make the sql query form consistent in usage by cleaning up
instances where db_query's result was not inspected before
attempting to fetch row data from the handle
---
web/html/addvote.php | 16 +++++-
web/html/tu.php | 17 +++++-
web/lib/acctfuncs.inc | 59 +++++++++++--------
web/lib/aur.inc | 8 ++-
web/lib/pkgfuncs.inc | 116 +++++++++++++++++++++----------------
web/template/actions_form.php | 52 ++++++++++--------
web/template/pkg_search_form.php | 2 +-
web/template/tu_list.php | 8 ++-
8 files changed, 172 insertions(+), 106 deletions(-)
diff --git a/web/html/addvote.php b/web/html/addvote.php
index 5936d56..a459610 100644
--- a/web/html/addvote.php
+++ b/web/html/addvote.php
@@ -21,14 +21,26 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
if (!empty($_POST['user'])) {
$qcheck = "SELECT * FROM Users WHERE Username = '" .
mysql_real_escape_string($_POST['user']) . "'";
- $check = mysql_num_rows(db_query($qcheck, $dbh));
+ $result = db_query($qcheck, $dbh);
+ if ($result) {
+ $check = mysql_num_rows($result);
+ }
+ else {
+ $check = 0;
+ }
if ($check == 0) {
$error.= __("Username does not exist.");
} else {
$qcheck = "SELECT * FROM TU_VoteInfo WHERE User
= '" . mysql_real_escape_string($_POST['user']) . "'";
$qcheck.= " AND End > UNIX_TIMESTAMP()";
- $check = mysql_num_rows(db_query($qcheck,
$dbh));
+ $result = db_query($qcheck, $dbh);
+ if ($result) {
+ $check = mysql_num_rows($result);
+ }
+ else {
+ $check = 0;
+ }
if ($check != 0) {
$error.= __("%s already has proposal
running for them.", htmlentities($_POST['user']));
diff --git a/web/html/tu.php b/web/html/tu.php
index c5cc36b..6ab8ae9 100644
--- a/web/html/tu.php
+++ b/web/html/tu.php
@@ -36,7 +36,13 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
$qvoted = "SELECT * FROM TU_Votes WHERE ";
$qvoted.= "VoteID = " . $row['ID'] . " AND ";
$qvoted.= "UserID = " .
uid_from_sid($_COOKIE["AURSID"]);
- $hasvoted = mysql_num_rows(db_query($qvoted,
$dbh));
+ $result = db_query($qvoted, $dbh);
+ if ($result) {
+ $hasvoted = mysql_num_rows($result);
+ }
+ else {
+ $hasvoted = 0;
+ }
# List voters of a proposal.
$qwhoVoted = "SELECT tv.UserID,U.Username
@@ -85,10 +91,15 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
$canvote = 0;
$errorvote = __("You've already
voted for this proposal.");
# Update if they voted
- $hasvoted =
mysql_num_rows(db_query($qvoted, $dbh));
+ $result = db_query($qvoted,
$dbh);
+ if ($result) {
+ $hasvoted =
mysql_num_rows($result);
+ }
$results = db_query($q, $dbh);
- $row =
mysql_fetch_assoc($results);
+ if ($results) {
+ $row =
mysql_fetch_assoc($results);
+ }
}
}
include("tu_details.php");
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
index 8ffa2f7..5bcff8b 100644
--- a/web/lib/acctfuncs.inc
+++ b/web/lib/acctfuncs.inc
@@ -197,7 +197,7 @@ function
process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
}
if (!$error && !valid_username($U) && !user_is_privileged($editor_user))
- $error = __("The username is invalid.") . "<ul>\n"
+ $error = __("The username is invalid.") . "<ul>\n"
."<li>" . __("It must be between %s and %s characters
long",
USERNAME_MIN_LEN, USERNAME_MAX_LEN )
. "</li>"
@@ -718,11 +718,11 @@ function valid_user( $user )
$q = "SELECT ID FROM Users WHERE Username = '"
. mysql_real_escape_string($user). "'";
- $result = mysql_fetch_row(db_query($q, $dbh));
-
+ $result = db_query($q, $dbh);
# Is the username in the database?
- if ($result[0]) {
- return $result[0];
+ if ($result) {
+ $row = mysql_fetch_row($result);
+ return $row[0];
}
}
return;
@@ -751,25 +751,30 @@ function valid_passwd( $userID, $passwd )
$passwd_q = "SELECT ID FROM Users" .
