summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rwxr-xr-xSQL/postgres.initial.sql8
-rw-r--r--index.php8
-rw-r--r--program/include/cache.inc69
-rw-r--r--program/include/main.inc52
-rwxr-xr-xprogram/include/rcube_db.inc53
-rwxr-xr-xprogram/include/rcube_mdb2.inc42
-rw-r--r--program/include/session.inc87
-rw-r--r--program/steps/addressbook/delete.inc38
-rw-r--r--program/steps/addressbook/edit.inc13
-rw-r--r--program/steps/addressbook/func.inc35
-rw-r--r--program/steps/addressbook/list.inc26
-rw-r--r--program/steps/addressbook/save.inc49
-rw-r--r--program/steps/addressbook/show.inc13
-rw-r--r--program/steps/mail/addcontact.inc25
-rw-r--r--program/steps/mail/compose.inc34
-rw-r--r--program/steps/mail/sendmail.inc14
-rw-r--r--program/steps/settings/delete_identity.inc12
-rw-r--r--program/steps/settings/edit_identity.inc13
-rw-r--r--program/steps/settings/func.inc18
-rw-r--r--program/steps/settings/save_identity.inc44
-rw-r--r--program/steps/settings/save_prefs.inc15
21 files changed, 343 insertions, 325 deletions
diff --git a/SQL/postgres.initial.sql b/SQL/postgres.initial.sql
index 01b36af64..29c134d14 100755
--- a/SQL/postgres.initial.sql
+++ b/SQL/postgres.initial.sql
@@ -117,11 +117,11 @@ CREATE TABLE identities (
del boolean DEFAULT false NOT NULL,
"default" boolean DEFAULT false NOT NULL,
name character varying(128) NOT NULL,
- organization character varying(128) NOT NULL,
+ organization character varying(128),
email character varying(128) NOT NULL,
- "reply-to" character varying(128) NOT NULL,
- bcc character varying(128) NOT NULL,
- signature text NOT NULL
+ "reply-to" character varying(128),
+ bcc character varying(128),
+ signature text
);
diff --git a/index.php b/index.php
index d5b2db0e3..c80100a33 100644
--- a/index.php
+++ b/index.php
@@ -51,17 +51,19 @@ if ($CURRENT_PATH!='')
$CURRENT_PATH.='/';
// set environment first
-ini_set('include_path', ini_get('include_path').PATH_SEPARATOR.$INSTALL_PATH.PATH_SEPARATOR.$CURRENT_PATH.'program'.PATH_SEPARATOR.$CURRENT_PATH.'program/lib');
+// RC include folders MUST be included FIRST to avoid other
+// possible not compatible libraries (i.e PEAR) to be included
+// instead the ones provided by RC
+ini_set('include_path', $INSTALL_PATH.PATH_SEPARATOR.$CURRENT_PATH.'program'.PATH_SEPARATOR.$CURRENT_PATH.'program/lib'.PATH_SEPARATOR.ini_get('include_path'));
+
ini_set('session.name', 'sessid');
ini_set('session.use_cookies', 1);
ini_set('error_reporting', E_ALL&~E_NOTICE);
-
// increase maximum execution time for php scripts
// (does not work in safe mode)
@set_time_limit('120');
-
// include base files
require_once('include/rcube_shared.inc');
require_once('include/rcube_imap.inc');
diff --git a/program/include/cache.inc b/program/include/cache.inc
index b1e6b9317..ec8d7c046 100644
--- a/program/include/cache.inc
+++ b/program/include/cache.inc
@@ -25,13 +25,12 @@ function rcube_read_cache($key)
global $DB, $CACHE_KEYS;
// query db
- $sql_result = $DB->query(sprintf("SELECT cache_id, data
- FROM %s
- WHERE user_id=%d
- AND cache_key='%s'",
- get_table_name('cache'),
- $_SESSION['user_id'],
- $key));
+ $sql_result = $DB->query("SELECT cache_id, data
+ FROM ".get_table_name('cache')."
+ WHERE user_id=?
+ AND cache_key=?",
+ $_SESSION['user_id'],
+ $key);
// get cached data
if ($sql_arr = $DB->fetch_assoc($sql_result))
@@ -53,13 +52,12 @@ function rcube_write_cache($key, $data, $session_cache=FALSE)
// check if we already have a cache entry for this key
if (!isset($CACHE_KEYS[$key]))
{
- $sql_result = $DB->query(sprintf("SELECT cache_id
- FROM %s
- WHERE user_id=%d
- AND cache_key='%s'",
- get_table_name('cache'),
- $_SESSION['user_id'],
- $key));
+ $sql_result = $DB->query("SELECT cache_id
+ FROM ".get_table_name('cache')."
+ WHERE user_id=?
