Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CC-5121: fix some SQL statements not being escaped/prepared

This commit is contained in:
denise 2013-05-09 15:53:12 -04:00
parent 21df9013ee
commit 40eb51b892
7 changed files with 87 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
airtime_mvc/application/models/LiveLog.php
View File

@ -6,14 +6,13 @@ class Application_Model_LiveLog
public static function GetLiveShowDuration($p_keepData=false) public static function GetLiveShowDuration($p_keepData=false)
{ {
try { try {
$con = Propel::getConnection();
$sql = "SELECT * FROM CC_LIVE_LOG" $sql = "SELECT * FROM CC_LIVE_LOG"
." WHERE state = 'L'" ." WHERE state = :state"
." and (start_time >= (now() - INTERVAL '1 day'))" ." and (start_time >= (now() - INTERVAL '1 day'))"
." ORDER BY id"; ." ORDER BY id";
$rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'L'),
$rows = $con->query($sql)->fetchAll(); Application_Common_Database::ALL);
/* Check if last log has end time. /* Check if last log has end time.
* If not, set end time to current time * If not, set end time to current time
@ -24,17 +23,19 @@ class Application_Model_LiveLog
$skip = false; $skip = false;
} else { } else {
$sql = "SELECT * FROM CC_LIVE_LOG" $sql = "SELECT * FROM CC_LIVE_LOG"
." WHERE state = 'L'" ." WHERE state = :state"
." ORDER BY id"; ." ORDER BY id";
$rows = $con->query($sql)->fetchAll(); $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'L'),
Application_Common_Database::ALL);
if ($rows != null) { if ($rows != null) {
$last_row = self::UpdateLastLogEndTime(array_pop($rows)); $last_row = self::UpdateLastLogEndTime(array_pop($rows));
array_push($rows, $last_row); array_push($rows, $last_row);
foreach ($rows as $row) { foreach ($rows as $row) {
$sql_delete = "DELETE FROM CC_LIVE_LOG" $sql_delete = "DELETE FROM CC_LIVE_LOG"
." WHERE id = '{$row['id']}'"; ." WHERE id = :id";
$con->exec($sql_delete); Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']),
Application_Common_Database::EXECUTE);
} }
} }
$skip = true; $skip = true;
@ -80,8 +81,9 @@ class Application_Model_LiveLog
if (!$p_keepData) { if (!$p_keepData) {
// Delete data we just used to start a new log history // Delete data we just used to start a new log history
$sql_delete = "DELETE FROM CC_LIVE_LOG" $sql_delete = "DELETE FROM CC_LIVE_LOG"
." WHERE id = '{$row['id']}'"; ." WHERE id = :id";
$con->exec($sql_delete); Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']),
Application_Common_Database::EXECUTE);
} }
} }
//Trim milliseconds //Trim milliseconds
@ -104,14 +106,14 @@ class Application_Model_LiveLog
public static function GetScheduledDuration($p_keepData=false) public static function GetScheduledDuration($p_keepData=false)
{ {
try { try {
$con = Propel::getConnection();
$sql_get_logs = "SELECT * FROM CC_LIVE_LOG" $sql_get_logs = "SELECT * FROM CC_LIVE_LOG"
." WHERE state = 'S'" ." WHERE state = :state"
." and (start_time >= (now() - INTERVAL '1 day'))" ." and (start_time >= (now() - INTERVAL '1 day'))"
." ORDER BY id"; ." ORDER BY id";
