From 92c7c9c951cfcbaa91ac18b2bdb3003017684a12 Mon Sep 17 00:00:00 2001 From: Martin Konecny Date: Thu, 9 May 2013 13:28:26 -0400 Subject: [PATCH 1/8] should constants instead of literals - only in function for now... --- airtime_mvc/application/common/Database.php | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/airtime_mvc/application/common/Database.php b/airtime_mvc/application/common/Database.php index bb9557474..b314fea0d 100644 --- a/airtime_mvc/application/common/Database.php +++ b/airtime_mvc/application/common/Database.php @@ -1,6 +1,11 @@ execute()) { - if ($type == 'single') { + if ($type == self::SINGLE) { $rows = $stmt->fetch($fetchType); - } else if ($type == 'column'){ + } else if ($type == self::COLUMN){ $rows = $stmt->fetchColumn(); - } else if ($type == 'all') { + } else if ($type == self::ALL) { $rows = $stmt->fetchAll($fetchType); - } else if ($type == 'execute') { + } else if ($type == self::EXECUTE) { $rows = null; } else { $msg = "bad type passed: type($type)"; From 21df9013ee8dced23fa11c3d70672f63832d1052 Mon Sep 17 00:00:00 2001 From: Martin Konecny Date: Thu, 9 May 2013 14:43:59 -0400 Subject: [PATCH 2/8] CC-5121: fix some SQL statements not being escaped/prepared --- airtime_mvc/application/common/Database.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/airtime_mvc/application/common/Database.php b/airtime_mvc/application/common/Database.php index b314fea0d..67c676567 100644 --- a/airtime_mvc/application/common/Database.php +++ b/airtime_mvc/application/common/Database.php 
@@ -5,9 +5,13 @@ class Application_Common_Database const COLUMN = 'column'; const ALL = 'all'; const EXECUTE = 'execute'; + const ROW_COUNT = 'row_count'; - public static function prepareAndExecute($sql, array $paramValueMap, - $type='all', $fetchType=PDO::FETCH_ASSOC, $con=null) + public static function prepareAndExecute($sql, + array $paramValueMap = array(), + $type=self::ALL, + $fetchType=PDO::FETCH_ASSOC, + $con=null) { if (is_null($con)) { $con = Propel::getConnection(); @@ -26,6 +30,8 @@ class Application_Common_Database $rows = $stmt->fetchAll($fetchType); } else if ($type == self::EXECUTE) { $rows = null; + } else if ($type == self::ROW_COUNT) { + $rows = $stmt->rowCount(); } else { $msg = "bad type passed: type($type)"; throw new Exception("Error: $msg"); From 9c05511613272b0ad9a13128705f553be1fa7e2a Mon Sep 17 00:00:00 2001 From: Martin Konecny Date: Thu, 9 May 2013 15:08:47 -0400 Subject: [PATCH 3/8] CC-5121: fix some SQL statements not being escaped/prepared --- airtime_mvc/application/models/Schedule.php | 14 +-- airtime_mvc/application/models/Show.php | 86 ++++++++++++------- .../application/models/StreamSetting.php | 9 +- airtime_mvc/application/models/Subjects.php | 17 ++-- 4 files changed, 77 insertions(+), 49 deletions(-) diff --git a/airtime_mvc/application/models/Schedule.php b/airtime_mvc/application/models/Schedule.php index b6cb20600..357141c08 100644 --- a/airtime_mvc/application/models/Schedule.php +++ b/airtime_mvc/application/models/Schedule.php @@ -418,7 +418,6 @@ SQL; public static function UpdateMediaPlayedStatus($p_id) { - $con = Propel::getConnection(); $sql = "UPDATE cc_schedule" ." SET media_item_played=TRUE"; // we need to update 'broadcasted' column as well 
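Review bot: The added `else if ($type == self::ROW_COUNT)` extends a chain of loose `==` comparisons on `$type`; now that every caller is expected to pass one of the class constants, a `switch ($type)` over `self::SINGLE`, `self::COLUMN`, `self::ALL`, `self::EXECUTE` and `self::ROW_COUNT`, keeping the existing `default` that throws, would read more clearly and still reject unknown types. A short docblock on prepareAndExecute listing the accepted `$type` values and stating that `EXECUTE` returns `null` while `ROW_COUNT` returns `$stmt->rowCount()` would help the call sites converted later in this series pick the right mode. The method body is cut at both ends of the second hunk.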
@@ -431,11 +430,11 @@ SQL; $sql .= ", broadcasted=1"; } - $sql .= " WHERE id=$p_id"; + $sql .= " WHERE id=:pid"; + $map = array(":pid" => $p_id); - $retVal = $con->exec($sql); - - return $retVal; + Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); } public static function UpdateBrodcastedStatus($dateTime, $value) @@ -952,8 +951,9 @@ SQL; public static function deleteAll() { - $con = Propel::getConnection(); - $con->exec("TRUNCATE TABLE cc_schedule"); + $sql = "TRUNCATE TABLE cc_schedule"; + Application_Common_Database::prepareAndExecute($sql, array(), + Application_Common_Database::EXECUTE); } public static function deleteWithFileId($fileId) diff --git a/airtime_mvc/application/models/Show.php b/airtime_mvc/application/models/Show.php index 3aa5528bd..e7cf0c1e7 100644 --- a/airtime_mvc/application/models/Show.php +++ b/airtime_mvc/application/models/Show.php @@ -602,8 +602,6 @@ SQL; Application_Common_Database::prepareAndExecute( $sql, array( ':showId' => $this->getId(), ':timestamp' => gmdate("Y-m-d H:i:s")), 'execute'); - - $con->exec($sql); } /** @@ -617,8 +615,6 @@ SQL; */ public function removeAllInstancesFromDate($p_date=null) { - $con = Propel::getConnection(); - $timestamp = gmdate("Y-m-d H:i:s"); if (is_null($p_date)) { @@ -628,12 +624,16 @@ SQL; $showId = $this->getId(); $sql = "DELETE FROM cc_show_instances " - ." WHERE date(starts) >= DATE '$p_date'" - ." AND starts > TIMESTAMP '$timestamp'" - ." AND show_id = $showId"; + ." WHERE date(starts) >= :date::date" + ." AND starts > :timestamp::timestamp" + ." AND show_id = :showId"; - $con->exec($sql); + $map = array(":date"=>$p_date, + ':timestamp'=>$timestamp, + ':showId'=>$showId); + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); } /** 
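Review bot: UpdateMediaPlayedStatus silently stops returning a value: the removed `$con->exec($sql)` yielded the affected-row count and was returned as `$retVal`, whereas the replacement runs in `Application_Common_Database::EXECUTE` mode, whose branch produces `null`, and the result is discarded. Any caller that inspects the old return value now sees `null`. The `ROW_COUNT` mode added earlier in this series preserves the contract: `return Application_Common_Database::prepareAndExecute($sql, $map, Application_Common_Database::ROW_COUNT);`. The method body starts in the preceding hunk.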
@@ -650,17 +650,20 @@ SQL; */ public function removeAllInstancesBeforeDate($p_date) { - $con = Propel::getConnection(); - $timestamp = gmdate("Y-m-d H:i:s"); $showId = $this->getId(); $sql = "DELETE FROM cc_show_instances " - ." WHERE date(starts) < DATE '$p_date'" - ." AND starts > TIMESTAMP '$timestamp'" - ." AND show_id = $showId"; + ." WHERE date(starts) < :date::date" + ." AND starts > :timestamp::timestamp" + ." AND show_id = :showId"; - $con->exec($sql); + $map = array(":date"=>$p_date, + ":timestamp"=>$timestamp, + ":showId"=>$showId); + + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); } public function getNextFutureRepeatShowTime() 
@@ -870,43 +873,62 @@ SQL; private function updateStartDateTime($p_data, $p_endDate) { - //need to update cc_schedule, cc_show_instances, cc_show_days - $con = Propel::getConnection(); - $date = new Application_Common_DateHelper; $timestamp = $date->getTimestamp(); //TODO fix this from overwriting info. $sql = "UPDATE cc_show_days " - ."SET start_time = TIME '$p_data[add_show_start_time]', " - ."first_show = DATE '$p_data[add_show_start_date]', "; + ."SET start_time = :start_time::time, " + ."first_show = :start_date::date, "; if (strlen ($p_endDate) == 0) { $sql .= "last_show = NULL "; } else { - $sql .= "last_show = DATE '$p_endDate' "; + $sql .= "last_show = :end_date::date"; } - $sql .= "WHERE show_id = $p_data[add_show_id]"; - $con->exec($sql); + $sql .= "WHERE show_id = :show_id"; + + $map = array(":start_time" => $p_data['add_show_start_time'], + ':start_date' => $p_data['add_show_start_date'], + ':end_date' => $p_endDate, + ':show_id' => $p_data['add_show_id'], + ); + + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); $dtOld = new DateTime($this->getStartDate()." ".$this->getStartTime(), new DateTimeZone("UTC")); - $dtNew = new DateTime($p_data['add_show_start_date']." ".$p_data['add_show_start_time'], new DateTimeZone(date_default_timezone_get())); + $dtNew = new DateTime($p_data['add_show_start_date']." 
".$p_data['add_show_start_time'], + new DateTimeZone(date_default_timezone_get())); $diff = $dtOld->getTimestamp() - $dtNew->getTimestamp(); $sql = "UPDATE cc_show_instances " - ."SET starts = starts + INTERVAL '$diff sec', " - ."ends = ends + INTERVAL '$diff sec' " - ."WHERE show_id = $p_data[add_show_id] " - ."AND starts > TIMESTAMP '$timestamp'"; - $con->exec($sql); + ."SET starts = starts + :diff1::interval, " + ."ends = ends + :diff2::interval " + ."WHERE show_id = :show_id " + ."AND starts > :timestamp::timestamp"; + $map = array( + ":diff1"=>"$diff sec", + ":diff2"=>"$diff sec", + ":show_id"=>$p_data['add_show_id'], + ":timestamp"=>$timestamp, + ); + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); $showInstanceIds = $this->getAllFutureInstanceIds(); if (count($showInstanceIds) > 0 && $diff != 0) { $showIdsImploded = implode(",", $showInstanceIds); $sql = "UPDATE cc_schedule " - ."SET starts = starts + INTERVAL '$diff sec', " - ."ends = ends + INTERVAL '$diff sec' " - ."WHERE instance_id IN ($showIdsImploded)"; - $con->exec($sql); + ."SET starts = starts + :diff1::interval, " + ."ends = ends + :diff2::interval " + ."WHERE instance_id IN (:show_ids)"; + $map = array( + ":diff1"=>"$diff sec", + ":diff2"=>"$diff sec", + ":show_ids"=>$showIdsImploded, + ); + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); } } diff --git a/airtime_mvc/application/models/StreamSetting.php b/airtime_mvc/application/models/StreamSetting.php index 58c8fb496..1cc2eae3c 100644 --- a/airtime_mvc/application/models/StreamSetting.php +++ b/airtime_mvc/application/models/StreamSetting.php 
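Review bot: `WHERE instance_id IN (:show_ids)` binds the whole comma-joined `$showIdsImploded` as a single value, so the final UPDATE compares `instance_id` with one string such as `'12,13'` rather than a list of ids; on PostgreSQL that fails with a type error unless exactly one id is present, and in no case shifts every future instance as the removed literal did. Two more problems in the same hunk: `last_show = :end_date::date` lost the trailing space the old literal had, so it is concatenated straight into `WHERE show_id`, and when `$p_endDate` is empty `:end_date` remains in `$map` while absent from the SQL, which PDO rejects as a parameter-count mismatch. Build one placeholder per id, bind `:end_date` only when it is used, and drop the never-read `$res` assignments.
```php
        $sql = "UPDATE cc_show_days "
            ."SET start_time = :start_time::time, "
            ."first_show = :start_date::date, ";
        $map = array(":start_time" => $p_data['add_show_start_time'],
                     ':start_date' => $p_data['add_show_start_date'],
                     ':show_id'    => $p_data['add_show_id'],
        );
        if (strlen ($p_endDate) == 0) {
            $sql .= "last_show = NULL ";
        } else {
            $sql .= "last_show = :end_date::date ";
            $map[':end_date'] = $p_endDate;
        }
        $sql .= "WHERE show_id = :show_id";
        Application_Common_Database::prepareAndExecute($sql, $map,
            Application_Common_Database::EXECUTE);

        // … unchanged: $dtOld/$dtNew/$diff computation and the cc_show_instances UPDATE …

        $showInstanceIds = $this->getAllFutureInstanceIds();
        if (count($showInstanceIds) > 0 && $diff != 0) {
            // one named placeholder per id: a single bound value cannot expand into an IN list
            $placeholders = array();
            $map = array(":diff1"=>"$diff sec", ":diff2"=>"$diff sec");
            foreach (array_values($showInstanceIds) as $i => $instanceId) {
                $placeholders[] = ":id$i";
                $map[":id$i"] = $instanceId;
            }
            $sql = "UPDATE cc_schedule "
                ."SET starts = starts + :diff1::interval, "
                ."ends = ends + :diff2::interval "
                ."WHERE instance_id IN (".implode(",", $placeholders).")";
            Application_Common_Database::prepareAndExecute($sql, $map,
                Application_Common_Database::EXECUTE);
        }
```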
@@ -265,11 +265,12 @@ class Application_Model_StreamSetting */ public static function setIndividualStreamSetting($data) { - $con = Propel::getConnection(); - foreach ($data as $keyname => $v) { - $sql = "UPDATE cc_stream_setting SET value='$v' WHERE keyname='$keyname'"; - $con->exec($sql); + $sql = "UPDATE cc_stream_setting SET value=:v WHERE keyname=:keyname"; + $map = array(":v" => $v, ":keyname"=>$keyname); + + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); } } diff --git a/airtime_mvc/application/models/Subjects.php b/airtime_mvc/application/models/Subjects.php index 8977bcd12..cd220da88 100644 --- a/airtime_mvc/application/models/Subjects.php +++ b/airtime_mvc/application/models/Subjects.php @@ -20,20 +20,25 @@ class Application_Model_Subjects public static function increaseLoginAttempts($login) { - $con = Propel::getConnection(); $sql = "UPDATE cc_subjs SET login_attempts = login_attempts+1" - ." WHERE login='$login'"; - $res = $con->exec($sql); + ." WHERE login=:login"; + + $map = array(":login" => $login); + + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); return (intval($res) > 0); } public static function resetLoginAttempts($login) { - $con = Propel::getConnection(); $sql = "UPDATE cc_subjs SET login_attempts = '0'" - ." WHERE login='$login'"; - $res = $con->exec($sql); + ." WHERE login=:login"; + $map = array(":login" => $login); + + $res = Application_Common_Database::prepareAndExecute($sql, $map, + Application_Common_Database::EXECUTE); return true; } From 40eb51b8925118b56d2bc02f15f0c6355f83b1a9 Mon Sep 17 00:00:00 2001 
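Review bot: increaseLoginAttempts in the Subjects.php hunk now always returns false: it still evaluates `intval($res) > 0`, but in `Application_Common_Database::EXECUTE` mode the helper returns `null` where `$con->exec()` returned the affected-row count. Whatever the caller does with that flag (presumably deciding whether the login name exists) is therefore switched off by this change. The row-count mode added earlier in this series keeps the old result: `$res = Application_Common_Database::prepareAndExecute($sql, $map, Application_Common_Database::ROW_COUNT);`. resetLoginAttempts in the same hunk is unaffected because it returns `true` unconditionally, though its `$res` is now never read.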
From: denise Date: Thu, 9 May 2013 15:53:12 -0400 Subject: [PATCH 4/8] CC-5121: fix some SQL statements not being escaped/prepared --- airtime_mvc/application/models/LiveLog.php | 90 ++++++++++++------- airtime_mvc/application/models/Locale.php | 2 +- .../application/models/LoginAttempts.php | 27 +++--- airtime_mvc/application/models/Playlist.php | 10 +-- airtime_mvc/application/models/Show.php | 3 +- airtime_mvc/application/models/StoredFile.php | 16 ++-- airtime_mvc/application/models/User.php | 4 +- 7 files changed, 87 insertions(+), 65 deletions(-) diff --git a/airtime_mvc/application/models/LiveLog.php b/airtime_mvc/application/models/LiveLog.php index fd95e4ff6..d8b5e58fd 100644 --- a/airtime_mvc/application/models/LiveLog.php +++ b/airtime_mvc/application/models/LiveLog.php @@ -6,14 +6,13 @@ class Application_Model_LiveLog public static function GetLiveShowDuration($p_keepData=false) { try { - $con = Propel::getConnection(); $sql = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'L'" + ." WHERE state = :state" ." and (start_time >= (now() - INTERVAL '1 day'))" ." ORDER BY id"; - - $rows = $con->query($sql)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'L'), + Application_Common_Database::ALL); /* Check if last log has end time. * If not, set end time to current time 
@@ -24,17 +23,19 @@ class Application_Model_LiveLog $skip = false; } else { $sql = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'L'" + ." WHERE state = :state" ." ORDER BY id"; - $rows = $con->query($sql)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'L'), + Application_Common_Database::ALL); if ($rows != null) { $last_row = self::UpdateLastLogEndTime(array_pop($rows)); array_push($rows, $last_row); foreach ($rows as $row) { $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } $skip = true; @@ -80,8 +81,9 @@ class Application_Model_LiveLog if (!$p_keepData) { // Delete data we just used to start a new log history $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } //Trim milliseconds @@ -104,14 +106,14 @@ class Application_Model_LiveLog public static function GetScheduledDuration($p_keepData=false) { try { - $con = Propel::getConnection(); $sql_get_logs = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'S'" + ." WHERE state = :state" ." and (start_time >= (now() - INTERVAL '1 day'))" ." ORDER BY id"; - $rows = $con->query($sql_get_logs)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql_get_logs, array(':state'=>'S'), + Application_Common_Database::ALL); /* Check if last log has end time. * If not, set end time to current time 
@@ -122,17 +124,19 @@ class Application_Model_LiveLog $skip = false; } else { $sql = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'S'" + ." WHERE state = :state" ." ORDER BY id"; - $rows = $con->query($sql)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'S'), + Application_Common_Database::ALL); if ($rows != null) { $last_row = self::UpdateLastLogEndTime(array_pop($rows)); array_push($rows, $last_row); foreach ($rows as $row) { $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } $skip = true; @@ -148,11 +152,17 @@ class Application_Model_LiveLog */ foreach ($rows as $row) { $sql_get_tracks = "SELECT * FROM cc_schedule" - ." WHERE starts >= '{$row['start_time']}'" - ." AND starts < '{$row['end_time']}'" + ." WHERE starts >= :starts1" + ." AND starts < :starts2" ." AND file_id IS NOT NULL" ." AND media_item_played IS TRUE"; - $tracks = $con->query($sql_get_tracks)->fetchAll(); + $params = array( + ':starts1'=>$row['start_time'], + ':starts2'=>$row['end_time'] + ); + $tracks = Application_Common_Database::prepareAndExecute($sql_get_tracks, $params, + Application_Common_Database::ALL); + foreach ($tracks as $track) { if ($track['ends'] > $row['end_time']) { $scheduled_ends = new DateTime($row['end_time']); @@ -237,8 +247,9 @@ class Application_Model_LiveLog if (!$p_keepData) { //Delete row because we do not need data anymore $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } 
@@ -275,7 +286,6 @@ class Application_Model_LiveLog public static function SetNewLogTime($state, $dateTime) { try { - $con = Propel::getConnection(); $scheduled = Application_Model_Preference::GetSourceSwitchStatus('scheduled_play'); if ($state == 'L' && $scheduled == 'on') { @@ -286,13 +296,23 @@ class Application_Model_LiveLog * has ended */ $sql_select = "SELECT max(id) from CC_LIVE_LOG" - ." WHERE (state='L' and end_time is NULL) or (state='S' and end_time is NULL)"; - $id = $con->query($sql_select)->fetchColumn(0); + ." WHERE (state= :state1 and end_time is NULL) or (state= :state2 and end_time is NULL)"; + $params = array( + ":state1"=> 'L', + ":state2"=> 'S' + ); + $id = Application_Common_Database::prepareAndExecute($sql_select, $params, + Application_Common_Database::COLUMN); if ($id == null) { $sql_insert = "INSERT INTO CC_LIVE_LOG (state, start_time)" - ." VALUES ('$state', '{$dateTime->format("Y-m-d H:i:s")}')"; - $con->exec($sql_insert); + ." VALUES (:state, :start)"; + $params = array( + ':state'=>$state, + ':start'=>$dateTime->format("Y-m-d H:i:s") + ); + Application_Common_Database::prepareAndExecute($sql_insert, $params, + Application_Common_Database::EXECUTE); if ($state == "S") { // if scheduled play source is getting broadcasted Application_Model_Schedule::UpdateBrodcastedStatus($dateTime, 1); 
@@ -309,24 +329,28 @@ class Application_Model_LiveLog public static function SetEndTime($state, $dateTime, $override=false) { try { - $con = Propel::getConnection(); - $dj_live = Application_Model_Preference::GetSourceSwitchStatus('live_dj'); $master_live = Application_Model_Preference::GetSourceSwitchStatus('master_dj'); if (($dj_live=='off' && $master_live=='off') || $state == 'S' || $override) { $sql = "SELECT id, state from cc_live_log" ." where id in (select max(id) from cc_live_log)"; - $row = $con->query($sql)->fetch(); + $row = Application_Common_Database::prepareAndExecute($sql, array(), + Application_Common_Database::SINGLE); /* Only set end time if state recevied ($state) * is the last row in cc_live_log */ if ($row['state'] == $state) { $update_sql = "UPDATE CC_LIVE_LOG" - ." SET end_time = '{$dateTime->format("Y-m-d H:i:s")}'" - ." WHERE id = '{$row['id']}'"; - $con->exec($update_sql); + ." SET end_time = :end" + ." WHERE id = :id"; + $params = array( + ':end'=>$dateTime->format("Y-m-d H:i:s"), + ':id'=>$row['id'] + ); + Application_Common_Database::prepareAndExecute($update_sql, $params, + Application_Common_Database::EXECUTE); } //If live broadcasting is off, turn scheduled play on diff --git a/airtime_mvc/application/models/Locale.php b/airtime_mvc/application/models/Locale.php index de77b8c11..c07c9974c 100644 --- a/airtime_mvc/application/models/Locale.php +++ b/airtime_mvc/application/models/Locale.php @@ -6,7 +6,7 @@ class Application_Model_Locale { $con = Propel::getConnection(); $sql = "SELECT * FROM cc_locale"; - $res = $con->query($sql)->fetchAll(); + $res = Application_Common_Database::prepareAndExecute($sql); $out = array(); foreach ($res as $r) { $out[$r["locale_code"]] = $r["locale_lang"]; diff --git a/airtime_mvc/application/models/LoginAttempts.php b/airtime_mvc/application/models/LoginAttempts.php index 63cdce6b5..ecb4da5f9 100644 --- a/airtime_mvc/application/models/LoginAttempts.php 
+++ b/airtime_mvc/application/models/LoginAttempts.php 
@@ -7,35 +7,32 @@ class Application_Model_LoginAttempts public static function increaseAttempts($ip) { - $con = Propel::getConnection(); - $sql = "select count(*) from cc_login_attempts WHERE ip='$ip'"; - $res = $con->query($sql)->fetchColumn(0); + $sql = "select count(*) from cc_login_attempts WHERE ip= :ip"; + $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL); if ($res) { - $sql = "UPDATE cc_login_attempts SET attempts=attempts+1 WHERE ip='$ip'"; - $con->exec($sql); + $sql = "UPDATE cc_login_attempts SET attempts=attempts+1 WHERE ip= :ip"; + Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE); } else { - $sql = "INSERT INTO cc_login_attempts (ip, attempts) values ('$ip', '1')"; - $con->exec($sql); + $sql = "INSERT INTO cc_login_attempts (ip, attempts) values (':ip', '1')"; + Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE); } } public static function getAttempts($ip) { - $con = Propel::getConnection(); - $sql = "select attempts from cc_login_attempts WHERE ip='$ip'"; - $res = $con->query($sql)->fetchColumn(0); + $sql = "select attempts from cc_login_attempts WHERE ip= :ip"; + $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL); return $res ? 
$res : 0; } public static function resetAttempts($ip) { - $con = Propel::getConnection(); - $sql = "select count(*) from cc_login_attempts WHERE ip='$ip'"; - $res = $con->query($sql)->fetchColumn(0); + $sql = "select count(*) from cc_login_attempts WHERE ip= :ip"; + $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL); if ($res > 0) { - $sql = "DELETE FROM cc_login_attempts WHERE ip='$ip'"; - $con->exec($sql); + $sql = "DELETE FROM cc_login_attempts WHERE ip= :ip"; + Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE); } } } diff --git a/airtime_mvc/application/models/Playlist.php b/airtime_mvc/application/models/Playlist.php index 9d45f7daa..16e89c7d5 100644 --- a/airtime_mvc/application/models/Playlist.php +++ b/airtime_mvc/application/models/Playlist.php @@ -936,10 +936,10 @@ SQL; public static function getPlaylistCount() { - $con = Propel::getConnection(); $sql = 'SELECT count(*) as cnt FROM cc_playlist'; - return $con->query($sql)->fetchColumn(0); + return Application_Common_Database::prepareAndExecute($sql, array(), + Application_Common_Database::COLUMN); } /** @@ -1063,13 +1063,12 @@ SQL; public static function getAllPlaylistFiles() { - $con = Propel::getConnection(); $sql = <<query($sql)->fetchAll(); + $files = Application_Common_Database::prepareAndExecute($sql); $real_files = array(); foreach ($files as $f) { $real_files[] = $f['file_id']; @@ -1079,13 +1078,12 @@ SQL; public static function getAllPlaylistStreams() { - $con = Propel::getConnection(); $sql = <<query($sql)->fetchAll(); + $streams = Application_Common_Database::prepareAndExecute($sql); $real_streams = array(); foreach ($streams as $s) { $real_streams[] = $s['stream_id']; diff --git a/airtime_mvc/application/models/Show.php b/airtime_mvc/application/models/Show.php index 3aa5528bd..f097958d0 100644 --- a/airtime_mvc/application/models/Show.php 
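Review bot: The INSERT in increaseAttempts quotes its placeholder, `values (':ip', '1')`, so `:ip` is a string literal rather than a bound parameter while a `:ip` value is still supplied; PDO refuses to execute the statement, and a first failed login from a new address is never recorded. That branch is also hard to reach: the preceding `count(*)` query uses `Application_Common_Database::ALL`, which returns a one-row array that is truthy even when the count is 0, so the UPDATE path (matching no rows) is always taken; getAttempts has the same problem and returns that array instead of the number, so any caller comparing the result with a limit is comparing an array. Patch 5 of this series switches only resetAttempts to `COLUMN`; the other two queries need the same treatment, `values (:ip, '1')` and `Application_Common_Database::COLUMN` in increaseAttempts and getAttempts. Since this is the login throttling path, a test covering the first-attempt-from-new-address case would have caught both.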
+++ b/airtime_mvc/application/models/Show.php @@ -2199,12 +2199,11 @@ SQL; public static function getMaxLengths() { - $con = Propel::getConnection(); $sql = << 0 SQL; - $result = $con->query($sql)->fetchAll(); + $result = Application_Common_Database::prepareAndExecute($sql); $assocArray = array(); foreach ($result as $row) { $assocArray[$row['column_name']] = $row['character_maximum_length']; diff --git a/airtime_mvc/application/models/StoredFile.php b/airtime_mvc/application/models/StoredFile.php index 0b743e849..7dd74c62b 100644 --- a/airtime_mvc/application/models/StoredFile.php +++ b/airtime_mvc/application/models/StoredFile.php @@ -1063,9 +1063,9 @@ SQL; public static function getFileCount() { - $con = Propel::getConnection(); $sql = "SELECT count(*) as cnt FROM cc_files WHERE file_exists"; - return $con->query($sql)->fetchColumn(0); + return Application_Common_Database::prepareAndExecute($sql, array(), + Application_Common_Database::COLUMN); } /** @@ -1167,7 +1167,6 @@ SQL; public static function getSoundCloudUploads() { try { - $con = Propel::getConnection(); $sql = <<= (now() - (INTERVAL '1 day'))) SQL; - $rows = $con->query($sql)->fetchAll(); + $params = array( + ':id1' => -2, + ':id2' => -3 + ); + $rows = Application_Common_Database::prepareAndExecute($sql, $params, + Application_Common_Database::ALL); return count($rows); } catch (Exception $e) { @@ -1349,12 +1353,12 @@ SQL; public static function updatePastFilesIsScheduled() { - $con = Propel::getConnection(); $sql = <<query($sql)->fetchAll(); + $files = Application_Common_Database::prepareAndExecute($sql); + foreach ($files as $file) { if (!is_null($file['file_id'])) { self::setIsScheduled(null, false, $file['file_id']); diff --git a/airtime_mvc/application/models/User.php b/airtime_mvc/application/models/User.php index 97c9ca3ad..34e1fe0f6 100644 --- a/airtime_mvc/application/models/User.php +++ b/airtime_mvc/application/models/User.php 
@@ -297,10 +297,10 @@ class Application_Model_User public static function getUserCount() { - $con = Propel::getConnection(); $sql_gen = "SELECT count(*) AS cnt FROM cc_subjs"; - $query = $con->query($sql_gen)->fetchColumn(0); + $query = Application_Common_Database::prepareAndExecute($sql_gen, array(), + Application_Common_Database::COLUMN); return ($query !== false) ? $query : null; } From 8cd8d0922f217b3657ddcd61b918ad7c44efb846 Mon Sep 17 00:00:00 2001 From: denise Date: Thu, 9 May 2013 16:05:04 -0400 Subject: [PATCH 5/8] CC-5121: fix some SQL statements not being escaped/prepared --- airtime_mvc/application/models/LoginAttempts.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/airtime_mvc/application/models/LoginAttempts.php b/airtime_mvc/application/models/LoginAttempts.php index ecb4da5f9..3997bc1ab 100644 --- a/airtime_mvc/application/models/LoginAttempts.php +++ b/airtime_mvc/application/models/LoginAttempts.php @@ -29,7 +29,7 @@ class Application_Model_LoginAttempts public static function resetAttempts($ip) { $sql = "select count(*) from cc_login_attempts WHERE ip= :ip"; - $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL); + $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::COLUMN); if ($res > 0) { $sql = "DELETE FROM cc_login_attempts WHERE ip= :ip"; Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE); From afb24c37ab05b694b5dc01e5a155875f3ce4d13b Mon Sep 17 00:00:00 2001 From: denise Date: Thu, 9 May 2013 16:07:34 -0400 Subject: [PATCH 6/8] CC-5121: fix some SQL statements not being escaped/prepared --- airtime_mvc/application/models/StoredFile.php | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/airtime_mvc/application/models/StoredFile.php b/airtime_mvc/application/models/StoredFile.php index 7dd74c62b..0d186597c 100644 
--- a/airtime_mvc/application/models/StoredFile.php +++ b/airtime_mvc/application/models/StoredFile.php @@ -1177,12 +1177,7 @@ WHERE (id != -2 AND (soundcloud_upload_time >= (now() - (INTERVAL '1 day'))) SQL; - $params = array( - ':id1' => -2, - ':id2' => -3 - ); - $rows = Application_Common_Database::prepareAndExecute($sql, $params, - Application_Common_Database::ALL); + $rows = Application_Common_Database::prepareAndExecute($sql); return count($rows); } catch (Exception $e) { From 3948964e8d0c9c419938c91ba701dd01389a6c7f Mon Sep 17 00:00:00 2001 From: Martin Konecny Date: Thu, 9 May 2013 16:58:50 -0400 Subject: [PATCH 7/8] remove useless log --- airtime_mvc/application/models/StoredFile.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/airtime_mvc/application/models/StoredFile.php b/airtime_mvc/application/models/StoredFile.php index 0d186597c..4cfc7cb94 100644 --- a/airtime_mvc/application/models/StoredFile.php +++ b/airtime_mvc/application/models/StoredFile.php @@ -151,9 +151,6 @@ class Application_Model_StoredFile } $dbMd[constant($mdConst)] = $mdValue; - } else { - Logging::warn("using metadata that is not defined. - [$mdConst] => [$mdValue]"); } } $this->setDbColMetadata($dbMd); From f5fa0332078b9f17c1ac33f0c77335aab2147589 Mon Sep 17 00:00:00 2001 From: Martin Konecny Date: Thu, 9 May 2013 17:37:23 -0400 Subject: [PATCH 8/8] better flow in dispatchMetadata function --- airtime_mvc/application/controllers/ApiController.php | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/airtime_mvc/application/controllers/ApiController.php b/airtime_mvc/application/controllers/ApiController.php index 8c767c0e0..c7fbae673 100644 --- a/airtime_mvc/application/controllers/ApiController.php +++ b/airtime_mvc/application/controllers/ApiController.php 
@@ -520,8 +520,6 @@ class ApiController extends Zend_Controller_Action //File is not in database anymore. if (is_null($file)) { $return_hash['error'] = _("File does not exist in Airtime."); - - return $return_hash; } //Updating a metadata change. else { @@ -547,8 +545,6 @@ class ApiController extends Zend_Controller_Action $return_hash['error'] = _("File doesn't exist in Airtime."); Logging::warn("Attempt to delete file that doesn't exist. Path: '$filepath'"); - - return $return_hash; } else { $file->deleteByMediaMonitor(); } @@ -561,11 +557,11 @@ class ApiController extends Zend_Controller_Action $file->deleteByMediaMonitor(); } $return_hash['success'] = 1; - - return $return_hash; } - $return_hash['fileid'] = is_null($file) ? '-1' : $file->getId(); + if (!isset($return_hash['error'])) { + $return_hash['fileid'] = is_null($file) ? '-1' : $file->getId(); + } $con->commit(); } catch (Exception $e) { Logging::warn("rolling back");