+ AND cache_key=?",
+ $_SESSION['user_id'],
+ $key);
if ($sql_arr = $DB->fetch_assoc($sql_result))
$CACHE_KEYS[$key] = $sql_arr['cache_id'];
@@ -70,27 +68,25 @@ function rcube_write_cache($key, $data, $session_cache=FALSE)
// update existing cache record
if ($CACHE_KEYS[$key])
{
- $DB->query(sprintf("UPDATE %s
- SET created=NOW(),
- data='%s'
- WHERE user_id=%d
- AND cache_key='%s'",
- get_table_name('cache'),
- addslashes($data),
- $_SESSION['user_id'],
- $key));
+ $DB->query("UPDATE ".get_table_name('cache')."
+ SET created=NOW(),
+ data=?
+ WHERE user_id=?
+ AND cache_key=?",
+ $data,
+ $_SESSION['user_id'],
+ $key);
}
// add new cache record
else
{
- $DB->query(sprintf("INSERT INTO %s
- (created, user_id, session_id, cache_key, data)
- VALUES (NOW(), %d, %s, '%s', '%s')",
- get_table_name('cache'),
- $_SESSION['user_id'],
- $session_cache ? "'$sess_id'" : 'NULL',
- $key,
- addslashes($data)));
+ $DB->query("INSERT INTO ".get_table_name('cache')."
+ (created, user_id, session_id, cache_key, data)
+ VALUES (NOW(), ?, ?, ?', ?)",
+ $_SESSION['user_id'],
+ $session_cache ? $sess_id : 'NULL',
+ $key,
+ $data);
}
}
@@ -100,12 +96,11 @@ function rcube_clear_cache($key)
{
global $DB;
- $DB->query(sprintf("DELETE FROM %s
- WHERE user_id=%d
- AND cache_key='%s'",
- get_table_name('cache'),
- $_SESSION['user_id'],
- $key));
+ $DB->query("DELETE FROM ".get_table_name('cache')."
+ WHERE user_id=?
+ AND cache_key=?",
+ $_SESSION['user_id'],
+ $key);
}
diff --git a/program/include/main.inc b/program/include/main.inc
index a7020c75f..0e206166e 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -263,13 +263,12 @@ function rcmail_login($user, $pass, $host=NULL)
}
// query if user already registered
- $sql_result = $DB->query(sprintf("SELECT user_id, username, language, preferences
- FROM %s
- WHERE mail_host='%s' AND (username='%s' OR alias='%s')",
- get_table_name('users'),
- addslashes($host),
- addslashes($user),
- addslashes($user)));
+ $sql_result = $DB->query("SELECT user_id, username, language, preferences
+ FROM ".get_table_name('users')."
+ WHERE mail_host=? AND (username=? OR alias=?)",
+ $host,
+ $user,
+ $user);
// user already registered -> overwrite username
if ($sql_arr = $DB->fetch_assoc($sql_result))
@@ -299,11 +298,10 @@ function rcmail_login($user, $pass, $host=NULL)
$sess_user_lang = $_SESSION['user_lang'] = $sql_arr['language'];
// update user's record
- $DB->query(sprintf("UPDATE %s
- SET last_login=NOW()
- WHERE user_id=%d",
- get_table_name('users'),
- $user_id));
+ $DB->query("UPDATE ".get_table_name('users')."
+ SET last_login=NOW()
+ WHERE user_id=?",
+ $user_id);
}
// create new system user
else if ($CONFIG['auto_create_user'])
@@ -336,27 +334,25 @@ function rcmail_create_user($user, $host)
{
global $DB, $CONFIG, $IMAP;
- $DB->query(sprintf("INSERT INTO %s
- (created, last_login, username, mail_host, language)
- VALUES (NOW(), NOW(), '%s', '%s', '%s')",
- get_table_name('users'),
- addslashes($user),
- addslashes($host),
- $_SESSION['user_lang']));
-
- if ($user_id = $DB->insert_id())
+ $DB->query("INSERT INTO ".get_table_name('users')."
+ (created, last_login, username, mail_host, language)
+ VALUES (NOW(), NOW(), ?, ?, ?)",
+ $user,
+ $host,
+ $_SESSION['user_lang']);
+
+ if ($user_id = $DB->insert_id('user_ids'))
{
$user_email = strstr($user, '@') ? $user : sprintf('%s@%s', $user, $host);
$user_name = $user!=$user_email ? $user : '';
// also create a new identity record
- $DB->query(sprintf("INSERT INTO %s
- (user_id, `default`, name, email)
- VALUES (%d, '1', '%s', '%s')",
- get_table_name('identities'),
- $user_id,
- addslashes($user_name),
- addslashes($user_email)));
+ $DB->query("INSERT INTO ".get_table_name('identities')."
