From a4957c186c6f32acbeb32e0bf6e1ac052cf22044 Mon Sep 17 00:00:00 2001 From: xamgore <xamgore@ya.ru> Date: Tue, 9 Jun 2015 21:54:47 +0300 Subject: [PATCH] All variables at model Account are escaped --- .../application/classes/Model/Account.php | 347 ++++++++---------- ~dev_rating/application/classes/User.php | 2 +- 2 files changed, 147 insertions(+), 202 deletions(-) diff --git a/~dev_rating/application/classes/Model/Account.php b/~dev_rating/application/classes/Model/Account.php index 3170d4eb8..088d40b25 100644 --- a/~dev_rating/application/classes/Model/Account.php +++ b/~dev_rating/application/classes/Model/Account.php @@ -2,23 +2,20 @@ class Model_Account extends Model { - public static function setHashKey($key) - { - $key = Database::instance()->escape($key); - $sql = "SELECT `SetSettings`('HashKey', '', $key) AS `Key`;"; - $res = DB::query(Database::SELECT, $sql)->execute(); - return $res->get('Key'); + public static function setHashKey($key) { + $sql = "SELECT `SetSettings`('HashKey', '', :key) AS `key`;"; + DB::query(Database::SELECT, $sql) + ->param(':key', $key) + ->execute()->get('key'); } - public static function getHashKey() - { + public static function getHashKey() { $sql = "CALL `GetSettings`('HashKey');"; - $key = DB::query(Database::SELECT, $sql)->execute(); - return $key->get('ValS'); + return DB::query(Database::SELECT, $sql) + ->execute()->get('ValS'); } - public static function getMaintenanceInfo() - { + public static function getMaintenanceInfo() { $sql = "CALL `GetSettings`('maintenance_active');"; $key = DB::query(Database::SELECT, $sql)->execute(); $result['active'] = ($key->get('Val') == 1); 
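Review bot: The rewritten setHashKey drops the `return` the removed body had, so `DB::query(Database::SELECT, $sql)->param(':key', $key)->execute()->get('key')` computes the value and discards it, and every caller now receives null; the chain should begin `return DB::query(Database::SELECT, $sql)`. The alias change from `Key` to `key` matches the new `get('key')` read, so the missing return is the only regression in this hunk. Worth noting for the whole patch: if this is Kohana's Database_Query, `param()` quotes the value and substitutes it into the SQL text when the query is compiled rather than binding it server-side, so the commit centralises the escaping it replaces but does not turn these calls into prepared statements.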
@@ -29,231 +26,179 @@ class Model_Account extends Model } public static function checkAuth($login, $password) { - $db = Database::instance(); - $login = $db->escape($login); - $password = $db->escape($password); - $sql = "SELECT `SignIn`($login, $password) AS `ID`;"; - $res = DB::query(Database::SELECT, $sql)->execute(); - return $res->get('ID'); - } - - - public static function ChangeTeacherInfo($id, $lastName, $firstName, $secondName, $degreeID, $departmentID) - { - $db = Database::instance(); - $lastName = $db->escape($lastName); - $secondName = $db->escape($secondName); - $firstName = $db->escape($firstName); - $sql = "SELECT `ChangeTeacherInfo`('$id', $lastName, $firstName, $secondName, '$degreeID', '$departmentID') AS `UserID`;"; - $key = DB::query(Database::SELECT, $sql)->execute(); - return $key->get('UserID'); - } - - - public static function createTeacher($lastName, $firstName, $secondName, $degreeID, $departmentID, $activationCode) - { - $db = Database::instance(); - $lastName = $db->escape($lastName); - $secondName = $db->escape($secondName); - $firstName = $db->escape($firstName); - $activationCode = $db->escape($activationCode); - $sql = "SELECT `CreateTeacher`($lastName, $firstName, $secondName, '$degreeID', '$departmentID', $activationCode) AS `UserID`;"; - $key = DB::query(Database::SELECT, $sql)->execute(); - return $key->get('UserID'); - } - - - public static function createTeacherByDepName($lastName, $firstName, $secondName, $departmentID, $facultyID, $activationCode) - { + $sql = "SELECT `SignIn`(:login, :pass) AS `ID`;"; + return DB::query(Database::SELECT, $sql) + ->param(':login', $login) + ->param(':pass', $password) + ->execute()->get('ID'); + } + + public static function changeTeacherInfo($id, $lastName, $firstName, $secondName, $degreeID, $departmentID) { + $sql = "SELECT `ChangeTeacherInfo`(:id, :last, :first, :second, :degree, :department) AS `UserID`;"; + return DB::query(Database::SELECT, $sql) + ->parameters([ + ':id' => $id, + 
':last' => $lastName, + ':first' => $firstName, + ':second' => $secondName, + ':degree' => $degreeID, + 'department' => $departmentID, + ])->execute()->get('UserID'); + } + + public static function createTeacher($lastName, $firstName, $secondName, $degreeID, $departmentID, $activationCode) { + $sql = "SELECT `CreateTeacher`() AS `UserID`;"; + return DB::query(Database::SELECT, $sql) + ->parameters([ + ':last' => $lastName, + ':first' => $firstName, + ':second' => $secondName, + ':degree' => $degreeID, + ':department' => $departmentID, + ':code' => $activationCode, + ])->execute()->get('UserID'); + } + + public static function createTeacherByDepName($lastName, $firstName, $secondName, $departmentID, $facultyID, $activationCode) { if ($departmentID == '') { return -1; } - $db = Database::instance(); - $lastName = $db->escape($lastName); - $secondName = $db->escape($secondName); - $firstName = $db->escape($firstName); - $activationCode = $db->escape($activationCode); - $departmentID = $db->escape($departmentID); - $sql = "SELECT `CreateTeacherByDepName`($lastName, $firstName, $secondName, $departmentID, '$facultyID', $activationCode) AS `UserID`;"; - $key = DB::query(Database::SELECT, $sql)->execute(); - return $key->get('UserID'); - } - - public static function createStudent($lastName, $firstName, $secondName, $grade, $groupNum, $facultyID, $activationCode) - { - $db = Database::instance(); - $lastName = $db->escape($lastName); - $secondName = $db->escape($secondName); - $firstName = $db->escape($firstName); - $activationCode = $db->escape($activationCode); - $sql = "SELECT `CreateStudent`($lastName, $firstName, $secondName, '$grade', '$groupNum', '$facultyID', $activationCode) AS `UserID`;"; - $key = DB::query(Database::SELECT, $sql)->execute(); - return $key->get('UserID'); - } - - public static function createStudentEx($lastName, $firstName, $secondName, $gradeNum, $groupNum, $degree, $specialization, $facultyID, $activationCode) - { - $db = Database::instance(); 
- $lastName = $db->escape($lastName); - $secondName = $db->escape($secondName); - $firstName = $db->escape($firstName); - $activationCode = $db->escape($activationCode); - $degree = $db->escape($degree); - $specialization = $db->escape($specialization); - $sql = "SELECT `CreateStudentEx`($lastName, $firstName, $secondName, '$gradeNum', '$groupNum', $degree, $specialization, '$facultyID', $activationCode) AS `UserID`;"; - $key = DB::query(Database::SELECT, $sql)->execute(); - return $key->get('UserID'); + $sql = "SELECT `CreateTeacherByDepName`(:last, :first, :second, :department, :faculty, :code) AS `UserID`;"; + return DB::query(Database::SELECT, $sql) + ->parameters([ + ':last' => $lastName, + ':first' => $firstName, + ':second' => $secondName, + ':department' => $departmentID, + ':faculty' => $facultyID, + ':code' => $activationCode, + ])->execute()->get('UserID'); + } + + public static function createStudent($lastName, $firstName, $secondName, $grade, $groupNum, $facultyID, $activationCode) { + $sql = "SELECT `CreateStudent`(:last, :first, :second, :grade, :group, :faculty, :code) AS `UserID`;"; + return DB::query(Database::SELECT, $sql) + ->parameters([ + ':last' => $lastName, + ':first' => $firstName, + ':second' => $secondName, + ':grade' => $grade, + ':group' => $groupNum, + ':faculty' => $facultyID, + ':code' => $activationCode, + ])->execute()->get('UserID'); + } + + public static function createStudentEx($lastName, $firstName, $secondName, $gradeNum, $groupNum, $degree, $specialization, $facultyID, $activationCode) { + $sql = "SELECT `CreateStudentEx`(:last, :first, :second, :grade, :group, :degree, :spec, :faculty, :code) AS `UserID`;"; + return DB::query(Database::SELECT, $sql) + ->parameters([ + ':last' => $lastName, + ':first' => $firstName, + ':second' => $secondName, + ':grade' => $gradeNum, + ':group' => $groupNum, + ':degree' => $degree, + ':spec' => $specialization, + ':faculty' => $facultyID, + ':code' => $activationCode, + 
])->execute()->get('UserID'); } public static function getPersonalInfo($id, $semesterID = null) { $semesterID = $semesterID ? $semesterID : User::instance()->SemesterID; - $sql = "CALL `GetPersonalInfo`('$id', $semesterID);"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query[0]; + $sql = "CALL `GetPersonalInfo`(:id, :semester);"; + return DB::query(Database::SELECT, $sql) + ->param(':semester', (int) $semesterID) + ->param(':id', (int) $id) + ->execute()[0]; } - public static function GetAccountInfo($id) - { - $sql = "CALL GetAccountInfo('$id');"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query[0]; + public static function getAccountInfo($id) { + return DB::query(Database::SELECT, "CALL GetAccountInfo(:id);") + ->param(':id', (int) $id)->execute()[0]; } /** * @param int $id - * @param string $data - * @param string $type 'email', 'login' or 'password' + * @param string $value + * @param string $type 'email', 'login' or 'password' + * @return int */ - public static function changeAccountData($accountID, $data, $type) - { - $data = Database::instance()->escape($data); - $type = Database::instance()->escape($type); - $sql = "SELECT `ChangeAccountData`('$accountID', $data, $type) AS Num;"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query->get('Num'); - } - - # TODO: deprecated (use changeAccountData instead) - public static function changeMail($id, $mail) - { - $mail = Database::instance()->escape($mail); - $sql = "SELECT `ChangeAccountData`('$id', $mail, 'email') AS Num;"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query->get('Num'); - } - - # TODO: deprecated (use changeAccountData instead) - public static function changeLogin($id, $login) - { - $login = Database::instance()->escape($login); - $sql = "SELECT `ChangeAccountData`('$id', $login, 'login') AS Num;"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query->get('Num'); - } - - # TODO: deprecated 
(use changeAccountData instead) - public static function changePassword($id, $password) - { - $password = Database::instance()->escape($password); - $sql = "SELECT `ChangeAccountData`('$id', $password, 'password') AS Num;"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query->get('Num'); + public static function changeAccountData($id, $value, $type) { + $sql = "SELECT `ChangeAccountData`(:account, :value, :type) AS Num;"; + return DB::query(Database::SELECT, $sql) + ->parameters([ + ':account' => $id, + ':value' => $value, + ':type' => $type, + ])->execute()->get('Num'); } - /** * @param string $data - * @param string $type 'login','email' or 'code' + * @param string $type 'login','email' or 'code' + * @return int */ public static function checkAccountExistence($data, $type) { - $data = Database::instance()->escape($data); - $type = Database::instance()->escape($type); - $sql = "SELECT `CheckAccountExistence`($data, $type) AS Num;"; - $res = DB::query(Database::SELECT, $sql)->execute(); - return $res->get('Num'); - } - - - # TODO: deprecated (use checkAccountExistence instead) - public static function getAccNumByLogin($login) - { - $login = Database::instance()->escape($login); - $sql = "SELECT `CheckAccountExistence`($login, 'login') AS Num;"; - $res = DB::query(Database::SELECT, $sql)->execute(); - return $res->get('Num'); + $sql = "SELECT `CheckAccountExistence`(:data, :type) AS Num;"; + return DB::query(Database::SELECT, $sql) + ->param(':data', $data) + ->param(':type', $type) + ->execute()->get('Num'); } - # TODO: deprecated (use checkAccountExistence instead) - public static function getAccNumByMail($email) - { - $email = Database::instance()->escape($email); - $sql = "SELECT `CheckAccountExistence`($email, 'email') AS Num;"; - $res = DB::query(Database::SELECT, $sql)->execute(); - return $res->get('Num'); + public static function isActivationCodeValid($code) { + $sql = "SELECT `CheckAccountExistence`(:acode, 'code') AS Num;"; + $res = 
DB::query(Database::SELECT, $sql) + ->param(':acode', $code) + ->execute()->get('Num'); + return $res == 1; } - public static function isActivationCodeValid($code) - { - $code = Database::instance()->escape($code); - $sql = "SELECT `CheckAccountExistence`($code, 'code') AS Num;"; - $res = DB::query(Database::SELECT, $sql)->execute(); - - $count = $res->get('Num'); - return $count == 1; - } - - public static function createRecoveryToken($email, $token) - { - $db = Database::instance(); - $email = $db->escape($email); - $token = $db->escape($token); - $sql = "SELECT `CreateRecoveryToken`($email, $token) AS UserName;"; - $res = DB::query(Database::SELECT, $sql)->execute(); - return $res->get('UserName'); + public static function createRecoveryToken($email, $token) { + $sql = "SELECT `CreateRecoveryToken`(:email, :token) AS UserName;"; + return DB::query(Database::SELECT, $sql) + ->param(':email', $email) + ->param(':token', $token) + ->execute()->get('UserName'); } - public static function getRecoveryInfoByEMail($email) - { - $email = Database::instance()->escape($email); - $sql = "CALL GetRecoveryInfoByEMail($email);"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query; + public static function getRecoveryInfoByEMail($email) { + $sql = "CALL GetRecoveryInfoByEMail(:email);"; + return DB::query(Database::SELECT, $sql) + ->param(':email', $email) + ->execute(); } - public static function getRecoveryInfoByToken($token) - { - $token = Database::instance()->escape($token); - $sql = "CALL GetRecoveryInfoByToken($token);"; - $query = DB::query(Database::SELECT, $sql)->execute(); - return $query; + public static function getRecoveryInfoByToken($token) { + $sql = "CALL GetRecoveryInfoByToken(:token);"; + return DB::query(Database::SELECT, $sql) + ->param(':token', $token)->execute(); } - public static function useRecoveryToken($token) - { - $token = Database::instance()->escape($token); - $sql = "SELECT `UseRecoveryToken`($token) AS Num;"; - $email = 
DB::query(Database::SELECT, $sql)->execute(); - return $email->get('Num'); + public static function useRecoveryToken($token) { + $sql = "SELECT `UseRecoveryToken`(:token) AS Num;"; + return DB::query(Database::SELECT, $sql) + ->param(':token', $token) + ->execute()->get('Num'); } - public static function activateAccount($login, $password, $email, $code) - { - $db = Database::instance(); - $login = $db->escape($login); - $password = $db->escape($password); - $email = $db->escape($email); - $code = $db->escape($code); - $sql = "SELECT `ActivateAccount` ($code, $login, $email, $password) AS `Num`; "; - $res = DB::query(Database::SELECT, $sql)->execute(); - return $res->get('Num'); + public static function activateAccount($login, $password, $email, $code) { + $sql = "SELECT `ActivateAccount`(:code, :login, :email, :pass) AS `Num`;"; + return DB::query(Database::SELECT, $sql) + ->parameters([ + ':code' => $code, + ':login' => $login, + ':email' => $email, + ':pass' => $password, + ])->execute()->get('Num'); } public static function getCurSemesterID() { $sql = "CALL `GetSettings`('SemesterID');"; - $res = DB::query(Database::SELECT, $sql)->execute(); - $id = null; - return $res->get('Val'); + return DB::query(Database::SELECT, $sql) + ->execute()->get('Val'); } - } \ No newline at end of file diff --git a/~dev_rating/application/classes/User.php b/~dev_rating/application/classes/User.php index c28b613fa..dc87bac8f 100644 --- a/~dev_rating/application/classes/User.php +++ b/~dev_rating/application/classes/User.php @@ -244,7 +244,7 @@ class User implements ArrayAccess public function changeProfile($data) { if ($this->Type == 'teacher') { - Model_Account::ChangeTeacherInfo($this['TeacherID'], $data['lastName'], $data['firstName'], $data['secondName'], $data['jobPositionID'], $data['departmentID']); + Model_Account::changeTeacherInfo($this['TeacherID'], $data['lastName'], $data['firstName'], $data['secondName'], $data['jobPositionID'], $data['departmentID']); } } -- GitLab
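Review bot: Two of the new parameter maps never reach the SQL they are meant to fill. In changeTeacherInfo the last entry is written `'department' => $departmentID` without the leading colon, so the `:department` placeholder in the query is never substituted and the raw placeholder text is sent to the server; it should read `':department' => $departmentID,`. In createTeacher the query was rewritten with an empty argument list, `` `CreateTeacher`() ``, so all six values passed to `parameters([...])` are silently discarded; the call needs its placeholders restored as `(:last, :first, :second, :degree, :department, :code)` to match the keys below it. A minor style point in the same hunk: isActivationCodeValid still compares with `$res == 1`, where `(int) $res === 1` would make the intent explicit, as the casts added in getPersonalInfo and getAccountInfo already do for ids. The User.php hunk only renames the changeTeacherInfo call and needs no change beyond the colon fix above.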