

Added SQL Injection protection, refactored, XSS fixes, installation p…
…re-requisite checks. Fully using PDO now, no mysql().
stephenlawrence committed Dec 24, 2014
1 parent 42f2846 commit 3d9ba0f
Showing 67 changed files with 4,617 additions and 3,716 deletions.
28 changes: 19 additions & 9 deletions AccessLog_class.php
Expand Up @@ -29,9 +29,9 @@ class AccessLog extends Plugin {

var $accesslog='';

/*
/**
* AccessLog constructor for the AccessLog plugin
* @param string $_AccessLog Message to display
* @param string $_accesslog Message to display
*/
function AccessLog($_accesslog='') {
$this->name = 'AccessLog';
Expand All @@ -43,22 +43,22 @@ function AccessLog($_accesslog='') {
$this->accesslog = $_accesslog;
}

/*
/**
* @param string $_var The string to display
*/
function setAccessLog($_var) {
$this->accesslog = $_var;
}

/*
/**
* @returns string $var Get the value of accesslog var
*/
function getAccessLog() {
$var = $this->accesslog;
return $var;
}

/*
/**
* Draw the admin menu
* Required if you want an admin menu to show for your plugin
*/
Expand All @@ -68,20 +68,30 @@ function onAdminMenu()
$GLOBALS['smarty']->display('file:' . $curdir . '/templates/accesslog.tpl');
}

/*
/**
* Create the entry into the access_log database
* @param int $fileId
* @param string $type The type of entry to describe what happened
* @param PDO $pdo
*/
static function addLogEntry($fileId, $type)
static function addLogEntry($fileId, $type, PDO $pdo)
{
if ($fileId == 0)
{
global $id;
$fileId = $id;
}
$query = "INSERT INTO {$GLOBALS['CONFIG']['db_prefix']}access_log (file_id,user_id,timestamp,action) VALUES ( '$fileId', '$_SESSION[uid]',NOW(), '$type')";
$result = mysql_query($query, $GLOBALS['connection']) or die("Error in query: $query. " . mysql_error());

$query = "INSERT INTO {$GLOBALS['CONFIG']['db_prefix']}access_log (file_id,user_id,timestamp,action) VALUES ( :file_id, :uid, NOW(), :type)";
$stmt = $pdo->prepare($query);
$stmt->execute(
array(
':file_id' => $fileId,
':uid' => $_SESSION['uid'],
':type' => $type
)
);

}

}
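Review bot: The return value of `$stmt->execute(...)` in `addLogEntry` is discarded, and a `prepare()` that returns `false` would make the following `execute` call fatal, so a failed insert goes unnoticed unless the handle was created with `PDO::ERRMODE_EXCEPTION`, which this hunk cannot show; the old code at least died on a query error. Suggest `$stmt = $pdo->prepare($query); if ($stmt === false || !$stmt->execute(array(...))) { throw new RuntimeException('access_log insert failed'); }`. Separately, `$_SESSION['uid']` is read unguarded, and `$fileId == 0` is a loose comparison that also matches non-numeric strings, so such a `$fileId` silently falls back to the global `$id`; `isset($_SESSION['uid'])` and `(int) $fileId === 0` would make both explicit. The table name is still interpolated from `$GLOBALS['CONFIG']['db_prefix']`, which is acceptable only as long as that prefix is trusted configuration and never user-controlled.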
15 changes: 8 additions & 7 deletions Category_class.php
Expand Up @@ -23,21 +23,22 @@

class Category
{
/*
/**
* getAllCategories - Returns an array of all the categories
* @param PDO $pdo
* @returns array
*/

public static function getAllCategories()
public static function getAllCategories(PDO $pdo)
{
// query to get a list of available users
$query = "SELECT id, name FROM {$GLOBALS['CONFIG']['db_prefix']}category ORDER BY name";
$result = mysql_query($query, $GLOBALS['connection']) or die("Error in query: $query. " . mysql_error());
while ($row = mysql_fetch_assoc($result))
{
$stmt = $pdo->prepare($query);
$stmt->execute();
$result = $stmt->fetchAll();

foreach($result as $row) {
$categoryListArray[] = $row;
}
mysql_free_result ($result);
return $categoryListArray;
}

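Review bot: `$categoryListArray` in `getAllCategories` is never initialised, so when the `category` table is empty the `foreach` body never runs and the method returns `null` rather than the `array` its docblock promises; add `$categoryListArray = array();` before the loop, or simply `return $stmt->fetchAll(PDO::FETCH_ASSOC);`. Note also that `fetchAll()` without a mode uses the connection's default, which is `PDO::FETCH_BOTH` unless `PDO::ATTR_DEFAULT_FETCH_MODE` was set where the handle is created (not visible here), so each row now carries numeric keys alongside the names that the old `mysql_fetch_assoc` loop never produced, and any caller iterating a row would see doubled entries. The inline comment `// query to get a list of available users` describes the wrong table and should read `// query to get a list of all categories`.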
31 changes: 19 additions & 12 deletions Department_class.php
@@ -1,10 +1,10 @@
<?php
/*
Department_class.php - Department class is an extended class of the abstractive databaseData
Department_class.php - Department class is an extended class of the abstract databaseData
class. The only difference is that it provides it's own constructor to handle its own
characteristics.
Copyright (C) 2002-2004 Stephen Lawrence Jr., Khoa Nguyen
Copyright (C) 2005-2010 Stephen Lawrence Jr.
Copyright (C) 2005-2015 Stephen Lawrence Jr.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
Expand All @@ -26,32 +26,39 @@ class. The only difference is that it provides it's own constructor to handle i
define('Department_class', 'true', false);
class Department extends databaseData
{
function Department($id, $connection, $database)
protected $connection;
/**
* @param int $id
* @param PDO $connection
*/
function Department($id, PDO $connection)
{
$this->field_name = 'name';
$this->field_id = 'id';
$this->result_limit = 1; //there is only 1 department with a certain department_id and department_name
$this->tablename = $this->TABLE_DEPARTMENT;
databaseData::databaseData($id, $connection, $database);
databaseData::databaseData($id, $connection);
}

/*
/**
* Function: getAllDepartments
* Get a list of department names and ids sorted by name
*
* @param PDO $pdo
* @returns array
*/

static function getAllDepartments()
static function getAllDepartments(PDO $pdo)
{
$departments = array();
$query = "SELECT name, id FROM {$GLOBALS['CONFIG']['db_prefix']}department ORDER by name";
$result = mysql_query($query, $GLOBALS['connection']) or die("Error in query: $query. " . mysql_error());
$stmt = $pdo->prepare($query);
$stmt->execute();
$result = $stmt->fetchAll();

$count = 0;
while (list($dept_name, $dept_id) = mysql_fetch_row($result))
{
$departments[$count]['id'] = $dept_id;
$departments[$count]['name'] = $dept_name;
foreach ($result as $row) {
$departments[$count]['id'] = $row['id'];
$departments[$count]['name'] = $row['name'];
$count++;
}
return $departments;
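Review bot: `getAllDepartments` reads `$row['id']` and `$row['name']` from a `fetchAll()` called without a fetch mode, so it relies on the default `PDO::FETCH_BOTH` (or on `PDO::ATTR_DEFAULT_FETCH_MODE` having been set where the handle is created, which this hunk cannot show); `$result = $stmt->fetchAll(PDO::FETCH_ASSOC);` removes that dependency and matches the columns the query names. The hand-maintained `$count` index can go as well: `$departments[] = array('id' => $row['id'], 'name' => $row['name']);` builds the same list. The new `protected $connection` property is declared but never assigned in the visible constructor, which hands the handle straight to `databaseData::databaseData($id, $connection)`; if the parent already stores it the redeclaration is redundant, and if it does not the property stays null. Dropping the `$database` parameter from `Department()` changes the constructor signature, so every `new Department(...)` call site presumably needs updating in the same commit.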