+ (user_id, `default`, name, email)
+ VALUES (?, '1', ?, ?)",
+ $user_id,
+ $user_name,
+ $user_email);
// get existing mailboxes
$a_mailboxes = $IMAP->list_mailboxes();
diff --git a/program/include/rcube_db.inc b/program/include/rcube_db.inc
index f732da298..e83565843 100755
--- a/program/include/rcube_db.inc
+++ b/program/include/rcube_db.inc
@@ -101,9 +101,27 @@ class rcube_db
$this->db_connected = true;
}
- // Query database (read operations)
+ // Query database
- function query($query, $offset=0, $numrows=0)
+ function query()
+ {
+ $params = func_get_args();
+ $query = array_shift($params);
+
+ return $this->_query($query, 0, 0, $params);
+ }
+
+ function limitquery()
+ {
+ $params = func_get_args();
+ $query = array_shift($params);
+ $offset = array_shift($params);
+ $numrows = array_shift($params);
+
+ return $this->_query($query, $offset, $numrows, $params);
+ }
+
+ function _query($query, $offset, $numrows, $params)
{
// Read or write ?
if (strtolower(trim(substr($query,0,6)))=='select')
@@ -118,18 +136,21 @@ class rcube_db
if ($numrows || $offset)
{
- $result = $this->db_handle->limitQuery($query,$offset,$numrows);
+ $result = $this->db_handle->limitQuery($query,$offset,$numrows,$params);
}
else
- $result = $this->db_handle->query($query);
-
+ $result = $this->db_handle->query($query,$params);
+
if (DB::isError($result))
+ {
raise_error(array('code' => 500,
'type' => 'db',
'line' => __LINE__,
'file' => __FILE__,
'message' => $result->getMessage()), TRUE, FALSE);
-
+ return false;
+ }
+
return $this->_add_result($result, $query);
}
@@ -196,6 +217,26 @@ class rcube_db
return $result->fetchRow(DB_FETCHMODE_ASSOC);
}
+ function quoteIdentifier ( $str )
+ {
+ if (!$this->db_handle)
+ $this->db_connect('r');
+
+ return $this->db_handle->quoteIdentifier($str);
+ }
+
+ function unixtimestamp($field)
+ {
+ switch($this->db_provider)
+ {
+ case 'pgsql':
+ return "EXTRACT (EPOCH FROM $field)";
+ break;
+ default:
+ return "UNIX_TIMESTAMP($field)";
+ }
+ }
+
function _add_result($res, $query)
{
// sql error occured
diff --git a/program/include/rcube_mdb2.inc b/program/include/rcube_mdb2.inc
index cd394a878..a61f0b899 100755
--- a/program/include/rcube_mdb2.inc
+++ b/program/include/rcube_mdb2.inc
@@ -101,9 +101,27 @@ class rcube_db
$this->db_connected = true;
}
- // Query database (read operations)
+ // Query database
- function query($query, $offset=0, $numrows=0)
+ function query()
+ {
+ $params = func_get_args();
+ $query = array_shift($params);
+
+ return $this->_query($query, 0, 0, $params);
+ }
+
+ function limitquery()
+ {
+ $params = func_get_args();
+ $query = array_shift($params);
+ $offset = array_shift($params);
+ $numrows = array_shift($params);
+
+ return $this->_query($query, $offset, $numrows, $params);
+ }
+
+ function _query($query, $offset, $numrows, $params)
{
// Read or write ?
if (strtolower(trim(substr($query,0,6)))=='select')
@@ -175,6 +193,26 @@ class rcube_db
return $result->fetchRow(MDB2_FETCHMODE_ASSOC);
}
+ function quoteIdentifier ( $str )
+ {
+ if (!$this->db_handle)
+ $this->db_connect('r');
+
+ return $this->db_handle->quoteIdentifier($str);
+ }
+
+ function unixtimestamp($field)
+ {
+ switch($this->db_provider)
+ {
+ case 'pgsql':
+ return "EXTRACT (EPOCH FROM $field)";
+ break;
+ default:
+ return "UNIX_TIMESTAMP($field)";
+ }
+ }
+
function _add_result($res, $query)
{
// sql error occured
diff --git a/program/include/session.inc b/program/include/session.inc
index ca2b0b4ce..ccca0a920 100644
--- a/program/include/session.inc
+++ b/program/include/session.inc
@@ -38,11 +38,10 @@ function sess_read($key)
{
global $DB, $SESS_CHANGED;
- $sql_result = $DB->query(sprintf("SELECT vars, ip, UNIX_TIMESTAMP(changed) AS changed
- FROM %s
- WHERE sess_id='%s'",
- get_table_name('session'),
- $key));
+ $sql_result = $DB->query("SELECT vars, ip, ".$DB->unixtimestamp('changed')." AS changed
+ FROM ".get_table_name('session')."
