Commit a4957c18 authored by xamgore's avatar xamgore

All variables in model Account are escaped

parent dfbb6478
......@@ -2,23 +2,20 @@
class Model_Account extends Model
{
public static function setHashKey($key)
{
$key = Database::instance()->escape($key);
$sql = "SELECT `SetSettings`('HashKey', '', $key) AS `Key`;";
$res = DB::query(Database::SELECT, $sql)->execute();
return $res->get('Key');
public static function setHashKey($key) {
$sql = "SELECT `SetSettings`('HashKey', '', :key) AS `key`;";
DB::query(Database::SELECT, $sql)
->param(':key', $key)
->execute()->get('key');
}
public static function getHashKey()
{
public static function getHashKey() {
$sql = "CALL `GetSettings`('HashKey');";
$key = DB::query(Database::SELECT, $sql)->execute();
return $key->get('ValS');
return DB::query(Database::SELECT, $sql)
->execute()->get('ValS');
}
public static function getMaintenanceInfo()
{
public static function getMaintenanceInfo() {
$sql = "CALL `GetSettings`('maintenance_active');";
$key = DB::query(Database::SELECT, $sql)->execute();
$result['active'] = ($key->get('Val') == 1);
......@@ -29,231 +26,179 @@ class Model_Account extends Model
}
public static function checkAuth($login, $password) {
$db = Database::instance();
$login = $db->escape($login);
$password = $db->escape($password);
$sql = "SELECT `SignIn`($login, $password) AS `ID`;";
$res = DB::query(Database::SELECT, $sql)->execute();
return $res->get('ID');
}
public static function ChangeTeacherInfo($id, $lastName, $firstName, $secondName, $degreeID, $departmentID)
{
$db = Database::instance();
$lastName = $db->escape($lastName);
$secondName = $db->escape($secondName);
$firstName = $db->escape($firstName);
$sql = "SELECT `ChangeTeacherInfo`('$id', $lastName, $firstName, $secondName, '$degreeID', '$departmentID') AS `UserID`;";
$key = DB::query(Database::SELECT, $sql)->execute();
return $key->get('UserID');
}
public static function createTeacher($lastName, $firstName, $secondName, $degreeID, $departmentID, $activationCode)
{
$db = Database::instance();
$lastName = $db->escape($lastName);
$secondName = $db->escape($secondName);
$firstName = $db->escape($firstName);
$activationCode = $db->escape($activationCode);
$sql = "SELECT `CreateTeacher`($lastName, $firstName, $secondName, '$degreeID', '$departmentID', $activationCode) AS `UserID`;";
$key = DB::query(Database::SELECT, $sql)->execute();
return $key->get('UserID');
}
public static function createTeacherByDepName($lastName, $firstName, $secondName, $departmentID, $facultyID, $activationCode)
{
$sql = "SELECT `SignIn`(:login, :pass) AS `ID`;";
return DB::query(Database::SELECT, $sql)
->param(':login', $login)
->param(':pass', $password)
->execute()->get('ID');
}
public static function changeTeacherInfo($id, $lastName, $firstName, $secondName, $degreeID, $departmentID) {
$sql = "SELECT `ChangeTeacherInfo`(:id, :last, :first, :second, :degree, :department) AS `UserID`;";
return DB::query(Database::SELECT, $sql)
->parameters([
':id' => $id,
':last' => $lastName,
':first' => $firstName,
':second' => $secondName,
':degree' => $degreeID,
'department' => $departmentID,
])->execute()->get('UserID');
}
public static function createTeacher($lastName, $firstName, $secondName, $degreeID, $departmentID, $activationCode) {
$sql = "SELECT `CreateTeacher`() AS `UserID`;";
return DB::query(Database::SELECT, $sql)
->parameters([
':last' => $lastName,
':first' => $firstName,
':second' => $secondName,
':degree' => $degreeID,
':department' => $departmentID,
':code' => $activationCode,
])->execute()->get('UserID');
}
public static function createTeacherByDepName($lastName, $firstName, $secondName, $departmentID, $facultyID, $activationCode) {
if ($departmentID == '') {
return -1;
}
$db = Database::instance();
$lastName = $db->escape($lastName);
$secondName = $db->escape($secondName);
$firstName = $db->escape($firstName);
$activationCode = $db->escape($activationCode);
$departmentID = $db->escape($departmentID);
$sql = "SELECT `CreateTeacherByDepName`($lastName, $firstName, $secondName, $departmentID, '$facultyID', $activationCode) AS `UserID`;";
$key = DB::query(Database::SELECT, $sql)->execute();
return $key->get('UserID');
}
public static function createStudent($lastName, $firstName, $secondName, $grade, $groupNum, $facultyID, $activationCode)
{
$db = Database::instance();
$lastName = $db->escape($lastName);
$secondName = $db->escape($secondName);
$firstName = $db->escape($firstName);
$activationCode = $db->escape($activationCode);
$sql = "SELECT `CreateStudent`($lastName, $firstName, $secondName, '$grade', '$groupNum', '$facultyID', $activationCode) AS `UserID`;";
$key = DB::query(Database::SELECT, $sql)->execute();
return $key->get('UserID');
}
public static function createStudentEx($lastName, $firstName, $secondName, $gradeNum, $groupNum, $degree, $specialization, $facultyID, $activationCode)
{
$db = Database::instance();
$lastName = $db->escape($lastName);
$secondName = $db->escape($secondName);
$firstName = $db->escape($firstName);
$activationCode = $db->escape($activationCode);
$degree = $db->escape($degree);
$specialization = $db->escape($specialization);
$sql = "SELECT `CreateStudentEx`($lastName, $firstName, $secondName, '$gradeNum', '$groupNum', $degree, $specialization, '$facultyID', $activationCode) AS `UserID`;";
$key = DB::query(Database::SELECT, $sql)->execute();
return $key->get('UserID');
$sql = "SELECT `CreateTeacherByDepName`(:last, :first, :second, :department, :faculty, :code) AS `UserID`;";
return DB::query(Database::SELECT, $sql)
->parameters([
':last' => $lastName,
':first' => $firstName,
':second' => $secondName,
':department' => $departmentID,
':faculty' => $facultyID,
':code' => $activationCode,
])->execute()->get('UserID');
}
public static function createStudent($lastName, $firstName, $secondName, $grade, $groupNum, $facultyID, $activationCode) {
$sql = "SELECT `CreateStudent`(:last, :first, :second, :grade, :group, :faculty, :code) AS `UserID`;";
return DB::query(Database::SELECT, $sql)
->parameters([
':last' => $lastName,
':first' => $firstName,
':second' => $secondName,
':grade' => $grade,
':group' => $groupNum,
':faculty' => $facultyID,
':code' => $activationCode,
])->execute()->get('UserID');
}
public static function createStudentEx($lastName, $firstName, $secondName, $gradeNum, $groupNum, $degree, $specialization, $facultyID, $activationCode) {
$sql = "SELECT `CreateStudentEx`(:last, :first, :second, :grade, :group, :degree, :spec, :faculty, :code) AS `UserID`;";
return DB::query(Database::SELECT, $sql)
->parameters([
':last' => $lastName,
':first' => $firstName,
':second' => $secondName,
':grade' => $gradeNum,
':group' => $groupNum,
':degree' => $degree,
':spec' => $specialization,
':faculty' => $facultyID,
':code' => $activationCode,
])->execute()->get('UserID');
}
public static function getPersonalInfo($id, $semesterID = null) {
$semesterID = $semesterID ? $semesterID : User::instance()->SemesterID;
$sql = "CALL `GetPersonalInfo`('$id', $semesterID);";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query[0];
$sql = "CALL `GetPersonalInfo`(:id, :semester);";
return DB::query(Database::SELECT, $sql)
->param(':semester', (int) $semesterID)
->param(':id', (int) $id)
->execute()[0];
}
public static function GetAccountInfo($id)
{
$sql = "CALL GetAccountInfo('$id');";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query[0];
public static function getAccountInfo($id) {
return DB::query(Database::SELECT, "CALL GetAccountInfo(:id);")
->param(':id', (int) $id)->execute()[0];
}
/**
* @param int $id
* @param string $data
* @param string $type 'email', 'login' or 'password'
* @param string $value
* @param string $type 'email', 'login' or 'password'
* @return int
*/
public static function changeAccountData($accountID, $data, $type)
{
$data = Database::instance()->escape($data);
$type = Database::instance()->escape($type);
$sql = "SELECT `ChangeAccountData`('$accountID', $data, $type) AS Num;";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query->get('Num');
}
# TODO: deprecated (use changeAccountData instead)
public static function changeMail($id, $mail)
{
$mail = Database::instance()->escape($mail);
$sql = "SELECT `ChangeAccountData`('$id', $mail, 'email') AS Num;";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query->get('Num');
}
# TODO: deprecated (use changeAccountData instead)
public static function changeLogin($id, $login)
{
$login = Database::instance()->escape($login);
$sql = "SELECT `ChangeAccountData`('$id', $login, 'login') AS Num;";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query->get('Num');
}
# TODO: deprecated (use changeAccountData instead)
public static function changePassword($id, $password)
{
$password = Database::instance()->escape($password);
$sql = "SELECT `ChangeAccountData`('$id', $password, 'password') AS Num;";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query->get('Num');
public static function changeAccountData($id, $value, $type) {
$sql = "SELECT `ChangeAccountData`(:account, :value, :type) AS Num;";
return DB::query(Database::SELECT, $sql)
->parameters([
':account' => $id,
':value' => $value,
':type' => $type,
])->execute()->get('Num');
}
/**
* @param string $data
* @param string $type 'login','email' or 'code'
* @param string $type 'login','email' or 'code'
* @return int
*/
public static function checkAccountExistence($data, $type) {
$data = Database::instance()->escape($data);
$type = Database::instance()->escape($type);
$sql = "SELECT `CheckAccountExistence`($data, $type) AS Num;";
$res = DB::query(Database::SELECT, $sql)->execute();
return $res->get('Num');
}
# TODO: deprecated (use checkAccountExistence instead)
public static function getAccNumByLogin($login)
{
$login = Database::instance()->escape($login);
$sql = "SELECT `CheckAccountExistence`($login, 'login') AS Num;";
$res = DB::query(Database::SELECT, $sql)->execute();
return $res->get('Num');
$sql = "SELECT `CheckAccountExistence`(:data, :type) AS Num;";
return DB::query(Database::SELECT, $sql)
->param(':data', $data)
->param(':type', $type)
->execute()->get('Num');
}
# TODO: deprecated (use checkAccountExistence instead)
public static function getAccNumByMail($email)
{
$email = Database::instance()->escape($email);
$sql = "SELECT `CheckAccountExistence`($email, 'email') AS Num;";
$res = DB::query(Database::SELECT, $sql)->execute();
return $res->get('Num');
public static function isActivationCodeValid($code) {
$sql = "SELECT `CheckAccountExistence`(:acode, 'code') AS Num;";
$res = DB::query(Database::SELECT, $sql)
->param(':acode', $code)
->execute()->get('Num');
return $res == 1;
}
public static function isActivationCodeValid($code)
{
$code = Database::instance()->escape($code);
$sql = "SELECT `CheckAccountExistence`($code, 'code') AS Num;";
$res = DB::query(Database::SELECT, $sql)->execute();
$count = $res->get('Num');
return $count == 1;
}
public static function createRecoveryToken($email, $token)
{
$db = Database::instance();
$email = $db->escape($email);
$token = $db->escape($token);
$sql = "SELECT `CreateRecoveryToken`($email, $token) AS UserName;";
$res = DB::query(Database::SELECT, $sql)->execute();
return $res->get('UserName');
public static function createRecoveryToken($email, $token) {
$sql = "SELECT `CreateRecoveryToken`(:email, :token) AS UserName;";
return DB::query(Database::SELECT, $sql)
->param(':email', $email)
->param(':token', $token)
->execute()->get('UserName');
}
public static function getRecoveryInfoByEMail($email)
{
$email = Database::instance()->escape($email);
$sql = "CALL GetRecoveryInfoByEMail($email);";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query;
public static function getRecoveryInfoByEMail($email) {
$sql = "CALL GetRecoveryInfoByEMail(:email);";
return DB::query(Database::SELECT, $sql)
->param(':email', $email)
->execute();
}
public static function getRecoveryInfoByToken($token)
{
$token = Database::instance()->escape($token);
$sql = "CALL GetRecoveryInfoByToken($token);";
$query = DB::query(Database::SELECT, $sql)->execute();
return $query;
public static function getRecoveryInfoByToken($token) {
$sql = "CALL GetRecoveryInfoByToken(:token);";
return DB::query(Database::SELECT, $sql)
->param(':token', $token)->execute();
}
public static function useRecoveryToken($token)
{
$token = Database::instance()->escape($token);
$sql = "SELECT `UseRecoveryToken`($token) AS Num;";
$email = DB::query(Database::SELECT, $sql)->execute();
return $email->get('Num');
public static function useRecoveryToken($token) {
$sql = "SELECT `UseRecoveryToken`(:token) AS Num;";
return DB::query(Database::SELECT, $sql)
->param(':token', $token)
->execute()->get('Num');
}
public static function activateAccount($login, $password, $email, $code)
{
$db = Database::instance();
$login = $db->escape($login);
$password = $db->escape($password);
$email = $db->escape($email);
$code = $db->escape($code);
$sql = "SELECT `ActivateAccount` ($code, $login, $email, $password) AS `Num`; ";
$res = DB::query(Database::SELECT, $sql)->execute();
return $res->get('Num');
public static function activateAccount($login, $password, $email, $code) {
$sql = "SELECT `ActivateAccount`(:code, :login, :email, :pass) AS `Num`;";
return DB::query(Database::SELECT, $sql)
->parameters([
':code' => $code,
':login' => $login,
':email' => $email,
':pass' => $password,
])->execute()->get('Num');
}
public static function getCurSemesterID() {
$sql = "CALL `GetSettings`('SemesterID');";
$res = DB::query(Database::SELECT, $sql)->execute();
$id = null;
return $res->get('Val');
return DB::query(Database::SELECT, $sql)
->execute()->get('Val');
}
}
\ No newline at end of file
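Review bot: The new `createTeacher` body runs `SELECT `CreateTeacher`() AS `UserID`;` with no placeholders, so the six values bound via `->parameters([...])` never reach the stored function and the call either errors out on the argument count or returns an undefined result; the query line should read `$sql = "SELECT `CreateTeacher`(:last, :first, :second, :degree, :department, :code) AS `UserID`;";`. In `changeTeacherInfo` the array key `'department' => $departmentID` is missing its leading colon, so `:department` in the SQL text stays unbound — it should be `':department' => $departmentID,`. `setHashKey` also lost its return value: the old body returned `$res->get('Key')`, whereas the new one executes the query and discards the result, so prepend `return ` to the `DB::query(Database::SELECT, $sql)` line (or document that the return was dropped on purpose). Note that Kohana's `DB::query()->param()` appears to substitute quoted values into the SQL string at compile time rather than issue a server-side prepared statement; that still closes the injection path the commit targets, and the explicit `(int)` casts used for `$id`/`$semesterID` in `getPersonalInfo` are worth applying to the other numeric IDs (`$degreeID`, `$departmentID`, `$facultyID`) for the same reason.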
......@@ -244,7 +244,7 @@ class User implements ArrayAccess
public function changeProfile($data) {
if ($this->Type == 'teacher') {
Model_Account::ChangeTeacherInfo($this['TeacherID'], $data['lastName'], $data['firstName'], $data['secondName'], $data['jobPositionID'], $data['departmentID']);
Model_Account::changeTeacherInfo($this['TeacherID'], $data['lastName'], $data['firstName'], $data['secondName'], $data['jobPositionID'], $data['departmentID']);
}
}