mysql optimization: don't quote integers as strings in WHERE
authorArun Persaud <arun@nubati.net>
Tue, 26 Feb 2013 06:04:21 +0000 (22:04 -0800)
committerArun Persaud <arun@nubati.net>
Tue, 26 Feb 2013 06:04:21 +0000 (22:04 -0800)
include/cancelgame.php
include/db.php
include/functions.php
include/game.php
include/openid.php
include/preferences.php
include/user.php
rss.php

index d9b69b3..02b5a06 100644 (file)
@@ -49,7 +49,7 @@ $gameid   = DB_get_gameid_by_hash($me);
 $myname   = DB_get_name('hash',$me);
 
 /* check if game really is old enough to be canceled */
-$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " );
+$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid) );
 if(time()-strtotime($r[0]) > 60*60*24*30) /* = 1 month */
   {
     /* email to all players */
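Review bot: Every replacement in this commit, starting with the `id=` clause on the `SELECT mod_date` line here, now relies on DB_quote_smart deciding at run time whether a value is emitted bare or quoted; its definition is not part of this diff, so it is worth confirming that it quotes and escapes any value that is not an actual integer rather than only testing for a numeric-looking string, since the same helper is now the only barrier in front of every WHERE clause touched here. Independently of that, the next line reads `$r[0]` without checking that a row came back; if DB_query_array returns false for an unknown game id, `strtotime` is handed null and the age check silently passes as "old enough", so a guard such as `if(!$r) { ... }` before the comparison would make the cancel path fail closed. The surrounding script code begins before this hunk.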
index 493b93d..f9eb07a 100644 (file)
@@ -802,7 +802,7 @@ function DB_get_PREF($myid)
 
   /* get all preferences */
   $r = DB_query('SELECT pref_key, value FROM User_Prefs'.
-                     " WHERE user_id='$myid' " );
+               " WHERE user_id=".DB_quote_smart($myid) );
   while($pref = DB_fetch_array($r) )
     {
       switch($pref[0])
@@ -864,7 +864,7 @@ function DB_get_RULES($gameid)
 {
   $r = DB_query_array("SELECT * FROM Rulesets".
                      " LEFT JOIN Game ON Game.ruleset=Rulesets.id ".
-                     " WHERE Game.id='$gameid'" );
+                     " WHERE Game.id=".DB_quote_smart($gameid) );
 
   $RULES['dullen']      = $r[2];
   $RULES['schweinchen'] = $r[3];
@@ -878,7 +878,7 @@ function DB_get_email_pref_by_hash($hash)
 {
   $r = DB_query_array("SELECT value FROM Hand".
                      " LEFT JOIN User_Prefs ON Hand.user_id=User_Prefs.user_id".
-                     " WHERE hash='$hash' AND pref_key='email'" );
+                     " WHERE hash=".DB_quote_smart($hash)." AND pref_key='email'" );
   if($r)
     {
       if($r[0]=="emailaddict")
@@ -893,7 +893,7 @@ function DB_get_email_pref_by_hash($hash)
 function DB_get_email_pref_by_uid($uid)
 {
   $r = DB_query_array("SELECT value FROM User_Prefs ".
-                     " WHERE user_id='$uid' AND pref_key='email'" );
+                     " WHERE user_id=".DB_quote_smart($uid)." AND pref_key='email'" );
   if($r)
     {
       if($r[0]=="emailaddict")
@@ -928,7 +928,7 @@ function DB_get_unused_randomnumbers($userstr)
 function DB_get_number_of_passwords_recovery($user)
 {
   $r = DB_query_array("SELECT COUNT(*) FROM Recovery ".
-                     "  WHERE user_id=$user ".
+                     "  WHERE user_id=".DB_quote_smart($user).
                      "  AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= create_date".
                      "  GROUP BY user_id " );
   if($r)
@@ -955,7 +955,7 @@ function DB_get_card_name($card)
   if($card==0)
     return 'backside';
 
-  $r = DB_query_array("SELECT strength,suite FROM Card WHERE id='$card'");
+  $r = DB_query_array("SELECT strength,suite FROM Card WHERE id=".DB_quote_smart($card));
 
   if($r)
     return $r[0]." of ".$r[1];
@@ -970,7 +970,7 @@ function DB_get_current_playid($gameid)
 
   if(!$trick) return -1;
 
-  $r = DB_query_array("SELECT id FROM Play WHERE trick_id='$trick' ORDER BY create_date DESC LIMIT 1");
+  $r = DB_query_array("SELECT id FROM Play WHERE trick_id=".DB_quote_smart($trick)." ORDER BY create_date DESC LIMIT 1");
 
   if($r)
     return $r[0];
@@ -980,7 +980,7 @@ function DB_get_current_playid($gameid)
 
 function DB_get_call_by_hash($hash)
 {
-  $r = DB_query_array("SELECT point_call FROM Hand WHERE hash='$hash'");
+  $r = DB_query_array("SELECT point_call FROM Hand WHERE hash=".DB_quote_smart($hash));
 
   if($r)
     return $r[0];
@@ -994,7 +994,7 @@ function DB_get_partner_call_by_hash($hash)
 
   if($partner)
     {
-      $r = DB_query_array("SELECT point_call FROM Hand WHERE hash='$partner'");
+      $r = DB_query_array("SELECT point_call FROM Hand WHERE hash=".DB_quote_smart($partner));
 
       if($r)
        return $r[0];
@@ -1008,7 +1008,8 @@ function DB_get_partner_hash_by_hash($hash)
   $gameid = DB_get_gameid_by_hash($hash);
   $party  = DB_get_party_by_hash($hash);
 
-  $r = DB_query_array("SELECT hash FROM Hand WHERE game_id='$gameid' AND party='$party' AND hash<>'$hash'");
+  $r = DB_query_array("SELECT hash FROM Hand WHERE game_id=".DB_quote_smart($gameid).
+                     " AND party=".DB_quote_smart($party)." AND hash<>".DB_quote_smart($hash));
 
   if($r)
     return $r[0];
@@ -1019,22 +1020,22 @@ function DB_get_partner_hash_by_hash($hash)
 function DB_format_gameid($gameid)
 {
   /* get session and create date */
-  $r = DB_query_array("SELECT session, create_date FROM Game WHERE id='$gameid' ");
+  $r = DB_query_array("SELECT session, create_date FROM Game WHERE id=".DB_quote_smart($gameid));
   $session = $r[0];
   $date    = $r[1];
 
   /* get number of game */
   $r = DB_query_array("SELECT SUM(TIME_TO_SEC(TIMEDIFF(create_date, '$date'))<=0) ".
                      " FROM Game".
-                     " WHERE session='$session' ");
+                     " WHERE session=".DB_quote_smart($session));
   return $session.'.'.$r[0];
 }
 
 function DB_get_reminder($user,$gameid)
 {
   $r = DB_query_array("SELECT COUNT(*) FROM Reminder ".
-                     "  WHERE user_id=$user ".
-                     "  AND game_id=$gameid ".
+                     "  WHERE user_id=".DB_quote_smart($user).
+                     "  AND game_id=".DB_quote_smart($gameid).
                      "  AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= create_date".
                      "  GROUP BY user_id " );
   if($r)
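Review bot: In DB_format_gameid the `'$date'` argument to TIMEDIFF is still interpolated raw on the `SELECT SUM(` line, while the `session=` clause two lines below now goes through DB_quote_smart; for consistency with the rest of the commit it should read `"SELECT SUM(TIME_TO_SEC(TIMEDIFF(create_date, ".DB_quote_smart($date)."))<=0) "`. `$date` comes from the first query in this function, so the exposure is low, but leaving one raw interpolation in a function that was otherwise converted makes the next grep for unquoted values miss it. Both `$session` and `$date` are read from `$r` without checking that the first query returned a row; if DB_query_array returns false on a missing game, `$session` is null and the second query runs with `session=` followed by whatever DB_quote_smart makes of null — worth a hedged check. DB_get_reminder's body continues past the end of this hunk.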
@@ -1073,11 +1074,11 @@ function DB_get_gameids_of_finished_games_by_session($session)
                                  " GROUP BY Game.id");
   else   /* return games in a session */
     $queryresult = DB_query_array_all("SELECT Game.id,SUM(IF(STRCMP(Score.party,'re'),-1,1)),Game.type FROM Game ".
-                                 " LEFT JOIN Score on game_id=Game.id".
-                                 "  WHERE session=$session ".
-                                 "   AND status='gameover' ".
-                                 " GROUP BY Game.id".
-                                 " ORDER BY Game.create_date ASC");
+                                     " LEFT JOIN Score on game_id=Game.id".
+                                     " WHERE session=".DB_quote_smart($session).
+                                     " AND status='gameover' ".
+                                     " GROUP BY Game.id".
+                                     " ORDER BY Game.create_date ASC");
 
   return $queryresult;
 }
@@ -1085,7 +1086,7 @@ function DB_get_gameids_of_finished_games_by_session($session)
 function DB_get_card_value_by_cardid($id)
 {
   $r = DB_query_array("SELECT points FROM Card ".
-                     "  WHERE id=$id ");
+                     "  WHERE id=".DB_quote_smart($id));
 
   if($r)
     return $r[0];
index 191823d..3142b02 100644 (file)
@@ -998,10 +998,10 @@ function display_table_begin ()
                     "        Hand.hash,       ".
                     "        User.timezone,    ".
                     "        User.email       ".
-                    "FROM Hand ".
-                    "LEFT JOIN User ON User.id=Hand.user_id ".
-                    "WHERE Hand.game_id='".$gameid."' ".
-                    "ORDER BY position ASC");
+                    " FROM Hand".
+                    " LEFT JOIN User ON User.id=Hand.user_id".
+                    " WHERE Hand.game_id=".DB_quote_smart($gameid).
+                    " ORDER BY position ASC");
 
   $row0 = DB_fetch_array($result);
   $row1 = DB_fetch_array($result);
@@ -1032,10 +1032,10 @@ function display_table_end ()
                     "        Hand.hash,       ".
                     "        User.timezone,    ".
                     "        User.email       ".
-                    "FROM Hand ".
-                    "LEFT JOIN User ON User.id=Hand.user_id ".
-                    "WHERE Hand.game_id='".$gameid."' ".
-                    "ORDER BY position ASC");
+                    " FROM Hand".
+                    " LEFT JOIN User ON User.id=Hand.user_id".
+                    " WHERE Hand.game_id=".DB_quote_smart($gameid).
+                    " ORDER BY position ASC");
 
   $row0 = DB_fetch_array($result);
   $row1 = DB_fetch_array($result);
@@ -1231,16 +1231,16 @@ function display_user_menu($id, $skiphash=NULL)
   if($skiphash)
     $result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand".
                       " LEFT JOIN Game On Hand.game_id=Game.id".
-                      " WHERE Hand.user_id='$id'".
-                      " AND Hand.hash!='$skiphash'".
+                      " WHERE Hand.user_id=".DB_quote_smart($id).
+                      " AND Hand.hash!=".DB_quote_smart($skiphash).
                       " AND ( Game.player='$id' OR ISNULL(Game.player) )".
                       " AND ( Game.status='pre' OR Game.status='play' )".
                       " ORDER BY Game.session" );
   else
     $result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand".
                       " LEFT JOIN Game On Hand.game_id=Game.id".
-                      " WHERE Hand.user_id='$id'".
-                      " AND ( Game.player='$id' OR ISNULL(Game.player) )".
+                      " WHERE Hand.user_id=".DB_quote_smart($id).
+                      " AND ( Game.player=".DB_quote_smart($id)." OR ISNULL(Game.player) )".
                       " AND ( Game.status='pre' OR Game.status='play' )".
                       " ORDER BY Game.session" );
 
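Review bot: In the `$skiphash` branch of display_user_menu the line `" AND ( Game.player='$id' OR ISNULL(Game.player) )"` still interpolates `$id` directly, while the identical clause in the else branch two queries down was converted to `Game.player=".DB_quote_smart($id)."`; the two branches should match, i.e. `" AND ( Game.player=".DB_quote_smart($id)." OR ISNULL(Game.player) )".`. Since both queries differ only by the `Hand.hash!=` clause, building the common SQL once and appending the `$skiphash` condition conditionally would remove the duplication that let the two branches drift apart in this very commit. The same query appears again in rss.php at the end of this diff.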
@@ -1294,7 +1294,7 @@ function generate_score_table($session)
 
   /* get player id from the first game */
   $result = DB_query("SELECT user_id from Hand".
-                    " WHERE Hand.game_id=".$gameids[0][0]);
+                    " WHERE Hand.game_id=".DB_quote_smart($gameids[0][0]));
   while( $r = DB_fetch_array($result))
     $player[$r[0]] = 0;
 
@@ -1578,7 +1578,7 @@ function check_vacation($userid)
 {
   /* get start date */
   $result = DB_query_array("SELECT value FROM User_Prefs".
-                    " WHERE user_id='$userid' AND pref_key='vacation start'" );
+                          " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation start'" );
   if($result)
     $start = $result[0];
   else
@@ -1586,7 +1586,7 @@ function check_vacation($userid)
 
   /* get end date */
   $result = DB_query_array("SELECT value FROM User_Prefs".
-                    " WHERE user_id='$userid' AND pref_key='vacation stop'" );
+                          " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation stop'" );
   if($result)
     $stop = $result[0];
   else
@@ -1594,7 +1594,7 @@ function check_vacation($userid)
 
   /* get comment */
   $result = DB_query_array("SELECT value FROM User_Prefs".
-                    " WHERE user_id='$userid' AND pref_key='vacation comment'" );
+                          " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation comment'" );
   if($result)
     $comment = $result[0];
   else
index b339c03..0ca2454 100644 (file)
@@ -184,7 +184,7 @@ if( myisset('call') )
 
 
 /* get time from the last action of the game */
-$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " );
+$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid));
 $gameend = time() - strtotime($r[0]);
 
 /* handle comments in case player didn't play a card, allow comments a week after the end of the game */
@@ -398,11 +398,11 @@ switch($mystatus)
       if(!( $mygametype == 'solo' && $mygamesolo == 'silent') )
        echo "  <li onclick=\"hl(0);\" class=\"old\"><a href=\"#\">Pre</a></li>\n";
 
-    $result = DB_query('SELECT Trick.id '.
-                      'FROM Trick '.
-                      "WHERE Trick.game_id='".$gameid."' ".
-                      'GROUP BY Trick.id '.
-                      'ORDER BY Trick.id ASC');
+    $result = DB_query('SELECT Trick.id'.
+                      ' FROM Trick'.
+                      " WHERE Trick.game_id=".DB_quote_smart($gameid).
+                      ' GROUP BY Trick.id'.
+                      ' ORDER BY Trick.id ASC');
     $trickNR   = 1;
     $lasttrick = DB_get_max_trickid($gameid);
 
@@ -945,7 +945,7 @@ switch($mystatus)
        if($exchange >0)
          {
            $result = DB_query("UPDATE Hand_Card SET hand_id='$partnerhand'".
-                              " WHERE hand_id='$myhand' AND card_id=".DB_quote_smart($exchange));
+                              " WHERE hand_id=".DB_quote_smart($myhand)." AND card_id=".DB_quote_smart($exchange));
            DB_add_exchanged_card(DB_quote_smart($exchange),$myhand,$partnerhand);
          };
       }
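Review bot: The `UPDATE Hand_Card SET hand_id='$partnerhand'` statement converts only its WHERE clause; the SET value is still a raw string interpolation, and the same half-conversion appears in the hunks ending at the `/* reload cards */` block (`SET hand_id='$myhand'`) and at the `ERROR during scoring` block (`SET winner='$winner'`). For the commit's stated goal the SET side needs the same treatment, e.g. `"UPDATE Hand_Card SET hand_id=".DB_quote_smart($partnerhand)." WHERE hand_id=".DB_quote_smart($myhand)." AND card_id=".DB_quote_smart($exchange)`. The following context line passes `DB_quote_smart($exchange)` as an argument to DB_add_exchanged_card rather than the raw id; that predates this commit, but if that helper quotes its arguments itself the value arrives double-quoted, so it is worth checking while the quoting convention is being unified. The enclosing `switch($mystatus)` case starts and ends outside this hunk.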
@@ -1100,7 +1100,7 @@ switch($mystatus)
                DB_add_exchanged_card($card,$userhand,$myhand);
 
            /* copy trump from player A to B */
-           $result = DB_query("UPDATE Hand_Card SET hand_id='$myhand' WHERE hand_id='$userhand' AND card_id<'27'" );
+           $result = DB_query("UPDATE Hand_Card SET hand_id='$myhand' WHERE hand_id=".DB_quote_smart($userhand)." AND card_id<'27'" );
 
            /* reload cards */
            $mycards = DB_get_hand($me);
@@ -1290,20 +1290,20 @@ switch($mystatus)
     $result = DB_query('SELECT Hand_Card.card_id as card,'.
                       '       Hand.position as position,'.
                       '       Play.sequence as sequence, '.
-                      '       Trick.id, '.
+                      '       Trick.id,'.
                       "       GROUP_CONCAT(CONCAT('<span>',User.fullname,': ',Comment.comment,'</span>')".
                       "                    SEPARATOR '\n' ), ".
-                      '       Play.create_date, '.
-                      '       Hand.user_id '.
-                      'FROM Trick '.
-                      'LEFT JOIN Play ON Trick.id=Play.trick_id '.
-                      'LEFT JOIN Hand_Card ON Play.hand_card_id=Hand_Card.id '.
-                      'LEFT JOIN Hand ON Hand_Card.hand_id=Hand.id '.
-                      'LEFT JOIN Comment ON Play.id=Comment.play_id '.
-                      'LEFT JOIN User On User.id=Comment.user_id '.
-                      "WHERE Trick.game_id='".$gameid."' ".
-                      'GROUP BY Trick.id, sequence '.
-                      'ORDER BY Trick.id, sequence ASC');
+                      '       Play.create_date,'.
+                      '       Hand.user_id'.
+                      ' FROM Trick'.
+                      ' LEFT JOIN Play ON Trick.id=Play.trick_id'.
+                      ' LEFT JOIN Hand_Card ON Play.hand_card_id=Hand_Card.id'.
+                      ' LEFT JOIN Hand ON Hand_Card.hand_id=Hand.id'.
+                      ' LEFT JOIN Comment ON Play.id=Comment.play_id'.
+                      ' LEFT JOIN User On User.id=Comment.user_id'.
+                      " WHERE Trick.game_id=".DB_quote_smart($gameid).
+                      ' GROUP BY Trick.id, sequence'.
+                      ' ORDER BY Trick.id, sequence ASC');
     $trickNR   = 0;
     $lasttrick = DB_get_max_trickid($gameid);
 
@@ -1457,7 +1457,7 @@ switch($mystatus)
            DB_update_game_timestamp($gameid);
 
            /* mark card as played */
-           DB_query("UPDATE Hand_Card SET played='true' WHERE hand_id='$handid' AND card_id=".
+           DB_query("UPDATE Hand_Card SET played='true' WHERE hand_id=".DB_quote_smart($handid)." AND card_id=".
                     DB_quote_smart($card));
 
            /* get trick id or start new trick */
@@ -1623,7 +1623,7 @@ switch($mystatus)
                 */
 
                if($winner>0)
-                 DB_query("UPDATE Trick SET winner='$winner' WHERE id='$trickid'");
+                 DB_query("UPDATE Trick SET winner='$winner' WHERE id=".DB_quote_smart($trickid));
                else
                  $messages[] = "ERROR during scoring";
 
@@ -1717,7 +1717,7 @@ switch($mystatus)
                                   ' LEFT JOIN Play ON Trick.id=Play.trick_id'.
                                   ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
                                   ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
-                                  " WHERE Hand.game_id='$gameid'".
+                                  " WHERE Hand.game_id=".DB_quote_smart($gameid).
                                   ' GROUP BY User.fullname' );
                $email_message  = _("The game is over. Thanks for playing :)")."\n";
                $email_message .= _("Final score:")."\n";
@@ -1730,7 +1730,7 @@ switch($mystatus)
                                   ' LEFT JOIN Play ON Trick.id=Play.trick_id'.
                                   ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
                                   ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
-                                  " WHERE Hand.game_id='$gameid'".
+                                  " WHERE Hand.game_id=".DB_quote_smart($gameid).
                                   ' GROUP BY Hand.party' );
                $email_message .= "\n"._("Totals:")."\n";
                $re     = 0;
@@ -1910,7 +1910,7 @@ switch($mystatus)
                  $Tpoint = 0;
                  $email_message .= " "._("Points Re:")." \n";
                  $queryresult = DB_query('SELECT score FROM Score '.
-                                         "  WHERE game_id=$gameid AND party='re'");
+                                         "  WHERE game_id=".DB_quote_smart($gameid)." AND party='re'");
                  while($r = DB_fetch_array($queryresult) )
                    {
                      $email_message .= '   '.$r[0]."\n";
@@ -1918,7 +1918,7 @@ switch($mystatus)
                    }
                  $email_message .= " "._("Points Contra:")." \n";
                  $queryresult = DB_query('SELECT score FROM Score '.
-                                         "  WHERE game_id=$gameid AND party='contra'");
+                                         "  WHERE game_id=".DB_quote_smart($gameid)." AND party='contra'");
                  while($r = DB_fetch_array($queryresult) )
                    {
                      $email_message .= '   '.$r[0]."\n";
@@ -1975,7 +1975,7 @@ switch($mystatus)
                           ' LEFT JOIN Play ON Trick.id=Play.trick_id'.
                           ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
                           ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
-                          " WHERE Hand.game_id='$gameid'".
+                          " WHERE Hand.game_id=".DB_quote_smart($gameid).
                           ' GROUP BY User.fullname' );
        while( $r = DB_fetch_array($result))
          echo '      <div class="card'.($r[3]-1)."\">\n".
@@ -1989,27 +1989,27 @@ switch($mystatus)
                           ' LEFT JOIN Play ON Trick.id=Play.trick_id'.
                           ' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
                           ' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
-                          " WHERE Hand.game_id='$gameid'".
+                          " WHERE Hand.game_id=".DB_quote_smart($gameid).
                           ' GROUP BY Hand.party' );
        echo "    <div class=\"total\">\n  Totals:<br />\n";
        while( $r = DB_fetch_array($result))
          echo '      '.$r[0].' '.$r[1]."<br />\n";
 
        $queryresult = DB_query('SELECT timediff(mod_date,create_date) '.
-                               " FROM Game WHERE id='$gameid'");
+                               " FROM Game WHERE id=".DB_quote_smart($gameid));
        $r = DB_fetch_array($queryresult);
        echo '      <p>This game took '.$r[0]." hours.</p>\n";
 
        echo "      <div class=\"re\">\n   Points Re: <br />\n";
        $queryresult = DB_query('SELECT score FROM Score '.
-                               "  WHERE game_id=$gameid AND party='re'");
+                               "  WHERE game_id=".DB_quote_smart($gameid)." AND party='re'");
        while($r = DB_fetch_array($queryresult) )
          echo '       '.$r[0]."<br />\n";
        echo "      </div>\n";
 
        echo "      <div class=\"contra\">\n   Points Contra: <br />\n";
        $queryresult = DB_query('SELECT score FROM Score '.
-                               "  WHERE game_id=$gameid AND party='contra'");
+                               "  WHERE game_id=".DB_quote_smart($gameid)." AND party='contra'");
        while($r = DB_fetch_array($queryresult) )
          echo '       '.$r[0]."<br />\n";
        echo "      </div>\n";
@@ -2293,7 +2293,7 @@ if($commentCall != '')
 echo "<div class=\"gameinfo\">\n";
 
 /* get time from the last action of the game */
-$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " );
+$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid));
 $gameend = time() - strtotime($r[0]);
 
 /* comment box */
index 16c59f4..14024b8 100644 (file)
@@ -142,22 +142,23 @@ function DB_GetUserId($openid_url)
 
 function DB_GetOpenIDsByUser($user_id)
 {
-  return DB_query_array_all("SELECT openid_url FROM user_openids WHERE user_id = '$user_id'");
+  return DB_query_array_all("SELECT openid_url FROM user_openids WHERE user_id =".DB_quote_smart($user_id));
 }
 
 function DB_AttachOpenID($openid_url, $user_id)
 {
-  DB_query("INSERT INTO user_openids VALUES (".DB_quote_smart(OpenIDUrlEncode($openid_url)).", '$user_id')");
+  DB_query("INSERT INTO user_openids VALUES (".DB_quote_smart(OpenIDUrlEncode($openid_url)).", ".DB_quote_smart($user_id).")");
 }
 
 function DB_DetachOpenID($openid_url, $user_id)
 {
-  DB_query("DELETE FROM user_openids WHERE openid_url = ".DB_quote_smart(OpenIDUrlEncode($openid_url))." AND user_id = '$user_id'");
+  DB_query("DELETE FROM user_openids WHERE openid_url = ".DB_quote_smart(OpenIDUrlEncode($openid_url)).
+          " AND user_id = ".DB_quote_smart($user_id));
 }
 
 function DB_DetachOpenIDsByUser($user_id)
 {
-  DB_query("DELETE FROM user_openids WHERE user_id = '$user_id'");
+  DB_query("DELETE FROM user_openids WHERE user_id = ".DB_quote_smart($user_id));
 }
 
 ?>
\ No newline at end of file
index 5aafcd3..f0b33da 100644 (file)
@@ -92,11 +92,11 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
     if($_REQUEST['vacation_start'] == $_REQUEST['vacation_stop'])
       {
        $result = DB_query("DELETE FROM User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='vacation start'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" );
        $result = DB_query("DELETE FROM User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='vacation stop'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" );
        $result = DB_query("DELETE FROM User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='vacation comment'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" );
        $changed_vacation = 1;
       }
     /* change in database if format is ok */
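Review bot: The SELECT/UPDATE/INSERT triple for one `pref_key` is repeated nine times across this file's hunks (vacation start/stop/comment, cardset, email, digest, autosetup, sorting, open for games, language), and this commit had to patch the `user_id=` clause in each copy by hand; a single helper along the lines of `DB_set_PREF($myid, $key, $value)` holding the three statements would have made the change one edit and leaves no copy for a later grep to miss. Each copy also assigns the SELECT handle to `$result` and then overwrites it with the UPDATE or INSERT handle without ever checking either return value, so a failed write still sets the `$changed_*` flag. The enclosing `if(myisset(...))` block begins before this hunk.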
@@ -106,12 +106,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
        if($vacation_start!=$PREF['vacation_start'])
          {
            $result = DB_query("SELECT * from User_Prefs".
-                              " WHERE user_id='$myid' AND pref_key='vacation start'" );
+                              " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" );
            if( DB_fetch_array($result))
              $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_start).
-                                " WHERE user_id='$myid' AND pref_key='vacation start'" );
+                                " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" );
            else
-             $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation start',".
+             $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation start',".
                                 DB_quote_smart($vacation_start).")");
 
            $changed_vacation = 1;
@@ -121,12 +121,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
        if($vacation_stop!=$PREF['vacation_stop'])
          {
            $result = DB_query("SELECT * from User_Prefs".
-                              " WHERE user_id='$myid' AND pref_key='vacation stop'" );
+                              " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" );
            if( DB_fetch_array($result))
              $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_stop).
-                                " WHERE user_id='$myid' AND pref_key='vacation stop'" );
+                                " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" );
            else
-             $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation stop',".
+             $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation stop',".
                                 DB_quote_smart($vacation_stop).")");
 
            $changed_vacation = 1;
@@ -136,12 +136,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
        if($vacation_comment!=$PREF['vacation_comment'])
          {
            $result = DB_query("SELECT * from User_Prefs".
-                              " WHERE user_id='$myid' AND pref_key='vacation comment'" );
+                              " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" );
            if( DB_fetch_array($result))
              $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_comment).
-                                " WHERE user_id='$myid' AND pref_key='vacation comment'" );
+                                " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" );
            else
-             $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation comment',".
+             $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation comment',".
                                 DB_quote_smart($vacation_comment).")");
 
            $changed_vacation = 1;
@@ -167,12 +167,12 @@ if(myisset("cards"))
       {
        /* check if we already have an entry for the user, if so change it, if not create new one */
        $result = DB_query("SELECT * from User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='cardset'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" );
        if( DB_fetch_array($result))
          $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($cards).
-                            " WHERE user_id='$myid' AND pref_key='cardset'" );
+                            " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" );
        else
-         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','cardset',".
+         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'cardset',".
                             DB_quote_smart($cards).")");
        $changed_cards = 1;
       }
@@ -185,12 +185,12 @@ if(myisset("notify"))
       {
        /* check if we already have an entry for the user, if so change it, if not create new one */
        $result = DB_query("SELECT * from User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='email'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" );
        if( DB_fetch_array($result))
          $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($notify).
-                            " WHERE user_id='$myid' AND pref_key='email'" );
+                            " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" );
        else
-         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','email',".
+         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'email',".
                             DB_quote_smart($notify).")");
        $changed_notify=1;
       }
@@ -203,12 +203,12 @@ if(myisset("digest"))
       {
        /* check if we already have an entry for the user, if so change it, if not create new one */
        $result = DB_query("SELECT * from User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='digest'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" );
        if( DB_fetch_array($result))
          $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($digest).
-                            " WHERE user_id='$myid' AND pref_key='digest'" );
+                            " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" );
        else
-         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','digest',".
+         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'digest',".
                             DB_quote_smart($digest).")");
        $changed_digest=1;
       }
@@ -221,12 +221,12 @@ if(myisset("autosetup"))
       {
        /* check if we already have an entry for the user, if so change it, if not create new one */
        $result = DB_query("SELECT * from User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='autosetup'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" );
        if( DB_fetch_array($result))
          $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($autosetup).
-                            " WHERE user_id='$myid' AND pref_key='autosetup'" );
+                            " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" );
        else
-         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','autosetup',".
+         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'autosetup',".
                             DB_quote_smart($autosetup).")");
        $changed_autosetup=1;
       }
@@ -239,12 +239,12 @@ if(myisset("sorting"))
       {
        /* check if we already have an entry for the user, if so change it, if not create new one */
        $result = DB_query("SELECT * from User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='sorting'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" );
        if( DB_fetch_array($result))
          $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($sorting).
-                            " WHERE user_id='$myid' AND pref_key='sorting'" );
+                            " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" );
        else
-         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','sorting',".
+         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'sorting',".
                             DB_quote_smart($sorting).")");
        $changed_sorting=1;
       }
@@ -257,12 +257,12 @@ if(myisset("open_for_games"))
       {
        /* check if we already have an entry for the user, if so change it, if not create new one */
        $result = DB_query("SELECT * from User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='open for games'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" );
        if( DB_fetch_array($result))
          $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($openforgames).
-                            " WHERE user_id='$myid' AND pref_key='open for games'" );
+                            " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" );
        else
-         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','open for games',".
+         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'open for games',".
                             DB_quote_smart($openforgames).")");
        $changed_openforgames=1;
       }
@@ -319,12 +319,12 @@ if(myisset("language"))
       {
        /* check if we already have an entry for the user, if so change it, if not create new one */
        $result = DB_query("SELECT * from User_Prefs".
-                          " WHERE user_id='$myid' AND pref_key='language'" );
+                          " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" );
        if( DB_fetch_array($result))
          $result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($language).
-                            " WHERE user_id='$myid' AND pref_key='language'" );
+                            " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" );
        else
-         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','language',".
+         $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'language',".
                             DB_quote_smart($language).")");
        $changed_language = 1;
       }
index 546ea8d..65544f5 100644 (file)
@@ -160,7 +160,7 @@ else
                           " G.session".
                           " FROM Hand".
                           " LEFT JOIN Game G ON G.id=Hand.game_id".
-                          " WHERE user_id='$myid'".
+                          " WHERE user_id=".DB_quote_smart($myid).
                           " ORDER BY G.session,G.create_date" );
 
        /* sort into active and passive sessions */
diff --git a/rss.php b/rss.php
index a6e5d1b..e6db287 100644 (file)
--- a/rss.php
+++ b/rss.php
@@ -100,8 +100,8 @@ echo "</author>\n\n";
 
   $result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand".
                     " LEFT JOIN Game On Hand.game_id=Game.id".
-                    " WHERE Hand.user_id='$id'".
-                    " AND ( Game.player='$id' OR ISNULL(Game.player) )".
+                    " WHERE Hand.user_id=".DB_quote_smart($id).
+                    " AND ( Game.player=".DB_quote_smart($id)." OR ISNULL(Game.player) )".
                     " AND ( Game.status='pre' OR Game.status='play' )".
                     " ORDER BY Game.session" );