" WHERE ID = " . $userID . " AND Passwd = '" .
salted_hash($passwd, $salt) . "'";
- $passwd_result = mysql_fetch_row(db_query($passwd_q,
$dbh));
- if ($passwd_result[0]) {
- return true;
+ $result = db_query($passwd_q, $dbh);
+ if ($result) {
+ $passwd_result = mysql_fetch_row($result);
+ if ($passwd_result[0]) {
+ return true;
+ }
}
} else {
# check without salt
$nosalt_q = "SELECT ID FROM Users".
" WHERE ID = " . $userID .
" AND Passwd = '" . md5($passwd) . "'";
- $nosalt_result = mysql_fetch_row(db_query($nosalt_q,
$dbh));
- if ($nosalt_result[0]) {
- # password correct, but salt it first
- if (!save_salt($userID, $passwd)) {
- trigger_error("Unable to salt user's
password;" .
- " ID " . $userID,
E_USER_WARNING);
- return false;
+ $result = db_query($nosalt_q, $dbh);
+ if ($result) {
+ $nosalt_row = mysql_fetch_row($result);
+ if ($nosalt_row[0]) {
+ # password correct, but salt it first
+ if (!save_salt($userID, $passwd)) {
+ trigger_error("Unable to salt
user's password;" .
+ " ID " . $userID,
E_USER_WARNING);
+ return false;
+ }
+ return true;
}
-
- return true;
}
}
}
@@ -783,9 +788,12 @@ function user_suspended( $id )
{
$dbh = db_connect();
$q = "SELECT Suspended FROM Users WHERE ID = " . $id;
- $result = mysql_fetch_row(db_query($q, $dbh));
- if ($result[0] == 1 ) {
- return true;
+ $result = db_query($q, $dbh);
+ if ($result) {
+ $row = mysql_fetch_row($result);
+ if ($result[0] == 1 ) {
+ return true;
+ }
}
return false;
}
@@ -797,7 +805,7 @@ function user_delete( $id )
{
$dbh = db_connect();
$q = "DELETE FROM Users WHERE ID = " . $id;
- $result = mysql_fetch_row(db_query($q, $dbh));
+ db_query($q, $dbh);
return;
}
@@ -809,9 +817,12 @@ function user_is_privileged( $id )
{
$dbh = db_connect();
$q = "SELECT AccountTypeID FROM Users WHERE ID = " . $id;
- $result = mysql_fetch_row(db_query($q, $dbh));
- if( $result[0] > 1) {
- return $result[0];
+ $result = db_query($q, $dbh);
+ if ($result) {
+ $row = mysql_fetch_row($result);
+ if( $result[0] > 1) {
+ return $result[0];
+ }
}
return 0;
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index 5eed8e7..fb267af 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -491,8 +491,12 @@ function get_salt($user_id)
{
$dbh = db_connect();
$salt_q = "SELECT Salt FROM Users WHERE ID = " . $user_id;
- $salt_result = mysql_fetch_row(db_query($salt_q, $dbh));
- return $salt_result[0];
+ $result = db_query($salt_q, $dbh);
+ if ($result) {
+ $salt_row = mysql_fetch_row($result);
+ return $salt_row[0];
+ }
+ return;
}
function save_salt($user_id, $passwd)
diff --git a/web/lib/pkgfuncs.inc b/web/lib/pkgfuncs.inc
index c32037e..f04ebff 100644
--- a/web/lib/pkgfuncs.inc
+++ b/web/lib/pkgfuncs.inc
@@ -316,45 +316,44 @@ function package_details($id=0, $SID="") {
* outputs the body of search/search results page
*
* parameters:
- * SID - current Session ID
+ * SID - current Session ID
* preconditions:
- * package search page has been accessed
- * request variables have not been sanitized
+ * package search page has been accessed
+ * request variables have not been sanitized
*
- * request vars:
- * O - starting result number
- * PP - number of search hits per page
- * C - package category ID number
- * K - package search string
