Ticket #12752: 0001-Avoid-double-quoting-SQL.patch

File 0001-Avoid-double-quoting-SQL.patch, 3.5 KB (added by ijc@…, 3 years ago)

Patch to avoid double quoting the SQL

  • modules/music/mp3act_functions.php

    From 6f4fe7ed0696463703394cfe37403773c23e2ad4 Mon Sep 17 00:00:00 2001
    From: Ian Campbell <ijc@hellion.org.uk>
    Date: Tue, 19 Jul 2016 20:01:32 +0100
    Subject: [PATCH] Avoid double quoting SQL
    
    $db->escape already wraps the result in 's so there is no need to do it in the
    caller.
    
    This is a little complicated in searchMusic since the %'s need to be inside the
    quoting but we do not want them to be escaped themselves. Concat them with the
    search term using a SQL CONCAT().
    ---
     modules/music/mp3act_functions.php | 16 ++++++++--------
     1 file changed, 8 insertions(+), 8 deletions(-)
    
    diff --git a/modules/music/mp3act_functions.php b/modules/music/mp3act_functions.php
    index b6fc7e0..9d2780c 100644
    a b function GarbageCollector() 
    3333    if (0 == mt_rand(0, 30))
    3434    {
    3535        $query = 'DELETE FROM music_playlists '.
    36             "WHERE playlist_name='".$db->escape('MythWeb Temporary Playlist')."'".
     36            "WHERE playlist_name=".$db->escape('MythWeb Temporary Playlist').
    3737            ' AND (NOW() - last_accessed) > ('.MYTH_PLAYLIST_SAVE_TIME.');';
    3838        $sh = $db->query($query);
    3939        $sh->finish();
    function buildBreadcrumb($page, $parent, $parentitem, $child, $childitem) 
    217217function musicLookup($type, $itemid)
    218218{
    219219  global $db;
    220   $sql_itemid = "'".$db->escape($itemid)."'";
     220  $sql_itemid = $db->escape($itemid);
    221221  switch($type)
    222222  {
    223223    case 'browse':
    function musicLookup($type, $itemid) 
    279279                   "FROM music_artists " .
    280280                   "GROUP BY artist_name_sort " .
    281281                   "HAVING artist_name_sort " .
    282                    "LIKE '" . $db->escape($itemid.'%') . "' " .
     282                   "LIKE " . $db->escape($itemid.'%') . " " .
    283283                   "ORDER BY artist_name_sort";
    284284      }
    285285      $sh = $db->query($query);
    function getRandItems($type) 
    10081008function searchMusic($terms, $option)
    10091009{
    10101010  global $db;
    1011   $sql_terms = "'%".$db->escape($terms)."%'";
     1011  $sql_terms = "CONCAT('%', ".$db->escape($terms).", '%')";
    10121012  $query = 'SELECT ms.song_id, ma.album_name, ms.track, mt.artist_name, ms.name, ms.rating, '.
    10131013    'SEC_TO_TIME(ms.length/1000) AS length, genre '.
    10141014    'FROM music_songs AS ms '.
    function internalUpdatePlaylist($songs, $count, $length) 
    11111111  $songlist = implode(',', $songs);
    11121112
    11131113  $query = 'music_playlists SET'.
    1114     " playlist_songs='".$db->escape($songlist)."'".
     1114    " playlist_songs=".$db->escape($songlist).
    11151115    ',length='.$db->escape($length).
    11161116    ',songcount='.$db->escape($count);
    11171117
    11181118  if (empty($plId))
    11191119  {
    11201120    $query = 'INSERT INTO '.$query.
    1121       ",hostname='".$db->escape('mythweb-'.$_SERVER['SERVER_NAME'])."'".
     1121      ",hostname=".$db->escape('mythweb-'.$_SERVER['SERVER_NAME']).
    11221122      ",playlist_name='".MYTH_WEB_PLAYLIST_NAME."'";
    11231123  }
    11241124  else
    function savePlaylist($pl_name, $newpl) 
    12521252  else
    12531253  {
    12541254    $query = 'UPDATE music_playlists SET'.
    1255       ' playlist_name=\''.$db->escape($pl_name).'\''.
     1255      ' playlist_name='.$db->escape($pl_name).
    12561256      ",hostname='' ".
    12571257      'WHERE playlist_id='.$db->escape($pl['playlist_id']);
    12581258
    function playlist_move($item1,$item2) 
    13601360  $songs[$idx2] = $tmp;
    13611361
    13621362  $query = 'UPDATE music_playlists SET'.
    1363     ' playlist_songs=\''.$db->escape(implode(',', $songs)).'\' '.
     1363    ' playlist_songs='.$db->escape(implode(',', $songs)).' '.
    13641364    'WHERE playlist_id='.$db->escape($pl['playlist_id']).';';
    13651365  $db->query($query);
    13661366}