diff --git a/Dockerfile b/Dockerfile index 11bd6fd8..d2e547ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ RUN sed -i '/security.debian.org/d' /etc/apt/sources.list \ RUN echo "deb http://archive.debian.org/debian/ stretch main" > /etc/apt/sources.list \ && echo "deb http://archive.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list -RUN apt-get update && apt-get install -y zlib1g-dev libicu-dev g++ wget git +RUN apt-get update && apt-get install -y zlib1g-dev libicu-dev g++ wget git zip RUN wget --no-check-certificate https://pecl.php.net/get/xdebug-2.5.5.tgz \ && pecl install --offline ./xdebug-2.5.5.tgz \ diff --git a/actions-sms.php b/actions-sms.php index 5f1e5726..832c7464 100644 --- a/actions-sms.php +++ b/actions-sms.php @@ -1,4 +1,9 @@ conn->real_escape_string(trim($matches[1])); + else $userNote=$db->escape(trim($matches[1])); $result=$db->query("UPDATE bikes SET currentUser=NULL,currentStand=$standId WHERE bikeNum=$bikeNum"); if ($userNote) 
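Review bot: The modified `apt-get install` line adds `zip` but still pulls in recommended packages and leaves the apt lists in the layer; since the line is being touched anyway, `RUN apt-get update && apt-get install -y --no-install-recommends zlib1g-dev libicu-dev g++ wget git zip && rm -rf /var/lib/apt/lists/*` keeps the image smaller and the layer reproducible, assuming nothing in the build relied on a recommended package. The next context line still fetches xdebug with `wget --no-check-certificate`; that is pre-existing, but verifying the archive against a pinned checksum after download would be worth a follow-up so the disabled TLS check is not the only integrity control.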
@@ -509,28 +514,30 @@ function freeBikes($number)
 function log_sms($sms_uuid, $sender, $receive_time, $sms_text, $ip)
 {
- global $dbserver,$dbuser,$dbpassword,$dbname;
- $localdb=new Database($dbserver,$dbuser,$dbpassword,$dbname);
- $localdb->connect();
- $localdb->conn->autocommit(TRUE);
-
- $sms_uuid =$localdb->conn->real_escape_string($sms_uuid);
- $sender =$localdb->conn->real_escape_string($sender);
- $receive_time =$localdb->conn->real_escape_string($receive_time);
- $sms_text =$localdb->conn->real_escape_string($sms_text);
- $ip =$localdb->conn->real_escape_string($ip);
-
- $result =$localdb->query("SELECT sms_uuid FROM received WHERE sms_uuid='$sms_uuid'");
- if (DEBUG===FALSE AND $result->num_rows>=1) // sms already exists in DB, possible problem
- {
- notifyAdmins(_('Problem with SMS')." $sms_uuid!",1);
- return FALSE;
- }
- else
- {
- $result =$localdb->query("INSERT INTO received SET sms_uuid='$sms_uuid',sender='$sender',receive_time='$receive_time',sms_text='$sms_text',ip='$ip'");
- }
-
+ global $dbserver, $dbuser, $dbpassword, $dbname;
+ /**
+ * @var DbInterface
+ */
+ $localdb = new MysqliDb($dbserver, $dbuser, $dbpassword, $dbname);
+ $localdb->connect();
+
+ #TODO does it needed???
+ $localdb->setAutocommit(true);
+
+ $sms_uuid = $localdb->escape($sms_uuid);
+ $sender = $localdb->escape($sender);
+ $receive_time = $localdb->escape($receive_time);
+ $sms_text = $localdb->escape($sms_text);
+ $ip = $localdb->escape($ip);
+
+ $result = $localdb->query("SELECT sms_uuid FROM received WHERE sms_uuid='$sms_uuid'");
+ if (DEBUG === FALSE and $result->num_rows >= 1) {
+ // sms already exists in DB, possible problem
+ notifyAdmins(_('Problem with SMS') . " $sms_uuid!", 1);
+ return FALSE;
+ } else {
+ $result = $localdb->query("INSERT INTO received SET sms_uuid='$sms_uuid',sender='$sender',receive_time='$receive_time',sms_text='$sms_text',ip='$ip'");
+ }
 }
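Review bot: The `#TODO does it needed???` above `$localdb->setAutocommit(true)` can be answered from this diff: the removed `Database::connect()` in db.class.php set `autocommit(FALSE)`, and nothing in log_sms calls `commit()`, so if `MysqliDb::connect()` keeps that behaviour the INSERT into `received` would never be persisted without the call; replace the TODO with `// connect() leaves autocommit off and this side connection is never committed explicitly`. The same TODO is repeated in logSendsms, logrequest and logresult in common.php. Since the commit introduces a `DbInterface`, the SQL here is still built by `escape()` plus string interpolation; adding a bound-parameter query method to the interface and using it for the `received` SELECT/INSERT would remove the per-field escaping discipline, and `$result->num_rows` would then no longer tie the interface to mysqli result objects. The `/** @var DbInterface */` block is also not attached to anything a static analyser recognises; it needs the variable name, `/** @var DbInterface $localdb */`.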
@@ -554,7 +561,7 @@ function delnote($number,$bikeNum,$message) } else { - sendSMS($number,_('Error in bike number / stand name specification:'.$db->conn->real_escape_string($bikeNum))); + sendSMS($number,_('Error in bike number / stand name specification:'.$db->escape($bikeNum))); return; } @@ -587,7 +594,7 @@ function delnote($number,$bikeNum,$message) $reportedBy=$row["userName"]; $matches=explode(" ",$message,3); - $userNote=$db->conn->real_escape_string(trim($matches[2])); + $userNote=$db->escape(trim($matches[2])); if($userNote=='') { @@ -595,7 +602,7 @@ function delnote($number,$bikeNum,$message) } $result=$db->query("UPDATE notes SET deleted=NOW() where bikeNum=$bikeNum and deleted is null and note like '%$userNote%'"); - $count = $db->conn->affected_rows; + $count = $db->getAffectedRows(); if($count == 0) { @@ -647,7 +654,7 @@ function untag($number,$standName,$message) $matches=explode(" ",$message,3); - $userNote=$db->conn->real_escape_string(trim($matches[2])); + $userNote=$db->escape(trim($matches[2])); if($userNote=='') { @@ -655,7 +662,7 @@ function untag($number,$standName,$message) } $result=$db->query("update notes join bikes on notes.bikeNum = bikes.bikeNum set deleted=now() where bikes.currentStand='$standId' and note like '%$userNote%' and deleted is null"); - $count = $db->conn->affected_rows; + $count = $db->getAffectedRows(); if($count == 0) { @@ -706,7 +713,7 @@ function delstandnote($number,$standName,$message) $matches=explode(" ",$message,3); - $userNote=$db->conn->real_escape_string(trim($matches[2])); + $userNote=$db->escape(trim($matches[2])); if($userNote=='') { @@ -714,7 +721,7 @@ function delstandnote($number,$standName,$message) } $result=$db->query("UPDATE notes SET deleted=NOW() where standId=$standId and deleted is null and note like '%$userNote%'"); - $count = $db->conn->affected_rows; + $count = $db->getAffectedRows(); if($count == 0) { 
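Review bot: `escape()` does not neutralise the LIKE wildcards `%` and `_`, so in the `@@ -595`, `@@ -655` and `@@ -714` hunks a note text of just `%` makes `note like '%$userNote%'` match every undeleted note on the bike or stand and the UPDATE soft-deletes all of them (`$count` then reports the total). Escape the pattern characters before the SQL escape where `$userNote` is assigned in the `@@ -587`, `@@ -647` and `@@ -706` hunks: `$userNote=$db->escape(addcslashes(trim($matches[2]), '%_'));`. The enclosing functions delnote, untag and delstandnote start outside these hunks, so there may be a check upstream that I cannot see. The `_('Error in bike number / stand name specification:'.$db->escape($bikeNum))` line concatenates a value into the gettext key, which defeats translation lookup; translate the fixed text and append the value outside `_()`.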
@@ -765,7 +772,7 @@ function standNote($number,$standName,$message) $matches=explode(" ",$message,3); - $userNote=$db->conn->real_escape_string(trim($matches[2])); + $userNote=$db->escape(trim($matches[2])); if ($userNote=="") //deletemmm { @@ -781,7 +788,7 @@ function standNote($number,$standName,$message) else { $db->query("INSERT INTO notes SET standId='$standId',userId='$userId',note='$userNote'"); - $noteid=$db->conn->insert_id; + $noteid=$db->getLastInsertId(); sendSMS($number,_('Note for stand')." ".$standName." "._('saved')."."); notifyAdmins(_('Note #').$noteid.": "._("on stand")." ".$standName." "._('by')." ".$reportedBy." (".$number."):".$userNote); } @@ -813,7 +820,7 @@ function tag($number,$standName,$message) $matches=explode(" ",$message,3); - $userNote=$db->conn->real_escape_string(trim($matches[2])); + $userNote=$db->escape(trim($matches[2])); if ($userNote=="") //deletemmm { @@ -829,7 +836,7 @@ function tag($number,$standName,$message) else { $db->query("INSERT INTO notes (bikeNum,userId,note) SELECT bikeNum,'$userId','$userNote' FROM bikes where currentStand='$standId'"); - //$noteid=$db->conn->insert_id; + //$noteid=$db->getLastInsertId(); sendSMS($number,_('All bikes on stand')." ".$standName." "._('tagged')."."); notifyAdmins(_('All bikes on stand')." "."$standName".' '._('tagged by')." ".$reportedBy." (".$number.")". _("with note:").$userNote); } @@ -855,7 +862,7 @@ function note($number,$bikeNum,$message) } else { - sendSMS($number,_('Error in bike number / stand name specification:'.$db->conn->real_escape_string($bikeNum))); + sendSMS($number,_('Error in bike number / stand name specification:'.$db->escape($bikeNum))); return; } @@ -892,7 +899,7 @@ function note($number,$bikeNum,$message) else { $matches=explode(" ",$message,3); - $userNote=$db->conn->real_escape_string(trim($matches[2])); + $userNote=$db->escape(trim($matches[2])); } if ($userNote=="") 
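Review bot: `$userNote` is SQL-escaped at assignment in the `@@ -765` and `@@ -813` hunks and then reused as display text in `notifyAdmins(...)` in the `@@ -781` and `@@ -829` hunks, so a note containing a quote or backslash reaches admins as `it\'s`; the same pattern is in `note()` (`@@ -892` assignment, `@@ -911` notifyAdmins). Keep the raw value for messages and escape only for the query: `$rawNote=trim($matches[2]); $userNote=$db->escape($rawNote);` and pass `$rawNote` to notifyAdmins. In `tag()`, the commented-out `//$noteid=$db->getLastInsertId();` was updated rather than deleted; dead code should go, and the multi-row `INSERT ... SELECT` has no single insert id to read anyway.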
@@ -911,7 +918,7 @@ function note($number,$bikeNum,$message) else { $db->query("INSERT INTO notes SET bikeNum='$bikeNum',userId='$userId',note='$userNote'"); - $noteid=$db->conn->insert_id; + $noteid=$db->getLastInsertId(); sendSMS($number,_('Note for bike')." ".$bikeNum." "._('saved')."."); notifyAdmins(_('Note #').$noteid.": b.".$bikeNum." (".$bikeStatus.") "._('by')." ".$reportedBy." (".$number."):".$userNote); } @@ -1028,8 +1035,8 @@ function add($number,$email,$phone,$message) sendSMS($number,_('Contact information is in incorrect format. Use:')." ADD king@earth.com 0901456789 Martin Luther King Jr."); return; } - $userName=$db->conn->real_escape_string(trim($matches[2])); - $email=$db->conn->real_escape_string(trim($matches[1])); + $userName=$db->escape(trim($matches[2])); + $email=$db->escape(trim($matches[1])); $result=$db->query("INSERT into users SET userName='$userName',number=$phone,mail='$email'"); diff --git a/admin.php b/admin.php index 821c15e3..819726b7 100644 --- a/admin.php +++ b/admin.php @@ -1,15 +1,22 @@ connect(); checksession(); if (isset($_COOKIE["loguserid"])) { - $userid = $db->conn->real_escape_string(trim($_COOKIE["loguserid"])); + $userid = $db->escape(trim($_COOKIE["loguserid"])); } else { $userid = 0; } diff --git a/agree.php b/agree.php index e22bdd4a..463f91cc 100644 --- a/agree.php +++ b/agree.php @@ -1,9 +1,16 @@ connect(); ?> diff --git a/command.php b/command.php index 11e7c655..0d954e4d 100644 --- a/command.php +++ b/command.php @@ -1,19 +1,26 @@ connect(); if (isset($_COOKIE["loguserid"])) { - $userid = $db->conn->real_escape_string(trim($_COOKIE["loguserid"])); + $userid = $db->escape(trim($_COOKIE["loguserid"])); } else { $userid = 0; } if (isset($_COOKIE["logsession"])) { - $session = $db->conn->real_escape_string(trim($_COOKIE["logsession"])); + $session = $db->escape(trim($_COOKIE["logsession"])); } else { $session = ''; } diff --git a/common.php b/common.php index 3031e7bb..c0288143 100644 --- a/common.php 
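Review bot: In the `@@ -1028` hunk `$userName` and `$email` are now escaped but `$phone` is interpolated unquoted into `number=$phone` in the same INSERT without escaping or a cast; the format-check message just above suggests it is validated earlier, but that check is outside the hunk, so `number='".$db->escape($phone)."'` or an explicit numeric cast would make the statement self-contained. The enclosing function add() starts outside the hunk.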
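Review bot: In admin.php and command.php (`@@ -1,15` and `@@ -1,19`), and likewise in index.php and the isloggedin/checksession hunks of common.php, `$_COOKIE["loguserid"]` is only run through `escape()` before being interpolated into `userId='$userid'` queries; userId is an auto-increment integer (the installer reads it from `getLastInsertId()`), so `$userid = (int) trim($_COOKIE["loguserid"]);` rejects anything non-numeric outright and matches the type of the `$userid = 0` fallback. `$_COOKIE["logsession"]` stays a string; a bound parameter on `DbInterface` is the right fix there rather than escaping at each call site.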
+++ b/common.php @@ -3,6 +3,8 @@ use BikeShare\Mail\DebugMailSender; use BikeShare\Mail\MailSenderInterface; use BikeShare\Mail\PHPMailerMailSender; +use BikeShare\Db\DbInterface; +use BikeShare\Db\MysqliDb; use BikeShare\SmsConnector\SmsConnectorFactory; require_once 'vendor/autoload.php'; @@ -37,7 +39,7 @@ function error($message) { global $db; - $db->conn->rollback(); + $db->rollback(); exit($message); } @@ -73,14 +75,19 @@ function sendSMS($number,$text) function logSendsms($number, $text) { - global $dbserver,$dbuser,$dbpassword,$dbname; - $localdb=new Database($dbserver,$dbuser,$dbpassword,$dbname); - $localdb->connect(); - $localdb->conn->autocommit(TRUE); - $number = $localdb->conn->real_escape_string($number); - $text = $localdb->conn->real_escape_string($text); + global $dbserver, $dbuser, $dbpassword, $dbname; + /** + * @var DbInterface + */ + $localdb = new MysqliDb($dbserver, $dbuser, $dbpassword, $dbname); + $localdb->connect(); - $result = $localdb->query("INSERT INTO sent SET number='$number',text='$text'"); + #TODO does it needed??? + $localdb->setAutocommit(true); + $number = $localdb->escape($number); + $text = $localdb->escape($text); + + $result = $localdb->query("INSERT INTO sent SET number='$number',text='$text'"); } @@ -165,8 +172,8 @@ function isloggedin() { global $db; if (isset($_COOKIE['loguserid']) and isset($_COOKIE['logsession'])) { - $userid = $db->conn->real_escape_string(trim($_COOKIE['loguserid'])); - $session = $db->conn->real_escape_string(trim($_COOKIE['logsession'])); + $userid = $db->escape(trim($_COOKIE['loguserid'])); + $session = $db->escape(trim($_COOKIE['logsession'])); $result = $db->query("SELECT sessionId FROM sessions WHERE userId='$userid' AND sessionId='$session' AND timeStamp>'" . time() . "'"); if ($result->num_rows == 1) { return 1; 
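Review bot: The two new `use` lines in the `@@ -3,6` hunk are inserted after the `BikeShare\Mail\*` imports, breaking the alphabetical order the block otherwise keeps; move them above `use BikeShare\Mail\DebugMailSender;`. `DbInterface` is imported only for the `@var` docblocks in logSendsms and the other log helpers, which is fine, but those docblocks need the variable name (`/** @var DbInterface $localdb */`) to be picked up by analysers, otherwise the import is effectively unused.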
@@ -183,16 +190,16 @@ function checksession() $result = $db->query("DELETE FROM sessions WHERE timeStamp<='" . time() . "'"); if (isset($_COOKIE['loguserid']) and isset($_COOKIE['logsession'])) { - $userid = $db->conn->real_escape_string(trim($_COOKIE['loguserid'])); - $session = $db->conn->real_escape_string(trim($_COOKIE['logsession'])); + $userid = $db->escape(trim($_COOKIE['loguserid'])); + $session = $db->escape(trim($_COOKIE['logsession'])); $result = $db->query("SELECT sessionId FROM sessions WHERE userId='$userid' AND sessionId='$session' AND timeStamp>'" . time() . "'"); if ($result->num_rows == 1) { $timestamp = time() + 86400 * 14; $result = $db->query("UPDATE sessions SET timeStamp='$timestamp' WHERE userId='$userid' AND sessionId='$session'"); - $db->conn->commit(); + $db->commit(); } else { $result = $db->query("DELETE FROM sessions WHERE userId='$userid' OR sessionId='$session'"); - $db->conn->commit(); + $db->commit(); setcookie('loguserid', '', time() - 86400); setcookie('logsession', '', time() - 86400); header('HTTP/1.1 302 Found'); @@ -210,10 +217,15 @@ function checksession() function logrequest($userid) { - global $dbserver, $dbuser, $dbpassword, $dbname; - $localdb = new Database($dbserver, $dbuser, $dbpassword, $dbname); + global $dbserver,$dbuser,$dbpassword,$dbname; + /** + * @var DbInterface + */ + $localdb = new MysqliDb($dbserver, $dbuser, $dbpassword, $dbname); $localdb->connect(); - $localdb->conn->autocommit(true); + + #TODO does it needed??? + $localdb->setAutocommit(true); $number = getphonenumber($userid); 
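Review bot: The `@@ -210` hunk rewrites `global $dbserver, $dbuser, $dbpassword, $dbname;` to `global $dbserver,$dbuser,$dbpassword,$dbname;`, removing the spacing the line already had and diverging from log_sms and logSendsms in this same diff; keep the original spaced form so the only change in the hunk is the `Database`→`MysqliDb` swap. logrequest's body continues outside the hunk.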
@@ -224,20 +236,29 @@ function logresult($userid, $text) { global $dbserver, $dbuser, $dbpassword, $dbname; - $localdb = new Database($dbserver, $dbuser, $dbpassword, $dbname); + /** + * @var DbInterface + */ + $localdb = new MysqliDb($dbserver, $dbuser, $dbpassword, $dbname); $localdb->connect(); - $localdb->conn->autocommit(true); - $userid = $localdb->conn->real_escape_string($userid); - $logtext = ''; - if (is_array($text)) { - foreach ($text as $value) { - $logtext .= $value . '; '; - } - } else { - $logtext = $text; - } - $logtext = strip_tags($localdb->conn->real_escape_string($logtext)); + #TODO does it needed??? + $localdb->setAutocommit(true); + $userid = $localdb->escape($userid); + $logtext=""; + if (is_array($text)) + { + foreach ($text as $value) + { + $logtext.=$value."; "; + } + } + else + { + $logtext=$text; + } + + $logtext = strip_tags($localdb->escape($logtext)); $result = $localdb->query("INSERT INTO sent SET number='$userid',text='$logtext'"); } @@ -312,7 +333,7 @@ function sendConfirmationEmail($emailto) function confirmUser($userKey) { global $db, $limits; - $userKey = $db->conn->real_escape_string($userKey); + $userKey = $db->escape($userKey); $result = $db->query("SELECT userId FROM registration WHERE userKey='$userKey'"); if ($result->num_rows == 1) { diff --git a/cron.php b/cron.php index 5c4d482d..e123fa7a 100644 --- a/cron.php +++ b/cron.php @@ -1,9 +1,16 @@ connect(); checklongrental(); diff --git a/db.class.php b/db.class.php deleted file mode 100644 index 8ec534f8..00000000 --- a/db.class.php +++ /dev/null 
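Review bot: The `@@ -224` hunk reformats logresult's `if (is_array($text))` block into Allman braces (`{` on its own line) and `$logtext=""` without spaces, undoing the K&R layout the removed lines had and that the rest of common.php (isloggedin, checksession) uses; keep the removed formatting and change only the `MysqliDb` and `escape()` lines. The order `strip_tags($localdb->escape($logtext))` also runs `strip_tags` over already-escaped text; `$localdb->escape(strip_tags($logtext))` makes the SQL escape the last transformation before the query, which is the safer convention.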
@@ -1,37 +0,0 @@ -dbserver=$dbserver; - $this->dbuser=$dbuser; - $this->dbpassword=$dbpassword; - $this->dbname=$dbname; - } - - function connect() - { - $this->conn=new mysqli($this->dbserver,$this->dbuser,$this->dbpassword,$this->dbname); - $this->conn->set_charset("utf8"); - $this->conn->autocommit(FALSE); - if (!$this->conn OR $this->conn->connect_errno) error(_('DB connection error!')); - return $this->conn; - } - - function query($query) - { - $result=$this->conn->query($query); - if (!$result) error(_('DB error').' '.$this->conn->error.' '._('in').': '.$query); - return $result; - } - - function insertid() - { - return $this->conn->insert_id; - } - -} - -?> \ No newline at end of file diff --git a/index.php b/index.php index 28cac9f0..caae893b 100644 --- a/index.php +++ b/index.php @@ -1,11 +1,16 @@ connect(); ?> @@ -43,7 +48,7 @@ var mapzoom=; conn->real_escape_string(trim($_COOKIE["loguserid"])); + $userid = $db->escape(trim($_COOKIE["loguserid"])); } else { $userid = 0; } diff --git a/install/generate.php b/install/generate.php index 5623e4f2..8ff5e624 100644 --- a/install/generate.php +++ b/install/generate.php @@ -1,14 +1,19 @@ connect(); // create new PDF document diff --git a/install/index.php b/install/index.php index ee816828..e853737e 100644 --- a/install/index.php +++ b/install/index.php @@ -1,6 +1,9 @@ connect(); $sql=file_get_contents("../docker-data/mysql/create-database.sql"); $sql=explode(";",$sql); @@ -233,16 +238,19 @@ function return_bytes($val) { connect(); $result=$db->query("REPLACE INTO users SET userName='".$_POST["username"]."',password=SHA2('".$_POST["password"]."',512),mail='".$_POST["email"]."',number='".$_POST["phone"]."',privileges=7"); -$userid=$db->conn->insert_id; +$userid=$db->getLastInsertId(); if (!$connectors["sms"]) { $result=$db->query("UPDATE users SET number='$userid' WHERE userId='$userid'"); } $result=$db->query("REPLACE INTO limits SET userId='$userid',userLimit='100'"); -$db->conn->commit(); +$db->commit(); ?>
',_('Admin user'),' ',$_POST["username"],' ',_('created with password:'),' ',$_POST["password"]; if (!$connectors["sms"]) { echo '. ',_('Use number'),' ',$userid,' ',_('for login'),'.'; } echo ''; ?> @@ -254,7 +262,10 @@ function return_bytes($val) { connect(); $stands=explode(",",$_POST["stands"]); foreach ($stands as $stand) @@ -267,7 +278,7 @@ function return_bytes($val) { $code=sprintf("%04d",rand(100,9900)); //do not create a code with more than one leading zero or more than two leading 9s (kind of unusual/unsafe). $result=$db->query("REPLACE INTO bikes SET bikeNum='".$i."',currentStand=1,currentCode='".$code."'"); } -$db->conn->commit(); +$db->commit(); ?> connect(); ?>
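Review bot: In the `@@ -233` hunk of install/index.php the `REPLACE INTO users` statement still concatenates `$_POST["username"]`, `$_POST["password"]`, `$_POST["email"]` and `$_POST["phone"]` directly into SQL, while this same commit routes every other user-supplied value through `escape()`; wrap each with `$db->escape(...)` (or better, a bound parameter on `DbInterface`), and the `echo` below that writes `$_POST["username"]` and `$_POST["password"]` into HTML needs `htmlspecialchars()`. The password is also stored as unsalted `SHA2(...,512)`; `password_hash()` is the recommended replacement, though that touches the login path outside this diff.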
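Review bot: `$code=sprintf("%04d",rand(100,9900))` in the `@@ -267` hunk generates the bike lock codes with `rand()`, which is not a cryptographically secure generator; `random_int(100, 9900)` is a drop-in replacement with the same range. The line is context here, but the hunk's only new line (`$db->commit()`) is what persists these codes, so it is worth fixing in the same pass.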