authorThomas Citharel <tcit@tcit.fr>2015-07-17 22:54:57 +0200
committerThomas Citharel <tcit@tcit.fr>2015-07-17 22:54:57 +0200
commit4a746679c899e44c214605561db2aeb5001f07cd (patch)
tree4d03c5e5e45464ba0770f307f6d0de72636c4e0f
parent7473f0cc4ab15ef8ff28169c5dec44b53131b1c3 (diff)
secure database functions
-rwxr-xr-xinc/poche/Database.class.php128
-rwxr-xr-xinc/poche/Poche.class.php29
2 files changed, 85 insertions, 72 deletions
diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php
index 7be7a394..28d4a232 100755
--- a/inc/poche/Database.class.php
+++ b/inc/poche/Database.class.php
@@ -156,11 +156,14 @@ class Database {
156 { 156 {
157 $sql = "SELECT * FROM users_config WHERE user_id = ?"; 157 $sql = "SELECT * FROM users_config WHERE user_id = ?";
158 $query = $this->executeQuery($sql, array($id)); 158 $query = $this->executeQuery($sql, array($id));
159 $result = $query->fetchAll(); 159 $result = ($query) ? $query->fetchAll() : false;
160 $user_config = array(); 160 $user_config = false;
161 if ($query) {
162 $user_config = array();
161 163
162 foreach ($result as $key => $value) { 164 foreach ($result as $key => $value) {
163 $user_config[$value['name']] = $value['value']; 165 $user_config[$value['name']] = $value['value'];
166 }
164 } 167 }
165 168
166 return $user_config; 169 return $user_config;
@@ -171,11 +174,7 @@ class Database {
171 $sql = "SELECT * FROM users WHERE username=?"; 174 $sql = "SELECT * FROM users WHERE username=?";
172 $query = $this->executeQuery($sql, array($username)); 175 $query = $this->executeQuery($sql, array($username));
173 $login = $query->fetchAll(); 176 $login = $query->fetchAll();
174 if (isset($login[0])) { 177 return (isset($login[0]) && $query) ? true : false;
175 return true;
176 } else {
177 return false;
178 }
179 } 178 }
180 179
181 public function login($username, $password, $isauthenticated = FALSE) 180 public function login($username, $password, $isauthenticated = FALSE)
@@ -187,10 +186,10 @@ class Database {
187 $sql = "SELECT * FROM users WHERE username=? AND password=?"; 186 $sql = "SELECT * FROM users WHERE username=? AND password=?";
188 $query = $this->executeQuery($sql, array($username, $password)); 187 $query = $this->executeQuery($sql, array($username, $password));
189 } 188 }
190 $login = $query->fetchAll(); 189 $login = ($query) ? $query->fetchAll() : false;
191 190
192 $user = array(); 191 $user = array();
193 if (isset($login[0])) { 192 if ($login[0]) {
194 $user['id'] = $login[0]['id']; 193 $user['id'] = $login[0]['id'];
195 $user['username'] = $login[0]['username']; 194 $user['username'] = $login[0]['username'];
196 $user['password'] = $login[0]['password']; 195 $user['password'] = $login[0]['password'];
@@ -243,7 +242,7 @@ class Database {
243 { 242 {
244 $sql = 'SELECT count(*) FROM users'.( $username ? ' WHERE username=?' : ''); 243 $sql = 'SELECT count(*) FROM users'.( $username ? ' WHERE username=?' : '');
245 $query = $this->executeQuery($sql, ( $username ? array($username) : array())); 244 $query = $this->executeQuery($sql, ( $username ? array($username) : array()));
246 list($count) = $query->fetch(); 245 list($count) = ($query) ? $query->fetch() : false;
247 return $count; 246 return $count;
248 } 247 }
249 248
@@ -252,7 +251,7 @@ class Database {
252 $sql = "SELECT * FROM users WHERE id=?"; 251 $sql = "SELECT * FROM users WHERE id=?";
253 $query = $this->executeQuery($sql, array($userID)); 252 $query = $this->executeQuery($sql, array($userID));
254 $password = $query->fetchAll(); 253 $password = $query->fetchAll();
255 return isset($password[0]['password']) ? $password[0]['password'] : null; 254 return ($query) ? $password[0]['password'] : false;
256 } 255 }
257 256
258 public function deleteUserConfig($userID) 257 public function deleteUserConfig($userID)
@@ -260,18 +259,22 @@ class Database {
260 $sql_action = 'DELETE from users_config WHERE user_id=?'; 259 $sql_action = 'DELETE from users_config WHERE user_id=?';
261 $params_action = array($userID); 260 $params_action = array($userID);
262 $query = $this->executeQuery($sql_action, $params_action); 261 $query = $this->executeQuery($sql_action, $params_action);
263 return $query; 262 return ($query) ? $query : false;
264 } 263 }
265 264
266 public function deleteTagsEntriesAndEntries($userID) 265 public function deleteTagsEntriesAndEntries($userID)
267 { 266 {
268 $entries = $this->retrieveAll($userID); 267 $entries = $this->retrieveAll($userID);
269 foreach($entries as $entryid) { 268 if ($entries) {
270 $tags = $this->retrieveTagsByEntry($entryid); 269 foreach($entries as $entryid) {
271 foreach($tags as $tag) { 270 $tags = $this->retrieveTagsByEntry($entryid);
272 $this->removeTagForEntry($entryid,$tags); 271 foreach($tags as $tag) {
272 $this->removeTagForEntry($entryid,$tags);
273 }
274 $this->deleteById($entryid,$userID);
273 } 275 }
274 $this->deleteById($entryid,$userID); 276 } else {
277 return false;
275 } 278 }
276 } 279 }
277 280
@@ -302,7 +305,7 @@ class Database {
302 $query = $this->executeQuery($sql, array($user_id)); 305 $query = $this->executeQuery($sql, array($user_id));
303 $entries = $query->fetchAll(); 306 $entries = $query->fetchAll();
304 307
305 return $entries; 308 return ($query) ? $entries : false;
306 } 309 }
307 310
308 public function retrieveUnfetchedEntriesCount($user_id) 311 public function retrieveUnfetchedEntriesCount($user_id)
@@ -320,44 +323,44 @@ class Database {
320 $query = $this->executeQuery($sql, array($user_id)); 323 $query = $this->executeQuery($sql, array($user_id));
321 $entries = $query->fetchAll(); 324 $entries = $query->fetchAll();
322 325
323 return $entries; 326 return ($query) ? $entries : false;
324 } 327 }
325 328
326 public function retrieveAllWithTags($user_id) 329 public function retrieveAllWithTags($user_id)
327 { 330 {
328 $entries = $this->retrieveAll($user_id); 331 $entries = $this->retrieveAll($user_id);
329 $count = count($entries); 332 if ($entries) {
330 for ($i = 0; $i < $count; $i++) { 333 $count = count($entries);
331 $tag_entries = $this->retrieveTagsByEntry($entries[$i]['id']); 334 for ($i = 0; $i < $count; $i++) {
332 $tags = []; 335 $tag_entries = $this->retrieveTagsByEntry($entries[$i]['id']);
333 foreach ($tag_entries as $tag) { 336 $tags = [];
334 $tags[] = $tag[1]; 337 foreach ($tag_entries as $tag) {
335 } 338 $tags[] = $tag[1];
336 $entries[$i]['tags'] = implode(',', $tags); 339 }
340 $entries[$i]['tags'] = implode(',', $tags);
341 }
337 } 342 }
338 return $entries; 343 return $entries;
339 } 344 }
340 345
341 public function retrieveOneById($id, $user_id) 346 public function retrieveOneById($id, $user_id)
342 { 347 {
343 $entry = NULL;
344 $sql = "SELECT * FROM entries WHERE id=? AND user_id=?"; 348 $sql = "SELECT * FROM entries WHERE id=? AND user_id=?";
345 $params = array(intval($id), $user_id); 349 $params = array(intval($id), $user_id);
346 $query = $this->executeQuery($sql, $params); 350 $query = $this->executeQuery($sql, $params);
347 $entry = $query->fetchAll(); 351 $entry = $query->fetchAll();
348 352
349 return isset($entry[0]) ? $entry[0] : null; 353 return ($query) ? $entry[0] : false;
350 } 354 }
351 355
352 public function retrieveOneByURL($url, $user_id) 356 public function retrieveOneByURL($url, $user_id)
353 { 357 {
354 $entry = NULL;
355 $sql = "SELECT * FROM entries WHERE url=? AND user_id=?"; 358 $sql = "SELECT * FROM entries WHERE url=? AND user_id=?";
356 $params = array($url, $user_id); 359 $params = array($url, $user_id);
357 $query = $this->executeQuery($sql, $params); 360 $query = $this->executeQuery($sql, $params);
358 $entry = $query->fetchAll(); 361 $entry = $query->fetchAll();
359 362
360 return isset($entry[0]) ? $entry[0] : null; 363 return ($query) ? $entry[0] : false;
361 } 364 }
362 365
363 public function reassignTags($old_entry_id, $new_entry_id) 366 public function reassignTags($old_entry_id, $new_entry_id)
@@ -395,7 +398,8 @@ class Database {
395 $query = $this->executeQuery($sql, $params); 398 $query = $this->executeQuery($sql, $params);
396 $entries = $query->fetchAll(); 399 $entries = $query->fetchAll();
397 400
398 return $entries; 401 return ($query) ? $entries : false;
402
399 } 403 }
400 404
401 public function getEntriesByViewCount($view, $user_id, $tag_id = 0) 405 public function getEntriesByViewCount($view, $user_id, $tag_id = 0)
@@ -422,7 +426,7 @@ class Database {
422 } 426 }
423 427
424 $query = $this->executeQuery($sql, $params); 428 $query = $this->executeQuery($sql, $params);
425 list($count) = $query->fetch(); 429 list($count) = ($query) ? $query->fetch() : array(false);
426 430
427 return $count; 431 return $count;
428 } 432 }
@@ -445,7 +449,7 @@ class Database {
445 $query = $this->executeQuery($sql, $params); 449 $query = $this->executeQuery($sql, $params);
446 $id = $query->fetchAll(); 450 $id = $query->fetchAll();
447 451
448 return $id; 452 return ($query) ? $id : false;
449 } 453 }
450 454
451 public function getPreviousArticle($id, $user_id) 455 public function getPreviousArticle($id, $user_id)
@@ -454,7 +458,7 @@ class Database {
454 $params = array($id, $user_id); 458 $params = array($id, $user_id);
455 $query = $this->executeQuery($sql, $params); 459 $query = $this->executeQuery($sql, $params);
456 $id_entry = $query->fetchAll(); 460 $id_entry = $query->fetchAll();
457 $id = $id_entry[0][0]; 461 $id = ($query) ? $id_entry[0][0] : false;
458 return $id; 462 return $id;
459 } 463 }
460 464
@@ -464,7 +468,7 @@ class Database {
464 $params = array($id, $user_id); 468 $params = array($id, $user_id);
465 $query = $this->executeQuery($sql, $params); 469 $query = $this->executeQuery($sql, $params);
466 $id_entry = $query->fetchAll(); 470 $id_entry = $query->fetchAll();
467 $id = $id_entry[0][0]; 471 $id = ($query) ? $id_entry[0][0] : false;
468 return $id; 472 return $id;
469 } 473 }
470 474
@@ -540,7 +544,7 @@ class Database {
540 $sql_action .= $this->getEntriesOrder().' ' . $limit; 544 $sql_action .= $this->getEntriesOrder().' ' . $limit;
541 $params_action = array($user_id, $search, $search, $search); 545 $params_action = array($user_id, $search, $search, $search);
542 $query = $this->executeQuery($sql_action, $params_action); 546 $query = $this->executeQuery($sql_action, $params_action);
543 return $query->fetchAll(); 547 return ($query) ? $query->fetchAll() : false;
544 } 548 }
545 549
546 public function retrieveAllTags($user_id, $term = NULL) 550 public function retrieveAllTags($user_id, $term = NULL)
@@ -553,23 +557,23 @@ class Database {
553 GROUP BY tags.id, tags.value 557 GROUP BY tags.id, tags.value
554 ORDER BY tags.value"; 558 ORDER BY tags.value";
555 $query = $this->executeQuery($sql, (($term)? array($user_id, strtolower('%'.$term.'%')) : array($user_id) )); 559 $query = $this->executeQuery($sql, (($term)? array($user_id, strtolower('%'.$term.'%')) : array($user_id) ));
556 $tags = $query->fetchAll(); 560 $tags = ($query) ? $query->fetchAll() : false;
557 561
558 return $tags; 562 return $tags;
559 } 563 }
560 564
561 public function retrieveTag($id, $user_id) 565 public function retrieveTag($id, $user_id)
562 { 566 {
563 $tag = NULL;
564 $sql = "SELECT DISTINCT tags.* FROM tags 567 $sql = "SELECT DISTINCT tags.* FROM tags
565 LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id 568 LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
566 LEFT JOIN entries ON tags_entries.entry_id=entries.id 569 LEFT JOIN entries ON tags_entries.entry_id=entries.id
567 WHERE tags.id=? AND entries.user_id=?"; 570 WHERE tags.id=? AND entries.user_id=?";
568 $params = array(intval($id), $user_id); 571 $params = array(intval($id), $user_id);
569 $query = $this->executeQuery($sql, $params); 572 $query = $this->executeQuery($sql, $params);
570 $tag = $query->fetchAll(); 573 $tags = ($query) ? $query->fetchAll() : false;
574 $tag = ($query) ? $tags[0] : false;
571 575
572 return isset($tag[0]) ? $tag[0] : NULL; 576 return $tag[0];
573 } 577 }
574 578
575 public function retrieveEntriesByTag($tag_id, $user_id) 579 public function retrieveEntriesByTag($tag_id, $user_id)
@@ -579,7 +583,7 @@ class Database {
579 LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id 583 LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id
580 WHERE tags_entries.tag_id = ? AND entries.user_id=? ORDER by entries.id DESC"; 584 WHERE tags_entries.tag_id = ? AND entries.user_id=? ORDER by entries.id DESC";
581 $query = $this->executeQuery($sql, array($tag_id, $user_id)); 585 $query = $this->executeQuery($sql, array($tag_id, $user_id));
582 $entries = $query->fetchAll(); 586 $entries = ($query) ? $query->fetchAll() : false;
583 587
584 return $entries; 588 return $entries;
585 } 589 }
@@ -591,7 +595,7 @@ class Database {
591 LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id 595 LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id
592 WHERE tags_entries.entry_id = ?"; 596 WHERE tags_entries.entry_id = ?";
593 $query = $this->executeQuery($sql, array($entry_id)); 597 $query = $this->executeQuery($sql, array($entry_id));
594 $tags = $query->fetchAll(); 598 $tags = ($query) ? $query->fetchAll() : false;
595 599
596 return $tags; 600 return $tags;
597 } 601 }
@@ -601,38 +605,40 @@ class Database {
601 $sql_action = "DELETE FROM tags_entries WHERE tag_id=? AND entry_id=?"; 605 $sql_action = "DELETE FROM tags_entries WHERE tag_id=? AND entry_id=?";
602 $params_action = array($tag_id, $entry_id); 606 $params_action = array($tag_id, $entry_id);
603 $query = $this->executeQuery($sql_action, $params_action); 607 $query = $this->executeQuery($sql_action, $params_action);
604 return $query; 608 return ($query) ? $query : false;
605 } 609 }
606 610
607 public function cleanUnusedTag($tag_id) 611 public function cleanUnusedTag($tag_id)
608 { 612 {
609 $sql_action = "SELECT tags.* FROM tags JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?"; 613 $sql_action = "SELECT tags.* FROM tags JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?";
610 $query = $this->executeQuery($sql_action,array($tag_id)); 614 $query = $this->executeQuery($sql_action,array($tag_id));
611 $tagstokeep = $query->fetchAll(); 615 $tagstokeep = ($query) ? $query->fetchAll() : false;
612 $sql_action = "SELECT tags.* FROM tags LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?"; 616 $sql_action = "SELECT tags.* FROM tags LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?";
613 $query = $this->executeQuery($sql_action,array($tag_id)); 617 $query = $this->executeQuery($sql_action,array($tag_id));
614 $alltags = $query->fetchAll(); 618 $alltags = ($query) ? $query->fetchAll() : false;
615 619
616 foreach ($alltags as $tag) { 620 if ($tagstokeep && $alltags) {
617 if ($tag && !in_array($tag,$tagstokeep)) { 621 foreach ($alltags as $tag) {
618 $sql_action = "DELETE FROM tags WHERE id=?"; 622 if ($tag && !in_array($tag,$tagstokeep)) {
619 $params_action = array($tag[0]); 623 $sql_action = "DELETE FROM tags WHERE id=?";
620 $this->executeQuery($sql_action, $params_action); 624 $params_action = array($tag[0]);
621 return true; 625 $this->executeQuery($sql_action, $params_action);
626 return true;
627 }
622 } 628 }
629 } else {
630 return false;
623 } 631 }
624
625 } 632 }
626 633
627 public function retrieveTagByValue($value) 634 public function retrieveTagByValue($value)
628 { 635 {
629 $tag = NULL;
630 $sql = "SELECT * FROM tags WHERE value=?"; 636 $sql = "SELECT * FROM tags WHERE value=?";
631 $params = array($value); 637 $params = array($value);
632 $query = $this->executeQuery($sql, $params); 638 $query = $this->executeQuery($sql, $params);
633 $tag = $query->fetchAll(); 639 $tag = ($query) ? $query->fetchAll() : false;
634 640
635 return isset($tag[0]) ? $tag[0] : null; 641 return ($query) ? $tag[0] : false;
636 } 642 }
637 643
638 public function createTag($value) 644 public function createTag($value)
@@ -640,7 +646,7 @@ class Database {
640 $sql_action = 'INSERT INTO tags ( value ) VALUES (?)'; 646 $sql_action = 'INSERT INTO tags ( value ) VALUES (?)';
641 $params_action = array($value); 647 $params_action = array($value);
642 $query = $this->executeQuery($sql_action, $params_action); 648 $query = $this->executeQuery($sql_action, $params_action);
643 return $query; 649 return ($query) ? $query : false;
644 } 650 }
645 651
646 public function setTagToEntry($tag_id, $entry_id) 652 public function setTagToEntry($tag_id, $entry_id)
@@ -648,7 +654,7 @@ class Database {
648 $sql_action = 'INSERT INTO tags_entries ( tag_id, entry_id ) VALUES (?, ?)'; 654 $sql_action = 'INSERT INTO tags_entries ( tag_id, entry_id ) VALUES (?, ?)';
649 $params_action = array($tag_id, $entry_id); 655 $params_action = array($tag_id, $entry_id);
650 $query = $this->executeQuery($sql_action, $params_action); 656 $query = $this->executeQuery($sql_action, $params_action);
651 return $query; 657 return ($query) ? $query : false;
652 } 658 }
653 659
654 private function getEntriesOrder() 660 private function getEntriesOrder()
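Review bot: In userExists (new line 176), the password lookup at 253, retrieveOneById/retrieveOneByURL (351, 361), the list-returning methods at 306, 324, 399 and 450, and the id lookups at 460 and 470, `$query->fetchAll()` still runs before `$query` is tested, so a failed executeQuery() that returns false is fatal on that call and the new `($query) ? ... : false` branch is never reached; the fetch has to move inside the test, `$entries = ($query) ? $query->fetchAll() : false;`, as the other hunks already do. Where the test is in place the empty-result case has regressed: `$entry[0]`, `$password[0]['password']` and `$tag[0]` at 254, 353, 363 and 641 index an empty array when no row matches, where the old `isset()` form returned null, and `if ($login[0])` in login (192) drops the same guard on the authentication path. cleanUnusedTag (620) now tests `$tagstokeep` and `$alltags` for truthiness, but an unused tag is exactly the case where the first SELECT yields an empty array, so the delete is skipped for every tag the method exists to remove; `if ($tagstokeep !== false && $alltags !== false)` keeps the error guard without conflating it with "no rows". retrieveTag (573–576) also changes what it returns: `$tag` is already the first row, so `return $tag[0]` hands back that row's first column instead of the row. The re-indented loop in deleteTagsEntriesAndEntries (272) still passes `$tags` rather than `$tag` to removeTagForEntry; not introduced here, but worth fixing while the block is being touched.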
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index e0c9abbb..15d83bfe 100755
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -599,7 +599,7 @@ class Poche
599 599
600 $count = $this->store->getEntriesByViewCount($view, $this->user->getId(), $id); 600 $count = $this->store->getEntriesByViewCount($view, $this->user->getId(), $id);
601 601
602 if ($count > 0) { 602 if ($count && $count > 0) {
603 $this->pagination->set_total($count); 603 $this->pagination->set_total($count);
604 $page_links = str_replace(array('previous', 'next'), array(_('previous'), _('next')), 604 $page_links = str_replace(array('previous', 'next'), array(_('previous'), _('next')),
605 $this->pagination->page_links('?view=' . $view . '&sort=' . $_SESSION['sort'] . (($id)?'&id='.$id:'') . '&' )); 605 $this->pagination->page_links('?view=' . $view . '&sort=' . $_SESSION['sort'] . (($id)?'&id='.$id:'') . '&' ));
@@ -903,14 +903,18 @@ class Poche
903 */ 903 */
904 public function export() 904 public function export()
905 { 905 {
906 $filename = "wallabag-export-".$this->user->getId()."-".date("Y-m-d").".json"; 906 $filename = "wallabag-export-".$this->user->getId()."-".date("Y-m-d").".json";
907 header('Content-Disposition: attachment; filename='.$filename); 907 header('Content-Disposition: attachment; filename='.$filename);
908 908
909 $entries = $this->store->retrieveAllWithTags($this->user->getId()); 909 $entries = $this->store->retrieveAllWithTags($this->user->getId());
910 echo $this->tpl->render('export.twig', array( 910 if ($entries) {
911 'export' => Tools::renderJson($entries), 911 echo $this->tpl->render('export.twig', array(
912 )); 912 'export' => Tools::renderJson($entries),
913 Tools::logm('export view'); 913 ));
914 Tools::logm('export view');
915 } else {
916 Tools::logm('error accessing database while exporting');
917 }
914 } 918 }
915 919
916 /** 920 /**
@@ -986,7 +990,7 @@ class Poche
986 if (0 == $limit) { 990 if (0 == $limit) {
987 $limit = count($entries); 991 $limit = count($entries);
988 } 992 }
989 if (count($entries) > 0) { 993 if ($entries && count($entries) > 0) {
990 for ($i = 0; $i < min(count($entries), $limit); $i++) { 994 for ($i = 0; $i < min(count($entries), $limit); $i++) {
991 $entry = $entries[$i]; 995 $entry = $entries[$i];
992 $newItem = $feed->createNewItem(); 996 $newItem = $feed->createNewItem();
@@ -998,7 +1002,10 @@ class Poche
998 $feed->addItem($newItem); 1002 $feed->addItem($newItem);
999 } 1003 }
1000 } 1004 }
1001 1005 else
1006 {
1007 Tools::logm("database error while generating feeds");
1008 }
1002 $feed->genarateFeed(); 1009 $feed->genarateFeed();
1003 exit; 1010 exit;
1004 } 1011 }
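Review bot: In export() the `Content-Disposition: attachment` header at line 907 is still sent before `$entries` is checked, so on the failure path added at 915 the client receives a download with an empty body; the header should move inside the `if ($entries)` branch. Both new guards also treat an empty result as a failure: `if ($entries)` at 910 and `if ($entries && count($entries) > 0)` at 993 are false for a user with no entries, so an empty library now logs 'error accessing database while exporting' or 'database error while generating feeds' instead of producing an empty export or feed; testing `$entries !== false` separates the two cases. At 991 `count($entries)` still runs before the guard at 993, so a false return reaches `count()` anyway (a warning on PHP 7, a TypeError on PHP 8); the feed-generating function starts outside the hunk. `if ($count && $count > 0)` at 602 is equivalent to `$count > 0`, since false is not greater than 0, and the extra test only obscures the intent.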