From 40eb51b8925118b56d2bc02f15f0c6355f83b1a9 Mon Sep 17 00:00:00 2001 From: denise Date: Thu, 9 May 2013 15:53:12 -0400 Subject: [PATCH] CC-5121: fix some SQL statements not being escaped/prepared --- airtime_mvc/application/models/LiveLog.php | 90 ++++++++++++------- airtime_mvc/application/models/Locale.php | 2 +- .../application/models/LoginAttempts.php | 27 +++--- airtime_mvc/application/models/Playlist.php | 10 +-- airtime_mvc/application/models/Show.php | 3 +- airtime_mvc/application/models/StoredFile.php | 16 ++-- airtime_mvc/application/models/User.php | 4 +- 7 files changed, 87 insertions(+), 65 deletions(-) diff --git a/airtime_mvc/application/models/LiveLog.php b/airtime_mvc/application/models/LiveLog.php index fd95e4ff6..d8b5e58fd 100644 --- a/airtime_mvc/application/models/LiveLog.php +++ b/airtime_mvc/application/models/LiveLog.php @@ -6,14 +6,13 @@ class Application_Model_LiveLog public static function GetLiveShowDuration($p_keepData=false) { try { - $con = Propel::getConnection(); $sql = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'L'" + ." WHERE state = :state" ." and (start_time >= (now() - INTERVAL '1 day'))" ." ORDER BY id"; - - $rows = $con->query($sql)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'L'), + Application_Common_Database::ALL); /* Check if last log has end time. * If not, set end time to current time 
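Review bot: Dropping `$con = Propel::getConnection();` at the top of GetLiveShowDuration makes `$con` undefined for the rest of the function, and only the call sites this patch rewrote are visible here; the stretch between this hunk and the one at old line 80 is not shown, so any `$con->query` or `$con->exec` left there would now fail at runtime rather than at review. Worth a grep of LiveLog.php for remaining `$con->` uses before merging. GetLiveShowDuration's body runs past the end of this hunk.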
@@ -24,17 +23,19 @@ class Application_Model_LiveLog $skip = false; } else { $sql = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'L'" + ." WHERE state = :state" ." ORDER BY id"; - $rows = $con->query($sql)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'L'), + Application_Common_Database::ALL); if ($rows != null) { $last_row = self::UpdateLastLogEndTime(array_pop($rows)); array_push($rows, $last_row); foreach ($rows as $row) { $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } $skip = true; @@ -80,8 +81,9 @@ class Application_Model_LiveLog if (!$p_keepData) { // Delete data we just used to start a new log history $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } //Trim milliseconds @@ -104,14 +106,14 @@ class Application_Model_LiveLog public static function GetScheduledDuration($p_keepData=false) { try { - $con = Propel::getConnection(); $sql_get_logs = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'S'" + ." WHERE state = :state" ." and (start_time >= (now() - INTERVAL '1 day'))" ." ORDER BY id"; - $rows = $con->query($sql_get_logs)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql_get_logs, array(':state'=>'S'), + Application_Common_Database::ALL); /* Check if last log has end time. * If not, set end time to current time 
@@ -122,17 +124,19 @@ class Application_Model_LiveLog $skip = false; } else { $sql = "SELECT * FROM CC_LIVE_LOG" - ." WHERE state = 'S'" + ." WHERE state = :state" ." ORDER BY id"; - $rows = $con->query($sql)->fetchAll(); + $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'S'), + Application_Common_Database::ALL); if ($rows != null) { $last_row = self::UpdateLastLogEndTime(array_pop($rows)); array_push($rows, $last_row); foreach ($rows as $row) { $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } $skip = true; @@ -148,11 +152,17 @@ class Application_Model_LiveLog */ foreach ($rows as $row) { $sql_get_tracks = "SELECT * FROM cc_schedule" - ." WHERE starts >= '{$row['start_time']}'" - ." AND starts < '{$row['end_time']}'" + ." WHERE starts >= :starts1" + ." AND starts < :starts2" ." AND file_id IS NOT NULL" ." AND media_item_played IS TRUE"; - $tracks = $con->query($sql_get_tracks)->fetchAll(); + $params = array( + ':starts1'=>$row['start_time'], + ':starts2'=>$row['end_time'] + ); + $tracks = Application_Common_Database::prepareAndExecute($sql_get_tracks, $params, + Application_Common_Database::ALL); + foreach ($tracks as $track) { if ($track['ends'] > $row['end_time']) { $scheduled_ends = new DateTime($row['end_time']); @@ -237,8 +247,9 @@ class Application_Model_LiveLog if (!$p_keepData) { //Delete row because we do not need data anymore $sql_delete = "DELETE FROM CC_LIVE_LOG" - ." WHERE id = '{$row['id']}'"; - $con->exec($sql_delete); + ." WHERE id = :id"; + Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']), + Application_Common_Database::EXECUTE); } } 
@@ -275,7 +286,6 @@ class Application_Model_LiveLog public static function SetNewLogTime($state, $dateTime) { try { - $con = Propel::getConnection(); $scheduled = Application_Model_Preference::GetSourceSwitchStatus('scheduled_play'); if ($state == 'L' && $scheduled == 'on') { @@ -286,13 +296,23 @@ class Application_Model_LiveLog * has ended */ $sql_select = "SELECT max(id) from CC_LIVE_LOG" - ." WHERE (state='L' and end_time is NULL) or (state='S' and end_time is NULL)"; - $id = $con->query($sql_select)->fetchColumn(0); + ." WHERE (state= :state1 and end_time is NULL) or (state= :state2 and end_time is NULL)"; + $params = array( + ":state1"=> 'L', + ":state2"=> 'S' + ); + $id = Application_Common_Database::prepareAndExecute($sql_select, $params, + Application_Common_Database::COLUMN); if ($id == null) { $sql_insert = "INSERT INTO CC_LIVE_LOG (state, start_time)" - ." VALUES ('$state', '{$dateTime->format("Y-m-d H:i:s")}')"; - $con->exec($sql_insert); + ." VALUES (:state, :start)"; + $params = array( + ':state'=>$state, + ':start'=>$dateTime->format("Y-m-d H:i:s") + ); + Application_Common_Database::prepareAndExecute($sql_insert, $params, + Application_Common_Database::EXECUTE); if ($state == "S") { // if scheduled play source is getting broadcasted Application_Model_Schedule::UpdateBrodcastedStatus($dateTime, 1); 
@@ -309,24 +329,28 @@ class Application_Model_LiveLog public static function SetEndTime($state, $dateTime, $override=false) { try { - $con = Propel::getConnection(); - $dj_live = Application_Model_Preference::GetSourceSwitchStatus('live_dj'); $master_live = Application_Model_Preference::GetSourceSwitchStatus('master_dj'); if (($dj_live=='off' && $master_live=='off') || $state == 'S' || $override) { $sql = "SELECT id, state from cc_live_log" ." where id in (select max(id) from cc_live_log)"; - $row = $con->query($sql)->fetch(); + $row = Application_Common_Database::prepareAndExecute($sql, array(), + Application_Common_Database::SINGLE); /* Only set end time if state recevied ($state) * is the last row in cc_live_log */ if ($row['state'] == $state) { $update_sql = "UPDATE CC_LIVE_LOG" - ." SET end_time = '{$dateTime->format("Y-m-d H:i:s")}'" - ." WHERE id = '{$row['id']}'"; - $con->exec($update_sql); + ." SET end_time = :end" + ." WHERE id = :id"; + $params = array( + ':end'=>$dateTime->format("Y-m-d H:i:s"), + ':id'=>$row['id'] + ); + Application_Common_Database::prepareAndExecute($update_sql, $params, + Application_Common_Database::EXECUTE); } //If live broadcasting is off, turn scheduled play on diff --git a/airtime_mvc/application/models/Locale.php b/airtime_mvc/application/models/Locale.php index de77b8c11..c07c9974c 100644 --- a/airtime_mvc/application/models/Locale.php +++ b/airtime_mvc/application/models/Locale.php @@ -6,7 +6,7 @@ class Application_Model_Locale { $con = Propel::getConnection(); $sql = "SELECT * FROM cc_locale"; - $res = $con->query($sql)->fetchAll(); + $res = Application_Common_Database::prepareAndExecute($sql); $out = array(); foreach ($res as $r) { $out[$r["locale_code"]] = $r["locale_lang"]; diff --git a/airtime_mvc/application/models/LoginAttempts.php b/airtime_mvc/application/models/LoginAttempts.php index 63cdce6b5..ecb4da5f9 100644 --- a/airtime_mvc/application/models/LoginAttempts.php 
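Review bot: In the Locale.php hunk the context line `$con = Propel::getConnection();` is kept although nothing in the function touches it once the query goes through `Application_Common_Database::prepareAndExecute($sql)`; every other file in this patch removes that line together with the `$con->query` call, so it should be removed here as well. The enclosing function's header sits above the hunk and is not shown.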
+++ b/airtime_mvc/application/models/LoginAttempts.php 
@@ -7,35 +7,32 @@ class Application_Model_LoginAttempts public static function increaseAttempts($ip) { - $con = Propel::getConnection(); - $sql = "select count(*) from cc_login_attempts WHERE ip='$ip'"; - $res = $con->query($sql)->fetchColumn(0); + $sql = "select count(*) from cc_login_attempts WHERE ip= :ip"; + $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL); if ($res) { - $sql = "UPDATE cc_login_attempts SET attempts=attempts+1 WHERE ip='$ip'"; - $con->exec($sql); + $sql = "UPDATE cc_login_attempts SET attempts=attempts+1 WHERE ip= :ip"; + Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE); } else { - $sql = "INSERT INTO cc_login_attempts (ip, attempts) values ('$ip', '1')"; - $con->exec($sql); + $sql = "INSERT INTO cc_login_attempts (ip, attempts) values (':ip', '1')"; + Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE); } } public static function getAttempts($ip) { - $con = Propel::getConnection(); - $sql = "select attempts from cc_login_attempts WHERE ip='$ip'"; - $res = $con->query($sql)->fetchColumn(0); + $sql = "select attempts from cc_login_attempts WHERE ip= :ip"; + $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL); return $res ? 
$res : 0; } public static function resetAttempts($ip) { - $con = Propel::getConnection(); - $sql = "select count(*) from cc_login_attempts WHERE ip='$ip'"; - $res = $con->query($sql)->fetchColumn(0); + $sql = "select count(*) from cc_login_attempts WHERE ip= :ip"; + $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL); if ($res > 0) { - $sql = "DELETE FROM cc_login_attempts WHERE ip='$ip'"; - $con->exec($sql); + $sql = "DELETE FROM cc_login_attempts WHERE ip= :ip"; + Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE); } } } diff --git a/airtime_mvc/application/models/Playlist.php b/airtime_mvc/application/models/Playlist.php index 9d45f7daa..16e89c7d5 100644 --- a/airtime_mvc/application/models/Playlist.php +++ b/airtime_mvc/application/models/Playlist.php @@ -936,10 +936,10 @@ SQL; public static function getPlaylistCount() { - $con = Propel::getConnection(); $sql = 'SELECT count(*) as cnt FROM cc_playlist'; - return $con->query($sql)->fetchColumn(0); + return Application_Common_Database::prepareAndExecute($sql, array(), + Application_Common_Database::COLUMN); } /** @@ -1063,13 +1063,12 @@ SQL; public static function getAllPlaylistFiles() { - $con = Propel::getConnection(); $sql = <<query($sql)->fetchAll(); + $files = Application_Common_Database::prepareAndExecute($sql); $real_files = array(); foreach ($files as $f) { $real_files[] = $f['file_id']; @@ -1079,13 +1078,12 @@ SQL; public static function getAllPlaylistStreams() { - $con = Propel::getConnection(); $sql = <<query($sql)->fetchAll(); + $streams = Application_Common_Database::prepareAndExecute($sql); $real_streams = array(); foreach ($streams as $s) { $real_streams[] = $s['stream_id']; diff --git a/airtime_mvc/application/models/Show.php b/airtime_mvc/application/models/Show.php index 3aa5528bd..f097958d0 100644 --- a/airtime_mvc/application/models/Show.php 
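Review bot: The INSERT in increaseAttempts puts the placeholder inside quotes, `values (':ip', '1')`, so the SQL contains a string literal rather than a parameter and the `:ip` binding in the params array has nothing to attach to; PDO rejects a bound name the statement does not declare, and even if it did not, the literal text `:ip` would be what lands in the table. The three `count(*)`/`attempts` selects in this file also pass `Application_Common_Database::ALL` where the old code called `fetchColumn(0)`, whereas getPlaylistCount in this same patch maps `fetchColumn(0)` to `Application_Common_Database::COLUMN`; if ALL is a fetchAll, `$res` is a one-row array that is always truthy, so the UPDATE branch runs for unknown IPs, the INSERT branch never does, and getAttempts returns an array instead of a count. Since this table drives login throttling, that would silently stop attempts being recorded for new addresses. Rewritten lines below; getAttempts and resetAttempts need the same ALL to COLUMN change on their selects.
```php
public static function increaseAttempts($ip)
{
    $sql = "select count(*) from cc_login_attempts WHERE ip= :ip";
    $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::COLUMN);
    if ($res) {
        // … unchanged: UPDATE branch …
    } else {
        $sql = "INSERT INTO cc_login_attempts (ip, attempts) values (:ip, '1')";
        Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE);
    }
}
// … unchanged: getAttempts and resetAttempts, with Application_Common_Database::COLUMN on their select calls …
```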
+++ b/airtime_mvc/application/models/Show.php @@ -2199,12 +2199,11 @@ SQL; public static function getMaxLengths() { - $con = Propel::getConnection(); $sql = << 0 SQL; - $result = $con->query($sql)->fetchAll(); + $result = Application_Common_Database::prepareAndExecute($sql); $assocArray = array(); foreach ($result as $row) { $assocArray[$row['column_name']] = $row['character_maximum_length']; diff --git a/airtime_mvc/application/models/StoredFile.php b/airtime_mvc/application/models/StoredFile.php index 0b743e849..7dd74c62b 100644 --- a/airtime_mvc/application/models/StoredFile.php +++ b/airtime_mvc/application/models/StoredFile.php @@ -1063,9 +1063,9 @@ SQL; public static function getFileCount() { - $con = Propel::getConnection(); $sql = "SELECT count(*) as cnt FROM cc_files WHERE file_exists"; - return $con->query($sql)->fetchColumn(0); + return Application_Common_Database::prepareAndExecute($sql, array(), + Application_Common_Database::COLUMN); } /** @@ -1167,7 +1167,6 @@ SQL; public static function getSoundCloudUploads() { try { - $con = Propel::getConnection(); $sql = <<= (now() - (INTERVAL '1 day'))) SQL; - $rows = $con->query($sql)->fetchAll(); + $params = array( + ':id1' => -2, + ':id2' => -3 + ); + $rows = Application_Common_Database::prepareAndExecute($sql, $params, + Application_Common_Database::ALL); return count($rows); } catch (Exception $e) { @@ -1349,12 +1353,12 @@ SQL; public static function updatePastFilesIsScheduled() { - $con = Propel::getConnection(); $sql = <<query($sql)->fetchAll(); + $files = Application_Common_Database::prepareAndExecute($sql); + foreach ($files as $file) { if (!is_null($file['file_id'])) { self::setIsScheduled(null, false, $file['file_id']); diff --git a/airtime_mvc/application/models/User.php b/airtime_mvc/application/models/User.php index 97c9ca3ad..34e1fe0f6 100644 --- a/airtime_mvc/application/models/User.php +++ b/airtime_mvc/application/models/User.php 
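Review bot: The `-2` and `-3` bound to `:id1`/`:id2` in getSoundCloudUploads are unexplained sentinel values; before this change they at least sat next to the column they are compared against, now they live in a separate params array with no hint of their meaning. A short comment above the array, e.g. `// -2 / -3: sentinel states for uploads not yet completed -- confirm against the upload code`, or named class constants used in both the query and the uploader, would save the next reader from guessing. The heredoc body of the query is not legible in this rendering, so I cannot confirm which column they are matched on.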
@@ -297,10 +297,10 @@ class Application_Model_User public static function getUserCount() { - $con = Propel::getConnection(); $sql_gen = "SELECT count(*) AS cnt FROM cc_subjs"; - $query = $con->query($sql_gen)->fetchColumn(0); + $query = Application_Common_Database::prepareAndExecute($sql_gen, array(), + Application_Common_Database::COLUMN); return ($query !== false) ? $query : null; }