From 5116d22ed84db0f15a7f583bcbe243ee2cd606e1 Mon Sep 17 00:00:00 2001 From: Arun Persaud Date: Mon, 25 Feb 2013 22:04:21 -0800 Subject: mysql optimization: don't quote integers as strings in WHERE --- include/cancelgame.php | 2 +- include/db.php | 41 +++++++++++++++--------------- include/functions.php | 32 ++++++++++++------------ include/game.php | 64 +++++++++++++++++++++++------------------------ include/openid.php | 9 ++++--- include/preferences.php | 66 ++++++++++++++++++++++++------------------------- include/user.php | 2 +- rss.php | 4 +-- 8 files changed, 111 insertions(+), 109 deletions(-) diff --git a/include/cancelgame.php b/include/cancelgame.php index d9b69b3..02b5a06 100644 --- a/include/cancelgame.php +++ b/include/cancelgame.php @@ -49,7 +49,7 @@ $gameid = DB_get_gameid_by_hash($me); $myname = DB_get_name('hash',$me); /* check if game really is old enough to be canceled */ -$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " ); +$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid) ); if(time()-strtotime($r[0]) > 60*60*24*30) /* = 1 month */ { /* email to all players */ diff --git a/include/db.php b/include/db.php index 493b93d..f9eb07a 100644 --- a/include/db.php +++ b/include/db.php @@ -802,7 +802,7 @@ function DB_get_PREF($myid) /* get all preferences */ $r = DB_query('SELECT pref_key, value FROM User_Prefs'. - " WHERE user_id='$myid' " ); + " WHERE user_id=".DB_quote_smart($myid) ); while($pref = DB_fetch_array($r) ) { switch($pref[0]) @@ -864,7 +864,7 @@ function DB_get_RULES($gameid) { $r = DB_query_array("SELECT * FROM Rulesets". " LEFT JOIN Game ON Game.ruleset=Rulesets.id ". - " WHERE Game.id='$gameid'" ); + " WHERE Game.id=".DB_quote_smart($gameid) ); $RULES['dullen'] = $r[2]; $RULES['schweinchen'] = $r[3]; 
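Review bot: In the cancelgame.php hunk, and at every other `id`/`user_id`/`game_id` site this patch touches, the value now reaches the SQL text unquoted whenever DB_quote_smart() judges it numeric, so the injection boundary rests entirely on that helper's numeric test, which is not shown here. If the test is `is_numeric()`-style, forms other than plain decimal integers (exponent notation, for instance) would presumably also be emitted bare. For integer key columns an explicit cast states the intent and stays index-friendly: `$r = DB_query_array("SELECT mod_date from Game WHERE id=".(int)$gameid);`. It is worth confirming the helper's behaviour in db.php before relying on this pattern across all eight files.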
@@ -878,7 +878,7 @@ function DB_get_email_pref_by_hash($hash) { $r = DB_query_array("SELECT value FROM Hand". " LEFT JOIN User_Prefs ON Hand.user_id=User_Prefs.user_id". - " WHERE hash='$hash' AND pref_key='email'" ); + " WHERE hash=".DB_quote_smart($hash)." AND pref_key='email'" ); if($r) { if($r[0]=="emailaddict") @@ -893,7 +893,7 @@ function DB_get_email_pref_by_hash($hash) function DB_get_email_pref_by_uid($uid) { $r = DB_query_array("SELECT value FROM User_Prefs ". - " WHERE user_id='$uid' AND pref_key='email'" ); + " WHERE user_id=".DB_quote_smart($uid)." AND pref_key='email'" ); if($r) { if($r[0]=="emailaddict") @@ -928,7 +928,7 @@ function DB_get_unused_randomnumbers($userstr) function DB_get_number_of_passwords_recovery($user) { $r = DB_query_array("SELECT COUNT(*) FROM Recovery ". - " WHERE user_id=$user ". + " WHERE user_id=".DB_quote_smart($user). " AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= create_date". " GROUP BY user_id " ); if($r) @@ -955,7 +955,7 @@ function DB_get_card_name($card) if($card==0) return 'backside'; - $r = DB_query_array("SELECT strength,suite FROM Card WHERE id='$card'"); + $r = DB_query_array("SELECT strength,suite FROM Card WHERE id=".DB_quote_smart($card)); if($r) return $r[0]." of ".$r[1]; @@ -970,7 +970,7 @@ function DB_get_current_playid($gameid) if(!$trick) return -1; - $r = DB_query_array("SELECT id FROM Play WHERE trick_id='$trick' ORDER BY create_date DESC LIMIT 1"); + $r = DB_query_array("SELECT id FROM Play WHERE trick_id=".DB_quote_smart($trick)." ORDER BY create_date DESC LIMIT 1"); if($r) return $r[0]; @@ -980,7 +980,7 @@ function DB_get_current_playid($gameid) function DB_get_call_by_hash($hash) { - $r = DB_query_array("SELECT point_call FROM Hand WHERE hash='$hash'"); + $r = DB_query_array("SELECT point_call FROM Hand WHERE hash=".DB_quote_smart($hash)); if($r) return $r[0]; 
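Review bot: `hash` was compared as a quoted string in DB_get_email_pref_by_hash() and DB_get_call_by_hash(), and routing it through DB_quote_smart() means a digits-only value would presumably be emitted as a bare number. MySQL then compares the column numerically, converting each stored hash to a number first, which both bypasses the index and matches more loosely than string equality; that is undesirable for what looks like a per-player access token. Keep string columns unconditionally quoted and escaped, e.g. `" WHERE hash='".ESCAPE_FN($hash)."' AND pref_key='email'"`, where ESCAPE_FN is a placeholder for the project's string-escaping call. The same applies to the `hash` comparisons in DB_get_partner_call_by_hash(), DB_get_partner_hash_by_hash() and the `$skiphash` branch of display_user_menu().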
@@ -994,7 +994,7 @@ function DB_get_partner_call_by_hash($hash) if($partner) { - $r = DB_query_array("SELECT point_call FROM Hand WHERE hash='$partner'"); + $r = DB_query_array("SELECT point_call FROM Hand WHERE hash=".DB_quote_smart($partner)); if($r) return $r[0]; @@ -1008,7 +1008,8 @@ function DB_get_partner_hash_by_hash($hash) $gameid = DB_get_gameid_by_hash($hash); $party = DB_get_party_by_hash($hash); - $r = DB_query_array("SELECT hash FROM Hand WHERE game_id='$gameid' AND party='$party' AND hash<>'$hash'"); + $r = DB_query_array("SELECT hash FROM Hand WHERE game_id=".DB_quote_smart($gameid). + " AND party=".DB_quote_smart($party)." AND hash<>".DB_quote_smart($hash)); if($r) return $r[0]; @@ -1019,22 +1020,22 @@ function DB_get_partner_hash_by_hash($hash) function DB_format_gameid($gameid) { /* get session and create date */ - $r = DB_query_array("SELECT session, create_date FROM Game WHERE id='$gameid' "); + $r = DB_query_array("SELECT session, create_date FROM Game WHERE id=".DB_quote_smart($gameid)); $session = $r[0]; $date = $r[1]; /* get number of game */ $r = DB_query_array("SELECT SUM(TIME_TO_SEC(TIMEDIFF(create_date, '$date'))<=0) ". " FROM Game". - " WHERE session='$session' "); + " WHERE session=".DB_quote_smart($session)); return $session.'.'.$r[0]; } function DB_get_reminder($user,$gameid) { $r = DB_query_array("SELECT COUNT(*) FROM Reminder ". - " WHERE user_id=$user ". - " AND game_id=$gameid ". + " WHERE user_id=".DB_quote_smart($user). + " AND game_id=".DB_quote_smart($gameid). " AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= create_date". " GROUP BY user_id " ); if($r) 
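Review bot: In DB_format_gameid() the second query still interpolates `'$date'` raw inside `TIMEDIFF(create_date, '$date')`, while `$session` two lines later now goes through DB_quote_smart(), so one statement mixes two quoting styles. `$date` comes from the preceding SELECT rather than directly from the request, but using the helper there too keeps the query auditable: `"SELECT SUM(TIME_TO_SEC(TIMEDIFF(create_date, ".DB_quote_smart($date)."))<=0) ".`. `$r[0]` and `$r[1]` are also read without checking that the first query returned a row, so an unknown `$gameid` yields an empty `$session` being fed into the second query.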
@@ -1073,11 +1074,11 @@ function DB_get_gameids_of_finished_games_by_session($session) " GROUP BY Game.id"); else /* return games in a session */ $queryresult = DB_query_array_all("SELECT Game.id,SUM(IF(STRCMP(Score.party,'re'),-1,1)),Game.type FROM Game ". - " LEFT JOIN Score on game_id=Game.id". - " WHERE session=$session ". - " AND status='gameover' ". - " GROUP BY Game.id". - " ORDER BY Game.create_date ASC"); + " LEFT JOIN Score on game_id=Game.id". + " WHERE session=".DB_quote_smart($session). + " AND status='gameover' ". + " GROUP BY Game.id". + " ORDER BY Game.create_date ASC"); return $queryresult; } @@ -1085,7 +1086,7 @@ function DB_get_gameids_of_finished_games_by_session($session) function DB_get_card_value_by_cardid($id) { $r = DB_query_array("SELECT points FROM Card ". - " WHERE id=$id "); + " WHERE id=".DB_quote_smart($id)); if($r) return $r[0]; diff --git a/include/functions.php b/include/functions.php index 191823d..3142b02 100644 --- a/include/functions.php +++ b/include/functions.php @@ -998,10 +998,10 @@ function display_table_begin () " Hand.hash, ". " User.timezone, ". " User.email ". - "FROM Hand ". - "LEFT JOIN User ON User.id=Hand.user_id ". - "WHERE Hand.game_id='".$gameid."' ". - "ORDER BY position ASC"); + " FROM Hand". + " LEFT JOIN User ON User.id=Hand.user_id". + " WHERE Hand.game_id=".DB_quote_smart($gameid). + " ORDER BY position ASC"); $row0 = DB_fetch_array($result); $row1 = DB_fetch_array($result); @@ -1032,10 +1032,10 @@ function display_table_end () " Hand.hash, ". " User.timezone, ". " User.email ". - "FROM Hand ". - "LEFT JOIN User ON User.id=Hand.user_id ". - "WHERE Hand.game_id='".$gameid."' ". - "ORDER BY position ASC"); + " FROM Hand". + " LEFT JOIN User ON User.id=Hand.user_id". + " WHERE Hand.game_id=".DB_quote_smart($gameid). + " ORDER BY position ASC"); $row0 = DB_fetch_array($result); $row1 = DB_fetch_array($result); 
@@ -1231,16 +1231,16 @@ function display_user_menu($id, $skiphash=NULL) if($skiphash) $result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand". " LEFT JOIN Game On Hand.game_id=Game.id". - " WHERE Hand.user_id='$id'". - " AND Hand.hash!='$skiphash'". + " WHERE Hand.user_id=".DB_quote_smart($id). + " AND Hand.hash!=".DB_quote_smart($skiphash). " AND ( Game.player='$id' OR ISNULL(Game.player) )". " AND ( Game.status='pre' OR Game.status='play' )". " ORDER BY Game.session" ); else $result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand". " LEFT JOIN Game On Hand.game_id=Game.id". - " WHERE Hand.user_id='$id'". - " AND ( Game.player='$id' OR ISNULL(Game.player) )". + " WHERE Hand.user_id=".DB_quote_smart($id). + " AND ( Game.player=".DB_quote_smart($id)." OR ISNULL(Game.player) )". " AND ( Game.status='pre' OR Game.status='play' )". " ORDER BY Game.session" ); @@ -1294,7 +1294,7 @@ function generate_score_table($session) /* get player id from the first game */ $result = DB_query("SELECT user_id from Hand". - " WHERE Hand.game_id=".$gameids[0][0]); + " WHERE Hand.game_id=".DB_quote_smart($gameids[0][0])); while( $r = DB_fetch_array($result)) $player[$r[0]] = 0; @@ -1578,7 +1578,7 @@ function check_vacation($userid) { /* get start date */ $result = DB_query_array("SELECT value FROM User_Prefs". - " WHERE user_id='$userid' AND pref_key='vacation start'" ); + " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation start'" ); if($result) $start = $result[0]; else @@ -1586,7 +1586,7 @@ function check_vacation($userid) /* get end date */ $result = DB_query_array("SELECT value FROM User_Prefs". - " WHERE user_id='$userid' AND pref_key='vacation stop'" ); + " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation stop'" ); if($result) $stop = $result[0]; else 
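Review bot: The `$skiphash` branch of display_user_menu() still has `" AND ( Game.player='$id' OR ISNULL(Game.player) )".` as an untouched context line, while the else branch and the identical query in rss.php are converted. Apply the same change there so both branches build the predicate the same way: `" AND ( Game.player=".DB_quote_smart($id)." OR ISNULL(Game.player) )".`. Leaving one raw interpolation of `$id` behind makes it easy to miss when auditing this function for injection. The function body continues beyond this hunk.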
@@ -1594,7 +1594,7 @@ function check_vacation($userid) /* get comment */ $result = DB_query_array("SELECT value FROM User_Prefs". - " WHERE user_id='$userid' AND pref_key='vacation comment'" ); + " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation comment'" ); if($result) $comment = $result[0]; else diff --git a/include/game.php b/include/game.php index b339c03..0ca2454 100644 --- a/include/game.php +++ b/include/game.php @@ -184,7 +184,7 @@ if( myisset('call') ) /* get time from the last action of the game */ -$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " ); +$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid)); $gameend = time() - strtotime($r[0]); /* handle comments in case player didn't play a card, allow comments a week after the end of the game */ @@ -398,11 +398,11 @@ switch($mystatus) if(!( $mygametype == 'solo' && $mygamesolo == 'silent') ) echo "
  • Pre
  • \n"; - $result = DB_query('SELECT Trick.id '. - 'FROM Trick '. - "WHERE Trick.game_id='".$gameid."' ". - 'GROUP BY Trick.id '. - 'ORDER BY Trick.id ASC'); + $result = DB_query('SELECT Trick.id'. + ' FROM Trick'. + " WHERE Trick.game_id=".DB_quote_smart($gameid). + ' GROUP BY Trick.id'. + ' ORDER BY Trick.id ASC'); $trickNR = 1; $lasttrick = DB_get_max_trickid($gameid); @@ -945,7 +945,7 @@ switch($mystatus) if($exchange >0) { $result = DB_query("UPDATE Hand_Card SET hand_id='$partnerhand'". - " WHERE hand_id='$myhand' AND card_id=".DB_quote_smart($exchange)); + " WHERE hand_id=".DB_quote_smart($myhand)." AND card_id=".DB_quote_smart($exchange)); DB_add_exchanged_card(DB_quote_smart($exchange),$myhand,$partnerhand); }; } @@ -1100,7 +1100,7 @@ switch($mystatus) DB_add_exchanged_card($card,$userhand,$myhand); /* copy trump from player A to B */ - $result = DB_query("UPDATE Hand_Card SET hand_id='$myhand' WHERE hand_id='$userhand' AND card_id<'27'" ); + $result = DB_query("UPDATE Hand_Card SET hand_id='$myhand' WHERE hand_id=".DB_quote_smart($userhand)." AND card_id<'27'" ); /* reload cards */ $mycards = DB_get_hand($me); 
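Review bot: The UPDATE in the @@ -945 hunk converts only the WHERE side, so `SET hand_id='$partnerhand'` is still interpolated raw; the same half-conversion appears in @@ -1100 (`SET hand_id='$myhand'`, plus `card_id<'27'` still comparing against a quoted literal) and @@ -1623 (`SET winner='$winner'`), all inside the `switch($mystatus)` block that extends beyond these hunks. A statement that mixes helper-quoted and hand-quoted values is harder to audit for injection, and the leftover quoted integers run against the commit's stated goal. Suggested for the first: `$result = DB_query("UPDATE Hand_Card SET hand_id=".DB_quote_smart($partnerhand).`, and likewise for the others. Separately, `DB_add_exchanged_card(DB_quote_smart($exchange),$myhand,$partnerhand)` hands an already-quoted value to another DB helper; if that helper quotes its own arguments, a non-numeric `$exchange` would end up quoted twice, so it is worth checking.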
@@ -1290,20 +1290,20 @@ switch($mystatus) $result = DB_query('SELECT Hand_Card.card_id as card,'. ' Hand.position as position,'. ' Play.sequence as sequence, '. - ' Trick.id, '. + ' Trick.id,'. " GROUP_CONCAT(CONCAT('',User.fullname,': ',Comment.comment,'')". " SEPARATOR '\n' ), ". - ' Play.create_date, '. - ' Hand.user_id '. - 'FROM Trick '. - 'LEFT JOIN Play ON Trick.id=Play.trick_id '. - 'LEFT JOIN Hand_Card ON Play.hand_card_id=Hand_Card.id '. - 'LEFT JOIN Hand ON Hand_Card.hand_id=Hand.id '. - 'LEFT JOIN Comment ON Play.id=Comment.play_id '. - 'LEFT JOIN User On User.id=Comment.user_id '. - "WHERE Trick.game_id='".$gameid."' ". - 'GROUP BY Trick.id, sequence '. - 'ORDER BY Trick.id, sequence ASC'); + ' Play.create_date,'. + ' Hand.user_id'. + ' FROM Trick'. + ' LEFT JOIN Play ON Trick.id=Play.trick_id'. + ' LEFT JOIN Hand_Card ON Play.hand_card_id=Hand_Card.id'. + ' LEFT JOIN Hand ON Hand_Card.hand_id=Hand.id'. + ' LEFT JOIN Comment ON Play.id=Comment.play_id'. + ' LEFT JOIN User On User.id=Comment.user_id'. + " WHERE Trick.game_id=".DB_quote_smart($gameid). + ' GROUP BY Trick.id, sequence'. + ' ORDER BY Trick.id, sequence ASC'); $trickNR = 0; $lasttrick = DB_get_max_trickid($gameid); @@ -1457,7 +1457,7 @@ switch($mystatus) DB_update_game_timestamp($gameid); /* mark card as played */ - DB_query("UPDATE Hand_Card SET played='true' WHERE hand_id='$handid' AND card_id=". + DB_query("UPDATE Hand_Card SET played='true' WHERE hand_id=".DB_quote_smart($handid)." AND card_id=". DB_quote_smart($card)); /* get trick id or start new trick */ @@ -1623,7 +1623,7 @@ switch($mystatus) */ if($winner>0) - DB_query("UPDATE Trick SET winner='$winner' WHERE id='$trickid'"); + DB_query("UPDATE Trick SET winner='$winner' WHERE id=".DB_quote_smart($trickid)); else $messages[] = "ERROR during scoring"; 
@@ -1717,7 +1717,7 @@ switch($mystatus) ' LEFT JOIN Play ON Trick.id=Play.trick_id'. ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'. ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'. - " WHERE Hand.game_id='$gameid'". + " WHERE Hand.game_id=".DB_quote_smart($gameid). ' GROUP BY User.fullname' ); $email_message = _("The game is over. Thanks for playing :)")."\n"; $email_message .= _("Final score:")."\n"; @@ -1730,7 +1730,7 @@ switch($mystatus) ' LEFT JOIN Play ON Trick.id=Play.trick_id'. ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'. ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'. - " WHERE Hand.game_id='$gameid'". + " WHERE Hand.game_id=".DB_quote_smart($gameid). ' GROUP BY Hand.party' ); $email_message .= "\n"._("Totals:")."\n"; $re = 0; @@ -1910,7 +1910,7 @@ switch($mystatus) $Tpoint = 0; $email_message .= " "._("Points Re:")." \n"; $queryresult = DB_query('SELECT score FROM Score '. - " WHERE game_id=$gameid AND party='re'"); + " WHERE game_id=".DB_quote_smart($gameid)." AND party='re'"); while($r = DB_fetch_array($queryresult) ) { $email_message .= ' '.$r[0]."\n"; @@ -1918,7 +1918,7 @@ switch($mystatus) } $email_message .= " "._("Points Contra:")." \n"; $queryresult = DB_query('SELECT score FROM Score '. - " WHERE game_id=$gameid AND party='contra'"); + " WHERE game_id=".DB_quote_smart($gameid)." AND party='contra'"); while($r = DB_fetch_array($queryresult) ) { $email_message .= ' '.$r[0]."\n"; @@ -1975,7 +1975,7 @@ switch($mystatus) ' LEFT JOIN Play ON Trick.id=Play.trick_id'. ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'. ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'. - " WHERE Hand.game_id='$gameid'". + " WHERE Hand.game_id=".DB_quote_smart($gameid). ' GROUP BY User.fullname' ); while( $r = DB_fetch_array($result)) echo '
    \n". @@ -1989,27 +1989,27 @@ switch($mystatus) ' LEFT JOIN Play ON Trick.id=Play.trick_id'. ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'. ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'. - " WHERE Hand.game_id='$gameid'". + " WHERE Hand.game_id=".DB_quote_smart($gameid). ' GROUP BY Hand.party' ); echo "
    \n Totals:
    \n"; while( $r = DB_fetch_array($result)) echo ' '.$r[0].' '.$r[1]."
    \n"; $queryresult = DB_query('SELECT timediff(mod_date,create_date) '. - " FROM Game WHERE id='$gameid'"); + " FROM Game WHERE id=".DB_quote_smart($gameid)); $r = DB_fetch_array($queryresult); echo '

    This game took '.$r[0]." hours.

    \n"; echo "
    \n Points Re:
    \n"; $queryresult = DB_query('SELECT score FROM Score '. - " WHERE game_id=$gameid AND party='re'"); + " WHERE game_id=".DB_quote_smart($gameid)." AND party='re'"); while($r = DB_fetch_array($queryresult) ) echo ' '.$r[0]."
    \n"; echo "
    \n"; echo "
    \n Points Contra:
    \n"; $queryresult = DB_query('SELECT score FROM Score '. - " WHERE game_id=$gameid AND party='contra'"); + " WHERE game_id=".DB_quote_smart($gameid)." AND party='contra'"); while($r = DB_fetch_array($queryresult) ) echo ' '.$r[0]."
    \n"; echo "
    \n"; @@ -2293,7 +2293,7 @@ if($commentCall != '') echo "
    \n"; /* get time from the last action of the game */ -$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " ); +$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid)); $gameend = time() - strtotime($r[0]); /* comment box */ diff --git a/include/openid.php b/include/openid.php index 16c59f4..14024b8 100644 --- a/include/openid.php +++ b/include/openid.php @@ -142,22 +142,23 @@ function DB_GetUserId($openid_url) function DB_GetOpenIDsByUser($user_id) { - return DB_query_array_all("SELECT openid_url FROM user_openids WHERE user_id = '$user_id'"); + return DB_query_array_all("SELECT openid_url FROM user_openids WHERE user_id =".DB_quote_smart($user_id)); } function DB_AttachOpenID($openid_url, $user_id) { - DB_query("INSERT INTO user_openids VALUES (".DB_quote_smart(OpenIDUrlEncode($openid_url)).", '$user_id')"); + DB_query("INSERT INTO user_openids VALUES (".DB_quote_smart(OpenIDUrlEncode($openid_url)).", ".DB_quote_smart($user_id).")"); } function DB_DetachOpenID($openid_url, $user_id) { - DB_query("DELETE FROM user_openids WHERE openid_url = ".DB_quote_smart(OpenIDUrlEncode($openid_url))." AND user_id = '$user_id'"); + DB_query("DELETE FROM user_openids WHERE openid_url = ".DB_quote_smart(OpenIDUrlEncode($openid_url)). + " AND user_id = ".DB_quote_smart($user_id)); } function DB_DetachOpenIDsByUser($user_id) { - DB_query("DELETE FROM user_openids WHERE user_id = '$user_id'"); + DB_query("DELETE FROM user_openids WHERE user_id = ".DB_quote_smart($user_id)); } ?> \ No newline at end of file diff --git a/include/preferences.php b/include/preferences.php index 5aafcd3..f0b33da 100644 --- a/include/preferences.php +++ b/include/preferences.php 
@@ -92,11 +92,11 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($_REQUEST['vacation_start'] == $_REQUEST['vacation_stop']) { $result = DB_query("DELETE FROM User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation start'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" ); $result = DB_query("DELETE FROM User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation stop'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" ); $result = DB_query("DELETE FROM User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation comment'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" ); $changed_vacation = 1; } /* change in database if format is ok */ @@ -106,12 +106,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($vacation_start!=$PREF['vacation_start']) { $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation start'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_start). - " WHERE user_id='$myid' AND pref_key='vacation start'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation start',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation start',". DB_quote_smart($vacation_start).")"); $changed_vacation = 1; 
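Review bot: Each preference block from @@ -106 onward now calls `DB_quote_smart($myid)` three times (SELECT, UPDATE, INSERT), and the pattern repeats for every key through @@ -319. Quoting once near the top, e.g. `$uid = DB_quote_smart($myid);`, and reusing `$uid` would shorten these lines and leave a single place to audit how the user id enters SQL. The check-then-UPDATE/INSERT sequence is also not atomic, so two concurrent requests could both take the INSERT path. `INSERT INTO User_Prefs VALUES(NULL,...)` depends on column order; naming the columns would keep it correct if the table changes.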
@@ -121,12 +121,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($vacation_stop!=$PREF['vacation_stop']) { $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation stop'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_stop). - " WHERE user_id='$myid' AND pref_key='vacation stop'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation stop',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation stop',". DB_quote_smart($vacation_stop).")"); $changed_vacation = 1; @@ -136,12 +136,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') && if($vacation_comment!=$PREF['vacation_comment']) { $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='vacation comment'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_comment). - " WHERE user_id='$myid' AND pref_key='vacation comment'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation comment',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation comment',". DB_quote_smart($vacation_comment).")"); $changed_vacation = 1; 
@@ -167,12 +167,12 @@ if(myisset("cards")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='cardset'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($cards). - " WHERE user_id='$myid' AND pref_key='cardset'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','cardset',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'cardset',". DB_quote_smart($cards).")"); $changed_cards = 1; } @@ -185,12 +185,12 @@ if(myisset("notify")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='email'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($notify). - " WHERE user_id='$myid' AND pref_key='email'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','email',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'email',". DB_quote_smart($notify).")"); $changed_notify=1; } 
@@ -203,12 +203,12 @@ if(myisset("digest")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='digest'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($digest). - " WHERE user_id='$myid' AND pref_key='digest'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','digest',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'digest',". DB_quote_smart($digest).")"); $changed_digest=1; } @@ -221,12 +221,12 @@ if(myisset("autosetup")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='autosetup'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($autosetup). - " WHERE user_id='$myid' AND pref_key='autosetup'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','autosetup',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'autosetup',". DB_quote_smart($autosetup).")"); $changed_autosetup=1; } 
@@ -239,12 +239,12 @@ if(myisset("sorting")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='sorting'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($sorting). - " WHERE user_id='$myid' AND pref_key='sorting'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','sorting',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'sorting',". DB_quote_smart($sorting).")"); $changed_sorting=1; } @@ -257,12 +257,12 @@ if(myisset("open_for_games")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='open for games'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($openforgames). - " WHERE user_id='$myid' AND pref_key='open for games'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','open for games',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'open for games',". DB_quote_smart($openforgames).")"); $changed_openforgames=1; } 
@@ -319,12 +319,12 @@ if(myisset("language")) { /* check if we already have an entry for the user, if so change it, if not create new one */ $result = DB_query("SELECT * from User_Prefs". - " WHERE user_id='$myid' AND pref_key='language'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" ); if( DB_fetch_array($result)) $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($language). - " WHERE user_id='$myid' AND pref_key='language'" ); + " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" ); else - $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','language',". + $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'language',". DB_quote_smart($language).")"); $changed_language = 1; } diff --git a/include/user.php b/include/user.php index 546ea8d..65544f5 100644 --- a/include/user.php +++ b/include/user.php @@ -160,7 +160,7 @@ else " G.session". " FROM Hand". " LEFT JOIN Game G ON G.id=Hand.game_id". - " WHERE user_id='$myid'". + " WHERE user_id=".DB_quote_smart($myid). " ORDER BY G.session,G.create_date" ); /* sort into active and passive sessions */ diff --git a/rss.php b/rss.php index a6e5d1b..e6db287 100644 --- a/rss.php +++ b/rss.php @@ -100,8 +100,8 @@ echo "\n\n"; $result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand". " LEFT JOIN Game On Hand.game_id=Game.id". - " WHERE Hand.user_id='$id'". - " AND ( Game.player='$id' OR ISNULL(Game.player) )". + " WHERE Hand.user_id=".DB_quote_smart($id). + " AND ( Game.player=".DB_quote_smart($id)." OR ISNULL(Game.player) )". " AND ( Game.status='pre' OR Game.status='play' )". " ORDER BY Game.session" ); -- cgit v1.2.3-18-g5258