diff --git a/airtime_mvc/application/models/Datatables.php b/airtime_mvc/application/models/Datatables.php
index e11395fa0..041530407 100644
--- a/airtime_mvc/application/models/Datatables.php
+++ b/airtime_mvc/application/models/Datatables.php
@@ -4,7 +4,8 @@ class Application_Model_Datatables
 {
     private static function buildWhereClauseForAdvancedSearch($dbname2searchTerm)
     {
-        $where = array();
+        $where['clause'] = array();
+        $where['params'] = array();
         foreach ($dbname2searchTerm as $dbname=>$term) {
             $isRange = false;
             if (strstr($term, '~')) {
@@ -24,22 +25,27 @@ class Application_Model_Datatables
             if ($isRange) {
                 $sub = array();
                 if ($input1 != null) {
-                    $sub[] = $dbname." >= '".$input1."'";
+                    $sub[] = $dbname." >= :" . $dbname . "1";
                 }
                 if ($input2 != null) {
-                    $sub[] = $dbname." <= '".$input2."'";
+                    $sub[] = $dbname." <= :" . $dbname . "2";
                 }
                 if (!empty($sub)) {
-                    $where[] = "(".implode(' AND ', $sub).")";
+                    $where['clause'][$dbname] = "(".implode(' AND ', $sub).")";
+                    $where['params'][$dbname."1"] = $input1;
+                    if ($input2 != null) {
+                        $where['params'][$dbname."2"] = $input2;
+                    }
                 }
             } else {
                 if (trim($input1) !== "") {
-                    $where[] = $dbname." ILIKE "."'%".$input1."%'";
+                    $where['clause'][$dbname] = $dbname." ILIKE :" . $dbname."1";
+                    $where['params'][$dbname."1"] = "%".$input1."%";
                 }
             }
         }
-        return implode(" AND ", $where);
+        return $where;
     }
     /*
      * query used to return data for a paginated/searchable datatable.
@@ -73,10 +79,15 @@ class Application_Model_Datatables
         }
         $where = array();
+        /* Holds the parameters for binding after the
+         * statement has been prepared
+         */
+        $params = array();
         $advancedWhere = self::buildWhereClauseForAdvancedSearch($dbname2searchTerm);
-        if ($advancedWhere != "") {
-            $where[] = $advancedWhere;
+        if (!empty($advancedWhere['clause'])) {
+            $where[] = join(" AND ", $advancedWhere['clause']);
+            $params = $advancedWhere['params'];
         }
         if ($data["sSearch"] !== "") {
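Review bot: In the range branch of buildWhereClauseForAdvancedSearch, `$where['params'][$dbname."1"] = $input1;` is stored unconditionally inside `if (!empty($sub))`, but the `:…1` placeholder is only added to the clause when `$input1 != null`; a range with only an upper bound therefore binds a parameter that does not exist in the statement, and PDO rejects execute with an invalid-parameter-number error. Guard it the same way the lower bound is already guarded: `if ($input1 != null) { $where['params'][$dbname."1"] = $input1; }`. The placeholder names are derived from `$dbname`; if any key contains characters PDO does not accept in a named placeholder (a dot in a qualified column name, for instance), prepare will fail — worth confirming against the callers, since the keys are not visible in this hunk.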
@@ -99,17 +110,19 @@ class Application_Model_Datatables
             }
             $outerCond = array();
+            $simpleWhere = array();
             foreach ($searchTerms as $term) {
                 $innerCond = array();
                 foreach ($searchCols as $col) {
-                    $escapedTerm = pg_escape_string($term);
-                    $innerCond[] = "{$col}::text ILIKE '%{$escapedTerm}%'";
+                    $simpleWhere['clause']["simple_".$col] = "{$col}::text ILIKE :simple_".$col;
+                    $simpleWhere['params']["simple_".$col] = "%".$term."%";
                 }
-                $outerCond[] = "(".join(" OR ", $innerCond).")";
+                $outerCond[] = "(".implode(" OR ", $simpleWhere['clause']).")";
             }
-            $where[] = "(".join(" AND ", $outerCond).")";
+            $where[] = "(" .implode(" AND ", $outerCond). ")";
+            $params = array_merge($params, $simpleWhere['params']);
         }
         // End Where clause
@@ -124,8 +137,10 @@ class Application_Model_Datatables
         // End Order By clause
         $displayLength = intval($data["iDisplayLength"]);
+        $needToBind = false;
         if (count($where) > 0) {
-            $where = join(" AND ", $where);
+            $needToBind = true;
+            $where = join(" OR ", $where);
             $sql = $selectorCount." FROM ".$fromTable." WHERE ".$where;
             $sqlTotalDisplayRows = $sql;
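Review bot: The simple-search rewrite keys both the clause and the parameter by column only (`"simple_".$col`), so with more than one search term each term overwrites the previous one's clause and bound value; `$outerCond` then receives the same last-term condition once per term and only the last term is actually searched, where the old code ANDed every term. Each (term, column) pair needs its own placeholder, and `$innerCond`, which the hunk leaves allocated but no longer fills, can carry the per-term OR group as before. `$simpleWhere['params']` is also never initialised before the loop, so if `$searchTerms` can be empty the `array_merge` receives null — I cannot see how `$searchTerms` is built, so treat that as something to confirm. The enclosing method continues outside this hunk.

```php
            foreach ($searchTerms as $i => $term) {
                $innerCond = array();
                foreach ($searchCols as $col) {
                    $placeholder = "simple_{$i}_{$col}";
                    $innerCond[] = "{$col}::text ILIKE :{$placeholder}";
                    $params[$placeholder] = "%".$term."%";
                }
                $outerCond[] = "(".implode(" OR ", $innerCond).")";
            }
            // … unchanged: $where[] append …
```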
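Review bot: `$where = join(" OR ", $where);` replaces the previous `join(" AND ", $where)`, which changes the query semantics: the advanced per-column filters and the free-text search are now alternatives instead of both having to hold, so a row matching only the free-text box is returned even when it fails the column filters. Nothing else in the hunk depends on that operator, so unless the OR is intentional this looks like an accidental edit made while adding `$needToBind`; restore `$where = join(" AND ", $where);`. If it is intentional, a one-line comment saying why the two clause groups are ORed would save the next reader the same question.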
@@ -149,15 +164,41 @@ class Application_Model_Datatables
         $totalRows = $r->fetchColumn(0);
         if (isset($sqlTotalDisplayRows)) {
-            $r = $con->query($sqlTotalDisplayRows);
-            $totalDisplayRows = $r->fetchColumn(0);
+            $stmt = $con->prepare($sqlTotalDisplayRows);
+            foreach($params as $param=>&$value) {
+                $stmt->bindParam(":$param", $value);
+            }
+            if ($stmt->execute()) {
+                $totalDisplayRows = $stmt->fetchColumn(0);
+            } else {
+                $msg = implode(',', $stmt->errorInfo());
+                throw new Exception("Error: $msg");
+            }
         } else {
             $totalDisplayRows = $totalRows;
         }
-        $r = $con->query($sql);
-        $r->setFetchMode(PDO::FETCH_ASSOC);
-        $results = $r->fetchAll();
+        //TODO
+        if ($needToBind) {
+            $stmt = $con->prepare($sql);
+
+            foreach($params as $param=>&$value) {
+                $stmt->bindParam(":$param", $value);
+            }
+
+            if ($stmt->execute()) {
+                $stmt->setFetchMode(PDO::FETCH_ASSOC);
+                $results = $stmt->fetchAll();
+            } else {
+                $msg = implode(',', $stmt->errorInfo());
+                throw new Exception("Error: $msg");
+            }
+        } else {
+            $stmt = $con->query($sql);
+            $stmt->setFetchMode(PDO::FETCH_ASSOC);
+            $results = $stmt->fetchAll();
+        }
+
         // we need to go over all items and fix length for playlist
         // in case the playlist contains dynamic block
         foreach ($results as &$r) {
diff --git a/airtime_mvc/application/models/Preference.php b/airtime_mvc/application/models/Preference.php
index 16c9e44c7..3f0f54844 100644
--- a/airtime_mvc/application/models/Preference.php
+++ b/airtime_mvc/application/models/Preference.php
@@ -16,9 +16,6 @@ class Application_Model_Preference
             $id = $auth->getIdentity()->id;
         }
-        $key = pg_escape_string($key);
-        $value = pg_escape_string($value);
-
         //Check if key already exists
         $sql = "SELECT COUNT(*) FROM cc_pref"
             ." WHERE keystr = '$key'";
diff --git a/airtime_mvc/application/models/StreamSetting.php b/airtime_mvc/application/models/StreamSetting.php
index c17b1ef92..61a179d8a 100644
--- a/airtime_mvc/application/models/StreamSetting.php
+++ b/airtime_mvc/application/models/StreamSetting.php
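Review bot: Both binding loops iterate `$params` by reference (`foreach($params as $param=>&$value)`) and never `unset($value)` afterwards, so `$value` stays aliased to the last element of `$params` for the rest of the method — a later by-value loop or assignment to `$value` would silently overwrite that array entry. Since the values are not modified after binding there is no need for references at all; `foreach ($params as $param => $value) { $stmt->bindValue(":$param", $value); }` does the same job without the dangling alias, in both places. The bare `//TODO` above `if ($needToBind)` should say what is still pending or be dropped, and whether the `else { throw … }` branches are ever reached depends on the connection's PDO error mode, which is configured outside this file.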
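Review bot: This hunk removes `pg_escape_string` from `$key` and `$value` in Application_Model_Preference, but the context line right below it still interpolates the raw value: `." WHERE keystr = '$key'";` — unlike the StreamSetting changes in this same commit, nothing replaces the escaping with a bound parameter, so the query is now built from unescaped input. Either keep the two escape lines until this method is converted, or convert it now to the same `prepare`/`bindValue` pattern used in StreamSetting.php (`." WHERE keystr = :key"` plus `$stmt->bindValue(':key', $key)`), which also covers the UPDATE/INSERT that presumably follow `$value` outside this hunk. The enclosing method continues past the end of the hunk.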
@@ -3,50 +3,63 @@ class Application_Model_StreamSetting
 {
     public static function setValue($key, $value, $type)
     {
-        global $CC_CONFIG;
         $con = Propel::getConnection();
-        $key = pg_escape_string($key);
-        $value = pg_escape_string($value);
-
         // Check if key already exists
         $sql = "SELECT COUNT(*) FROM cc_stream_setting"
-            ." WHERE keyname = '$key'";
+            ." WHERE keyname = :key";
-        $result = $con->query($sql)->fetchColumn(0);
+        $stmt = $con->prepare($sql);
+        $stmt->bindParam(':key', $key);
+
+        if ($stmt->execute()) {
+            $result = $stmt->fetchColumn(0);
+        } else {
+            $msg = implode(',', $stmt->errorInfo());
+            throw new Exception("Error: $msg");
+        }
         if ($result == 1) {
             $sql = "UPDATE cc_stream_setting"
-                ." SET value = '$value', type='$type'"
-                ." WHERE keyname = '$key'";
+                ." SET value = :value, type = :type"
+                ." WHERE keyname = :key";
         } else {
             $sql = "INSERT INTO cc_stream_setting (keyname, value, type)"
-                ." VALUES ('$key', '$value', '$type')";
+                ." VALUES (:key, :value, :type)";
         }
-        return $con->exec($sql);
+        $stmt = $con->prepare($sql);
+        $stmt->bindParam(':key', $key);
+        $stmt->bindParam(':value', $value);
+        $stmt->bindParam(':type', $type);
+
+        if ($stmt->execute()) {
+            //do nothing
+        } else {
+            $msg = implode(',', $stmt->errorInfo());
+            throw new Exception("Error: $msg");
+        }
     }
     public static function getValue($key)
     {
-        global $CC_CONFIG;
         $con = Propel::getConnection();
-
+
         //Check if key already exists
-        $sql = "SELECT COUNT(*) FROM cc_stream_setting"
-            ." WHERE keyname = '$key'";
-        $result = $con->query($sql)->fetchColumn(0);
+        $sql = "SELECT value FROM cc_stream_setting"
+            ." WHERE keyname = :key";
-        if ($result == 0) {
-            return "";
+        $stmt = $con->prepare($sql);
+        $stmt->bindParam(':key', $key);
+
+        if ($stmt->execute()) {
+            $result = $stmt->fetchColumn(0);
         } else {
-            $sql = "SELECT value FROM cc_stream_setting"
-                ." WHERE keyname = '$key'";
-
-            $result = $con->query($sql)->fetchColumn(0);
-
-            return ($result !== false) ? $result : null;
+            $msg = implode(',', $stmt->errorInfo());
+            throw new Exception("Error: $msg");
         }
+
+        return $result ? $result : "";
     }
     /* Returns the id's of all streams that are enabled in an array. An
@@ -95,9 +108,18 @@ class Application_Model_StreamSetting
         $con = Propel::getConnection();
         $sql = "SELECT * "
                ."FROM cc_stream_setting "
-               ."WHERE keyname LIKE '${p_streamId}_%'";
+               ."WHERE keyname LIKE :stream_id";
+
+        $stmt = $con->prepare($sql);
+        $stmt->bindParam(':stream_id', "${p_streamId}_%");
+
+        if ($stmt->execute()) {
+            $rows = $stmt->fetchAll();
+        } else {
+            $msg = implode(',', $stmt->errorInfo());
+            throw new Exception("Error: $msg");
+        }
-        $rows = $con->query($sql)->fetchAll();
         $data = array();
         foreach ($rows as $row) {
@@ -197,21 +219,6 @@ class Application_Model_StreamSetting
         }
     }
-    /*
-     * Sets indivisual stream setting.
-     *
-     * $data - data array. $data is [].
-     */
-    public static function setIndivisualStreamSetting($data)
-    {
-        $con = Propel::getConnection();
-
-        foreach ($data as $keyname => $v) {
-            $sql = "UPDATE cc_stream_setting SET value='$v' WHERE keyname='$keyname'";
-            $con->exec($sql);
-        }
-    }
-
     /*
      * Stores liquidsoap status if $boot_time > save time.
      * save time is the time that user clicked save on stream setting page
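Review bot: getValue's new `return $result ? $result : "";` tests truthiness, so a stored value of `"0"` now comes back as `""`, and the old distinction between "key absent" (`""`) and "value present" is collapsed through a loose check; `return ($result !== false) ? $result : "";` keeps the fix's intent (empty string for a missing key) without dropping falsy-but-valid strings. setValue also no longer returns anything where it used to return `$con->exec($sql)` — fine if no caller uses the count, but worth confirming. The `if ($stmt->execute()) { //do nothing } else { … throw … }` shape here, and again in the @@ -224 hunk below, reads more naturally as `if (!$stmt->execute()) { … throw … }`.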
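Review bot: `$stmt->bindParam(':stream_id', "${p_streamId}_%");` passes a string expression to a by-reference parameter — PDOStatement::bindParam binds a variable by reference, so a literal here raises an error at runtime rather than binding. Use the by-value form, `$stmt->bindValue(':stream_id', "{$p_streamId}_%");`, or assign the pattern to a local variable first. The `_` in the pattern is a LIKE single-character wildcard, as it already was before this change; not introduced here, but still worth a comment if the match is meant to be literal.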
@@ -224,17 +231,37 @@ class Application_Model_StreamSetting
         if ($boot_time == null || $boot_time > $update_time) {
             $keyname = "s".$stream_id."_liquidsoap_error";
             $sql = "SELECT COUNT(*) FROM cc_stream_setting"
-                ." WHERE keyname = '$keyname'";
-            $result = $con->query($sql)->fetchColumn(0);
+                ." WHERE keyname = :keyname";
+
+            $stmt = $con->prepare($sql);
+            $stmt->bindParam(':keyname', $keyname);
+
+            if ($stmt->execute()) {
+                $result= $stmt->fetchColumn(0);
+            } else {
+                $msg = implode(',', $stmt->errorInfo());
+                throw new Exception("Error: $msg");
+            }
+
             if ($result == 1) {
                 $sql = "UPDATE cc_stream_setting"
-                    ." SET value = '$msg'"
-                    ." WHERE keyname = '$keyname'";
+                    ." SET value = :msg"
+                    ." WHERE keyname = :keyname";
             } else {
                 $sql = "INSERT INTO cc_stream_setting (keyname, value, type)"
-                    ." VALUES ('$keyname', '$msg', 'string')";
+                    ." VALUES (:keyname, :msg, 'string')";
+            }
+
+            $stmt = $con->prepare($sql);
+            $stmt->bindParam(':keyname', $keyname);
+            $stmt->bindParam(':msg', $msg);
+
+            if ($stmt->execute()) {
+                //do nothing
+            } else {
+                $msg = implode(',', $stmt->errorInfo());
+                throw new Exception("Error: $msg");
             }
-            $res = $con->exec($sql);
         }
     }
@@ -244,8 +271,17 @@ class Application_Model_StreamSetting
         $keyname = "s".$stream_id."_liquidsoap_error";
         $sql = "SELECT value FROM cc_stream_setting"
-            ." WHERE keyname = '$keyname'";
-        $result = $con->query($sql)->fetchColumn(0);
+            ." WHERE keyname = :keyname";
+
+        $stmt = $con->prepare($sql);
+        $stmt->bindParam(':keyname', $keyname);
+
+        if ($stmt->execute()) {
+            $result= $stmt->fetchColumn(0);
+        } else {
+            $msg = implode(',', $stmt->errorInfo());
+            throw new Exception("Error: $msg");
+        }
         return ($result !== false) ? $result : null;
     }
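Review bot: In the liquidsoap-error setter, `$msg` is the value being stored (it is bound with `$stmt->bindParam(':msg', $msg)`), yet both failure branches reuse the same name for the PDO error text, `$msg = implode(',', $stmt->errorInfo());`, overwriting the argument before throwing; harmless today because the throw follows immediately, but it makes the bound-by-reference `$msg` easy to misread. Naming the diagnostic differently, e.g. `$err = implode(',', $stmt->errorInfo()); throw new Exception("Error: $err");`, keeps the stored value and the error text apart. `$result= $stmt->fetchColumn(0);` in both hunks is missing the space before `=` that the rest of the file uses.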
@@ -256,15 +292,19 @@ class Application_Model_StreamSetting
         $keyname = "s" . $stream_id . "_enable";
         $sql = "SELECT value FROM cc_stream_setting"
-            ." WHERE keyname = '$keyname'";
-        $result = $con->query($sql)->fetchColumn(0);
-        if ($result == 'false') {
-            $result = false;
+            ." WHERE keyname = :keyname";
+
+        $stmt = $con->prepare($sql);
+        $stmt->bindParam(':keyname', $keyname);
+
+        if ($stmt->execute()) {
+            $result= $stmt->fetchColumn(0);
         } else {
-            $result = true;
+            $msg = implode(',', $stmt->errorInfo());
+            throw new Exception("Error: $msg");
         }
-        return $result;
+        return ($result != 'false');
     }
     /*
@@ -279,13 +319,22 @@ class Application_Model_StreamSetting
         $enabled_stream = self::getEnabledStreamIds();
         foreach ($enabled_stream as $stream) {
-            $keys = "'".$stream."_output', "."'".$stream."_type', "."'"
-                .$stream."_bitrate', "."'".$stream."_host'";
+            $keys = array("{$stream}_output", "{$stream}_type", "{$stream}_bitrate", "{$stream}_host");
+            $key_csv = implode(',', $keys);
             $sql = "SELECT keyname, value FROM cc_stream_setting"
-                ." WHERE keyname IN ($keys)";
+                ." WHERE keyname IN (:key_csv)";
+
+            $stmt = $con->prepare($sql);
+            $stmt->bindParam(':key_csv', $key_csv);
+
+            if ($stmt->execute()) {
+                $rows = $stmt->fetchAll();
+            } else {
+                $msg = implode(',', $stmt->errorInfo());
+                throw new Exception("Error: $msg");
+            }
-            $rows = $con->query($sql)->fetchAll();
             $info = array();
             foreach ($rows as $r) {
                 $temp = explode("_", $r['keyname']);
diff --git a/dev_tools/release/release.sh b/dev_tools/release/release.sh
index 4b44b0686..4ca00c19e 100755
--- a/dev_tools/release/release.sh
+++ b/dev_tools/release/release.sh
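Review bot: `return ($result != 'false');` uses a loose comparison; with `$result` being either a string from fetchColumn or `false` when no row exists, `!==` gives exactly the same answers here and makes that explicit: `return ($result !== 'false');`. Note the missing-row case still reports the stream as enabled (`false !== 'false'` is true), which is unchanged from the old code but is worth a one-line comment above the return, since a reader is likely to assume an absent `_enable` key means disabled.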
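Review bot: `WHERE keyname IN (:key_csv)` bound to `implode(',', $keys)` does not expand into a list — a bound parameter is a single value, so the query compares `keyname` against the one literal string `"s1_output,s1_type,…"` and matches nothing, leaving `$info` empty for every stream. Each key needs its own placeholder; since the key list is fixed at four entries, positional placeholders with the values passed straight to `execute()` is the smallest change, and `$key_csv` goes away. The enclosing method continues outside the hunk.

```php
            $keys = array("{$stream}_output", "{$stream}_type", "{$stream}_bitrate", "{$stream}_host");
            $placeholders = implode(',', array_fill(0, count($keys), '?'));
            $sql = "SELECT keyname, value FROM cc_stream_setting"
                ." WHERE keyname IN ($placeholders)";

            $stmt = $con->prepare($sql);
            if ($stmt->execute($keys)) {
                $rows = $stmt->fetchAll();
            } else {
                // … unchanged: errorInfo / throw …
            }
```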
@@ -35,15 +35,10 @@ cd $target
 echo "Checking out tag airtime-${suffix}"
 git checkout airtime-${suffix}
-git submodule init
-git submodule update
-cd python_apps/pypo/liquidsoap_bin/
-git checkout master
-git pull origin master
 cd $target
-rm -rf .git .gitignore .gitmodules .zfproject.xml dev_tools/ audio_samples/ python_apps/pypo/liquidsoap_bin/.git
+rm -rf .git .gitignore .gitmodules .zfproject.xml dev_tools/ audio_samples/
 #echo "Minimizing Airtime Javascript files..."
 #cd $dir