From b431d5252039630a40f275edb70e664495c696b9 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sun, 3 Dec 2017 09:21:08 +0300 Subject: [PATCH] auth_remote: use PDO --- plugins/auth_internal/init.php | 1 + plugins/auth_remote/init.php | 31 ++++++++++++++++--------------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php index 0374295f..5253ae67 100644 --- a/plugins/auth_internal/init.php +++ b/plugins/auth_internal/init.php @@ -10,6 +10,7 @@ class Auth_Internal extends Plugin implements IAuthModule { true); } + /* @var PluginHost $host */ function init($host) { $this->host = $host; $this->pdo = Db::pdo(); diff --git a/plugins/auth_remote/init.php b/plugins/auth_remote/init.php index dd04dcd1..bad1af65 100644 --- a/plugins/auth_remote/init.php +++ b/plugins/auth_remote/init.php @@ -2,6 +2,7 @@ class Auth_Remote extends Plugin implements IAuthModule { private $host; + /* @var Auth_Base $base */ private $base; function about() { @@ -11,7 +12,8 @@ class Auth_Remote extends Plugin implements IAuthModule { true); } - function init($host) { + /* @var PluginHost $host */ + function init($host ) { $this->host = $host; $this->base = new Auth_Base(); @@ -19,15 +21,16 @@ class Auth_Remote extends Plugin implements IAuthModule { } function get_login_by_ssl_certificate() { - $cert_serial = db_escape_string(get_ssl_certificate_id()); + $cert_serial = get_ssl_certificate_id(); if ($cert_serial) { - $result = db_query("SELECT login FROM ttrss_user_prefs, ttrss_users - WHERE pref_name = 'SSL_CERT_SERIAL' AND value = '$cert_serial' AND + $sth = $this->pdo->prepare("SELECT login FROM ttrss_user_prefs, ttrss_users + WHERE pref_name = 'SSL_CERT_SERIAL' AND value = ? AND owner_uid = ttrss_users.id"); + $sth->execute([$cert_serial]); - if (db_num_rows($result) != 0) { - return db_escape_string(db_fetch_result($result, 0, "login")); + if ($row = $sth->fetch()) { + return $row['login']; } } @@ -38,11 +41,11 @@ class Auth_Remote extends Plugin implements IAuthModule { * @SuppressWarnings(PHPMD.UnusedFormalParameter) */ function authenticate($login, $password) { - $try_login = db_escape_string($_SERVER["REMOTE_USER"]); + $try_login = $_SERVER["REMOTE_USER"]; // php-cgi - if (!$try_login) $try_login = db_escape_string($_SERVER["REDIRECT_REMOTE_USER"]); - if (!$try_login) $try_login = db_escape_string($_SERVER["PHP_AUTH_USER"]); + if (!$try_login) $try_login = $_SERVER["REDIRECT_REMOTE_USER"]; + if (!$try_login) $try_login = $_SERVER["PHP_AUTH_USER"]; if (!$try_login) $try_login = $this->get_login_by_ssl_certificate(); @@ -60,16 +63,14 @@ class Auth_Remote extends Plugin implements IAuthModule { // update user name $fullname = $_SERVER['HTTP_USER_NAME'] ? $_SERVER['HTTP_USER_NAME'] : $_SERVER['AUTHENTICATE_CN']; if ($fullname){ - $fullname = db_escape_string($fullname); - db_query("UPDATE ttrss_users SET full_name = '$fullname' WHERE id = " . - $user_id); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET full_name = ? WHERE id = ?"); + $sth->execute([$fullname, $user_id]); } // update user mail $email = $_SERVER['HTTP_USER_MAIL'] ? $_SERVER['HTTP_USER_MAIL'] : $_SERVER['AUTHENTICATE_MAIL']; if ($email){ - $email = db_escape_string($email); - db_query("UPDATE ttrss_users SET email = '$email' WHERE id = " . - $user_id); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ? WHERE id = ?"); + $sth->execute([$email, $user_id]); } } -- 2.39.5