# also sent), and the id, so that we have a way of telling that we
# got something instead of a bunch of NULLs
$sth = $dbh->prepare("SELECT extern_id, userid, disabledtext " .
- "FROM profiles WHERE login_name=?");
+ "FROM profiles WHERE " .
+ $dbh->sql_istrcmp('login_name', '?'));
$sth->execute($env_email);
$sth->execute();
use Bugzilla::Config;
use Bugzilla::Constants;
use Bugzilla::Util;
+# Because of the screwy way that Auth works, it thinks
+# that we're redefining subroutines if we "use" anything
+# that "uses" Bugzilla::Auth.
+require Bugzilla::User;
my $edit_options = {
'new' => 1,
return (AUTH_NODATA) unless defined $username && defined $passwd;
- # We're just testing against the db: any value is ok
- trick_taint($username);
-
- my $userid = $class->get_id_from_username($username);
- return (AUTH_LOGINFAILED) unless defined $userid;
+ my $userid = Bugzilla::User::login_to_id($username);
+ return (AUTH_LOGINFAILED) unless $userid;
return (AUTH_LOGINFAILED, $userid)
unless $class->check_password($userid, $passwd);
return (AUTH_OK, $userid);
}
-sub get_id_from_username {
- my ($class, $username) = @_;
- my $dbh = Bugzilla->dbh;
- my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " .
- "WHERE login_name=?");
- my ($userid) = $dbh->selectrow_array($sth, undef, $username);
- return $userid;
-}
-
sub get_disabled {
my ($class, $userid) = @_;
my $dbh = Bugzilla->dbh;
my $dbh = Bugzilla->dbh;
my $sth = $dbh->prepare_cached("SELECT userid, disabledtext " .
"FROM profiles " .
- "WHERE login_name=?");
+ "WHERE " .
+ $dbh->sql_istrcmp('login_name', '?'));
my ($userid, $disabledtext) =
$dbh->selectrow_array($sth,
undef,
$Exporter::ExportLevel-- if $is_exporter;
}
+sub sql_istrcmp {
+ my ($self, $left, $right, $op) = @_;
+ $op ||= "=";
+
+ return $self->sql_istring($left) . " $op " . $self->sql_istring($right);
+}
+
+sub sql_istring {
+ my ($self, $string) = @_;
+
+ return "LOWER($string)";
+}
+
sub sql_position {
my ($self, $fragment, $text) = @_;
$text = text to search for (scalar)
Returns: formatted SQL for for full text search
+=item C<sql_istrcmp>
+
+ Description: Returns SQL for a case-insensitive string comparison.
+ Params: $left - What should be on the left-hand-side of the
+ operation.
+ $right - What should be on the right-hand-side of the
+ operation.
+ $op (optional) - What the operation is. Should be a
+ valid ANSI SQL comparison operator, like "=", "<",
+ "LIKE", etc. Defaults to "=" if not specified.
+ Returns: A SQL statement that will run the comparison in
+ a case-insensitive fashion.
+ Note: Uses sql_istring, so it has the same performance concerns.
+ Try to avoid using this function unless absolutely necessary.
+ Subclass Implementors: Override sql_istring instead of this
+ function, most of the time (this function uses sql_istring).
+
+=item C<sql_istring>
+
+ Description: Returns SQL syntax "preparing" a string or text column for
+ case-insensitive comparison.
+ Params: $string - string to convert (scalar)
+ Returns: formatted SQL making the string case insensitive
+ Note: The default implementation simply calls LOWER on the parameter.
+ If this is used to search on a text column with index, the index
+ will not be usually used unless it was created as LOWER(column).
+
=item C<bz_lock_tables>
Description: Performs a table lock operation on specified tables.
return "MATCH($column) AGAINST($text)";
}
+sub sql_istring {
+ my ($self, $string) = @_;
+
+ return $string;
+}
+
sub sql_to_days {
my ($self, $date) = @_;
AND tokens.tokentype = 'password'
AND tokens.issuedate > NOW() - " .
$dbh->sql_interval('10 MINUTE') . "
- WHERE login_name = $quotedloginname");
+ WHERE " . $dbh->sql_istrcmp('login_name', $quotedloginname));
my ($userid, $toosoon) = &::FetchSQLData();
if ($toosoon) {
# in the id its already had to validate (or the User.pm object, of course)
sub new_from_login {
my $invocant = shift;
- return $invocant->_create("login_name=?", @_);
+ my $dbh = Bugzilla->dbh;
+ return $invocant->_create($dbh->sql_istrcmp('login_name', '?'), @_);
}
# Internal helper for the above |new| methods
# Build the query.
my $sqlstr = &::SqlQuote($wildstr);
- my $query = "SELECT DISTINCT userid, realname, login_name, " .\r
+ my $query = "SELECT DISTINCT userid, realname, login_name, " .