+ WHERE sess_id=?",
+ $key);
if ($sql_arr = $DB->fetch_assoc($sql_result))
{
@@ -61,32 +60,29 @@ function sess_write($key, $vars)
{
global $DB;
- $sql_result = $DB->query(sprintf("SELECT 1
- FROM %s
- WHERE sess_id='%s'",
- get_table_name('session'),
- $key));
+ $sql_result = $DB->query("SELECT 1
+ FROM ".get_table_name('session')."
+ WHERE sess_id=?",
+ $key);
if ($DB->num_rows($sql_result))
{
session_decode($vars);
- $DB->query(sprintf("UPDATE %s
- SET vars='%s',
- changed=NOW()
- WHERE sess_id='%s'",
- get_table_name('session'),
- $vars,
- $key));
+ $DB->query("UPDATE ".get_table_name('session')."
+ SET vars=?,
+ changed=NOW()
+ WHERE sess_id=?",
+ $vars,
+ $key);
}
else
{
- $DB->query(sprintf("INSERT INTO %s
- (sess_id, vars, ip, created, changed)
- VALUES ('%s', '%s', '%s', NOW(), NOW())",
- get_table_name('session'),
- $key,
- $vars,
- $_SERVER['REMOTE_ADDR']));
+ $DB->query("INSERT INTO ".get_table_name('session')."
+ (sess_id, vars, ip, created, changed)
+ VALUES (?, ?, ?, NOW(), NOW())",
+ $key,
+ $vars,
+ $_SERVER['REMOTE_ADDR']);
}
return TRUE;
@@ -98,16 +94,14 @@ function sess_destroy($key)
{
global $DB;
- $DB->query(sprintf("DELETE FROM %s
- WHERE sess_id='%s'",
- get_table_name('session'),
- $key));
-
- // also delete session entries in cache table
- $DB->query(sprintf("DELETE FROM %s
- WHERE session_id='%s'",
- get_table_name('cache'),
- $key));
+ // delete session entries in cache table
+ $DB->query("DELETE FROM ".get_table_name('cache')."
+ WHERE session_id=?",
+ $key);
+
+ $DB->query("DELETE FROM ".get_table_name('session')."
+ WHERE sess_id=?",
+ $key);
return TRUE;
}
@@ -119,11 +113,10 @@ function sess_gc($maxlifetime)
global $DB;
// get all expired sessions
- $sql_result = $DB->query(sprintf("SELECT sess_id
- FROM %s
- WHERE UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(created) > %d",
- get_table_name('session'),
- $maxlifetime));
+ $sql_result = $DB->query("SELECT sess_id
+ FROM ".get_table_name('session')."
+ WHERE ".$DB->unixtimestamp('NOW()')."-".$DB->unixtimestamp('created')." > ?",
+ $maxlifetime);
$a_exp_sessions = array();
while ($sql_arr = $DB->fetch_assoc($sql_result))
@@ -132,17 +125,13 @@ function sess_gc($maxlifetime)
if (sizeof($a_exp_sessions))
{
+ // delete session cache records
+ $DB->query("DELETE FROM ".get_table_name('cache')."
+ WHERE session_id IN ('".join("','", $a_exp_sessions)."')");
+
// delete session records
- $DB->query(sprintf("DELETE FROM %s
- WHERE sess_id IN ('%s')",
- get_table_name('session'),
- join("','", $a_exp_sessions)));
-
- // also delete session cache records
- $DB->query(sprintf("DELETE FROM %s
- WHERE session_id IN ('%s')",
- get_table_name('cache'),
- join("','", $a_exp_sessions)));
+ $DB->query("DELETE FROM ".get_table_name('session')."
+ WHERE sess_id IN ('".join("','", $a_exp_sessions)."')");
}
return TRUE;
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index e988f5569..a3fcefbf7 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -23,13 +23,11 @@ $REMOTE_REQUEST = TRUE;
if ($_GET['_cid'])
{
- $DB->query(sprintf("UPDATE %s
- SET del='1'
- WHERE user_id=%d
- AND contact_id IN (%s)",
- get_table_name('contacts'),
- $_SESSION['user_id'],
- $_GET['_cid']));
+ $DB->query("UPDATE ".get_table_name('contacts')."
+ SET del='1'
+ WHERE user_id=?
+ AND contact_id IN (".$_GET['_cid'].")",
+ $_SESSION['user_id']);
$count = $DB->affected_rows();
if (!$count)
@@ -40,12 +38,11 @@ if ($_GET['_cid'])
// count contacts for this user
- $sql_result = $DB->query(sprintf("SELECT COUNT(contact_id) AS rows
- FROM %s
- WHERE del!='1'
- AND user_id=%d",
- get_table_name('contacts'),
- $_SESSION['user_id']));
+ $sql_result = $DB->query("SELECT COUNT(contact_id) AS rows
+ FROM ".get_table_name('contacts')."
