From 0f2bd2b5972cf0c4078db08e72edea5aa8afd066 Mon Sep 17 00:00:00 2001 From: Brian Koontz Date: Wed, 14 Dec 2016 21:49:08 -0700 Subject: [PATCH] Conversion to PDO to support PHP 7. Ref #1230. --- actions/adminpages/adminpages.php | 68 +-- actions/adminusers/adminusers.php | 57 ++- actions/countowned/countowned.php | 10 +- actions/dbinfo/dbinfo.php | 32 +- actions/highscores/highscores.php | 4 +- actions/lastusers/lastusers.php | 8 +- actions/mychanges/mychanges.php | 4 +- actions/mysqlversion/mysqlversion.php | 2 +- actions/usersettings/usersettings.php | 60 ++- actions/wikkaconfig/wikkaconfig.php | 2 +- handlers/acls/acls.php | 6 +- handlers/delete/delete.php | 10 +- handlers/delete_referrer/delete_referrer.php | 7 +- handlers/edit/edit.php | 7 +- handlers/maintenance.xml/maintenance.xml.php | 4 +- handlers/revert/revert.php | 2 +- .../review_blacklist/review_blacklist.php | 2 +- libs/Compatibility.lib.php | 21 +- libs/Wakka.class.php | 476 ++++++++++++------ libs/admin.lib.php | 20 +- scripts/convertHTMLEntities.php | 10 + scripts/migrateDeprecatedLinks.php | 10 + setup/default.php | 44 +- setup/inc/functions.inc.php | 70 ++- setup/install.php | 266 +++++----- setup/links.php | 18 +- wikka.php | 29 +- 27 files changed, 765 insertions(+), 484 deletions(-) diff --git a/actions/adminpages/adminpages.php b/actions/adminpages/adminpages.php index d88732a7..87bbbe00 100644 --- a/actions/adminpages/adminpages.php +++ b/actions/adminpages/adminpages.php 
@@ -328,9 +328,13 @@ function optionRanges($limits, $max, $firstinc = 1) if(isset($_GET['sort']) && in_array($_GET['sort'], $sort_fields)) $sort = $_GET['sort']; // sort order - $d = "desc"; - $sort_order = array('asc', 'desc'); - if(isset($_GET['d']) && in_array($_GET['d'], $sort_order)) $d = $_GET['d']; + $d = 'desc'; + if(isset($_GET['d'])) { + if($this->GetSafeVar('d', 'get') == 'asc') { + $d = 'asc'; + } + } + // start record $s = ADMINPAGES_DEFAULT_START; if (isset($_GET['s']) && (int)$_GET['s'] >=0) $s = (int)$_GET['s']; @@ -338,17 +342,14 @@ function optionRanges($limits, $max, $firstinc = 1) // search string $search = ADMINPAGES_DEFAULT_SEARCH; - $search_disp = ADMINPAGES_DEFAULT_SEARCH; + $search = ADMINPAGES_DEFAULT_SEARCH; if (isset($_POST['search'])) { - $search = - mysql_real_escape_string($this->GetSafeVar('search', 'post')); - $search_disp = $this->GetSafeVar('search', 'post'); + $search = $this->GetSafeVar('search', 'post'); } elseif (isset($_GET['search'])) { - $search = mysql_real_escape_string($this->GetSafeVar('search', 'get')); - $search_disp = $this->GetSafeVar('search', 'get'); + $search = $this->GetSafeVar('search', 'get'); } // select all added JW 2005-07-19 @@ -364,7 +365,7 @@ function optionRanges($limits, $max, $firstinc = 1) // build pager form $form_filter = $this->FormOpen('','','post','page_admin_panel'); $form_filter .= '
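Review bot: In the search-string hunk `$search = ADMINPAGES_DEFAULT_SEARCH;` is now assigned twice in a row; the second line replaced the `$search_disp` default but kept the same target, so drop the duplicate. Since `$search` now serves as both the bound LIKE value and the text echoed back, whatever transformation GetSafeVar() applies (not shown in this diff) is also what is matched against `tag`; if it HTML-encodes, a search for `&` will not match raw tags, which is worth confirming against GetSafeVar(). LIKE metacharacters (`%`, `_`) typed by the user remain live wildcards exactly as before; parameter binding does not change that.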
'.T_("Filter view:").''."\n"; - $form_filter .= '
'."\n"; + $form_filter .= '
'."\n"; // build date range fields $form_filter .= ' -- :: '.T_("and").' -- ::
'."\n"; @@ -380,20 +381,20 @@ function optionRanges($limits, $max, $firstinc = 1) is_numeric($start_MM) && $start_MM > 0 && $start_MM < 13 && is_numeric($start_DD) && $start_DD > 0 && $start_DD < 32) { - $start_ts = mysql_real_escape_string($start_YY); + $start_ts = $start_YY; $start_ts .= '-'; - $start_ts .= mysql_real_escape_string($start_MM); + $start_ts .= $start_MM; $start_ts .= '-'; - $start_ts .= mysql_real_escape_string($start_DD); + $start_ts .= $start_DD; if (is_numeric($start_hh) && $start_hh >= 0 && $start_hh <=24) { - $start_ts .= ' '.mysql_real_escape_string($start_hh).':'; + $start_ts .= ' '.$start_hh.':'; if (is_numeric($start_mm) && $start_mm >= 0 && $start_mm <= 59) { - $start_ts .= mysql_real_escape_string($start_mm).':'; + $start_ts .= $start_mm.':'; if (is_numeric($start_ss) && $start_ss >= 0 && $start_ss <= 59) { - $start_ts .= mysql_real_escape_string($start_ss); + $start_ts .= $start_ss; } else { @@ -409,20 +410,20 @@ function optionRanges($limits, $max, $firstinc = 1) is_numeric($end_MM) && $end_MM > 0 && $end_MM < 13 && is_numeric($end_DD) && $end_DD > 0 && $end_DD < 32) { - $end_ts = mysql_real_escape_string($end_YY); + $end_ts = $end_YY; $end_ts .= '-'; - $end_ts .= mysql_real_escape_string($end_MM); + $end_ts .= $end_MM; $end_ts .= '-'; - $end_ts .= mysql_real_escape_string($end_DD); + $end_ts .= $end_DD; if (is_numeric($end_hh) && $end_hh >= 0 && $end_hh <=24) { - $end_ts .= ' '.mysql_real_escape_string($end_hh).':'; + $end_ts .= ' '.$end_hh.':'; if (is_numeric($end_mm) && $end_mm >= 0 && $end_mm <= 59) { - $end_ts .= mysql_real_escape_string($end_mm).':'; + $end_ts .= $end_mm.':'; if (is_numeric($end_ss) && $end_ss >= 0 && $end_ss <= 59) { - $end_ts .= mysql_real_escape_string($end_ss); + $end_ts .= $end_ss; } else { 
@@ -442,13 +443,21 @@ function optionRanges($limits, $max, $firstinc = 1) } // restrict MySQL query by search string modified JW 2005-07-19 - $where = ('' == $search) ? "`latest` = 'Y'" : "`tag` LIKE '%".$search."%' AND `latest` = 'Y'"; + $params = array(); + if('' == $search) { + $where = "`latest` = 'Y'"; + } else { + $where = "`tag` LIKE :search AND `latest` = 'Y'"; + $params = array(':search' => '%'.$search.'%'); + } if (!empty($start_ts) && !empty($end_ts)) { - $where .= " AND time > '".$start_ts."' AND time < '".$end_ts."'"; + $where .= " AND time > :start_ts AND time < :end_ts"; + $params = array(':start_ts' => $start_ts, + ':end_ts' => $end_ts); } // get total number of pages - $numpages = $this->getCount('pages', $where); + $numpages = $this->getCount('pages', $where, $params); // ranged drop-down $pages_opts = optionRanges($page_limits,$numpages, ADMINPAGES_DEFAULT_MIN_RECORDS_DISPLAY); @@ -503,8 +512,11 @@ function optionRanges($limits, $max, $firstinc = 1) $table = 'pages'; } - $query = "SELECT *".$count." FROM ".$this->GetConfigValue('table_prefix').$table." WHERE ". $where." ".$group." ORDER BY ".$sort." ".$d." LIMIT ".$s.", ".$l; - $pagedata = $this->LoadAll($query); + $params[':sort'] = $sort; + $params[':s'] = (int)$s; + $params[':l'] = (int)$l; + $query = "SELECT *".$count." FROM ".$this->GetConfigValue('table_prefix').$table." WHERE ". $where." ".$group." ORDER BY :sort ".$d." LIMIT :s, :l"; + $pagedata = $this->LoadAll($query, $params); if ($pagedata) { @@ -710,7 +722,7 @@ function optionRanges($limits, $max, $firstinc = 1) else { // no records matching the search string: print error message - echo '
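Review bot: The date-range branch overwrites `$params` instead of extending it: `$params = array(':start_ts' => $start_ts, ':end_ts' => $end_ts);` discards the `:search` entry set just above, so a filtered search combined with a date range produces a statement with an unbound `:search` placeholder and both getCount() and the later LoadAll() fail (with ERRMODE_EXCEPTION, an exception). Use `$params[':start_ts'] = $start_ts;` and `$params[':end_ts'] = $end_ts;` so the two filters compose. `$start_ts`/`$end_ts` are assembled from the is_numeric-checked pieces earlier in this function, outside the hunk.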
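Review bot: `ORDER BY :sort` does not sort by the chosen column: a bound parameter is a string literal, so MySQL orders by a constant and the user's sort choice is silently ignored. `$sort` is already whitelisted against `$sort_fields` with in_array() above this hunk (as `$d` is), so interpolate it and drop the `$params[':sort'] = $sort;` line, e.g. `... ORDER BY ".$sort." ".$d." LIMIT :s, :l"` (leaving `:sort` in `$params` without a placeholder would trip PDO's parameter-count check). `:s` and `:l` are bound through execute() and therefore sent as strings; with ATTR_EMULATE_PREPARES off, some MySQL versions reject non-integer LIMIT arguments, so consider letting Query() bind integer-typed values with PDO::PARAM_INT.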

'.sprintf(T_("Sorry, there are no pages matching \"%s\""), $search_disp).'

'; + echo '

'.sprintf(T_("Sorry, there are no pages matching \"%s\""), $search).'

'; } } } diff --git a/actions/adminusers/adminusers.php b/actions/adminusers/adminusers.php index e6bec864..9c06e4fc 100644 --- a/actions/adminusers/adminusers.php +++ b/actions/adminusers/adminusers.php @@ -306,26 +306,26 @@ function optionRanges($limits, $max, $firstinc = 1) $sort_fields = array('name', 'email', 'signuptime'); $sort = (isset($_GET['sort'])) ? $this->GetSafeVar('sort', 'get') : "signuptime"; if(!in_array($sort, $sort_fields)) $sort = "signuptime"; - // sort order - $sort_order = array('asc', 'desc'); - $d = (isset($_GET['d'])) ? $this->GetSafeVar('d', 'get') : "desc"; - if(!in_array($d, $sort_order)) $d = "desc"; + $d = 'desc'; + if(isset($_GET['d'])) { + if($this->GetSafeVar('d', 'get') == 'asc') { + $d = 'asc'; + } + } // start record $s = (isset($_GET['s'])) ? $this->GetSafeVar('s', 'get') : ADMINUSERS_DEFAULT_START; if ((int)$s < 0) $s = ADMINUSERS_DEFAULT_START; // search string $search = ADMINUSERS_DEFAULT_SEARCH; - $search_disp = ADMINUSERS_DEFAULT_SEARCH; + $search = ADMINUSERS_DEFAULT_SEARCH; if (isset($_POST['search'])) { - $search = mysql_real_escape_string($this->GetSafeVar('search', 'post')); - $search_disp = $this->GetSafeVar('search', 'post'); + $search = $this->GetSafeVar('search', 'post'); } elseif (isset($_GET['search'])) { - $search = mysql_real_escape_string($this->GetSafeVar('search', 'get')); - $search_disp = $this->GetSafeVar('search', 'get'); + $search = $this->GetSafeVar('search', 'get'); } elseif($this->GetSafeVar('submit', 'post') == T_("Submit")) { @@ -335,6 +335,7 @@ function optionRanges($limits, $max, $firstinc = 1) // select all $checked = ''; + $params = array(); if (isset($_GET['selectall'])) { $checked = (1 == $_GET['selectall']) ? ' checked="checked"' : ''; 
@@ -342,9 +343,15 @@ function optionRanges($limits, $max, $firstinc = 1) // restrict MySQL query by search string $where = "(status IS NULL OR status != 'deleted') AND "; - $where .= ('' == $search) ? '1' : "name LIKE '%".$search."%'"; + if('' == $search) { + $where .= '1'; + } else { + $where .= "name LIKE :search"; + $params = array(':search' => '%'.$search.'%'); + } // get total number of users - $numusers = $this->getCount('users', $where); + + $numusers = $this->getCount('users', $where, $params); // If the user doesn't specifically want to change the records // per page, then use the default. The problem here is that one // form is being used to process two post requests, so things @@ -363,7 +370,7 @@ function optionRanges($limits, $max, $firstinc = 1) // build pager form $form_filter = $this->FormOpen('','','post','user_admin_panel'); $form_filter .= '
'.T_("Filter view:").''."\n"; - $form_filter .= '
'."\n"; + $form_filter .= '
'."\n"; // get values range for drop-down $users_opts = optionRanges($user_limits,$numusers, ADMINUSERS_DEFAULT_MIN_RECORDS_DISPLAY); $form_filter .= ' '."\n"; @@ -392,8 +399,10 @@ function optionRanges($limits, $max, $firstinc = 1) $form_filter .= '
'.$this->FormClose()."\n"; // get user list - $userdata = $this->LoadAll("SELECT * FROM ".$this->GetConfigValue('table_prefix')."users WHERE ".$where." ORDER BY ".$sort." ".$d." limit ".$s.", ".$l); - + $params[':sort'] = $sort; + $params[':s'] = (int)$s; + $params[':l'] = (int)$l; + $userdata = $this->LoadAll("SELECT * FROM ".$this->GetConfigValue('table_prefix')."users WHERE ".$where." ORDER BY :sort $d limit :s, :l", $params); if ($userdata) { // build header links @@ -422,12 +431,18 @@ function optionRanges($limits, $max, $firstinc = 1) foreach($userdata as $user) { // get counts - $where_owned = "`owner` = '".$user['name']."' AND latest = 'Y'"; - $where_changes = "`user` = '".$user['name']."'"; - $where_comments = "`user` = '".$user['name']."'"; - $numowned = $this->getCount('pages', $where_owned); - $numchanges = $this->getCount('pages', $where_changes); - $numcomments = $this->getCount('comments', $where_comments); + $where_owned = "`owner` = :owner AND latest = 'Y'"; + $where_changes = "`user` = :user"; + $where_comments = "`user` = :user"; + $numowned = $this->getCount('pages', + $where_owned, + array(':owner' => $user[name])); + $numchanges = $this->getCount('pages', + $where_changes, + array(':user' => $user[name])); + $numcomments = $this->getCount('comments', + $where_comments, + array(':user' => $user[name])); // build statistics links if needed $ownedlink = ($numowned > 0)? ''.$numowned.'' : '0'; @@ -485,7 +500,7 @@ function optionRanges($limits, $max, $firstinc = 1) else { // no records matching the search string: print error message - echo '
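Review bot: The user list query has the same `ORDER BY :sort` problem as adminpages: the bound value is a literal, so the list is not ordered by `$sort` at all. `$sort` is validated against `$sort_fields` earlier in this action (outside the hunk), so interpolate it and remove `$params[':sort'] = $sort;`, keeping only `:s` and `:l` as bound values.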
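Review bot: `$user[name]` in the three getCount() calls uses an undefined constant: PHP 7 emits a warning and falls back to the string `'name'`, and PHP 8 throws an Error, so the per-user page/change/comment counts break on exactly the PHP versions this conversion targets. Change each to `array(':owner' => $user['name'])` / `array(':user' => $user['name'])`.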

'.sprintf(T_("Sorry, there are no users matching \"%s\""), $search_disp).'

'; + echo '

'.sprintf(T_("Sorry, there are no users matching \"%s\""), $search).'

'; } } } diff --git a/actions/countowned/countowned.php b/actions/countowned/countowned.php index 8478ecb3..9fde18b7 100644 --- a/actions/countowned/countowned.php +++ b/actions/countowned/countowned.php @@ -13,17 +13,13 @@ * @todo print different text if user is not logged in * @todo Add parameter to specify date range #955 */ -/* -$where = "`owner` = '".mysql_real_escape_string($this->GetUserName())."' AND `latest` = 'Y'"; -$count = $this->getCount('pages', $where); -*/ $count = 0; if ($username = $this->GetUserName()) // no param: get name of logged in user only (#543) { - $where = "owner = '".mysql_real_escape_string($username)."' AND latest = 'Y'"; - $count = $this->getCount('pages',$where); + $where = "owner = :username AND latest = 'Y'"; + $count = $this->getCount('pages', $where, array(':username' => $username)); } echo $this->Link('MyPages', '', $count,'','', T_("Display a list of the pages you currently own")); -?> \ No newline at end of file +?> diff --git a/actions/dbinfo/dbinfo.php b/actions/dbinfo/dbinfo.php index 6a09d057..f5dbae33 100644 --- a/actions/dbinfo/dbinfo.php +++ b/actions/dbinfo/dbinfo.php @@ -10,6 +10,9 @@ * By specifying prefix='0' the prefix configured for Wikka is ignored, allowing other tables in the same database (if any) * to be inspected. * + * NOTE: These calls are most likely MySQL-specific. This action + * needs some work to make it db-agnostic. + * * Syntax: * {{dbinfo [all="0|1"] [prefix="0|1"]}} * @@ -69,7 +72,7 @@ // variables $isAdmin = $this->IsAdmin(); -$database = $this->GetConfigValue('mysql_database'); +$database = $this->GetConfigValue('dbms_database'); $prefix = $this->GetConfigValue('table_prefix'); // ---------------------- processsing -------------------------- 
@@ -105,10 +108,10 @@ if ($bAll) { $query = 'SHOW DATABASES'; - $tableresult = mysql_query($query); + $tableresult = $this->Query($query)->fetchAll(); if ($tableresult) { - while ($row = mysql_fetch_assoc($tableresult)) + foreach ($tableresult as $row) { $aDbList[] = $row['Database']; } @@ -142,14 +145,16 @@ { $seldb = $database; # no choice: wikka database } + if (isset($seldb)) { - $query = 'SHOW CREATE DATABASE '.$seldb; - $dbcreateresult = mysql_query($query); + $query = 'SHOW CREATE DATABASE '.$this->pdo_quote_identifier($seldb); + $dbcreateresult = + $this->Query($query); if ($dbcreateresult) { - $row = mysql_fetch_assoc($dbcreateresult); - $dbcreate = $row['Create Database']; + $dbcreate = ($dbcreateresult->fetch())['Create Database']; + $dbcreateresult->closeCursor(); } } @@ -157,13 +162,13 @@ $aTableList = array(); if (isset($seldb)) { - $query = 'SHOW TABLES FROM '.$seldb; + $query = 'SHOW TABLES FROM '.$this->pdo_quote_identifier($seldb); if ($bPrefix) { $pattern = $prefix.'%'; $query .= " LIKE '".$pattern."'"; } - $tablelistresult = mysql_query($query); + $tablelistresult = $this->Query($query)->fetchAll(); if ($tablelistresult) { $colname = 'Tables_in_'.$seldb; @@ -171,7 +176,7 @@ { $colname .= ' ('.$pattern.')'; } - while ($row = mysql_fetch_assoc($tablelistresult)) + foreach($tablelistresult as $row) { $aTableList[] = $row[$colname]; } @@ -184,12 +189,15 @@ if (isset($_POST['seltable']) && in_array($_POST['seltable'],$aTableList)) # valid choice { $seltable = $this->GetSafeVar('seltable', 'post'); + $seltable = $this->pdo_quote_identifier($seltable); $query = 'SHOW CREATE TABLE '.$seltable; - $tablecreateresult = mysql_query($query); + $tablecreateresult = + $this->Query($query); if ($tablecreateresult) { - $row = mysql_fetch_assoc($tablecreateresult); + $row = $tablecreateresult->fetch(); $tablecreate = $row['Create Table']; + $tablecreateresult->closeCursor(); } } } 
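Review bot: The `SHOW TABLES` branch still builds its pattern by string interpolation, `$query .= " LIKE '".$pattern."'";`, which is the construction this commit sets out to remove. `$pattern` derives from the configured `table_prefix`, so it is not request-controlled here, but for consistency with the new helpers use `$query .= ' LIKE '.$this->pdo_quote($pattern);`. Validating `$seltable` with in_array() against `$aTableList` before pdo_quote_identifier() is the right pattern; the identifier quoting alone would not stop an arbitrary table name.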
diff --git a/actions/highscores/highscores.php b/actions/highscores/highscores.php index f783c74d..57e863c0 100644 --- a/actions/highscores/highscores.php +++ b/actions/highscores/highscores.php @@ -84,11 +84,11 @@ } //fetch data -$rank_query = $this->Query($query); +$rank_query = $this->Query($query)->fetchAll(); $i = 0; $str = ''; -while($row = mysql_fetch_array($rank_query)) +foreach($rank_query as $row) { $i++; $str .= ' '."\n"; diff --git a/actions/lastusers/lastusers.php b/actions/lastusers/lastusers.php index 52e84025..47389c8d 100644 --- a/actions/lastusers/lastusers.php +++ b/actions/lastusers/lastusers.php @@ -38,7 +38,7 @@ { $style = T_("complex"); } -if (isset($vars['max']) && $vars['max'] > 0) +if (isset($vars['max']) && is_numeric($vars['max']) && $vars['max'] > 0) { $max = (int) $vars['max']; } @@ -48,7 +48,7 @@ } // @@@TODO reformat query -$last_users = $this->LoadAll("SELECT name, signuptime FROM ".$this->GetConfigValue('table_prefix')."users ORDER BY signuptime DESC LIMIT ".$max); +$last_users = $this->LoadAll("SELECT name, signuptime FROM ".$this->GetConfigValue('table_prefix')."users ORDER BY signuptime DESC LIMIT :max", array(':max' => $max)); $htmlout .= ''."\n"; if ($style == 'complex') @@ -65,9 +65,9 @@ $htmlout .= ' '."\n"; if ($style == 'complex') { - $where = "`owner` = '".mysql_real_escape_string($user['name'])."' AND `latest` = 'Y'"; + $where = "`owner` = :name AND `latest` = 'Y'"; $htmlout .= ' '."\n"; - $htmlout .= ' '."\n"; + $htmlout .= ' '."\n"; $htmlout .= ' '."\n"; } else diff --git a/actions/mychanges/mychanges.php b/actions/mychanges/mychanges.php index 5d3733a4..62eba123 100644 --- a/actions/mychanges/mychanges.php +++ b/actions/mychanges/mychanges.php 
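Review bot: In lastusers, `LIMIT :max` is bound through the execute() array, which sends `$max` as a string even though it was cast with `(int)`; with emulated prepares disabled, some MySQL versions reject a non-integer LIMIT argument. Either keep the validated integer in the SQL text (`"... LIMIT ".$max`), or extend Query() to bind integers with PDO::PARAM_INT. The added `is_numeric($vars['max'])` guard is a good change since `(int)` on an arbitrary string would otherwise quietly yield 0.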
@@ -81,11 +81,11 @@ $query = " SELECT id, tag, time FROM ".$this->GetConfigValue('table_prefix')."pages - WHERE user = '".mysql_real_escape_string($username)."' + WHERE user = :username AND latest = 'Y' ORDER BY ".$order; - if ($pages = $this->LoadAll($query)) + if ($pages = $this->LoadAll($query, array(':username' => $username))) { $current = ''; diff --git a/actions/mysqlversion/mysqlversion.php b/actions/mysqlversion/mysqlversion.php index c6a9d39e..000a752a 100644 --- a/actions/mysqlversion/mysqlversion.php +++ b/actions/mysqlversion/mysqlversion.php @@ -26,7 +26,7 @@ //check privs if ($this->GetConfigValue('public_sysinfo') == '1' || $this->IsAdmin()) { - $out = mysql_get_server_info(); + $out = $this->pdo_get_server_version(); } echo $out; ?> diff --git a/actions/usersettings/usersettings.php b/actions/usersettings/usersettings.php index e318ba20..fdf7db8e 100644 --- a/actions/usersettings/usersettings.php +++ b/actions/usersettings/usersettings.php @@ -21,7 +21,6 @@ * invalid input fields; * @todo remove useless redirections; * @todo [accessibility] make logout independent of JavaScript - * @todo remove mysql_real_escape_string from password storage #531 * @todo complete @uses */ 
@@ -123,17 +122,26 @@ break; // @@@ validate doubleclickedit, show-comments and (especially) default_comment_display default: // input is valid + $name = $user['name']; $this->Query(" UPDATE ".$this->GetConfigValue('table_prefix')."users - SET email = '".mysql_real_escape_string($email)."', - doubleclickedit = '".mysql_real_escape_string($doubleclickedit)."', - show_comments = '".mysql_real_escape_string($show_comments)."', - default_comment_display = '".mysql_real_escape_string($default_comment_display)."', - revisioncount = ".mysql_real_escape_string($revisioncount).", - changescount = ".mysql_real_escape_string($changescount).", - theme = '".mysql_real_escape_string($usertheme)."' - WHERE name = '".$user['name']."' - LIMIT 1" + SET email = :email, + doubleclickedit = :doubleclickedit, + show_comments = :show_comments, + default_comment_display = :default_comment_display, + revisioncount = :revisioncount, + changescount = :changescount, + theme = :usertheme + WHERE name = :name + LIMIT 1", + array(':email' => $email, + ':doubleclickedit' => $doubleclickedit, + ':show_comments' => $show_comments, + ':default_comment_display' => $default_comment_display, + ':revisioncount' => $revisioncount, + ':changescount' => $changescount, + ':usertheme' => $usertheme, + ':name' => $name) ); $this->SetUser($this->loadUserData($user['name'])); } 
@@ -248,12 +256,16 @@ break; default: $challenge = dechex(crc32(time())); + $user['password'] = md5($challenge.$password); + $user['challenge'] = $challenge; $this->Query(" UPDATE ".$this->GetConfigValue('table_prefix')."users - SET password = '".md5($challenge.mysql_real_escape_string($password))."', - challenge = '".$challenge."' WHERE name = '".$user['name']."'" + SET password = :password, + challenge = :challenge WHERE name = :name", + array(':password' => $user['password'], + ':challenge' => $challenge, + ':name' => $user['name']) ); - $user['password'] = md5($challenge.$password); $this->SetUser($user); $passsuccess = T_("Password successfully changed!"); } @@ -466,13 +478,21 @@ break; default: //valid input, create user $challenge = dechex(crc32(time())); - $this->Query("INSERT INTO ".$this->GetConfigValue('table_prefix')."users SET ". - "signuptime = now(), ". - "name = '".mysql_real_escape_string($name)."', ". - "email = '".mysql_real_escape_string($email)."', ". - "challenge = '".$challenge."', ". - "default_comment_display = '".$this->GetConfigValue('default_comment_display')."', ". - "password = md5('".$challenge.mysql_real_escape_string($this->GetSafeVar('password', 'post'))."')"); + $password = $this->GetSafeVar('password', 'post'); + $password = md5($challenge.$password); + $default_comment_display = $this->GetConfigValue('default_comment_display'); + $this->Query("INSERT INTO ".$this->GetConfigValue('table_prefix')."users SET + signuptime = now(), + name = :name, + email = :email, + challenge = :challenge, + default_comment_display = :default_comment_display, + password = :password", + array(':name' => $name, + ':email' => $email, + ':challenge' => $challenge, + ':default_comment_display' => $default_comment_display, + ':password' => $password)); // log in #$this->SetUser($this->LoadUser($name)); diff --git a/actions/wikkaconfig/wikkaconfig.php b/actions/wikkaconfig/wikkaconfig.php index a84a3539..9c5fba2f 100644 
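Review bot: The stored hash changes for some existing users: the old code hashed `md5($challenge.mysql_real_escape_string($password))`, the new code hashes the raw password, so anyone whose password contains a quote, backslash or control character (the characters that function escaped) will have a hash that no longer matches unless the login check (not in this diff) was applying the same escaping and is changed in step; this is the #531 fix, but it needs a note or a migration path. Independently, `md5($challenge.$password)` with `$challenge = dechex(crc32(time()))` is a predictable, low-entropy salt on a fast hash; since this conversion already requires PHP 5.5+, store `password_hash($password, PASSWORD_DEFAULT)` and verify with `password_verify()`, keeping the md5 path only to upgrade legacy rows on successful login. The same applies to the signup hunk below, which computes the hash the same way.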
--- a/actions/wikkaconfig/wikkaconfig.php +++ b/actions/wikkaconfig/wikkaconfig.php @@ -22,7 +22,7 @@ $odd_row = TRUE; $settings = $this->config; //array of sensitive config options to exclude from the output - $hide_options = array('mysql_host', 'mysql_user', 'mysql_password'); + $hide_options = array('dbms_host', 'dbms_user', 'dbms_password'); $wc_output = '
'.$this->FormatUser($user['name']).''.$this->getCount('pages', $where).''.$this->getCount('pages', $where, array(':name' => $user['name'])).'('.$user['signuptime'].')
'."\n"; $wc_output .= ' '."\n"; diff --git a/handlers/acls/acls.php b/handlers/acls/acls.php index 9af776d7..6c262421 100644 --- a/handlers/acls/acls.php +++ b/handlers/acls/acls.php @@ -64,9 +64,9 @@ // store lists only if ACLs have previously been defined, // or if the posted values are different than the defaults - $page = $this->LoadSingle('SELECT * FROM '.$this->GetConfigValue('table_prefix'). - "acls WHERE page_tag = '".mysql_real_escape_string($this->GetPageTag()). - "' LIMIT 1"); + $page_tag = $this->GetPageTag(); + $page = $this->LoadSingle('SELECT * FROM '.$this->GetConfigValue('table_prefix')."acls WHERE page_tag = :page_tag LIMIT 1", + array(':page_tag' => $page_tag)); if ($page || ($posted_read_acl != $default_read_acl || diff --git a/handlers/delete/delete.php b/handlers/delete/delete.php index b3519c86..d194a3cc 100644 --- a/handlers/delete/delete.php +++ b/handlers/delete/delete.php 
@@ -45,11 +45,11 @@ if (NULL != $_POST) { // delete the page, comments, related "from" links, acls and referrers - $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."pages WHERE tag = '".mysql_real_escape_string($tag)."'"); - $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."comments WHERE page_tag = '".mysql_real_escape_string($tag)."'"); - $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."links WHERE from_tag = '".mysql_real_escape_string($tag)."'"); - $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."acls WHERE page_tag = '".mysql_real_escape_string($tag)."'"); - $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."referrers WHERE page_tag = '".mysql_real_escape_string($tag)."'"); + $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."pages WHERE tag = :tag", array(':tag' => $tag)); + $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."comments WHERE page_tag = :tag", array(':tag' => $tag)); + $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."links WHERE from_tag = :tag", array(':tag' => $tag)); + $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."acls WHERE page_tag = :tag", array(':tag' => $tag)); + $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."referrers WHERE page_tag = :tag", array(':tag' => $tag)); // redirect back to main page, or AdminPages if it is redirect page. if (isset($_POST['redirect_page']) && $this->existsPage($_POST['redirect_page']) && 'AdminPages' == $_POST['redirect_page']) diff --git a/handlers/delete_referrer/delete_referrer.php b/handlers/delete_referrer/delete_referrer.php index 14f68a2e..12cfb4ad 100644 --- a/handlers/delete_referrer/delete_referrer.php +++ b/handlers/delete_referrer/delete_referrer.php 
@@ -25,10 +25,11 @@ if (isset($spammer) && $spammer) { - $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."referrers WHERE referrer LIKE '%".mysql_real_escape_string($spammer)."%'"); - if (!$already_blacklisted = $this->LoadSingle("SELECT * from ".$this->GetConfigValue('table_prefix')."referrer_blacklist WHERE spammer = '".mysql_real_escape_string($spammer)."'")) + $like_spammer = '%'.$spammer.'%'; + $this->Query("DELETE FROM ".$this->GetConfigValue('table_prefix')."referrers WHERE referrer LIKE :spammer", array(':spammer' => $like_spammer)); + if (!$already_blacklisted = $this->LoadSingle("SELECT * from ".$this->GetConfigValue('table_prefix')."referrer_blacklist WHERE spammer = :spammer", array(':spammer' => $spammer))) { - $this->Query("INSERT INTO ".$this->GetConfigValue('table_prefix')."referrer_blacklist SET spammer = '".mysql_real_escape_string($spammer)."'"); + $this->Query("INSERT INTO ".$this->GetConfigValue('table_prefix')."referrer_blacklist SET spammer = :spammer", array(':spammer' => $spammer)); } } diff --git a/handlers/edit/edit.php b/handlers/edit/edit.php index e6badbcd..af63034f 100644 --- a/handlers/edit/edit.php +++ b/handlers/edit/edit.php @@ -81,7 +81,7 @@ $id = $this->page['id']; if(isset($_GET['id'])) { - $page = $this->LoadPageById(mysql_real_escape_string($this->GetSafeVar('id', 'get'))); + $page = $this->LoadPageById($this->GetSafeVar('id', 'get')); if($page['tag'] != $this->page['tag']) { $this->Redirect($this->Href(), T_("The revision id does not exist for the requested page")); 
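Review bot: `$like_spammer = '%'.$spammer.'%'` feeds a DELETE, and LIKE metacharacters in `$spammer` are live wildcards: a value containing `%` or `_` removes more referrers than the literal string (a bare `%` would empty the table). Where `$spammer` originates is outside this hunk, so escape it for LIKE, `$like_spammer = '%'.addcslashes($spammer, '%_\\').'%';` (backslash is MySQL's default LIKE escape unless NO_BACKSLASH_ESCAPES is set). The exact-match INSERT/SELECT on `spammer = :spammer` are fine as bound.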
@@ -185,8 +185,9 @@ } // derive maximum length for a page name from the table structure if possible - if ($result = mysql_query("describe ".$this->GetConfigValue('table_prefix')."pages tag")) { - $field = mysql_fetch_assoc($result); + // MySQL specific! + if ($result = $this->Query("describe ".$this->GetConfigValue('table_prefix')."pages tag")) { + $field = ($result->fetchAll())[0]; if (preg_match("/varchar\((\d+)\)/", $field['Type'], $matches)) $maxtaglen = $matches[1]; } else diff --git a/handlers/maintenance.xml/maintenance.xml.php b/handlers/maintenance.xml/maintenance.xml.php index fd39356c..4fd61ccd 100644 --- a/handlers/maintenance.xml/maintenance.xml.php +++ b/handlers/maintenance.xml/maintenance.xml.php @@ -35,7 +35,9 @@ function UpdatePageTitle(&$wakka, $limit = 100) { $page_title = trim(preg_replace('![A-Z]!', " \\0", $tag)); } - $wakka->Query("UPDATE ".$wakka->GetConfigValue('table_prefix')."pages set title = '".mysql_real_escape_string($page_title)."' WHERE tag = '".mysql_real_escape_string($tag)."' and latest = 'Y'"); + $wakka->Query("UPDATE ".$wakka->GetConfigValue('table_prefix')."pages set title = :page_title WHERE tag = :tag and latest = 'Y'", + array(':page_title' => $page_title, + ':tag' => $tag)); echo "$tag $page_title \n"; } echo "Done..."; diff --git a/handlers/revert/revert.php b/handlers/revert/revert.php index 103bc7ee..3f602c2c 100644 --- a/handlers/revert/revert.php +++ b/handlers/revert/revert.php @@ -46,7 +46,7 @@ { include_once($this->BuildFullpathFromMultipath('..'.DIRECTORY_SEPARATOR.'..'.DIRECTORY_SEPARATOR.'libs'.DIRECTORY_SEPARATOR.'admin.lib.php', $this->GetConfigValue('action_path'))); $comment = T_("Reverted to previous revision"); - $tag = mysql_real_escape_string($this->GetPageTag()); + $tag = $this->GetPageTag(); $message = RevertPageToPreviousByTag($this, $tag, $comment); $this->Redirect($this->Href(), $message); } 
diff --git a/handlers/review_blacklist/review_blacklist.php b/handlers/review_blacklist/review_blacklist.php index 1d460812..cba89da0 100644 --- a/handlers/review_blacklist/review_blacklist.php +++ b/handlers/review_blacklist/review_blacklist.php @@ -28,7 +28,7 @@ if ($IsAdmin && isset($_GET["whitelist"])) { $whitelist = $this->GetSafeVar('whitelist'); - $this->Query('DELETE FROM '.$this->GetConfigValue('table_prefix').'referrer_blacklist WHERE spammer = "'.mysql_real_escape_string($whitelist).'"'); + $this->Query('DELETE FROM '.$this->GetConfigValue('table_prefix').'referrer_blacklist WHERE spammer = :whitelist', array(':whitelist' => $whitelist)); $this->redirect($this->Href('review_blacklist')); } else diff --git a/libs/Compatibility.lib.php b/libs/Compatibility.lib.php index fcf0105a..da177ab8 100644 --- a/libs/Compatibility.lib.php +++ b/libs/Compatibility.lib.php @@ -66,21 +66,6 @@ function getmicrotime($get_as_float=FALSE) return (FALSE === $get_as_float) ? $time : (float) $time; } -if (!function_exists('mysql_real_escape_string')) -{ - /** - * Escape special characters in a string for use in a SQL statement. - * - * This function is added for back-compatibility with MySQL 3.23. - * @param string $string the string to be escaped - * @return string a string with special characters escaped - */ - function mysql_real_escape_string($string) - { - return mysql_escape_string($string); - } -} - /** * Workaround for the amazingly annoying magic quotes. * @@ -137,6 +122,11 @@ function instantiate($class, $par1=NULL, $par2=NULL, $par3=NULL) return $obj; } +/* Deprecated as of 1.4.0 + * + * Use Wakka::pdo_get_server_version() as a generic replacement + * + function getMysqlVersion(&$mysql_errors) { $mysql_version = FALSE; @@ -172,6 +162,7 @@ function getMysqlVersion(&$mysql_errors) } return $mysql_version; } +*/ // The following functions are more utility functions than for compatibility // although in validLocalPath() we do take into account that realpath() under 
diff --git a/libs/Wakka.class.php b/libs/Wakka.class.php index aa4cacc6..82a28c8b 100644 --- a/libs/Wakka.class.php +++ b/libs/Wakka.class.php @@ -231,25 +231,36 @@ class Wakka * Constructor. * Database connection is established when the main class Wakka is constructed. * - * @uses Config::$mysql_database - * @uses Config::$mysql_host - * @uses Config::$mysql_password - * @uses Config::$mysql_user + * @uses Config::$dbms_database + * @uses Config::$dbms_host + * @uses Config::$dbms_password + * @uses Config::$dbms_user + * @uses Config::$dbms_type */ function Wakka($config) { $this->config = $config; - $this->dblink = @mysql_connect($this->GetConfigValue('mysql_host'), $this->GetConfigValue('mysql_user'), $this->GetConfigValue('mysql_password')); - mysql_query("SET NAMES 'utf8'", $this->dblink); - if ($this->dblink) - { - if (!@mysql_select_db($this->GetConfigValue('mysql_database'), $this->dblink)) - { - @mysql_close($this->dblink); - $this->dblink = FALSE; - } - } + // Set up PDO object + $dsn = $this->GetConfigValue('dbms_type') . ':' . + 'host=' . $this->GetConfigValue('dbms_host') . ';' . + 'dbname=' . $this->GetConfigValue('dbms_database'); + $user = $this->GetConfigValue('dbms_user'); + $pass = $this->GetConfigValue('dbms_password'); + try { + $this->dblink = new PDO($dsn, $user, $pass); + } catch(PDOException $e) { + die(''.T_("PDO connection error!").''); + } + $this->dblink->query("SET NAMES 'utf8'"); + + // Don't emulate prepare statements (to prevent injection attacks) + $this->dblink->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); + // Throw an exception on PDO::query calls + $this->dblink->setAttribute(PDO::ATTR_ERRMODE, + PDO::ERRMODE_EXCEPTION); + + // Set Wikka version, patch level (if present) $this->VERSION = WAKKA_VERSION; $this->PATCH_LEVEL = WIKKA_PATCH_LEVEL; } 
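Review bot: `SET NAMES 'utf8'` is issued before ATTR_ERRMODE is set to ERRMODE_EXCEPTION, so a failure there is silent, and it does not inform the client library of the charset, which matters now that pdo_quote() wraps PDO::quote(); put `charset=utf8` in the DSN and pass both attributes to the constructor so the connection is never in a half-configured state. The `die()` in the catch correctly withholds `$e->getMessage()`, which would include the host and user. This constructor ends at the bottom of the hunk, so the change is self-contained.
```php
$dsn = $this->GetConfigValue('dbms_type') . ':' .
    'host=' . $this->GetConfigValue('dbms_host') . ';' .
    'dbname=' . $this->GetConfigValue('dbms_database') . ';' .
    'charset=utf8';
// … unchanged: $user / $pass lookup …
try {
    $this->dblink = new PDO($dsn, $user, $pass, array(
        // native prepares: bound values never enter the SQL text
        PDO::ATTR_EMULATE_PREPARES => false,
        // every failed statement throws, including the connection setup
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ));
} catch(PDOException $e) {
    // … unchanged: die() with the generic connection-error message …
}
// … unchanged: version / patch level …
```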
@@ -266,15 +277,19 @@ function Wakka($config) * Debugging is enabled, the query and the time it took to execute * are added to the Query-Log. * + * To prevent SQL injection attacks, all queries must be + * parameterized! + * * @uses Config::$sql_debugging * @uses Wakka::GetMicroTime() * * @param string $query mandatory: the query to be executed. + * @param array $params optional: parameters for query (NULL if none) * @param resource $dblink optional: connection to the database - * @return array the result of the query. + * @return PDOStatement the result of the query. * */ - function Query($query, $dblink='') + function Query($query, $params=NULL, $dblink='') { // init - detect if called from object or externally if ('' == $dblink) @@ -287,10 +302,32 @@ function Query($query, $dblink='') { $object = FALSE; } - if (!$result = mysql_query($query, $dblink)) - { + try { + $result = $dblink->prepare($query); + if(NULL == $params) { + $result->execute(); + } else { + $result->execute($params); + } + } catch(PDOException $e) { ob_end_clean(); - die("Query failed: ".$query." (".mysql_error().")"); #i18n + /* + die('' . + T_("Query failed in Query(): ") . + $e->getCode() . + ''); + */ + + // DEBUG + // Don't use this in production! + print $e; + print "
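Review bot: Inserting `$params` as the second parameter of `Query()` changes the meaning of a positional second argument: a caller that passed the connection that way (the old `existsPage()` in this file called `Wakka::Query($query, $dblink)`) would now hand the PDO object in as the parameter array. Any such caller outside this diff needs updating in the same commit, or `$params` should go after `$dblink`. The docblock still says `@param resource $dblink`; it is a PDO object now, so `@param PDO $dblink` is the accurate tag.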
"; + print "Query: ".$query; + print "Params: ".var_dump($params); + die('' . + T_("Query failed in Query(): ") . + $e->getCode() . + ''); } if ($object && $this->GetConfigValue('sql_debugging')) { 
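Review bot: The failure path of `Query()` prints the exception (with its stack trace), the SQL text and a `var_dump()` of the bound parameters straight into the HTTP response; those parameters include user passwords (`LoadUser()` binds `:password`) and full page bodies, so any failing query discloses them to the visitor. The block is labelled DEBUG but nothing gates it, so it ships as written. Keep the generic `die()` and send the detail to the server log instead, e.g. `error_log('Query failed: '.$e->getMessage().' in '.$query);`. Also `"Params: ".var_dump($params)` emits the dump before the label, because `var_dump()` returns null.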
@@ -302,19 +339,82 @@ function Query($query, $dblink='') return $result; } + /** + * Replacement for mysql_real_escape_string() (wrapper around + * PDO::quote()). + * + * Note that the use of parameters using prepare()/execute() is + * the preferred method for santizing input. Use PDO::quote() + * sparingly! + * + * @param string $val mandatory: the string to be sanitized + * @param resource $dblink optional: connection to the database + * @return string the sanitized string + * + */ + function pdo_quote($val, $dblink='') + { + // init - detect if called from object or externally + if ('' == $dblink) + { + $dblink = $this->dblink; + } + return $dblink->quote($val); + } + + /** + * Return "safe" identifiers (tables, fields, and database names) + * by enclosing in backticks. + * + * Note that this offers protection against SQL injection, but not + * against dynamic input of table/field/db names. Best to check + * against a whitelist! + * + * Adapted from http://php.net/manual/en/pdo.quote.php#112169 + * + * @param string $ident mandatory: identifier + * @param resource $dblink optional: connection to the database + * @return string the sanitized identifier + */ + function pdo_quote_identifier($ident, $dblink='') { + if('' == $dblink) { + $dblink = $this->dblink; + } + return "`".str_replace("`","``",$ident)."`"; + } + + /** + * Return DB server version. + * + * @param resource $dblink optional: connection to the database + * @return string the DB version + */ + function pdo_get_server_version($dblink='') { + // init - detect if called from object or externally + if ('' == $dblink) + { + $dblink = $this->dblink; + } + return $dblink->getAttribute(PDO::ATTR_SERVER_VERSION); + } + + /** * Return the first row of a query executed on the database. 
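Review bot: `pdo_quote_identifier()` initialises `$dblink` but never uses it, and all three new helpers document the connection as `@param resource $dblink` although it is a PDO object now. Drop the dead initialisation and change the tags to `@param PDO $dblink optional: connection to the database`. The `pdo_quote()` docblock should also say that the returned string already includes the surrounding quotes, since code migrating from mysql_real_escape_string() will otherwise wrap it in a second pair.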
* * @uses Wakka::LoadAll() * * @param string $query mandatory: the query to be executed + * @param array $params optional: parameters for query (NULL if none) * @return mixed an array with the first result row of the query, or FALSE if nothing was returned. * @todo for 1.3: check if indeed false is returned (compare with trunk) */ - function LoadSingle($query) + function LoadSingle($query, $params=NULL) { - if ($data = $this->LoadAll($query)) - return $data[0]; + if ($data = $this->LoadAll($query, $params)) { + return $data[0]; + } + return FALSE; } /** @@ -323,18 +423,14 @@ function LoadSingle($query) * @uses Wakka::Query() * * @param string $query mandatory: the query to be executed + * @param array $params optional: parameters for query (NULL if none) * @return array the result of the query. */ - function LoadAll($query) + function LoadAll($query, $params=NULL) { - $data = array(); - if ($r = $this->Query($query)) + if ($r = $this->Query($query, $params)) { - while ($row = mysql_fetch_assoc($r)) - { - $data[] = $row; - } - mysql_free_result($r); + $data = $r->fetchAll(); } return $data; } @@ -360,9 +456,9 @@ function LoadAll($query) * @param string $where optional: criteria to be specified for a WHERE clause; * do not include WHERE * @param boolean $usePrefix optional: if true, append prefix defined in wikka.config.php file; if false, do not append prefix - * @return integer number of matches returned by MySQL + * @return integer number of matches returned by query */ - function getCount($table, $where='', $usePrefix=TRUE) # JW 2005-07-16 + function getCount($table, $where='', $params = NULL, $usePrefix=TRUE) { // build query $prefix = ''; 
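Review bot: `LoadAll()` no longer initialises `$data`, so when `Query()` returns a falsy value the function returns an undefined variable (a notice, then null) rather than the empty array the old code returned and callers such as `count($res)` in `LoadLastTwoPagesByTag()` expect. Restore `$data = array();` before the `if`.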
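Review bot: `getCount()` gains `$params` as its third parameter, ahead of `$usePrefix`, so any caller that passed `$usePrefix` positionally now supplies it as the parameter array. The callers visible in this diff (`CountComments()`, `CountAllComments()`) pass an array, but a caller of the old signature elsewhere would break silently. Either append the new parameter last — `function getCount($table, $where='', $usePrefix=TRUE, $params=NULL)` and adjust those two call sites — or confirm by grep that no positional `$usePrefix` caller remains.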
@@ -377,12 +473,14 @@ function getCount($table, $where='', $usePrefix=TRUE) # JW 2005-07-16 $where; // get and return the count as an integer - $count = (int)mysql_result($this->Query($query),0); - return $count; + $r = $this->Query($query, $params); + $count = $r->fetch($cursor_offset = 0); + $r->closeCursor(); + return $count[0]; } /** - * Check if the MySQL-Version is higher or equal to a given (minimum) one. + * Check if the DB version is higher or equal to a given (minimum) one. * * @param $major * @param $minor @@ -390,39 +488,28 @@ function getCount($table, $where='', $usePrefix=TRUE) # JW 2005-07-16 * @return unknown_type * @todo for 1.3: compare with trunk-version! */ - function CheckMySQLVersion($major, $minor, $subminor) + function CheckDBVersion($major, $minor, $subminor) { - $result = @mysql_query('SELECT VERSION() AS version'); - if ($result !== FALSE && @mysql_num_rows($result) > 0) + $result = $this->pdo_get_server_version(); + if ($result !== FALSE) { - $row = mysql_fetch_array($result); - $match = explode('.', $row['version']); - } - else - { - $result = @mysql_query('SHOW VARIABLES LIKE \'version\''); - if ($result !== FALSE && @mysql_num_rows($result) > 0) - { - $row = mysql_fetch_row($result); - $match = explode('.', $row[1]); - } - else - { - return 0; - } + $match = explode('.', $result); + } else { + return -1; } - $mysql_major = $match[0]; - $mysql_minor = $match[1]; - $mysql_subminor = $match[2][0].$match[2][1]; - if ($mysql_major > $major) - { - return 1; - } + $db_major = $match[0]; + $db_minor = $match[1]; + $db_subminor = $match[2][0].$match[2][1]; + + if ($db_major > $major) + { + return 1; + } else { - if (($mysql_major == $major) && ($mysql_minor >= $minor) && ($mysql_subminor >= $subminor)) + if (($db_major == $major) && ($db_minor >= $minor) && ($db_subminor >= $subminor)) { return 1; } @@ -433,8 +520,6 @@ function CheckMySQLVersion($major, $minor, $subminor) } } - /**#@-*/ - /**#@+ * @category Misc methods */ 
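Review bot: `$r->fetch($cursor_offset = 0)` passes 0 as the fetch *mode* (the first parameter of `PDOStatement::fetch()`); the inline assignment only creates a misleading local. Write `$row = $r->fetch(PDO::FETCH_NUM);` and `return (int)$row[0];`, which also honours the documented integer return, since the driver hands COUNT() back as a string. The same idiom appears in `existsPage()` later in this diff.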
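Review bot: `$db_subminor = $match[2][0].$match[2][1];` assumes the third dotted component is at least two digits; `PDO::ATTR_SERVER_VERSION` can return strings with a suffix (for example a constructed `5.7.9-log`), where this yields `9-`. Parse with `preg_match('/^(\d+)\.(\d+)\.(\d+)/', $result, $m)` and compare the captured integers instead. The `-1` branch is also unreachable: `pdo_get_server_version()` never returns FALSE, because with `ERRMODE_EXCEPTION` a failure throws, and the old code returned `0` here, so callers that compared against `0` should be checked.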
@@ -1491,7 +1576,18 @@ function LoadPage($tag, $time='', $cache=TRUE) if ($page=="cached_nonexistent_page") return null; } // load page - if (!isset($page)) $page = $this->LoadSingle("select * from ".$this->GetConfigValue('table_prefix')."pages where tag = '".mysql_real_escape_string($tag)."' ".($time ? "and time = '".mysql_real_escape_string($time)."'" : "and latest = 'Y'")." limit 1"); + if(!isset($page)) { + $params = NULL; + if('' != $time) { + $params = array(':time'=>$time); + } + $params[':tag'] = $tag; + $query = "SELECT * FROM " . $this->GetConfigValue('table_prefix') . + "pages WHERE tag=:tag " . + ($time ? "AND time=:time " : "AND latest='Y' ") . + "LIMIT 1"; + $page = $this->LoadSingle($query, $params); + } // cache result if ($page && !$time) { $this->pageCache[$page["tag"]] = $page; @@ -1616,8 +1712,7 @@ function LoadPageById($id) return $this->LoadSingle(" SELECT * FROM ".$this->GetConfigValue('table_prefix')."pages - WHERE id = '".mysql_real_escape_string($id)."' - LIMIT 1" + WHERE id = :id LIMIT 1", array(':id' => $id) ); } @@ -1633,7 +1728,7 @@ function LoadPageById($id) */ function LoadRevisions($page) { - return $this->LoadAll("select * from ".$this->GetConfigValue('table_prefix')."pages where tag = '".mysql_real_escape_string($page)."' order by id desc"); + return $this->LoadAll("select * from ".$this->GetConfigValue('table_prefix')."pages where tag = :page order by id desc", array(':page' => $page)); } /** @@ -1661,9 +1756,9 @@ function LoadOldestRevision($tag) $oldest_revision = $this->LoadSingle(" SELECT note, id, time, user FROM ".$this->GetConfigValue('table_prefix')."pages - WHERE tag = '".mysql_real_escape_string($tag)."' + WHERE tag = :tag ORDER BY time - LIMIT 1" + LIMIT 1", array(':tag' => $tag) ); return $oldest_revision; } 
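Review bot: The `$params` guard in `LoadPage()` tests `'' != $time` while the query text tests `$time ?`, so a `$time` of `'0'` binds `:time` although the SQL contains no such placeholder; with emulated prepares disabled, `execute()` then throws on the parameter count and `Query()` dies. Use one test for both, e.g. `$params = array(':tag' => $tag); if ($time) { $params[':time'] = $time; }`.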
@@ -1681,8 +1776,8 @@ function LoadPagesLinkingTo($tag) // #410 return $this->LoadAll(" SELECT from_tag AS page_tag FROM ".$this->GetConfigValue('table_prefix')."links - WHERE to_tag = '".mysql_real_escape_string($tag)."' - ORDER BY page_tag" + WHERE to_tag = :tag + ORDER BY page_tag", array(':tag' => $tag) ); } @@ -1830,8 +1925,8 @@ function LoadPagesByOwner($owner) SELECT tag FROM ".$this->GetConfigValue('table_prefix')."pages WHERE `latest` = 'Y' - AND `owner` = '".mysql_real_escape_string($owner)."' - ORDER BY `tag`" + AND `owner` = :owner + ORDER BY `tag`", array(':owner' => $owner) ); } @@ -1906,20 +2001,26 @@ function SavePage($tag, $body, $note, $owner=null) $this->Query(" UPDATE ".$this->GetConfigValue('table_prefix')."pages SET latest = 'N' - WHERE tag = '".mysql_real_escape_string($tag)."'" + WHERE tag = :tag", array(':tag' => $tag) ); // add new revision $this->Query(" INSERT INTO ".$this->GetConfigValue('table_prefix')."pages - SET tag = '".mysql_real_escape_string($tag)."', - title = '".mysql_real_escape_string($page_title)."', + SET tag = :tag, + title = :page_title, time = now(), - owner = '".mysql_real_escape_string($owner)."', - user = '".mysql_real_escape_string($user)."', - note = '".mysql_real_escape_string($note)."', + owner = :owner, + user = :user, + note = :note, latest = 'Y', - body = '".mysql_real_escape_string($body)."'" + body = :body", + array(':tag' => $tag, + ':page_title' => $page_title, + ':owner' => $owner, + ':user' => $user, + ':note' => $note, + ':body' => $body) ); // WikiPing 
@@ -1956,21 +2057,20 @@ function FullTextSearch($phrase, $caseSensitive=0, $utf8Compatible=0) if(0 == $utf8Compatible) { $id = ''; - // Should work with any browser/entity conversion scheme - $search_phrase = mysql_real_escape_string($phrase); // Convert " entity to actual quotes for exact phrase match - $search_phrase = stripslashes(str_replace(""", "\"", $search_phrase)); + $search_phrase = stripslashes(str_replace(""", "\"", $phrase)); if ( 1 == $caseSensitive ) $id = ', id'; - $sql = "select * from ".$this->GetConfigValue('table_prefix')."pages where latest = ". "'Y'" ." and match(tag, body".$id.") against(". "'$search_phrase'" ." IN BOOLEAN MODE) order by time DESC"; + $sql = "select * from ".$this->GetConfigValue('table_prefix')."pages where latest = ". "'Y'" ." and match(tag, body".$id.") against(:search_phrase IN BOOLEAN MODE) order by time DESC"; + $data = $this->LoadAll($sql, array(':search_phrase' => $search_phrase)); } else { - $search_phrase = mysql_real_escape_string($phrase); $sql = "select * from ".$this->GetConfigValue('table_prefix')."pages WHERE latest = ". "'Y'"; - foreach( explode(' ', $search_phrase) as $term ) - $sql .= " AND ((`tag` LIKE '%{$term}%') OR (body LIKE '%{$term}%'))"; + foreach( explode(' ', $phrase) as $term ) + $sql .= " AND ((`tag` LIKE '%'.$this->quote($term).'%') OR (body LIKE '%'.$this->quote($term).'%'))"; + $data = $this->LoadAll($sql, NULL); } - $data = $this->LoadAll($sql); + return $data; } @@ -1982,7 +2082,8 @@ function FullTextSearch($phrase, $caseSensitive=0, $utf8Compatible=0) */ function FullCategoryTextSearch($phrase) { - return $this->LoadAll("select * from ".$this->GetConfigValue('table_prefix')."pages where latest = 'Y' and match(body) against('".mysql_real_escape_string($phrase)."' IN BOOLEAN MODE)"); + return $this->LoadAll("select * from ".$this->GetConfigValue('table_prefix')."pages where latest = 'Y' and match(body) against(':phrase' IN BOOLEAN MODE)", + array(':phrase' => $phrase)); } /**#@-*/ 
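Review bot: The non-utf8 branch of `FullTextSearch()` still splices the user's phrase into the SQL unescaped: `$this->quote($term)` sits inside a double-quoted string, where PHP interpolates only `$this->quote` (an undefined property — `Wakka` has no `quote()` method; the new helper is `pdo_quote()`) and `$term` itself, so each term lands in the LIKE pattern verbatim and the injection this commit sets out to remove survives here. Bind each pattern instead, with distinct placeholder names because a named marker cannot be reused when emulation is off, and let the `$data = $this->LoadAll($sql, NULL)` call take the parameter array.
```php
// … unchanged: utf8Compatible == 0 branch …
} else {
    $sql = "select * from ".$this->GetConfigValue('table_prefix')."pages WHERE latest = ". "'Y'";
    $params = array();
    foreach (explode(' ', $phrase) as $i => $term) {
        // one marker per occurrence: named markers cannot be reused with emulation off
        $sql .= " AND ((`tag` LIKE :tag{$i}) OR (body LIKE :body{$i}))";
        $params[":tag{$i}"] = '%'.$term.'%';
        $params[":body{$i}"] = '%'.$term.'%';
    }
    $data = $this->LoadAll($sql, $params);
}
```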
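Review bot: In `FullCategoryTextSearch()` the placeholder is written as `against(':phrase' IN BOOLEAN MODE)`; the quotes turn it into the string literal `':phrase'`, so the statement has no parameter markers while one value is bound and `execute()` throws (`Query()` dies) on every call. Remove the quotes: `against(:phrase IN BOOLEAN MODE)`.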
@@ -2121,10 +2222,9 @@ function PageTitle($tag=null) else { $query = "SELECT title FROM ". $this->GetConfigValue('table_prefix'). - "pages WHERE tag = '". - mysql_real_escape_string($tag). - "' AND LATEST = 'Y'"; - $res = $this->LoadSingle($query); + "pages WHERE tag = :tag + AND LATEST = 'Y'"; + $res = $this->LoadSingle($query, array(':tag' => $tag)); $page_title = trim($res['title']) !== '' ? $res['title'] : $tag; $page_title = strip_tags($page_title); } @@ -2197,16 +2297,15 @@ function existsPage($page, $prefix='', $dblink=NULL, $active=TRUE) // build query $query = "SELECT COUNT(tag) FROM ".$table_prefix."pages - WHERE tag='".mysql_real_escape_string($page)."'"; + WHERE tag=:page"; if ($active) { $query .= " AND latest='Y'"; } // do query - if ($r = Wakka::Query($query, $dblink)) - { - $count = mysql_result($r,0); - mysql_free_result($r); + if($r = $this->Query($query, array(':page' => $page))) { + $count = $r->fetch($cursor_offset = 0); + $r->closeCursor(); } // report return ($count > 0) ? TRUE : FALSE; @@ -2982,17 +3081,19 @@ function StopLinkTracking() function WriteLinkTable() { // delete entries for current page from link table + $tag = $this->GetPageTag(); $this->Query(" DELETE FROM ".$this->GetConfigValue('table_prefix')."links - WHERE from_tag = '".mysql_real_escape_string($this->GetPageTag())."'" + WHERE from_tag = :tag", array(':tag' => $tag) ); // build and insert new entries for current page in link table if ($linktable = $this->GetLinkTable()) { - $from_tag = mysql_real_escape_string($this->GetPageTag()); + $from_tag = $this->GetPageTag(); $written = array(); $sql = ''; + $params = array(); foreach ($linktable as $to_tag) { $lower_to_tag = strtolower($to_tag); 
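Review bot: In `existsPage()` `$count` now holds the row returned by `fetch()`, an array, and `($count > 0)` compares an array with an integer; PHP treats an array as greater than any scalar in that comparison, so the function reports TRUE for every page, missing ones included, and anything gating on existence inherits that. Initialise `$count = 0;` before the `if` and read the column: `$row = $r->fetch(PDO::FETCH_NUM); $count = (int)$row[0];`. Separately, `$dblink` is now ignored and the static `Wakka::Query` became `$this->Query`, so a caller that invoked `existsPage()` statically with its own connection — which the signature still invites — would fail; drop the parameter or pass it through to `Query()`.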
@@ -3002,16 +3103,17 @@ function WriteLinkTable() { $sql .= ', '; } - $sql .= "('".$from_tag."', '".mysql_real_escape_string($to_tag)."')"; + //$sql .= "(:from_tag, :to_tag)"; + $sql .= "(?, ?)"; + array_push($params, $from_tag); + array_push($params, $to_tag); $written[$lower_to_tag] = 1; } } if($sql) { $this->Query(" - INSERT INTO ".$this->GetConfigValue('table_prefix')."links - VALUES ".$sql - ); + INSERT INTO ".$this->GetConfigValue('table_prefix')."links VALUES ".$sql, $params); } } } @@ -3432,15 +3534,16 @@ function LogReferrer($tag = '', $referrer = '') $blacklist = $this->LoadSingle(" SELECT * FROM ".$this->GetConfigValue('table_prefix')."referrer_blacklist - WHERE spammer = '".mysql_real_escape_string($spammer)."'" + WHERE spammer = :spammer", array(':spammer' => $spammer) ); if (FALSE == $blacklist) { $this->Query(" INSERT INTO ".$this->GetConfigValue('table_prefix')."referrers - SET page_tag = '".mysql_real_escape_string($tag)."', - referrer = '".mysql_real_escape_string($referrer)."', - time = now()" + SET page_tag = :tag, + referrer = :referrer, + time = now()", + array(':tag' => $tag, ':referrer' => $referrer) ); } } 
@@ -3455,14 +3558,24 @@ function LogReferrer($tag = '', $referrer = '') */ function LoadReferrers($tag = '') { - $where = ($tag = trim($tag)) ? " WHERE page_tag = '".mysql_real_escape_string($tag)."'" : ''; - $referrers = $this->LoadAll(" - SELECT referrer, COUNT(referrer) AS num - FROM ".$this->GetConfigValue('table_prefix')."referrers". - $where." - GROUP BY referrer - ORDER BY num DESC" - ); + $where = ($tag = trim($tag)) ? " WHERE page_tag = :tag" : ''; + if('' == $where) { + $referrers = $this->LoadAll(" + SELECT referrer, COUNT(referrer) AS num + FROM ".$this->GetConfigValue('table_prefix')."referrers". + $where." + GROUP BY referrer + ORDER BY num DESC", NULL + ); + } else { + $referrers = $this->LoadAll(" + SELECT referrer, COUNT(referrer) AS num + FROM ".$this->GetConfigValue('table_prefix')."referrers". + $where." + GROUP BY referrer + ORDER BY num DESC", array(':tag' => $tag) + ); + } return $referrers; } @@ -3730,7 +3843,7 @@ function authenticateUserFromCookies() $users = $this->LoadAll(" SELECT * FROM ".$this->GetConfigValue('table_prefix')."users - WHERE name = '".mysql_real_escape_string($c_username)."'" + WHERE name = :c_username", array(':c_username' => $c_username) ); // evaluate result if (is_array($users)) @@ -3801,8 +3914,8 @@ function loadUserData($username) $user = $this->LoadSingle(" SELECT * FROM ".$this->GetConfigValue('table_prefix')."users - WHERE name = '".mysql_real_escape_string($username)."' - LIMIT 1" + WHERE name = :username + LIMIT 1", array(':username' => $username) ); if (is_array($user)) { 
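Review bot: Both branches of `LoadReferrers()` run the identical query and differ only in the parameter array, so the SQL is now maintained twice. Compute the parameters once — `$params = ('' == $where) ? NULL : array(':tag' => $tag);` — and keep a single `LoadAll(..., $params)` call. `LoadUser()` and `LoadRecentComments()` later in this diff duplicate their queries the same way and would benefit from the same shape.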
@@ -3827,12 +3940,21 @@ function loadUserData($username) */ function LoadUser($name, $password = 0) { - return $this->LoadSingle(" - SELECT * - FROM ".$this->GetConfigValue('table_prefix')."users - WHERE name = '".mysql_real_escape_string($name)."' ".($password === 0 ? "" : "and password = '".mysql_real_escape_string($password)."'")." - LIMIT 1" - ); + if(0 === $password) { + return $this->LoadSingle(" + SELECT * + FROM ".$this->GetConfigValue('table_prefix')."users + WHERE name = :name LIMIT 1", array(':name' => $name) + ); + } else { + return $this->LoadSingle(" + SELECT * + FROM ".$this->GetConfigValue('table_prefix')."users + WHERE name = :name and password = :password + LIMIT 1", + array(':name' => $name, ':password' => $password) + ); + } } /** @@ -4081,8 +4203,8 @@ function existsUser($username=NULL) $user = $this->LoadSingle(" SELECT `name` FROM ".$this->GetConfigValue('table_prefix')."users - WHERE `name` = '".mysql_real_escape_string($username)."' - LIMIT 1" + WHERE `name` = :name + LIMIT 1", array(':name' => $name) ); if (is_array($user)) { @@ -4137,9 +4259,9 @@ function LoadComments($tag, $order=NULL) return $this->LoadAll(" SELECT * FROM ".$this->GetConfigValue('table_prefix')."comments - WHERE page_tag = '".mysql_real_escape_string($tag)."' + WHERE page_tag = :tag AND (status IS NULL or status != 'deleted') - ORDER BY time" + ORDER BY time", array(':tag' => $tag) ); } elseif ($order == COMMENT_ORDER_DATE_DESC) @@ -4148,9 +4270,9 @@ function LoadComments($tag, $order=NULL) return $this->LoadAll(" SELECT * FROM ".$this->GetConfigValue('table_prefix')."comments - WHERE page_tag = '".mysql_real_escape_string($tag)."' + WHERE page_tag = :tag AND (status IS NULL or status != 'deleted') - ORDER BY time DESC" + ORDER BY time DESC", array(':tag' => $tag) ); } elseif ($order == COMMENT_ORDER_THREADED) 
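Review bot: `existsUser()` binds `array(':name' => $name)`, but its parameter is `$username`; `$name` is undefined, so NULL is bound, `name = NULL` never matches, and the function reports that no user exists whatever the input. Change the binding to `array(':name' => $username)`. Depending on how callers use a false result (registration or rename checks, presumably), this could let an already-taken name pass.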
@@ -4283,7 +4405,7 @@ function TraverseComments($tag, &$graph) */ function CountComments($tag) { - $count = $this->getCount('comments', "page_tag = '".mysql_real_escape_string($tag)."' AND (status IS NULL OR status != 'deleted')"); + $count = $this->getCount('comments', "page_tag = :tag AND (status IS NULL OR status != 'deleted')", array(':tag' => $tag)); return $count; } @@ -4297,7 +4419,7 @@ function CountComments($tag) */ function CountAllComments($tag) { - $count = $this->getCount('comments', "page_tag = '".mysql_real_escape_string($tag)."'"); + $count = $this->getCount('comments', "page_tag = :tag", $params = array(':tag' => $tag)); return $count; } /** @@ -4320,14 +4442,21 @@ function LoadRecentComments($limit=50, $user='') // @@@ if(!empty($user) && ($this->GetUser() || $this->IsAdmin())) { - $where = " WHERE user = '".mysql_real_escape_string($user)."' AND "; + $where = " WHERE user = :user AND "; + return $this->LoadAll(" + SELECT * + FROM ".$this->GetConfigValue('table_prefix')."comments + ".$where." (status IS NULL or status != 'deleted') + ORDER BY time DESC + LIMIT ".intval($limit), array(':user' => $user)); + } else { + return $this->LoadAll(" + SELECT * + FROM ".$this->GetConfigValue('table_prefix')."comments + ".$where." (status IS NULL or status != 'deleted') + ORDER BY time DESC + LIMIT ".intval($limit)); } - return $this->LoadAll(" - SELECT * - FROM ".$this->GetConfigValue('table_prefix')."comments - ".$where." (status IS NULL or status != 'deleted') - ORDER BY time DESC - LIMIT ".intval($limit)); } /** @@ -4347,10 +4476,12 @@ function LoadRecentComments($limit=50, $user='') // @@@ function LoadRecentlyCommented($limit = 50, $user = '') // @@@ { $where = ' AND 1 '; + $params = NULL; if(!empty($user) && ($this->GetUser() || $this->IsAdmin())) { - $where = " AND comments.user = '".mysql_real_escape_string($user)."' "; + $where = " AND comments.user = :user "; + $params = array(':user' => $user); } $sql = " 
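Review bot: In `CountAllComments()` the `$params = array(':tag' => $tag)` inside the argument list of `getCount()` assigns a local that is never read; pass the array directly, as `CountComments()` in the previous hunk does. The inline-assignment-as-argument idiom is the same one that obscures the fetch-mode mistake in `getCount()`, so it is worth removing wherever it appears.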
@@ -4364,7 +4495,7 @@ function LoadRecentlyCommented($limit = 50, $user = '') // @@@ ".$where." ORDER BY time DESC LIMIT ".intval($limit); - return $this->LoadAll($sql); + return $this->LoadAll($sql, $params); } /** @@ -4384,18 +4515,21 @@ function SaveComment($page_tag, $comment, $parent_id) $user = $this->GetUserName(); // add new comment - $parent_id = mysql_real_escape_string($parent_id); if (!$parent_id) { $parent_id = 'NULL'; } $this->Query(" INSERT INTO ".$this->GetConfigValue('table_prefix')."comments - SET page_tag = '".mysql_real_escape_string($page_tag)."', + SET page_tag = :page_tag, time = now(), - comment = '".mysql_real_escape_string($comment)."', - parent = ".$parent_id.", - user = '".mysql_real_escape_string($user)."'" + comment = :comment, + parent = :parent_id, + user = :user", + array(':page_tag' => $page_tag, + ':comment' => $comment, + ':parent_id' => ($parent_id == 'NULL') ? null : $parent_id, + ':user' => $user) ); } @@ -4526,10 +4660,10 @@ function SetPageOwner($tag, $user) // update latest revision with new owner $this->Query(" UPDATE ".$this->GetConfigValue('table_prefix')."pages - SET owner = '".mysql_real_escape_string($user)."' - WHERE tag = '".mysql_real_escape_string($tag)."' + SET owner = :user + WHERE tag = :tag AND latest = 'Y' - LIMIT 1" + LIMIT 1", array(':user' => $user, ':tag' => $tag) ); } } @@ -4552,11 +4686,16 @@ function SetPageOwner($tag, $user) */ function LoadACL($tag, $privilege, $useDefaults = 1) // @@@ { + $allowed_privs = array('read', 'write', 'comment_read', 'comment_post'); + if(!in_array($privilege, $allowed_privs)) { + die(''.T_("Invalid ACL privilege!").''); + } + $privs = $privilege."_acl"; if ((!$acl = $this->LoadSingle(" - SELECT ".mysql_real_escape_string($privilege)."_acl + SELECT $privs FROM ".$this->GetConfigValue('table_prefix')."acls - WHERE `page_tag` = '".mysql_real_escape_string($tag)."' - LIMIT 1" + WHERE `page_tag` = :tag + LIMIT 1", array(':tag' => $tag) )) && $useDefaults) { $acl = array( 
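Review bot: In `SaveComment()` the `'NULL'` string sentinel is now redundant: the binding `($parent_id == 'NULL') ? null : $parent_id` converts it straight back, and a PHP null in the `execute()` array is sent as SQL NULL. Drop the `if (!$parent_id) { $parent_id = 'NULL'; }` block and bind `':parent_id' => $parent_id ? $parent_id : null`, which also removes the loose `==` against a string.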
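Review bot: The new privilege whitelist in `LoadACL()` calls `in_array()` without `strict`, so on PHP 7 a non-string `$privilege` such as `0` compares equal to `'read'`, passes the check, and reaches the query as `0_acl`; because `$privs` is interpolated unquoted the outcome is only a failed query, but the gate should be exact: `if (!in_array($privilege, $allowed_privs, true))`. `SaveACL()` in the next hunk repeats the same whitelist and needs the same change; a class constant for the list would keep the two from drifting.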
@@ -4588,9 +4727,9 @@ function LoadAllACLs($tag, $useDefaults = 1) // @@@ if ((!$acl = $this->LoadSingle(" SELECT * FROM ".$this->GetConfigValue('table_prefix')."acls - WHERE `page_tag` = '".mysql_real_escape_string($tag)."' - LIMIT 1 - ")) && $useDefaults) + WHERE `page_tag` = :tag + LIMIT 1", array(':tag' => $tag) + )) && $useDefaults) { $acl = array( 'page_tag' => $tag, @@ -4622,24 +4761,32 @@ function LoadAllACLs($tag, $useDefaults = 1) // @@@ */ function SaveACL($tag, $privilege, $list) { + $allowed_privs = array('read', 'write', 'comment_read', 'comment_post'); + if(!in_array($privilege, $allowed_privs)) { + die(''.T_("Invalid ACL privilege!").''); + } // the $default will be put in the SET statement of the INSERT SQL for default values. It isn't used in UPDATE. $default = " read_acl = '', write_acl = '', comment_read_acl = '', comment_post_acl = '', "; // we strip the privilege_acl from default, to avoid redundancy $default = str_replace(" ".$privilege."_acl = '',", ' ', $default); + $privs = $privilege."_acl"; if ($this->LoadACL($tag, $privilege, 0)) { + $list = trim(str_replace("\r", "", $list)); $this->Query(" UPDATE ".$this->GetConfigValue('table_prefix')."acls - SET ".mysql_real_escape_string($privilege)."_acl = '".mysql_real_escape_string(trim(str_replace("\r", "", $list)))."' - WHERE page_tag = '".mysql_real_escape_string($tag)."' - LIMIT 1" + SET $privs = :list + WHERE page_tag = :tag + LIMIT 1", + array(':list' => $list, ':tag' => $tag) ); } else { $this->Query(" INSERT INTO ".$this->GetConfigValue('table_prefix')."acls - SET".$default." `page_tag` = '".mysql_real_escape_string($tag)."', ".mysql_real_escape_string($privilege)."_acl = '".mysql_real_escape_string(trim(str_replace("\r", "", $list)))."'" + SET".$default." `page_tag` = :tag, ".$privs." = :list", + array(':tag' => $tag, ':list' => $list) ); } } 
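Review bot: In `SaveACL()` the `$list = trim(str_replace("\r", "", $list));` normalisation now runs only in the UPDATE branch; the INSERT branch binds the raw `$list`, whereas the old code applied it to both statements. Move that line above `if ($this->LoadACL($tag, $privilege, 0))` so a newly created ACL row is stored the same way as an updated one.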
@@ -4998,7 +5145,8 @@ function Maintenance() { $this->Query(" DELETE FROM ".$this->GetConfigValue('table_prefix')."referrers - WHERE time < date_sub(now(), interval '".mysql_real_escape_string($days)."' day)" + WHERE time < date_sub(now(), interval :days day)", + array(':days' => $days) ); } @@ -5007,10 +5155,10 @@ function Maintenance() { $this->Query(" DELETE FROM ".$this->GetConfigValue('table_prefix')."pages - WHERE time < date_sub(now(), interval '".mysql_real_escape_string($days)."' day) - AND latest = 'N'" + WHERE time < date_sub(now(), interval :days day) + AND latest = 'N'", array(':days' => $days) ); - $this->Query("delete from ".$this->GetConfigValue('table_prefix')."pages where time < date_sub(now(), interval '".mysql_real_escape_string($days)."' day) and latest = 'N'"); + $this->Query("delete from ".$this->GetConfigValue('table_prefix')."pages where time < date_sub(now(), interval :days day) and latest = 'N'", array(':days' => days)); } } diff --git a/libs/admin.lib.php b/libs/admin.lib.php index 4a653800..368afe0e 100644 --- a/libs/admin.lib.php +++ b/libs/admin.lib.php @@ -31,8 +31,7 @@ */ function LoadLastTwoPagesByTag($wakka, $tag) { - $tag = mysql_real_escape_string($tag); - $res = $wakka->LoadAll("SELECT * FROM ".$wakka->config['table_prefix']."pages WHERE tag='".$tag."' ORDER BY time DESC LIMIT 2"); + $res = $wakka->LoadAll("SELECT * FROM ".$wakka->config['table_prefix']."pages WHERE tag=:tag ORDER BY time DESC LIMIT 2", array(':tag' => $tag)); if(count($res) != 2) { return null; @@ -55,8 +54,6 @@ function LoadLastTwoPagesByTag($wakka, $tag) function RevertPageToPreviousByTag($wakka, $tag, $comment='') { $message = T_("Reversion to previous version FAILED!"); - $tag = mysql_real_escape_string($tag); - $comment = mysql_real_escape_string($comment); if(TRUE===$wakka->IsAdmin()) { // Select current version of this page and version immediately preceding 
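Review bot: `array(':days' => days)` in the last `delete from ... pages` query of `Maintenance()` references the bare constant `days`, not `$days`; PHP 7 substitutes the string `'days'` with a warning and PHP 8 throws, so the statement either deletes nothing or aborts maintenance. That query is also a duplicate of the DELETE issued immediately above it (the duplication predates this commit), so the simplest fix is to remove the line; otherwise bind `$days`. Binding `(int)$days` for the INTERVAL value avoids relying on server-side string coercion.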
@@ -98,7 +95,6 @@ function RevertPageToPreviousByTag($wakka, $tag, $comment='') function RevertPageToPreviousById($wakka, $id, $comment='') { $message = T_("Reversion to previous version FAILED!"); - $id = mysql_real_escape_string($id); if(TRUE===$wakka->IsAdmin()) { $res = $wakka->LoadPageById($id); @@ -130,11 +126,7 @@ function DeleteUser($wakka, $user) $status = true; if(is_array($user)) { - $user = mysql_real_escape_string($user['name']); - } - else - { - $user = mysql_real_escape_string($user); + $user = $user['name']; } if(TRUE===$wakka->IsAdmin()) { @@ -145,10 +137,10 @@ function DeleteUser($wakka, $user) } // Reset password - $res = $wakka->LoadSingle("SELECT * FROM ".$wakka->config['table_prefix']."users WHERE name='".$user."'"); + $res = $wakka->LoadSingle("SELECT * FROM ".$wakka->config['table_prefix']."users WHERE name=:user", array(':user' => $user)); if(FALSE===empty($res)) { - $wakka->Query("UPDATE ".$wakka->config['table_prefix']."users SET status='deleted', password='!' WHERE name='".$user."'"); + $wakka->Query("UPDATE ".$wakka->config['table_prefix']."users SET status='deleted', password='!' WHERE name=:user", array(':user' => $user)); } else { @@ -156,7 +148,7 @@ function DeleteUser($wakka, $user) } // Remove sessions - $res = $wakka->LoadAll("SELECT * FROM ".$wakka->config['table_prefix']."sessions WHERE userid='".$user."'"); + $res = $wakka->LoadAll("SELECT * FROM ".$wakka->config['table_prefix']."sessions WHERE userid=:user", array(':user' => $user)); if(FALSE===empty($res)) { foreach($res as $session) @@ -164,7 +156,7 @@ function DeleteUser($wakka, $user) $session_file = session_save_path().DIRECTORY_SEPARATOR."sess_".$session['sessionid']; } } - $wakka->Query("DELETE FROM ".$wakka->config['table_prefix']."sessions WHERE userid='".$user."'"); + $wakka->Query("DELETE FROM ".$wakka->config['table_prefix']."sessions WHERE userid=:user", array(':user' => $user)); return $status; } 
diff --git a/scripts/convertHTMLEntities.php b/scripts/convertHTMLEntities.php index 929d075f..e8ca0840 100755 --- a/scripts/convertHTMLEntities.php +++ b/scripts/convertHTMLEntities.php @@ -53,6 +53,16 @@ = 70000) { + die("This script is deprecated for PHP versions 7 and greater!"); +} + include_once('../wikka.config.php'); function replace_callback($matches) diff --git a/scripts/migrateDeprecatedLinks.php b/scripts/migrateDeprecatedLinks.php index be002972..6515c775 100755 --- a/scripts/migrateDeprecatedLinks.php +++ b/scripts/migrateDeprecatedLinks.php @@ -126,6 +126,16 @@ protected function connect_to_database() { } } +// This script is deprecated for PHP versions 7 and greater! +if (!defined('PHP_VERSION_ID')) { + $version = explode('.', PHP_VERSION); + + define('PHP_VERSION_ID', ($version[0] * 10000 + $version[1] * 100 + $version[2])); +} +if(PHP_VERSION_ID >= 70000) { + die("This script is deprecated for PHP versions 7 and greater!"); +} + include_once('wikka.config.php'); $migrator = new LinkMigrator($wakkaConfig); $migrator->run(); diff --git a/setup/default.php b/setup/default.php index 497e1159..57238267 100644 --- a/setup/default.php +++ b/setup/default.php 
@@ -21,28 +21,28 @@ $wakkaConfig[$key] = $value; } } -if (!isset($wakkaConfig['mysql_password'])) +if (!isset($wakkaConfig['dbms_password'])) { - $wakkaConfig['mysql_password'] = ''; + $wakkaConfig['dbms_password'] = ''; } // Validate data $error['flag'] = false; if(isset($_SESSION['error_flag'])) { - if (isset($_POST['config']['mysql_host']) && strlen($_POST['config']['mysql_host']) == 0) + if (isset($_POST['config']['dbms_host']) && strlen($_POST['config']['dbms_host']) == 0) { - $error['mysql_host'] = "Please fill in a valid MySQL host."; + $error['dbms_host'] = "Please fill in a valid DB host."; $error['flag'] = true; } - if (isset($_POST['config']['mysql_database']) && strlen($_POST['config']['mysql_database']) == 0) + if (isset($_POST['config']['dbms_database']) && strlen($_POST['config']['dbms_database']) == 0) { - $error['mysql_database'] = "Please fill in a valid database."; + $error['dbms_database'] = "Please fill in a valid database."; $error['flag'] = true; } - if (isset($_POST['config']['mysql_user']) && strlen($_POST['config']['mysql_user']) == 0) + if (isset($_POST['config']['dbms_user']) && strlen($_POST['config']['dbms_user']) == 0) { - $error['mysql_user'] = "Please fill in a valid MySQL username."; + $error['dbms_user'] = "Please fill in a valid DB username."; $error['flag'] = true; } if (isset($_POST['config']['wakka_name']) && strlen($_POST['config']['wakka_name']) == 0) @@ -156,23 +156,23 @@ { ?> - - - + + + - - - - + + + + - - - - + + + + - - - + + + getCode()."\n
"; + print 'Exception message: '.$e->getMessage()."\n
"; + die('PDO connection error: '.$dsn); + } + // Don't emulate prepare statements (to prevent injection attacks) + $dblink->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); + // Throw an exception on PDO::query calls + $dblink->setAttribute(PDO::ATTR_ERRMODE, + PDO::ERRMODE_EXCEPTION); + + $dblink->exec("SET NAMES utf8"); + + return $dblink; +} + +/** + * Send a query to the database. (Modified version of Wakka::Query()) + * + * If the query fails, the function will simply die(). + * + * To prevent SQL injection attacks, all queries must be + * parameterized! + * + * @param string $query mandatory: the query to be executed. + * @param array $params optional: parameters for query (NULL if none) + * @param resource $dblink mandatory: connection to the database + * @return PDOStatement the result of the query. + * + */ +function db_query($query, $params=NULL, $dblink) +{ + if ('' == $dblink) + { + die('Must have valid instance of dblink in db_query!'); + } + try { + $result = $dblink->prepare($query); + $result->execute($params); + } catch (PDOException $e) { + return FALSE; + } + return $result; +} + /** * Brute force copy routine for those sites that have copy() disabled * 
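Review bot: `db_query($query, $params=NULL, $dblink)` declares a required parameter after an optional one, which PHP 8 reports as deprecated and which makes the default meaningless; move the connection forward (`db_query($query, $dblink, $params=NULL)`) or give it a default and keep the existing guard. The `catch (PDOException $e) { return FALSE; }` discards the driver error entirely, so a failing CREATE or INSERT in install.php shows only the generic "Already exists?" hint; at minimum `error_log($e->getMessage());` before returning. The start of `db_connect()` is not visible in this view, but its catch prints the exception message and `$dsn` to the installer page; host and database name are acceptable there, yet it is worth confirming the message never carries the password.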
@@ -76,9 +142,9 @@ function update_default_page($tag, $dblink, $config, $lang_defaults_path, $lang_ $body = ob_get_contents(); ob_end_clean(); //$body = implode('', file($txt_filepath)); - mysql_query('update '.$config['table_prefix'].'pages set latest = "N" where tag = \''.$tag.'\'', $dblink); + db_query('update '.$config['table_prefix'].'pages set latest = "N" where tag = :tag', array(':tag' => $tag), $dblink); test (sprintf(__('Adding/Updating default page %s'.'...'), $tag), - @mysql_query('insert into '.$config['table_prefix'].'pages set tag=\''.$tag.'\', body = \''.mysql_real_escape_string($body).'\', user=\'WikkaInstaller\', owner = \''.$admin_main_user.'\', time=now(), latest =\'Y\', note = \''.mysql_real_escape_string($note).'\'', $dblink), + db_query('insert into '.$config['table_prefix'].'pages set tag = :tag, body = :body, user = \'WikkaInstaller\', owner = :owner, time=now(), latest =\'Y\', note = :note', array(':tag' => $tag, ':body' => $body, ':owner' => $admin_main_user, ':note' => $note), $dblink), '', 0); // @@@ pick up any page-specific ACL here (look in both $lang_defaults_path and $lang_defaults_fallback_path) diff --git a/setup/install.php b/setup/install.php index 32d83d95..b57f3392 100644 --- a/setup/install.php +++ b/setup/install.php @@ -68,9 +68,10 @@ // test configuration print("
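Review bot: The new `db_query('update … set latest = "N" where tag = :tag', …)` call in `update_default_page()` discards its return value, and `db_query()` as defined in this patch catches `PDOException` and returns `FALSE`, so a failed demotion of the previous revision goes unnoticed and the insert that follows can leave two rows with `latest = 'Y'` for the same tag. Check it the way the insert is checked, e.g. `test(sprintf(__('Retiring previous revision of %s'.'...'), $tag), db_query('update '.$config['table_prefix'].'pages set latest = "N" where tag = :tag', array(':tag' => $tag), $dblink) !== FALSE, '', 0);` — the tables are created with `ENGINE=MyISAM` elsewhere in this patch, so a transaction would not make the pair atomic. `update_default_page()` begins and ends outside this hunk.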

Testing Configuration

\n"); -test("Testing MySQL connection settings...", $dblink = @mysql_connect($config["mysql_host"], $config["mysql_user"], $config["mysql_password"])); +test("Testing DB connection settings...", $dblink = db_connect($config)); +/* test("Looking for database...", @mysql_select_db($config["mysql_database"], $dblink), "The database you configured was not found. Remember, it needs to exist before you can install/upgrade Wakka!\n\nPress the Back button and reconfigure the settings."); -@mysql_query("SET NAMES 'utf8'", $dblink); // refs #1024 +*/ print("
\n"); // do installation stuff @@ -89,9 +90,9 @@ case "0": print("

Installing Stuff

"); test("Setting up database for UTF-8...", true); - @mysql_query( "ALTER DATABASE ".$config['mysql_database']." DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;", $dblink); + $dblink->exec("ALTER DATABASE ".$config['dbms_database']." DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;"); test("Creating page table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."pages (". "id int(10) unsigned NOT NULL auto_increment,". "tag varchar(75) NOT NULL default '',". @@ -108,9 +109,9 @@ "KEY idx_time (time),". "KEY idx_owner (owner), ". "KEY idx_latest (latest)". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); test("Creating ACL table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."acls (". "page_tag varchar(75) NOT NULL default '',". "read_acl text NOT NULL,". 
@@ -118,32 +119,32 @@ "comment_read_acl text NOT NULL,". "comment_post_acl text NOT NULL,". "PRIMARY KEY (page_tag)". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); test("Creating link tracking table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."links (". "from_tag varchar(75) NOT NULL default '',". "to_tag varchar(75) NOT NULL default '',". "UNIQUE KEY from_tag (from_tag,to_tag),". "KEY idx_to (to_tag)". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); test("Creating referrer table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."referrers (". "page_tag varchar(75) NOT NULL default '',". "referrer varchar(255) NOT NULL default '',". "time datetime NOT NULL default '1900-01-01 00:00:00',". "KEY idx_page_tag (page_tag),". "KEY idx_time (time)". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); test("Creating referrer blacklist table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."referrer_blacklist (". "spammer varchar(255) NOT NULL default '',". "KEY idx_spammer (spammer)". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); test("Creating user table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."users (". "name varchar(75) NOT NULL default '',". "password varchar(32) NOT NULL default '',". 
@@ -159,9 +160,9 @@ "challenge varchar(8) default '',". // refs #1023 "PRIMARY KEY (name),". "KEY idx_signuptime (signuptime)". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); test("Creating comment table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."comments (". "id int(10) unsigned NOT NULL auto_increment,". "page_tag varchar(75) NOT NULL default '',". @@ -174,15 +175,15 @@ "PRIMARY KEY (id),". "KEY idx_page_tag (page_tag),". "KEY idx_time (time)". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); test("Creating session tracking table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."sessions (". "sessionid char(32) NOT NULL,". "userid varchar(75) NOT NULL,". "PRIMARY KEY (sessionid, userid),". "session_start datetime NOT NULL". - ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", $dblink), "Already exists?", 0); + ") CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE=MyISAM", NULL, $dblink), "Already exists?", 0); update_default_page(array( '_rootpage', 
@@ -229,23 +230,25 @@ // use page-specific "ACL" files to create page-specific ACLs (in update_default_page()!). // @@@ use test() function to report actual results instead of assuming success! test("Setting default ACL...", 1); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'UserSettings', read_acl = '*', write_acl = '+', comment_read_acl = '*', comment_post_acl = '+'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminUsers', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminPages', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'SysInfo', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'WikkaConfig', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'DatabaseInfo', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'WikkaMenulets', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminBadWords', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminSpamLog', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'UserSettings', read_acl = '*', 
write_acl = '+', comment_read_acl = '*', comment_post_acl = '+'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminUsers', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminPages', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'SysInfo', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'WikkaConfig', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'DatabaseInfo', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'WikkaMenulets', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminBadWords', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminSpamLog', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); // Register admin user $challenge = dechex(crc32(time())); - $pass_val = md5($challenge.(mysql_real_escape_string($_POST['password']))); + $pass_val = md5($challenge.$_POST['password']); + $name = $config['admin_users']; + $email = $config['admin_email']; // Delete existing admin user in case installer was run twice - @mysql_query('delete from '.$config['table_prefix'].'users where name = 
\''.$config['admin_users'].'\'', $dblink); + db_query('delete from '.$config['table_prefix'].'users where name = :name', array(':name' => $name), $dblink); test(__('Adding admin user').'...', - @mysql_query("insert into ".$config["table_prefix"]."users set name = '".$config["admin_users"]."', password = '".$pass_val."', email = '".$config["admin_email"]."', signuptime = now(), challenge='".$challenge."'", $dblink), "Hmm!", 0); + db_query("insert into ".$config["table_prefix"]."users set name = :name, password = :pass_val, email = :email, signuptime = now(), challenge= :challenge", array(':name' => $name, ':pass_val' => $pass_val, ':email' => $email, ':challenge' => $challenge), $dblink), "Hmm!", 0); // Auto-login wiki admin // Set default cookie path @@ -268,7 +271,7 @@ case "0.1": print("Wakka 0.1 to 0.1.1
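Review bot: `$pass_val = md5($challenge.$_POST['password']);` still stores the admin password as an MD5 with a weak salt — `$challenge = dechex(crc32(time()))` is an eight-hex-digit value derived from the install time — and `$_POST['password']` is read without an `isset()` guard. Dropping `mysql_real_escape_string()` from the hash input is correct (it changed the stored hash for passwords containing quotes or backslashes), but since this patch already touches the users table this is the moment to move to `password_hash($password, PASSWORD_DEFAULT)`; that requires widening the `password varchar(32)` column created earlier in this patch to at least 255 and updating the login-side comparison, which is outside this diff. Until that lands, at least read the value defensively, `$password = isset($_POST['password']) ? $_POST['password'] : '';`, and make the "Adding admin user" `test()` fail when `$password === ''` instead of creating an admin account from a missing field.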
\n"); test("Just very slightly altering the pages table...", - @mysql_query("alter table ".$config['table_prefix']."pages add body_r text not null default '' after body", $dblink), "Already done? Hmm!", 0); + db_query("alter table ".$config['table_prefix']."pages add body_r text not null default '' after body", NULL, $dblink), "Already done? Hmm!", 0); test("Claiming all your base...", 1); // from 0.1.1 to 0.1.2 @@ -284,11 +287,11 @@ case "0.1.3-dev": print("Wakka 0.1.3-dev to Wikka 1.0.0 changes:
\n"); test("Adding note column to the pages table...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages ADD note varchar(50) NOT NULL default '' after latest", $dblink), "Failed.", 1); + db_query("ALTER TABLE ".$config['table_prefix']."pages ADD note varchar(50) NOT NULL default '' after latest", NULL, $dblink), "Failed.", 1); test("Just slightly altering the pages table...", - @mysql_query("alter table ".$config['table_prefix']."pages DROP COLUMN body_r", $dblink), "Already done? Hmm!", 0); + db_query("alter table ".$config['table_prefix']."pages DROP COLUMN body_r", NULL, $dblink), "Already done? Hmm!", 0); test("Just slightly altering the users table...", - @mysql_query("alter table ".$config['table_prefix']."users DROP COLUMN motto", $dblink), "Already done? Hmm!", 0); + db_query("alter table ".$config['table_prefix']."users DROP COLUMN motto", NULL, $dblink), "Already done? Hmm!", 0); case "1.0": case "1.0.1": case "1.0.2": @@ -302,7 +305,7 @@ case "1.0.6": print("1.0.6 to 1.1.0 changes:
\n"); test("Creating comment table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."comments (". "id int(10) unsigned NOT NULL auto_increment,". "page_tag varchar(75) NOT NULL default '',". @@ -312,65 +315,65 @@ "PRIMARY KEY (id),". "KEY idx_page_tag (page_tag),". "KEY idx_time (time)". - ") ENGINE=MyISAM", $dblink), "Already done? Hmm!", 1); + ") ENGINE=MyISAM", NULL, $dblink), "Already done? Hmm!", 1); test("Copying comments from the pages table to the new comments table...", - @mysql_query("INSERT INTO ".$config['table_prefix']."comments (page_tag, time, comment, user) SELECT comment_on, time, body, user FROM ".$config['table_prefix']."pages WHERE comment_on != '';", $dblink), "Already done? Hmm!", 1); + db_query("INSERT INTO ".$config['table_prefix']."comments (page_tag, time, comment, user) SELECT comment_on, time, body, user FROM ".$config['table_prefix']."pages WHERE comment_on != '';", NULL, $dblink), "Already done? Hmm!", 1); test("Deleting comments from the pages table...", - @mysql_query("DELETE FROM ".$config['table_prefix']."pages WHERE comment_on != ''", $dblink), "Already done? Hmm!", 1); + db_query("DELETE FROM ".$config['table_prefix']."pages WHERE comment_on != ''", NULL, $dblink), "Already done? Hmm!", 1); test("Removing comment_on field from the pages table...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages DROP comment_on", $dblink), "Already done? Hmm!", 1); + db_query("ALTER TABLE ".$config['table_prefix']."pages DROP comment_on", NULL, $dblink), "Already done? Hmm!", 1); test("Removing comment pages from the ACL table...", - @mysql_query("DELETE FROM ".$config['table_prefix']."acls WHERE page_tag like 'Comment%'", $dblink), "Already done? Hmm!", 1); + db_query("DELETE FROM ".$config['table_prefix']."acls WHERE page_tag like 'Comment%'", NULL, $dblink), "Already done? Hmm!", 1); case "1.1.0": print("1.1.0 to 1.1.2 changes:
\n"); test("Dropping current ACL table structure...", - @mysql_query("DROP TABLE ".$config['table_prefix']."acls", $dblink), "Already done? Hmm!", 0); + db_query("DROP TABLE ".$config['table_prefix']."acls", NULL, $dblink), "Already done? Hmm!", 0); test("Creating new ACL table structure...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."acls (". "page_tag varchar(75) NOT NULL default '',". "read_acl text NOT NULL,". "write_acl text NOT NULL,". "comment_acl text NOT NULL,". "PRIMARY KEY (page_tag)". - ") ENGINE=MyISAM", $dblink), "Already exists?", 1); + ") ENGINE=MyISAM", NULL, $dblink), "Already exists?", 1); case "1.1.2": case "1.1.3": print("1.1.3 to 1.1.3.1 changes:
\n"); test("Altering pages table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE tag tag varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE tag tag varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering pages table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE user user varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE user user varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering pages table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE owner owner varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE owner owner varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering pages table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE note note varchar(100) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE note note varchar(100) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering user table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE name name varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE name name varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering comments table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE page_tag page_tag varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE page_tag page_tag varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. 
?", 1); test("Altering comments table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE user user varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE user user varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering acls table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE page_tag page_tag varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE page_tag page_tag varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering links table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."links CHANGE from_tag from_tag varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."links CHANGE from_tag from_tag varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering links table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."links CHANGE to_tag to_tag varchar(75) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."links CHANGE to_tag to_tag varchar(75) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Altering referrers table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrers MODIFY referrer varchar(150) NOT NULL default ''", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."referrers MODIFY referrer varchar(150) NOT NULL default ''", NULL, $dblink), "Failed. ?", 1); test("Creating referrer_blacklist table...", - @mysql_query( + db_query( "CREATE TABLE ".$config['table_prefix']."referrer_blacklist (". "spammer varchar(150) NOT NULL default '',". "KEY idx_spammer (spammer)". - ") ENGINE=MyISAM", $dblink), "Already exists? Hmm!", 1); + ") ENGINE=MyISAM", NULL, $dblink), "Already exists? 
Hmm!", 1); test("Altering a pages table index...", - @mysql_query("alter table ".$config['table_prefix']."pages DROP INDEX tag", $dblink), "Already done? Hmm!", 0); + db_query("alter table ".$config['table_prefix']."pages DROP INDEX tag", NULL, $dblink), "Already done? Hmm!", 0); test("Altering a pages table index...", - @mysql_query("alter table ".$config['table_prefix']."pages ADD FULLTEXT body (body)", $dblink), "Already done? Hmm!", 0); + db_query("alter table ".$config['table_prefix']."pages ADD FULLTEXT body (body)", NULL, $dblink), "Already done? Hmm!", 0); test("Altering a users table index...", - @mysql_query("alter table ".$config['table_prefix']."users DROP INDEX idx_name", $dblink), "Already done? Hmm!", 0); + db_query("alter table ".$config['table_prefix']."users DROP INDEX idx_name", NULL, $dblink), "Already done? Hmm!", 0); case "1.1.3.1": case "1.1.3.2": print("1.1.3.2 to 1.1.3.3 changes:
\n"); @@ -432,56 +435,55 @@ 'DatabaseInfo', 'WikiCategory'), $dblink, $config, $lang_defaults_path, $lang_defaults_fallback_path, $upgrade_note); test("Adding status field to users table...", - mysql_query("alter table ".$config['table_prefix']."users add column status enum ('invited','signed-up','pending','active','suspended','banned','deleted')"), "Already done? OK!", 0); + db_query("alter table ".$config['table_prefix']."users add column status enum ('invited','signed-up','pending','active','suspended','banned','deleted')", NULL, $dblink), "Already done? OK!", 0); test("Adding sessions tracking table...", - mysql_query("create table ".$config['table_prefix']."sessions (sessionid char(32) NOT NULL, userid varchar(75) NOT NULL, PRIMARY KEY (sessionid, userid), session_start datetime NOT NULL)"), "Already done? OK!", 0); + db_query("create table ".$config['table_prefix']."sessions (sessionid char(32) NOT NULL, userid varchar(75) NOT NULL, PRIMARY KEY (sessionid, userid), session_start datetime NOT NULL)", NULL, $dblink), "Already done? OK!", 0); test('Dropping obsolete index `from_tag`...', - mysql_query('alter table '.$config['table_prefix'].'links drop index `idx_from`'), 'Already done? OK!', 0); + db_query('alter table '.$config['table_prefix'].'links drop index `idx_from`', NULL, $dblink), 'Already done? OK!', 0); case "1.1.6.4": case "1.1.6.5": case "1.1.6.6": case "1.1.6.7": print("1.1.6.7 to 1.2 changes:
\n"); test("Adding theme field to user preference table...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."users ADD - theme varchar(50) default ''", $dblink), "Already done? OK!", 0); + db_query("ALTER TABLE ".$config['table_prefix']."users ADD theme varchar(50) default ''", NULL, $dblink), "Already done? OK!", 0); test("Setting default UserSettings ACL...", - @mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'UserSettings', comment_read_acl = '*', comment_post_acl = '+'", $dblink), __('Already done? OK!'), 0); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'UserSettings', comment_read_acl = '*', comment_post_acl = '+'", NULL, $dblink), __('Already done? OK!'), 0); test("Setting default AdminUsers ACL...", - @mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminUsers', read_acl = '!*', write_acl = '!*', comment_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink), __('Already done? OK!'), 0); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminUsers', read_acl = '!*', write_acl = '!*', comment_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink), __('Already done? OK!'), 0); test("Setting default AdminPages ACL...", - @mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminPages', read_acl = '!*', write_acl = '!*', comment_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink), __('Already done? OK!'), 0); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminPages', read_acl = '!*', write_acl = '!*', comment_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink), __('Already done? 
OK!'), 0); test("Setting default DatabaseInfo ACL...", - @mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'DatabaseInfo', read_acl = '!*', write_acl = '!*', comment_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink), __('Already done? OK!'), 0); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'DatabaseInfo', read_acl = '!*', write_acl = '!*', comment_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink), __('Already done? OK!'), 0); update_default_page('FormattingRules', $dblink, $config, $lang_defaults_path, $lang_defaults_fallback_path, $upgrade_note); case "1.2": print("1.2 to 1.3.1 changes:
\n"); // Dropping obsolete "handler" field from pages table, refs #452 test('Removing handler field from the pages table...', - @mysql_query("ALTER TABLE ".$config["table_prefix"]."pages DROP handler", $dblink), __('Already done? OK!'), 0); + db_query("ALTER TABLE ".$config["table_prefix"]."pages DROP handler", NULL, $dblink), __('Already done? OK!'), 0); // Support for threaded comments test("Adding fields to comments table to enable threading...", - mysql_query("alter table ".$config["table_prefix"]."comments add parent int(10) unsigned default NULL", $dblink), "Already done? OK!", 0); + db_query("alter table ".$config["table_prefix"]."comments add parent int(10) unsigned default NULL", NULL, $dblink), "Already done? OK!", 0); test("Adding fields to comments table to enable threading...", - mysql_query("alter table ".$config["table_prefix"]."users add default_comment_display enum('date_asc', 'date_desc', 'threaded') NOT NULL default 'threaded'", $dblink), "Already done? OK!", 0); + db_query("alter table ".$config["table_prefix"]."users add default_comment_display enum('date_asc', 'date_desc', 'threaded') NOT NULL default 'threaded'", NULL, $dblink), "Already done? OK!", 0); test("Adding fields to comments table to enable threading...", - mysql_query("alter table ".$config["table_prefix"]."comments add status enum('deleted') default NULL", $dblink), "Already done? OK!", 0); + db_query("alter table ".$config["table_prefix"]."comments add status enum('deleted') default NULL", NULL, $dblink), "Already done? OK!", 0); // Create new fields for comment_read_acl and comment_post_acl, // and copy existing comment_acl values to these new fields test('Creating new comment_read_acl field...', - @mysql_query("alter table ".$config['table_prefix']."acls add comment_read_acl text not null", $dblink), __('Already done? OK!'), 0); + db_query("alter table ".$config['table_prefix']."acls add comment_read_acl text not null", NULL, $dblink), __('Already done? 
OK!'), 0); test('Creating new comment_post_acl field...', - @mysql_query("alter table ".$config['table_prefix']."acls add comment_post_acl text not null", $dblink), __('Already done? OK!'), 0); + db_query("alter table ".$config['table_prefix']."acls add comment_post_acl text not null", NULL, $dblink), __('Already done? OK!'), 0); test('Copying existing comment_acls to new fields...', - @mysql_query("update ".$config['table_prefix']."acls as a inner join(select page_tag, comment_acl from ".$config['table_prefix']."acls) as b on a.page_tag = b.page_tag set a.comment_read_acl=b.comment_acl, a.comment_post_acl=b.comment_acl", $dblink), __('Already done? OK!'), 0); + db_query("update ".$config['table_prefix']."acls as a inner join(select page_tag, comment_acl from ".$config['table_prefix']."acls) as b on a.page_tag = b.page_tag set a.comment_read_acl=b.comment_acl, a.comment_post_acl=b.comment_acl", NULL, $dblink), __('Already done? OK!'), 0); test('Drop old comment acl...', - @mysql_query("alter table ".$config['table_prefix']."acls drop comment_acl", $dblink), __('Already done? OK!'), 0); + db_query("alter table ".$config['table_prefix']."acls drop comment_acl", NULL, $dblink), __('Already done? OK!'), 0); test(__('Creating index on owner column').'...', - @mysql_query('alter table '.$config['table_prefix'].'pages add index `idx_owner` (`owner`)', $dblink), __('Already done? OK!'), 0); + db_query('alter table '.$config['table_prefix'].'pages add index `idx_owner` (`owner`)', NULL, $dblink), __('Already done? OK!'), 0); test(__('Altering referrers table structure').'...', - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrers MODIFY referrer varchar(255) NOT NULL default ''", $dblink), __('Already done? OK!'), 0); + db_query("ALTER TABLE ".$config['table_prefix']."referrers MODIFY referrer varchar(255) NOT NULL default ''", NULL, $dblink), __('Already done? 
OK!'), 0); test(__('Altering referrer blacklist table structure').'...', - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrer_blacklist MODIFY spammer varchar(255) NOT NULL default ''", $dblink), __('Already done? OK!'), 0); + db_query("ALTER TABLE ".$config['table_prefix']."referrer_blacklist MODIFY spammer varchar(255) NOT NULL default ''", NULL, $dblink), __('Already done? OK!'), 0); update_default_page(array( 'FormattingRules', 'SysInfo', 
@@ -516,93 +518,93 @@ 'AdminSpamLog', 'WikkaMenulets'), $dblink, $config, $lang_defaults_path, $lang_defaults_fallback_path); test("Setting default ACL...", 1); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'WikkaMenulets', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminBadWords', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); - mysql_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminSpamLog', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'WikkaMenulets', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminBadWords', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); + db_query("insert into ".$config['table_prefix']."acls set page_tag = 'AdminSpamLog', read_acl = '!*', write_acl = '!*', comment_read_acl = '!*', comment_post_acl = '!*'", NULL, $dblink); // Converting DB UTF-8 (but data remains // unchanged -- this is handled by a standalone script) test("Setting up database for UTF-8...", true); - @mysql_query("ALTER DATABASE ".$config['mysql_database']." DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); + db_query("ALTER DATABASE ".$config['dbms_database']." 
DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); // Converting pages table and fields to UTF-8 test("Setting up pages table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `tag` `tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `body` `body` MEDIUMTEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `owner` `owner` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `user` `user` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `latest` `latest` ENUM( 'Y','N' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'N'", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `note` `note` varchar(100) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); // refs #1021 + db_query("ALTER TABLE ".$config['table_prefix']."pages DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `tag` `tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `body` `body` MEDIUMTEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `owner` `owner` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE 
".$config['table_prefix']."pages CHANGE `user` `user` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `latest` `latest` ENUM( 'Y','N' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'N'", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE `note` `note` varchar(100) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); // refs #1021 // Converting acls table and fields to UTF-8 test("Setting up acls table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."acls DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `page_tag` `page_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `read_acl` `read_acl` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `write_acl` `write_acl` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `comment_read_acl` `comment_read_acl` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `comment_post_acl` `comment_post_acl` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."acls DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `page_tag` `page_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `read_acl` `read_acl` TEXT CHARACTER SET 
utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `write_acl` `write_acl` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `comment_read_acl` `comment_read_acl` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."acls CHANGE `comment_post_acl` `comment_post_acl` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); test("Setting up links table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."links DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."links CHANGE `from_tag` `from_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."links CHANGE `to_tag` `to_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."links DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."links CHANGE `from_tag` `from_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."links CHANGE `to_tag` `to_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); // Converting referrers table and fields to UTF-8 test("Setting up referrers table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrers DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrers CHANGE `page_tag` `page_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL 
default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrers CHANGE `referrer` `referrer` VARCHAR(250) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."referrers DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."referrers CHANGE `page_tag` `page_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."referrers CHANGE `referrer` `referrer` VARCHAR(250) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); // Converting referrer_blacklist table and fields to UTF-8 test("Setting up referrer_blacklist table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrer_blacklist DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrer_blacklist CHANGE `spammer` `spammer` VARCHAR(250) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."referrer_blacklist DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."referrer_blacklist CHANGE `spammer` `spammer` VARCHAR(250) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); // Converting users table and fields to UTF-8 test("Setting up users table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `name` `name` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `password` `password` VARCHAR( 32 
) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `email` `email` VARCHAR( 50 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `doubleclickedit` `doubleclickedit` ENUM( 'Y','N' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'Y'", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `show_comments` `show_comments` ENUM( 'Y','N' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'N'", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `default_comment_display` `default_comment_display` ENUM( 'date_asc','date_desc','threaded' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'threaded'", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `status` `status` ENUM( 'invited','signed-up','pending','active','suspended','banned','deleted') CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `theme` `theme` VARCHAR( 50 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci default ''", $dblink); // refs #1022 + db_query("ALTER TABLE ".$config['table_prefix']."users DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `name` `name` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `password` `password` VARCHAR( 32 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `email` `email` VARCHAR( 50 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE 
`doubleclickedit` `doubleclickedit` ENUM( 'Y','N' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'Y'", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `show_comments` `show_comments` ENUM( 'Y','N' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'N'", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `default_comment_display` `default_comment_display` ENUM( 'date_asc','date_desc','threaded' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default 'threaded'", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `status` `status` ENUM( 'invited','signed-up','pending','active','suspended','banned','deleted') CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE `theme` `theme` VARCHAR( 50 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci default ''", NULL, $dblink); // refs #1022 // Converting comments table and fields to UTF-8 test("Setting up comments table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `page_tag` `page_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `comment` `comment` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `user` `user` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `status` `status` ENUM( 'deleted' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci default NULL", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `deleted` `deleted` 
CHAR( 1 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci default NULL", $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."comments DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `page_tag` `page_tag` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `comment` `comment` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `user` `user` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL default ''", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `status` `status` ENUM( 'deleted' ) CHARACTER SET utf8 COLLATE utf8_unicode_ci default NULL", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE `deleted` `deleted` CHAR( 1 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci default NULL", NULL, $dblink); // Converting sessions table and fields to UTF-8 test("Setting up sessions table and fields for UTF-8...", true); - @mysql_query("ALTER TABLE ".$config['table_prefix']."sessions DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", $dblink); - @mysql_query("ALTER TABLE ".$config['table_prefix']."sessions CHANGE `sessionid` `sessionid` CHAR( 32 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); // refs #1022 - @mysql_query("ALTER TABLE ".$config['table_prefix']."sessions CHANGE `userid` `userid` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."sessions DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci", NULL, $dblink); + db_query("ALTER TABLE ".$config['table_prefix']."sessions CHANGE `sessionid` `sessionid` CHAR( 32 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); // refs #1022 + 
db_query("ALTER TABLE ".$config['table_prefix']."sessions CHANGE `userid` `userid` VARCHAR( 75 ) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL", NULL, $dblink); // Adding challenge, refs #1023 test("Adding/updating challenge field to users table to improve security...", - @mysql_query("alter table ".$config["table_prefix"]."users ADD challenge varchar(8) CHARACTER SET utf8 COLLATE utf8_unicode_ci DEFAULT ''", $dblink), __("Already done? OK!"), 0); - @mysql_query("alter table ".$config["table_prefix"]."users CHANGE `challenge` `challenge` varchar(8) CHARACTER SET utf8 COLLATE utf8_unicode_ci DEFAULT ''", $dblink); - @mysql_query("UPDATE ".$config['table_prefix']."users SET challenge='' WHERE challenge='00000000'", $dblink); + db_query("alter table ".$config["table_prefix"]."users ADD challenge varchar(8) CHARACTER SET utf8 COLLATE utf8_unicode_ci DEFAULT ''", NULL, $dblink), __("Already done? OK!"), 0); + db_query("alter table ".$config["table_prefix"]."users CHANGE `challenge` `challenge` varchar(8) CHARACTER SET utf8 COLLATE utf8_unicode_ci DEFAULT ''", NULL, $dblink); + db_query("UPDATE ".$config['table_prefix']."users SET challenge='' WHERE challenge='00000000'", NULL, $dblink); case "1.3.2": print("1.3.2 to 1.3.3 changes:
\n"); test("Adding/updating title field to users page ...", - @mysql_query("alter table `".$config["table_prefix"]."pages` ADD `title` varchar(75) CHARACTER SET utf8 COLLATE utf8_unicode_ci DEFAULT '' AFTER `tag`", $dblink), __("Already done? OK!"), 0); // refs #529 + db_query("alter table `".$config["table_prefix"]."pages` ADD `title` varchar(75) CHARACTER SET utf8 COLLATE utf8_unicode_ci DEFAULT '' AFTER `tag`", NULL, $dblink), __("Already done? OK!"), 0); // refs #529 case "1.3.6": print("1.3.5 to 1.3.6 changes:
\n"); test("Changing \"default\" theme references to \"classic\" theme ...", - @mysql_query("UPDATE `".$config["table_prefix"]."users` SET theme='classic' WHERE theme='default'", $dblink), __("Already done? OK!"), 0); + db_query("UPDATE `".$config["table_prefix"]."users` SET theme='classic' WHERE theme='default'", NULL, $dblink), __("Already done? OK!"), 0); case "1.3.7": print("1.3.7 to 1.3.8 changes:
\n"); // delete file removed from previous version @unlink('lang/en/defaults/TableMarkupReference.php'); // Change datetime default to '1900-01-01' for MySQL > 5.7 compatibility test("Altering pages table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE time time datetime NOT NULL default '1900-01-01 00:00:00'", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."pages CHANGE time time datetime NOT NULL default '1900-01-01 00:00:00'", NULL, $dblink), "Failed. ?", 1); test("Altering referrers table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."referrers CHANGE time time datetime NOT NULL default '1900-01-01 00:00:00'", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."referrers CHANGE time time datetime NOT NULL default '1900-01-01 00:00:00'", NULL, $dblink), "Failed. ?", 1); test("Altering users table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."users CHANGE signuptime signuptime datetime NOT NULL default '1900-01-01 00:00:00'", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."users CHANGE signuptime signuptime datetime NOT NULL default '1900-01-01 00:00:00'", NULL, $dblink), "Failed. ?", 1); test("Altering comments table structure...", - @mysql_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE time time datetime NOT NULL default '1900-01-01 00:00:00'", $dblink), "Failed. ?", 1); + db_query("ALTER TABLE ".$config['table_prefix']."comments CHANGE time time datetime NOT NULL default '1900-01-01 00:00:00'", NULL, $dblink), "Failed. ?", 1); case "1.3.8": case "master": } diff --git a/setup/links.php b/setup/links.php index 150f3457..2becf82c 100644 --- a/setup/links.php +++ b/setup/links.php 
@@ -38,15 +38,17 @@ function LoadSomePages($start='', $limit=100) global $config, $dblink; //Less RAM: select tag and body only // Note that LoadSomePages needs result to be sorted by tag. - $result = mysql_query("SELECT tag, body FROM {$config['table_prefix']}pages - WHERE tag > '".mysql_real_escape_string($start)."' AND latest = 'Y' + $result = db_query("SELECT tag, body FROM {$config['table_prefix']}pages + WHERE tag > :start AND latest = 'Y' ORDER BY tag ASC - LIMIT $limit", $dblink); + LIMIT :limit", array(':start' => $start, ':limit' => (int)$limit), $dblink); $pages = array(); if ($result) { - while ($row = mysql_fetch_assoc($result)) $pages[] = $row; - mysql_free_result($result); + $rows = $result->fetchAll(); + foreach($rows as $row) { + $pages[] = $row; + } } return ($pages); } @@ -56,7 +58,7 @@ function LoadSomePages($start='', $limit=100) $GLOBALS['written'] = ''; // Delete from wikka_links once for all // @@@ coding standards: don't use {...} or embedded variables but use concatenation -mysql_query("TRUNCATE TABLE {$config['table_prefix']}links", $dblink); +db_query("TRUNCATE TABLE {$config['table_prefix']}links", NULL, $dblink); while ($pages = LoadSomePages($start)) { foreach ($pages as $page) @@ -101,7 +103,7 @@ function relinkcallback($thing) if ($sql) // @@@ bad name: it's only a "values" fragment; better: $values { // @@@ coding standards: don't use {...} or embedded variables but use concatenation - mysql_query("INSERT INTO {$config['table_prefix']}links VALUES $sql", $dblink); + db_query("INSERT INTO {$config['table_prefix']}links VALUES $sql", NULL, $dblink); } $sql = ''; return; @@ -121,7 +123,7 @@ function relinkcallback($thing) if (($url) && (!isset($written[strtolower($url)])) && (strtolower($url) != strtolower($tag))) { if ($sql) $sql .= ', '; - $sql .= "('".mysql_real_escape_string($tag)."', '".mysql_real_escape_string($url)."')"; + $sql .= "('".$dblink->quote(tag)."', '".$dblink->quote($url)."')"; $written[strtolower($url)] = $url; } } 
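Review bot: The `(int)$limit` cast is lost at bind time if db_query hands the array straight to PDOStatement::execute(), which binds every value as PDO::PARAM_STR; with MySQL's default emulated prepares that yields `LIMIT '100'`, a syntax error, so LoadSomePages returns no pages and the relink loop below silently does nothing. Unless db_query (not visible here) binds integers with PDO::PARAM_INT or disables PDO::ATTR_EMULATE_PREPARES, interpolate the already-cast integer instead: `LIMIT ".(int)$limit, array(':start' => $start), $dblink);`. Keeping `:start` as a bound parameter is right, since that value originates from stored page tags.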
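Review bot: `$dblink->quote(tag)` on the last added line is missing the `$`: `tag` is an undefined constant, which PHP 7 resolves to the string 'tag' with only a notice (PHP 8 throws), so every link row would be written with from_tag = 'tag'. Separately, PDO::quote() already returns the value wrapped in quotes, so surrounding it with `'...'` produces `''value''`, which MySQL does not parse as the intended literal. The line should read `$sql .= "(".$dblink->quote($tag).", ".$dblink->quote($url).")";`. relinkcallback's body continues outside the hunk, so also confirm `$dblink` is declared `global` there as it is in LoadSomePages, otherwise quote() is called on null.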
diff --git a/wikka.php b/wikka.php index 72337d9a..50a1dfeb 100644 --- a/wikka.php +++ b/wikka.php @@ -38,7 +38,7 @@ error_reporting(E_ALL); else error_reporting(E_ALL & !E_DEPRECATED); -error_reporting(E_ALL); +error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED); // ---------------------- END DEBUGGING AND ERROR REPORTING ------------------- // ---------------------------- VERSIONING ------------------------------------ @@ -157,7 +157,7 @@ function GetSafeVar($varname, $gpc='get') // ------------ CRITICAL ERROR MESSAGES USED BEFORE LANG FILE LOADED ----------- // Do not move these declaration to lang files. if(!defined('ERROR_WRONG_PHP_VERSION')) define('ERROR_WRONG_PHP_VERSION', 'Wikka requires PHP %s or higher!'); // %s - version number -if(!defined('ERROR_MYSQL_SUPPORT_MISSING')) define('ERROR_MYSQL_SUPPORT_MISSING', 'PHP can\'t find MySQL support but Wikka requires MySQL. Please check the output of phpinfo() in a php document for MySQL support: it needs to be compiled into PHP, the module itself needs to be present in the expected location, and php.ini needs to have it enabled.
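Review bot: The new unconditional `error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED);` overrides the debug-dependent call in the `if`/`else` immediately above it, turning that conditional into dead code, and it suppresses E_NOTICE even when debugging is enabled — notices are exactly what would surface the undefined-constant `tag` introduced in setup/links.php by this same commit. Either drop this line so the conditional decides, or fold the mask into the else branch: `else error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED);`. The existing else uses `!E_DEPRECATED`, which is `E_ALL & false`, i.e. 0; that is pre-existing but worth correcting to `~E_DEPRECATED` while touching this block.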
Also note that you cannot have mysqli and mysql support both enabled at the same time.
Please double-check all of these things, restart your webserver after any fixes, and then try again!'); +if(!defined('ERROR_PDO_SUPPORT_MISSING')) define('ERROR_PDO_SUPPORT_MISSING', 'PHP can\'t find PDO (DBMS) support but Wikka requires it. Please check the output of phpinfo() in a php document for PDO support: it needs to be compiled into PHP, the module itself needs to be present in the expected location, and php.ini needs to have it enabled.
Please double-check all of these things, restart your webserver after any fixes, and then try again!'); if(!defined('ERROR_WAKKA_LIBRARY_MISSING')) define('ERROR_WAKKA_LIBRARY_MISSING','The necessary file "libs/Wakka.class.php" could not be found. To run Wikka, please make sure the file exists and is placed in the right directory!'); // --------END: CRITICAL ERROR MESSAGES USED BEFORE LANG FILE LOADED ----------- @@ -171,11 +171,10 @@ function GetSafeVar($varname, $gpc='get') $php_version_error = sprintf(ERROR_WRONG_PHP_VERSION,MINIMUM_PHP_VERSION); die($php_version_error); # fatalerror !!! default error in English } -// MySQL needs to be installed and available +// PDO needs to be installed and available // @@@ message could be refined by detecting detect OS (mention module name) and maybe server name -if (!function_exists('mysql_connect')) -{ - die(ERROR_MYSQL_SUPPORT_MISSING); +if(!extension_loaded('PDO')) { + die(ERROR_PDO_SUPPORT_MISSING); } /** @@ -305,9 +304,10 @@ function GetSafeVar($varname, $gpc='get') $wakkaDefaultConfig = array( - 'mysql_host' => 'localhost', - 'mysql_database' => 'wikka', - 'mysql_user' => 'wikka', + 'dbms_host' => 'localhost', + 'dbms_database' => 'wikka', + 'dbms_user' => 'wikka', + 'dbms_type' => 'mysql', 'table_prefix' => 'wikka_', 'root_page' => 'HomePage', 
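Review bot: `extension_loaded('PDO')` only proves the PDO core is present, not the MySQL driver that the new default `'dbms_type' => 'mysql'` in the config hunk below relies on, so a host with PDO but without pdo_mysql passes this check and fails later at connect time with a less helpful error. Tighten it to `if(!extension_loaded('PDO') || !in_array('mysql', PDO::getAvailableDrivers(), true)) {`, or re-check against the configured `dbms_type` once the config array is loaded. ERROR_PDO_SUPPORT_MISSING could then name the driver (pdo_mysql) rather than just "PDO (DBMS) support".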
@@ -690,16 +690,21 @@ function GetSafeVar($varname, $gpc='get') // Only store sessions for real users! if(NULL != $user) { - $res = $wakka->LoadSingle("SELECT * FROM ".$wakka->config['table_prefix']."sessions WHERE sessionid='".session_id()."' AND userid='".$user['name']."'"); + $sessionid = session_id(); + $username = $user['name']; + $res = $wakka->LoadSingle("SELECT * FROM ".$wakka->config['table_prefix']."sessions WHERE sessionid=:sessionid AND userid=:userid", + array(':sessionid' => $sessionid, ':userid' => $username)); if(isset($res)) { // Just update the session_start time - $wakka->Query("UPDATE ".$wakka->config['table_prefix']."sessions SET session_start=FROM_UNIXTIME(".$wakka->GetMicroTime().") WHERE sessionid='".session_id()."' AND userid='".$user['name']."'"); + $wakka->Query("UPDATE ".$wakka->config['table_prefix']."sessions SET session_start=FROM_UNIXTIME(".$wakka->GetMicroTime().") WHERE sessionid=:sessionid AND userid=:userid", + array(':sessionid' => $sessionid, ':userid' => $username)); } else { // Create new session record - $wakka->Query("INSERT INTO ".$wakka->config['table_prefix']."sessions (sessionid, userid, session_start) VALUES('".session_id()."', '".$user['name']."', FROM_UNIXTIME(".$wakka->GetMicroTime()."))"); + $wakka->Query("INSERT INTO ".$wakka->config['table_prefix']."sessions (sessionid, userid, session_start) VALUES(:sessionid, :userid, FROM_UNIXTIME(".$wakka->GetMicroTime()."))", + array(':sessionid' => $sessionid, ':username' => $username)); } }
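Review bot: The INSERT at the end of the hunk binds `':username' => $username` while the statement's placeholder is `:userid`, so the parameter set never matches the SQL and the new-session branch fails (PDO reports an invalid parameter number) — no session row is ever created for a freshly logged-in user, and the SELECT above will keep finding nothing on every request. Change the array to `array(':sessionid' => $sessionid, ':userid' => $username)` so it matches the SELECT and UPDATE above. The `FROM_UNIXTIME(".$wakka->GetMicroTime().")` fragments remain string-built; that value is server-generated rather than user input, but binding it too would keep all three statements uniformly parameterised.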
'.sprintf(T_("Wikka Configuration Settings [%s]"), '?').'

1. Database Configuration

The host your MySQL server is running on. Usually "localhost" (ie, the same machine your Wikka site is on).
The host your DB server is running on. Usually "localhost" (ie, the same machine your Wikka site is on).
MySQL host:" />
The MySQL database Wikka should use. This database needs to exist already before you continue!
DB host:" />
The database Wikka should use. This database needs to exist already before you continue!
MySQL database:" />
Name and password of the MySQL user used to connect to your database.
Database:" />
Name and password of the DB user used to connect to your database.
MySQL user name:" />
MySQL password:" />
Prefix of all tables used by Wikka. This allows you to run multiple Wikka installations using the same MySQL database by configuring them to use different table prefixes.
DB user name:" />
DB password:" />
Prefix of all tables used by Wikka. This allows you to run multiple Wikka installations using the same database by configuring them to use different table prefixes.
Table prefix:" />