secure database functions
parent
7473f0cc4a
commit
4a746679c8
2 changed files with 84 additions and 71 deletions
|
@ -156,12 +156,15 @@ class Database {
|
||||||
{
|
{
|
||||||
$sql = "SELECT * FROM users_config WHERE user_id = ?";
|
$sql = "SELECT * FROM users_config WHERE user_id = ?";
|
||||||
$query = $this->executeQuery($sql, array($id));
|
$query = $this->executeQuery($sql, array($id));
|
||||||
$result = $query->fetchAll();
|
$result = ($query) ? $query->fetchAll() : false;
|
||||||
|
$user_config = false;
|
||||||
|
if ($query) {
|
||||||
$user_config = array();
|
$user_config = array();
|
||||||
|
|
||||||
foreach ($result as $key => $value) {
|
foreach ($result as $key => $value) {
|
||||||
$user_config[$value['name']] = $value['value'];
|
$user_config[$value['name']] = $value['value'];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return $user_config;
|
return $user_config;
|
||||||
}
|
}
|
||||||
|
@ -171,11 +174,7 @@ class Database {
|
||||||
$sql = "SELECT * FROM users WHERE username=?";
|
$sql = "SELECT * FROM users WHERE username=?";
|
||||||
$query = $this->executeQuery($sql, array($username));
|
$query = $this->executeQuery($sql, array($username));
|
||||||
$login = $query->fetchAll();
|
$login = $query->fetchAll();
|
||||||
if (isset($login[0])) {
|
return (isset($login[0]) && $query) ? true : false;
|
||||||
return true;
|
|
||||||
} else {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public function login($username, $password, $isauthenticated = FALSE)
|
public function login($username, $password, $isauthenticated = FALSE)
|
||||||
|
@ -187,10 +186,10 @@ class Database {
|
||||||
$sql = "SELECT * FROM users WHERE username=? AND password=?";
|
$sql = "SELECT * FROM users WHERE username=? AND password=?";
|
||||||
$query = $this->executeQuery($sql, array($username, $password));
|
$query = $this->executeQuery($sql, array($username, $password));
|
||||||
}
|
}
|
||||||
$login = $query->fetchAll();
|
$login = ($query) ? $query->fetchAll() : false;
|
||||||
|
|
||||||
$user = array();
|
$user = array();
|
||||||
if (isset($login[0])) {
|
if ($login[0]) {
|
||||||
$user['id'] = $login[0]['id'];
|
$user['id'] = $login[0]['id'];
|
||||||
$user['username'] = $login[0]['username'];
|
$user['username'] = $login[0]['username'];
|
||||||
$user['password'] = $login[0]['password'];
|
$user['password'] = $login[0]['password'];
|
||||||
|
@ -243,7 +242,7 @@ class Database {
|
||||||
{
|
{
|
||||||
$sql = 'SELECT count(*) FROM users'.( $username ? ' WHERE username=?' : '');
|
$sql = 'SELECT count(*) FROM users'.( $username ? ' WHERE username=?' : '');
|
||||||
$query = $this->executeQuery($sql, ( $username ? array($username) : array()));
|
$query = $this->executeQuery($sql, ( $username ? array($username) : array()));
|
||||||
list($count) = $query->fetch();
|
list($count) = ($query) ? $query->fetch() : false;
|
||||||
return $count;
|
return $count;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -252,7 +251,7 @@ class Database {
|
||||||
$sql = "SELECT * FROM users WHERE id=?";
|
$sql = "SELECT * FROM users WHERE id=?";
|
||||||
$query = $this->executeQuery($sql, array($userID));
|
$query = $this->executeQuery($sql, array($userID));
|
||||||
$password = $query->fetchAll();
|
$password = $query->fetchAll();
|
||||||
return isset($password[0]['password']) ? $password[0]['password'] : null;
|
return ($query) ? $password[0]['password'] : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function deleteUserConfig($userID)
|
public function deleteUserConfig($userID)
|
||||||
|
@ -260,12 +259,13 @@ class Database {
|
||||||
$sql_action = 'DELETE from users_config WHERE user_id=?';
|
$sql_action = 'DELETE from users_config WHERE user_id=?';
|
||||||
$params_action = array($userID);
|
$params_action = array($userID);
|
||||||
$query = $this->executeQuery($sql_action, $params_action);
|
$query = $this->executeQuery($sql_action, $params_action);
|
||||||
return $query;
|
return ($query) ? $query : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function deleteTagsEntriesAndEntries($userID)
|
public function deleteTagsEntriesAndEntries($userID)
|
||||||
{
|
{
|
||||||
$entries = $this->retrieveAll($userID);
|
$entries = $this->retrieveAll($userID);
|
||||||
|
if ($entries) {
|
||||||
foreach($entries as $entryid) {
|
foreach($entries as $entryid) {
|
||||||
$tags = $this->retrieveTagsByEntry($entryid);
|
$tags = $this->retrieveTagsByEntry($entryid);
|
||||||
foreach($tags as $tag) {
|
foreach($tags as $tag) {
|
||||||
|
@ -273,6 +273,9 @@ class Database {
|
||||||
}
|
}
|
||||||
$this->deleteById($entryid,$userID);
|
$this->deleteById($entryid,$userID);
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function deleteUser($userID)
|
public function deleteUser($userID)
|
||||||
|
@ -302,7 +305,7 @@ class Database {
|
||||||
$query = $this->executeQuery($sql, array($user_id));
|
$query = $this->executeQuery($sql, array($user_id));
|
||||||
$entries = $query->fetchAll();
|
$entries = $query->fetchAll();
|
||||||
|
|
||||||
return $entries;
|
return ($query) ? $entries : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveUnfetchedEntriesCount($user_id)
|
public function retrieveUnfetchedEntriesCount($user_id)
|
||||||
|
@ -320,12 +323,13 @@ class Database {
|
||||||
$query = $this->executeQuery($sql, array($user_id));
|
$query = $this->executeQuery($sql, array($user_id));
|
||||||
$entries = $query->fetchAll();
|
$entries = $query->fetchAll();
|
||||||
|
|
||||||
return $entries;
|
return ($query) ? $entries : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveAllWithTags($user_id)
|
public function retrieveAllWithTags($user_id)
|
||||||
{
|
{
|
||||||
$entries = $this->retrieveAll($user_id);
|
$entries = $this->retrieveAll($user_id);
|
||||||
|
if ($entries) {
|
||||||
$count = count($entries);
|
$count = count($entries);
|
||||||
for ($i = 0; $i < $count; $i++) {
|
for ($i = 0; $i < $count; $i++) {
|
||||||
$tag_entries = $this->retrieveTagsByEntry($entries[$i]['id']);
|
$tag_entries = $this->retrieveTagsByEntry($entries[$i]['id']);
|
||||||
|
@ -335,29 +339,28 @@ class Database {
|
||||||
}
|
}
|
||||||
$entries[$i]['tags'] = implode(',', $tags);
|
$entries[$i]['tags'] = implode(',', $tags);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return $entries;
|
return $entries;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveOneById($id, $user_id)
|
public function retrieveOneById($id, $user_id)
|
||||||
{
|
{
|
||||||
$entry = NULL;
|
|
||||||
$sql = "SELECT * FROM entries WHERE id=? AND user_id=?";
|
$sql = "SELECT * FROM entries WHERE id=? AND user_id=?";
|
||||||
$params = array(intval($id), $user_id);
|
$params = array(intval($id), $user_id);
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$entry = $query->fetchAll();
|
$entry = $query->fetchAll();
|
||||||
|
|
||||||
return isset($entry[0]) ? $entry[0] : null;
|
return ($query) ? $entry[0] : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveOneByURL($url, $user_id)
|
public function retrieveOneByURL($url, $user_id)
|
||||||
{
|
{
|
||||||
$entry = NULL;
|
|
||||||
$sql = "SELECT * FROM entries WHERE url=? AND user_id=?";
|
$sql = "SELECT * FROM entries WHERE url=? AND user_id=?";
|
||||||
$params = array($url, $user_id);
|
$params = array($url, $user_id);
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$entry = $query->fetchAll();
|
$entry = $query->fetchAll();
|
||||||
|
|
||||||
return isset($entry[0]) ? $entry[0] : null;
|
return ($query) ? $entry[0] : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function reassignTags($old_entry_id, $new_entry_id)
|
public function reassignTags($old_entry_id, $new_entry_id)
|
||||||
|
@ -395,7 +398,8 @@ class Database {
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$entries = $query->fetchAll();
|
$entries = $query->fetchAll();
|
||||||
|
|
||||||
return $entries;
|
return ($query) ? $entries : false;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getEntriesByViewCount($view, $user_id, $tag_id = 0)
|
public function getEntriesByViewCount($view, $user_id, $tag_id = 0)
|
||||||
|
@ -422,7 +426,7 @@ class Database {
|
||||||
}
|
}
|
||||||
|
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
list($count) = $query->fetch();
|
list($count) = ($query) ? $query->fetch() : array(false);
|
||||||
|
|
||||||
return $count;
|
return $count;
|
||||||
}
|
}
|
||||||
|
@ -445,7 +449,7 @@ class Database {
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$id = $query->fetchAll();
|
$id = $query->fetchAll();
|
||||||
|
|
||||||
return $id;
|
return ($query) ? $id : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getPreviousArticle($id, $user_id)
|
public function getPreviousArticle($id, $user_id)
|
||||||
|
@ -454,7 +458,7 @@ class Database {
|
||||||
$params = array($id, $user_id);
|
$params = array($id, $user_id);
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$id_entry = $query->fetchAll();
|
$id_entry = $query->fetchAll();
|
||||||
$id = $id_entry[0][0];
|
$id = ($query) ? $id_entry[0][0] : false;
|
||||||
return $id;
|
return $id;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -464,7 +468,7 @@ class Database {
|
||||||
$params = array($id, $user_id);
|
$params = array($id, $user_id);
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$id_entry = $query->fetchAll();
|
$id_entry = $query->fetchAll();
|
||||||
$id = $id_entry[0][0];
|
$id = ($query) ? $id_entry[0][0] : false;
|
||||||
return $id;
|
return $id;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -540,7 +544,7 @@ class Database {
|
||||||
$sql_action .= $this->getEntriesOrder().' ' . $limit;
|
$sql_action .= $this->getEntriesOrder().' ' . $limit;
|
||||||
$params_action = array($user_id, $search, $search, $search);
|
$params_action = array($user_id, $search, $search, $search);
|
||||||
$query = $this->executeQuery($sql_action, $params_action);
|
$query = $this->executeQuery($sql_action, $params_action);
|
||||||
return $query->fetchAll();
|
return ($query) ? $query->fetchAll() : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveAllTags($user_id, $term = NULL)
|
public function retrieveAllTags($user_id, $term = NULL)
|
||||||
|
@ -553,23 +557,23 @@ class Database {
|
||||||
GROUP BY tags.id, tags.value
|
GROUP BY tags.id, tags.value
|
||||||
ORDER BY tags.value";
|
ORDER BY tags.value";
|
||||||
$query = $this->executeQuery($sql, (($term)? array($user_id, strtolower('%'.$term.'%')) : array($user_id) ));
|
$query = $this->executeQuery($sql, (($term)? array($user_id, strtolower('%'.$term.'%')) : array($user_id) ));
|
||||||
$tags = $query->fetchAll();
|
$tags = ($query) ? $query->fetchAll() : false;
|
||||||
|
|
||||||
return $tags;
|
return $tags;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveTag($id, $user_id)
|
public function retrieveTag($id, $user_id)
|
||||||
{
|
{
|
||||||
$tag = NULL;
|
|
||||||
$sql = "SELECT DISTINCT tags.* FROM tags
|
$sql = "SELECT DISTINCT tags.* FROM tags
|
||||||
LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
|
LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
|
||||||
LEFT JOIN entries ON tags_entries.entry_id=entries.id
|
LEFT JOIN entries ON tags_entries.entry_id=entries.id
|
||||||
WHERE tags.id=? AND entries.user_id=?";
|
WHERE tags.id=? AND entries.user_id=?";
|
||||||
$params = array(intval($id), $user_id);
|
$params = array(intval($id), $user_id);
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$tag = $query->fetchAll();
|
$tags = ($query) ? $query->fetchAll() : false;
|
||||||
|
$tag = ($query) ? $tags[0] : false;
|
||||||
|
|
||||||
return isset($tag[0]) ? $tag[0] : NULL;
|
return $tag[0];
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveEntriesByTag($tag_id, $user_id)
|
public function retrieveEntriesByTag($tag_id, $user_id)
|
||||||
|
@ -579,7 +583,7 @@ class Database {
|
||||||
LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id
|
LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id
|
||||||
WHERE tags_entries.tag_id = ? AND entries.user_id=? ORDER by entries.id DESC";
|
WHERE tags_entries.tag_id = ? AND entries.user_id=? ORDER by entries.id DESC";
|
||||||
$query = $this->executeQuery($sql, array($tag_id, $user_id));
|
$query = $this->executeQuery($sql, array($tag_id, $user_id));
|
||||||
$entries = $query->fetchAll();
|
$entries = ($query) ? $query->fetchAll() : false;
|
||||||
|
|
||||||
return $entries;
|
return $entries;
|
||||||
}
|
}
|
||||||
|
@ -591,7 +595,7 @@ class Database {
|
||||||
LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
|
LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
|
||||||
WHERE tags_entries.entry_id = ?";
|
WHERE tags_entries.entry_id = ?";
|
||||||
$query = $this->executeQuery($sql, array($entry_id));
|
$query = $this->executeQuery($sql, array($entry_id));
|
||||||
$tags = $query->fetchAll();
|
$tags = ($query) ? $query->fetchAll() : false;
|
||||||
|
|
||||||
return $tags;
|
return $tags;
|
||||||
}
|
}
|
||||||
|
@ -601,18 +605,19 @@ class Database {
|
||||||
$sql_action = "DELETE FROM tags_entries WHERE tag_id=? AND entry_id=?";
|
$sql_action = "DELETE FROM tags_entries WHERE tag_id=? AND entry_id=?";
|
||||||
$params_action = array($tag_id, $entry_id);
|
$params_action = array($tag_id, $entry_id);
|
||||||
$query = $this->executeQuery($sql_action, $params_action);
|
$query = $this->executeQuery($sql_action, $params_action);
|
||||||
return $query;
|
return ($query) ? $query : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function cleanUnusedTag($tag_id)
|
public function cleanUnusedTag($tag_id)
|
||||||
{
|
{
|
||||||
$sql_action = "SELECT tags.* FROM tags JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?";
|
$sql_action = "SELECT tags.* FROM tags JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?";
|
||||||
$query = $this->executeQuery($sql_action,array($tag_id));
|
$query = $this->executeQuery($sql_action,array($tag_id));
|
||||||
$tagstokeep = $query->fetchAll();
|
$tagstokeep = ($query) ? $query->fetchAll() : false;
|
||||||
$sql_action = "SELECT tags.* FROM tags LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?";
|
$sql_action = "SELECT tags.* FROM tags LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?";
|
||||||
$query = $this->executeQuery($sql_action,array($tag_id));
|
$query = $this->executeQuery($sql_action,array($tag_id));
|
||||||
$alltags = $query->fetchAll();
|
$alltags = ($query) ? $query->fetchAll() : false;
|
||||||
|
|
||||||
|
if ($tagstokeep && $alltags) {
|
||||||
foreach ($alltags as $tag) {
|
foreach ($alltags as $tag) {
|
||||||
if ($tag && !in_array($tag,$tagstokeep)) {
|
if ($tag && !in_array($tag,$tagstokeep)) {
|
||||||
$sql_action = "DELETE FROM tags WHERE id=?";
|
$sql_action = "DELETE FROM tags WHERE id=?";
|
||||||
|
@ -621,18 +626,19 @@ class Database {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function retrieveTagByValue($value)
|
public function retrieveTagByValue($value)
|
||||||
{
|
{
|
||||||
$tag = NULL;
|
|
||||||
$sql = "SELECT * FROM tags WHERE value=?";
|
$sql = "SELECT * FROM tags WHERE value=?";
|
||||||
$params = array($value);
|
$params = array($value);
|
||||||
$query = $this->executeQuery($sql, $params);
|
$query = $this->executeQuery($sql, $params);
|
||||||
$tag = $query->fetchAll();
|
$tag = ($query) ? $query->fetchAll() : false;
|
||||||
|
|
||||||
return isset($tag[0]) ? $tag[0] : null;
|
return ($query) ? $tag[0] : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function createTag($value)
|
public function createTag($value)
|
||||||
|
@ -640,7 +646,7 @@ class Database {
|
||||||
$sql_action = 'INSERT INTO tags ( value ) VALUES (?)';
|
$sql_action = 'INSERT INTO tags ( value ) VALUES (?)';
|
||||||
$params_action = array($value);
|
$params_action = array($value);
|
||||||
$query = $this->executeQuery($sql_action, $params_action);
|
$query = $this->executeQuery($sql_action, $params_action);
|
||||||
return $query;
|
return ($query) ? $query : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function setTagToEntry($tag_id, $entry_id)
|
public function setTagToEntry($tag_id, $entry_id)
|
||||||
|
@ -648,7 +654,7 @@ class Database {
|
||||||
$sql_action = 'INSERT INTO tags_entries ( tag_id, entry_id ) VALUES (?, ?)';
|
$sql_action = 'INSERT INTO tags_entries ( tag_id, entry_id ) VALUES (?, ?)';
|
||||||
$params_action = array($tag_id, $entry_id);
|
$params_action = array($tag_id, $entry_id);
|
||||||
$query = $this->executeQuery($sql_action, $params_action);
|
$query = $this->executeQuery($sql_action, $params_action);
|
||||||
return $query;
|
return ($query) ? $query : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
private function getEntriesOrder()
|
private function getEntriesOrder()
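Review bot: In most of the touched readers the new `($query)` test runs only after `$query->fetchAll()` has already been called, so a failed `executeQuery()` (presumably returning false, as the guards imply) still ends in a method call on a non-object instead of the intended `false` return. The order is visible in full in retrieveOneById and retrieveOneByURL, and the same pattern appears in the hunks at -171, -252, -302, -320, -395, -445, -454 and -464, whose functions start outside the hunk. Guard the fetch itself and keep the removed `isset()` so an empty result does not index a missing row: `$entry = ($query) ? $query->fetchAll() : false;` followed by `return isset($entry[0]) ? $entry[0] : false;`. Callers that previously compared against `null` for "not found" will need to accept `false` as well, so a short docblock stating the failure value on each method would help.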
|
||||||
|
|
|
@ -599,7 +599,7 @@ class Poche
|
||||||
|
|
||||||
$count = $this->store->getEntriesByViewCount($view, $this->user->getId(), $id);
|
$count = $this->store->getEntriesByViewCount($view, $this->user->getId(), $id);
|
||||||
|
|
||||||
if ($count > 0) {
|
if ($count && $count > 0) {
|
||||||
$this->pagination->set_total($count);
|
$this->pagination->set_total($count);
|
||||||
$page_links = str_replace(array('previous', 'next'), array(_('previous'), _('next')),
|
$page_links = str_replace(array('previous', 'next'), array(_('previous'), _('next')),
|
||||||
$this->pagination->page_links('?view=' . $view . '&sort=' . $_SESSION['sort'] . (($id)?'&id='.$id:'') . '&' ));
|
$this->pagination->page_links('?view=' . $view . '&sort=' . $_SESSION['sort'] . (($id)?'&id='.$id:'') . '&' ));
|
||||||
|
@ -907,10 +907,14 @@ class Poche
|
||||||
header('Content-Disposition: attachment; filename='.$filename);
|
header('Content-Disposition: attachment; filename='.$filename);
|
||||||
|
|
||||||
$entries = $this->store->retrieveAllWithTags($this->user->getId());
|
$entries = $this->store->retrieveAllWithTags($this->user->getId());
|
||||||
|
if ($entries) {
|
||||||
echo $this->tpl->render('export.twig', array(
|
echo $this->tpl->render('export.twig', array(
|
||||||
'export' => Tools::renderJson($entries),
|
'export' => Tools::renderJson($entries),
|
||||||
));
|
));
|
||||||
Tools::logm('export view');
|
Tools::logm('export view');
|
||||||
|
} else {
|
||||||
|
Tools::logm('error accessing database while exporting');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -986,7 +990,7 @@ class Poche
|
||||||
if (0 == $limit) {
|
if (0 == $limit) {
|
||||||
$limit = count($entries);
|
$limit = count($entries);
|
||||||
}
|
}
|
||||||
if (count($entries) > 0) {
|
if ($entries && count($entries) > 0) {
|
||||||
for ($i = 0; $i < min(count($entries), $limit); $i++) {
|
for ($i = 0; $i < min(count($entries), $limit); $i++) {
|
||||||
$entry = $entries[$i];
|
$entry = $entries[$i];
|
||||||
$newItem = $feed->createNewItem();
|
$newItem = $feed->createNewItem();
|
||||||
|
@ -998,7 +1002,10 @@ class Poche
|
||||||
$feed->addItem($newItem);
|
$feed->addItem($newItem);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Tools::logm("database error while generating feeds");
|
||||||
|
}
|
||||||
$feed->genarateFeed();
|
$feed->genarateFeed();
|
||||||
exit;
|
exit;
|
||||||
}
|
}
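Review bot: The new `if ($entries)` in the export hunk and `$entries && count($entries) > 0` in the feed hunk treat an empty result the same as a failed query, because an empty array is falsy in PHP; an account with no entries would then be logged as 'error accessing database while exporting' or 'database error while generating feeds'. Test the failure value explicitly, for example `if ($entries !== false)` around the export render and `if ($entries === false) { Tools::logm("database error while generating feeds"); }` ahead of the feed loop. In the export path the `Content-Disposition` header is sent before the check, so the failure branch still delivers an attachment with an empty body and no error status. In the feed hunk `count($entries)` inside the `0 == $limit` branch also runs before the guard, and both functions start outside their hunks.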
|
||||||
|
|