- * SO - search hit sort order:
- * values: a - ascending
- * d - descending
- * SB - sort search hits by:
- * values: c - package category
- * n - package name
- * v - number of votes
- * m - maintainer username
- * SeB- property that search string (K) represents
- * values: n - package name
- * nd - package name & description
- * x - package name (exact match)
- * m - package maintainer's username
- * s - package submitter's username
- * do_Orphans - boolean. whether to search packages
- * without a maintainer
+ * request vars:
+ * O - starting result number
+ * PP - number of search hits per page
+ * C - package category ID number
+ * K - package search string
+ * SO - search hit sort order:
+ * values: a - ascending
+ * d - descending
+ * SB - sort search hits by:
+ * values: c - package category
+ * n - package name
+ * v - number of votes
+ * m - maintainer username
+ * SeB- property that search string (K) represents
+ * values: n - package name
+ * nd - package name & description
+ * x - package name (exact match)
+ * m - package maintainer's username
+ * do_Orphans - boolean. whether to search packages
+ * without a maintainer
*
*
- * These two are actually handled in packages.php.
+ * These two are actually handled in packages.php.
*
- * IDs- integer array of ticked packages' IDs
- * action - action to be taken on ticked packages
- * values: do_Flag - Flag out-of-date
- * do_UnFlag - Remove out-of-date flag
- * do_Adopt - Adopt
- * do_Disown - Disown
- * do_Delete - Delete (requires confirm_Delete to be set)
- * do_Notify - Enable notification
- * do_UnNotify - Disable notification
+ * IDs- integer array of ticked packages' IDs
+ * action - action to be taken on ticked packages
+ * values: do_Flag - Flag out-of-date
+ * do_UnFlag - Remove out-of-date flag
+ * do_Adopt - Adopt
+ * do_Disown - Disown
+ * do_Delete - Delete (requires confirm_Delete to be set)
+ * do_Notify - Enable notification
+ * do_UnNotify - Disable notification
*/
function pkg_search_page($SID="") {
// establish a db connection
@@ -391,15 +390,15 @@ function pkg_search_page($SID="") {
}
// FIXME: pull out DB-related code. all of it.
- // this one's worth a choco-chip cookie,
- // one of those nice big soft ones
+ // this one's worth a choco-chip cookie,
+ // one of those nice big soft ones
// build the package search query
//
$q_select = "SELECT ";
if ($SID) {
$q_select .= "CommentNotify.UserID AS Notify,
- PackageVotes.UsersID AS Voted, ";
+ PackageVotes.UsersID AS Voted, ";
}
$q_select .= "Users.Username AS Maintainer,
PackageCategories.Category,
@@ -422,7 +421,7 @@ function pkg_search_page($SID="") {
$q_where = "WHERE 1 = 1 ";
// TODO: possibly do string matching on category
- // to make request variable values more sensible
+ // to make request variable values more sensible
if (isset($_GET["C"]) && intval($_GET["C"])) {
$q_where .= "AND Packages.CategoryID = ".intval($_GET["C"])." ";
}
@@ -499,7 +498,13 @@ function pkg_search_page($SID="") {
$q_total = "SELECT COUNT(*) " . $q_from . $q_where;
$result = db_query($q, $dbh);
- $total = mysql_result(db_query($q_total, $dbh), 0);
+ $result_t = db_query($q_total, $dbh);
+ if ($result_t) {
+ $total = mysql_result($result_t, 0);
+ }
+ else {
+ $total = 0;