$rows = $con->query($sql_get_logs)->fetchAll(); $rows = Application_Common_Database::prepareAndExecute($sql_get_logs, array(':state'=>'S'),
Application_Common_Database::ALL);
/* Check if last log has end time. /* Check if last log has end time.
* If not, set end time to current time * If not, set end time to current time
@ -122,17 +124,19 @@ class Application_Model_LiveLog
$skip = false; $skip = false;
} else { } else {
$sql = "SELECT * FROM CC_LIVE_LOG" $sql = "SELECT * FROM CC_LIVE_LOG"
." WHERE state = 'S'" ." WHERE state = :state"
." ORDER BY id"; ." ORDER BY id";
$rows = $con->query($sql)->fetchAll(); $rows = Application_Common_Database::prepareAndExecute($sql, array(':state'=>'S'),
Application_Common_Database::ALL);
if ($rows != null) { if ($rows != null) {
$last_row = self::UpdateLastLogEndTime(array_pop($rows)); $last_row = self::UpdateLastLogEndTime(array_pop($rows));
array_push($rows, $last_row); array_push($rows, $last_row);
foreach ($rows as $row) { foreach ($rows as $row) {
$sql_delete = "DELETE FROM CC_LIVE_LOG" $sql_delete = "DELETE FROM CC_LIVE_LOG"
." WHERE id = '{$row['id']}'"; ." WHERE id = :id";
$con->exec($sql_delete); Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']),
Application_Common_Database::EXECUTE);
} }
} }
$skip = true; $skip = true;
@ -148,11 +152,17 @@ class Application_Model_LiveLog
*/ */
foreach ($rows as $row) { foreach ($rows as $row) {
$sql_get_tracks = "SELECT * FROM cc_schedule" $sql_get_tracks = "SELECT * FROM cc_schedule"
." WHERE starts >= '{$row['start_time']}'" ." WHERE starts >= :starts1"
." AND starts < '{$row['end_time']}'" ." AND starts < :starts2"
." AND file_id IS NOT NULL" ." AND file_id IS NOT NULL"
." AND media_item_played IS TRUE"; ." AND media_item_played IS TRUE";
$tracks = $con->query($sql_get_tracks)->fetchAll(); $params = array(
':starts1'=>$row['start_time'],
':starts2'=>$row['end_time']
);
$tracks = Application_Common_Database::prepareAndExecute($sql_get_tracks, $params,
Application_Common_Database::ALL);
foreach ($tracks as $track) { foreach ($tracks as $track) {
if ($track['ends'] > $row['end_time']) { if ($track['ends'] > $row['end_time']) {
$scheduled_ends = new DateTime($row['end_time']); $scheduled_ends = new DateTime($row['end_time']);
@ -237,8 +247,9 @@ class Application_Model_LiveLog
if (!$p_keepData) { if (!$p_keepData) {
//Delete row because we do not need data anymore //Delete row because we do not need data anymore
$sql_delete = "DELETE FROM CC_LIVE_LOG" $sql_delete = "DELETE FROM CC_LIVE_LOG"
." WHERE id = '{$row['id']}'"; ." WHERE id = :id";
$con->exec($sql_delete); Application_Common_Database::prepareAndExecute($sql_delete, array(':id'=>$row['id']),
Application_Common_Database::EXECUTE);
} }
} }
@ -275,7 +286,6 @@ class Application_Model_LiveLog
public static function SetNewLogTime($state, $dateTime) public static function SetNewLogTime($state, $dateTime)
{ {
try { try {
$con = Propel::getConnection();
$scheduled = Application_Model_Preference::GetSourceSwitchStatus('scheduled_play'); $scheduled = Application_Model_Preference::GetSourceSwitchStatus('scheduled_play');
if ($state == 'L' && $scheduled == 'on') { if ($state == 'L' && $scheduled == 'on') {
