diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..351d4f7
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,14 @@
+# Topmost editor config for this site
+root = true
+
+# Global config settings
+[*]
+charset = utf-8
+indent_style = tab
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# Exceptions for specific files
+[composer.{json,lock}]
+indent_size = 4
+indent_style = space
diff --git a/.gitignore b/.gitignore
index b6a49ac..88f98ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,7 @@
-# SASS artifacts
+# Composer dependencies
+vendor
+
+# Stylesheet artifacts
 *.css
 *.css.map
 .sass-cache
diff --git a/character-twitter.php b/character-twitter.php
index 9aee60b..9ee383c 100644
--- a/character-twitter.php
+++ b/character-twitter.php
@@ -10,7 +10,8 @@ if('post_twitter' == $_REQUEST['action'])
 check_nonce('new-character-twitter');
 #Fetch the password from the DB.
- $acct = $mtdb->getRow(sprintf("SELECT username, password FROM twitter_user WHERE id = '%d'", $_REQUEST['twitter-account']));
+ $stmt = $dbConnection->executeQuery('SELECT username, password FROM twitter_user WHERE id = ?', array($_REQUEST['twitter-account']));
+ $acct = $stmt->fetch();
 $post_at = strtotime($_REQUEST['date18']);
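Review bot: The new executeQuery() call passes `$_REQUEST['twitter-account']` through unchanged, whereas the removed sprintf('%d') coerced it to an integer; the placeholder removes the injection risk, but the value should still be cast, `array((int)$_REQUEST['twitter-account'])`, so the comparison against the id column is not left to MySQL's string-to-number coercion. The same applies to the INSERT in the next hunk, which binds the same request value as the `user` column. `$stmt->fetch()` returns false when no row matches, and the next hunk goes on to read `$acct->username`, so add `if (!$acct) mtdie('Unknown twitter account.', 'Error');` directly after the fetch. The enclosing `if('post_twitter' == $_REQUEST['action'])` block continues outside the hunk.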
@@ -35,13 +36,8 @@ if('post_twitter' == $_REQUEST['action'])
 else
 {
 #No luck, gotta schedule.
- $mtdb->query(
- sprintf("INSERT INTO twitter_post (status, user, time, text)VALUES ('scheduled', '%d', FROM_UNIXTIME('%d'), '%s')",
- mysqli_real_escape_string($mtdb->link, $_REQUEST['twitter-account']),
- $post_at,
- mysqli_real_escape_string($mtdb->link, $_REQUEST['message'])
- )
- );
+ $dbConnection->executeUpdate('INSERT INTO twitter_post (status, user, time, text) VALUES (\'scheduled\', ?, FROM_UNIXTIME(?), ?)',
+ array($_REQUEST['twitter-account'], $post_at, $_REQUEST['message']));
 $info .= "Your tweet for user " . htmlentities($acct->username) . " has been scheduled.";
 adminlog('Tweet for account ' . $acct->username . ' has been scheduled.', MTS_TWITTER, MTA_ADD);
 }
@@ -52,12 +48,11 @@ if('post_twitter' == $_REQUEST['action'])
 }
 }
-$characters = $mtdb->getAll("SELECT id, username FROM twitter_user ORDER BY username");
+$characters = $dbConnection->fetchAll('SELECT id, username FROM twitter_user ORDER BY username');
-$scheduled = $mtdb->getAll("SELECT username, text, status, twitter_post.id AS id, time
- FROM twitter_post JOIN twitter_user
- ON twitter_post.user = twitter_user.id
- WHERE twitter_post.status = 'scheduled' ORDER BY time");
+$scheduled = $dbConnection->fetchAll('SELECT username, text, status, twitter_post.id AS id, time ' .
+ 'FROM twitter_post JOIN twitter_user ON twitter_post.user = twitter_user.id ' .
+ 'WHERE twitter_post.status = \'scheduled\' ORDER BY time');
 adminhead('Manage Character Twitters');
 adminmenu();
diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..d2d1592
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,5 @@
+{
+ "require": {
+ "doctrine/dbal": "v2.5.12"
+ }
+}
diff --git a/composer.lock b/composer.lock
new file mode 100644
index 0000000..f5c2e38
--- /dev/null
+++ b/composer.lock
@@ -0,0 +1,488 @@ +{ + "_readme": [ + "This file locks the dependencies of your project to a known state", + "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", + "This file is @generated automatically" + ], + "content-hash": "6b362fc1ca79445eff7965b72a3e900b", + "packages": [ + { + "name": "doctrine/annotations", + "version": "v1.4.0", + "source": { + "type": "git", + "url": "https://github.com/doctrine/annotations.git", + "reference": "54cacc9b81758b14e3ce750f205a393d52339e97" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/doctrine/annotations/zipball/54cacc9b81758b14e3ce750f205a393d52339e97", + "reference": "54cacc9b81758b14e3ce750f205a393d52339e97", + "shasum": "" + }, + "require": { + "doctrine/lexer": "1.*", + "php": "^5.6 || ^7.0" + }, + "require-dev": { + "doctrine/cache": "1.*", + "phpunit/phpunit": "^5.7" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.4.x-dev" + } + }, + "autoload": { + "psr-4": { + "Doctrine\\Common\\Annotations\\": "lib/Doctrine/Common/Annotations" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + "name": "Benjamin Eberlei", + "email": "kontakt@beberlei.de" + }, + { + "name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Jonathan Wage", + "email": "jonwage@gmail.com" + }, + { + "name": "Johannes Schmitt", + "email": "schmittjoh@gmail.com" + } + ], + "description": "Docblock Annotations Parser", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "annotations", + "docblock", + "parser" + ], + "time": "2017-02-24T16:22:25+00:00" + }, + { + "name": "doctrine/cache", + "version": "v1.6.1", + "source": { + "type": "git", + "url": "https://github.com/doctrine/cache.git", + "reference": "b6f544a20f4807e81f7044d31e679ccbb1866dc3" + }, + "dist": { + "type": 
"zip", + "url": "https://api.github.com/repos/doctrine/cache/zipball/b6f544a20f4807e81f7044d31e679ccbb1866dc3", + "reference": "b6f544a20f4807e81f7044d31e679ccbb1866dc3", + "shasum": "" + }, + "require": { + "php": "~5.5|~7.0" + }, + "conflict": { + "doctrine/common": ">2.2,<2.4" + }, + "require-dev": { + "phpunit/phpunit": "~4.8|~5.0", + "predis/predis": "~1.0", + "satooshi/php-coveralls": "~0.6" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.6.x-dev" + } + }, + "autoload": { + "psr-4": { + "Doctrine\\Common\\Cache\\": "lib/Doctrine/Common/Cache" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + "name": "Benjamin Eberlei", + "email": "kontakt@beberlei.de" + }, + { + "name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Jonathan Wage", + "email": "jonwage@gmail.com" + }, + { + "name": "Johannes Schmitt", + "email": "schmittjoh@gmail.com" + } + ], + "description": "Caching library offering an object-oriented API for many cache backends", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "cache", + "caching" + ], + "time": "2016-10-29T11:16:17+00:00" + }, + { + "name": "doctrine/collections", + "version": "v1.4.0", + "source": { + "type": "git", + "url": "https://github.com/doctrine/collections.git", + "reference": "1a4fb7e902202c33cce8c55989b945612943c2ba" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/doctrine/collections/zipball/1a4fb7e902202c33cce8c55989b945612943c2ba", + "reference": "1a4fb7e902202c33cce8c55989b945612943c2ba", + "shasum": "" + }, + "require": { + "php": "^5.6 || ^7.0" + }, + "require-dev": { + "doctrine/coding-standard": "~0.1@dev", + "phpunit/phpunit": "^5.7" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.3.x-dev" + } + }, + "autoload": { + "psr-0": { + 
"Doctrine\\Common\\Collections\\": "lib/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + "name": "Benjamin Eberlei", + "email": "kontakt@beberlei.de" + }, + { + "name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Jonathan Wage", + "email": "jonwage@gmail.com" + }, + { + "name": "Johannes Schmitt", + "email": "schmittjoh@gmail.com" + } + ], + "description": "Collections Abstraction library", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "array", + "collections", + "iterator" + ], + "time": "2017-01-03T10:49:41+00:00" + }, + { + "name": "doctrine/common", + "version": "v2.7.2", + "source": { + "type": "git", + "url": "https://github.com/doctrine/common.git", + "reference": "930297026c8009a567ac051fd545bf6124150347" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/doctrine/common/zipball/930297026c8009a567ac051fd545bf6124150347", + "reference": "930297026c8009a567ac051fd545bf6124150347", + "shasum": "" + }, + "require": { + "doctrine/annotations": "1.*", + "doctrine/cache": "1.*", + "doctrine/collections": "1.*", + "doctrine/inflector": "1.*", + "doctrine/lexer": "1.*", + "php": "~5.6|~7.0" + }, + "require-dev": { + "phpunit/phpunit": "^5.4.6" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7.x-dev" + } + }, + "autoload": { + "psr-4": { + "Doctrine\\Common\\": "lib/Doctrine/Common" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + "name": "Benjamin Eberlei", + "email": "kontakt@beberlei.de" + }, + { + "name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Jonathan Wage", + "email": "jonwage@gmail.com" + }, + { + "name": "Johannes Schmitt", + "email": 
"schmittjoh@gmail.com" + } + ], + "description": "Common Library for Doctrine projects", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "annotations", + "collections", + "eventmanager", + "persistence", + "spl" + ], + "time": "2017-01-13T14:02:13+00:00" + }, + { + "name": "doctrine/dbal", + "version": "v2.5.12", + "source": { + "type": "git", + "url": "https://github.com/doctrine/dbal.git", + "reference": "7b9e911f9d8b30d43b96853dab26898c710d8f44" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/doctrine/dbal/zipball/7b9e911f9d8b30d43b96853dab26898c710d8f44", + "reference": "7b9e911f9d8b30d43b96853dab26898c710d8f44", + "shasum": "" + }, + "require": { + "doctrine/common": ">=2.4,<2.8-dev", + "php": ">=5.3.2" + }, + "require-dev": { + "phpunit/phpunit": "4.*", + "symfony/console": "2.*||^3.0" + }, + "suggest": { + "symfony/console": "For helpful console commands such as SQL execution and import of files." + }, + "bin": [ + "bin/doctrine-dbal" + ], + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.5.x-dev" + } + }, + "autoload": { + "psr-0": { + "Doctrine\\DBAL\\": "lib/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + "name": "Benjamin Eberlei", + "email": "kontakt@beberlei.de" + }, + { + "name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Jonathan Wage", + "email": "jonwage@gmail.com" + } + ], + "description": "Database Abstraction Layer", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "database", + "dbal", + "persistence", + "queryobject" + ], + "time": "2017-02-08T12:53:47+00:00" + }, + { + "name": "doctrine/inflector", + "version": "v1.1.0", + "source": { + "type": "git", + "url": "https://github.com/doctrine/inflector.git", + "reference": "90b2128806bfde671b6952ab8bea493942c1fdae" + }, + "dist": { + 
"type": "zip", + "url": "https://api.github.com/repos/doctrine/inflector/zipball/90b2128806bfde671b6952ab8bea493942c1fdae", + "reference": "90b2128806bfde671b6952ab8bea493942c1fdae", + "shasum": "" + }, + "require": { + "php": ">=5.3.2" + }, + "require-dev": { + "phpunit/phpunit": "4.*" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.1.x-dev" + } + }, + "autoload": { + "psr-0": { + "Doctrine\\Common\\Inflector\\": "lib/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + "name": "Benjamin Eberlei", + "email": "kontakt@beberlei.de" + }, + { + "name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Jonathan Wage", + "email": "jonwage@gmail.com" + }, + { + "name": "Johannes Schmitt", + "email": "schmittjoh@gmail.com" + } + ], + "description": "Common String Manipulations with regard to casing and singular/plural rules.", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "inflection", + "pluralize", + "singularize", + "string" + ], + "time": "2015-11-06T14:35:42+00:00" + }, + { + "name": "doctrine/lexer", + "version": "v1.0.1", + "source": { + "type": "git", + "url": "https://github.com/doctrine/lexer.git", + "reference": "83893c552fd2045dd78aef794c31e694c37c0b8c" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/doctrine/lexer/zipball/83893c552fd2045dd78aef794c31e694c37c0b8c", + "reference": "83893c552fd2045dd78aef794c31e694c37c0b8c", + "shasum": "" + }, + "require": { + "php": ">=5.3.2" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.0.x-dev" + } + }, + "autoload": { + "psr-0": { + "Doctrine\\Common\\Lexer\\": "lib/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + 
"name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Johannes Schmitt", + "email": "schmittjoh@gmail.com" + } + ], + "description": "Base library for a lexer that can be used in Top-Down, Recursive Descent Parsers.", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "lexer", + "parser" + ], + "time": "2014-09-09T13:34:57+00:00" + } + ], + "packages-dev": [], + "aliases": [], + "minimum-stability": "stable", + "stability-flags": [], + "prefer-stable": false, + "prefer-lowest": false, + "platform": [], + "platform-dev": [] +} diff --git a/delete-comic.php b/delete-comic.php index 0f1bff7..89493f9 100644 --- a/delete-comic.php +++ b/delete-comic.php @@ -9,7 +9,7 @@ check_nonce('delete-strip-'.(int)$_REQUEST['strip_id']); if(!deletestrip( $_REQUEST['strip_id'] )) { - adminlog("Error deleting strip $_REQUEST[strip_id]:".mysqli_error(), MTS_STRIP, MTA_DELETE, E_ERROR); + adminlog("Error deleting strip $_REQUEST[strip_id]:".$dbConnection->errorCode(), MTS_STRIP, MTA_DELETE, E_ERROR); mtdie('Error deleting the specified strip.','SQL Error'); } diff --git a/delete-page.php b/delete-page.php index d535cbf..b3fa09d 100644 --- a/delete-page.php +++ b/delete-page.php @@ -9,7 +9,7 @@ check_nonce('delete-page-'.$_REQUEST['page_name']); if(!deletepage( $_REQUEST['page_name'] )) { - adminlog("Error deleting page $_REQUEST[page_name]: ".mysqli_error(), MTS_PAGE, MTA_DELETE, E_ERROR); + adminlog("Error deleting page $_REQUEST[page_name]: ".$dbConnection->errorCode(), MTS_PAGE, MTA_DELETE, E_ERROR); mtdie('Error deleting the specified page.','SQL Error'); } diff --git a/delete-rant.php b/delete-rant.php index 122d598..e368f05 100644 --- a/delete-rant.php +++ b/delete-rant.php 
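Review bot: `$dbConnection->errorCode()` in the new adminlog() call yields only the SQLSTATE string, not the driver message that `mysqli_error()` supplied, so the admin log loses the reason for the failure; `implode(' ', $dbConnection->errorInfo())` keeps the message. The same substitution is made in the delete-page hunk on this line, the delete-rant hunk on the next line and the three edit-comic hunks further down. Note also that with DBAL a failing statement most likely surfaces as a thrown exception rather than a false return from deletestrip(), so this branch may never see an error code at all; that part is inferred from the driver defaults rather than from the diff.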
@@ -9,7 +9,7 @@ check_nonce('delete-rant-'.(int)$_REQUEST['rant_id']); if(!deleterant( $_REQUEST['rant_id'] )) { - adminlog("Error deleting rant $_REQUEST[rant_id]: ".mysqli_error(), MTS_RANT, MTA_DELETE, E_ERROR); + adminlog("Error deleting rant $_REQUEST[rant_id]: ".$dbConnection->errorCode(), MTS_RANT, MTA_DELETE, E_ERROR); mtdie('Error deleting the specified rant.','SQL Error'); } diff --git a/delete-tweet.php b/delete-tweet.php index e70002e..4a35719 100644 --- a/delete-tweet.php +++ b/delete-tweet.php @@ -12,7 +12,7 @@ $victim = (int)$_REQUEST['tweet_id']; if($victim) { - $r = $mtdb->query("DELETE FROM twitter_post WHERE id = '$victim'"); + $r = $dbConnection->executeUpdate('DELETE FROM twitter_post WHERE id = ?', array($victim)); if(!$r) { adminlog('Error deleting scheduled tweet ' . $victim, MTS_TWITTER, MTA_DELETE, E_ERROR); diff --git a/delete-twitter-user.php b/delete-twitter-user.php index c8069b1..0a50ed8 100644 --- a/delete-twitter-user.php +++ b/delete-twitter-user.php @@ -12,7 +12,7 @@ $victim = (int)$_REQUEST['id']; if($victim) { - $r = $mtdb->query("DELETE FROM twitter_user WHERE id = '$victim'"); + $r = $dbConnection->executeUpdate('DELETE FROM twitter_user WHERE id = ?', array($victim)); if(!$r) { adminlog('Error deleting specified twitter user ' . $victim, MTS_TWITTER, MTA_DELETE, E_ERROR); diff --git a/edit-comic.php b/edit-comic.php index 478b5ac..2ce79cb 100644 --- a/edit-comic.php +++ b/edit-comic.php 
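Review bot: `executeUpdate()` returns the number of affected rows, so `if(!$r)` now treats a DELETE that matched nothing (an id that no longer exists) as an error and writes an E_ERROR entry to the admin log, whereas the removed `query()` result was truthy whenever the statement ran. A genuinely failed statement is raised by DBAL as an exception and never reaches this branch, so the error logging is unreachable for the case it was written for. Distinguish the two: keep `if ($r === 0)` as a "nothing to delete" notice and wrap the call in `try { ... } catch (\Doctrine\DBAL\DBALException $e) { adminlog(...); }` for real failures. The delete-twitter-user hunk on this line has the same shape.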
@@ -35,13 +35,13 @@ if( $_POST ) { if( !is_valid_upload('comicFile') ) { adminlog("Image upload failed.", MTS_STRIP, MTA_ADD, E_WARNING); - mtdie('If you want to upload a new comic, you must provide said comic.','Strip upload failed.'); + mtdie('If you want to upload a new comic, you must provide said comic.', 'Strip upload failed.'); } // get image type and target extension $imagedata = getimagesize($_FILES['comicFile']['tmp_name']); $strip->media = $imagedata[2]; - $fileext = $mtdb->getOne( 'SELECT extension FROM media_t WHERE id = ' . (int)$strip->media ); + $fileext = $dbConnection->fetchColumn('SELECT extension FROM media_t WHERE id = ?', array($strip->media), 0, array(PDO::PARAM_INT)); if(strlen($fileext) < 3) { @@ -53,8 +53,8 @@ if( $_POST ) { // Insert new strip into the database, get a real $strip->id if(!insertstrip( $strip )) { - adminlog("Error on insertion of new strip: ".mysqli_error(), MTS_STRIP, MTA_ADD, E_ERROR); - mtdie('Error on insertion of new strip: '.mysqli_error(), 'SQL Error'); + adminlog("Error on insertion of new strip: ".$dbConnection->errorCode(), MTS_STRIP, MTA_ADD, E_ERROR); + mtdie('Error on insertion of new strip: '.$dbConnection->errorCode(), 'SQL Error'); } // Store the uploaded file to xxxx-0.ext @@ -86,7 +86,7 @@ if( $_POST ) { $imagedata = getimagesize($_FILES['comicFile']['tmp_name']); $strip->media = $imagedata[2]; } - $fileext = $mtdb->getOne( 'SELECT extension FROM media_t WHERE id=' . (int)$strip->media ); + $fileext = $dbConnection->fetchColumn('SELECT extension FROM media_t WHERE id = ?', array($strip->media), 0, array(PDO::PARAM_INT)); if(strlen($fileext) < 3) { 
@@ -99,7 +99,7 @@ if( $_POST ) { if(!updatestrip( $strip ) ) { adminlog("Failed to update strip ".$strip->id.".", MTS_STRIP, MTA_UPDATE); - mtdie('Error updating strip: ' . mysqli_error(), 'SQL Error'); + mtdie('Error updating strip: ' . $dbConnection->errorCode(), 'SQL Error'); } if( is_valid_upload('comicFile') ) { // If uploading, store the uploaded file to xxxx-n.ext @@ -178,7 +178,7 @@ adminmenu('manage-comics.php');

Comic Type

getAll('select id,name from contributor'); + $contrib = $dbConnection->fetchAll('SELECT id, name FROM contributor'); foreach( $contrib as $k=>$v ) { printf('', htmlentities($v->id, ENT_COMPAT, 'UTF-8'), ( $v->id == $rant->author ? 'selected="selected"' : '' ), htmlentities($v->name) ); } ?> @@ -298,7 +298,7 @@ adminmenu('manage-rants.php');

Attach files:

    getAll('SELECT ra.id AS id, extension FROM rant_attachment ra JOIN media_t ON ra.media = media_t.id WHERE ra.rant = '.$rant->id.' ORDER BY id'); + $attachments = $dbConnection->fetchAll('SELECT ra.id AS id, extension FROM rant_attachment ra JOIN media_t ON ra.media = media_t.id WHERE ra.rant = ? ORDER BY id', array($rant->id)); foreach($attachments as $k=>$v) printf('
  1. %s
  2. ', $v->id, SITE_HOST, SITE_PATH, get_rantattachment_filename($v->id), get_rantattachment_filename($v->id)); ?> diff --git a/fredart_parse.php b/fredart_parse.php index c90c692..011aeee 100644 --- a/fredart_parse.php +++ b/fredart_parse.php @@ -24,12 +24,8 @@ for ($count = 0; $count < 5; $count++) { $entry = $feed->getEntryByOffset($count); - $link = mysqli_real_escape_string($mtdb->link, $entry->link); - $title = mysqli_real_escape_string($mtdb->link, $entry->title); - $date = $entry->pubdate; - $mtdb->query("INSERT INTO fredart (pubdate, title, link) - VALUES (FROM_UNIXTIME($date), '$title', '$link')", false); + $dbConnection->executeUpdate('INSERT INTO fredart (pubdate, title, link) VALUES (FROM_UNIXTIME(?), ?, ?)', array($entry->pubdate, $entry->title, $entry->link)); } header('Content-Type: text/xml'); diff --git a/include/admin.inc.php b/include/admin.inc.php index 30695cd..b14ad0d 100644 --- a/include/admin.inc.php +++ b/include/admin.inc.php @@ -1,12 +1,11 @@ connect( DB_SERVER, DB_WRITE_USER, DB_WRITE_PASS, DB_NAME ); +// Initialize a connection to the database +$dbConfig = new \Doctrine\DBAL\Configuration(); +$dbParams = array( + 'dbname' => DB_NAME, + 'user' => DB_WRITE_USER, + 'password' => DB_WRITE_PASS, + 'host' => DB_SERVER, + 'driver' => 'pdo_mysql', + 'charset' => 'utf8mb4' +); +$dbConnection = \Doctrine\DBAL\DriverManager::getConnection($dbParams, $dbConfig); +$dbConnection->setFetchMode(PDO::FETCH_OBJ); /* TODO: Move these definitions to LocalSettings.php */ if ( !defined('RANTIMG') ) 
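Review bot: The removed `$mtdb->query(..., false)` presumably ran each insert best-effort, while the new `executeUpdate()` raises a DBAL exception on a failed statement (a duplicate feed entry, for instance), so one bad entry now aborts the loop before the `header('Content-Type: text/xml')` line below it ever runs. If the import is meant to continue past a bad entry, wrap the call in `try { ... } catch (\Doctrine\DBAL\DBALException $e) { adminlog('fredart insert failed: ' . $e->getMessage(), /* section constant */, MTA_ADD, E_WARNING); }`. Binding `$entry->title` and `$entry->link` as parameters is the right fix for feed-sourced values; the `for ($count = 0; ...)` loop header sits above the hunk.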
@@ -42,21 +51,20 @@ define('USING_TIDY', false); /* These function are all for core authentication. */ -// Call mysql to hash a password function mt_hash_password($password) { - global $mtdb; - return $mtdb->getOne('SELECT SHA1("' . mysqli_real_escape_string($mtdb->link, $password) . '")') ; + return sha1($password); } -// Remove invalid characters from username. Permit only alpha, underscore, period, at, hypen +// Remove invalid characters from username. Permit only alpha, underscore, period, at, hyphen function sanitize_username( $username ) { return preg_replace('|[^a-z_.@-]|i', '', $username); } // Attempt to login with a username and password. If from cookies, set already_hashed = true. function mt_login($username, $password, $already_hashed = false) { - global $error,$mtdb; + global $error, $dbConnection; + // Fail login if either user or pass is blank if ( '' == $username ) return false; @@ -67,7 +75,11 @@ function mt_login($username, $password, $already_hashed = false) { $username = sanitize_username( $username ); - $login = $mtdb->getRow( 'SELECT id,name,email,nameplate,default_image,default_link,password FROM contributor WHERE name = "' . mysqli_real_escape_string($mtdb->link, $username) . '"'); + // Get user info from the database + $sql = 'SELECT * FROM contributor WHERE name LIKE ?'; + $stmt = $dbConnection->executeQuery($sql, array($username)); + $login = $stmt->fetch(); + if (!$login) { $error = ('ERROR: Invalid username or password.'); adminlog("Failed login attempt from ".$_SERVER['REMOTE_ADDR']." for $username.", MTS_LOGIN, MTA_CHANGE); @@ -144,5 +156,4 @@ function nocache_headers() { @ header('Pragma: no-cache'); } - ?> diff --git a/include/cookies.php b/include/cookies.php index 05e2f0d..9fdc5b8 100644 --- a/include/cookies.php +++ b/include/cookies.php 
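Review bot: `sha1($password)` keeps the scheme unsalted and fast, so a copy of the contributor table can be brute-forced offline at hardware speed; since the function is being rewritten anyway, this is the point to switch to `password_hash($password, PASSWORD_DEFAULT)` and check with `password_verify()`, rehashing legacy SHA1 values on the first successful login. The cookie path in include/cookies.php (`$password = mt_hash_password($password)` before the cookie is set) stores this hash client-side, so whatever replaces it should also stop putting the hash in the cookie in favour of a random token. Only the hash function is in this hunk; the comparison in mt_login is outside it.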
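Review bot: `WHERE name LIKE ?` turns the bound username into a pattern: sanitize_username() strips `%` but leaves `_`, which LIKE treats as a single-character wildcard, so a submitted name such as `a_min` fetches the `admin` row and the password check that follows runs against that account. The removed query used `=`, and the new one should too: `$sql = 'SELECT * FROM contributor WHERE name = ?';`. `SELECT *` also replaces the explicit column list, so any future column on contributor is pulled into `$login` and whatever is built from it; the old list is worth restoring. The rest of mt_login, including the password comparison, is outside the hunk.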
@@ -25,7 +25,6 @@ function mt_get_cookie_login() { // Store username and password in a cookie function mt_setcookie($username, $password, $already_md5 = false, $siteurl = '', $remember = false) { - global $mtdb; if ( !$already_md5 ) $password = mt_hash_password($password); diff --git a/include/error.php b/include/error.php index 3d6dc52..aa433f7 100644 --- a/include/error.php +++ b/include/error.php @@ -13,8 +13,7 @@ define('MTS_TYPE_META', 8); // Changes in the metatype manager define('MTS_TUMBLR', 10); - -define('MTA_ADD', 'create'); // Creation action +define('MTA_ADD', 'create'); // Creation action define('MTA_INSERT', 'create'); // Creation action define('MTA_DELETE', 'delete'); // Deletion action define('MTA_REMOVE', 'delete'); // Deletion action @@ -24,21 +23,29 @@ define('MTA_CHANGE', 'update'); // Modification action function adminlog($msg, $section, $action, $level=E_USER_NOTICE, $email=false) { - global $mtdb, $currentuser; + global $dbConnection, $currentuser; - $sql = sprintf('INSERT INTO admin_log (contributor, section, action, level, message) VALUES (%s, %d, "%s", %d, "%s")', - (is_numeric($currentuser->id) ? $currentuser->id : "NULL"), $section, mysqli_real_escape_string($mtdb->link, $action), $level, mysqli_real_escape_string($mtdb->link, $msg)); - $mtdb->query( $sql ) or die($sql."
    ".mysqli_error($mtdb->link)."
    \n".var_export(debug_backtrace())); + $sql = 'INSERT INTO admin_log (contributor, section, action, level, message) VALUES (?, ?, ?, ?, ?)'; + $stmt = $dbConnection->prepare($sql); + $stmt->bindValue(1, is_numeric($currentuser->id) ? $currentuser->id : NULL); + $stmt->bindValue(2, $section); + $stmt->bindValue(3, $action); + $stmt->bindValue(4, $level); + $stmt->bindValue(5, $msg); + $stmt->execute() or die($sql . '
    ' . $stmt->errorCode() . '
    ' . var_export(debug_backtrace())); // Log all important sorts of messages in the Apache log - if( $level & (E_USER_WARNING | E_USER_ERROR) ) { + if( $level & (E_USER_WARNING | E_USER_ERROR) ) + { error_log($msg, 0); } // Email critical messages and those for which email is requested - if($email || E_USER_ERROR == $level || E_ERROR == $level) { + if($email || E_USER_ERROR == $level || E_ERROR == $level) + { // Pretty printing - switch($level) { + switch($level) + { case E_USER_NOTICE: case E_NOTICE: $importance = 'Notice'; @@ -56,7 +63,8 @@ function adminlog($msg, $section, $action, $level=E_USER_NOTICE, $email=false) break; } - switch($section) { + switch($section) + { case MTS_LOGIN: $area = 'User login'; break; case MTS_USER: $area = 'Modify user'; break; case MTS_PAGE: $area = 'Modify page'; break; diff --git a/include/html.php b/include/html.php index 2ad1c6c..422b6cb 100644 --- a/include/html.php +++ b/include/html.php @@ -12,7 +12,7 @@ function adminhead($title = '') { Megatokyo Administrative Dashboard<?php if( $title ) echo " — $title"; ?> - + @@ -41,7 +41,7 @@ $submenu['manage-comics.php'] = array( 'manage-types.php' => 'Types', 'manage-twitter-users.php' => 'Twitter Users', 'manage-metatypes.php' => 'Metatypes', - 'swap-comics.php' => 'Swap Comics', +//'swap-comics.php' => 'Swap Comics', 'character-twitter.php' => 'Character Twitters', 'view-adminlog.php' => 'View Admin Log' ); @@ -155,6 +155,7 @@ function handle_error($errno, $errstr, $errfile, $errline, $errcontext) { case E_CORE_WARNING: case E_COMPILE_WARNING: break; + case E_USER_ERROR: case E_ERROR: case E_PARSE: @@ -164,7 +165,7 @@ function handle_error($errno, $errstr, $errfile, $errline, $errcontext) { header('Content-Type: text/html; charset=utf-8'); if (eregi('^(sql)$', $errstr)) { - $errstr = "SQL Error " . mysqli_errno() . ': ' . mysqli_error(); + // $errstr = "SQL Error " . mysqli_errno() . ': ' . mysqli_error(); } $message = "Error#$errno: $errstr"; 
@@ -204,7 +205,7 @@ function mtdie($message,$title='') { font-dize: 18px; font-weight: lighter; } - h2 { + h2 { font-size: 16px; } p, li, dt { @@ -222,13 +223,12 @@ function mtdie($message,$title='') {

    Megatokyo Admin

    - $title\n"; ?> + $title\n"; ?>

    getOne('SELECT title FROM rant WHERE id=' . $i); break; - case 'strip': $v = $mtdb->getOne('SELECT id FROM strip WHERE id=' . $i); break; - case 'type': $v = $mtdb->getOne('SELECT name FROM strip_t WHERE id=' . $i); break; - case 'metatype':$v = $mtdb->getOne('SELECT name FROM meta_t WHERE id=' . $i); break; + case 'rant': $v = $dbConnection->fetchColumn('SELECT title FROM rant WHERE id = ?', array($i)); break; + case 'strip': $v = $dbConnection->fetchColumn('SELECT id FROM strip WHERE id = ?', array($i)); break; + case 'type': $v = $dbConnection->fetchColumn('SELECT name FROM strip_t WHERE id = ?', array($i)); break; + case 'metatype':$v = $dbConnection->fetchColumn('SELECT name FROM meta_t WHERE id = ?', array($i)); break; case 'extra': $temp = extra_file_from_inode($i); $v = $temp->name; break; - case 'twitteruser': $v = $mtdb->getOne('SELECT username FROM twitter_user WHERE id=' . $i); break; + case 'twitteruser': $v = $dbConnection->fetchColumn('SELECT username FROM twitter_user WHERE id = ?', array($i)); break; default: $v = $i; } diff --git a/include/pages.php b/include/pages.php index a5ffc88..12dfb83 100644 --- a/include/pages.php +++ b/include/pages.php 
@@ -1,53 +1,84 @@ url_name) +function savepage($page) +{ + if ($page->url_name) return updatepage($page); else return insertpage($page); } -function insertpage($page) { - global $mtdb; - $sql = 'INSERT INTO static_page ( url_name, status, title, body, style ) VALUES (' - . ' "' . mysqli_real_escape_string($mtdb->link, $page->url_name) - . '", "' . mysqli_real_escape_string($mtdb->link, $page->status) - . '", "' . mysqli_real_escape_string( $mtdb->link, trim( $page->title ) ) - . '", "' . mysqli_real_escape_string( $mtdb->link, trim( $page->body ) ) - . '", "' . mysqli_real_escape_string( $mtdb->link, trim( $page->style ) ) - . '")'; - adminlog("Page '".$page->url_name."' has been added.", MTS_PAGE, MTA_ADD); - return $mtdb->query($sql); +function insertpage($page) +{ + if ( !$page->url_name ) return false; + global $dbConnection; + + $sql = 'INSERT INTO static_page (url_name, status, title, body, style) VALUES (:slug, :status, :title, :body, :style)'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue('slug', $page->url_name); + $stmt->bindValue('status', $page->status); + $stmt->bindValue('title', trim($page->title)); + $stmt->bindValue('body', trim($page->body)); + $stmt->bindValue('style', trim($page->style)); + + adminlog("Page '" . $page->url_name . "' has been added.", MTS_PAGE, MTA_ADD); + return $stmt->execute(); } -function updatepage($page) { +function updatepage($page) +{ if ( !$page->url_name ) return false; - global $mtdb; - - $sql = 'UPDATE static_page SET url_name = "' . mysqli_real_escape_string($mtdb->link, $page->url_name) - . '", status = "' . mysqli_real_escape_string($mtdb->link, $page->status) - . '", title = "' . mysqli_real_escape_string( $mtdb->link, trim( $page->title ) ) - . '", body = "' . mysqli_real_escape_string( $mtdb->link, trim( $page->body ) ) - . '", style = "' . mysqli_real_escape_string( $mtdb->link, trim( $page->style ) ) - . '" WHERE url_name = "' . mysqli_real_escape_string($mtdb->link, $page->url_name) . 
'"'; - adminlog("Page '".$page->url_name."' has been updated.", MTS_PAGE, MTA_MODIFY); - return $mtdb->query( $sql ); + global $dbConnection; + + $sql = 'UPDATE static_page SET url_name = :slug, status = :status, title = :title, body = :body, style = :style WHERE url_name = :slug'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue('slug', $page->url_name); + $stmt->bindValue('status', $page->status); + $stmt->bindValue('title', trim($page->title)); + $stmt->bindValue('body', trim($page->body)); + $stmt->bindValue('style', trim($page->style)); + + adminlog("Page '" . $page->url_name . "' has been updated.", MTS_PAGE, MTA_MODIFY); + return $stmt->execute(); } -function deletepage($url_name) { +function deletepage($url_name) +{ if ( !$url_name ) return false; - global $mtdb; - adminlog("Page '".$page->url_name."' has been deleted.", MTS_PAGE, MTA_DELETE); - return $mtdb->query( 'DELETE FROM static_page WHERE url_name = "' . mysqli_real_escape_string($mtdb->link, $url_name) . '"' ); + global $dbConnection; + + $sql = 'DELETE FROM static_page WHERE url_name = :slug'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue('slug', $url_name); + + adminlog("Page '" . $page->url_name . "' has been deleted.", MTS_PAGE, MTA_DELETE); + return $stmt->execute(); } -function getpage($url_name) { - global $mtdb; - return $mtdb->getRow( 'SELECT url_name, status, title, body, style FROM static_page WHERE url_name = "'. mysqli_real_escape_string($mtdb->link, $url_name) . '"' ); +function getpage($url_name) +{ + if ( !$url_name ) return false; + global $dbConnection; + + $sql = 'SELECT url_name, status, title, body, style FROM static_page WHERE url_name = :slug'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue('slug', $url_name); + + $stmt->execute(); + return $stmt->fetch(); } ?> diff --git a/include/rants.php b/include/rants.php index 3dd3399..b599705 100644 --- a/include/rants.php +++ b/include/rants.php 
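Review bot: deletepage() logs `$page->url_name`, but the function's only argument is `$url_name` and `$page` is never defined there, so the admin log entry names an empty page (and raises a notice); the commit rewrites that line without fixing it: `adminlog("Page '" . $url_name . "' has been deleted.", MTS_PAGE, MTA_DELETE);`. In insertpage(), updatepage() and deletepage() adminlog() is also called before `$stmt->execute()`, so a statement that fails is still recorded as a successful add, update or delete; move each log call behind a successful execute. updatepage() binds `:slug` in both SET and WHERE, which PDO accepts only with emulated prepares (the MySQL default), so a short comment there would save a surprise if native prepares are ever enabled.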
@@ -1,119 +1,193 @@ id) +function saverant($rant) +{ + if ($rant->id) return updaterant($rant); else return insertrant($rant); } -function insertrant($rant) { - global $mtdb; - $sql = 'INSERT INTO rant ( published, status, side, author, title, body, link, imagetype, imagetext ) VALUES ( FROM_UNIXTIME(' - . (int)$rant->published - . '), "' . mysqli_real_escape_string($mtdb->link, $rant->status) - . '", "' . mysqli_real_escape_string($mtdb->link, $rant->side) - . '", "' . (int)$rant->author - . '", "' . mysqli_real_escape_string( $mtdb->link, trim( $rant->title) ) - . '", "' . mysqli_real_escape_string( $mtdb->link, trim( $rant->body ) ) - . '", "' . mysqli_real_escape_string( $mtdb->link, trim( $rant->link ) ) - . '", ' . mysqli_real_escape_string($mtdb->link, $rant->imagetype) - . ', "' . mysqli_real_escape_string( $mtdb->link, trim( $rant->imagetext ) ) - . '")'; - - if( $mtdb->query( $sql ) ) { +function insertrant($rant) +{ + global $dbConnection; + + $sql = 'INSERT INTO rant (published, status, side, author, title, body, link, imagetype, imagetext) VALUES ' . + '(FROM_UNIXTIME(:published), :status, :side, :author, :title, :body, :link, :imagetype, :imagetext)'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue('published', (int)$rant->published); + $stmt->bindValue('status', $rant->status); + $stmt->bindValue('side', $rant->side); + $stmt->bindValue('author', (int)$rant->author); + $stmt->bindValue('title', trim($rant->title)); + $stmt->bindValue('body', trim($rant->body)); + $stmt->bindValue('link', trim($rant->link)); + $stmt->bindValue('imagetype', $rant->imagetype); + $stmt->bindValue('imagetext', trim($rant->imagetext)); + + if ($stmt->execute()) + { //logthis( 'Saved changes to rant ' . $rant->id ); - $rant->id = mysqli_insert_id( $mtdb->link ); + $rant->id = $dbConnection->lastInsertId(); - adminlog("Rant ".$rant->id." saved.", MTS_RANT, MTA_ADD); + adminlog("Rant " . $rant->id . 
" saved.", MTS_RANT, MTA_ADD); - if($rant->status == "published") + if ($rant->status == "published") { + adminlog("Rant " . $rant->id . " published.", MTS_RANT, MTA_ADD); + + /* $poster = get_userdatabyid($rant->author); - adminlog("Rant ".$rant->id." published.", MTS_RANT, MTA_ADD); twitterpost("New rant posted by ".$poster->name.": ".SITE_HOST.SITE_PATH."/rant/".$rant->id); if($rant->author === 1) { tumblrpost($rant->title, $rant->body); } + */ } return $rant->id; } + return false; } -function updaterant($rant) { +function updaterant($rant) +{ if ( !(int)$rant->id ) return false; - global $mtdb; - - #first, check if it's published already - $qr = $mtdb->query("SELECT status FROM rant WHERE id = ".$rant->id); - $row = mysqli_fetch_row($qr); - $status = $row[0]; - - adminlog("Rant ".$rant->id." updated.", MTS_RANT, MTA_UPDATE); - - $sql = 'UPDATE rant SET published=FROM_UNIXTIME(' . (int)$rant->published - . '), status = "' . mysqli_real_escape_string($mtdb->link, $rant->status) - . '", side = "' . mysqli_real_escape_string($mtdb->link, $rant->side) - . '", author = ' . (int)$rant->author - . ', title = "' . mysqli_real_escape_string( $mtdb->link, trim($rant->title) ) - . '", body = "' . mysqli_real_escape_string( $mtdb->link, trim($rant->body ) ) - . '", link = "' . mysqli_real_escape_string( $mtdb->link, trim($rant->link ) ) - . '", imagetype = ' . (int)$rant->imagetype - . ', imagetext = "' . mysqli_real_escape_string( $mtdb->link, trim($rant->imagetext) ) - . '" WHERE id=' . (int)$rant->id; - - if($status == "draft" && $rant->status == "published") + global $dbConnection; + + # First, check if it's published already + $sql = 'SELECT status FROM rant WHERE id = ?'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, $rant->id); + + $stmt->execute(); + $status = $stmt->fetchColumn(); + + adminlog("Rant " . $rant->id . 
" updated.", MTS_RANT, MTA_UPDATE); + + $sql = 'UPDATE rant SET published = FROM_UNIXTIME(:published), status = :status, side = :side, author = :author, ' . + 'title = :title, body = :body, link = :link, imagetype = :imagetype, imagetext = :imagetext WHERE id = :id'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue('id', (int)$rant->id); + $stmt->bindValue('published', (int)$rant->published); + $stmt->bindValue('status', $rant->status); + $stmt->bindValue('side', $rant->side); + $stmt->bindValue('author', (int)$rant->author); + $stmt->bindValue('title', trim($rant->title)); + $stmt->bindValue('body', trim($rant->body)); + $stmt->bindValue('link', trim($rant->link)); + $stmt->bindValue('imagetype', (int)$rant->imagetype); + $stmt->bindValue('imagetext', trim($rant->imagetext)); + + if ($status == "draft" && $rant->status == "published") { + adminlog("Rant " . $rant->id . " published.", MTS_RANT, MTA_UPDATE); + + /* $poster = get_userdatabyid($rant->author); - adminlog("Rant ".$rant->id." published.", MTS_RANT, MTA_UPDATE); twitterpost("New rant posted by ".$poster->name.": ".SITE_HOST.SITE_PATH."/rant/".$rant->id); if($rant->author === 1) { tumblrpost($rant->title, $rant->body); } + */ } - return $mtdb->query( $sql ); + return $stmt->execute(); } -function deleterant($rantid) { +function deleterant($rantid) +{ if ( !(int)$rantid ) return false; - global $mtdb; - adminlog("Rant ".$rantid." deleted.", MTS_RANT, MTA_DELETE); - return $mtdb->query( 'DELETE FROM rant WHERE id=' . $rantid ); + global $dbConnection; + + $sql = 'DELETE FROM rant WHERE id = ?'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, $rantid); + + adminlog("Rant " . $rantid . 
" deleted.", MTS_RANT, MTA_DELETE); + return $stmt->execute(); } function deleteattachment($id) { - global $mtdb; - $file = SITE_PATH_ABS.'/'.get_rantattachment_filename($id); - unlink( $file ) or adminlog("Could not delete $file", MTS_RANT, MTA_DELETE, E_USER_WARNING); - $mtdb->query( 'DELETE FROM rant_attachment WHERE id = ' . $id ); + global $dbConnection; + + // Remove attachment from filesystem + $file = SITE_PATH_ABS . '/' . get_rantattachment_filename($id); + unlink($file) or adminlog("Could not delete $file", MTS_RANT, MTA_DELETE, E_USER_WARNING); + + // Remove from database + $sql = 'DELETE FROM rant_attachment WHERE id = ?'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, $id); + + $stmt->execute(); adminlog("Deleted attachment $id", MTS_RANT, MTA_DELETE); } -function getrant($id) { - global $mtdb; - return $mtdb->getRow( 'SELECT id, UNIX_TIMESTAMP(published) as published, status, side, author, title, body, link, imagetype, imagetext FROM rant WHERE id = '. (int)$id ); +function getrant($id) +{ + global $dbConnection; + + $sql = 'SELECT id, UNIX_TIMESTAMP(published) as published, status, side, author, title, body, link, imagetype, imagetext FROM rant WHERE id = ?'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, (int)$id); + + $stmt->execute(); + return $stmt->fetch(); } -function get_rantimage_filename( $rant ) { - global $mtdb; - $ext = $mtdb->getOne( 'SELECT extension FROM media_t WHERE id=' . 
(int)$rant->imagetype ); // filename extension - return sprintf( '%s/%04d.%s',SITE_RANT, (int)$rant->id, $ext ); +function get_rantimage_filename($rant) +{ + global $dbConnection; + + $sql = 'SELECT extension FROM media_t WHERE id = ?'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, (int)$rant->imagetype); + + $stmt->execute(); + $ext = $stmt->fetchColumn(); // filename extension + + return sprintf('%s/%04d.%s', SITE_RANT, (int)$rant->id, $ext); } -function get_rantattachment_filename( $id ) { - global $mtdb; - $ext = $mtdb->getOne( 'SELECT extension FROM media_t JOIN rant_attachment ra ON ra.media = media_t.id WHERE ra.id=' . (int)$id ); // filename extension - return sprintf( '%s/%d.%s',SITE_RANT_ATTACHMENT, (int)$id, $ext ); +function get_rantattachment_filename($id) +{ + global $dbConnection; + + $sql = 'SELECT extension FROM media_t JOIN rant_attachment ra ON ra.media = media_t.id WHERE ra.id = ?'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, (int)$id); + + $stmt->execute(); + $ext = $stmt->fetchColumn(); // filename extension + + return sprintf('%s/%d.%s', SITE_RANT_ATTACHMENT, (int)$id, $ext ); } ?> diff --git a/include/rss.php b/include/rss.php index 3087cb2..be72b2c 100644 --- a/include/rss.php +++ b/include/rss.php @@ -2,13 +2,14 @@ function rsspost($body, $url) { - global $mtdb; + global $dbConnection; - $mtdb->query('INSERT INTO rss_comment (body, url) - VALUES ("'.mysqli_real_escape_string($mtdb->link, $body).'", - "'.mysqli_real_escape_string($mtdb->link, $url).'")'); + $sql = 'INSERT INTO rss_comment (body, url) VALUES (?, ?)'; + $stmt = $dbConnection->prepare($sql); + $stmt->bindValue(1, $body); + $stmt->bindValue(2, $url); - return true; + return $stmt->execute(); } ?> diff --git a/include/strip.php b/include/strip.php index 82eca8c..8c49b7d 100644 --- a/include/strip.php +++ b/include/strip.php 
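Review bot: `insertrant()` and `updaterant()` bind `$rant->status` and `$rant->side` straight into the row, and `status` is the value that gates publication (`$rant->status == "published"`), so unless the caller already allow-lists it an arbitrary string ends up in the column; a check such as `if (!in_array($rant->status, array('draft', 'published'), true)) return false;` before the prepare would close that. `deleterant()` writes its audit entry before `$stmt->execute()` and `deleteattachment()` never checks the DELETE result, so a failed deletion is still logged as deleted; move the log after a successful execute. `deleteattachment()` also passes `$id` to the query without an integer type while the filename helper casts it, so bind it with `PDO::PARAM_INT` for consistency with the filesystem side.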
@@ -3,8 +3,16 @@ // Book: The offset from 0 at the beginning of time // Page: The offset from 0 at the beginning of the volume -class Strip { - var $id, $old_id, $published, $media, $type, $title, $book, $page; +class Strip +{ + public $id; + public $old_id; + public $published; + public $media; + public $type; + public $title; + public $book; + public $page; } // old_id is used to detect alterations to the strip id in forms. Not saved in database. 
@@ -12,29 +20,31 @@ class Strip { // Strip id is automatically incremented function insertstrip(&$strip) { - global $mtdb; - - $strip->book = ($strip->book == '') ? 'NULL' : (int)$strip->book; - $strip->page = ($strip->page == '') ? 'NULL' : (int)$strip->page; - - $mtdb->query('START TRANSACTION'); - $newid = $mtdb->getOne('SELECT MAX(id) FROM strip') + 1; - $sql = 'INSERT INTO strip ( id, published, media, type, title, book, page ) VALUES (' - . $newid - . ', FROM_UNIXTIME(' . (int)$strip->published - . '), '. (int)$strip->media - . ', ' . (int)$strip->type - . ', "' . mysqli_real_escape_string( $mtdb->link, trim($strip->title) ) - . '", '. $strip->book - . ', ' . $strip->page - . ')'; - - $r = $mtdb->query( $sql ); + global $dbConnection; + + $strip->book = ($strip->book == '') ? NULL : (int)$strip->book; + $strip->page = ($strip->page == '') ? NULL : (int)$strip->page; + + $dbConnection->beginTransaction(); + $newid = $dbConnection->fetchColumn('SELECT MAX(id) FROM strip') + 1; + + $sql = 'INSERT INTO strip (id, published, media, type, title, book, page) VALUES(?, FROM_UNIXTIME(?), ?, ?, ?, ?, ?)'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, $newid); + $stmt->bindValue(2, $strip->published, PDO::PARAM_INT); + $stmt->bindValue(3, $strip->media, PDO::PARAM_INT); + $stmt->bindValue(4, $strip->type, PDO::PARAM_INT); + $stmt->bindValue(5, trim($strip->title)); + $stmt->bindValue(6, $strip->book); + $stmt->bindValue(7, $strip->page); + + $r = $stmt->execute(); if( !$r ) { - $mtdb->query('ROLLBACK'); + $dbConnection->rollback(); return false; } - $mtdb->query('COMMIT'); + $dbConnection->commit(); adminlog("Comic ".$newid." posted.", MTS_STRIP, MTA_ADD); $strip->id = $newid; 
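Review bot: The rollback path in `insertstrip()` is dead under DBAL: with its default exception error mode, `Statement::execute()` throws a `DBALException` on a failed INSERT rather than returning false, so `if( !$r )` is never taken, the exception escapes uncaught and the open transaction is left to the connection's teardown. The id allocation `SELECT MAX(id) FROM strip` + 1 is also a race — two admins posting at once read the same maximum and whichever INSERT lands second hits a duplicate-key error, now surfacing as that uncaught exception; an AUTO_INCREMENT column read back with `lastInsertId()` is the clean fix, otherwise lock the read with `FOR UPDATE` inside the transaction. Wrapping the transaction body in try/catch restores the false-on-failure behaviour the caller expects. `insertstrip`'s body continues past the end of the hunk.
```php
	$dbConnection->beginTransaction();
	try {
		// FOR UPDATE serialises concurrent inserts on the MAX(id) read
		$newid = $dbConnection->fetchColumn('SELECT MAX(id) FROM strip FOR UPDATE') + 1;
		// … unchanged: prepare and bind the INSERT …
		$stmt->execute();
		$dbConnection->commit();
	} catch (\Exception $e) {
		$dbConnection->rollback();
		return false;
	}
```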
@@ -43,22 +53,26 @@ function insertstrip(&$strip) { } function updatestrip(&$strip) { - global $mtdb; - - $strip->book = ($strip->book === '') ? 'NULL' : (int)$strip->book; - $strip->page = ($strip->page === '') ? 'NULL' : (int)$strip->page; - - $mtdb->query('START TRANSACTION'); - $sql = 'UPDATE strip SET - published = FROM_UNIXTIME(' . (int)$strip->published .') - , media = '. (int)$strip->media .' - , type = ' . (int)$strip->type .' - , title = "' . mysqli_real_escape_string( $mtdb->link, trim($strip->title) ) .'" - , book = ' . (int)$strip->book .' - , page = ' . (int)$strip->page .' - WHERE id = ' . (int)$strip->id; - $mtdb->query( $sql ); - $mtdb->query('COMMIT'); + global $dbConnection; + + $strip->book = ($strip->book === '') ? NULL : (int)$strip->book; + $strip->page = ($strip->page === '') ? NULL : (int)$strip->page; + + $dbConnection->beginTransaction(); + + $sql = 'UPDATE strip SET published = FROM_UNIXTIME(?), media = ?, type = ?, title = ?, book = ?, page = ? WHERE id = ?'; + $stmt = $dbConnection->prepare($sql); + + $stmt->bindValue(1, $strip->published, PDO::PARAM_INT); + $stmt->bindValue(2, $strip->media, PDO::PARAM_INT); + $stmt->bindValue(3, $strip->type, PDO::PARAM_INT); + $stmt->bindValue(4, trim($strip->title)); + $stmt->bindValue(5, $strip->book, PDO::PARAM_INT); + $stmt->bindValue(6, $strip->page, PDO::PARAM_INT); + $stmt->bindValue(7, $strip->id, PDO::PARAM_INT); + + $stmt->execute(); + $dbConnection->commit(); adminlog("Comic ".$strip->id." modified.", MTS_STRIP, MTA_MODIFY); return true; } 
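Review bot: `updatestrip()` binds `$strip->book` and `$strip->page` with `PDO::PARAM_INT` after having just set them to `NULL` for an empty form value; whether a NULL bound as PARAM_INT reaches MySQL as NULL or as 0 depends on the driver and emulation mode, so verify it against the real connection or bind `PDO::PARAM_NULL` when the value is null (the insert path leaves the type unspecified, which is the safer of the two). The transaction here wraps a single statement and is committed unconditionally, so it adds nothing; either drop it or give it a rollback path. Note also that the two paths disagree on the empty check (`== ''` in `insertstrip` versus `=== ''` here), so under PHP 7's loose comparison an integer 0 for book/page is stored as NULL on insert but as 0 on update.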
@@ -66,12 +80,12 @@ function updatestrip(&$strip) { // Delete destination strip from DB and FS, and Update/Rename the source strip into place. Destructive Move! function move_strip($from_id, $to_id) { - global $mtdb; + global $dbConnection; $from_id = (int) $from_id; $to_id = (int) $to_id; // Ensure our source exists - $num_strips = $mtdb->getOne( "SELECT COUNT(*) FROM strip WHERE id = $from_id" ); + $num_strips = $dbConnection->fetchColumn('SELECT COUNT(*) FROM strip WHERE id = ?', array($from_id)); if($num_strips < 1) mtdie("Cannot move strip number $from_id, because it cannot be found in database."); @@ -79,8 +93,8 @@ function move_strip($from_id, $to_id) deletestrip( $to_id ); // Update database - $mtdb->query( "UPDATE strip SET id = $to_id WHERE id = $from_id" ); - $strip = $mtdb->getRow( "SELECT strip.id, extension FROM strip, media_t WHERE media_t.id = strip.media AND strip.id = $to_id" ); + $dbConnection->executeUpdate('UPDATE strip SET id = ? WHERE id = ?', array($to_id, $from_id)); + $strip = $dbConnection->executeQuery('SELECT strip.id, extension FROM strip, media_t WHERE media_t.id = strip.media AND strip.id = ?', array($to_id))->fetch(); // Update filesystem foreach(glob(sprintf(SITE_PATH_ABS.'/'.SITE_STRIP.'/%04d.*', $from_id)) as $item) { @@ -101,8 +115,8 @@ function deletestrip($id) { $id = (int)$id; if ( !$id ) return false; - global $mtdb; - $r = $mtdb->query( 'DELETE FROM strip WHERE id=' . $id ); + global $dbConnection; + $r = $dbConnection->executeUpdate('DELETE FROM strip WHERE id = ?', array($id)); foreach(glob(sprintf(SITE_PATH_ABS.'/'.SITE_STRIP.'/%04d*.*', $id)) as $item) unlink($item); foreach(glob(sprintf(SITE_PATH_ABS.'/'.SITE_STRIP.'/restricted/%04d*.*', $id)) as $item) 
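Review bot: In `deletestrip()` the DELETE now goes through a bound parameter, but the file cleanup right after it still unlinks everything matching `'/%04d*.*'` — the `*` directly after the zero-padded id means that once ids reach five digits, deleting strip 1001 also removes the files of strips 10010–10019, and the `restricted/` glob has the same shape. Anchor the wildcard so a digit cannot follow the id, e.g. `'/%04d.*'` for the main image and `'/%04d[!0-9]*.*'` for suffixed variants, assuming the variants use a non-digit separator — confirm against the naming used by the upload code. `deletestrip`'s body continues past the end of the hunk, and `move_strip()` above calls it before its own UPDATE with no transaction around the pair, so a failure between the two leaves neither strip in place.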
@@ -112,19 +126,19 @@ function deletestrip($id) { } function getstrip($id) { - global $mtdb; - return $mtdb->getRow( 'SELECT id, UNIX_TIMESTAMP(published) as published, type, media, title, book, page FROM strip WHERE id=' . (int)$id); + global $dbConnection; + return $dbConnection->executeQuery('SELECT id, UNIX_TIMESTAMP(published) as published, type, media, title, book, page FROM strip WHERE id = ?', array($id))->fetch(); } function get_stripimage_filename( $strip ) { - global $mtdb; - $ext = $mtdb->getOne( 'SELECT extension FROM media_t WHERE id=' . (int)$strip->media ); // filename extension + global $dbConnection; + $ext = $dbConnection->fetchColumn('SELECT extension FROM media_t WHERE id = ?', array($strip->media)); // filename extension return sprintf( '%s/%04d.%s', SITE_STRIP, $strip->id, $ext ); } function get_stripid_by_rantid($rantid) { - global $mtdb; - return $mtdb->getOne('SELECT MAX(strip.id) FROM strip,rant WHERE strip.published<=rant.published AND rant.id=' . (int)$rantid); + global $dbConnection; + return $dbConnection->fetchColumn('SELECT MAX(strip.id) FROM strip, rant WHERE strip.published <= rant.published AND rant.id = ?', array($rantid)); } ?> diff --git a/include/transcript.php b/include/transcript.php index 2697e25..977f4f0 100644 --- a/include/transcript.php +++ b/include/transcript.php @@ -17,9 +17,9 @@ function bracketbalance($line) // Retrieve transcript for this strip from the database, modifying the strip object. function gettranscript(&$strip) { - global $mtdb; + global $dbConnection; - $result = $mtdb->query('SELECT strip FROM transcript WHERE strip=' . (int)$strip->id ); + $result = $dbConnection->executeQuery('SELECT strip FROM transcript WHERE strip = ?', array($strip->id)); if($result) { 
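Review bot: `getstrip()`, `get_stripimage_filename()` and `get_stripid_by_rantid()` dropped the `(int)` casts the old string-built queries relied on and now pass the raw value as a string-typed bound parameter; that is no longer an injection risk, but MySQL coerces `'5abc'` to 5 with a warning and a non-numeric string compares as 0, so on malformed input the functions quietly return a strip other than the one asked for. Keep the cast at the boundary, e.g. `array((int)$id)`, or pass the type through DBAL's third argument as `array(PDO::PARAM_INT)`. The `gettranscript()` hunk on the same line makes the identical change for `$strip->id` and would benefit from the same treatment.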
@@ -30,16 +30,16 @@ function gettranscript(&$strip) # either way, I care not Might be able to exchange this loop of getOne()s for a getAll() call. */ - $numPanels = $mtdb->getOne( 'SELECT MAX(panel) FROM transcript WHERE transcript.strip=' . (int)$strip->id ); + $numPanels = $dbConnection->fetchColumn('SELECT MAX(panel) FROM transcript WHERE strip = ?', array($strip->id)); if( $numPanels ) { for($i = 1; $i <= $numPanels; $i++) { - $result = $mtdb->query( 'SELECT speaker, speech FROM transcript WHERE transcript.strip=' . (int)$strip->id . ' AND panel=' .$i.' ORDER BY line') - or mtdie("There was an error fetching the panel count in the transcript for $strip->id, panel $i. " . mysqli_error(), 'SQL Error'); + $result = $dbConnection->executeQuery('SELECT speaker, speech FROM transcript WHERE transcript.strip = ? AND panel = ? ORDER BY line', array($strip->id, $i)) + or mtdie("There was an error fetching the panel count in the transcript for $strip->id, panel $i. " . $dbConnection->errorCode(), 'SQL Error'); if(!$result) continue; $output.= "\nnewpanel\n"; - while($row = mysqli_fetch_row($result)) { + while($row = $result->fetch(PDO::FETCH_NUM)) { if(strlen($row[0]) < 1) continue; $output.= $row[0]; 
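Review bot: The error handling in this loop is dead code under DBAL: `executeQuery()` returns a Statement object (always truthy) and throws a `DBALException` on failure, so `or mtdie(...)` and the following `if(!$result) continue;` can never fire, and a query failure now surfaces as an uncaught exception — whose message may include the failing SQL and parameters, and which `display_errors` can put on the admin page. The `if($result)` check in the hunk above has the same problem. Either wrap the query in `try { ... } catch (\Exception $e) { mtdie($e->getMessage(), 'SQL Error'); }` or rely on a global exception handler and drop the dead checks; `$dbConnection->errorCode()` is meaningless after a throw since there is no statement left to report on.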
@@ -56,16 +56,17 @@ function gettranscript(&$strip) // Parse submitted transcript from strip object, and insert it into the database. function savetranscript( &$strip ) { - global $mtdb; + global $dbConnection; $info = ''; - $mtdb->query('START TRANSACTION'); + $dbConnection->beginTransaction(); //remove any old transcript data - it's being replaced - $mtdb->query( 'DELETE FROM transcript WHERE transcript.strip=' . (int)$strip->id ); + $dbConnection->executeUpdate('DELETE FROM transcript WHERE transcript.strip = ?', array($strip->id)); if( $strip->transcript_posted ) { - $inserter = 'INSERT INTO transcript (strip,panel,line,speaker,speech,search) VALUES (%d,%d,%d,"%s","%s","%s")'; + $insert_sql = 'INSERT INTO transcript (strip, panel, line, speaker, speech, search) VALUES (?, ?, ?, ?, ?, ?)'; + $inserter_types = array(PDO::PARAM_INT, PDO::PARAM_INT, PDO::PARAM_INT, PDO::PARAM_STR, PDO::PARAM_STR, PDO::PARAM_STR); if(strpos($strip->transcript_posted, 'Panel <$n>') !== FALSE) { # This is probably a scrivener script @@ -83,11 +84,11 @@ function savetranscript( &$strip ) { $has_spoken = true; for($j = 0; $j < count($lines); $j++) { - $insert_sql = ''; + $inserter_values = array(); if(strpos($lines[$j], '(') === 0) { # Line is a note, add it as a comment - $insert_sql = sprintf($inserter, (int)$strip->id, $i, $j, '#', mysqli_real_escape_string($mtdb->link, $lines[$j]), ''); + $inserter_values = array($strip->id, $i, $j, '#', $lines[$j], ''); } elseif(strpos($lines[$j], '[') === 0 || strlen($lines[$j]) == 0) { # Line is an annotation or blank, do nothing continue; 
@@ -95,13 +96,13 @@ function savetranscript( &$strip ) { # Line contains a list of nonspeaking characters array_splice($lines, $j, 1, array_map('_nospeaker', explode(',', substr($lines[$j], 11)))); $speaker = trim(substr($lines[$j], 11)); - $insert_sql = sprintf($inserter, (int)$strip->id, $i, $j, mysqli_real_escape_string($mtdb->link, $speaker), '', ''); + $inserter_values = array($strip->id, $i, $j, $speaker, '', ''); } elseif($i > 0 && $lines[$j] == strtoupper($lines[$j])) { # Line designates a new speaker, note speaker # Handle speakers who did not say anything if(null !== $speaker && !$has_spoken) - $insert_sql = sprintf($inserter, (int)$strip->id, $i, $j, mysqli_real_escape_string($mtdb->link, $speaker), '', ''); + $inserter_values = array($strip->id, $i, $j, $speaker, '', ''); $speaker = ucfirst(strtolower($lines[$j])); $has_spoken = false; @@ -111,25 +112,24 @@ function savetranscript( &$strip ) { $info .= "

    Warning: Open brackets do not match close brackets in panel $i for speaker ".htmlentities($speaker).'

    '; $search = preg_replace( '/[[:punct:]]|(?<=\s)\s+/', ' ', strtolower($lines[$j]) ); - $insert_sql = sprintf($inserter, (int)$strip->id, $i, $j, mysqli_real_escape_string($mtdb->link, $speaker), - mysqli_real_escape_string($mtdb->link, $lines[$j]), mysqli_real_escape_string($mtdb->link, $search)); + $inserter_values = array($strip->id, $i, $j, $speaker, $lines[$j], $search); $has_spoken = true; } else { # Line is unrecognized, add it as a comment - $insert_sql = sprintf($inserter, (int)$strip->id, $i, $j, '#', mysqli_real_escape_string($mtdb->link, $lines[$j]), ''); + $inserter_values = array($strip->id, $i, $j, '#', $lines[$j], ''); } - if( $insert_sql && false === $mtdb->query( $insert_sql ) ) { - $mtdb->query('ROLLBACK'); - mtdie (mysqli_error($mtdb->link), 'Error inserting transcript.'); + if( $inserter_values && false === $dbConnection->executeUpdate($insert_sql, $inserter_values, $inserter_types) ) { + $dbConnection->rollback(); + mtdie ($dbConnection->errorCode(), 'Error inserting transcript.'); } } if(null !== $speaker && !$has_spoken) { - $insert_sql = sprintf($inserter, (int)$strip->id, $i, $j, mysqli_real_escape_string($mtdb->link, $speaker), '', ''); - if( false === $mtdb->query( $insert_sql ) ) { - $mtdb->query('ROLLBACK'); - mtdie (mysqli_error($mtdb->link), 'Error inserting transcript.'); + $inserter_values = array($strip->id, $i, $j, $speaker, '', ''); + if( false === $dbConnection->executeUpdate($insert_sql, $inserter_values, $inserter_types) ) { + $dbConnection->rollback(); + mtdie ($dbConnection->errorCode(), 'Error inserting transcript.'); } } } @@ -160,17 +160,16 @@ function savetranscript( &$strip ) { if(!bracketbalance($spoken[1])) $info .= "

    Warning: Open brackets do not match close brackets in panel $i for speaker ".htmlentities($spoken[0]).'

    '; - $insert_sql = sprintf($inserter, (int)$strip->id, (int)$i, (int)$j, mysqli_real_escape_string($mtdb->link, $spoken[0]), - mysqli_real_escape_string($mtdb->link, $spoken[1]), mysqli_real_escape_string($mtdb->link, $spoken[2]) ); - if( false === $mtdb->query( $insert_sql ) ) { - $mtdb->query('ROLLBACK'); - mtdie (mysqli_error($mtdb->link), 'Error inserting transcript.'); + $inserter_values = array($strip->id, $i, $j, $spoken[0], $spoken[1], $spoken[2]); + if( false === $dbConnection->executeUpdate($insert_sql, $inserter_values, $inserter_types) ) { + $dbConnection->rollback(); + mtdie ($dbConnection->errorCode(), 'Error inserting transcript.'); } } } } } - $mtdb->query('COMMIT'); + $dbConnection->commit(); return $info; } diff --git a/include/twitter.php b/include/twitter.php index b73dd93..4bab4fa 100644 --- a/include/twitter.php +++ b/include/twitter.php @@ -2,7 +2,9 @@ function twitterpost($message, $user=TWITTER_USER, $password=TWITTER_PASS) { - global $mtdb, $info, $error; + if (!TWITTER_ENABLED) return; + + global $dbConnection, $info, $error; if( $user == '' ) { # preserve existing twitterpost(message) style posting until OAuth has been vetted. $user = TWITTER_USER; @@ -25,7 +27,7 @@ function twitterpost($message, $user=TWITTER_USER, $password=TWITTER_PASS) } else { # OAuth Mode - $row = $mtdb->getRow( sprintf('SELECT id, username, oauth_token, oauth_token_secret FROM twitter_user WHERE username="%s"', mysqli_real_escape_string($mtdb->link, $user))); + $row = $dbConnection->executeQuery('SELECT id, username, oauth_token, oauth_token_secret FROM twitter_user WHERE username = ?', array($user))->fetch(); $username = $row->username; $oauth_token = $row->oauth_token; 
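Review bot: The new kill switch `if (!TWITTER_ENABLED) return;` fails open on PHP 7 if the constant is missing from the config: an undefined constant evaluates to the string `'TWITTER_ENABLED'`, which is truthy, so the guard passes and posting proceeds (on PHP 8 it is a fatal Error instead). Write it as `if (!defined('TWITTER_ENABLED') || !TWITTER_ENABLED) return;` so an absent setting disables posting. `twitterpost()` continues beyond the hunk; it also still accepts a `$password` argument for the non-OAuth branch, which is worth retiring now that the OAuth path exists.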
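Review bot: `$row = ...->fetch()` followed by `$row->username` assumes the connection's fetch mode is `PDO::FETCH_OBJ`; DBAL 2.5 defaults to `FETCH_ASSOC` unless `setFetchMode()` was applied globally (object access is used throughout this commit, so that may be the case — verify), and with an associative array every one of these properties is null and the OAuth request goes out with an empty token and secret. There is also no handling for an unknown `$user`, where `fetch()` returns false. Add `if (!$row) { $error .= 'Unknown Twitter user'; return false; }` after the fetch and request the object form explicitly with `->fetch(PDO::FETCH_OBJ)`. The function body continues past the hunk.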
@@ -53,9 +55,9 @@ function twitterpost($message, $user=TWITTER_USER, $password=TWITTER_PASS) function setOAuthTokens($userid,$oauth_token,$oauth_token_secret, $username) { - global $mtdb; + global $dbConnection; $id = (int)$userid; - if( $mtdb->query( sprintf('UPDATE twitter_user SET oauth_token="%s", oauth_token_secret="%s", username="%s" WHERE id=%d', mysqli_real_escape_string($mtdb->link, $oauth_token), mysqli_real_escape_string($mtdb->link, $oauth_token_secret), mysqli_real_escape_string($mtdb->link, $username), $id )) ) + if ($dbConnection->executeUpdate('UPDATE twitter_user SET oauth_token = ?, oauth_token_secret = ?, username = ? WHERE id = ?', array($oauth_token, $oauth_token_secret, $username, $id))) return true; return false; } diff --git a/include/type.php b/include/type.php index e3741b3..f298165 100644 --- a/include/type.php +++ b/include/type.php @@ -3,21 +3,23 @@ /* Types */ function get_typeByID( $id ) { - global $mtdb; + global $dbConnection; $id = (int)$id; - $r = $mtdb->getRow( 'SELECT id, name, description FROM strip_t WHERE id=' . $id ); - $r->meta = $mtdb->getAll( 'SELECT meta as id from meta where type=' . $id); + $stmt = $dbConnection->executeQuery('SELECT id, name, description FROM strip_t WHERE id = ?', array($id)); + $r = $stmt->fetch(); + $r->meta = $dbConnection->fetchAll('SELECT meta AS id FROM meta WHERE type = ?', array($id)); return $r; } function get_allTypes() { - global $mtdb; - return $mtdb->getRow( 'SELECT id, name, description, meta FROM strip_t' ); + global $dbConnection; + $stmt = $dbConnection->executeQuery('SELECT id, name, description, meta FROM strip_t'); + return $stmt->fetch(); } function get_allMetaTypes() { - global $mtdb; - return $mtdb->getAll("SELECT id, name FROM meta_t"); + global $dbConnection; + return $dbConnection->fetchAll('SELECT id, name FROM meta_t'); } function _getMetaNameFromObject($obj) { diff --git a/include/uploads.php b/include/uploads.php index 796d193..0d9d670 100644 --- a/include/uploads.php 
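Review bot: `setOAuthTokens()` now returns the truthiness of `executeUpdate()`, which is the affected-row count rather than a success flag: re-saving an unchanged token/secret/username yields 0 affected rows from MySQL, so the function reports false on a perfectly good update, and an unknown `$id` reports false identically to a failed query (which DBAL signals by throwing, not by returning). Return true after the call and let the exception propagate, or `try { $dbConnection->executeUpdate(...); return true; } catch (\Exception $e) { return false; }`. Since `oauth_token_secret` is written as-is, a comment noting that read access to this table is equivalent to control of the Twitter account would help whoever next touches the schema.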
+++ b/include/uploads.php @@ -86,11 +86,11 @@ function save_upload_rant_image( $source, $rant ) { function save_upload_rant_attachment( $source, $rant ) { - global $mtdb; + global $dbConnection; $image_data = getimagesize( $source ); - $mtdb->query( "INSERT INTO rant_attachment (rant, media) VALUES ($rant, $image_data[2])" ); - $rant_attachment_id = mysqli_insert_id( $mtdb->link ); + $dbConnection->executeUpdate('INSERT INTO rant_attachment (rant, media) VALUES (?, ?)', array($rant, $image_data[2])); + $rant_attachment_id = $dbConnection->lastInsertId(); if( move_uploaded_file($source, SITE_PATH_ABS.'/'.get_rantattachment_filename($rant_attachment_id) ) ) { $upload_info='

    New rant attachment uploaded for rant '. $rant .'.

    '; diff --git a/include/user.php b/include/user.php index 0a2924a..b658430 100644 --- a/include/user.php +++ b/include/user.php 
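Review bot: `save_upload_rant_attachment()` inserts `$image_data[2]` without checking that `getimagesize($source)` succeeded; for a non-image upload it returns false, `$image_data[2]` is null, the `rant_attachment` row is created with an empty `media`, and `move_uploaded_file()` then stores the file anyway under the extension-less name that `get_rantattachment_filename()` builds from a failed lookup. Reject the upload before touching the database: `if ($image_data === false) { return false; }` (or whatever error convention the caller uses — the function's return is outside the hunk). `$rant` is also passed untyped; bind it as an integer, e.g. `array((int)$rant, $image_data[2])`, so a malformed id cannot be coerced by MySQL onto another rant's row.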
@@ -1,6 +1,6 @@ getRow( 'SELECT id,name,email,nameplate,default_image,default_link FROM contributor WHERE id = ' . (int)$id ); + global $dbConnection; + return $dbConnection->executeQuery('SELECT id, name, email, nameplate, default_image, default_link FROM contributor WHERE id = ?', array($id))->fetch(); } function get_userdatabylogin( $username ) { - global $mtdb; - return $mtdb->getRow( 'SELECT id,name,email,nameplate,default_image,default_link FROM contributor WHERE name = "' . mysqli_real_escape_string($mtdb->link, $username) . '"' ); + global $dbConnection; + return $dbConnection->executeQuery('SELECT id, name, email, nameplate, default_image, default_link FROM contributor WHERE name LIKE ?', array($username))->fetch(); } function save_userdata( $user ) { adminlog("Saved changes to user ".$user->id." (".$user->name.").", MTS_USER, MTA_UPDATE); - global $mtdb; - return $mtdb->query( sprintf( 'UPDATE contributor SET email="%s", nameplate="%s", default_image="%s", default_link="%s" WHERE id=%d', - mysqli_real_escape_string($mtdb->link, $user->email), mysqli_real_escape_string($mtdb->link, $user->nameplate), - mysqli_real_escape_string($mtdb->link, $user->default_image), mysqli_real_escape_string($mtdb->link, $user->default_link), $user->id) ); + global $dbConnection; + + return $dbConnection->executeUpdate('UPDATE contributor SET email = ?, nameplate = ?, default_image = ?, default_link = ? WHERE id = ?', + array($user->email, $user->nameplate, $user->default_image, $user->default_link, $user->id)); } function change_password( $user ) { adminlog("Changed password for user ".$user->id." (".$user->name.").", MTS_USER, MTA_UPDATE); - global $mtdb, $currentuser; + global $dbConnection, $currentuser; if( $currentuser->id === $user->id ) mt_setcookie($user->name, $user->password, false, ADMINURL, FALSE ); - return $mtdb->query( 'UPDATE contributor SET password=SHA1( "' . mysqli_real_escape_string($mtdb->link, $user->password) . '" ) WHERE id = "' . 
mysqli_real_escape_string($mtdb->link, $user->id) . '"' ); + return $dbConnection->executeUpdate('UPDATE contributor SET password = SHA1(?) WHERE id = ?', array($user->password, $user->id)); } ?> diff --git a/index.php b/index.php index dc40a9a..f6c4654 100644 --- a/index.php +++ b/index.php @@ -46,7 +46,7 @@ adminmenu();
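Review bot: `get_userdatabylogin()` changed the lookup from `name = ?` to `name LIKE ?`, which turns the supplied username into a pattern: a login of `%` or `_` matches any contributor and returns the first row, and `a%` matches any name starting with `a`. If this function feeds the login path (the `mt_setcookie($user->name, ...)` call in `change_password()` suggests the name is an identity), that is a user-selection bypass regardless of how the password is checked afterwards; restore `WHERE name = ?`. Separately, `change_password()` still stores an unsalted `SHA1(?)` of the password and the cookie call appears to carry `$user->password` itself — both predate this commit, but since the line is being rewritten anyway, `password_hash()`/`password_verify()` with a separate session token is the follow-up to schedule. The hunk boundaries here look garbled by rendering, so the enclosing functions may extend beyond what is shown.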