+ WHERE del<>'1'
+ AND user_id=?",
+ $_SESSION['user_id']);
$sql_arr = $DB->fetch_assoc($sql_result);
$rowcount = $sql_arr['rows'];
@@ -62,14 +59,13 @@ if ($_GET['_cid'])
$start_row = ($_SESSION['page'] * $CONFIG['pagesize']) - $count;
// get contacts from DB
- $sql_result = $DB->query(sprintf("SELECT * FROM %s
- WHERE del!='1'
- AND user_id=%d
- ORDER BY name",
- get_table_name('contacts'),
- $_SESSION['user_id']),
- $start_row,
- $count);
+ $sql_result = $DB->limitquery("SELECT * FROM ".get_table_name('contacts')."
+ WHERE del<>'1'
+ AND user_id=?
+ ORDER BY name",
+ $start_row,
+ $count,
+ $_SESSION['user_id']);
$commands .= rcmail_js_contacts_list($sql_result);
diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index 3c5a544d3..24300bfce 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -23,13 +23,12 @@
if (($_GET['_cid'] || $_POST['_cid']) && $_action=='edit')
{
$cid = $_POST['_cid'] ? $_POST['_cid'] : $_GET['_cid'];
- $DB->query(sprintf("SELECT * FROM %s
- WHERE contact_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('contacts'),
- $cid,
- $_SESSION['user_id']));
+ $DB->query("SELECT * FROM ".get_table_name('contacts')."
+ WHERE contact_id=?
+ AND user_id=?
+ AND del<>'1'",
+ $cid,
+ $_SESSION['user_id']);
$CONTACT_RECORD = $DB->fetch_assoc();
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 53628162b..4cc79bad6 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -41,12 +41,11 @@ function rcmail_contacts_list($attrib)
//$image_tag = '<img src="%s%s" alt="%s" border="0" />';
// count contacts for this user
- $sql_result = $DB->query(sprintf("SELECT COUNT(contact_id) AS rows
- FROM %s
- WHERE del!='1'
- AND user_id=%d",
- get_table_name('contacts'),
- $_SESSION['user_id']));
+ $sql_result = $DB->query("SELECT COUNT(contact_id) AS rows
+ FROM ".get_table_name('contacts')."
+ WHERE del<>'1'
+ AND user_id=?",
+ $_SESSION['user_id']);
$sql_arr = $DB->fetch_assoc($sql_result);
$rowcount = $sql_arr['rows'];
@@ -56,14 +55,13 @@ function rcmail_contacts_list($attrib)
$start_row = ($CONTACTS_LIST['page']-1) * $CONFIG['pagesize'];
// get contacts from DB
- $sql_result = $DB->query(sprintf("SELECT * FROM %s
- WHERE del!='1'
- AND user_id=%d
- ORDER BY name",
- get_table_name('contacts'),
- $_SESSION['user_id']),
- $start_row,
- $CONFIG['pagesize']);
+ $sql_result = $DB->limitquery("SELECT * FROM ".get_table_name('contacts')."
+ WHERE del<>'1'
+ AND user_id= ?
+ ORDER BY name",
+ $start_row,
+ $CONFIG['pagesize'],
+ $_SESSION['user_id']);
}
else
$sql_result = NULL;
@@ -174,11 +172,10 @@ function rcmail_get_rowcount_text($max=NULL)
// get nr of contacts
if ($max===NULL)
{
- $sql_result = $DB->query(sprintf("SELECT 1 FROM %s
- WHERE del!='1'
- AND user_id=%d",
- get_table_name('contacts'),
- $_SESSION['user_id']));
+ $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('contacts')."
+ WHERE del<>'1'
+ AND user_id=?",
+ $_SESSION['user_id']);
$max = $DB->num_rows($sql_result);
}
diff --git a/program/steps/addressbook/list.inc b/program/steps/addressbook/list.inc
index 4ed092541..ecb634b6f 100644
--- a/program/steps/addressbook/list.inc
+++ b/program/steps/addressbook/list.inc
@@ -22,12 +22,11 @@
$REMOTE_REQUEST = TRUE;
// count contacts for this user
-$sql_result = $DB->query(sprintf("SELECT COUNT(contact_id) AS rows
- FROM %s
- WHERE del!='1'
- AND user_id=%d",
- get_table_name('contacts'),
- $_SESSION['user_id']));
+$sql_result = $DB->query("SELECT COUNT(contact_id) AS rows
+ FROM ".get_table_name('contacts')."
+ WHERE del<>'1'
+ AND user_id=?",
+ $_SESSION['user_id']);
$sql_arr = $DB->fetch_assoc($sql_result);
$rowcount = $sql_arr['rows'];
@@ -40,14 +39,13 @@ $commands .= sprintf("this.set_env('pagecount', %d);\n", $pages);
$start_row = ($CONTACTS_LIST['page']-1) * $CONFIG['pagesize'];
// get contacts from DB
-$sql_result = $DB->query(sprintf("SELECT * FROM %s
- WHERE del!='1'
- AND user_id=%d
- ORDER BY name",
- get_table_name('contacts'),
- $_SESSION['user_id']),
- $start_row,
- $CONFIG['pagesize']);
+$sql_result = $DB->limitquery("SELECT * FROM ".get_table_name('contacts')."