@ -286,13 +296,23 @@ class Application_Model_LiveLog
* has ended * has ended
*/ */
$sql_select = "SELECT max(id) from CC_LIVE_LOG" $sql_select = "SELECT max(id) from CC_LIVE_LOG"
." WHERE (state='L' and end_time is NULL) or (state='S' and end_time is NULL)"; ." WHERE (state= :state1 and end_time is NULL) or (state= :state2 and end_time is NULL)";
$id = $con->query($sql_select)->fetchColumn(0); $params = array(
":state1"=> 'L',
":state2"=> 'S'
);
$id = Application_Common_Database::prepareAndExecute($sql_select, $params,
Application_Common_Database::COLUMN);
if ($id == null) { if ($id == null) {
$sql_insert = "INSERT INTO CC_LIVE_LOG (state, start_time)" $sql_insert = "INSERT INTO CC_LIVE_LOG (state, start_time)"
." VALUES ('$state', '{$dateTime->format("Y-m-d H:i:s")}')"; ." VALUES (:state, :start)";
$con->exec($sql_insert); $params = array(
':state'=>$state,
':start'=>$dateTime->format("Y-m-d H:i:s")
);
Application_Common_Database::prepareAndExecute($sql_insert, $params,
Application_Common_Database::EXECUTE);
if ($state == "S") { if ($state == "S") {
// if scheduled play source is getting broadcasted // if scheduled play source is getting broadcasted
Application_Model_Schedule::UpdateBrodcastedStatus($dateTime, 1); Application_Model_Schedule::UpdateBrodcastedStatus($dateTime, 1);
@ -309,24 +329,28 @@ class Application_Model_LiveLog
public static function SetEndTime($state, $dateTime, $override=false) public static function SetEndTime($state, $dateTime, $override=false)
{ {
try { try {
$con = Propel::getConnection();
$dj_live = Application_Model_Preference::GetSourceSwitchStatus('live_dj'); $dj_live = Application_Model_Preference::GetSourceSwitchStatus('live_dj');
$master_live = Application_Model_Preference::GetSourceSwitchStatus('master_dj'); $master_live = Application_Model_Preference::GetSourceSwitchStatus('master_dj');
if (($dj_live=='off' && $master_live=='off') || $state == 'S' || $override) { if (($dj_live=='off' && $master_live=='off') || $state == 'S' || $override) {
$sql = "SELECT id, state from cc_live_log" $sql = "SELECT id, state from cc_live_log"
." where id in (select max(id) from cc_live_log)"; ." where id in (select max(id) from cc_live_log)";
$row = $con->query($sql)->fetch(); $row = Application_Common_Database::prepareAndExecute($sql, array(),
Application_Common_Database::SINGLE);
/* Only set end time if state recevied ($state) /* Only set end time if state recevied ($state)
* is the last row in cc_live_log * is the last row in cc_live_log
*/ */
if ($row['state'] == $state) { if ($row['state'] == $state) {
$update_sql = "UPDATE CC_LIVE_LOG" $update_sql = "UPDATE CC_LIVE_LOG"
." SET end_time = '{$dateTime->format("Y-m-d H:i:s")}'" ." SET end_time = :end"
." WHERE id = '{$row['id']}'"; ." WHERE id = :id";
$con->exec($update_sql); $params = array(
':end'=>$dateTime->format("Y-m-d H:i:s"),
':id'=>$row['id']
);
Application_Common_Database::prepareAndExecute($update_sql, $params,
Application_Common_Database::EXECUTE);
} }
//If live broadcasting is off, turn scheduled play on //If live broadcasting is off, turn scheduled play on