"LENGTH(login_name) AS namelength " .
"FROM profiles ";
if (&::Param('usevisibilitygroups')) {
$query .= ", user_group_map ";
}
- $query .= "WHERE (login_name LIKE $sqlstr " .
- "OR realname LIKE $sqlstr) ";
+ $query .= "WHERE ("
+ . $dbh->sql_istrcmp('login_name', $sqlstr, "LIKE") . " OR " .
+ $dbh->sql_istrcmp('realname', $sqlstr, "LIKE") . ") ";
if (&::Param('usevisibilitygroups')) {
$query .= "AND user_group_map.user_id = userid " .
"AND isbless = 0 " .
my $sqlstr = &::SqlQuote($str);
my $query = "SELECT userid, realname, login_name " .
"FROM profiles " .
- "WHERE login_name = $sqlstr ";
+ "WHERE " . $dbh->sql_istrcmp('login_name', $sqlstr);
# Exact matches don't care if a user is disabled.
&::PushGlobalSQLState();
my $dbh = Bugzilla->dbh;
# $login will only be used by the following SELECT statement, so it's safe.
trick_taint($login);
- my $user_id = $dbh->selectrow_array(
- "SELECT userid FROM profiles WHERE login_name = ?", undef, $login);
+ my $user_id = $dbh->selectrow_array("SELECT userid FROM profiles WHERE " .
+ $dbh->sql_istrcmp('login_name', '?'),
+ undef, $login);
if ($user_id) {
return $user_id;
} else {
}
}
$sth = $dbh->prepare("SELECT login_name FROM profiles " .
- "WHERE login_name = ?");
+ "WHERE " . $dbh->sql_istrcmp('login_name', '?'));
$sth->execute($login);
if ($sth->rows > 0) {
print "$login already has an account.\n";
}
# Put the admin in each group if not already
- my $userid = $dbh->selectrow_array(
- "SELECT userid FROM profiles WHERE login_name = ?", undef, $login);
-
+ my $userid = $dbh->selectrow_array("SELECT userid FROM profiles WHERE " .
+ $dbh->sql_istrcmp('login_name', '?'),
+ undef, $login);
+
# Admins get explicit membership and bless capability for the admin group
my ($admingroupid) = $dbh->selectrow_array("SELECT id FROM groups
WHERE name = 'admin'");
use strict;
+my $dbh = Bugzilla->dbh;
+
my $EMAIL_TRANSFORM_NONE = "email_transform_none";
my $EMAIL_TRANSFORM_BASE_DOMAIN = "email_transform_base_domain";
my $EMAIL_TRANSFORM_NAME_ONLY = "email_transform_name_only";
my ($address) = @_;
# if $email_transform is $EMAIL_TRANSFORM_NONE, return the address, otherwise, return undef
if ($email_transform eq $EMAIL_TRANSFORM_NONE) {
- my $stmt = "SELECT login_name FROM profiles WHERE profiles.login_name = \'$address\';";
+ my $stmt = "SELECT login_name FROM profiles WHERE " .
+ $dbh->sql_istrcmp('login_name', $dbh->quote($address));
SendSQL($stmt);
my $found_address = FetchOneColumn();
return $found_address;
} elsif ($email_transform eq $EMAIL_TRANSFORM_BASE_DOMAIN) {
my ($username) = ($address =~ /(.+)@/);
- my $stmt = "SELECT login_name FROM profiles WHERE profiles.login_name RLIKE \'$username\';";
+ my $stmt = "SELECT login_name FROM profiles WHERE " . $dbh->sql_istrcmp(
+ 'login_name', $dbh->quote($username), $dbh->sql_regexp());
SendSQL($stmt);
my $domain;
return $new_address;
} elsif ($email_transform eq $EMAIL_TRANSFORM_NAME_ONLY) {
my ($username) = ($address =~ /(.+)@/);
- my $stmt = "SELECT login_name FROM profiles WHERE profiles.login_name RLIKE \'$username\';";
+ my $stmt = "SELECT login_name FROM profiles WHERE " .$dbh->sql_istrcmp(
+ 'login_name', $dbh->quote($username), $dbh->sql_regexp());
SendSQL($stmt);
my $found_address = FetchOneColumn();
return $found_address;