+ WHERE del<>'1'
+ AND user_id=?
+ ORDER BY name",
+ $start_row,
+ $CONFIG['pagesize'],
+ $_SESSION['user_id']);
$commands .= rcmail_js_contacts_list($sql_result);
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 62cc5d8a6..814f50a34 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -39,15 +39,13 @@ if ($_POST['_cid'])
if (sizeof($a_write_sql))
{
- $DB->query(sprintf("UPDATE %s
- SET %s
- WHERE contact_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('contacts'),
- join(', ', $a_write_sql),
- $_POST['_cid'],
- $_SESSION['user_id']));
+ $DB->query("UPDATE ".get_table_name('contacts')."
+ SET ".join(', ', $a_write_sql)."
+ WHERE contact_id=?
+ AND user_id=?
+ AND del<>'1'",
+ $_POST['_cid'],
+ $_SESSION['user_id']);
$updated = $DB->affected_rows();
}
@@ -63,13 +61,12 @@ if ($_POST['_cid'])
$a_show_cols = array('name', 'email');
$a_js_cols = array();
- $sql_result = $DB->query(sprintf("SELECT * FROM %s
- WHERE contact_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('contacts'),
+ $sql_result = $DB->query("SELECT * FROM ".get_table_name('contacts')."
+ WHERE contact_id=?
+ AND user_id=?
+ AND del<>'1'",
$_POST['_cid'],
- $_SESSION['user_id']));
+ $_SESSION['user_id']);
$sql_arr = $DB->fetch_assoc($sql_result);
foreach ($a_show_cols as $col)
@@ -111,13 +108,10 @@ else
if (sizeof($a_insert_cols))
{
- $DB->query(sprintf("INSERT INTO %s
- (user_id, %s)
- VALUES (%d, %s)",
- get_table_name('contacts'),
- join(', ', $a_insert_cols),
- $_SESSION['user_id'],
- join(', ', $a_insert_values)));
+ $DB->query("INSERT INTO ".get_table_name('contacts')."
+ (user_id, ".join(', ', $a_insert_cols).")
+ VALUES (?, ".join(', ', $a_insert_values).")",
+ $_SESSION['user_id']);
$insert_id = $DB->insert_id();
}
@@ -131,12 +125,11 @@ else
{
// add contact row or jump to the page where it should appear
$commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME);
- $sql_result = $DB->query(sprintf("SELECT * FROM %s
- WHERE contact_id=%d
- AND user_id=%d",
- get_table_name('contacts'),
- $insert_id,
- $_SESSION['user_id']));
+ $sql_result = $DB->query("SELECT * FROM ".get_table_name('contacts')."
+ WHERE contact_id=?
+ AND user_id=?",
+ $insert_id,
+ $_SESSION['user_id']);
$commands .= rcmail_js_contacts_list($sql_result, $JS_OBJECT_NAME);
$commands .= sprintf("if(parent.%s)parent.%s.select('%d');\n",
diff --git a/program/steps/addressbook/show.inc b/program/steps/addressbook/show.inc
index 4129cd27f..83db486cc 100644
--- a/program/steps/addressbook/show.inc
+++ b/program/steps/addressbook/show.inc
@@ -23,13 +23,12 @@
if ($_GET['_cid'] || $_POST['_cid'])
{
$cid = $_POST['_cid'] ? $_POST['_cid'] : $_GET['_cid'];
- $DB->query(sprintf("SELECT * FROM %s
- WHERE contact_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('contacts'),
- $cid,
- $_SESSION['user_id']));
+ $DB->query("SELECT * FROM ".get_table_name('contacts')."
+ WHERE contact_id=?
+ AND user_id=?
+ AND del<>'1'",
+ $cid,
+ $_SESSION['user_id']);
$CONTACT_RECORD = $DB->fetch_assoc();
diff --git a/program/steps/mail/addcontact.inc b/program/steps/mail/addcontact.inc
index 465ed3125..6ead67812 100644
--- a/program/steps/mail/addcontact.inc
+++ b/program/steps/mail/addcontact.inc
@@ -29,13 +29,11 @@ if ($_GET['_address'])
$contact = $contact_arr[1];
if ($contact['mailto'])
- $sql_result = $DB->query(sprintf("SELECT 1 FROM %s
- WHERE user_id=%d
- AND email='%s'
- AND del!='1'",
- get_table_name('contacts'),
- $_SESSION['user_id'],
- $contact['mailto']));
+ $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('contacts')."