2
airtime_mvc/application/models/Locale.php
View File

@ -6,7 +6,7 @@ class Application_Model_Locale
{ {
$con = Propel::getConnection(); $con = Propel::getConnection();
$sql = "SELECT * FROM cc_locale"; $sql = "SELECT * FROM cc_locale";
$res = $con->query($sql)->fetchAll(); $res = Application_Common_Database::prepareAndExecute($sql);
$out = array(); $out = array();
foreach ($res as $r) { foreach ($res as $r) {
$out[$r["locale_code"]] = $r["locale_lang"]; $out[$r["locale_code"]] = $r["locale_lang"];

27
airtime_mvc/application/models/LoginAttempts.php
View File

@ -7,35 +7,32 @@ class Application_Model_LoginAttempts
public static function increaseAttempts($ip) public static function increaseAttempts($ip)
{ {
$con = Propel::getConnection(); $sql = "select count(*) from cc_login_attempts WHERE ip= :ip";
$sql = "select count(*) from cc_login_attempts WHERE ip='$ip'"; $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL);
$res = $con->query($sql)->fetchColumn(0);
if ($res) { if ($res) {
$sql = "UPDATE cc_login_attempts SET attempts=attempts+1 WHERE ip='$ip'"; $sql = "UPDATE cc_login_attempts SET attempts=attempts+1 WHERE ip= :ip";
$con->exec($sql); Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE);
} else { } else {
$sql = "INSERT INTO cc_login_attempts (ip, attempts) values ('$ip', '1')"; $sql = "INSERT INTO cc_login_attempts (ip, attempts) values (':ip', '1')";
$con->exec($sql); Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE);
} }
} }
public static function getAttempts($ip) public static function getAttempts($ip)
{ {
$con = Propel::getConnection(); $sql = "select attempts from cc_login_attempts WHERE ip= :ip";
$sql = "select attempts from cc_login_attempts WHERE ip='$ip'"; $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL);
$res = $con->query($sql)->fetchColumn(0);
return $res ? $res : 0; return $res ? $res : 0;
} }
public static function resetAttempts($ip) public static function resetAttempts($ip)
{ {
$con = Propel::getConnection(); $sql = "select count(*) from cc_login_attempts WHERE ip= :ip";
$sql = "select count(*) from cc_login_attempts WHERE ip='$ip'"; $res = Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::ALL);
$res = $con->query($sql)->fetchColumn(0);
if ($res > 0) { if ($res > 0) {
$sql = "DELETE FROM cc_login_attempts WHERE ip='$ip'"; $sql = "DELETE FROM cc_login_attempts WHERE ip= :ip";
$con->exec($sql); Application_Common_Database::prepareAndExecute($sql, array(':ip'=>$ip), Application_Common_Database::EXECUTE);
} }
} }
} }

10
airtime_mvc/application/models/Playlist.php
View File

@ -936,10 +936,10 @@ SQL;
public static function getPlaylistCount() public static function getPlaylistCount()
{ {
$con = Propel::getConnection();
$sql = 'SELECT count(*) as cnt FROM cc_playlist'; $sql = 'SELECT count(*) as cnt FROM cc_playlist';
return $con->query($sql)->fetchColumn(0); return Application_Common_Database::prepareAndExecute($sql, array(),
Application_Common_Database::COLUMN);
} }
/** /**
@ -1063,13 +1063,12 @@ SQL;
public static function getAllPlaylistFiles() public static function getAllPlaylistFiles()
{ {
$con = Propel::getConnection();
$sql = <<<SQL $sql = <<<SQL
SELECT distinct(file_id) SELECT distinct(file_id)
FROM cc_playlistcontents FROM cc_playlistcontents
WHERE file_id is not null WHERE file_id is not null
SQL; SQL;
$files = $con->query($sql)->fetchAll(); $files = Application_Common_Database::prepareAndExecute($sql);
$real_files = array(); $real_files = array();
foreach ($files as $f) { foreach ($files as $f) {
$real_files[] = $f['file_id']; $real_files[] = $f['file_id'];
@ -1079,13 +1078,12 @@ SQL;
public static function getAllPlaylistStreams() public static function getAllPlaylistStreams()
{ {
$con = Propel::getConnection();
$sql = <<<SQL $sql = <<<SQL
SELECT distinct(stream_id) SELECT distinct(stream_id)
FROM cc_playlistcontents FROM cc_playlistcontents
WHERE stream_id is not null WHERE stream_id is not null
SQL; SQL;
$streams = $con->query($sql)->fetchAll(); $streams = Application_Common_Database::prepareAndExecute($sql);
$real_streams = array(); $real_streams = array();
foreach ($streams as $s) { foreach ($streams as $s) {
$real_streams[] = $s['stream_id']; $real_streams[] = $s['stream_id'];

