
Supporto Prepared Statements

Aggiunto supporto ai Prepared Statements PDO, per una maggiore sicurezza rispetto al metodo prepare (#160).
This commit is contained in:
Thomas Zilio 2018-07-14 11:41:42 +02:00
parent cf309b3632
commit 26d22892c9
2 changed files with 42 additions and 18 deletions


@ -57,7 +57,9 @@ class Auth extends \Util\Singleton
if (API::isAPIRequest()) {
$token = API::getRequest()['token'];
$user = $database->fetchArray('SELECT `id_utente` FROM `zz_tokens` WHERE `enabled` = 1 AND `token` = '.prepare($token));
$user = $database->fetchArray('SELECT `id_utente` FROM `zz_tokens` WHERE `enabled` = 1 AND `token` = :token', [
':token' => $token,
]);
$id = !empty($user) ? $user[0]['id_utente'] : null;
}
@ -99,7 +101,9 @@ class Auth extends \Util\Singleton
$status = 'failed';
$users = $database->fetchArray('SELECT id AS id_utente, password, enabled FROM zz_users WHERE username = '.prepare($username).' LIMIT 1');
$users = $database->fetchArray('SELECT id AS id_utente, password, enabled FROM zz_users WHERE username = :username LIMIT 1', [
':username' => $username,
]);
if (!empty($users)) {
$user = $users[0];
@ -204,7 +208,9 @@ class Auth extends \Util\Singleton
$database = Database::getConnection();
try {
$results = $database->fetchArray('SELECT id AS id_utente, idanagrafica, username, (SELECT nome FROM zz_groups WHERE zz_groups.id=zz_users.idgruppo) AS gruppo FROM zz_users WHERE id = '.prepare($user_id).' AND enabled = 1 LIMIT 1', false, ['session' => false]);
$results = $database->fetchArray('SELECT id AS id_utente, idanagrafica, username, (SELECT nome FROM zz_groups WHERE zz_groups.id = zz_users.idgruppo) AS gruppo FROM zz_users WHERE id = :user_id AND enabled = 1 LIMIT 1', [
':user_id' => $user_id,
], false, ['session' => false]);
if (!empty($results)) {
$results[0]['id'] = $results[0]['id_utente'];
@ -270,7 +276,9 @@ class Auth extends \Util\Singleton
$user = self::user();
$database = Database::getConnection();
$tokens = $database->fetchArray('SELECT `token` FROM `zz_tokens` WHERE `enabled` = 1 AND `id_utente` = '.prepare($user['id_utente']));
$tokens = $database->fetchArray('SELECT `token` FROM `zz_tokens` WHERE `enabled` = 1 AND `id_utente` = :user_id', [
':user_id' => $user['id_utente'],
]);
// Generazione del token per l'utente
if (empty($tokens)) {
@ -314,11 +322,13 @@ class Auth extends \Util\Singleton
if (empty($this->first_module)) {
$query = 'SELECT id FROM zz_modules WHERE enabled = 1';
if (!$this->isAdmin()) {
$query .= ' AND id IN (SELECT idmodule FROM zz_permissions WHERE idgruppo = (SELECT id FROM zz_groups WHERE nome = '.prepare($this->getUser()['gruppo']).") AND permessi IN ('r', 'rw'))";
$query .= " AND id IN (SELECT idmodule FROM zz_permissions WHERE idgruppo = (SELECT id FROM zz_groups WHERE nome = :group) AND permessi IN ('r', 'rw'))";
}
$database = Database::getConnection();
$results = $database->fetchArray($query." AND options != '' AND options != 'menu' AND options IS NOT NULL ORDER BY `order` ASC");
$results = $database->fetchArray($query." AND options != '' AND options != 'menu' AND options IS NOT NULL ORDER BY `order` ASC", [
':group' => $this->getUser()['gruppo'],
]);
if (!empty($results)) {
$module = null;
@ -421,7 +431,11 @@ class Auth extends \Util\Singleton
}
if (!isset(self::$is_brute)) {
$results = $database->fetchArray('SELECT COUNT(*) AS tot FROM zz_logs WHERE ip = '.prepare(get_client_ip()).' AND stato = '.prepare(self::getStatus()['failed']['code']).' AND DATE_ADD(created_at, INTERVAL '.self::$brute_options['timeout'].' SECOND) >= NOW()');
$results = $database->fetchArray('SELECT COUNT(*) AS tot FROM zz_logs WHERE ip = :ip AND stato = :state AND DATE_ADD(created_at, INTERVAL :timeout SECOND) >= NOW()', [
':ip' => get_client_ip(),
':state' => self::getStatus()['failed']['code'],
':timeout' => self::$brute_options['timeout'],
]);
self::$is_brute = $results[0]['tot'] > self::$brute_options['attemps'];
}
@ -442,7 +456,11 @@ class Auth extends \Util\Singleton
$database = Database::getConnection();
$results = $database->fetchArray('SELECT TIME_TO_SEC(TIMEDIFF(DATE_ADD(created_at, INTERVAL '.self::$brute_options['timeout'].' SECOND), NOW())) AS diff FROM zz_logs WHERE ip = '.prepare(get_client_ip()).' AND stato = '.prepare(self::getStatus()['failed']['code']).' AND DATE_ADD(created_at, INTERVAL '.self::$brute_options['timeout'].' SECOND) >= NOW() ORDER BY created_at DESC LIMIT 1');
$results = $database->fetchArray('SELECT TIME_TO_SEC(TIMEDIFF(DATE_ADD(created_at, INTERVAL '.self::$brute_options['timeout'].' SECOND), NOW())) AS diff FROM zz_logs WHERE ip = :ip AND stato = :state AND DATE_ADD(created_at, INTERVAL :timeout SECOND) >= NOW() ORDER BY created_at DESC LIMIT 1', [
':ip' => get_client_ip(),
':state' => self::getStatus()['failed']['code'],
':timeout' => self::$brute_options['timeout'],
]);
return intval($results[0]['diff']);
}
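Review bot: In the first-module hunk the `:group` placeholder is appended to `$query` only inside `if (!$this->isAdmin())`, but the `[':group' => $this->getUser()['gruppo']]` array is handed to `fetchArray()` unconditionally, so for an administrator `execute()` receives a bound parameter with no matching marker; PDO rejects that (SQLSTATE HY093) and, depending on the connection's error mode, the call either throws or leaves `$results` empty so no first module is ever found. Build the parameter list alongside the query: `$parameters = [];` before the `if`, `$parameters[':group'] = $this->getUser()['gruppo'];` inside it, and pass `$parameters` as the second argument of the existing `fetchArray()` call. Separately, in the last hunk the `SELECT` list still concatenates `self::$brute_options['timeout']` into `INTERVAL ... SECOND` while the `WHERE` clause binds the same value as `:timeout`; a second marker (PDO does not allow reusing a named placeholder unless emulation is on) or an explicit `(int)` cast would keep that statement free of string-built SQL as well. The enclosing methods start above their hunks.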


@ -220,10 +220,11 @@ class Database extends Util\Singleton
*
* @return int
*/
public function query($query, $signal = null, $options = [])
public function query($query, $parameters = [], $signal = null, $options = [])
{
try {
$this->pdo->query($query);
$statement = $this->pdo->prepare($query);
$statement->execute($parameters);
$id = $this->lastInsertedID();
if ($id == 0) {
@ -246,12 +247,15 @@ class Database extends Util\Singleton
*
* @return array
*/
public function fetchArray($query, $numeric = false, $options = [])
public function fetchArray($query, $parameters = [], $numeric = false, $options = [])
{
try {
$mode = empty($numeric) ? PDO::FETCH_ASSOC : PDO::FETCH_NUM;
$result = $this->pdo->query($query)->fetchAll($mode);
$statement = $this->pdo->prepare($query);
$statement->execute($parameters);
$result = $statement->fetchAll($mode);
return $result;
} catch (PDOException $e) {
@ -271,7 +275,7 @@ class Database extends Util\Singleton
*/
public function fetchRows($query)
{
return $this->fetchArray($query, true);
return $this->fetchArray($query, [], true);
}
/**
@ -299,13 +303,13 @@ class Database extends Util\Singleton
*
* @return array
*/
public function fetchOne($query)
public function fetchOne($query, $parameters = [])
{
if (!str_contains($query, 'LIMIT')) {
$query .= ' LIMIT 1';
}
$result = $this->fetchArray($query);
$result = $this->fetchArray($query, $parameters);
if (isset($result[0])) {
return $result[0];
@ -323,9 +327,9 @@ class Database extends Util\Singleton
*
* @return int
*/
public function fetchNum($query)
public function fetchNum($query, $parameters = [])
{
$result = $this->fetchArray('SELECT COUNT(*) as `tot` FROM ('.$query.') AS `count`');
$result = $this->fetchArray('SELECT COUNT(*) as `tot` FROM ('.$query.') AS `count`', $parameters);
if (!empty($result)) {
return $result[0]['tot'];
@ -339,7 +343,9 @@ class Database extends Util\Singleton
$results = null;
if ($this->isConnected()) {
$results = $this->fetchArray("SHOW TABLES LIKE '".$table."'");
$results = $this->fetchArray('SHOW TABLES LIKE :table', [
':table' => $table,
]);
}
return !empty($results);
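Review bot: Inserting `$parameters` as the second positional argument of `query()` and `fetchArray()` silently re-maps existing call sites: a caller still written as `fetchArray($sql, true)` now passes `true` into `PDOStatement::execute()` instead of selecting numeric fetch mode, and `query($sql, $signal)` shifts `$signal` the same way. The `fetchRows` hunk shows the adjustment every other caller in the project now needs; any not updated in this commit will fail with a TypeError on PHP 8 or, under a silent error mode, quietly return an empty result set. A cheap guard makes the failure explicit in both methods: `if (!is_array($parameters)) { throw new \InvalidArgumentException('$parameters must be an array'); }` before the `prepare()` call, and the `@param` lists above these hunks presumably still need a `@param array $parameters` entry. Note also that pdo_mysql emulates prepares by default, so unless the connection setup (outside this hunk) passes `PDO::ATTR_EMULATE_PREPARES => false` and declares the charset in the DSN, the values are still quoted client-side rather than bound by the server as the commit title suggests.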