+ }
if ($result && $total > 0) {
if (isset($_GET["SO"]) && $_GET["SO"] == "d"){
@@ -851,7 +856,13 @@ function pkg_notify ($atype, $ids, $action = True) {
# format in which it's sent requires this.
foreach ($ids as $pid) {
$q = "SELECT Name FROM Packages WHERE ID = $pid";
- $pkgname = mysql_result(db_query($q, $dbh), 0);
+ $result = db_query($q, $dbh);
+ if ($result) {
+ $pkgname = mysql_result($result , 0);
+ }
+ else {
+ $pkgname = '';
+ }
if ($first)
$first = False;
@@ -864,7 +875,8 @@ function pkg_notify ($atype, $ids, $action = True) {
$q .= " AND PkgID = $pid";
# Notification already added. Don't add again.
- if (!mysql_num_rows(db_query($q, $dbh))) {
+ $result = db_query($q, $dbh);
+ if (!mysql_num_rows($result)) {
$q = "INSERT INTO CommentNotify (PkgID, UserID)
VALUES ($pid, $uid)";
db_query($q, $dbh);
}
@@ -913,14 +925,14 @@ function pkg_delete_comment($atype) {
$uid = uid_from_sid($_COOKIE["AURSID"]);
if (canDeleteComment($comment_id, $atype, $uid)) {
- $dbh = db_connect();
- $q = "UPDATE PackageComments ";
- $q.= "SET DelUsersID = ".$uid." ";
- $q.= "WHERE ID = ".intval($comment_id);
- db_query($q, $dbh);
- return __("Comment has been deleted.");
+ $dbh = db_connect();
+ $q = "UPDATE PackageComments ";
+ $q.= "SET DelUsersID = ".$uid." ";
+ $q.= "WHERE ID = ".intval($comment_id);
+ db_query($q, $dbh);
+ return __("Comment has been deleted.");
} else {
- return __("You are not allowed to delete this comment.");
+ return __("You are not allowed to delete this comment.");
}
}
@@ -959,8 +971,12 @@ function pkg_change_category($atype) {
$q.= "FROM Packages ";
$q.= "WHERE Packages.ID = ".$pid;
$result = db_query($q, $dbh);
- echo mysql_error();
- $pkg = mysql_fetch_assoc($result);
+ if ($result) {
+ $pkg = mysql_fetch_assoc($result);
+ }
+ else {
+ return __("You are not allowed to change this package
category.");
+ }
$uid = uid_from_sid($_COOKIE["AURSID"]);
if ($uid == $pkg["MaintainerUID"] or
diff --git a/web/template/actions_form.php b/web/template/actions_form.php
index 45bc09b..058002f 100644
--- a/web/template/actions_form.php
+++ b/web/template/actions_form.php
@@ -8,39 +8,45 @@
#
$q = "SELECT * FROM PackageVotes WHERE UsersID = ". $uid;
$q.= " AND PackageID = ".$row["ID"];
- if (!mysql_num_rows(db_query($q, $dbh))) {
- echo " <input type='submit' class='button'
name='do_Vote'";
- echo " value='".__("Vote")."' /> ";
- } else {
- echo "<input type='submit' class='button'
name='do_UnVote'";
- echo " value='".__("UnVote")."' /> ";
+ $result = db_query($q, $dbh);
+ if ($result) {
+ if (!mysql_num_rows($result)) {
+ echo " <input type='submit' class='button'
name='do_Vote'";
+ echo " value='".__("Vote")."' /> ";
+ } else {
+ echo "<input type='submit' class='button'
name='do_UnVote'";
+ echo " value='".__("UnVote")."' /> ";
+ }
}
# Comment Notify Button
#
$q = "SELECT * FROM CommentNotify WHERE UserID = ". $uid;
$q.= " AND PkgID = ".$row["ID"];
- if (!mysql_num_rows(db_query($q, $dbh))) {
- echo "<input type='submit' class='button'
name='do_Notify'";
- echo " value='".__("Notify")."' title='".__("New
Comment Notification")."' /> ";
- } else {
- echo "<input type='submit' class='button'
name='do_UnNotify'";
- echo " value='".__("UnNotify")."' title='".__("No New
Comment Notification")."' /> ";
+ $result = db_query($q, $dbh);
+ if ($result) {
+ if (!mysql_num_rows($result)) {
+ echo "<input type='submit' class='button'
name='do_Notify'";
+ echo " value='".__("Notify")."'