#
# You need to work with bug_email.pl the MIME::Parser installed.
#
-# $Id: bug_email.pl,v 1.27 2005/05/12 19:13:56 lpsolit%gmail.com Exp $
+# $Id: bug_email.pl,v 1.28 2005/07/08 02:31:43 mkanat%kerio.com Exp $
###############################################################
# 02/12/2000 (SML)
my $SenderShort;
my $Message_ID;
+my $dbh = Bugzilla->dbh;
+
# change to use default product / component functionality
my $DEFAULT_PRODUCT = "PENDING";
my $DEFAULT_COMPONENT = "PENDING";
$query .= $state . ", \'$bug_when\', \'$bug_when\', $ever_confirmed)\n";
# $query .= SqlQuote( "NEW" ) . ", now(), " . SqlQuote($comment) . " )\n";
- SendSQL("SELECT userid FROM profiles WHERE login_name=\'$reporter\'");
+ SendSQL("SELECT userid FROM profiles WHERE " .
+ $dbh->sql_istrcmp('login_name', $dbh->quote($reporter)));
my $userid = FetchOneColumn();
my $id;
use Bugzilla::Config qw(:DEFAULT $datadir);
use Bugzilla::BugMail;
+my $dbh = Bugzilla->dbh;
+
# Create a new MIME parser:
my $parser = new MIME::Parser;
}
# get the user id
-SendSQL("SELECT userid FROM profiles WHERE login_name = \'$SenderShort\';");
+SendSQL("SELECT userid FROM profiles WHERE " .
+ $dbh->sql_istrcmp('login_name', $dbh->quote($SenderShort)));
my $userid = FetchOneColumn();
if (!defined($userid)) {
DealWithError("Userid not found for $SenderShort");
use Net::LDAP;
my $cgi = Bugzilla->cgi;
+my $dbh = Bugzilla->dbh;
my $readonly = 0;
my $nodisable = 0;
print "Performing DB update:\nPhase 1: disabling not-existing users... " unless $quiet;
if($nodisable == 0) {
while( my ($key, $value) = each(%disable_users) ) {
- SendSQL("UPDATE profiles SET disabledtext = 'auto-disabled by ldap sync' WHERE login_name='$key'" );
+ SendSQL("UPDATE profiles SET disabledtext = 'auto-disabled by ldap " .
+ "sync' WHERE " . $dbh->sql_istrcmp('login_name',
+ $dbh->quote($key)));
}
print "done!\n" unless $quiet;
}
if($noupdate == 0) {
while( my ($key, $value) = each(%update_users) ) {
if(defined @$value{'new_login_name'}) {
- SendSQL("UPDATE profiles SET login_name = '" . @$value{'new_login_name'} . "' WHERE login_name='$key'" );
+ SendSQL("UPDATE profiles SET login_name = '" .
+ @$value{'new_login_name'} . "' WHERE " .
+ $dbh->sql_istrcmp('login_name', $dbh->quote($key)));
} else {
- SendSQL("UPDATE profiles SET realname = '" . @$value{'realname'} . "' WHERE login_name='$key'" );
+ SendSQL("UPDATE profiles SET realname = '" . @$value{'realname'} .
+ "' WHERE " . $dbh->sql_istrcmp('login_name', $dbh->quote($key)));
}
}
print "done!\n" unless $quiet;
# Filter results by exact email address of requester or requestee.
if (defined $cgi->param('requester') && $cgi->param('requester') ne "") {
- push(@criteria, "requesters.login_name = " . SqlQuote($cgi->param('requester')));
+ push(@criteria, $dbh->sql_istrcmp('requesters.login_name',
+ SqlQuote($cgi->param('requester'))));
push(@excluded_columns, 'requester') unless $cgi->param('do_union');
}
if (defined $cgi->param('requestee') && $cgi->param('requestee') ne "") {
if ($cgi->param('requestee') ne "-") {
- push(@criteria, "requestees.login_name = " . SqlQuote($cgi->param('requestee')));
+ push(@criteria, $dbh->sql_istrcmp('requestees.login_name',
+ SqlQuote($cgi->param('requestee'))));
}
else { push(@criteria, "flags.requestee_id IS NULL") }
push(@excluded_columns, 'requestee') unless $cgi->param('do_union');
use Bugzilla::Auth;
my $cgi = Bugzilla->cgi;
+my $dbh = Bugzilla->dbh;
# Include the Bugzilla CGI and general utility library.
require "CGI.pl";
CheckEmailSyntax($cgi->param('loginname'));
my $quotedloginname = SqlQuote($cgi->param('loginname'));
- SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
+ SendSQL("SELECT userid FROM profiles WHERE " .
+ $dbh->sql_istrcmp('login_name', $quotedloginname));
FetchSQLData()
|| ThrowUserError("account_inexistent");
}
projects / thirdparty / bugzilla.git / commitdiff
