {$order = MYSQL_PREFIX.'event.pubdate asc';}
+        if($articleDisplayFolderSort) {$order = '`'.MYSQL_PREFIX.'event`.`pubdate` desc';} else {$order = '`'.MYSQL_PREFIX.'event`.`pubdate` asc';}
         $events = $currentFolder->getEvents($startArticle,$articlePerPages,$order,$target);
     break;
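Review bot: The seven lines building `$target` (first hunk) and the `$order` line (second hunk) are duplicated character for character in index.php (its first and second hunks), and this commit had to edit both copies in lockstep; a third copy or a missed edit is the likely next bug. Move the column-list construction into one function taking the display flags and returning the fragment, and have both pages call it, so the back-quoting rule lives in one place. Whatever the helper is called, it should carry a comment that its return value is a raw SQL fragment consumed by getEvents/getEventsNotVerboseFeed, so nobody later feeds it from request input.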
     /* AFFICHAGE DES EVENEMENTS FAVORIS */

+ 8 - 8
index.php

@@ -51,13 +51,13 @@ $tpl->assign('articlePerPages',$articlePerPages);
 $tpl->assign('displayOnlyUnreadFeedFolder',$displayOnlyUnreadFeedFolder);
 $tpl->assign('displayOnlyUnreadFeedFolder_reverse',$displayOnlyUnreadFeedFolder_reverse);
 
-$target = MYSQL_PREFIX.'event.title,'.MYSQL_PREFIX.'event.unread,'.MYSQL_PREFIX.'event.favorite,'.MYSQL_PREFIX.'event.feed,';
-if($articleDisplayMode=='summary') $target .= MYSQL_PREFIX.'event.description,';
-if($articleDisplayMode=='content') $target .= MYSQL_PREFIX.'event.content,';
-if($articleDisplayLink) $target .= MYSQL_PREFIX.'event.link,';
-if($articleDisplayDate) $target .= MYSQL_PREFIX.'event.pubdate,';
-if($articleDisplayAuthor) $target .= MYSQL_PREFIX.'event.creator,';
-$target .= MYSQL_PREFIX.'event.id';
+$target = '`'.MYSQL_PREFIX.'event`.`title`,`'.MYSQL_PREFIX.'event`.`unread`,`'.MYSQL_PREFIX.'event`.`favorite`,`'.MYSQL_PREFIX.'event`.`feed`,';
+if($articleDisplayMode=='summary') $target .= '`'.MYSQL_PREFIX.'event`.`description`,';
+if($articleDisplayMode=='content') $target .= '`'.MYSQL_PREFIX.'event`.`content`,';
+if($articleDisplayLink) $target .= '`'.MYSQL_PREFIX.'event`.`link`,';
+if($articleDisplayDate) $target .= '`'.MYSQL_PREFIX.'event`.`pubdate`,';
+if($articleDisplayAuthor) $target .= '`'.MYSQL_PREFIX.'event`.`creator`,';
+$target .= '`'.MYSQL_PREFIX.'event`.`id`';
 
 $tpl->assign('target',$target);
 $tpl->assign('feeds','');
@@ -102,7 +102,7 @@ switch($action){
         $page = (isset($_['page'])?$_['page']:1);
         $pages = ceil($numberOfItem/$articlePerPages);
         $startArticle = ($page-1)*$articlePerPages;
-        if($articleDisplayFolderSort) {$order = MYSQL_PREFIX.'event.pubdate desc';} else {$order = MYSQL_PREFIX.'event.pubdate asc';}
+        if($articleDisplayFolderSort) {$order = '`'.MYSQL_PREFIX.'event`.`pubdate` desc';} else {$order = '`'.MYSQL_PREFIX.'event`.`pubdate` asc';}
         $events = $currentFolder->getEvents($startArticle,$articlePerPages,$order,$target);