+ WHERE user_id=?
+ AND email=?
+ AND del<>'1'",
+ $_SESSION['user_id'],$contact['mailto']);
// contact entry with this mail address exists
if ($sql_result && $DB->num_rows($sql_result))
@@ -43,13 +41,12 @@ if ($_GET['_address'])
else if ($contact['mailto'])
{
- $DB->query(sprintf("INSERT INTO %s
- (user_id, name, email)
- VALUES (%d, '%s', '%s')",
- get_table_name('contacts'),
- $_SESSION['user_id'],
- $contact['name'],
- $contact['mailto']));
+ $DB->query("INSERT INTO ".get_table_name('contacts')."
+ (user_id, name, email)
+ VALUES (?, ?, ?)",
+ $_SESSION['user_id'],
+ $contact['name'],
+ $contact['mailto']);
$added = $DB->insert_id();
}
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index f7e094aa0..f70759914 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -87,13 +87,11 @@ function rcmail_compose_headers($attrib)
$field_attrib[$attr] = $value;
// get this user's identities
- $sql_result = $DB->query(sprintf("SELECT identity_id, name, email
- FROM %s
- WHERE user_id=%d
- AND del!='1'
- ORDER BY `default` DESC, name ASC",
- get_table_name('identities'),
- $_SESSION['user_id']));
+ $sql_result = $DB->query("SELECT identity_id, name, email
+ FROM ".get_table_name('identities')." WHERE user_id=?
+ AND del<>'1'
+ ORDER BY ".$DB->quoteIdentifier('default')." DESC, name ASC",
+ $_SESSION['user_id']);
if ($DB->num_rows($sql_result))
{
@@ -123,14 +121,11 @@ function rcmail_compose_headers($attrib)
if (!empty($_GET['_to']) && preg_match('/[0-9]+,?/', $_GET['_to']))
{
$a_recipients = array();
- $sql_result = $DB->query(sprintf("SELECT name, email
- FROM %s
- WHERE user_id=%d
- AND del!='1'
- AND contact_id IN (%s)",
- get_table_name('contacts'),
- $_SESSION['user_id'],
- $_GET['_to']));
+ $sql_result = $DB->query("SELECT name, email
+ FROM ".get_table_name('contacts')." WHERE user_id=?
+ AND del<>'1'
+ AND contact_id IN (".$_GET['_to'].")",
+ $_SESSION['user_id']);
while ($sql_arr = $DB->fetch_assoc($sql_result))
$a_recipients[] = format_email_recipient($sql_arr['email'], $sql_arr['name']);
@@ -559,12 +554,9 @@ function format_email_recipient($email, $name='')
/****** get contacts for this user and add them to client scripts ********/
-$sql_result = $DB->query(sprintf("SELECT name, email
- FROM %s
- WHERE user_id=%d
- AND del!='1'",
- get_table_name('contacts'),
- $_SESSION['user_id']));
+$sql_result = $DB->query("SELECT name, email
+ FROM ".get_table_name('contacts')." WHERE user_id=?
+ AND del<>'1'",$_SESSION['user_id']);
if ($DB->num_rows($sql_result))
{
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index bacb1b1e8..ddd08f11e 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -42,14 +42,12 @@ function rcmail_get_identity($id)
global $DB;
// get identity record
- $sql_result = $DB->query(sprintf("SELECT *, email AS mailto
- FROM %s
- WHERE identity_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('identities'),
- $id,
- $_SESSION['user_id']));
+ $sql_result = $DB->query("SELECT *, email AS mailto
+ FROM ".get_table_name('identities')."
+ WHERE identity_id=?
+ AND user_id=?
+ AND del<>'1'",
+ $id,$_SESSION['user_id']);
if ($DB->num_rows($sql_result))
{
diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc
index 58fda4970..3bca860b3 100644
--- a/program/steps/settings/delete_identity.inc
+++ b/program/steps/settings/delete_identity.inc
@@ -23,13 +23,11 @@ $REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE;
if ($_GET['_iid'])
{
- $DB->query(sprintf("UPDATE %s
- SET del='1'
- WHERE user_id=%d
- AND identity_id IN (%s)",
- get_table_name('identities'),
- $_SESSION['user_id'],
- $_GET['_iid']));
+ $DB->query("UPDATE ".get_table_name('identities')."
+ SET del='1'
+ WHERE user_id=?
+ AND identity_id IN (".$_GET['_iid'].")",
+ $_SESSION['user_id']);
$count = $DB->affected_rows();
if ($count)
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc
index e0f649cdc..dc2f14990 100644
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@@ -22,13 +22,12 @@
if (($_GET['_iid'] || $_POST['_iid']) && $_action=='edit-identity')
{
$id = $_POST['_iid'] ? $_POST['_iid'] : $_GET['_iid'];
- $DB->query(sprintf("SELECT * FROM %s
- WHERE identity_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('identities'),
- $id,
- $_SESSION['user_id']));
+ $DB->query("SELECT * FROM ".get_table_name('identities')."
