[Fusionforge-commits] r8084 - in trunk/gforge: common/reporting www/frs www/frs/admin www/frs/include www/news www/news/admin www/people www/people/admin www/snippet www/trove www/trove/admin www/trove/include

Julien HEYMAN jheyman at libremir.placard.fr.eu.org
Thu Sep 3 17:15:46 CEST 2009


Author: jheyman
Date: 2009-09-03 17:15:45 +0200 (Thu, 03 Sep 2009)
New Revision: 8084

Modified:
   trunk/gforge/common/reporting/ReportSetup.class.php
   trunk/gforge/www/frs/admin/qrs.php
   trunk/gforge/www/frs/download.php
   trunk/gforge/www/frs/include/frs_utils.php
   trunk/gforge/www/frs/index.php
   trunk/gforge/www/news/admin/index.php
   trunk/gforge/www/news/news_utils.php
   trunk/gforge/www/people/admin/index.php
   trunk/gforge/www/people/editjob.php
   trunk/gforge/www/people/editprofile.php
   trunk/gforge/www/people/helpwanted-latest.php
   trunk/gforge/www/people/index.php
   trunk/gforge/www/people/people_utils.php
   trunk/gforge/www/people/skills_utils.php
   trunk/gforge/www/people/viewjob.php
   trunk/gforge/www/people/viewprofile.php
   trunk/gforge/www/snippet/add_snippet_to_package.php
   trunk/gforge/www/snippet/delete.php
   trunk/gforge/www/snippet/detail.php
   trunk/gforge/www/snippet/snippet_utils.php
   trunk/gforge/www/trove/TroveCategory.class.php
   trunk/gforge/www/trove/TroveCategoryFactory.class.php
   trunk/gforge/www/trove/TroveCategoryLabel.class.php
   trunk/gforge/www/trove/admin/trove_cat_add.php
   trunk/gforge/www/trove/include/trove.php
Log:
Ongoing migration to db_query_params()

Modified: trunk/gforge/common/reporting/ReportSetup.class.php
===================================================================
--- trunk/gforge/common/reporting/ReportSetup.class.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/common/reporting/ReportSetup.class.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -312,7 +312,7 @@
 
 	for ($i=0; $i<count($sql); $i++) {
 
-		$res=db_query($sql[$i]);
+		$res=db_query_params($sql[$i], array());
 
 	}
 

Modified: trunk/gforge/www/frs/admin/qrs.php
===================================================================
--- trunk/gforge/www/frs/admin/qrs.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/frs/admin/qrs.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -182,8 +182,7 @@
 		</td>
 		<td>
 <?php
-	$sql="SELECT * FROM frs_package WHERE group_id='$group_id' AND status_id='1'";
-	$res=db_query($sql);
+	$res=db_query_params("SELECT * FROM frs_package WHERE group_id=$1 AND status_id='1'", array($group_id));
 	$rows=db_numrows($res);
 	if (!$res || $rows < 1) {
 		echo '<h4>'._('No File Types Available').'</h4>';

Modified: trunk/gforge/www/frs/download.php
===================================================================
--- trunk/gforge/www/frs/download.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/frs/download.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -105,8 +105,8 @@
 	}
 
 	$ip=getStringFromServer('REMOTE_ADDR');
-	$res=db_query("INSERT INTO frs_dlstats_file (ip_address,file_id,month,day,user_id) 
-		VALUES ('$ip','$file_id','".date('Ym')."','".date('d')."','$us')");
+	$res=db_query_params("INSERT INTO frs_dlstats_file (ip_address,file_id,month,day,user_id) 
+		VALUES ($1, $2, $3, $4, $5)"; array($ip,$file_id,date('Ym'),date('d'),$us));
 } else {
 	Header("Status: 404");
 }
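Review bot: The new db_query_params() call is a parse error: the string argument is terminated with `;` instead of `,` before the parameter array, so the whole file fails to compile and every download stops being served. The line should read `VALUES ($1, $2, $3, $4, $5)", array($ip,$file_id,date('Ym'),date('d'),$us));`. The same `"; array(...)` slip appears in the people_utils.php hunk for people_skill_box() (`"SELECT * FROM people_skill ORDER BY name ASC"; array()`), which needs the same comma. The enclosing if/else starts before this hunk.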

Modified: trunk/gforge/www/frs/include/frs_utils.php
===================================================================
--- trunk/gforge/www/frs/include/frs_utils.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/frs/include/frs_utils.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -193,10 +193,10 @@
 			}
 			$sql .=
 				"FROM frs_release,frs_package 
-WHERE frs_package.group_id='$group_id' 
+WHERE frs_package.group_id=$1 
 AND frs_release.package_id=frs_package.package_id";
 
-			$FRS_RELEASE_RES = db_query($sql);
+			$FRS_RELEASE_RES = db_query_params($sql,array($group_id));
 			echo db_error();
 		}
 		return html_build_select_box($FRS_RELEASE_RES,$name,$checked_val,false);

Modified: trunk/gforge/www/frs/index.php
===================================================================
--- trunk/gforge/www/frs/index.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/frs/index.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -53,11 +53,11 @@
 
 $sql = "SELECT *
 	FROM frs_package 
-	WHERE group_id='$group_id' 
+	WHERE group_id=$1 
 	AND status_id='1' 
 	$pub_sql
 	ORDER BY name";
-$res_package = db_query( $sql );
+$res_package = db_query_params( $sql, array($group_id));
 $num_packages = db_numrows( $res_package );
 
 
@@ -172,7 +172,7 @@
 					
 				print $GLOBALS['HTML']->multiTableRow($bgstyle, $cell_data, FALSE);
 				// get the files in this release....
-				$sql = "SELECT frs_file.filename AS filename,
+				$res_file = db_query_params("SELECT frs_file.filename AS filename,
 				frs_file.file_size AS file_size,
 				frs_file.file_id AS file_id,
 				frs_file.release_time AS release_time,
@@ -181,11 +181,10 @@
 				frs_dlstats_filetotal_agg.downloads AS downloads 
 				FROM frs_filetype,frs_processor,
 				frs_file LEFT JOIN frs_dlstats_filetotal_agg ON frs_dlstats_filetotal_agg.file_id=frs_file.file_id 
-				WHERE release_id='". $package_release['release_id'] ."' 
+				WHERE release_id=$1
 				AND frs_filetype.type_id=frs_file.type_id 
 				AND frs_processor.processor_id=frs_file.processor_id 
-				ORDER BY filename";
-				$res_file = db_query($sql);
+				ORDER BY filename", array($package_release['release_id']));
 				$num_files = db_numrows( $res_file );
 
 				@$proj_stats['files'] += $num_files;

Modified: trunk/gforge/www/news/admin/index.php
===================================================================
--- trunk/gforge/www/news/admin/index.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/news/admin/index.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -80,9 +80,8 @@
 			
 			$sanitizer = new TextSanitizer();
 			$details = $sanitizer->SanitizeHtml($details);
-			$sql="UPDATE news_bytes SET is_approved='$status', summary='".htmlspecialchars($summary)."', 
-details='".$details."' WHERE id='$id' AND group_id='$group_id'";
-			$result=db_query($sql);
+			$result = db_query_params("UPDATE news_bytes SET is_approved=$1, summary=$2, 
+details=$3 WHERE id=$4 AND group_id=$5", array($status, htmlspecialchars($summary), $details, $id, $group_id));
 
 			if (!$result || db_affected_rows($result) < 1) {
 				$feedback .= _('Error On Update:');
@@ -104,8 +103,7 @@
 			Show the submit form
 		*/
 
-		$sql="SELECT * FROM news_bytes WHERE id='$id' AND group_id='$group_id'";
-		$result=db_query($sql);
+		$result=db_query_params("SELECT * FROM news_bytes WHERE id=$1 AND group_id=$2", array($id, $group_id));
 		if (db_numrows($result) < 1) {
 			exit_error(_('Error'), _('NewsByte not found'));
 		}
@@ -159,8 +157,7 @@
 			Show list of waiting news items
 		*/
 
-		$sql="SELECT * FROM news_bytes WHERE is_approved <> 4 AND group_id='$group_id'";
-		$result=db_query($sql);
+		$result=db_query_params("SELECT * FROM news_bytes WHERE is_approved <> 4 AND group_id=$1", array($group_id));
 		$rows=db_numrows($result);
 		$group =& group_get_object($group_id);
 		
@@ -199,9 +196,8 @@
 				*/
 				$sanitizer = new TextSanitizer();
 				$details = $sanitizer->SanitizeHtml($details);
-				$sql="UPDATE news_bytes SET is_approved='1', post_date='".time()."', 
-summary='".htmlspecialchars($summary)."', details='".$details."' WHERE id='$id'";
-				$result=db_query($sql);
+				$result=db_query_params("UPDATE news_bytes SET is_approved='1', post_date=$1, 
+summary=$2, details=$3 WHERE id=$4", array(time(), htmlspecialchars($summary), $details, $id));
 				if (!$result || db_affected_rows($result) < 1) {
 					$feedback .= _('Error On Update:');
 				} else {
@@ -211,8 +207,7 @@
 				/*
 					Move msg to deleted status
 				*/
-				$sql="UPDATE news_bytes SET is_approved='2' WHERE id='$id'";
-				$result=db_query($sql);
+				$result=db_query_params("UPDATE news_bytes SET is_approved='2' WHERE id=$1", array($id));
 				if (!$result || db_affected_rows($result) < 1) {
 					$feedback .= _('Error On Update:');
 					$feedback .= db_error();
@@ -231,10 +226,9 @@
 				Move msg to rejected status
 			*/
 			$news_id = getArrayFromRequest('news_id');
-			$sql="UPDATE news_bytes 
+			$result = db_query_params("UPDATE news_bytes 
 SET is_approved='2' 
-WHERE id IN ('".implode("','",$news_id)."')";
-			$result=db_query($sql);
+WHERE id = ANY($1)",array(db_int_array_to_any_clause($news_id)));
 			if (!$result || db_affected_rows($result) < 1) {
 				$feedback .= _('Error On Update:');
 				$feedback .= db_error();
@@ -251,10 +245,9 @@
 			Show the submit form
 		*/
 
-		$sql="SELECT groups.unix_group_name,groups.group_id,news_bytes.* 
-FROM news_bytes,groups WHERE id='$id' 
-AND news_bytes.group_id=groups.group_id ";
-		$result=db_query($sql);
+		$result=db_query_params("SELECT groups.unix_group_name,groups.group_id,news_bytes.* 
+FROM news_bytes,groups WHERE id=$1 
+AND news_bytes.group_id=groups.group_id ", array($id));
 		if (db_numrows($result) < 1) {
 			exit_error(_('Error'), _('NewsByte not found'));
 		}

Modified: trunk/gforge/www/news/news_utils.php
===================================================================
--- trunk/gforge/www/news/news_utils.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/news/news_utils.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -227,18 +227,17 @@
 		Show a the latest news for a portal
 	*/
 
-	$sql="SELECT groups.group_name,groups.unix_group_name,groups.group_id,
+	$result=db_query_params("SELECT groups.group_name,groups.unix_group_name,groups.group_id,
 		users.user_name,users.realname,news_bytes.forum_id,
 		news_bytes.summary,news_bytes.post_date,news_bytes.details 
 		FROM users,news_bytes,groups,foundry_news 
-		WHERE foundry_news.foundry_id='$group_id' 
+		WHERE foundry_news.foundry_id=$1 
 		AND users.user_id=news_bytes.submitted_by 
 		AND foundry_news.news_id=news_bytes.id 
 		AND news_bytes.group_id=groups.group_id 
 		AND foundry_news.is_approved=1 
-		ORDER BY news_bytes.post_date DESC";
+		ORDER BY news_bytes.post_date DESC", array($group_id),$limit);
 
-	$result=db_query($sql,$limit);
 	$rows=db_numrows($result);
 
 	if (!$result || $rows < 1) {
@@ -274,8 +273,7 @@
 	/*
 		Takes an ID and returns the corresponding forum name
 	*/
-	$sql="SELECT summary FROM news_bytes WHERE id='$id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT summary FROM news_bytes WHERE id=$1", array($id));
 	if (!$result || db_numrows($result) < 1) {
 		return "Not Found";
 	} else {

Modified: trunk/gforge/www/people/admin/index.php
===================================================================
--- trunk/gforge/www/people/admin/index.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/admin/index.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -46,8 +46,7 @@
 			if (!form_key_is_valid(getStringFromRequest('form_key'))) {
 				exit_form_double_submit();
 			}
-			$sql="INSERT INTO people_job_category (name) VALUES ('$cat_name')";
-			$result=db_query($sql);
+			$result=db_query_params("INSERT INTO people_job_category (name) VALUES ($1)", array($cat_name));
 			if (!$result) {
 				echo db_error();
 				form_release_key(getStringFromRequest("form_key"));
@@ -61,8 +60,7 @@
 			if (!form_key_is_valid(getStringFromRequest('form_key'))) {
 				exit_form_double_submit();
 			}
-			$sql="INSERT INTO people_skill (name) VALUES ('$skill_name')";
-			$result=db_query($sql);
+			$result=db_query_params("INSERT INTO people_skill (name) VALUES ($1)", array($skill_name));
 			if (!$result) {
 				echo db_error();
 				form_release_key(getStringFromRequest("form_key"));
@@ -114,8 +112,7 @@
 		/*
 			List of possible categories for this group
 		*/
-		$sql="select category_id,name from people_job_category";
-		$result=db_query($sql);
+		$result=db_query_params("select category_id,name from people_job_category", array());
 		echo "<p>";
 		if ($result && db_numrows($result) > 0) {
 			ShowResultSet($result,'Existing Categories','people_cat');
@@ -150,8 +147,7 @@
 		/*
 			List of possible people_groups for this group
 		*/
-		$sql="select skill_id,name from people_skill";
-		$result=db_query($sql);
+		$result=db_query_params("select skill_id,name from people_skill", array());
 		echo "<p>";
 		if ($result && db_numrows($result) > 0) {
 			ShowResultSet($result,"Existing Skills","people_skills");

Modified: trunk/gforge/www/people/editjob.php
===================================================================
--- trunk/gforge/www/people/editjob.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/editjob.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -53,9 +53,9 @@
 		if (!form_key_is_valid(getStringFromRequest('form_key'))) {
 			exit_form_double_submit();
 		}
-		$sql="INSERT INTO people_job (group_id,created_by,title,description,post_date,status_id,category_id) 
-VALUES ('$group_id','". user_getid() ."','".htmlspecialchars($title)."','".htmlspecialchars($description)."','".time()."','1','$category_id')";
-		$result=db_query($sql);
+		$result=db_query_params("INSERT INTO people_job (group_id,created_by,title,description,post_date,status_id,category_id) 
+VALUES ($1, $2, $3, $4, $5, $6, $7)", 
+array($group_id, user_getid(), htmlspecialchars($title), htmlspecialchars($description), time(), '1',$category_id));
 		if (!$result || db_affected_rows($result) < 1) {
 			$feedback .= _('JOB insert FAILED');
 			echo db_error();
@@ -74,9 +74,8 @@
 			exit_error(_('error - missing info'),_('Fill in all required fields'));
 		}
 
-		$sql="UPDATE people_job SET title='".htmlspecialchars($title)."',description='".htmlspecialchars($description)."',status_id='$status_id',category_id='$category_id' 
-WHERE job_id='$job_id' AND group_id='$group_id'";
-		$result=db_query($sql);
+		$result=db_query_params("UPDATE people_job SET title=$1,description=$2,status_id=$3,category_id=$4 WHERE job_id=$5 AND group_id=$6",
+			array(htmlspecialchars($title), htmlspecialchars($description), $status_id, $category_id, $job_id, $group_id));
 		if (!$result || db_affected_rows($result) < 1) {
 			$feedback = _('JOB update FAILED');
 			echo db_error();
@@ -110,9 +109,8 @@
 		}
 
 		if (people_verify_job_group($job_id,$group_id)) {
-			$sql="UPDATE people_job_inventory SET skill_level_id='$skill_level_id',skill_year_id='$skill_year_id' 
-WHERE job_id='$job_id' AND job_inventory_id='$job_inventory_id'";
-			$result=db_query($sql);
+			$result=db_query_params("UPDATE people_job_inventory SET skill_level_id=$1,skill_year_id=$2 WHERE job_id=$3 AND job_inventory_id=$4",
+				array($skill_level_id, $skill_year_id, $job_id, $job_inventory_id));
 			if (!$result || db_affected_rows($result) < 1) {
 				$feedback .= _('JOB skill update FAILED');
 				echo db_error();
@@ -133,8 +131,7 @@
 		}
 
 		if (people_verify_job_group($job_id,$group_id)) {
-			$sql="DELETE FROM people_job_inventory WHERE job_id='$job_id' AND job_inventory_id='$job_inventory_id'";
-			$result=db_query($sql);
+			$result = db_query_params="DELETE FROM people_job_inventory WHERE job_id=$1 AND job_inventory_id=$2", array($job_id, $job_inventory_id));
 			if (!$result || db_affected_rows($result) < 1) {
 				$feedback .= _('JOB skill delete FAILED');
 				echo db_error();
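Review bot: The new DELETE statement is a parse error: `$result = db_query_params="DELETE FROM ..."` uses `=` where the opening parenthesis of the call belongs, so editjob.php no longer compiles. It should be `$result = db_query_params("DELETE FROM people_job_inventory WHERE job_id=$1 AND job_inventory_id=$2", array($job_id, $job_inventory_id));`. The people_utils.php hunk for people_show_job_inventory() has the identical `db_query_params="SELECT ...` slip and needs the same `(` fix with its closing `)` kept. Both enclosing blocks start outside their hunks.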
@@ -153,8 +150,7 @@
 	people_header(array('title'=>_('Edit Job')));
 
 	//for security, include group_id
-	$sql="SELECT * FROM people_job WHERE job_id='$job_id' AND group_id='$group_id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM people_job WHERE job_id=$1 AND group_id=$2", array($job_id, $group_id));
 	if (!$result || db_numrows($result) < 1) {
 		echo db_error();
 		$feedback .= _('POSTING fetch FAILED');

Modified: trunk/gforge/www/people/editprofile.php
===================================================================
--- trunk/gforge/www/people/editprofile.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/editprofile.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -33,9 +33,8 @@
 			exit_form_double_submit();
 		}
 		
-		$sql="UPDATE users SET people_view_skills='$people_view_skills'
-WHERE user_id='".user_getid()."'";
-		$result=db_query($sql);
+		$result=db_query_params("UPDATE users SET people_view_skills=$1
+WHERE user_id=$2", array($people_view_skills, $user_getid()));
 		if (!$result || db_affected_rows($result) < 1) {
 			form_release_key(getStringFromRequest("form_key"));
 			$feedback .= _('User update FAILED');
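Review bot: The parameter array references `$user_getid()`, a variable-function call on an undefined `$user_getid`, whereas the removed line called the function `user_getid()`; at runtime this raises a fatal error on every profile update instead of binding the current user id. The element should be `user_getid()` — `array($people_view_skills, user_getid())`. The second hunk of this file has the same `$user_getid()` in the skills_data SELECT, while its INSERT two lines later already uses the correct `user_getid()`. The enclosing branch starts before this hunk.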
@@ -68,21 +67,20 @@
 			$title = str_replace("\n", " ", $title);
 			
 				 
-			$sql = "SELECT * from skills_data where user_id = ".user_getid().
-				   " AND type=".$type.
-				   " AND title='".$title."'".
-				   " AND start=".$start.
-				   " AND finish=".$finish.
-				   " AND keywords='".$keywords."'";
+			$result = db_query_params("SELECT * from skills_data where user_id = $1
+				   AND type=$2
+				   AND title=$3
+				   AND start=$4
+				   AND finish=$5
+				   AND keywords=$6",
+					 array($user_getid(), $type, $title, $start, $finish, $keywords));
 				   
-			$result=db_query($sql);
 			if (db_numrows($result) >= 1) {
 				$feedback .= '';	/* don't tell them anything! */
 			} else {		  
-				$sql = "INSERT into skills_data (user_id, type, title, start, finish, keywords) values
-(".user_getid().",".$type.",'".$title."',".$start.",".$finish.",'".$keywords."')";
+				$result = db_query_params("INSERT into skills_data (user_id, type, title, start, finish, keywords) values
+($1, $2, $3, $4, $5, $6)",array(user_getid(), $type, $title, $start, $finish, $keywords));
 			   
-				$result=db_query($sql);
 				if (!$result || db_affected_rows($result) < 1) {
 					form_release_key(getStringFromRequest("form_key"));
 					echo db_error();
@@ -122,11 +120,9 @@
 
 					$keywords[$i] = str_replace("\n", " ", $keywords[$i]);  /* strip out any backspace characters. */
 					$title[$i] = str_replace("\n", " ", $title[$i]);
-					$sql="UPDATE skills_data SET type='$type[$i]',title='$title[$i]',start='$startY[$i]$startM[$i]',
-finish='$endY[$i]$endM[$i]',keywords='$keywords[$i]' 
-WHERE skills_data_id='$skill_edit[$i]'";
+					$result = db_query_params("UPDATE skills_data SET type=$1 ,title=$2 ,start=$3,finish=$4, keywords=$5 WHERE skills_data_id=$6",
+																		array($type[$i], $title[$i], $startY[$i]$startM[$i], $endY[$i]$endM[$i], $keywords[$i], $skill_edit[$i]));
 
-					$result=db_query($sql);
 					if (!$result || db_affected_rows($result) < 1) {
 						echo db_error();
 						$feedback = _('Failed to update skills');
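Review bot: The parameter array is a parse error: `$startY[$i]$startM[$i]` and `$endY[$i]$endM[$i]` are two adjacent expressions with no operator, which only worked inside the removed double-quoted SQL string. Outside a string they need explicit concatenation: `array($type[$i], $title[$i], $startY[$i].$startM[$i], $endY[$i].$endM[$i], $keywords[$i], $skill_edit[$i])`. The enclosing loop starts before this hunk.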
@@ -232,9 +228,7 @@
 	html_feedback_top($feedback);
 		
 	//for security, include group_id
-	$sql="SELECT * FROM users WHERE user_id='". user_getid() ."'";
-	
-	$result=db_query($sql);
+	$result = db_query_params("SELECT * FROM users WHERE user_id=$1", array(user_getid()));
 
 	if (!$result || db_numrows($result) < 1) {
 		echo db_error();
@@ -258,8 +252,7 @@
 		//now show the list of desired skills
 		//echo '<p>'.people_edit_skill_inventory( user_getid() );
 	   
-		$sql="SELECT * FROM skills_data_types WHERE type_id > 0";
-		$skills=db_query($sql);
+		$skills = db_query_params("SELECT * FROM skills_data_types WHERE type_id > 0", array());
 		if (!$skills || db_numrows($skills) < 1) {
 			echo db_error();
 			$feedback .= _('No skill types in database (skills_data_types table)');

Modified: trunk/gforge/www/people/helpwanted-latest.php
===================================================================
--- trunk/gforge/www/people/helpwanted-latest.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/helpwanted-latest.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -39,13 +39,13 @@
 {
         echo '<p>';
 
-	$sql="SELECT people_job.group_id,people_job.job_id,groups.group_name,groups.unix_group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
+	$result=db_query_params("SELECT people_job.group_id,people_job.job_id,groups.group_name,groups.unix_group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
 FROM people_job,people_job_category,groups 
 WHERE people_job.group_id=groups.group_id 
 AND people_job.category_id=people_job_category.category_id 
 AND people_job.status_id=1 
-ORDER BY post_date DESC";
-	$result=db_query($sql,30);
+ORDER BY post_date DESC",
+array(),30);
         echo people_show_job_list($result) . '</p>';
 
 }

Modified: trunk/gforge/www/people/index.php
===================================================================
--- trunk/gforge/www/people/index.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/index.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -64,13 +64,12 @@
 
         echo '<h4>'._('Last posts').'</h4>';
 
-	$sql="SELECT people_job.group_id,people_job.job_id,groups.group_name,groups.unix_group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
+	$result=db_query_params("SELECT people_job.group_id,people_job.job_id,groups.group_name,groups.unix_group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
 FROM people_job,people_job_category,groups 
 WHERE people_job.group_id=groups.group_id 
 AND people_job.category_id=people_job_category.category_id 
 AND people_job.status_id=1 
-ORDER BY post_date DESC";
-	$result=db_query($sql,5);
+ORDER BY post_date DESC", array(), 5);
         echo people_show_job_list($result);
         echo '<p><a href="helpwanted-latest.php">['._('more latest posts').']</a></p>';
 

Modified: trunk/gforge/www/people/people_utils.php
===================================================================
--- trunk/gforge/www/people/people_utils.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/people_utils.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -49,8 +49,7 @@
 	global $PEOPLE_SKILL;
 	if (!$PEOPLE_SKILL) {
 		//will be used many times potentially on a single page
-		$sql="SELECT * FROM people_skill ORDER BY name ASC";
-		$PEOPLE_SKILL=db_query($sql);
+		$PEOPLE_SKILL=db_query_params("SELECT * FROM people_skill ORDER BY name ASC"; array());
 	}
 	return html_build_select_box($PEOPLE_SKILL,$name,$checked);
 }
@@ -59,8 +58,7 @@
 	global $PEOPLE_SKILL_LEVEL;
 	if (!$PEOPLE_SKILL_LEVEL) {
 		//will be used many times potentially on a single page
-		$sql="SELECT * FROM people_skill_level";
-		$PEOPLE_SKILL_LEVEL=db_query($sql);
+		$PEOPLE_SKILL_LEVEL=db_query_params("SELECT * FROM people_skill_level", array());
 	}
 	return html_build_select_box ($PEOPLE_SKILL_LEVEL,$name,$checked);
 }
@@ -69,21 +67,18 @@
 	global $PEOPLE_SKILL_YEAR;
 	if (!$PEOPLE_SKILL_YEAR) {
 		//will be used many times potentially on a single page
-		$sql="SELECT * FROM people_skill_year";
-		$PEOPLE_SKILL_YEAR=db_query($sql);
+		$PEOPLE_SKILL_YEAR=db_query_params("SELECT * FROM people_skill_year", array());
 	}
 	return html_build_select_box ($PEOPLE_SKILL_YEAR,$name,$checked);
 }
 
 function people_job_status_box($name='status_id',$checked='xyxy') {
-	$sql="SELECT * FROM people_job_status";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM people_job_status", array());
 	return html_build_select_box ($result,$name,$checked);
 }
 
 function people_job_category_box($name='category_id',$checked='xyxy') {
-	$sql="SELECT category_id,name FROM people_job_category WHERE private_flag=0";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT category_id,name FROM people_job_category WHERE private_flag=0", array());
 	return html_build_select_box ($result,$name,$checked);
 }
 
@@ -95,13 +90,11 @@
 			$feedback .= _('Must select a skill ID');
 		} else {
 		//check if they've already added this skill
-		$sql="SELECT * FROM people_skill_inventory WHERE user_id='". user_getid() ."' AND skill_id='$skill_id'";
-		$result=db_query($sql);
+		$result=db_query_prams("SELECT * FROM people_skill_inventory WHERE user_id=$1 AND skill_id=$2", array(user_getid(), $skill_id));
 		if (!$result || db_numrows($result) < 1) {
 			//skill not already in inventory
-			$sql="INSERT INTO people_skill_inventory (user_id,skill_id,skill_level_id,skill_year_id) 
-VALUES ('". user_getid() ."','$skill_id','$skill_level_id','$skill_year_id')";
-			$result=db_query($sql);
+			$result = db_query_params("INSERT INTO people_skill_inventory (user_id,skill_id,skill_level_id,skill_year_id) 
+VALUES ($1, $2, $3, $4)", array(user_getid() ,$skill_id, $skill_level_id, $skill_year_id));
 			if (!$result || db_affected_rows($result) < 1) {
 				$feedback .= _('ERROR inserting into skill inventory');
 				echo db_error();
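Review bot: The duplicate-skill check calls `db_query_prams(...)`, a misspelling of db_query_params(), so adding a skill aborts with an undefined-function fatal error before the INSERT below is ever reached. The line should read `$result=db_query_params("SELECT * FROM people_skill_inventory WHERE user_id=$1 AND skill_id=$2", array(user_getid(), $skill_id));`. The enclosing function starts before this hunk.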
@@ -118,13 +111,12 @@
 }
 
 function people_show_skill_inventory($user_id) {
-	$sql="SELECT people_skill.name AS skill_name, people_skill_level.name AS level_name, people_skill_year.name AS year_name 
+	$result = db_query_params("SELECT people_skill.name AS skill_name, people_skill_level.name AS level_name, people_skill_year.name AS year_name 
 FROM people_skill_year,people_skill_level,people_skill,people_skill_inventory 
 WHERE people_skill_year.skill_year_id=people_skill_inventory.skill_year_id 
 AND people_skill_level.skill_level_id=people_skill_inventory.skill_level_id 
 AND people_skill.skill_id=people_skill_inventory.skill_id 
-AND people_skill_inventory.user_id='$user_id'";
-	$result=db_query($sql);
+AND people_skill_inventory.user_id=$1", array($user_id));
 
 	$title_arr=array();
 	$title_arr[]=_('Skill');
@@ -154,8 +146,7 @@
 }
 
 function people_edit_skill_inventory($user_id) {
-	$sql="SELECT * FROM people_skill_inventory WHERE user_id='$user_id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM people_skill_inventory WHERE user_id=$1", array($user_id));
 
 	$title_arr=array();
 	$title_arr[]=_('Skill');
@@ -207,13 +198,11 @@
 	global $feedback;
 	if (session_loggedin()) {
 		//check if they've already added this skill
-		$sql="SELECT * FROM people_job_inventory WHERE job_id='$job_id' AND skill_id='$skill_id'";
-		$result=db_query($sql);
+		$result=db_query_params("SELECT * FROM people_job_inventory WHERE job_id=$1 AND skill_id=$2", array($job_id, $skill_id));
 		if (!$result || db_numrows($result) < 1) {
 			//skill isn't already in this inventory
-			$sql="INSERT INTO people_job_inventory (job_id,skill_id,skill_level_id,skill_year_id) 
-VALUES ('$job_id','$skill_id','$skill_level_id','$skill_year_id')";
-			$result=db_query($sql);
+			$result=db_query_params("INSERT INTO people_job_inventory (job_id,skill_id,skill_level_id,skill_year_id) 
+VALUES ($1, $2, $3, $4)", array($job_id, $skill_id, $skill_level_id, $skill_year_id));
 			if (!$result || db_affected_rows($result) < 1) {
 				$feedback .= _('ERROR inserting into skill inventory');
 				echo db_error();
@@ -230,13 +219,12 @@
 }
 
 function people_show_job_inventory($job_id) {
-	$sql="SELECT people_skill.name AS skill_name, people_skill_level.name AS level_name, people_skill_year.name AS year_name 
+	$result=db_query_params="SELECT people_skill.name AS skill_name, people_skill_level.name AS level_name, people_skill_year.name AS year_name 
 FROM people_skill_year,people_skill_level,people_skill,people_job_inventory 
 WHERE people_skill_year.skill_year_id=people_job_inventory.skill_year_id 
 AND people_skill_level.skill_level_id=people_job_inventory.skill_level_id 
 AND people_skill.skill_id=people_job_inventory.skill_id 
-AND people_job_inventory.job_id='$job_id'";
-	$result=db_query($sql);
+AND people_job_inventory.job_id=$1", array($job_id));
 
 	$title_arr=array();
 	$title_arr=array();
@@ -267,8 +255,7 @@
 }
 
 function people_verify_job_group($job_id,$group_id) {
-	$sql="SELECT * FROM people_job WHERE job_id='$job_id' AND group_id='$group_id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM people_job WHERE job_id=$1 AND group_id=$2", array($job_id, $group_id));
 	if (!$result || db_numrows($result) < 1) {
 		return false;
 	} else {
@@ -277,8 +264,7 @@
 }
 
 function people_get_skill_name($skill_id) {
-	$sql="SELECT name FROM people_skill WHERE skill_id='$skill_id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT name FROM people_skill WHERE skill_id=$1", array($skill_id));
 	if (!$result || db_numrows($result) < 1) {
 		return _('Invalid ID');
 	} else {
@@ -287,8 +273,7 @@
 }
 
 function people_get_category_name($category_id) {
-	$sql="SELECT name FROM people_job_category WHERE category_id='$category_id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT name FROM people_job_category WHERE category_id=$1", array($category_id));
 	if (!$result || db_numrows($result) < 1) {
 		return 'Invalid ID';
 	} else {
@@ -302,8 +287,7 @@
 // table looking like poo.
 function people_edit_job_inventory($job_id,$group_id) {
 	global $HTML;
-	$sql="SELECT * FROM people_job_inventory WHERE job_id='$job_id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM people_job_inventory WHERE job_id=$1", array($job_id));
 
 	$title_arr=array();
 	$title_arr[]=_('Skill').utils_requiredField();
@@ -369,14 +353,13 @@
 AND pj.status_id=1 
 GROUP BY pjc.category_id, pjc.name";
 */
-	$sql="SELECT pjc.category_id, pjc.name, COUNT(pj.category_id) AS total 
+	$result= db_query_params("SELECT pjc.category_id, pjc.name, COUNT(pj.category_id) AS total 
 FROM people_job_category pjc LEFT JOIN people_job pj 
 ON pjc.category_id=pj.category_id 
 WHERE pjc.private_flag=0 
 AND (pj.status_id=1 OR pj.status_id IS NULL) 
-GROUP BY pjc.category_id, pjc.name";
+GROUP BY pjc.category_id, pjc.name", array());
 
-	$result=db_query($sql);
 	$rows=db_numrows($result);
 	if (!$result || $rows < 1) {
 		$return .= '<tr><td><h2>'._('No Categories Found').'</h2></td></tr>';
@@ -393,26 +376,24 @@
 
 function people_show_project_jobs($group_id) {
 	//show open jobs for this project
-	$sql="SELECT people_job.group_id,people_job.job_id,groups.group_name,groups.unix_group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
+	$result = db_query_params("SELECT people_job.group_id,people_job.job_id,groups.group_name,groups.unix_group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
 FROM people_job,people_job_category,groups 
-WHERE people_job.group_id='$group_id' 
+WHERE people_job.group_id=$1
 AND people_job.group_id=groups.group_id 
 AND people_job.category_id=people_job_category.category_id 
-AND people_job.status_id=1 ORDER BY post_date DESC";
-	$result=db_query($sql);
+AND people_job.status_id=1 ORDER BY post_date DESC", array($group_id));
 
 	return people_show_job_list($result);
 }
 
 function people_show_category_jobs($category_id) {
 	//show open jobs for this category
-	$sql="SELECT people_job.group_id,people_job.job_id,groups.unix_group_name,groups.group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
+	$result=db_query_params("SELECT people_job.group_id,people_job.job_id,groups.unix_group_name,groups.group_name,people_job.title,people_job.post_date,people_job_category.name AS category_name 
 FROM people_job,people_job_category,groups 
-WHERE people_job.category_id='$category_id' 
+WHERE people_job.category_id=$1
 AND people_job.group_id=groups.group_id 
 AND people_job.category_id=people_job_category.category_id 
-AND people_job.status_id=1 ORDER BY post_date DESC";
-	$result=db_query($sql);
+AND people_job.status_id=1 ORDER BY post_date DESC", array($category_id));
 
 	return people_show_job_list($result);
 }

Modified: trunk/gforge/www/people/skills_utils.php
===================================================================
--- trunk/gforge/www/people/skills_utils.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/skills_utils.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -9,8 +9,7 @@
 
 function displayUserSkills($user_id, $allowEdit) {
 	global $HTML;
-	$sql = "SELECT * FROM skills_data_types ORDER BY type_id ASC";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM skills_data_types ORDER BY type_id ASC", array());
 	$rows = db_numrows($result);
 	if ($rows >= 1) {
 		/* obtain the types keywords... */
@@ -19,8 +18,7 @@
 		}
 	}
 	
-	$sql="SELECT * FROM skills_data WHERE user_id='$user_id' ORDER BY finish DESC, start ASC, skills_data_id DESC";
-	$result=db_query($sql);
+	$result= db_query_params("SELECT * FROM skills_data WHERE user_id=$1 ORDER BY finish DESC, start ASC, skills_data_id DESC",array($user_id));
 	$rows = db_numrows($result);
 	if (!$result || $rows < 1) {
 		echo db_error();
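Review bot: The new call on the `$result= db_query_params(` line is formatted unlike the other conversions in this file (space after `=`, no space before `array(...)`); for consistency with the first hunk write it as `$result=db_query_params("SELECT * FROM skills_data WHERE user_id=$1 ORDER BY finish DESC, start ASC, skills_data_id DESC", array($user_id));`. The enclosing function displayUserSkills begins in the previous hunk and continues past this one.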
@@ -110,8 +108,7 @@
 	if (!$result || $rows < 1) {
 		echo db_error();
 	} else {
-		$sql="SELECT * FROM skills_data_types WHERE type_id > 0";
-		$skills=db_query($sql);
+		$skills=db_query_params("SELECT * FROM skills_data_types WHERE type_id > 0", array());
 		if (!$skills || db_numrows($skills) < 1) {
 			echo db_error();
 			$feedback .= _('User fetch FAILED');

Modified: trunk/gforge/www/people/viewjob.php
===================================================================
--- trunk/gforge/www/people/viewjob.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/viewjob.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -41,7 +41,7 @@
 	*/
 
 	//for security, include group_id
-	$sql="SELECT groups.group_name,people_job_category.name AS category_name,
+	$result=db_query_params("SELECT groups.group_name,people_job_category.name AS category_name,
 people_job_status.name AS status_name,people_job.title,
 people_job.description,people_job.post_date,users.user_name,users.user_id 
 FROM people_job,groups,people_job_status,people_job_category,users 
@@ -49,8 +49,8 @@
 AND people_job_status.status_id=people_job.status_id 
 AND users.user_id=people_job.created_by 
 AND groups.group_id=people_job.group_id 
-AND people_job.job_id='$job_id' AND people_job.group_id='$group_id'";
-	$result=db_query($sql);
+AND people_job.job_id=$1 AND people_job.group_id=$2",
+array($job_id, $group_id));
 	if (!$result || db_numrows($result) < 1) {
 		people_header(array('title'=>_('View a Job')));
 		echo db_error();

Modified: trunk/gforge/www/people/viewprofile.php
===================================================================
--- trunk/gforge/www/people/viewprofile.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/people/viewprofile.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -29,8 +29,7 @@
 	people_header(array('title'=>_('View a User Profile')));
 
 	//for security, include group_id
-	$sql="SELECT * FROM users WHERE user_id='$user_id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM users WHERE user_id=$1", array($user_id));
 	if (!$result || db_numrows($result) < 1) {
 		echo db_error();
 		$feedback .= _('User fetch FAILED');

Modified: trunk/gforge/www/snippet/add_snippet_to_package.php
===================================================================
--- trunk/gforge/www/snippet/add_snippet_to_package.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/snippet/add_snippet_to_package.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -53,9 +53,9 @@
 			/*
 				check to see if they are the creator of this version
 			*/
-			$result=db_query("SELECT * FROM snippet_package_version ".
-				"WHERE submitted_by='".user_getid()."' AND ".
-				"snippet_package_version_id='$snippet_package_version_id'");
+			$result=db_query_params("SELECT * FROM snippet_package_version ".
+				"WHERE submitted_by=$1 AND ".
+				"snippet_package_version_id=$2", array(user_getid(), $snippet_package_version_id));
 			if (!$result || db_numrows($result) < 1) {
 				echo '<h1>' ._('Error - Only the creator of a package version can add snippets to it.').'</h1>';
 				handle_add_exit();
@@ -89,9 +89,8 @@
 			/*
 				create the snippet version
 			*/
-			$sql="INSERT INTO snippet_package_item (snippet_package_version_id,snippet_version_id) 
-VALUES ('$snippet_package_version_id','$snippet_version_id')";
-			$result=db_query($sql);
+			$result=db_query_params("INSERT INTO snippet_package_item (snippet_package_version_id,snippet_version_id) 
+VALUES ($1, $2)", array($snippet_package_version_id, $snippet_version_id));
 
 			if (!$result) {
 				$feedback .= _('ERROR DOING SNIPPET VERSION INSERT!');

Modified: trunk/gforge/www/snippet/delete.php
===================================================================
--- trunk/gforge/www/snippet/delete.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/snippet/delete.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -31,9 +31,9 @@
 		*/
 
 		//Check to see if they are the creator of this package_version
-		$result=db_query("SELECT * FROM snippet_package_version ".
-			"WHERE submitted_by='".user_getid()."' AND ".
-			"snippet_package_version_id='$snippet_package_version_id'");
+		$result=db_query_params("SELECT * FROM snippet_package_version ".
+			"WHERE submitted_by=$1 AND ".
+			"snippet_package_version_id=$2", array(user_getid(), $snippet_package_version_id));
 		if (!$result || db_numrows($result) < 1) {
 			echo '<h1>Error - Only the creator of a package version can delete snippets from it.</h1>';
 			snippet_footer(array());
@@ -63,8 +63,8 @@
 		*/
 
 		//find this snippet id and make sure the current user created it
-		$result=db_query("SELECT * FROM snippet_version ".
-			"WHERE snippet_version_id='$snippet_version_id' AND submitted_by='".user_getid()."'");
+		$result=db_query_params("SELECT * FROM snippet_version ".
+			"WHERE snippet_version_id=$1 AND submitted_by=$2", array($snippet_version_id, user_getid()));
 		if (!$result || db_numrows($result) < 1) {
 			echo '<h1>Error - That snippet doesn\'t exist.</h1>';
 			snippet_footer(array());
@@ -73,15 +73,15 @@
 			$snippet_id=db_result($result,0,'snippet_id');
 
 			//do the delete
-			$result=db_query("DELETE FROM snippet_version ".
-				"WHERE snippet_version_id='$snippet_version_id' AND submitted_by='".user_getid()."'");
+			$result=db_query_params("DELETE FROM snippet_version ".
+				"WHERE snippet_version_id=$1 AND submitted_by=$2", array($snippet_version_id, user_getid()));
 
 			//see if any versions of this snippet are left
-			$result=db_query("SELECT * FROM snippet_version WHERE snippet_id='$snippet_id'");
+			$result=db_query_params("SELECT * FROM snippet_version WHERE snippet_id=$1", array($snippet_id));
 			if (!$result || db_numrows($result) < 1) {
 				//since no version of this snippet exist, delete the main snippet entry,
 				//even if this person is not the creator of the original snippet
-				$result=db_query("DELETE FROM snippet WHERE snippet_id='$snippet_id'");
+				$result=db_query_params("DELETE FROM snippet WHERE snippet_id=$1",array($snippet_id));
 			}
 
 			echo '<h1>Snippet Removed</h1>';
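Review bot: The `$result` of the new `DELETE FROM snippet_version` call is never inspected before it is overwritten by the following SELECT, so a failed delete still prints "Snippet Removed" and, if no versions are found for another reason, the main snippet row is deleted anyway; this predates the commit but the conversion is a good moment to add `if (!$result) { echo db_error(); snippet_footer(array()); }` (or the file's equivalent exit path) after the DELETE. The same unchecked-DELETE pattern appears in the package branch of the later hunk starting at `@@ -108,21 +108,21 @@`, for the `DELETE FROM snippet_package_version` and `DELETE FROM snippet_package_item` statements. The enclosing branch starts in the previous hunk.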
@@ -96,9 +96,9 @@
 		*/
 
 		//make sure they own this version of the package
-		$result=db_query("SELECT * FROM snippet_package_version ".
-			"WHERE submitted_by='".user_getid()."' AND ".
-			"snippet_package_version_id='$snippet_package_version_id'");
+		$result=db_query_params("SELECT * FROM snippet_package_version ".
+			"WHERE submitted_by=$1 AND ".
+			"snippet_package_version_id=$2", array(user_getid(), $snippet_package_version_id));
 		if (!$result || db_numrows($result) < 1) {
 			//they don't own it or it's not found
 			echo '<h1>Error - Only the creator of a package version can delete it.</h1>';
@@ -108,21 +108,21 @@
 			$snippet_package_id=db_result($result,0,'snippet_package_id');
 
 			//do the version delete
-			$result=db_query("DELETE FROM snippet_package_version ".
-		       		"WHERE submitted_by='".user_getid()."' AND ".
-				"snippet_package_version_id='$snippet_package_version_id'");
+			$result=db_query_params("DELETE FROM snippet_package_version ".
+		       		"WHERE submitted_by=$1 AND ".
+				"snippet_package_version_id=$2", array(user_getid(), $snippet_package_version_id));
 
 			//delete snippet_package_items
-			$result=db_query("DELETE FROM snippet_package_item ".
-				"WHERE snippet_package_version_id='$snippet_package_version_id'");
+			$result=db_query_params("DELETE FROM snippet_package_item ".
+				"WHERE snippet_package_version_id=$1", array($snippet_package_version_id));
 
 			//see if any versions of this package remain
-			$result=db_query("SELECT * FROM snippet_package_version ".
-				"WHERE snippet_package_id='$snippet_package_id'");
+			$result=db_query_params("SELECT * FROM snippet_package_version ".
+				"WHERE snippet_package_id=$1", array($snippet_package_id));
 			if (!$result || db_numrows($result) < 1) {
 				//since no versions of this package remain,
 				//delete the main package even if the user didn't create it
-				$result=db_query("DELETE FROM snippet_package WHERE snippet_package_id='$snippet_package_id'");
+				$result=db_query_params("DELETE FROM snippet_package WHERE snippet_package_id=$1", array($snippet_package_id));
 			}
 			echo '<h1>Package Removed</h1>';
 			snippet_footer(array());

Modified: trunk/gforge/www/snippet/detail.php
===================================================================
--- trunk/gforge/www/snippet/detail.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/snippet/detail.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -35,12 +35,11 @@
 	/*
 		Get all the versions of this snippet
 	*/
-	$sql="SELECT users.realname,users.user_name,users.user_id,snippet_version.snippet_version_id,snippet_version.version,snippet_version.post_date,snippet_version.changes 
+	$result=db_query_params("SELECT users.realname,users.user_name,users.user_id,snippet_version.snippet_version_id,snippet_version.version,snippet_version.post_date,snippet_version.changes 
 FROM snippet_version,users 
-WHERE users.user_id=snippet_version.submitted_by AND snippet_id='$id' 
-ORDER BY snippet_version.snippet_version_id DESC";
+WHERE users.user_id=snippet_version.submitted_by AND snippet_id=$1 
+ORDER BY snippet_version.snippet_version_id DESC", array($id));
 
-	$result=db_query($sql);
 	$rows=db_numrows($result);
 	if (!$result || $rows < 1) {
 		echo '<h3>' ._('Error - no versions found').'</h3>';
@@ -124,11 +123,11 @@
 	/*
 		Get all the versions of this package
 	*/
-	$sql="SELECT users.realname,users.user_name,users.user_id,snippet_package_version.snippet_package_version_id,
+	$result=db_query_params("SELECT users.realname,users.user_name,users.user_id,snippet_package_version.snippet_package_version_id,
 snippet_package_version.version,snippet_package_version.post_date 
 FROM snippet_package_version,users 
-WHERE users.user_id=snippet_package_version.submitted_by AND snippet_package_id='$id' 
-ORDER BY snippet_package_version.snippet_package_version_id DESC";
+WHERE users.user_id=snippet_package_version.submitted_by AND snippet_package_id=$1 
+ORDER BY snippet_package_version.snippet_package_version_id DESC", array($id));
 
 	$result=db_query($sql);
 	$rows=db_numrows($result);
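Review bot: The context line `$result=db_query($sql);` that follows the new query was not removed, unlike the matching line in the first hunk of this file; `$sql` is no longer assigned, so this call overwrites the package-version result set produced by the new `db_query_params(...)` with the result of querying an undefined variable, and the "versions of this package" list will be empty or error out. Delete the `$result=db_query($sql);` line so that `$rows=db_numrows($result);` operates on the parameterised query's result.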

Modified: trunk/gforge/www/snippet/snippet_utils.php
===================================================================
--- trunk/gforge/www/snippet/snippet_utils.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/snippet/snippet_utils.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -121,14 +121,13 @@
 
 function snippet_show_package_snippets($version) {
 	//show the latest version
-	$sql="SELECT snippet_package_item.snippet_version_id, snippet_version.version,snippet.name,users.user_name 
+	$result=db_query_params("SELECT snippet_package_item.snippet_version_id, snippet_version.version,snippet.name,users.user_name 
 FROM snippet,snippet_version,snippet_package_item,users 
 WHERE snippet.snippet_id=snippet_version.snippet_id 
 AND users.user_id=snippet_version.submitted_by 
 AND snippet_version.snippet_version_id=snippet_package_item.snippet_version_id 
-AND snippet_package_item.snippet_package_version_id='$version'";
+AND snippet_package_item.snippet_package_version_id=$1", array($version));
 
-	$result=db_query($sql);
 	$rows=db_numrows($result);
 	echo '
 	<p>&nbsp;</p>
@@ -170,8 +169,7 @@
 function snippet_show_package_details($id) {
 	global $SCRIPT_CATEGORY,$SCRIPT_LANGUAGE;
 
-	$sql="SELECT * FROM snippet_package WHERE snippet_package_id='$id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM snippet_package WHERE snippet_package_id=$1", array($id));
 
 	echo '
 	<p>
@@ -202,8 +200,7 @@
 function snippet_show_snippet_details($id) {
 	global $SCRIPT_TYPE,$SCRIPT_CATEGORY,$SCRIPT_LICENSE,$SCRIPT_LANGUAGE;
 
-	$sql="SELECT * FROM snippet WHERE snippet_id='$id'";
-	$result=db_query($sql);
+	$result=db_query_params("SELECT * FROM snippet WHERE snippet_id=$1", array($id));
 
 	echo '
 	<p>

Modified: trunk/gforge/www/trove/TroveCategory.class.php
===================================================================
--- trunk/gforge/www/trove/TroveCategory.class.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/trove/TroveCategory.class.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -83,9 +83,9 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($categoryId) {
-		$res=db_query("SELECT *
+		$res=db_query_params("SELECT *
 			FROM trove_cat
-			WHERE trove_cat_id='".$categoryId."'", -1, 0, SYS_DB_TROVE);
+			WHERE trove_cat_id=$1",array($categoryId) -1, 0, SYS_DB_TROVE);
 		if (!$res || db_numrows($res) < 1) {
 			return false;
 		}
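Review bot: The new argument list in fetchData is missing a comma between the parameter array and the limit: `array($categoryId) -1, 0, SYS_DB_TROVE)` is parsed as the arithmetic expression `array($categoryId) - 1`, which is a fatal "unsupported operand types" error at runtime, and it also shifts the remaining arguments so the `SYS_DB_TROVE` database selector lands in the wrong position. The line should read `WHERE trove_cat_id=$1", array($categoryId), -1, 0, SYS_DB_TROVE);`. fetchData's body continues past this hunk.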
@@ -103,12 +103,13 @@
 			return false;
 		} else {
 			db_begin();
-			$result = db_query("UPDATE trove_cat
-				SET	shortname='".htmlspecialchars($shortName)."',
-					fullname='".htmlspecialchars($fullName)."',
-					description='".htmlspecialchars($description)."',
-					version='".date('Ymd',time())."01'
-				WHERE trove_cat_id='".$this->categoryId."'"
+			$result = db_query_params("UPDATE trove_cat
+				SET	shortname=$1,
+					fullname=$2,
+					description=$3,
+					version=$4
+				WHERE trove_cat_id=$5", 
+				array(htmlspecialchars($shortName), htmlspecialchars($fullName), htmlspecialchars($description), date('Ymd',time())."01", $this->categoryId));
 			);
 			if(!$result || db_affected_rows($result) != 1) {
 				$this->setError(_('ERROR'), _('Cannot update'));
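Review bot: The new UPDATE call is closed twice: the added line ending in `$this->categoryId));` already terminates the `db_query_params(` call, and the unchanged `);` context line immediately after it is left over from the old call, which makes the file a parse error. Either drop that stray `);` line or end the new array line with `$this->categoryId)` and let the existing `);` close the statement. The enclosing method starts outside this hunk.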
@@ -155,8 +156,9 @@
 	function & getLabels() {
 		if(!isset($this->labels)) {
 			$this->labels = array();
-			$sql = 'SELECT  trove_category_labels.*, supported_languages.name AS language_name FROM trove_category_labels, supported_languages  WHERE category_id='.$this->categoryId.' AND supported_languages.language_id=trove_category_labels.language_id';
-			$res = db_query($sql);
+			$res = db_query_params("SELECT  trove_category_labels.*, supported_languages.name AS language_name FROM trove_category_labels, supported_languages  
+																WHERE category_id=$1 AND supported_languages.language_id=trove_category_labels.language_id", 
+																array($this->cathergoryId));
 			
 			if (!$res) {
 				return $this->labels;
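Review bot: The parameter array in getLabels references `$this->cathergoryId`, a misspelling of the `categoryId` property used everywhere else in this class, so the bound value is an undefined property (null), the query matches no rows and every category appears to have no labels. The line should be `array($this->categoryId));`. The continuation lines are also indented far past the surrounding code with a long run of tabs; aligning them with the opening `$res = db_query_params(` line would match the rest of the file. getLabels continues past this hunk.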
@@ -177,7 +179,7 @@
 		if(!isset($this->children)) {
 			$this->children = array();
 			
-			$result = db_query("
+			$result = db_query_params("
 				SELECT trove_cat.*,
 				trove_treesums.subprojects AS subprojects
 				FROM trove_cat LEFT JOIN trove_treesums USING (trove_cat_id) 
@@ -185,9 +187,9 @@
 					trove_treesums.limit_1=0 
 					OR trove_treesums.limit_1 IS NULL
 				)
-				AND trove_cat.parent='".$this->categoryId."'
-				ORDER BY fullname
-			", -1, 0, SYS_DB_TROVE);
+				AND trove_cat.parent=$1
+				ORDER BY fullname",
+				array($this->categoryId), -1, 0, SYS_DB_TROVE);
 			
 			if(!$result) {
 				$this->setError();

Modified: trunk/gforge/www/trove/TroveCategoryFactory.class.php
===================================================================
--- trunk/gforge/www/trove/TroveCategoryFactory.class.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/trove/TroveCategoryFactory.class.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -33,13 +33,13 @@
 	 * @return	array	The array of TroveCategory objects.
 	 */
 	function & getRootCategories() {
-		$result = db_query('
+		$result = db_query_params("
 			SELECT *
 			FROM trove_cat
 			WHERE parent = 0
 			AND trove_cat_id != 0
 			ORDER BY fullname
-		');
+		", array());
 		
 		if(!$result) {
 			$this->setError();
@@ -54,12 +54,12 @@
 	}
 	
 	function & getCategories($ids) {
-		$result = db_query('
+		$result = db_query_params("
 			SELECT *
 			FROM trove_cat
-			WHERE trove_cat_id IN('.implode(',', $ids).')
+			WHERE trove_cat_id = ANY ($1)
 			ORDER BY fullname
-		');
+		", array(db_int_array_to_any_clause($ids)));
 		if(!$result) {
 			$this->setError();
 			return false;

Modified: trunk/gforge/www/trove/TroveCategoryLabel.class.php
===================================================================
--- trunk/gforge/www/trove/TroveCategoryLabel.class.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/trove/TroveCategoryLabel.class.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -74,14 +74,10 @@
 			return false;
 		}
 		
-		$sql = 'INSERT INTO trove_category_labels '
-			. '(category_id, label, language_id) VALUES ('
-			. $this->category->getId(). ', '
-			. "'".$label."',"
-			. "'".$languageId."')";
-		
 		db_begin();
-		$result = db_query($sql);
+		$result = db_query_params("INSERT INTO trove_category_labels
+			(category_id, label, language_id) VALUES ($1, $2, $3)",
+			array($this->category->getId(), $label, $languageId));
 		echo db_error();
 		if (!$result) {
 			db_rollback();
@@ -96,11 +92,11 @@
 	}
 	
 	function fetchData($labelId) {
-		$res=db_query("SELECT trove_category_labels.*, supported_languages.name AS language_name FROM trove_category_labels, supported_languages "
-			. "WHERE trove_category_labels.label_id='".$labelId."' "
-			. "AND trove_category_labels.category_id='". $this->category->getId() ."' "
-			. "AND supported_languages.language_id=trove_category_labels.language_id"
-			);
+		$res=db_query_params("SELECT trove_category_labels.*, supported_languages.name AS language_name FROM trove_category_labels, supported_languages "
+			. "WHERE trove_category_labels.label_id=$1 "
+			. "AND trove_category_labels.category_id=$2 "
+			. "AND supported_languages.language_id=trove_category_labels.language_id",
+			array($labelId, $this->category->getId()));
 
 		if (!$res || db_numrows($res) < 1) {
 			return false;
@@ -112,7 +108,7 @@
 
 	function remove() {
 		db_begin();
-		$res = db_query('DELETE FROM trove_category_labels WHERE label_id='.$this->labelId);
+		$res = db_query_params("DELETE FROM trove_category_labels WHERE label_id=$1", array($this->labelId));
 		if(!res || db_affected_rows($res) != 1) {
 			// $this->setError();
 			db_rollback();
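Review bot: The result of the new `DELETE FROM trove_category_labels` call is not actually checked, because the unchanged condition on the next line tests `!res` (a bare identifier, which PHP treats as the string `'res'` and in PHP 8 as an undefined-constant error) rather than `!$res`; a failed delete therefore never reaches the rollback branch unless `db_affected_rows` catches it. This is pre-existing, but since the commit rewrites the query it should also correct the guard to `if(!$res || db_affected_rows($res) != 1) {`. remove's body continues past this hunk.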
@@ -141,4 +137,4 @@
 
 }
 
-?>
\ No newline at end of file
+?>

Modified: trunk/gforge/www/trove/admin/trove_cat_add.php
===================================================================
--- trunk/gforge/www/trove/admin/trove_cat_add.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/trove/admin/trove_cat_add.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -21,18 +21,17 @@
 	$newroot = trove_getrootcat($GLOBALS['form_parent']);
 
 	if ($GLOBALS[form_shortname]) {
-		$res = db_query("
+		$res = db_query_params("
 			INSERT INTO trove_cat 
 				(shortname,fullname,description,parent,version,root_parent)
-			VALUES (
-				'".htmlspecialchars($form_shortname)."',
-				'".htmlspecialchars($form_fullname)."',
-				'".htmlspecialchars($form_description)."',
-				'$form_parent',
-				'".date("Ymd",time())."01',
-				'$newroot'
-			)
-		");
+			VALUES ($1, $2, $3, $4, $5, $6)", 
+			array(htmlspecialchars($form_shortname),
+				htmlspecialchars($form_fullname),
+				htmlspecialchars($form_description),
+				$form_parent,
+				date("Ymd",time())."01",
+				$newroot)
+			);
 
 		if (!$res || db_affected_rows($res)<1) {
 			exit_error(
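Review bot: The values bound in the new parameter array (`$form_shortname`, `$form_fullname`, `$form_description`, `$form_parent`) are read from bare globals, while the surrounding context lines take the same inputs from `$GLOBALS['form_parent']` and from `$GLOBALS[form_shortname]` with an unquoted key; the unquoted key is an undefined-constant notice (an error in PHP 8), and the mixed access styles suggest the values are only populated under register_globals, which I cannot confirm from this hunk. It would be clearer to read each value once into a local from `$GLOBALS['...']` (or the request) before the INSERT and to quote the key in the guard, `if ($GLOBALS['form_shortname']) {`. The enclosing block starts outside this hunk.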

Modified: trunk/gforge/www/trove/include/trove.php
===================================================================
--- trunk/gforge/www/trove/include/trove.php	2009-09-03 15:09:49 UTC (rev 8083)
+++ trunk/gforge/www/trove/include/trove.php	2009-09-03 15:15:45 UTC (rev 8084)
@@ -25,18 +25,17 @@
  */
 function trove_genfullpaths($mynode,$myfullpath,$myfullpathids) {
 	// first generate own path
-	$res_update = db_query('UPDATE trove_cat SET fullpath=\''
-		.$myfullpath.'\',fullpath_ids=\''
-		.$myfullpathids.'\' WHERE trove_cat_id='.$mynode);
+	$res_update = db_query_params("UPDATE trove_cat SET fullpath=$1,
+		fullpath_ids=$2
+		WHERE trove_cat_id=$3", array($myfullpath, $myfullpathids, $mynode));
 	// now generate paths for all children by recursive call
 	if($mynode!=0)
 	{
-		$res_child = db_query("
+		$res_child = db_query_params("
 			SELECT trove_cat_id,fullname
 			FROM trove_cat
-			WHERE parent='$mynode'
-			AND trove_cat_id!=0;
-		", -1, 0, SYS_DB_TROVE);
+			WHERE parent=$1
+			AND trove_cat_id!=0;", array($mynode), -1, 0, SYS_DB_TROVE);
 
 		while ($row_child = db_fetch_array($res_child)) {
 			trove_genfullpaths($row_child['trove_cat_id'],
@@ -56,17 +55,16 @@
  */
 function trove_updaterootparent($mynode,$rootnode) {
 	// first generate own path
-	if($mynode!=$rootnode) $res_update = db_query('UPDATE trove_cat SET root_parent=' .$rootnode. ' WHERE trove_cat_id='.$mynode);
-	else $res_update = db_query('UPDATE trove_cat SET root_parent=0 WHERE trove_cat_id='.$mynode);
+	if($mynode!=$rootnode) $res_update = db_query_params("UPDATE trove_cat SET root_parent=$1 WHERE trove_cat_id=$2", array($rootnode, $mynode));
+	else $res_update = db_query_params("UPDATE trove_cat SET root_parent=0 WHERE trove_cat_id=$1", array($mynode));
 	// now generate paths for all children by recursive call
 	if($mynode!=0)
 	{
-		$res_child = db_query("
+		$res_child = db_query_params("
 			SELECT trove_cat_id
 			FROM trove_cat
-			WHERE parent='$mynode'
-			AND trove_cat_id!=0;
-		", -1, 0, SYS_DB_TROVE);
+			WHERE parent=$1
+			AND trove_cat_id!=0;", array($mynode), -1, 0, SYS_DB_TROVE);
 
 		while ($row_child = db_fetch_array($res_child)) {
 			trove_updaterootparent($row_child['trove_cat_id'],$rootnode);
@@ -88,11 +86,10 @@
 	if ((!$group_id) || (!$trove_cat_id)) return 1;
 
 	// verify trove category exists
-	$res_verifycat = db_query("
+	$res_verifycat = db_query_params("
 		SELECT trove_cat_id,fullpath_ids
 		FROM trove_cat
-		WHERE trove_cat_id='$trove_cat_id'
-	", -1, 0, SYS_DB_TROVE);
+		WHERE trove_cat_id=$1", array($trove_cat_id), -1, 0, SYS_DB_TROVE);
 
 	if (db_numrows($res_verifycat) != 1) return 1;
 	$row_verifycat = db_fetch_array($res_verifycat);
@@ -103,13 +100,13 @@
 	}
 
 	// must first make sure that this is not a subnode of anything current
-	$res_topnodes = db_query("
+	$res_topnodes = db_query_params("
 		SELECT trove_cat.trove_cat_id AS trove_cat_id,
 			trove_cat.fullpath_ids AS fullpath_ids
 		FROM trove_cat,trove_group_link
 		WHERE trove_cat.trove_cat_id=trove_group_link.trove_cat_id
-		AND trove_group_link.group_id='$group_id'
-		AND trove_cat.root_parent='$rootnode'");
+		AND trove_group_link.group_id=$1
+		AND trove_cat.root_parent=$2", array($group_id, $rootnode));
 
 	while($row_topnodes = db_fetch_array($res_topnodes)) {
 		$pathids = explode(' :: ',$row_topnodes['fullpath_ids']);
@@ -137,17 +134,17 @@
 		for ($i=0;$i<count($subnodeids);$i++) {
 			if ($subnodeids[$i] == $row_checksubs['trove_cat_id']) {
 				// then delete subnode
-				db_query('DELETE FROM trove_group_link WHERE '
-					.'group_id='.$group_id.' AND trove_cat_id='
-					.$subnodeids[$i]);
+				db_query_params("DELETE FROM trove_group_link WHERE 
+					group_id=$1 AND trove_cat_id=$2",
+					array($group_id, $subnodeids[$i]));
 			}
 		}
 	}
 
 	// if we got this far, must be ok
-	db_query('INSERT INTO trove_group_link (trove_cat_id,trove_cat_version,'
-		.'group_id,trove_cat_root) VALUES ('.$trove_cat_id.','
-		.time().','.$group_id.','.$rootnode.')');
+	db_query_params("INSERT INTO trove_group_link (trove_cat_id,trove_cat_version,
+		group_id,trove_cat_root) VALUES ($1, $2, $3, $4)",
+		array($trove_cat_id, time(), $group_id, $rootnode));
 	return 0;
 }
 