title='".__("New Comment Notification")."' /> ";
+ } else {
+ echo "<input type='submit' class='button'
name='do_UnNotify'";
+ echo " value='".__("UnNotify")."'
title='".__("No New Comment Notification")."' /> ";
+ }
}
-if ($row["OutOfDateTS"] === NULL) {
- echo "<input type='submit' class='button' name='do_Flag'";
- echo " value='".__("Flag Out-of-date")."' />\n";
-} else {
- echo "<input type='submit' class='button' name='do_UnFlag'";
- echo " value='".__("UnFlag Out-of-date")."' />\n";
+ if ($row["OutOfDateTS"] === NULL) {
+ echo "<input type='submit' class='button'
name='do_Flag'";
+ echo " value='".__("Flag Out-of-date")."' />\n";
+ } else {
+ echo "<input type='submit' class='button'
name='do_UnFlag'";
+ echo " value='".__("UnFlag Out-of-date")."' />\n";
}
-if ($row["MaintainerUID"] === NULL) {
- echo "<input type='submit' class='button' name='do_Adopt'";
- echo " value='".__("Adopt Packages")."' />\n";
-} else if ($uid == $row["MaintainerUID"] ||
- $atype == "Trusted User" || $atype == "Developer") {
+ if ($row["MaintainerUID"] === NULL) {
+ echo "<input type='submit' class='button'
name='do_Adopt'";
+ echo " value='".__("Adopt Packages")."' />\n";
+ } else if ($uid == $row["MaintainerUID"] ||
+ $atype == "Trusted User" || $atype == "Developer") {
echo "<input type='submit' class='button'
name='do_Disown'";
echo " value='".__("Disown Packages")."' />\n";
}
diff --git a/web/template/pkg_search_form.php b/web/template/pkg_search_form.php
index 281cdc3..e25bdfd 100644
--- a/web/template/pkg_search_form.php
+++ b/web/template/pkg_search_form.php
@@ -38,7 +38,7 @@
<label><?php print __("Search by");
?></label>
<select name='SeB'>
<?php
- $searchby = array('nd'
=> __('Name, Description'), 'n' => __('Name Only'), 'x' => __('Exact name'),
'm' => __('Maintainer'), 's' => __('Submitter'));
+ $searchby = array('nd'
=> __('Name, Description'), 'n' => __('Name Only'), 'x' => __('Exact name'),
'm' => __('Maintainer'));
foreach ($searchby as
$k => $v):
if
(isset($_REQUEST['SeB']) && $_REQUEST['SeB'] == $k):
?>
diff --git a/web/template/tu_list.php b/web/template/tu_list.php
index 3a927d9..75d9414 100644
--- a/web/template/tu_list.php
+++ b/web/template/tu_list.php
@@ -40,7 +40,13 @@
<td class='<?php print $c ?>'>
<?php
$q = "SELECT * FROM TU_Votes
WHERE VoteID = " . $row['ID'] . " AND UserID = " .
uid_from_sid($_COOKIE["AURSID"]);
- $hasvoted =
mysql_num_rows(db_query($q, $dbh));
+ $result_tulist = db_query($q,
$dbh);
+ if ($result_tulist) {
+ $hasvoted =
mysql_num_rows($result_tulist);
+ }
+ else {
+ $hasvoted = 0;
+ }
?>
<span class='f5'><span
class='blue'>
<?php if ($hasvoted == 0) { ?>
--
1.7.2.5
