1 files changed, 24 insertions, 28 deletions

diff --git a/program/include/main.inc b/program/include/main.inc
index a7020c75f..0e206166e 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -263,13 +263,12 @@ function rcmail_login($user, $pass, $host=NULL)
     }
 
   // query if user already registered
-  $sql_result = $DB->query(sprintf("SELECT user_id, username, language, preferences
-                                    FROM   %s
-                                    WHERE  mail_host='%s' AND (username='%s' OR alias='%s')",
-                                   get_table_name('users'),
-                                   addslashes($host),
-                                   addslashes($user),
-                                   addslashes($user)));
+  $sql_result = $DB->query("SELECT user_id, username, language, preferences
+                            FROM ".get_table_name('users')."
+                            WHERE  mail_host=? AND (username=? OR alias=?)",
+                            $host,
+                            $user,
+                            $user);
 
   // user already registered -> overwrite username
   if ($sql_arr = $DB->fetch_assoc($sql_result))
@@ -299,11 +298,10 @@ function rcmail_login($user, $pass, $host=NULL)
       $sess_user_lang = $_SESSION['user_lang'] = $sql_arr['language'];
       
     // update user's record
-    $DB->query(sprintf("UPDATE %s
-                        SET    last_login=NOW()
-                        WHERE  user_id=%d",
-                       get_table_name('users'),
-                       $user_id));
+    $DB->query("UPDATE ".get_table_name('users')."
+                SET    last_login=NOW()
+                WHERE  user_id=?",
+                $user_id);
     }
   // create new system user
   else if ($CONFIG['auto_create_user'])
@@ -336,27 +334,25 @@ function rcmail_create_user($user, $host)
   {
   global $DB, $CONFIG, $IMAP;
   
-  $DB->query(sprintf("INSERT INTO %s
-                      (created, last_login, username, mail_host, language)
-                      VALUES (NOW(), NOW(), '%s', '%s', '%s')",
-                     get_table_name('users'),
-                     addslashes($user),
-                     addslashes($host),
-		             $_SESSION['user_lang']));
-
-  if ($user_id = $DB->insert_id())
+  $DB->query("INSERT INTO ".get_table_name('users')."
+              (created, last_login, username, mail_host, language)
+              VALUES (NOW(), NOW(), ?, ?, ?)",
+              $user,
+              $host,
+		      $_SESSION['user_lang']);
+
+  if ($user_id = $DB->insert_id('user_ids'))
     {
     $user_email = strstr($user, '@') ? $user : sprintf('%s@%s', $user, $host);
     $user_name = $user!=$user_email ? $user : '';
     
     // also create a new identity record
-    $DB->query(sprintf("INSERT INTO %s
-                        (user_id, `default`, name, email)
-                        VALUES (%d, '1', '%s', '%s')",
-                       get_table_name('identities'),
-                       $user_id,
-                       addslashes($user_name),
-                       addslashes($user_email)));
+    $DB->query("INSERT INTO ".get_table_name('identities')."
+                (user_id, `default`, name, email)
+                VALUES (?, '1', ?, ?)",
+                $user_id,
+                $user_name,
+                $user_email);
                        
     // get existing mailboxes
     $a_mailboxes = $IMAP->list_mailboxes();