Fix the other queries too

2025-05-03 22:02:23 +03:00 · 2014-07-04 11:52:11 +02:00 · 2014-07-04 11:52:11 +02:00 · ca6c953818
commit ca6c953818
parent 340d297f71
2 changed files with 21 additions and 5 deletions
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@ -30,9 +30,16 @@ function get_all_users() {
 function get_pw($username) {
    $db = get_db();
-    $pw = $db->querySingle("SELECT password FROM users WHERE emailaddress = '".$username."'");
+    $q = $db->prepare('SELECT password FROM users WHERE emailaddress = ? LIMIT 1');
    $q->bindValue(1, $username, SQLITE_TEXT);
    $result = $q->execute();
    $pw = $result->fetchArray(SQLITE3_ASSOC);
    $db->close();
-    return $pw;
+    if (isset($pw['password'])) {
        return $pw['password'];
    }
    return FALSE;
 }
 function add_user($username, $isadmin = '0', $password = FALSE) {
@ -44,7 +51,11 @@ function add_user($username, $isadmin = '0', $password = FALSE) {
    }
    $db = get_db();
-    $ret = $db->exec("INSERT OR REPLACE INTO users (emailaddress, password, isadmin) VALUES ('".$username."', '".$password."', $isadmin)");
+    $q = $db->prepare('INSERT OR REPLACE INTO users (emailaddress, password, isadmin) VALUES (?, ?, ?)');
    $q->bindValue(1, $username, SQLITE3_TEXT);
    $q->bindValue(2, $password, SQLITE3_TEXT);
    $q->bindValue(3, $isadmin, SQLITE3_INTEGER);
    $ret = $q->execute();
    $db->close();
    return $ret;
@ -52,7 +63,9 @@ function add_user($username, $isadmin = '0', $password = FALSE) {
 function delete_user($id) {
    $db = get_db();
-    $ret = $db->exec("DELETE FROM users WHERE id = $id");
+    $q = $db->prepare('DELETE FROM users WHERE id = ?');
    $q->bindValue(1, $id, SQLITE3_INTEGER);
    $ret = $q->execute();
    $db->close();
    return $ret;
--- a/includes/session.inc.php
+++ b/includes/session.inc.php
@ -44,7 +44,10 @@ function try_login() {
            return FALSE;
        }
        $db = get_db();
-        $userinfo = $db->querySingle("SELECT * FROM users WHERE emailaddress = '".$_POST['username']."'", 1);
+        $q = $db->prepare('SELECT * FROM users WHERE emailaddress = ?');
        $q->bindValue(1, $_POST['username']);
        $result = $q->execute();
        $userinfo = $result->fetchArray(SQLITE3_ASSOC);
        if (isset($userinfo['password']) and (crypt($_POST['password'], $userinfo['password']) == $userinfo['password'])) {
            set_logged_in($_POST['username']);
            if (isset($userinfo['isadmin']) && $userinfo['isadmin'] == 1) {