+ WHERE identity_id=?
+ AND user_id=?
+ AND del<>'1'",
+ $id,
+ $_SESSION['user_id']);
$IDENTITY_RECORD = $DB->fetch_assoc();
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 621acd96c..9b7ef002b 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -21,10 +21,9 @@
// get user record
-$sql_result = $DB->query(sprintf("SELECT username, mail_host FROM %s
- WHERE user_id=%d",
- get_table_name('users'),
- $_SESSION['user_id']));
+$sql_result = $DB->query("SELECT username, mail_host FROM ".get_table_name('users')."
+ WHERE user_id=?",
+ $_SESSION['user_id']);
if ($USER_DATA = $DB->fetch_assoc($sql_result))
$PAGE_TITLE = sprintf('%s %s@%s', rcube_label('settingsfor'), $USER_DATA['username'], $USER_DATA['mail_host']);
@@ -143,12 +142,11 @@ function rcmail_identities_list($attrib)
// get contacts from DB
- $sql_result = $DB->query(sprintf("SELECT * FROM %s
- WHERE del!='1'
- AND user_id=%d
- ORDER BY `default` DESC, name ASC",
- get_table_name('identities'),
- $_SESSION['user_id']));
+ $sql_result = $DB->query("SELECT * FROM ".get_table_name('identities')."
+ WHERE del<>'1'
+ AND user_id=?
+ ORDER BY ".$DB->quoteIdentifier('default')." DESC, name ASC",
+ $_SESSION['user_id']);
// add id to message list table if not specified
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 39bf8fa84..680833d7c 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -38,15 +38,13 @@ if ($_POST['_iid'])
if (sizeof($a_write_sql))
{
- $DB->query(sprintf("UPDATE %s
- SET %s
- WHERE identity_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('identities'),
- join(', ', $a_write_sql),
- $_POST['_iid'],
- $_SESSION['user_id']));
+ $DB->query("UPDATE ".get_table_name('identities')."
+ SET ".join(', ', $a_write_sql)."
+ WHERE identity_id=?
+ AND user_id=?
+ AND del<>'1'",
+ $_POST['_iid'],
+ $_SESSION['user_id']);
$updated = $DB->affected_rows();
}
@@ -56,14 +54,13 @@ if ($_POST['_iid'])
show_message('successfullysaved', 'confirmation');
// mark all other identities as 'not-default'
- $DB->query(sprintf("UPDATE %s
- SET `default`='0'
- WHERE identity_id!=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('identities'),
- $_POST['_iid'],
- $_SESSION['user_id']));
+ $DB->query("UPDATE ".get_table_name('identities')."
+ SET ".$DB->quoteIdentifier('default')."='0'
+ WHERE identity_id!=?
+ AND user_id=?
+ AND del<>'1'",
+ $_POST['_iid'],
+ $_SESSION['user_id']);
if ($_POST['_framed'])
{
@@ -89,19 +86,16 @@ else
if (!isset($_POST[$fname]))
continue;
- $a_insert_cols[] = "`$col`";
+ $a_insert_cols[] = $DB->quoteIdentifier($col);
$a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
}
if (sizeof($a_insert_cols))
{
- $DB->query(sprintf("INSERT INTO %s
- (user_id, %s)
- VALUES (%d, %s)",
- get_table_name('identities'),
- join(', ', $a_insert_cols),
- $_SESSION['user_id'],
- join(', ', $a_insert_values)));
+ $DB->query("INSERT INTO ".get_table_name('identities')."
+ (user_id, ".join(', ', $a_insert_cols).")
+ VALUES (?, ".join(', ', $a_insert_values).")",
+ $_SESSION['user_id']);
$insert_id = $DB->insert_id();
}
diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc
index 7cc327028..1322acaf7 100644
--- a/program/steps/settings/save_prefs.inc
+++ b/program/steps/settings/save_prefs.inc
@@ -35,14 +35,13 @@ if (isset($_POST['_language']))
$sess_user_lang = $_SESSION['user_lang'] = $_POST['_language'];
-$DB->query(sprintf("UPDATE %s
- SET preferences='%s',
- language='%s'
- WHERE user_id=%d",
- get_table_name('users'),
- addslashes(serialize($a_user_prefs)),
- $sess_user_lang,
- $_SESSION['user_id']));
+$DB->query("UPDATE ".get_table_name('users')."
+ SET preferences=?,
+ language=?
+ WHERE user_id=?",
+ serialize($a_user_prefs),
+ $sess_user_lang,
+ $_SESSION['user_id']);
if ($DB->affected_rows())
{
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-23 13:53:00 +0000