diff --git a/index.php b/index.php index 363d5e41..d9342ec9 100644 --- a/index.php +++ b/index.php @@ -93,7 +93,10 @@ if (isset($_COOKIE[COOKIE_PERSISTENT]) && $database && !$_SESSION['user']->isLog ->query( 'SELECT * FROM `sessions` - WHERE `session` = "' . $_COOKIE[COOKIE_PERSISTENT] . '";' + WHERE `session` = :session;', + array( + 'session' => $_COOKIE[COOKIE_PERSISTENT] + ) ) ->fetchAll(); diff --git a/src/api/statistics.php b/src/api/statistics.php index 940e5571..57874c6f 100644 --- a/src/api/statistics.php +++ b/src/api/statistics.php @@ -32,6 +32,7 @@ switch ($_SERVER['REQUEST_METHOD']) { $count = new Cache\Query( 'SELECT COUNT(`id`) AS "count" FROM `' . $table . '`;', + array(), Duration::DAY ); diff --git a/src/api/wishes.php b/src/api/wishes.php index 5b7ce905..a7801ab3 100644 --- a/src/api/wishes.php +++ b/src/api/wishes.php @@ -45,16 +45,18 @@ switch ($_SERVER['REQUEST_METHOD']) { /** * Get wishes by priority */ - $wishlist = new Wishlist($_GET['wishlist_id']); - $options = array( + $wishlist = new Wishlist($_GET['wishlist_id']); + $options = array( 'style' => $_GET['wishlist_style'], ); - $where = array( - 'priority' => '`priority` = ' . $_GET['wish_priority'], + $where = array( + 'priority' => '`priority` = :wish_priority', ); + $options['placeholders']['wish_priority'] = $_GET['wish_priority']; if (-1 === intval($_GET['wish_priority'])) { unset($where['priority']); + unset($options['placeholders']['wish_priority']); } if (empty($_GET['wish_priority'])) { @@ -129,7 +131,7 @@ switch ($_SERVER['REQUEST_METHOD']) { } $response = array( - 'info' => $info, + 'info' => $info, ); } 
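Review bot: In the statistics.php hunk `$table` is still concatenated into the SQL as an identifier, and the new `array()` placeholder argument cannot cover it, because PDO placeholders bind values only, never table or column names. Where `$table` is assigned lies outside the hunk; if it can be influenced by the request it needs to be checked against a fixed allowlist of known table names before this line, e.g. `if (!in_array($table, $allowedTables, true)) { /* reject */ }` with `$allowedTables` a literal list. A one-line comment at the call site saying why the identifier is not bound would also help the next reader, since every other query in this diff now uses placeholders.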
@@ -142,14 +144,24 @@ switch ($_SERVER['REQUEST_METHOD']) { $database ->query( 'UPDATE `wishes` - SET `wishlist` = ' . $wish->wishlist . ', - `title` = ' . $wish_title . ', - `description` = ' . $wish_description . ', - `image` = ' . $wish_image . ', - `url` = ' . $wish_url . ', - `priority` = ' . $wish_priority . ', - `is_purchasable` = ' . $wish_is_purchasable . ' - WHERE `id` = ' . $wish->id . ';' + SET `wishlist` = :wishlist_id, + `title` = :wish_title, + `description` = :wish_description, + `image` = :wish_image, + `url` = :wish_url, + `priority` = :wish_priority, + `is_purchasable` = :wish_is_purchasable, + WHERE `id` = :wish_id', + array( + 'wishlist_id' => $wish->wishlist, + 'wish_title' => $wish_title, + 'wish_description' => $wish_description, + 'wish_image' => $wish_image, + 'wish_url' => $wish_url, + 'wish_priority' => $wish_priority, + 'wish_is_purchasable' => $wish_is_purchasable, + 'wish_id' => $wish->id, + ) ); /** @@ -166,9 +178,13 @@ switch ($_SERVER['REQUEST_METHOD']) { `wish`, `price` ) VALUES ( - ' . $wish->id . ', - ' . $wish_price . ' - );' + :wish_id, + :wish_price + );', + array( + 'wish_id' => $wish_id, + 'wish_price' => $wish_price, + ) ); $response['lastInsertId'] = $wish->id; @@ -201,7 +217,7 @@ switch ($_SERVER['REQUEST_METHOD']) { } $response = array( - 'info' => $info, + 'info' => $info, ); } 
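Review bot: The UPDATE in the @@ -142 hunk ends its SET list with a trailing comma after `:wish_is_purchasable`, directly before `WHERE`, which is a SQL syntax error, so every wish update will fail at execute(). Drop that comma so the last assignment reads `= :wish_is_purchasable` followed by the `WHERE` line. The same stray comma before `WHERE` or `AND` is present on the new side of the wishes.php status and url updates, the wishlists.php name update, database.php's INFORMATION_SCHEMA lookup, options.php's UPDATE, both queries in login.php and the password-reset SELECT in register.php; each of those statements is broken the same way.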
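Review bot: In the @@ -166 hunk the products INSERT binds `'wish_id' => $wish_id`, but this branch works with `$wish->id` — that is what the removed line interpolated and what the context line `$response['lastInsertId'] = $wish->id;` still uses — so `$wish_id` is presumably undefined here and the price row would be written with an empty wish reference. Change it to `'wish_id' => $wish->id,`. The enclosing case block starts and ends outside the hunk, so if `$wish_id` is assigned earlier in it this is moot, but nothing visible suggests that.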
@@ -223,14 +239,23 @@ switch ($_SERVER['REQUEST_METHOD']) { `priority`, `is_purchasable` ) VALUES ( - ' . $wishlist_id . ', - ' . $wish_title . ', - ' . $wish_description . ', - ' . $wish_image . ', - ' . $wish_url . ', - ' . $wish_priority . ', - ' . $wish_is_purchasable . ' - );' + :wishlist_id, + :wish_title, + :wish_description, + :wish_image, + :wish_url, + :wish_priority, + :wish_is_purchasable + );', + array( + 'wishlist_id' => $wishlist_id, + 'wish_title' => $wish_title, + 'wish_description' => $wish_description, + 'wish_image' => $wish_image, + 'wish_url' => $wish_url, + 'wish_priority' => $wish_priority, + 'wish_is_purchasable' => $wish_is_purchasable, + ) ); /** @@ -247,9 +272,13 @@ switch ($_SERVER['REQUEST_METHOD']) { `wish`, `price` ) VALUES ( - ' . $wish_id . ', - ' . $wish_price . ' - );' + :wish_id, + :wish_price + );', + array( + 'wish_id' => $wish_id, + 'wish_price' => $wish_price, + ) ); } @@ -265,8 +294,8 @@ switch ($_SERVER['REQUEST_METHOD']) { /** * Update Wish Status */ - $status = Sanitiser::getStatus($_PUT['wish_status']); - $wish_id = Sanitiser::getNumber($_PUT['wish_id']); + $wish_status = Sanitiser::getStatus($_PUT['wish_status']); + $wish_id = Sanitiser::getNumber($_PUT['wish_id']); if (Wish::STATUS_TEMPORARY === $status) { $status = time(); @@ -274,8 +303,12 @@ switch ($_SERVER['REQUEST_METHOD']) { $database->query( 'UPDATE `wishes` - SET `status` = "' . $status . '" - WHERE `id` = ' . $wish_id . ';' + SET `status` = :wish_status, + WHERE `id` = :wish_id', + array( + 'wish_status' => $wish_status, + 'wish_id' => $wish_id, + ) ); $response['success'] = true; 
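Review bot: The @@ -265 hunk renames `$status` to `$wish_status`, but the unchanged context lines `if (Wish::STATUS_TEMPORARY === $status) {` and `$status = time();` still read and write `$status`, so the temporary-status check now compares against an undefined variable and the `time()` value never reaches `$wish_status`, which is what the @@ -274 hunk binds. Update those two lines to `if (Wish::STATUS_TEMPORARY === $wish_status) {` and `$wish_status = time();`. The @@ -274 UPDATE also has the stray comma before `WHERE` noted on the earlier hunk.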
@@ -285,8 +318,12 @@ switch ($_SERVER['REQUEST_METHOD']) { */ $database->query( 'UPDATE `wishes` - SET `url` = "' . Sanitiser::getURL($_PUT['wish_url_proposed']) . '" - WHERE `url` = "' . Sanitiser::getURL($_PUT['wish_url_current']) . '";' + SET `url` = :wish_url_proposed, + WHERE `url` = :wish_url_current', + array( + 'wish_url_proposed' => Sanitiser::getURL($_PUT['wish_url_proposed']), + 'wish_url_current' => Sanitiser::getURL($_PUT['wish_url_current']), + ) ); $response['success'] = true; @@ -299,7 +336,10 @@ switch ($_SERVER['REQUEST_METHOD']) { if (isset($_DELETE['wish_id'])) { $database->query( 'DELETE FROM `wishes` - WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wish_id']) . ';' + WHERE `id` = :wish_id', + array( + 'wish_id' => Sanitiser::getNumber($_DELETE['wish_id']), + ) ); $response['success'] = true; diff --git a/src/api/wishlists-saved.php b/src/api/wishlists-saved.php index f51896f0..9fa5af36 100644 --- a/src/api/wishlists-saved.php +++ b/src/api/wishlists-saved.php @@ -29,7 +29,10 @@ switch ($_SERVER['REQUEST_METHOD']) { ->query( 'SELECT * FROM `wishlists_saved` - WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . ';' + WHERE `wishlist` = :wishlist_id', + array( + 'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']) + ) ) ->fetch(); @@ -38,7 +41,10 @@ switch ($_SERVER['REQUEST_METHOD']) { $database ->query( 'DELETE FROM `wishlists_saved` - WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . ';' + WHERE `wishlist` = :wishlist_id', + array( + 'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']) + ) ); $response['action'] = 'deleted'; @@ -50,9 +56,13 @@ switch ($_SERVER['REQUEST_METHOD']) { `user`, `wishlist` ) VALUES ( - ' . $_SESSION['user']->id . ', - ' . Sanitiser::getNumber($_POST['wishlist']) . ' - );' + :user_id, + :wishlist_id + );', + array( + 'user_id' => $_SESSION['user']->id, + 'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']), + ) ); $response['action'] = 'created'; 
diff --git a/src/api/wishlists.php b/src/api/wishlists.php index 4b8e561c..7880608f 100644 --- a/src/api/wishlists.php +++ b/src/api/wishlists.php @@ -16,8 +16,9 @@ switch ($_SERVER['REQUEST_METHOD']) { /** * Create */ - $user_id = Sanitiser::getNumber($_SESSION['user']->id); - $wish_name = Sanitiser::getTitle($_POST['wishlist-name']); + $user_id = Sanitiser::getNumber($_SESSION['user']->id); + $wishlist_name = Sanitiser::getTitle($_POST['wishlist-name']); + $wishlist_hash = sha1(time() . $user_id . $wishlist_name); $database->query( 'INSERT INTO `wishlists` ( @@ -25,10 +26,15 @@ switch ($_SERVER['REQUEST_METHOD']) { `name`, `hash` ) VALUES ( - ' . $user_id . ', - "' . $wish_name . '", - "' . sha1(time() . $user_id . $wish_name) . '" - );' + :user_id, + :wishlist_name, + :wishlist_hash + );', + array( + 'user_id' => $user_id, + 'wishlist_name' => $wishlist_name, + 'wishlist_hash' => $wishlist_hash, + ) ); $response['data'] = array( @@ -38,15 +44,18 @@ switch ($_SERVER['REQUEST_METHOD']) { /** * Request more wishes */ - $wishlistID = Sanitiser::getNumber($_POST['wishlist-id']); + $wishlist_id = Sanitiser::getNumber($_POST['wishlist-id']); /** Get last notification time */ $wishlistQuery = $database ->query( 'SELECT * FROM `wishlists` - WHERE `id` = ' . $wishlistID . ' - AND (`notification_sent` < (CURRENT_TIMESTAMP - INTERVAL 1 DAY) OR `notification_sent` IS NULL);' + WHERE `id` = :wishlist_id + AND (`notification_sent` < (CURRENT_TIMESTAMP - INTERVAL 1 DAY) OR `notification_sent` IS NULL);', + array( + 'wishlist_id' => $wishlist_id, + ) ); $wishlist = $wishlistQuery->fetch(); @@ -78,7 +87,10 @@ switch ($_SERVER['REQUEST_METHOD']) { ->query( 'UPDATE `wishlists` SET `notification_sent` = CURRENT_TIMESTAMP - WHERE `id` = ' . $wishlist['id'] . ';' + WHERE `id` = :wishlist_id;', + array( + 'wishlist_id' = $wishlist['id'], + ) ); } } 
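Review bot: `$wishlist_hash = sha1(time() . $user_id . $wishlist_name)` in the @@ -16 hunk is derived entirely from guessable inputs (a one-second timestamp, a sequential id and the list name), so if the `hash` column is what a list is looked up by — wishlist.php's constructor in this diff accepts an `$id_or_hash` value — it is not an unguessable identifier. The commit moved the expression rather than introduced it, but now that it is a named value it is the natural place to switch to `$wishlist_hash = bin2hex(random_bytes(20));`, which keeps the 40-character width of a sha1 hex digest. The same expression is repeated in register.php's default-wishlist hunk and should change together with this one.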
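Review bot: `'wishlist_id' = $wishlist['id'],` in the @@ -78 hunk uses `=` instead of `=>`, which is a parse error that takes the whole wishlists.php endpoint down rather than only this branch. Change it to `'wishlist_id' => $wishlist['id'],`.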
@@ -164,8 +176,12 @@ switch ($_SERVER['REQUEST_METHOD']) { $database ->query( 'UPDATE `wishlists` - SET `name` = "' . Sanitiser::getTitle($_PUT['wishlist_title']) . '" - WHERE `id` = ' . Sanitiser::getNumber($_PUT['wishlist_id']) . ';' + SET `name` = :wishlist_name, + WHERE `id` = :wishlist_id' + array( + 'wishlist_name' => Sanitiser::getTitle($_PUT['wishlist_title']), + 'wishlist_id' => Sanitiser::getTitle($_PUT['wishlist_id']), + ) ); $response['success'] = true; @@ -176,7 +192,10 @@ switch ($_SERVER['REQUEST_METHOD']) { $database->query( 'DELETE FROM `wishlists` - WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wishlist_id']) . ';' + WHERE `id` = :wishlist_id;', + array( + 'wishlist_id' => Sanitiser::getNumber($_DELETE['wishlist_id']), + ) ); $response['success'] = true; diff --git a/src/classes/cache/query.php b/src/classes/cache/query.php index 5f50fa18..aa1f622f 100644 --- a/src/classes/cache/query.php +++ b/src/classes/cache/query.php @@ -12,11 +12,12 @@ class Query extends Cache * Private */ private \wishthis\Database $database; + private array $placeholders = array(); /** * Public */ - public function __construct(string $url, int $maxAge = \wishthis\Duration::YEAR) + public function __construct(string $url, array $placeholders = array(), int $maxAge = \wishthis\Duration::YEAR) { global $database; @@ -33,7 +34,8 @@ class Query extends Cache $response = $this->exists() ? json_decode(file_get_contents($filepath), true) : array(); if (true === $this->generateCache()) { - $pdoStatement = $this->database->query($this->url); + $pdoStatement = $this->database + ->query($this->url, $this->placeholders); if (false !== $pdoStatement) { if (1 === $pdoStatement->rowCount()) { diff --git a/src/classes/database.php b/src/classes/database.php index 93208d1f..9b5dd665 100644 --- a/src/classes/database.php +++ b/src/classes/database.php 
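Review bot: The @@ -164 hunk is missing the comma between the query string and the placeholder array — the line ending `= :wishlist_id'` is followed directly by `array(` — which is a parse error. In the same call `'wishlist_id' => Sanitiser::getTitle($_PUT['wishlist_id'])` runs the id through the title sanitiser, whereas the removed line used `Sanitiser::getNumber`; an id should stay numeric, so use `'wishlist_id' => Sanitiser::getNumber($_PUT['wishlist_id']),`. The SET clause in this statement also carries the trailing comma before `WHERE` noted earlier.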
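Review bot: Inserting `array $placeholders = array()` as the second constructor parameter of Cache\Query, ahead of `$maxAge`, changes what a positional second argument means; statistics.php is updated in this diff, but any other caller passing a duration positionally now sends it as the placeholder array and fails the `array` type check. Either grep for other `new Cache\Query(` sites or append the new parameter after `$maxAge` to stay backward-compatible. The hunk also shows the new `$placeholders` property but not where it is assigned, and the cache file path is computed outside the hunk — if it is keyed on `$url` alone, two calls with the same SQL and different placeholder values will share one cache entry, so the key should fold the placeholders in, e.g. hashing `$url . json_encode($placeholders)`.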
@@ -34,12 +34,10 @@ class Database $this->pdo = new \PDO($dsn, $this->user, $this->password, $options); } - public function query(string $query): \PDOStatement + public function query(string $query, array $placeholders = array()): \PDOStatement { - $statement = $this->pdo->query( - $query, - \PDO::FETCH_ASSOC - ); + $statement = $this->pdo->prepare($query, array(\PDO::FETCH_ASSOC)); + $statement->execute($placeholders); $this->lastInsertId = $this->pdo->lastInsertId(); @@ -78,8 +76,12 @@ class Database ->query( 'SELECT * FROM `INFORMATION_SCHEMA`.`COLUMNS` - WHERE TABLE_NAME = "' . $table_to_check . '" - AND COLUMN_NAME = "' . $column_to_check . '"' + WHERE `TABLE_NAME` = :table_name, + AND `COLUMN_NAME` = :column_name', + array( + 'table_name' => $table_to_check, + 'column_name' => $column_to_check, + ) ) ->fetch(); $exists = false !== $result; diff --git a/src/classes/options.php b/src/classes/options.php index 3d056394..ec853cfb 100644 --- a/src/classes/options.php +++ b/src/classes/options.php @@ -27,9 +27,14 @@ class Options try { $option = $this->database->query( - 'SELECT * FROM `options` - WHERE `key` = "' . Sanitiser::getOption($key) . '";' - )->fetch(); + 'SELECT * + FROM `options` + WHERE `key` = :option_key', + array( + 'option_key' => Sanitiser::getOption($key), + ) + ) + ->fetch(); $value = $option['value'] ?? ''; } catch (\Throwable $th) { 
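Review bot: `$this->pdo->prepare($query, array(\PDO::FETCH_ASSOC))` does not set the fetch mode — prepare()'s second argument is an attribute map keyed by `\PDO::ATTR_*` constants, so a bare `array(8)` is just an unrecognised option — whereas the removed `query($query, \PDO::FETCH_ASSOC)` did; unless the `$options` passed to `new \PDO(...)` on the context line set `\PDO::ATTR_DEFAULT_FETCH_MODE`, every caller now receives FETCH_BOTH rows. Add `$statement->setFetchMode(\PDO::FETCH_ASSOC);` after prepare(). The boolean returned by `execute($placeholders)` is also discarded, so a failed statement is indistinguishable from an empty result unless PDO is in `ERRMODE_EXCEPTION`; either check it or confirm the constructor enables exceptions. The @@ -78 INFORMATION_SCHEMA query has the stray comma before `AND` noted on the wishes.php hunk.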
@@ -42,21 +47,37 @@ class Options public function setOption(string $key, string $value): void { $optionExists = 0 !== $this->database - ->query('SELECT * - FROM `options` - WHERE `key` = "' . $key . '";') + ->query( + 'SELECT * + FROM `options` + WHERE `key` = :option_key;', + array( + 'option_key' => $key, + ) + ) ->rowCount(); if ($optionExists) { - $this->database->query('UPDATE `options` - SET `value` = "' . $value . '" - WHERE `key` = "' . $key . '" - ;'); + $this->database->query( + 'UPDATE `options` + SET `value` = :option_value, + WHERE `key` = :option_key;', + array( + 'option_value' => $value, + 'option_key' => $key, + ) + ); } else { - $this->database->query('INSERT INTO `options` - (`key`, `value`) VALUES - ("' . $key . '", "' . $value . '") - ;'); + $this->database->query( + 'INSERT INTO `options` + (`key`, `value`) + VALUES + (:option_key, :option_value);', + array( + 'option_key' => $key, + 'option_value' => $value, + ) + ); } } } diff --git a/src/classes/user.php b/src/classes/user.php index ef812be3..0ee39215 100644 --- a/src/classes/user.php +++ b/src/classes/user.php @@ -23,7 +23,10 @@ class User ->query( 'SELECT * FROM `users` - WHERE `id` = ' . $user_id + WHERE `id` = :user_id', + array( + 'user_id' => $user_id, + ) ); if (false !== $userQuery) { @@ -139,7 +142,10 @@ class User ->query( 'SELECT * FROM `wishlists` - WHERE `user` = ' . $this->id . ';' + WHERE `user` = :user_id;', + array( + 'user_id' => $this->id, + ) ) ->fetchAll(); @@ -163,7 +169,10 @@ class User `w`.`hash` FROM `wishlists_saved` `ws` JOIN `wishlists` `w` ON `w`.`id` = `ws`.`wishlist` - WHERE `ws`.`user` = ' . $this->id . ';' + WHERE `ws`.`user` = :user_id;', + array( + 'user_id' => $this->id, + ) ) ->fetchAll(); @@ -190,7 +199,10 @@ class User $persistent = $database ->query( 'DELETE FROM `sessions` - WHERE `session` = "' . $_COOKIE[COOKIE_PERSISTENT] . '";' + WHERE `session` = :session;', + array( + 'session' => $_COOKIE[COOKIE_PERSISTENT], + ) ); } 
diff --git a/src/classes/wish.php b/src/classes/wish.php index 05c79fec..478fe82f 100644 --- a/src/classes/wish.php +++ b/src/classes/wish.php @@ -16,7 +16,7 @@ class Wish public const SELECT = '`wishes`.*, `products`.`price`'; public const FROM = '`wishes`'; public const LEFT_JOIN = '`products` ON `wishes`.`id` = `products`.`wish`'; - public const WHERE = '`wishes`.`id` = %d;'; + public const WHERE = '`wishes`.`id` = :wish_id;'; public const NO_IMAGE = '/src/assets/img/no-image.svg'; @@ -80,10 +80,13 @@ class Wish $id = $idOrColumns; $columns = $database ->query( - 'SELECT ' . self::SELECT . ' - FROM ' . self::FROM . ' - LEFT JOIN ' . self::LEFT_JOIN . ' - WHERE ' . sprintf(self::WHERE, $id) + ' SELECT ' . self::SELECT . ' + FROM ' . self::FROM . ' + LEFT JOIN ' . self::LEFT_JOIN . ' + WHERE ' . self::WHERE, + array( + 'wish_id' => $id, + ) ) ->fetch(); } elseif (is_array($idOrColumns)) { diff --git a/src/classes/wishlist.php b/src/classes/wishlist.php index d0076ec8..2fe61edf 100644 --- a/src/classes/wishlist.php +++ b/src/classes/wishlist.php @@ -34,7 +34,10 @@ class Wishlist ->query( 'SELECT * FROM `wishlists` - WHERE `' . $column . '` = ' . $id_or_hash . ';' + WHERE `' . $column . '` = :id_or_hash;', + array( + 'id_or_hash' => $id_or_hash, + ) ) ->fetch(); 
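Review bot: In the wishlist.php constructor hunk `$column` is still spliced into the query as an identifier while `$id_or_hash` is bound; placeholders cannot bind column names, so this is only safe if `$column` is chosen internally from a fixed set. Its assignment is outside the hunk; if it is a literal `'id'`/`'hash'` picked by the code above, a comment such as `// $column is one of two literals chosen above, never request-derived` would document why it is not bound, and if it can come from the request it must be allowlisted first.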
@@ -54,15 +57,19 @@ class Wishlist // $this->wishes = $this->getWishes(); } - public function getWishes($sql = array()): array + public function getWishes($options = array()): array { global $database; - $SELECT = isset($sql['SELECT']) ? $sql['SELECT'] : Wish::SELECT; - $FROM = isset($sql['FROM']) ? $sql['FROM'] : Wish::FROM; - $LEFT_JOIN = isset($sql['LEFT_JOIN']) ? $sql['LEFT_JOIN'] : Wish::LEFT_JOIN; - $WHERE = isset($sql['WHERE']) ? $sql['WHERE'] : '`wishlist` = ' . $this->id; - $ORDER_BY = isset($sql['ORDER_BY']) ? $sql['ORDER_BY'] : '`priority` DESC, `url` ASC, `title` ASC'; + if (!isset($options['WHERE'])) { + $options['placeholders']['wishlist_id'] = $this->id; + } + + $SELECT = isset($options['SELECT']) ? $options['SELECT'] : Wish::SELECT; + $FROM = isset($options['FROM']) ? $options['FROM'] : Wish::FROM; + $LEFT_JOIN = isset($options['LEFT_JOIN']) ? $options['LEFT_JOIN'] : Wish::LEFT_JOIN; + $WHERE = isset($options['WHERE']) ? $options['WHERE'] : '`wishlist` = :wishlist_id'; + $ORDER_BY = isset($options['ORDER_BY']) ? $options['ORDER_BY'] : '`priority` DESC, `url` ASC, `title` ASC'; /** Default to showing available wishes */ $wish_status = ' AND ( @@ -92,11 +99,12 @@ class Wishlist $this->wishes = $database ->query( - 'SELECT ' . $SELECT . ' - FROM ' . $FROM . ' - LEFT JOIN ' . $LEFT_JOIN . ' - WHERE ' . $WHERE . ' - ORDER BY ' . $ORDER_BY . ';' + ' SELECT ' . $SELECT . ' + FROM ' . $FROM . ' + LEFT JOIN ' . $LEFT_JOIN . ' + WHERE ' . $WHERE . ' + ORDER BY ' . $ORDER_BY . ';', + $options['placeholders'] ) ->fetchAll(); diff --git a/src/pages/home.php b/src/pages/home.php index 15fc8899..c330fd04 100644 --- a/src/pages/home.php +++ b/src/pages/home.php 
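Review bot: `getWishes()` only populates `$options['placeholders']` when the caller omitted `WHERE`, but the @@ -92 hunk passes `$options['placeholders']` unconditionally, so a caller that supplies its own `WHERE` without a `placeholders` key triggers an undefined-index warning and hands `null` to `query()`'s `array $placeholders` parameter, which is a TypeError. Pass `$options['placeholders'] ?? array()` at the query call, or initialise it at the top of the method with `$options['placeholders'] = $options['placeholders'] ?? array();`. The parameter itself is untyped; `array $options = array()` would reject non-array input at the boundary. A caller-supplied `WHERE` is still concatenated, so its author remains responsible for using placeholders in it, as wishes.php now does.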
@@ -43,9 +43,12 @@ $page->navigation(); FROM `wishes` JOIN `wishlists` ON `wishes`.`wishlist` = `wishlists`.`id` JOIN `users` ON `wishlists`.`user` = `users`.`id` - WHERE `users`.`id` = ' . $_SESSION['user']->id . ' + WHERE `users`.`id` = :user_id ORDER BY `wishes`.`edited` DESC - LIMIT 1;' + LIMIT 1;', + array( + 'user_id' => $_SESSION['user']->id, + ) ); if (false !== $lastWishlistQuery && 1 === $lastWishlistQuery->rowCount()) { diff --git a/src/pages/login-as.php b/src/pages/login-as.php index 10403b0a..dc576101 100644 --- a/src/pages/login-as.php +++ b/src/pages/login-as.php @@ -17,7 +17,10 @@ if (isset($_POST['email'])) { ->query( 'SELECT * FROM `users` - WHERE `email` = "' . $email . '";' + WHERE `email` = :user_email;', + array( + 'user_email' => $email, + ) ); $success = false !== $userQuery; diff --git a/src/pages/login.php b/src/pages/login.php index de9f8bc3..a6618db6 100644 --- a/src/pages/login.php +++ b/src/pages/login.php @@ -21,16 +21,24 @@ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) { ->query( 'UPDATE `users` SET `last_login` = NOW() - WHERE `email` = "' . $email . '" - AND `password` = "' . $password . '";' + WHERE `email` = :user_email, + AND `password` = :user_password;', + array( + 'user_email' => $email, + 'user_password' => $password, + ) ); $fields = $database ->query( 'SELECT * FROM `users` - WHERE `email` = "' . $email . '" - AND `password` = "' . $password . '";' + WHERE `email` = :user_email, + AND `password` = :user_password;', + array( + 'user_email' => $email, + 'user_password' => $password, + ) ) ->fetch(); 
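Review bot: Both queries in the login.php hunk authenticate by matching `password = :user_password` in SQL, which only works if `$password` is a deterministic transform of the submitted password (its derivation is outside the hunk); that rules out per-user salted hashes such as those produced by `password_hash()`. Binding the value fixes the injection but not that design; the usual shape is to select the user by email alone and then call `password_verify($_POST['password'], $row['password'])` in PHP, which also lets `password_needs_rehash()` upgrade stored hashes over time. Both statements additionally carry the stray comma after `:user_email` before `AND` noted on the wishes.php hunk.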
@@ -67,10 +75,15 @@ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) { `session`, `expires` ) VALUES ( - ' . $_SESSION['user']->id . ', - "' . session_id() . '", - "' . date('Y-m-d H:i:s', $sessionExpires) . '" - );' + :user_id, + :session_id, + :session_expires + );', + array( + 'user_id' => $_SESSION['user']->id, + 'session_id' => session_id(), + 'session_expires' => date('Y-m-d H:i:s', $sessionExpires), + ) ); } else { $database->query( @@ -78,9 +91,13 @@ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) { `user`, `session` ) VALUES ( - ' . $_SESSION['user']->id . ', - "' . session_id() . '" - );' + :user_id, + :session_id + );', + array( + 'user_id' => $_SESSION['user']->id, + 'session_id' => session_id(), + ) ); } } @@ -108,7 +125,10 @@ if (isset($_POST['reset'], $_POST['email'])) { ->query( 'SELECT * FROM `users` - WHERE `email` = "' . Sanitiser::getEmail($_POST['email']) . '";' + WHERE `email` = :user_email;', + array( + 'user_email' => Sanitiser::getEmail($_POST['email']), + ) ); $user = false !== $userQuery ? new User($userQuery->fetch()) : new User(); @@ -120,9 +140,13 @@ if (isset($_POST['reset'], $_POST['email'])) { $database ->query( 'UPDATE `users` - SET `password_reset_token` = "' . $token . '", - `password_reset_valid_until` = "' . date('Y-m-d H:i:s', $validUntil) . '" - WHERE `id` = ' . $user->id . ';' + SET `password_reset_token` = :user_password_reset_token, + `password_reset_valid_until` = :user_reset_valid_until + WHERE `id` = ' . $user->id . ';', + array( + 'user_password_reset_token' => $token, + 'user_reset_valid_until' => date('Y-m-d H:i:s', $validUntil), + ) ); $emailReset = new Email($_POST['email'], __('Password reset link', null, $user), 'default', 'password-reset'); diff --git a/src/pages/profile.php b/src/pages/profile.php index 1ace41ad..47031daf 100644 --- a/src/pages/profile.php +++ b/src/pages/profile.php 
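Review bot: The password-reset UPDATE in the @@ -120 hunk binds the token and expiry but still concatenates the id via `WHERE \`id\` = ' . $user->id . ';'`; `$user->id` comes from a database row so it is not attacker-controlled, but leaving one interpolated value inside an otherwise parameterised statement is inconsistent and easy to copy. Replace it with `WHERE \`id\` = :user_id;',` and add `'user_id' => $user->id,` to the placeholder array.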
@@ -32,7 +32,7 @@ if (isset($_POST['user-id'], $_POST['section'])) { 'column' => 'email', 'key' => 'user-email', 'label' => __('Email'), - ) + ), ); $loginRequired = false; @@ -150,7 +150,10 @@ if (isset($_POST['user-id'], $_POST['section'])) { ->query( 'UPDATE `users` SET ' . implode(',', $set) . ' - WHERE `id` = ' . Sanitiser::getNumber($_POST['user-id']) + WHERE `id` = :user_id', + array( + 'user_id' => Sanitiser::getNumber($_POST['user-id']), + ) ); } diff --git a/src/pages/register.php b/src/pages/register.php index 6729f8e6..f0443cd3 100644 --- a/src/pages/register.php +++ b/src/pages/register.php @@ -16,7 +16,12 @@ $buttonSubmit = $passwordReset ? __('Reset') : __('Register'); $page = new Page(__FILE__, $pageTitle); if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { - $users = $database->query('SELECT * FROM `users`;')->fetchAll(); + $users = $database + ->query( + 'SELECT * + FROM `users`;' + ) + ->fetchAll(); $emails = array_map( function ($user) { return $user['email']; @@ -67,8 +72,12 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { $userQuery = $database ->query( 'SELECT * FROM `users` - WHERE `email` = "' . $user_email . '" - AND `password_reset_token` = "' . $user_token . '";' + WHERE `email` = :user_email, + AND `password_reset_token` = :user_password_reset_token', + array( + 'user_email' => $user_email, + 'user_password_reset_token' => $user_token, + ) ); if (false !== $userQuery) { @@ -78,10 +87,14 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { $database ->query( 'UPDATE `users` - SET `password` = "' . User::generatePassword($_POST['password']) . '", + SET `password` = :user_password, `password_reset_token` = NULL, `password_reset_valid_until` = NULL - WHERE `id` = ' . $user->id . ';' + WHERE `id` = :user_id;', + array( + 'user_password' => User::generatePassword($_POST['password']), + 'user_id' => $user->id, + ) ); $page->messages[] = Page::success( 
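Review bot: The profile.php UPDATE in the @@ -150 hunk binds only the `WHERE` id; its `SET ' . implode(',', $set) . '` fragment is still assembled from `$set`, whose construction lies outside the hunk. If those entries embed the submitted profile values by concatenation — the pattern the rest of this diff removes — the statement remains injectable through the profile fields, so each entry should be of the form `\`column\` = :column` with the value added to the placeholder array passed here. The register.php @@ -67 SELECT in this line has the stray comma before `AND` noted on the wishes.php hunk.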
@@ -105,10 +118,14 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { `password`, `power` ) VALUES ( - "' . $user_email . '", - "' . User::generatePassword($_POST['password']) . '", + :user_email, + :user_password, 100 - );' + );', + array( + 'user_email' => $user_email, + 'user_password' => User::generatePassword($_POST['password']), + ) ); $userRegistered = true; } else { @@ -123,9 +140,13 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { `email`, `password` ) VALUES ( - "' . $user_email . '", - "' . User::generatePassword($_POST['password']) . '" - );' + :user_email, + :user_password + );', + array( + 'user_email' => $user_email, + 'user_password' => User::generatePassword($_POST['password']), + ) ); $userRegistered = true; @@ -138,8 +159,9 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { * Insert default wishlist */ if ($userRegistered) { - $userID = $database->lastInsertID(); - $wishlistName = Sanitiser::getTitle(__('My hopes and dreams')); + $user_id = $database->lastInsertID(); + $wishlist_name = Sanitiser::getTitle(__('My hopes and dreams')); + $wishlist_hash = sha1(time() . $user_id . $wishlist_name); $database ->query( @@ -148,10 +170,15 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { `name`, `hash` ) VALUES ( - ' . $userID . ', - "' . $wishlistName . '", - "' . sha1(time() . $userID . $wishlistName) . '" - );' + :wishlist_user_id, + :wishlist_name, + :wishlist_hash + );', + array( + 'wishlist_user_id' => $user_id, + 'wishlist_name' => $wishlist_name, + 'wishlist_hash' => $wishlist_hash, + ) ); } } else {