3
airtime_mvc/application/models/Show.php
View File

@ -2199,12 +2199,11 @@ SQL;
public static function getMaxLengths() public static function getMaxLengths()
{ {
$con = Propel::getConnection();
$sql = <<<SQL $sql = <<<SQL
SELECT column_name, character_maximum_length FROM information_schema.columns SELECT column_name, character_maximum_length FROM information_schema.columns
WHERE table_name = 'cc_show' AND character_maximum_length > 0 WHERE table_name = 'cc_show' AND character_maximum_length > 0
SQL; SQL;
$result = $con->query($sql)->fetchAll(); $result = Application_Common_Database::prepareAndExecute($sql);
$assocArray = array(); $assocArray = array();
foreach ($result as $row) { foreach ($result as $row) {
$assocArray[$row['column_name']] = $row['character_maximum_length']; $assocArray[$row['column_name']] = $row['character_maximum_length'];

16
airtime_mvc/application/models/StoredFile.php
View File

@ -1063,9 +1063,9 @@ SQL;
public static function getFileCount() public static function getFileCount()
{ {
$con = Propel::getConnection();
$sql = "SELECT count(*) as cnt FROM cc_files WHERE file_exists"; $sql = "SELECT count(*) as cnt FROM cc_files WHERE file_exists";
return $con->query($sql)->fetchColumn(0); return Application_Common_Database::prepareAndExecute($sql, array(),
Application_Common_Database::COLUMN);
} }
/** /**
@ -1167,7 +1167,6 @@ SQL;
public static function getSoundCloudUploads() public static function getSoundCloudUploads()
{ {
try { try {
$con = Propel::getConnection();
$sql = <<<SQL $sql = <<<SQL
SELECT soundcloud_id AS id, SELECT soundcloud_id AS id,
@ -1178,7 +1177,12 @@ WHERE (id != -2
AND (soundcloud_upload_time >= (now() - (INTERVAL '1 day'))) AND (soundcloud_upload_time >= (now() - (INTERVAL '1 day')))
SQL; SQL;
$rows = $con->query($sql)->fetchAll(); $params = array(
':id1' => -2,
':id2' => -3
);
$rows = Application_Common_Database::prepareAndExecute($sql, $params,
Application_Common_Database::ALL);
return count($rows); return count($rows);
} catch (Exception $e) { } catch (Exception $e) {
@ -1349,12 +1353,12 @@ SQL;
public static function updatePastFilesIsScheduled() public static function updatePastFilesIsScheduled()
{ {
$con = Propel::getConnection();
$sql = <<<SQL $sql = <<<SQL
SELECT file_id FROM cc_schedule SELECT file_id FROM cc_schedule
WHERE ends < now() at time zone 'UTC' WHERE ends < now() at time zone 'UTC'
SQL; SQL;
$files = $con->query($sql)->fetchAll(); $files = Application_Common_Database::prepareAndExecute($sql);
foreach ($files as $file) { foreach ($files as $file) {
if (!is_null($file['file_id'])) { if (!is_null($file['file_id'])) {
self::setIsScheduled(null, false, $file['file_id']); self::setIsScheduled(null, false, $file['file_id']);

4
airtime_mvc/application/models/User.php
View File

@ -297,10 +297,10 @@ class Application_Model_User
public static function getUserCount() public static function getUserCount()
{ {
$con = Propel::getConnection();
$sql_gen = "SELECT count(*) AS cnt FROM cc_subjs"; $sql_gen = "SELECT count(*) AS cnt FROM cc_subjs";
$query = $con->query($sql_gen)->fetchColumn(0); $query = Application_Common_Database::prepareAndExecute($sql_gen, array(),
Application_Common_Database::COLUMN);
return ($query !== false) ? $query : null; return ($query !== false) ? $query : null;
} }