From e6052c3ffdadf3a367930fc6d84240150ad0fb1b Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Fri, 18 Dec 2020 19:39:54 +0100
Subject: [PATCH 1/7] Add initial schema and data
---
 scripts/db_migrations/version0.sh | 654 ++++++++++++++++++++++++++++++
 scripts/db_migrations/version1.sh | 2 +-
 scripts/db_migrations/version7.sh | 96 +++++
 3 files changed, 751 insertions(+), 1 deletion(-)
 create mode 100644 scripts/db_migrations/version0.sh
 create mode 100644 scripts/db_migrations/version7.sh
diff --git a/scripts/db_migrations/version0.sh b/scripts/db_migrations/version0.sh
new file mode 100644
index 00000000..ab9a0386
--- /dev/null
+++ b/scripts/db_migrations/version0.sh
@@ -0,0 +1,654 @@
+#!/bin/sh
+# LibreSSL - CAcert web application
+# Copyright (C) 2004-2020 CAcert Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+
+# script to do database migrations
+
+# This particular version creates the initial database schema.
+# If you want to reuse it for further migrations you probably should pay special
+# attention because you have to adjust it a bit
+
+set -eu # script fails if any command fails or variables are undefined
+
+STDERR=2
+
+if [ "$#" -gt 1 ] && [ "$1" = "--help" ]; then
+ cat >$STDERR 1>&2 <<- USAGE
+ Usage: $0 [MYSQL_OPTIONS]
+ You have to specify all options needed by "mysql" as if you had started
+ the MySQL command line client directly (including the name of the
+ database to operate on). The MySQL user used has to have enough
+ privileges to do all necessary operations (among others CREATE, ALTER,
+ DROP, UPDATE, INSERT, DELETE).
+ You might need to enter the mysql password multiple times if you
+ specify the -p option.
+ USAGE + exit 1 +fi + +mysql_opt="--batch --skip-column-names $@" + +mysql $mysql_opt <<- 'SQL' +-- Initial database schema +CREATE TABLE `abusereports` ( + `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, + `when` datetime NOT NULL, + `IP` int(11) DEFAULT NULL, + `url` varchar(255) NOT NULL, + `name` varchar(255) NOT NULL, + `email` varchar(255) NOT NULL, + `comment` varchar(255) NOT NULL, + `reason` varchar(255) NOT NULL, + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `addlang` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `userid` int(11) NOT NULL, + `lang` varchar(5) NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `userid` (`userid`, `lang`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `adminlog` ( + `when` datetime NOT NULL, + `uid` int(11) NOT NULL, + `adminid` int(11) NOT NULL, + `actiontypeid` int(11) DEFAULT NULL, + `old-lname` varchar(255), + `old-dob` varchar(255), + `new-lname` varchar(255), + `new-dob` varchar(255) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `advertising` ( + `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, + `replaceid` int(10) UNSIGNED NOT NULL, + `replaced` tinyint(3) UNSIGNED NOT NULL, + `orderid` tinyint(3) UNSIGNED NOT NULL, + `link` varchar(255) NOT NULL, + `title` varchar(255) NOT NULL, + `months` tinyint(3) UNSIGNED NOT NULL, + `who` int(10) UNSIGNED NOT NULL, + `when` datetime NOT NULL, + `active` tinyint(3) UNSIGNED NOT NULL, + `approvedby` int(10) UNSIGNED NOT NULL, + `expires` datetime NOT NULL, + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `alerts` ( + `memid` int(11) NOT NULL DEFAULT 0, + `general` tinyint(1) NOT NULL DEFAULT 0, + `country` tinyint(1) NOT NULL DEFAULT 0, + `regional` tinyint(1) NOT NULL DEFAULT 0, + `radius` tinyint(1) NOT NULL DEFAULT 0, + PRIMARY KEY (`memid`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `baddomains` ( + `domain` varchar(255) NOT NULL DEFAULT '' +) ENGINE = MyISAM + 
DEFAULT CHARSET = latin1; + +CREATE TABLE `cats_passed` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `user_id` int(11) NOT NULL, + `variant_id` int(11) NOT NULL, + `pass_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP() ON UPDATE CURRENT_TIMESTAMP(), + PRIMARY KEY (`id`), + UNIQUE KEY `test_passed` (`user_id`, `variant_id`, `pass_date`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `cats_type` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `type_text` varchar(255) NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `type_text` (`type_text`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `cats_variant` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `type_id` int(11) NOT NULL, + `test_text` varchar(255) NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `test_text` (`test_text`, `type_id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `countries` ( + `id` int(3) NOT NULL AUTO_INCREMENT, + `name` varchar(50) NOT NULL DEFAULT '', + `acount` int(11) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `disputedomain` ( + `id` int(11) NOT NULL DEFAULT 0, + `memid` int(11) NOT NULL DEFAULT 0, + `oldmemid` int(11) NOT NULL DEFAULT 0, + `domain` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `hash` varchar(50) NOT NULL DEFAULT '', + `attempts` int(1) NOT NULL DEFAULT 0, + `action` enum ('accept','reject','failed') NOT NULL DEFAULT 'accept' +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `disputeemail` ( + `id` int(11) NOT NULL DEFAULT 0, + `memid` int(11) NOT NULL DEFAULT 0, + `oldmemid` int(11) NOT NULL DEFAULT 0, + `email` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `hash` varchar(50) NOT NULL DEFAULT '', + `attempts` int(1) NOT NULL DEFAULT 0, + `action` enum ('accept','reject','failed') NOT NULL DEFAULT 'accept', + `IP` varchar(20) NOT NULL DEFAULT '' +) ENGINE = MyISAM + 
DEFAULT CHARSET = latin1; + +CREATE TABLE `domaincerts` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `domid` int(11) NOT NULL DEFAULT 0, + `serial` varchar(50) NOT NULL DEFAULT '', + `CN` varchar(255) NOT NULL DEFAULT '', + `subject` text NOT NULL, + `csr_name` varchar(255) NOT NULL DEFAULT '', + `crt_name` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `revoked` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `expire` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `warning` tinyint(1) NOT NULL DEFAULT 0, + `renewed` tinyint(1) NOT NULL DEFAULT 0, + `rootcert` int(2) NOT NULL DEFAULT 1, + `md` enum ('md5','sha1','sha256','sha512') NOT NULL DEFAULT 'sha512', + `type` tinyint(4) DEFAULT NULL, + `pkhash` char(40) DEFAULT NULL, + `certhash` char(40) DEFAULT NULL, + `coll_found` tinyint(1) NOT NULL, + PRIMARY KEY (`id`), + KEY `domaincerts_pkhash` (`pkhash`), + KEY `revoked` (`revoked`), + KEY `created` (`created`), + KEY `domid` (`domid`), + KEY `serial` (`serial`), + KEY `stats_domaincerts_expire` (`expire`), + KEY `domaincrt` (`crt_name`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `domains` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `memid` int(11) NOT NULL DEFAULT 0, + `domain` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `deleted` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `hash` varchar(50) NOT NULL DEFAULT '', + `attempts` int(1) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`), + KEY `memid` (`memid`), + KEY `domain` (`domain`), + KEY `memid_2` (`memid`), + KEY `stats_domains_hash` (`hash`), + KEY `stats_domains_deleted` (`deleted`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `domlink` ( + `certid` int(11) NOT NULL DEFAULT 0, + `domid` int(11) NOT NULL DEFAULT 0, + UNIQUE KEY `index` (`certid`, 
`domid`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `email` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `memid` int(11) NOT NULL DEFAULT 0, + `email` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `deleted` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `hash` varchar(50) NOT NULL DEFAULT '', + `attempts` int(1) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`), + KEY `memid` (`memid`), + KEY `stats_email_hash` (`hash`), + KEY `stats_email_deleted` (`deleted`), + KEY `email` (`email`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `emailcerts` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `memid` int(11) NOT NULL DEFAULT 0, + `serial` varchar(50) NOT NULL DEFAULT '', + `CN` varchar(255) NOT NULL DEFAULT '', + `subject` text NOT NULL, + `keytype` char(2) NOT NULL DEFAULT 'NS', + `codesign` tinyint(1) NOT NULL DEFAULT 0, + `csr_name` varchar(255) NOT NULL DEFAULT '', + `crt_name` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `revoked` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `expire` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `warning` tinyint(1) NOT NULL DEFAULT 0, + `renewed` tinyint(1) NOT NULL DEFAULT 0, + `rootcert` int(2) NOT NULL DEFAULT 1, + `md` enum ('md5','sha1','sha256','sha512') NOT NULL DEFAULT 'sha512', + `type` tinyint(4) DEFAULT NULL, + `disablelogin` int(1) NOT NULL DEFAULT 0, + `pkhash` char(40) DEFAULT NULL, + `certhash` char(40) DEFAULT NULL, + `coll_found` tinyint(1) NOT NULL, + PRIMARY KEY (`id`), + KEY `emailcerts_pkhash` (`pkhash`), + KEY `revoked` (`revoked`), + KEY `created` (`created`), + KEY `memid` (`memid`), + KEY `serial` (`serial`), + KEY `stats_emailcerts_expire` (`expire`), + KEY `emailcrt` (`crt_name`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE 
`emaillink` ( + `emailcertsid` int(11) NOT NULL DEFAULT 0, + `emailid` int(11) NOT NULL DEFAULT 0, + KEY `index` (`emailcertsid`, `emailid`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `gpg` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `memid` int(11) NOT NULL DEFAULT 0, + `email` varchar(255) NOT NULL DEFAULT '', + `level` int(1) NOT NULL DEFAULT 0, + `multiple` tinyint(1) NOT NULL DEFAULT 0, + `expires` tinyint(1) NOT NULL DEFAULT 0, + `csr` varchar(255) NOT NULL DEFAULT '', + `crt` varchar(255) NOT NULL DEFAULT '', + `issued` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `expire` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `keyid` char(18) DEFAULT NULL, + `warning` tinyint(1) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`), + KEY `stats_gpg_expire` (`expire`), + KEY `stats_gpg_issued` (`issued`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `languages` ( + `locale` varchar(5) NOT NULL, + `en_co` varchar(255) NOT NULL, + `en_lang` varchar(255) NOT NULL, + `country` varchar(255) NOT NULL, + `lang` varchar(255) NOT NULL +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `localias` ( + `locid` int(11) NOT NULL DEFAULT 0, + `name` varchar(255) NOT NULL DEFAULT '', + KEY `locid` (`locid`), + KEY `name` (`name`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `locations` ( + `id` int(7) NOT NULL AUTO_INCREMENT, + `regid` int(4) NOT NULL DEFAULT 0, + `ccid` int(3) NOT NULL DEFAULT 0, + `name` varchar(50) NOT NULL DEFAULT '', + `lat` double(6, 3) NOT NULL DEFAULT 0.000, + `long` double(6, 3) NOT NULL DEFAULT 0.000, + `acount` int(11) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`), + KEY `ccid` (`ccid`), + KEY `regid` (`regid`), + KEY `name` (`name`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `news` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `when` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `who` varchar(255) NOT NULL DEFAULT '', + `short` varchar(255) NOT NULL DEFAULT '', + `story` 
text NOT NULL, + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `notary` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `from` int(11) NOT NULL DEFAULT 0, + `to` int(11) NOT NULL DEFAULT 0, + `awarded` int(3) NOT NULL DEFAULT 0, + `points` int(3) NOT NULL DEFAULT 0, + `method` enum ('Face to Face Meeting','Trusted Third Parties','Thawte Points Transfer','Administrative Increase','CT Magazine - Germany','Temporary Increase','Unknown') NOT NULL DEFAULT 'Face to Face Meeting', + `location` varchar(255) NOT NULL DEFAULT '', + `date` varchar(255) NOT NULL DEFAULT '', + `when` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `expire` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `sponsor` int(11) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`), + KEY `from` (`from`), + KEY `to` (`to`), + KEY `from_2` (`from`), + KEY `to_2` (`to`), + KEY `stats_notary_when` (`when`), + KEY `stats_notary_method` (`method`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `org` ( + `orgid` int(11) NOT NULL DEFAULT 0, + `memid` int(11) NOT NULL DEFAULT 0, + `OU` varchar(255) NOT NULL DEFAULT '', + `masteracc` int(1) NOT NULL DEFAULT 0, + `comments` text NOT NULL, + UNIQUE KEY `orgid` (`orgid`, `memid`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `orgdomaincerts` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `orgid` int(11) NOT NULL DEFAULT 0, + `subject` text NOT NULL, + `serial` varchar(50) NOT NULL DEFAULT '', + `CN` varchar(255) NOT NULL DEFAULT '', + `csr_name` varchar(255) NOT NULL DEFAULT '', + `crt_name` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `revoked` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `expire` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `renewed` tinyint(1) NOT NULL DEFAULT 0, + `rootcert` int(2) NOT NULL DEFAULT 1, + `md` enum ('md5','sha1','sha256','sha512') NOT NULL DEFAULT 
'sha512', + `type` tinyint(4) DEFAULT NULL, + `warning` tinyint(1) NOT NULL DEFAULT 0, + `pkhash` char(40) DEFAULT NULL, + `certhash` char(40) DEFAULT NULL, + `coll_found` tinyint(1) NOT NULL, + PRIMARY KEY (`id`), + KEY `orgdomaincerts_pkhash` (`pkhash`), + KEY `stats_orgdomaincerts_created` (`created`), + KEY `stats_orgdomaincerts_revoked` (`revoked`), + KEY `stats_orgdomaincerts_expire` (`expire`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `orgdomains` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `orgid` int(11) NOT NULL DEFAULT 0, + `domain` varchar(255) NOT NULL DEFAULT '', + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `orgdomlink` ( + `orgcertid` int(11) NOT NULL DEFAULT 0, + `orgdomid` int(11) NOT NULL DEFAULT 0, + UNIQUE KEY `index` (`orgcertid`, `orgdomid`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `orgemailcerts` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `orgid` int(11) NOT NULL DEFAULT 0, + `serial` varchar(50) NOT NULL DEFAULT '', + `CN` varchar(255) NOT NULL DEFAULT '', + `subject` text NOT NULL, + `keytype` char(2) NOT NULL DEFAULT 'NS', + `csr_name` varchar(255) NOT NULL DEFAULT '', + `crt_name` varchar(255) NOT NULL DEFAULT '', + `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `revoked` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `expire` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `renewed` tinyint(1) NOT NULL DEFAULT 0, + `rootcert` int(2) NOT NULL DEFAULT 1, + `md` enum ('md5','sha1','sha256','sha512') NOT NULL DEFAULT 'sha512', + `type` tinyint(4) DEFAULT NULL, + `codesign` tinyint(1) NOT NULL DEFAULT 0, + `warning` tinyint(1) NOT NULL DEFAULT 0, + `pkhash` char(40) DEFAULT NULL, + `certhash` char(40) DEFAULT NULL, + `coll_found` tinyint(1) NOT NULL, + PRIMARY KEY (`id`), + KEY `orgemailcerts_pkhash` (`pkhash`), + KEY `stats_orgemailcerts_created` (`created`), + KEY 
`stats_orgemailcerts_revoked` (`revoked`), + KEY `stats_orgemailcerts_expire` (`expire`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `orgemaillink` ( + `emailcertsid` int(11) NOT NULL DEFAULT 0, + `domid` int(11) NOT NULL DEFAULT 0, + KEY `index` (`emailcertsid`, `domid`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `orginfo` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `contact` varchar(255) NOT NULL DEFAULT '', + `O` varchar(255) NOT NULL DEFAULT '', + `L` varchar(255) NOT NULL DEFAULT '', + `ST` varchar(255) NOT NULL DEFAULT '', + `C` char(2) NOT NULL DEFAULT '', + `comments` text NOT NULL, + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `otphashes` ( + `when` datetime NOT NULL, + `username` varchar(255) NOT NULL, + `otp` varchar(255) NOT NULL +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `pinglog` ( + `when` datetime NOT NULL, + `uid` int(11) NOT NULL, + `email` varchar(255) NOT NULL, + `result` varchar(255) NOT NULL +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `regions` ( + `id` int(5) NOT NULL AUTO_INCREMENT, + `ccid` int(3) NOT NULL DEFAULT 0, + `name` varchar(50) NOT NULL DEFAULT '', + `acount` int(11) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`), + KEY `ccid` (`ccid`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +-- stores names of root certificates (CN from SubjectDN?) 
+CREATE TABLE `root_certs` ( + `id` int(2) NOT NULL, + `cert_text` varchar(255) DEFAULT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `cert_text` (`cert_text`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +-- TODO: replace with goose_db_version table +CREATE TABLE `schema_version` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `version` int(11) NOT NULL, + `when` datetime NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `version` (`version`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `stampcache` ( + `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, + `certid` int(10) UNSIGNED DEFAULT NULL, + `cacheexpire` bigint(20) UNSIGNED DEFAULT NULL, + `issued` datetime NOT NULL, + `expire` datetime NOT NULL, + `subject` varchar(255) NOT NULL, + `hostname` varchar(255) NOT NULL, + `org` tinyint(1) NOT NULL, + `points` tinyint(3) UNSIGNED NOT NULL, + `O` varchar(255) NOT NULL, + `L` varchar(255) NOT NULL, + `ST` varchar(255) NOT NULL, + `C` varchar(255) NOT NULL, + `valid` tinyint(1) NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `hostname` (`hostname`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `statscache` ( + `timestamp` bigint(20) NOT NULL, + `cache` text NOT NULL, + PRIMARY KEY (`timestamp`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +-- not mentioned in version5.sh +CREATE TABLE `temp` ( + `id` int(11) DEFAULT NULL, + `data` int(11) DEFAULT NULL +) ENGINE = InnoDB + DEFAULT CHARSET = latin1; + +CREATE TABLE `tickets` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP() ON UPDATE CURRENT_TIMESTAMP(), + PRIMARY KEY (`id`), + KEY `timestamp` (`timestamp`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1 COMMENT ='Is used to generate ticket numbers for tracing back problems'; + +CREATE TABLE `tverify` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `memid` int(11) NOT NULL DEFAULT 0, + `photoid` varchar(255) NOT NULL DEFAULT '', + `URL` text NOT NULL, + `CN` text NOT NULL, + `created` datetime NOT 
NULL DEFAULT '0000-00-00 00:00:00', + `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `tverify-vote` ( + `tverify` int(11) NOT NULL DEFAULT 0, + `memid` int(11) NOT NULL DEFAULT 0, + `when` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', + `vote` tinyint(1) NOT NULL DEFAULT 0, + `comment` varchar(255) NOT NULL DEFAULT '' +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `userlocations` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `memid` int(11) NOT NULL DEFAULT 0, + `ccid` int(11) NOT NULL DEFAULT 0, + `regid` int(11) NOT NULL DEFAULT 0, + `locid` int(11) NOT NULL DEFAULT 0, + PRIMARY KEY (`id`) +) ENGINE = MyISAM + DEFAULT CHARSET = latin1; + +CREATE TABLE `users` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `email` varchar(255) NOT NULL DEFAULT '', + `password` varchar(255) NOT NULL DEFAULT '', + `fname` varchar(255) NOT NULL DEFAULT '', + `mname` varchar(255) NOT NULL DEFAULT '', + `lname` varchar(255) NOT NULL DEFAULT '', + `suffix` varchar(50) NOT NULL DEFAULT '', + `dob` date NOT NULL DEFAULT '0000-00-00', + `verified` int(1) NOT NULL DEFAULT 0, + `ccid` int(3) NOT NULL DEFAULT 0, + `regid` int(5) NOT NULL DEFAULT 0, + `locid` int(7) NOT NULL DEFAULT 0, + `listme` int(1) NOT NULL DEFAULT 0, + `codesign` int(1) NOT NULL DEFAULT 0, + `1024bit` tinyint(1) NOT NULL DEFAULT 0, + `contactinfo` varchar(255) NOT NULL DEFAULT '', + `admin` tinyint(1) NOT NULL DEFAULT 0, + `orgadmin` tinyint(1) NOT NULL, + `ttpadmin` tinyint(1) NOT NULL DEFAULT 0, + `adadmin` tinyint(1) UNSIGNED NOT NULL, + `board` tinyint(1) NOT NULL DEFAULT 0, + `tverify` tinyint(1) NOT NULL DEFAULT 0, + `locadmin` tinyint(1) NOT NULL DEFAULT 0, + `language` varchar(5) NOT NULL DEFAULT '', + `Q1` varchar(255) NOT NULL DEFAULT '', + `Q2` varchar(255) NOT NULL DEFAULT '', + `Q3` varchar(255) NOT NULL DEFAULT '', + `Q4` varchar(255) NOT NULL DEFAULT '', + `Q5` varchar(255) NOT NULL DEFAULT '', + 
 `A1` varchar(255) NOT NULL DEFAULT '',
+ `A2` varchar(255) NOT NULL DEFAULT '',
+ `A3` varchar(255) NOT NULL DEFAULT '',
+ `A4` varchar(255) NOT NULL DEFAULT '',
+ `A5` varchar(255) NOT NULL DEFAULT '',
+ `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
+ `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
+ `deleted` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
+ `locked` tinyint(1) NOT NULL,
+ `uniqueID` varchar(255) NOT NULL,
+ `otphash` varchar(16) NOT NULL,
+ `otppin` smallint(4) UNSIGNED ZEROFILL NOT NULL,
+ `assurer` int(2) NOT NULL DEFAULT 0,
+ `assurer_blocked` tinyint(1) NOT NULL DEFAULT 0,
+ PRIMARY KEY (`id`),
+ KEY `ccid` (`ccid`),
+ KEY `regid` (`regid`),
+ KEY `locid` (`locid`),
+ KEY `email` (`email`),
+ KEY `stats_users_created` (`created`),
+ KEY `stats_users_verified` (`verified`),
+ KEY `userverified` (`verified`)
+) ENGINE = MyISAM
+ DEFAULT CHARSET = latin1;
+
+-- Update schema version number
+ INSERT INTO `schema_version`
+ (`version`, `when`) VALUES
+ ('0' , NOW() );
+
+SQL
+
+
+echo "Database successfully migrated to version 0"
+exit 0
diff --git a/scripts/db_migrations/version1.sh b/scripts/db_migrations/version1.sh
index 48e24f9a..19467525 100755
--- a/scripts/db_migrations/version1.sh
+++ b/scripts/db_migrations/version1.sh
@@ -56,7 +56,7 @@ schema_version=$( mysql $mysql_opt <<- 'SQL'
 SQL
 )
 
-if [ $schema_version != "NULL" ]; then
+if [ $schema_version != "0" ]; then
 cat >&$STDERR <<- ERROR
 Error: database schema is not in the right version to do the migration!
 Expected version: 0 (i.e. the version before there was versioning)
diff --git a/scripts/db_migrations/version7.sh b/scripts/db_migrations/version7.sh
new file mode 100644
index 00000000..904b9a5b
--- /dev/null
+++ b/scripts/db_migrations/version7.sh
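Review bot: The `--help` guard `if [ "$#" -gt 1 ] && [ "$1" = "--help" ]` never fires for the usual invocation with `--help` as the only argument, and the redirection `cat >$STDERR 1>&2` first opens a file literally named `2` in the working directory before the usage text reaches stderr. Use `if [ "$#" -ge 1 ] && [ "$1" = "--help" ]; then` and `cat >&$STDERR <<- USAGE`, the form version7.sh in this same commit already uses. The unquoted `mysql_opt="--batch --skip-column-names $@"` followed by `mysql $mysql_opt` re-splits every client option on whitespace and globs, so a `-p` password or other option containing a space or `*` is mangled before it reaches the client; `mysql --batch --skip-column-names "$@" <<- 'SQL'` keeps the arguments intact, and the same applies to both `mysql_opt` uses in version7.sh. The `schema_version` row is inserted with the string `'0'` into an `int(11)` column; `(0, NOW())` says what is meant without relying on implicit conversion.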
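Review bot: The changed line still leaves `$schema_version` unquoted, so when the `SELECT MAX(...)` yields an empty result the test collapses to `[ != "0" ]` and the script aborts with a syntax error from `[` instead of printing the intended diagnostic; write `if [ "$schema_version" != "0" ]; then`. The context line that follows, `Expected version: 0 (i.e. the version before there was versioning)`, is now misleading because version0.sh in this commit records version 0 explicitly in `schema_version`; drop the parenthetical so the message matches the new check. The `fi` closing this block lies outside the hunk.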
@@ -0,0 +1,96 @@
+#!/bin/sh
+# LibreSSL - CAcert web application
+# Copyright (C) 2020 CAcert Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+
+# script to do database migrations
+
+# This particular version creates an initial set of data
+# If you want to reuse it for further migrations you probably should pay special
+# attention because you have to adjust it a bit
+
+set -eu # script fails if any command fails or variables are undefined
+
+STDERR=2
+
+if [ "$1" = "--help" ]; then
+ cat >&$STDERR <<- USAGE
+ Usage: $0 [MYSQL_OPTIONS]
+ You have to specify all options needed by "mysql" as if you had started
+ the MySQL command line client directly (including the name of the
+ database to operate on). The MySQL user used has to have enough
+ privileges to do all necessary operations (among others CREATE, ALTER,
+ DROP, UPDATE, INSERT, DELETE).
+ You might need to enter the mysql password multiple times if you
+ specify the -p option.
+ USAGE
+ exit 1
+fi
+
+mysql_opt=" --batch --skip-column-names $@"
+
+schema_version=$( mysql $mysql_opt <<- 'SQL'
+ CREATE TABLE IF NOT EXISTS `schema_version` (
+ `id` int(11) PRIMARY KEY auto_increment,
+ `version` int(11) NOT NULL UNIQUE,
+ `when` datetime NOT NULL
+ ) DEFAULT CHARSET=latin1;
+
+ SELECT MAX(`version`) FROM `schema_version`;
+SQL
+)
+
+if [ $schema_version != "6" ]; then
+ cat >&$STDERR <<- ERROR
+ Error: database schema is not in the right version to do the migration!
+ Expected version: 6 (i.e. the version before there was versioning)
+ ERROR
+ exit 2
+fi
+
+mysql $mysql_opt <<- 'SQL'
+ INSERT IGNORE INTO cats_type (id, type_text)
+ VALUES
+ (1, 'Assurer Challenge'),
+ (2, 'Org Assurer Test'),
+ (3, 'Triage Challenge'),
+ (5, 'Data Privacy Quiz');
+
+ INSERT IGNORE INTO cats_variant (id, type_id, test_text)
+ VALUES
+ (5, 1, 'Assurer\'s challenge (EN)'),
+ (6, 1, 'CAcert Assurer Prüfung (DE)'),
+ (4, 1, 'CATS V0.1'),
+ (12, 5, 'Data Privacy Quiz (Generic)'),
+ (15, 5, 'Data Privacy Quiz (Infrastructure Admins)'),
+ (13, 5, 'Data Privacy Quiz (Software)'),
+ (14, 5, 'Data Privacy Quiz (Triage and Support)'),
+ (11, 1, 'Výzva zaručovatele (CZ)');
+
+INSERT INTO root_certs (id, cert_text)
+VALUES (1, 'CAcert Testserver Root'),
+ (2, 'CAcert Testserver Class 3');
+
+
+ -- Update schema version number
+ INSERT INTO `schema_version`
+ (`version`, `when`) VALUES
+ ('7' , NOW() );
+SQL
+
+echo "Database successfully migrated to version 7"
+exit 0
From 3031555679335ba7d5d69a5a751842f351822a6e Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Fri, 18 Dec 2020 19:40:43 +0100
Subject: [PATCH 2/7] Add database setup instructions
---
 README | 17 --------------
 README.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 17 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md
diff --git a/README b/README
deleted file mode 100644
index 7f2ca78c..00000000
--- a/README
+++ /dev/null
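Review bot: `if [ "$1" = "--help" ]` runs under `set -eu`, so calling the script with no arguments at all dies with an unbound-variable error before either the usage text or a MySQL connection error is shown; `if [ "${1:-}" = "--help" ]; then` keeps the check and tolerates an empty argument list, and the later `[ $schema_version != "6" ]` needs the same quoting as in version1.sh, `if [ "$schema_version" != "6" ]; then`. The message `Expected version: 6 (i.e. the version before there was versioning)` was copied from an earlier migration and is wrong for a check against version 6. `INSERT INTO root_certs` is the only seed statement without `IGNORE`, so a run that reaches it after a partially applied earlier attempt fails on the unique `cert_text` key while the other inserts silently succeed; making it `INSERT IGNORE INTO root_certs (id, cert_text)` keeps the three statements consistent. `'Výzva zaručovatele (CZ)'` contains characters that latin1 cannot represent and the client character set is not pinned, so what is stored in the latin1 `cats_variant` table depends on the caller's locale; passing `--default-character-set` explicitly, or verifying the stored value after the migration, would make the result deterministic.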
@@ -1,17 +0,0 @@
-LibreSSL Documentation
-
-(c) 2005-2008 by CAcert Inc.
-License: GNU-GPLv2
-
-System Requirements:
-Linux/POSIX
-PHP
-GetText
-UFPDF - PDF generation library from http://acko.net/node/56
-OpenSSL - X.509 toolkit from http://www.openssl.org/
-openssl-vulnkey including blacklists for all common key sizes
-GnuPG - OpenPGP toolkit from http://www.gnupg.org/
-whois - whois client from http://www.linux.it/~md/software/
-XEnroll - Enrollment Active-X control for IE5/6 from Microsoft (search for xenroll.cab)
-CommModule - CAcert Communication Module
-
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..6f237d85
--- /dev/null
+++ b/README.md
@@ -0,0 +1,67 @@ +# LibreSSL Documentation + +(c) 2005-2008 by CAcert Inc. +License: GNU-GPLv2 + +## System Requirements + +Linux/POSIX +PHP and Webserver (i.e. Apache httpd) +MySQL compatible database system + +GetText +UFPDF - PDF generation library from http://acko.net/node/56 +OpenSSL - X.509 toolkit from http://www.openssl.org/ +openssl-vulnkey including blacklists for all common key sizes +GnuPG - OpenPGP toolkit from http://www.gnupg.org/ +whois - whois client from http://www.linux.it/~md/software/ +XEnroll - Enrollment Active-X control for IE5/6 from Microsoft (search for xenroll.cab) +CommModule - CAcert Communication Module + +## Setup + +### Create a database and database user + +Create a new database with charset `latin1` and default collation +`latin1_swedish_ci`. These settings are used for historical reasons. + +Create a user that has permissions on the database and has the global +[`FILE`](https://mariadb.com/kb/en/grant/#file) permission that is +required to export files using the `SELECT INTO OUTFILE` clause. 
+ +The SQL commands can be executed in a shell via the regular mysql or mariadb +command: + +```shell +sudo mysql mysql <<<-EOF +-- SQL commands +EOF +``` + +```sql +CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci; +CREATE USER cacertmigration@localhost IDENTIFIED BY 'hardtoguesslongpassword'; +GRANT ALL PRIVILEGES ON cacert.* TO cacertmigration@localhost; +GRANT FILE ON *.* TO cacertmigration@localhost; +``` + +It is a good idea to create a different user for the application that has +only the necessary privileges: + +```sql +CREATE USER cacertapplication@localhost IDENTIFIED BY 'anotherhardpassword'; +GRANT CREATE TEMPORARY TABLES ON cacert.* TO cacertapplication@localhost; +GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO cacertapplication@localhost; +``` + +### Apply schema migrations + +```shell +sh scripts/db_migrations/version0.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert +sh scripts/db_migrations/version1.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert +sh scripts/db_migrations/version2.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert +sh scripts/db_migrations/version3.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert +sh scripts/db_migrations/version4.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert +sh scripts/db_migrations/version5.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert +sh scripts/db_migrations/version6.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert +``` From 566690594962a197c797c37be9ffc2a7c479bd10 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sun, 20 Dec 2020 14:52:45 +0100 Subject: [PATCH 3/7] Add missing default values to users table --- scripts/db_migrations/version0.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/db_migrations/version0.sh b/scripts/db_migrations/version0.sh index ab9a0386..3c6d3756 100644 
--- a/scripts/db_migrations/version0.sh +++ b/scripts/db_migrations/version0.sh @@ -605,9 +605,9 @@ CREATE TABLE `users` ( `1024bit` tinyint(1) NOT NULL DEFAULT 0, `contactinfo` varchar(255) NOT NULL DEFAULT '', `admin` tinyint(1) NOT NULL DEFAULT 0, - `orgadmin` tinyint(1) NOT NULL, + `orgadmin` tinyint(1) NOT NULL DEFAULT 0, `ttpadmin` tinyint(1) NOT NULL DEFAULT 0, - `adadmin` tinyint(1) UNSIGNED NOT NULL, + `adadmin` tinyint(1) UNSIGNED NOT NULL DEFAULT 0, `board` tinyint(1) NOT NULL DEFAULT 0, `tverify` tinyint(1) NOT NULL DEFAULT 0, `locadmin` tinyint(1) NOT NULL DEFAULT 0, @@ -625,10 +625,10 @@ CREATE TABLE `users` ( `created` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', `modified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', `deleted` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', - `locked` tinyint(1) NOT NULL, + `locked` tinyint(1) NOT NULL DEFAULT 0, `uniqueID` varchar(255) NOT NULL, - `otphash` varchar(16) NOT NULL, - `otppin` smallint(4) UNSIGNED ZEROFILL NOT NULL, + `otphash` varchar(16) NOT NULL DEFAULT '', + `otppin` smallint(4) UNSIGNED ZEROFILL NOT NULL DEFAULT 0, `assurer` int(2) NOT NULL DEFAULT 0, `assurer_blocked` tinyint(1) NOT NULL DEFAULT 0, PRIMARY KEY (`id`), From 29ceefce524d473a24c1a5d43bcc12b9fd58f15c Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sun, 20 Dec 2020 14:53:36 +0100 Subject: [PATCH 4/7] Ignore pages/index/feed.xml --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 4559ec0c..408081e9 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,5 @@ # Ignore file with the account data /password.dat + +/pages/index/feed.rss From 72c0b4a1963653502f325097286831eef0b06a00 Mon Sep 17 00:00:00 2001 
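Review bot: `uniqueID` varchar(255) NOT NULL, on the context line between the two hunks, is still left without a default, so an INSERT that omits it is rejected under a strict sql_mode even after this commit; either give it `DEFAULT ''` like `otphash` or confirm that every code path creating a `users` row sets it. The `DEFAULT 0` added for `orgadmin`, `adadmin` and `locked` is the right choice, since a row created without them now comes up without elevated flags instead of failing. The unchanged `'0000-00-00 00:00:00'` datetime defaults in the second hunk are also worth a look, because MySQL's NO_ZERO_DATE strict mode rejects them; that is outside the lines this commit changes. The CREATE TABLE statement starts outside both hunks.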
From: Jan Dittberner Date: Mon, 21 Dec 2020 19:38:22 +0100 Subject: [PATCH 5/7] Switch database access to mysqli This change removes all invocations of the deprecated mysql_* APIs and replaces them with mysqli calls instead. Configuration in includes/mysql.php is now instrumented via environment variables. The application will not start if mandatory environment variables are not defined. Missing environment variables are logged to the PHP/Apache error log. Input validation in the autocomplete backend in www/ac.php has been fixed. The database connection is no longer stored in the session as it is only valid for a single request and had not been reused before either. Some TODO tags have been added at places in the code that need rework. Add TODO.md and changelog.md as well as setup instructions in README.md. --- README.md | 62 +- TODO.md | 30 + changelog.md | 6 + includes/.gitignore | 1 - includes/about_menu.php | 2 +- includes/account.php | 798 +++++++++--------- includes/account_stuff.php | 11 +- includes/general.php | 121 ++- includes/general_stuff.php | 15 +- includes/lib/account.php | 7 +- includes/lib/general.php | 27 +- includes/lib/l10n.php | 11 +- includes/loggedin.php | 14 +- includes/mysql.php | 167 ++++ includes/mysql.php.sample | 116 --- includes/notary.inc.php | 208 +++-- locale/Makefile | 4 +- pages/account/12.php | 8 +- pages/account/13.php | 6 +- pages/account/14.php | 4 +- pages/account/15.php | 8 +- pages/account/18.php | 14 +- pages/account/19.php | 8 +- pages/account/2.php | 6 +- pages/account/22.php | 14 +- pages/account/23.php | 8 +- pages/account/25.php | 14 +- pages/account/26.php | 8 +- pages/account/27.php | 4 +- pages/account/28.php | 4 +- pages/account/29.php | 6 +- pages/account/3.php | 6 +- pages/account/30.php | 6 +- pages/account/31.php | 4 +- pages/account/32.php | 10 +- pages/account/33.php | 4 +- pages/account/34.php | 8 +- pages/account/35.php | 16 +- pages/account/41.php | 12 +- pages/account/43.php | 144 ++-- 
pages/account/49.php | 32 +- pages/account/5.php | 8 +- pages/account/51.php | 10 +- pages/account/52.php | 26 +- pages/account/53.php | 24 +- pages/account/54.php | 20 +- pages/account/55.php | 16 +- pages/account/56.php | 6 +- pages/account/57.php | 8 +- pages/account/58.php | 14 +- pages/account/59.php | 38 +- pages/account/6.php | 8 +- pages/account/9.php | 8 +- pages/advertising/0.php | 22 +- pages/gpg/2.php | 8 +- pages/gpg/3.php | 8 +- pages/index/0.php | 4 +- pages/index/4.php | 4 +- pages/wot/1.php | 28 +- pages/wot/10.php | 20 +- pages/wot/12.php | 24 +- pages/wot/13.php | 38 +- pages/wot/9.php | 18 +- scripts/addpoints.php | 14 +- scripts/assurer.php | 8 +- scripts/consistence.php | 48 +- scripts/country.php | 6 +- scripts/cron/permissionreview.php | 8 +- scripts/cron/refresh_stats.php | 16 +- scripts/cron/removedead.php | 34 +- scripts/cron/updatesort.php | 26 +- scripts/cron/warning.php | 14 +- scripts/gpgcheck3.php | 34 +- scripts/gpgfillmissingemail.php | 10 +- scripts/gpgfillmissingkeyid.php | 10 +- scripts/mass-revoke.php | 18 +- scripts/newsletter.php | 8 +- scripts/newslettercebit.php | 8 +- scripts/notify.php | 8 +- scripts/resetpermissions.php | 12 +- scripts/scanforexponents.php | 26 +- scripts/send_heartbleed.php | 6 +- scripts/send_policy_cca_20140916.php | 6 +- .../send_policy_cca_correct_20150221_1.php | 6 +- .../send_policy_cca_correct_20150221_2.php | 6 +- stamp/certdet.php | 6 +- stamp/common.php | 42 +- stamp/displogo.php | 6 +- stamp/report.php | 12 +- tverify/index.php | 28 +- tverify/index/0.php | 12 +- www/ac.php | 48 +- www/account.php | 8 +- www/advertising.php | 8 +- www/alert_hash_collision.php | 9 +- www/api/ccsr.php | 42 +- www/api/cemails.php | 18 +- www/api/edu.php | 10 +- www/cap.php | 4 +- www/cats/cats_import.php | 36 +- www/disputes.php | 140 +-- www/gpg.php | 31 +- www/index.php | 164 ++-- www/news.php | 8 +- www/rss.php | 7 +- www/sqldump.php | 8 +- www/stats.php | 9 +- www/verify.php | 42 +- www/wot.php | 62 +- 109 
files changed, 1773 insertions(+), 1633 deletions(-) create mode 100644 TODO.md create mode 100644 changelog.md delete mode 100644 includes/.gitignore create mode 100644 includes/mysql.php delete mode 100644 includes/mysql.php.sample diff --git a/README.md b/README.md index 6f237d85..e8ac3a86 100644 --- a/README.md +++ b/README.md @@ -1,22 +1,20 @@ # LibreSSL Documentation -(c) 2005-2008 by CAcert Inc. -License: GNU-GPLv2 +(c) 2005-2020 by CAcert Inc. License: GNU-GPLv2 ## System Requirements -Linux/POSIX -PHP and Webserver (i.e. Apache httpd) -MySQL compatible database system +* Linux/POSIX PHP and Webserver (i.e. Apache httpd) +* MySQL compatible database system -GetText -UFPDF - PDF generation library from http://acko.net/node/56 -OpenSSL - X.509 toolkit from http://www.openssl.org/ -openssl-vulnkey including blacklists for all common key sizes -GnuPG - OpenPGP toolkit from http://www.gnupg.org/ -whois - whois client from http://www.linux.it/~md/software/ -XEnroll - Enrollment Active-X control for IE5/6 from Microsoft (search for xenroll.cab) -CommModule - CAcert Communication Module + +* GetText UFPDF - PDF generation library from http://acko.net/node/56 +* OpenSSL - X.509 toolkit from http://www.openssl.org/ +* openssl-vulnkey including blacklists for all common key sizes +* GnuPG - OpenPGP toolkit from http://www.gnupg.org/ +* whois - whois client from http://www.linux.it/~md/software/ +* XEnroll - Enrollment Active-X control for IE5/6 from Microsoft (search for xenroll.cab) +* CommModule - CAcert Communication Module ## Setup 
@@ -26,11 +24,10 @@ Create a new database with charset `latin1` and default collation `latin1_swedish_ci`. These settings are used for historical reasons. Create a user that has permissions on the database and has the global -[`FILE`](https://mariadb.com/kb/en/grant/#file) permission that is -required to export files using the `SELECT INTO OUTFILE` clause. +[`FILE`](https://mariadb.com/kb/en/grant/#file) permission that is required to export files using +the `SELECT INTO OUTFILE` clause. -The SQL commands can be executed in a shell via the regular mysql or mariadb -command: +The SQL commands can be executed in a shell via the regular mysql or mariadb command: ```shell sudo mysql mysql <<<-EOF @@ -39,14 +36,13 @@ EOF ``` ```sql -CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci; +CREATE DATABASE cacert CHARSET latin1 COLLATE latin1_swedish_ci; CREATE USER cacertmigration@localhost IDENTIFIED BY 'hardtoguesslongpassword'; GRANT ALL PRIVILEGES ON cacert.* TO cacertmigration@localhost; GRANT FILE ON *.* TO cacertmigration@localhost; ``` -It is a good idea to create a different user for the application that has -only the necessary privileges: +It is a good idea to create a different user for the application that has only the necessary privileges: ```sql CREATE USER cacertapplication@localhost IDENTIFIED BY 'anotherhardpassword'; 
@@ -65,3 +61,29 @@ sh scripts/db_migrations/version4.sh -h localhost -u cacertmigration -phardtogue sh scripts/db_migrations/version5.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert sh scripts/db_migrations/version6.sh -h localhost -u cacertmigration -phardtoguesslongpassword cacert ``` + +### Configuration + +The application is configured via a set of environment variables. The variables can be defined via +[`SetEnv` directives](https://httpd.apache.org/docs/current/mod/mod_env.html#setenv). The following environment +variables are used: + +Variable | Description | Default value +---- | ---- | ---- +`DEPLOYMENT_NAME` | name of the specific instance | `"CAcert.org Website"` +`CRT_DIRECTORY`* | directory where certificates are stored | none +`CSR_DIRECTORY`* | directory where CSRs are stored | none +`MYSQL_APP_DATABASE`* | database name | none +`MYSQL_APP_HOSTNAME`* | database hostname | none +`MYSQL_APP_PASSWORD`* | database password | none +`MYSQL_APP_USER`* | database user name | none +`RETURN_ADDRESS`* | return address (Errors-To header) for outgoing mails | none +`SMTP_HOST`* | mail server to use for outgoing mails | none +`SMTP_PORT` | port of the mail server | `25` +`INSECURE_PORT` | port to use for http | none (defaults to 80) +`SECURE_PORT` | port to use for https | none (default to 443) +`DEFAULT_HOSTNAME`* | hostname for the default URL | none +`SECURE_HOSTNAME`* | hostname for client certificate authentication | none +`TVERIFY_HOSTNAME`* | hostname for tverify | none + +Environment variables marked with an asterisk (*) need to be defined explicitly. \ No newline at end of file diff --git a/TODO.md b/TODO.md new file mode 100644 index 00000000..d086bbd7 --- /dev/null +++ b/TODO.md 
@@ -0,0 +1,30 @@ +# Development to do list + +## Modernization for PHP > 5 and newer OS + +* change from deprecated mysql to mysqli ✅ +* switch to supported PDF library ([tcpdf](https://tcpdf.org/)) + +## Maintainability + +* rename numbered files to something more readable +* implement release automation +* implement automated tests + +## Best practice implementation + +* switch everything to UTF-8 (better i18n, support for international names, support for modern PDF library, ...) +* use redirect after POST for all form actions +* implement CSRF protection + +## Code quality + +* do not store request scoped objects in session +* unify formatting +* add copyright headers in all files +* remove dead code / commented sections + +## Documentation + +* add documentation for all request flows +* add documentation for the signer protocol \ No newline at end of file diff --git a/changelog.md b/changelog.md new file mode 100644 index 00000000..873307ed --- /dev/null +++ b/changelog.md @@ -0,0 +1,6 @@ +# Change log + +## _unreleased_ + +* switch from deprecated mysql_* APIs to [mysqli](https://www.php.net/manual/de/book.mysqli.php) +* add documentation for setup (in [README.md](README.md)) and [development to do list](TODO.md) \ No newline at end of file diff --git a/includes/.gitignore b/includes/.gitignore deleted file mode 100644 index 9ac21562..00000000 --- a/includes/.gitignore +++ /dev/null @@ -1 +0,0 @@ -mysql.php diff --git a/includes/about_menu.php b/includes/about_menu.php index f34a2749..90d8aa10 100644 --- a/includes/about_menu.php +++ b/includes/about_menu.php @@ -8,7 +8,7 @@
  • < = _ ("PR Materials" ) > ?> < ? = _ ( " CAcert Logos " ) ? > ?> -
  • +
  • < ? = _ ( " Credits " ) ? > ?>
  • diff --git a/includes/account.php b/includes/account.php index 6dacf2da..7f19b135 100644 --- a/includes/account.php +++ b/includes/account.php @@ -1,6 +1,6 @@ real_escape_string(trim(stripslashes($_REQUEST['newemail']))) == "") { showheader(_("My CAcert.org Account!")); printf(_("Not a valid email address. Can't continue.")); @@ -128,7 +128,7 @@ function buildSubjectFromSession() { exit; } $oldid=0; - $_REQUEST['email'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail']))); + $_REQUEST['email'] = $db_conn->real_escape_string(trim(stripslashes($_REQUEST['newemail']))); if(check_email_exists($_REQUEST['email'])==true) { showheader(_("My CAcert.org Account!")); @@ -152,11 +152,11 @@ function buildSubjectFromSession() { } $hash = make_hash(); $query = "insert into `email` set `email`='".$_REQUEST['email']."',`memid`='".intval($_SESSION['profile']['id'])."',`created`=NOW(),`hash`='$hash'"; - mysql_query($query); - $emailid = mysql_insert_id(); + $db_conn->query($query); + $emailid = $db_conn->insert_id; $body = _("Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates to your heart's content!")."\n\n"; - $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; + $body .= build_verify_url(["type" => "email", "mailid" => $emailid, "hash" => $hash]); $body .= _("Best regards")."\n"._("CAcert.org Support!"); sendmail($_REQUEST['email'], "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); 
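Review bot: The verify link in the email-probe hunk at `@@ -152,11 +152,11 @@` renames the query parameter from `emailid` to `mailid` and drops the trailing `"\n\n"` that the replaced line carried, so unless build_verify_url() translates the key, verify.php will not find the id, and the `Best regards` line is glued onto the URL. The domain counterpart in the hunk at `@@ -659,13 +664,13 @@` keeps the separator, which suggests an oversight here: `$body .= build_verify_url(["type" => "email", "emailid" => $emailid, "hash" => $hash]) . "\n\n";`. build_verify_url() itself is not in this view, so its key handling could not be confirmed. The surrounding request-handling block starts outside the hunk.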
@@ -172,15 +172,15 @@ function buildSubjectFromSession() { $id = 2; $emailid = intval($_REQUEST['emailid']); $query = "select * from `email` where `id`='$emailid' and `memid`='".intval($_SESSION['profile']['id'])."' and `hash` = '' and `deleted`=0"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { showheader(_("Error!")); echo _("You currently don't have access to the email address you selected, or you haven't verified it yet."); showfooter(); exit; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); $body = sprintf(_("Hi %s,"),$_SESSION['profile']['fname'])."\n\n"; $body .= _("You are receiving this email because you or someone else ". "has changed the default email on your account.")."\n\n"; @@ -191,8 +191,8 @@ function buildSubjectFromSession() { "support@cacert.org", "", "", "CAcert Support"); $_SESSION['profile']['email'] = $row['email']; - $query = "update `users` set `email`='".mysql_real_escape_string($row['email'])."' where `id`='".intval($_SESSION['profile']['id'])."'"; - mysql_query($query); + $query = "update `users` set `email`='".$db_conn->real_escape_string($row['email'])."' where `id`='".intval($_SESSION['profile']['id'])."'"; + $db_conn->query($query); showheader(_("My CAcert.org Account!")); printf(_("Your default email address has been updated to '%s'."), sanitizeHTML($row['email'])); showfooter(); @@ -216,11 +216,11 @@ function buildSubjectFromSession() { } $id = intval($id); $query = "select * from `email` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."' and - `email`!='".mysql_real_escape_string($_SESSION['profile']['email'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) > 0) + `email`!='".$db_conn->real_escape_string($_SESSION['profile']['email'])."'"; + $res = $db_conn->query($query); + if($res->num_rows > 0) { - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc($res); echo $row['email']."
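Review bot: `$res = $db_conn->query($query);` followed by `$res->num_rows` in the hunk at `@@ -172,15 +172,15 @@` never checks for a failed query; mysqli::query() returns false on error, and reading `num_rows` or calling `fetch_assoc()` on a bool is a fatal Error on PHP 8, whereas the old mysql_num_rows(false) only warned. The same pattern is repeated in every converted lookup in this file, for example the hunks at `@@ -345,7 +345,8 @@` and `@@ -434,7 +435,8 @@`, where `$user = $res->fetch_assoc();` would then leave `$user` null. Either test `if ($res === false)` once per query and fail the request with a logged error, or enable `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` where the connection is created so failures surface as mysqli_sql_exception instead of a later Error on the result object. That connection setup lives in includes/mysql.php, which is not in this view.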
    \n"; account_email_delete($row['id']); $delcount++; @@ -258,7 +258,7 @@ function buildSubjectFromSession() { exit; } - $_SESSION['_config']['SSO'] = intval($_REQUEST['SSO']); + $_SESSION['_config']['SSO'] = array_key_exists('SSO', $_REQUEST) ? intval($_REQUEST['SSO']) : 0; $_SESSION['_config']['addid'] = $_REQUEST['addid']; if($_SESSION['profile']['points'] >= 50) @@ -326,10 +326,10 @@ function buildSubjectFromSession() { if(is_array($_SESSION['_config']['addid'])) foreach($_SESSION['_config']['addid'] as $id) { - $res = mysql_query("select * from `email` where `memid`='".intval($_SESSION['profile']['id'])."' and `id`='".intval($id)."'"); - if(mysql_num_rows($res) > 0) + $res = $db_conn->query("select * from `email` where `memid`='".intval($_SESSION['profile']['id'])."' and `id`='".intval($id)."'"); + if($res->num_rows > 0) { - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if(!$emails) $defaultemail = $row['email']; $emails .= "$count.emailAddress = ".$row['email']."\n"; @@ -345,7 +345,8 @@ function buildSubjectFromSession() { showfooter(); exit; } - $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'")); + $res = $db_conn->query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'"); + $user = $res->fetch_assoc(); if($_SESSION['_config']['SSO'] == 1) $emails .= "$count.emailAddress = ".$user['uniqueID']."\n"; 
@@ -389,13 +390,13 @@ function buildSubjectFromSession() { `codesign`='".intval($_SESSION['_config']['codesign'])."', `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', - `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', - `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; - mysql_query($query); - $emailid = mysql_insert_id(); + `md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."', + `description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'"; + $db_conn->query($query); + $emailid = $db_conn->insert_id; if(is_array($addys)) foreach($addys as $addy) - mysql_query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); + $db_conn->query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); $CSRname=generatecertpath("csr","client",$emailid); $fp = fopen($CSRname, "w"); fputs($fp, $emails); @@ -411,7 +412,7 @@ function buildSubjectFromSession() { showfooter(); exit; } - mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='".intval($emailid)."'"); + $db_conn->query("update `emailcerts` set `csr_name`='$CSRname' where `id`='".intval($emailid)."'"); } else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype'] == "VI") { if($csr == "") $csr = "-----BEGIN CERTIFICATE REQUEST-----\n".clean_csr($_REQUEST['CSR'])."\n-----END CERTIFICATE REQUEST-----\n"; @@ -434,7 +435,8 @@ function buildSubjectFromSession() { $defaultemail = ""; $csrsubject=""; - $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'")); + $res = $db_conn->query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'"); + $user = $res->fetch_assoc(); if(strlen($user['mname']) == 1) $user['mname'] .= '.'; if($_SESSION['_config']['incname'] <= 0 || $_SESSION['_config']['incname'] > 4) 
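Review bot: The `emaillink` insert in the hunk at `@@ -389,13 +390,13 @@` interpolates `$addy` into the SQL string without any escaping, while the parallel insert in the hunk at `@@ -490,27 +492,27 @@` wraps the same value in `real_escape_string()`; the commit touched both lines, so this is the moment to make them agree. Since `emailid` references an `email` row id, which the lookups above cast with intval(), `'".intval($addy)."'` is the consistent guard for both branches, and the same treatment fits `$dom` in the two `domlink` inserts of the hunk at `@@ -831,24 +836,24 @@`. Where `$addys` is populated is outside this view, so whether it only ever holds integers could not be confirmed. The enclosing block starts outside the hunk.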
@@ -450,10 +452,10 @@ function buildSubjectFromSession() { if(is_array($_SESSION['_config']['addid'])) foreach($_SESSION['_config']['addid'] as $id) { - $res = mysql_query("select * from `email` where `memid`='".intval($_SESSION['profile']['id'])."' and `id`='".intval($id)."'"); - if(mysql_num_rows($res) > 0) + $res = $db_conn->query("select * from `email` where `memid`='".intval($_SESSION['profile']['id'])."' and `id`='".intval($id)."'"); + if($res->num_rows > 0) { - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($defaultemail == "") $defaultemail = $row['email']; $csrsubject .= "/emailAddress=".$row['email']; 
@@ -490,27 +492,27 @@ function buildSubjectFromSession() { `keytype`='".sanitizeHTML($_REQUEST['keytype'])."', `memid`='".intval($_SESSION['profile']['id'])."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), - `subject`='".mysql_real_escape_string($csrsubject)."', + `subject`='".$db_conn->real_escape_string($csrsubject)."', `codesign`='".intval($_SESSION['_config']['codesign'])."', `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', - `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', - `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; - mysql_query($query); - $emailid = mysql_insert_id(); + `md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."', + `description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'"; + $db_conn->query($query); + $emailid = $db_conn->insert_id; if(is_array($addys)) foreach($addys as $addy) - mysql_query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='".mysql_real_escape_string($addy)."'"); + $db_conn->query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='".$db_conn->real_escape_string($addy)."'"); $CSRname=generatecertpath("csr","client",$emailid); $fp = fopen($CSRname, "w"); fputs($fp, $csr); fclose($fp); - mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); + $db_conn->query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } waitForResult("emailcerts", $emailid, 4); $query = "select * from `emailcerts` where `id`='$emailid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { $id = 4; showheader(_("My CAcert.org Account!")); 
@@ -547,12 +549,12 @@ function buildSubjectFromSession() { } $newdom = trim(escapeshellarg($newdomain)); - $newdomain = mysql_real_escape_string(trim($newdomain)); + $newdomain = $db_conn->real_escape_string(trim($newdomain)); - $res1 = mysql_query("select * from `orgdomains` where `domain`='$newdomain'"); + $res1 = $db_conn->query("select * from `orgdomains` where `domain`='$newdomain'"); $query = "select * from `domains` where `domain`='$newdomain' and `deleted`=0"; - $res2 = mysql_query($query); - if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2)) + $res2 = $db_conn->query($query); + if($res1->num_rows > 0 || $res2->num_rows) { $oldid=0; $id = 7; @@ -576,10 +578,13 @@ function buildSubjectFromSession() { if(is_array($adds)) foreach($adds as $line) { - $bits = explode(":", $line, 2); - $line = trim($bits[1]); - if(!in_array($line, $addy) && $line != "") - $addy[] = trim(mysql_real_escape_string(stripslashes($line))); + if (strpos($line, ":") > 0) { + $bits = explode(":", $line, 2); + $line = trim($bits[1]); + if (!in_array($line, $addy) && $line != "") { + $addy[] = $db_conn->real_escape_string(trim(stripslashes($line))); + } + } } } else { if(is_array($adds)) @@ -597,7 +602,7 @@ function buildSubjectFromSession() { $line = $bit; } if(!in_array($line, $addy) && $line != "") - $addy[] = trim(mysql_real_escape_string(stripslashes($line))); + $addy[] = trim($db_conn->real_escape_string(stripslashes($line))); } } @@ -606,7 +611,7 @@ function buildSubjectFromSession() { if(!in_array($sub, $addy)) $addy[] = $sub; $_SESSION['_config']['addy'] = $addy; - $_SESSION['_config']['domain'] = mysql_real_escape_string($newdomain); + $_SESSION['_config']['domain'] = $db_conn->real_escape_string($newdomain); } if($process != "" && $oldid == 8) 
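Review bot: `$_SESSION['_config']['domain'] = $db_conn->real_escape_string($newdomain);` in the hunk at `@@ -606,7 +611,7 @@` escapes a value that the hunk at `@@ -547,12 +549,12 @@` already escaped with `$newdomain = $db_conn->real_escape_string(trim($newdomain));`, and the lookup in the hunk at `@@ -633,9 +638,9 @@` escapes it a third time before use, so any backslash or quote in the input is multiplied on each pass. The new branch in `@@ -576,10 +578,13 @@` likewise stores `real_escape_string(trim(stripslashes($line)))` into the session while the sibling branch in `@@ -597,7 +602,7 @@` uses `trim(real_escape_string(...))`, so the two branches produce different strings for the same input. Keeping the raw, trimmed value in the session and escaping only where the SQL string is built (or moving these statements to prepared statements) removes both problems. The enclosing request handler starts outside the hunk.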
@@ -615,7 +620,7 @@ function buildSubjectFromSession() { $oldid=0; $id = 8; - $authaddy = trim(mysql_real_escape_string(stripslashes($_REQUEST['authaddy']))); + $authaddy = trim($db_conn->real_escape_string(stripslashes($_REQUEST['authaddy']))); if($authaddy == "" || !is_array($_SESSION['_config']['addy'])) { @@ -633,9 +638,9 @@ function buildSubjectFromSession() { exit; } - $query = "select * from `domains` where `domain`='".mysql_real_escape_string($_SESSION['_config']['domain'])."' and `deleted`=0"; - $res = mysql_query($query); - if(mysql_num_rows($res) > 0) + $query = "select * from `domains` where `domain`='".$db_conn->real_escape_string($_SESSION['_config']['domain'])."' and `deleted`=0"; + $res = $db_conn->query($query); + if($res->num_rows > 0) { showheader(_("My CAcert.org Account!")); printf(_("The domain '%s' is already in a different account and is listed as valid. Can't continue."), sanitizeHTML($_SESSION['_config']['domain'])); 
@@ -659,13 +664,13 @@ function buildSubjectFromSession() { } $hash = make_hash(); - $query = "insert into `domains` set `domain`='".mysql_real_escape_string($_SESSION['_config']['domain'])."', + $query = "insert into `domains` set `domain`='".$db_conn->real_escape_string($_SESSION['_config']['domain'])."', `memid`='".intval($_SESSION['profile']['id'])."',`created`=NOW(),`hash`='$hash'"; - mysql_query($query); - $domainid = mysql_insert_id(); + $db_conn->query($query); + $domainid = $db_conn->insert_id; $body = sprintf(_("Below is the link you need to open to verify your domain '%s'. Once your address is verified you will be able to start issuing certificates to your heart's content!"),$_SESSION['_config']['domain'])."\n\n"; - $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=domain&domainid=$domainid&hash=$hash\n\n"; + $body .= build_verify_url(["type" => domain, "domainid"=>$domainid,"hash"=>$hash]) . "\n\n"; $body .= _("Best regards")."\n"._("CAcert.org Support!"); sendmail($authaddy, "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); @@ -689,10 +694,10 @@ function buildSubjectFromSession() { { $id = intval($id); $query = "select * from `domains` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) > 0) + $res = $db_conn->query($query); + if($res->num_rows > 0) { - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); echo $row['domain']."
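Review bot: `["type" => domain, ...]` in the hunk at `@@ -659,13 +664,13 @@` uses an unquoted bareword: PHP 7.2+ emits a warning and substitutes the string "domain", and PHP 8 throws an Error for the undefined constant, which would abort the domain-probe mail after the `domains` row has already been inserted. The line should read `$body .= build_verify_url(["type" => "domain", "domainid" => $domainid, "hash" => $hash]) . "\n\n";`. The enclosing block starts outside the hunk.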
    \n"; account_domain_delete($row['id']); } 
@@ -810,20 +815,20 @@ function buildSubjectFromSession() { if(array_key_exists('0',$_SESSION['_config']['rowid']) && $_SESSION['_config']['rowid']['0'] > 0) { $query = "insert into `domaincerts` set - `CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."', - `domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."', - `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."', - `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."', - `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', - `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; + `CN`='".$db_conn->real_escape_string($_SESSION['_config']['rows']['0'])."', + `domid`='".$db_conn->real_escape_string($_SESSION['_config']['rowid']['0'])."', + `created`=NOW(),`subject`='".$db_conn->real_escape_string($subject)."', + `rootcert`='".$db_conn->real_escape_string($_SESSION['_config']['rootcert'])."', + `md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."', + `description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'"; } elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) { $query = "insert into `domaincerts` set - `CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."', - `domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."', - `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."', - `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."', - `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', - `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; + `CN`='".$db_conn->real_escape_string($_SESSION['_config']['altrows']['0'])."', + `domid`='".$db_conn->real_escape_string($_SESSION['_config']['altid']['0'])."', + `created`=NOW(),`subject`='".$db_conn->real_escape_string($subject)."', + 
`rootcert`='".$db_conn->real_escape_string($_SESSION['_config']['rootcert'])."', + `md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."', + `description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'"; } else { showheader(_("My CAcert.org Account!")); echo _("Domain not verified."); @@ -831,24 +836,24 @@ function buildSubjectFromSession() { exit; } - mysql_query($query); - $CSRid = mysql_insert_id(); + $db_conn->query($query); + $CSRid = $db_conn->insert_id; if(is_array($_SESSION['_config']['rowid'])) foreach($_SESSION['_config']['rowid'] as $dom) - mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); + $db_conn->query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); if(is_array($_SESSION['_config']['altid'])) foreach($_SESSION['_config']['altid'] as $dom) - mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); + $db_conn->query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); $CSRname=generatecertpath("csr","server",$CSRid); rename($_SESSION['_config']['tmpfname'], $CSRname); chmod($CSRname,0644); - mysql_query("update `domaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'"); + $db_conn->query("update `domaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'"); waitForResult("domaincerts", $CSRid, 11); $query = "select * from `domaincerts` where `id`='$CSRid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { $id = 11; showheader(_("My CAcert.org Account!")); @@ -878,14 +883,14 @@ function buildSubjectFromSession() { where `domaincerts`.`id`='$id' and `domaincerts`.`domid`=`domains`.`id` and `domains`.`memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
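Review bot: The two `domlink` inserts interpolate `$dom` straight from `$_SESSION['_config']['rowid']` / `['altid']` without any conversion, while the same id goes through `real_escape_string` as `domid` in the `-810` hunk above and `memid` values elsewhere use `intval()`; the numeric id columns should get one consistent treatment, i.e. wrap the value as `intval($dom)` in both insert statements and use `intval(...)` instead of `real_escape_string(...)` for `domid` in the `-810` hunk. The insert results and the later `CSR_name` update are also unchecked, so a failed insert silently leaves a `domaincerts` row with no `domlink` entries. The enclosing branch begins in the `-810` hunk.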
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if (($weakKey = checkWeakKeyX509(file_get_contents( $row['crt_name']))) !== "") @@ -894,20 +899,20 @@ function buildSubjectFromSession() { continue; } - mysql_query("update `domaincerts` set `renewed`='1' where `id`='$id'"); + $db_conn->query("update `domaincerts` set `renewed`='1' where `id`='$id'"); $query = "insert into `domaincerts` set `domid`='".intval($row['domid'])."', - `CN`='".mysql_real_escape_string($row['CN'])."', - `subject`='".mysql_real_escape_string($row['subject'])."',". + `CN`='".$db_conn->real_escape_string($row['CN'])."', + `subject`='".$db_conn->real_escape_string($row['subject'])."',". //`csr_name`='".$row['csr_name']."', // RACE CONDITION - "`created`='".mysql_real_escape_string($row['created'])."', + "`created`='".$db_conn->real_escape_string($row['created'])."', `modified`=NOW(), `rootcert`='".intval($row['rootcert'])."', `type`='".intval($row['type'])."', - `pkhash`='".mysql_real_escape_string($row['pkhash'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; - mysql_query($query); - $newid = mysql_insert_id(); + `pkhash`='".$db_conn->real_escape_string($row['pkhash'])."', + `description`='".$db_conn->real_escape_string($row['description'])."'"; + $db_conn->query($query); + $newid = $db_conn->insert_id; $newfile=generatecertpath("csr","server",$newid); copy($row['csr_name'], $newfile); $newfile_esc = escapeshellarg($newfile); @@ -929,18 +934,18 @@ function buildSubjectFromSession() { } $subject = buildSubjectFromSession(); - $subject = mysql_real_escape_string($subject); - mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'"); + $subject = $db_conn->real_escape_string($subject); + $db_conn->query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'"); echo _("Renewing").": ".sanitizeHTML($_SESSION['_config']['0.CN'])."
    \n"; waitForResult("domaincerts", $newid,$oldid,0); $query = "select * from `domaincerts` where `id`='$newid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "", ""); } else { - $drow = mysql_fetch_assoc($res); + $drow = $res->fetch_assoc(); $crt_name = escapeshellarg($drow['crt_name']); $cert = shell_exec("/usr/bin/openssl x509 -in $crt_name"); echo "
    \n$cert\n
    \n"; @@ -971,19 +976,19 @@ function buildSubjectFromSession() { where `domaincerts`.`id`='$id' and `domaincerts`.`domid`=`domains`.`id` and `domains`.`memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['revoke'] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
    \n", $row['CN']); continue; } - mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); + $db_conn->query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'
    ', htmlspecialchars($row['CN']), htmlspecialchars($row['serial'])); } @@ -1006,19 +1011,19 @@ function buildSubjectFromSession() { where `domaincerts`.`id`='$id' and `domaincerts`.`domid`=`domains`.`id` and `domains`.`memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
    \n", $row['CN']); continue; } - mysql_query("delete from `domaincerts` where `id`='$id'"); + $db_conn->query("delete from `domaincerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
    \n", $row['CN']); @@ -1036,8 +1041,8 @@ function buildSubjectFromSession() { if(substr($id,0,14)=="check_comment_") { $cid = intval(substr($id,14)); - $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); - mysql_query("update `domaincerts` set `description`='$comment' where `id`='$cid'"); + $comment=trim($db_conn->real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + $db_conn->query("update `domaincerts` set `description`='$comment' where `id`='$cid'"); } } echo(_("Certificate settings have been changed.")."
    \n"); @@ -1057,14 +1062,14 @@ function buildSubjectFromSession() { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
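Review bot: The `description` update on `domaincerts` is constrained only by `where id='$cid'`, whereas its `emailcerts` counterpart in the `-1194` hunk adds `and memid=...`; `domaincerts` has no `memid`, so the ownership constraint has to go through `domains`, as the select in the `-878` hunk already does. Unless the surrounding loop restricts `$cid` to the user's own rows (not visible here), the update should carry the same join condition, e.g. change it to update `domaincerts` joined with `domains` on `domaincerts.domid = domains.id` and `domains.memid = intval($_SESSION['profile']['id'])`, or look the row up with the `-878` select first and skip when it is not found. The loop header is outside the hunk.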
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if (($weakKey = checkWeakKeyX509(file_get_contents( $row['crt_name']))) !== "") 
@@ -1073,34 +1078,34 @@ function buildSubjectFromSession() { continue; } - mysql_query("update `emailcerts` set `renewed`='1' where `id`='$id'"); + $db_conn->query("update `emailcerts` set `renewed`='1' where `id`='$id'"); $query = "insert into emailcerts set `memid`='".intval($row['memid'])."', - `CN`='".mysql_real_escape_string($row['CN'])."', - `subject`='".mysql_real_escape_string($row['subject'])."', - `keytype`='".mysql_real_escape_string($row['keytype'])."', - `csr_name`='".mysql_real_escape_string($row['csr_name'])."', - `created`='".mysql_real_escape_string($row['created'])."', + `CN`='".$db_conn->real_escape_string($row['CN'])."', + `subject`='".$db_conn->real_escape_string($row['subject'])."', + `keytype`='".$db_conn->real_escape_string($row['keytype'])."', + `csr_name`='".$db_conn->real_escape_string($row['csr_name'])."', + `created`='".$db_conn->real_escape_string($row['created'])."', `modified`=NOW(), `disablelogin`='".intval($row['disablelogin'])."', `codesign`='".intval($row['codesign'])."', `rootcert`='".intval($row['rootcert'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; - mysql_query($query); - $newid = mysql_insert_id(); + `description`='".$db_conn->real_escape_string($row['description'])."'"; + $db_conn->query($query); + $newid = $db_conn->insert_id; $newfile=generatecertpath("csr","client",$newid); copy($row['csr_name'], $newfile); - mysql_query("update `emailcerts` set `csr_name`='$newfile' where `id`='$newid'"); - $res = mysql_query("select * from `emaillink` where `emailcertsid`='".$row['id']."'"); - while($r2 = mysql_fetch_assoc($res)) + $db_conn->query("update `emailcerts` set `csr_name`='$newfile' where `id`='$newid'"); + $res = $db_conn->query("select * from `emaillink` where `emailcertsid`='".$row['id']."'"); + while($r2 = $res->fetch_assoc()) { - mysql_query("insert into `emaillink` set `emailid`='".$r2['emailid']."', + $db_conn->query("insert into `emaillink` set `emailid`='".$r2['emailid']."', 
`emailcertsid`='$newid'"); } waitForResult("emailcerts", $newid,$oldid,0); $query = "select * from `emailcerts` where `id`='$newid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "", ""); } else { @@ -1131,19 +1136,19 @@ function buildSubjectFromSession() { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['revoke'] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
    \n", $row['CN']); continue; } - mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); + $db_conn->query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'
    ', htmlspecialchars($row['CN']), htmlspecialchars($row['serial'])); } @@ -1163,19 +1168,19 @@ function buildSubjectFromSession() { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`expire`) as `expired` from `emailcerts` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
    \n", $row['CN']); continue; } - mysql_query("delete from `emailcerts` where `id`='$id'"); + $db_conn->query("delete from `emailcerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
    \n", $row['CN']); @@ -1194,14 +1199,14 @@ function buildSubjectFromSession() { { $cid = intval(substr($id,5)); $dis=(array_key_exists('disablelogin_'.$cid,$_REQUEST) && $_REQUEST['disablelogin_'.$cid]=="1")?"0":"1"; - mysql_query("update `emailcerts` set `disablelogin`='$dis' where `id`='$cid' and `memid`='".intval($_SESSION['profile']['id'])."'"); + $db_conn->query("update `emailcerts` set `disablelogin`='$dis' where `id`='$cid' and `memid`='".intval($_SESSION['profile']['id'])."'"); } if(substr($id,0,14)=="check_comment_") { $cid = intval(substr($id,14)); if(!empty($_REQUEST['check_comment_'.$cid])) { - $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); - mysql_query("update `emailcerts` set `description`='$comment' where `id`='$cid' and `memid`='".intval($_SESSION['profile']['id'])."'"); + $comment=trim($db_conn->real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + $db_conn->query("update `emailcerts` set `description`='$comment' where `id`='$cid' and `memid`='".intval($_SESSION['profile']['id'])."'"); } } } 
@@ -1215,16 +1220,16 @@ function buildSubjectFromSession() { csrf_check("perschange"); $_SESSION['_config']['user'] = $_SESSION['profile']; - $_SESSION['_config']['user']['Q1'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['Q1'])))); - $_SESSION['_config']['user']['Q2'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['Q2'])))); - $_SESSION['_config']['user']['Q3'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['Q3'])))); - $_SESSION['_config']['user']['Q4'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['Q4'])))); - $_SESSION['_config']['user']['Q5'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['Q5'])))); - $_SESSION['_config']['user']['A1'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A1'])))); - $_SESSION['_config']['user']['A2'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A2'])))); - $_SESSION['_config']['user']['A3'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A3'])))); - $_SESSION['_config']['user']['A4'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A4'])))); - $_SESSION['_config']['user']['A5'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A5'])))); + $_SESSION['_config']['user']['Q1'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['Q1'])))); + $_SESSION['_config']['user']['Q2'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['Q2'])))); + $_SESSION['_config']['user']['Q3'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['Q3'])))); + $_SESSION['_config']['user']['Q4'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['Q4'])))); + $_SESSION['_config']['user']['Q5'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['Q5'])))); + $_SESSION['_config']['user']['A1'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['A1'])))); + 
$_SESSION['_config']['user']['A2'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['A2'])))); + $_SESSION['_config']['user']['A3'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['A3'])))); + $_SESSION['_config']['user']['A4'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['A4'])))); + $_SESSION['_config']['user']['A5'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['A5'])))); if($_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q2'] || $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q3'] || 
@@ -1276,16 +1281,16 @@ function buildSubjectFromSession() { if($oldid == 13 && $process != "") { $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`"; - $ddres = mysql_query($ddquery); - $ddrow = mysql_fetch_assoc($ddres); + $ddres = $db_conn->query($ddquery); + $ddrow = $ddres->fetch_assoc(); $_SESSION['profile']['points'] = $ddrow['total']; if($_SESSION['profile']['points'] == 0) { - $_SESSION['_config']['user']['fname'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['fname'])))); - $_SESSION['_config']['user']['mname'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['mname'])))); - $_SESSION['_config']['user']['lname'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['lname'])))); - $_SESSION['_config']['user']['suffix'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['suffix'])))); + $_SESSION['_config']['user']['fname'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['fname'])))); + $_SESSION['_config']['user']['mname'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['mname'])))); + $_SESSION['_config']['user']['lname'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['lname'])))); + $_SESSION['_config']['user']['suffix'] = trim($db_conn->real_escape_string(stripslashes(strip_tags($_REQUEST['suffix'])))); $_SESSION['_config']['user']['day'] = intval($_REQUEST['day']); $_SESSION['_config']['user']['month'] = intval($_REQUEST['month']); $_SESSION['_config']['user']['year'] = intval($_REQUEST['year']); 
@@ -1316,7 +1321,7 @@ function buildSubjectFromSession() { `suffix`='".$_SESSION['_config']['user']['suffix']."', `dob`='".$_SESSION['_config']['user']['year']."-".$_SESSION['_config']['user']['month']."-".$_SESSION['_config']['user']['day']."' where `id`='".intval($_SESSION['profile']['id'])."'"; - mysql_query($query); + $db_conn->query($query); } if ($showdetails!="") { $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."', @@ -1330,16 +1335,16 @@ function buildSubjectFromSession() { `A4`='".$_SESSION['_config']['user']['A4']."', `A5`='".$_SESSION['_config']['user']['A5']."' where `id`='".intval($_SESSION['profile']['id'])."'"; - mysql_query($query); + $db_conn->query($query); } $_SESSION['_config']['user']['set'] = 0; - $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'")); + $_SESSION['profile'] = $db_conn->query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'")->fetch_assoc(); $_SESSION['profile']['loggedin'] = 1; $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`"; - $ddres = mysql_query($ddquery); - $ddrow = mysql_fetch_assoc($ddres); + $ddres = $db_conn->query($ddquery); + $ddrow = $ddres->fetch_assoc(); $_SESSION['profile']['points'] = $ddrow['total']; 
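Review bot: `$_SESSION['profile'] = $db_conn->query("select * from `users` ...")->fetch_assoc();` chains the method call onto the query result, so a failed query now throws an Error (method call on `false`) where the old code produced a warning, and a zero-row result assigns `null` to `$_SESSION['profile']` before the following `['loggedin'] = 1` turns it into a one-key array, after which later `intval($_SESSION['profile']['id'])` reads would hit an undefined key. Split it into `$res = $db_conn->query(...);` followed by a check that `$res` is not `false` and that `fetch_assoc()` returned a row before the session profile is overwritten. The enclosing `if($oldid == 13 ...)` block starts in the `-1276` hunk.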
@@ -1352,9 +1357,9 @@ function buildSubjectFromSession() { if($oldid == 14 && $process != "") { - $_SESSION['_config']['user']['oldpass'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['oldpassword']))); - $_SESSION['_config']['user']['pword1'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['pword1']))); - $_SESSION['_config']['user']['pword2'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['pword2']))); + $_SESSION['_config']['user']['oldpass'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['oldpassword']))); + $_SESSION['_config']['user']['pword1'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['pword1']))); + $_SESSION['_config']['user']['pword2'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['pword2']))); $id = 14; csrf_check("pwchange"); @@ -1371,10 +1376,10 @@ function buildSubjectFromSession() { if($_SESSION['_config']['hostname'] != $_SESSION['_config']['securehostname']) { - $match = mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."' and + $match = $db_conn->query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."' and (`password`=old_password('".$_SESSION['_config']['user']['oldpass']."') or `password`=sha1('".$_SESSION['_config']['user']['oldpass']."'))"); - $rc = mysql_num_rows($match); + $rc = $match->num_rows; } else { $rc = 1; } @@ -1392,7 +1397,7 @@ function buildSubjectFromSession() { _("Failure: Pass Phrase not Changed"), '', "\n"; echo _("You failed to correctly enter your current Pass Phrase."); } else { - mysql_query("update `users` set `password`=sha1('".$_SESSION['_config']['user']['pword1']."') + $db_conn->query("update `users` set `password`=sha1('".$_SESSION['_config']['user']['pword1']."') where `id`='".intval($_SESSION['profile']['id'])."'"); echo '
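Review bot: The pass-phrase check in the `$match` query still hashes the secret inside the SQL text (`old_password('...')` / `sha1('...')`) with the `real_escape_string`-escaped session value interpolated into the statement, so the plaintext pass phrase is part of the query string sent to the server and can be captured by general or slow query logging; the `sha1('...')` update in the `-1392` hunk has the same property. A prepared statement with the pass phrase bound as a parameter would at least keep it out of the statement text, and fetching the stored hash and comparing in PHP (`hash_equals`) would make the comparison constant-time and allow a later move to `password_hash` without a schema change. Unsalted SHA1 / `OLD_PASSWORD` storage is pre-existing and outside this migration's scope, but a `// TODO: hash and verify pass phrases in PHP, not in SQL` next to this query would record it. The enclosing `if($oldid == 14 ...)` block starts in the `-1352` hunk.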

    ', _("Pass Phrase Changed Successfully"), '

    ', "\n"; echo _("Your Pass Phrase has been updated and your primary email account has been notified of the change."); @@ -1417,7 +1422,7 @@ function buildSubjectFromSession() { foreach($_REQUEST['emails'] as $val) { - $val = mysql_real_escape_string(stripslashes(trim($val))); + $val = $db_conn->real_escape_string(stripslashes(trim($val))); $bits = explode("@", $val); $count = count($bits); if($count != 2) @@ -1434,7 +1439,7 @@ function buildSubjectFromSession() { if($val != "") $_SESSION['_config']['emails'][] = $val; } - $_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['name']))); + $_SESSION['_config']['name'] = $db_conn->real_escape_string(stripslashes(trim($_REQUEST['name']))); $_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU'])); $_SESSION['_config']['description']= trim(stripslashes($_REQUEST['description'])); @@ -1504,7 +1509,7 @@ function buildSubjectFromSession() { if($_SESSION['_config']['name'] != "") $emails .= "commonName = ".$_SESSION['_config']['name']."\n"; if($_SESSION['_config']['OU']) - $emails .= "organizationalUnitName = ".mysql_real_escape_string($_SESSION['_config']['OU'])."\n"; + $emails .= "organizationalUnitName = ".$db_conn->real_escape_string($_SESSION['_config']['OU'])."\n"; if($org['O']) $emails .= "organizationName = ".$org['O']."\n"; if($org['L']) 
@@ -1529,19 +1534,20 @@ function buildSubjectFromSession() { $query = "insert into `orgemailcerts` set `CN`='$defaultemail', - `ou`='".mysql_real_escape_string($_SESSION['_config']['OU'])."', + `ou`='".$db_conn->real_escape_string($_SESSION['_config']['OU'])."', `keytype`='NS', `orgid`='".intval($org['orgid'])."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `codesign`='".intval($_SESSION['_config']['codesign'])."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', - `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', - `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; - mysql_query($query); - $emailid = mysql_insert_id(); + `md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."', + `description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'"; + $db_conn->query($query); + $emailid = $db_conn->insert_id; - foreach($_SESSION['_config']['domids'] as $addy) - mysql_query("insert into `domemaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); + foreach($_SESSION['_config']['domids'] as $addy) { + $db_conn->query("insert into `orgemaillink` set `emailcertsid`='$emailid', `domid`='$addy'"); + } $CSRname=generatecertpath("csr","orgclient",$emailid); $fp = fopen($CSRname, "w"); @@ -1558,7 +1564,7 @@ function buildSubjectFromSession() { showfooter(); exit; } - mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); + $db_conn->query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype']=="VI") { $csr = clean_csr($_REQUEST['CSR']); if(strpos($csr,"---BEGIN") === FALSE) 
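Review bot: The `domids` loop now writes to `orgemaillink` with column `domid` instead of `domemaillink` / `emailid`, which is a schema change hidden inside a `mysql_*` to `mysqli` migration; it deserves a line in the commit message or a comment on the loop naming the migration script that creates `orgemaillink`, since a reader of this diff cannot tell whether the old table is dropped or still read elsewhere. `$addy` is also interpolated without `intval()`, unlike `$org['orgid']` in the statement just above; `'" . intval($addy) . "'` would be consistent. The same rename and interpolation appear in the `-1629` hunk. The enclosing branch starts outside the hunk.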
@@ -1629,31 +1635,31 @@ function buildSubjectFromSession() { $query = "insert into `orgemailcerts` set `CN`='$defaultemail', - `ou`='".mysql_real_escape_string($_SESSION['_config']['OU'])."', + `ou`='".$db_conn->real_escape_string($_SESSION['_config']['OU'])."', `keytype`='" . sanitizeHTML($_REQUEST['keytype']) . "', `orgid`='".intval($org['orgid'])."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), - `subject`='".mysql_real_escape_string($csrsubject)."', + `subject`='".$db_conn->real_escape_string($csrsubject)."', `codesign`='".intval($_SESSION['_config']['codesign'])."', `rootcert`='".intval($_SESSION['_config']['rootcert'])."', - `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."', - `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'"; - mysql_query($query); - $emailid = mysql_insert_id(); + `md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."', + `description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'"; + $db_conn->query($query); + $emailid = $db_conn->insert_id; foreach($_SESSION['_config']['domids'] as $addy) - mysql_query("insert into `domemaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); + $db_conn->query("insert into `orgemaillink` set `emailcertsid`='$emailid', `domid`='$addy'"); $CSRname=generatecertpath("csr","orgclient",$emailid); $fp = fopen($CSRname, "w"); fputs($fp, $csr); fclose($fp); - mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); + $db_conn->query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } waitForResult("orgemailcerts", $emailid,$oldid); $query = "select * from `orgemailcerts` where `id`='$emailid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { showheader(_("My CAcert.org Account!")); printf(_("Your certificate request has failed to be processed correctly, see %sthe 
WIKI page%s for reasons and solutions."), "", ""); @@ -1681,14 +1687,14 @@ function buildSubjectFromSession() { $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `orgemailcerts`, `org` where `orgemailcerts`.`id`='$id' and `org`.`memid`='".intval($_SESSION['profile']['id'])."' and `org`.`orgid`=`orgemailcerts`.`orgid`"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if (($weakKey = checkWeakKeyX509(file_get_contents( $row['crt_name']))) !== "") @@ -1697,7 +1703,7 @@ function buildSubjectFromSession() { continue; } - mysql_query("update `orgemailcerts` set `renewed`='1' where `id`='$id'"); + $db_conn->query("update `orgemailcerts` set `renewed`='1' where `id`='$id'"); if($row['revoke'] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
    \n", $row['CN']); @@ -1705,25 +1711,25 @@ function buildSubjectFromSession() { } $query = "insert into `orgemailcerts` set `orgid`='".intval($row['orgid'])."', - `CN`='".mysql_real_escape_string($row['CN'])."', - `ou`='".mysql_real_escape_string($row['ou'])."', - `subject`='".mysql_real_escape_string($row['subject'])."', - `keytype`='".mysql_real_escape_string($row['keytype'])."', - `csr_name`='".mysql_real_escape_string($row['csr_name'])."', - `created`='".mysql_real_escape_string($row['created'])."', + `CN`='".$db_conn->real_escape_string($row['CN'])."', + `ou`='".$db_conn->real_escape_string($row['ou'])."', + `subject`='".$db_conn->real_escape_string($row['subject'])."', + `keytype`='".$db_conn->real_escape_string($row['keytype'])."', + `csr_name`='".$db_conn->real_escape_string($row['csr_name'])."', + `created`='".$db_conn->real_escape_string($row['created'])."', `modified`=NOW(), `codesign`='".intval($row['codesign'])."', `rootcert`='".intval($row['rootcert'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; - mysql_query($query); - $newid = mysql_insert_id(); + `description`='".$db_conn->real_escape_string($row['description'])."'"; + $db_conn->query($query); + $newid = $db_conn->insert_id; $newfile=generatecertpath("csr","orgclient",$newid); copy($row['csr_name'], $newfile); - mysql_query("update `orgemailcerts` set `csr_name`='$newfile' where `id`='$newid'"); + $db_conn->query("update `orgemailcerts` set `csr_name`='$newfile' where `id`='$newid'"); waitForResult("orgemailcerts", $newid,$oldid,0); $query = "select * from `orgemailcerts` where `id`='$newid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) > 0) + $res = $db_conn->query($query); + if($res->num_rows > 0) { printf(_("Certificate for '%s' has been renewed."), $row['CN']); echo "". 
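Review bot: The `renewed`='1' update on `orgemailcerts` runs before the `$row['revoke'] > 0` check that follows it, so a certificate that is then skipped as already revoked is still flagged as renewed although no replacement row is created in the `-1705` hunk. The `domaincerts` and `emailcerts` renewal paths (`-894`, `-1073`) have no revoke check at this point, so this ordering is specific to the org path; moving the update below the revoke check, or after the insert in the `-1705` hunk, would keep the flag accurate. The weak-key check and the loop header are outside the hunk.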
@@ -1754,19 +1760,19 @@ function buildSubjectFromSession() { $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `orgemailcerts`, `org` where `orgemailcerts`.`id`='".intval($id)."' and `org`.`memid`='".intval($_SESSION['profile']['id'])."' and `org`.`orgid`=`orgemailcerts`.`orgid`"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['revoke'] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
    \n", $row['CN']); continue; } - mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); + $db_conn->query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'
    ', htmlspecialchars($row['CN']), htmlspecialchars($row['serial'])); } @@ -1787,19 +1793,19 @@ function buildSubjectFromSession() { $query = "select *,UNIX_TIMESTAMP(`expire`) as `expired` from `orgemailcerts`, `org` where `orgemailcerts`.`id`='".intval($id)."' and `org`.`memid`='".intval($_SESSION['profile']['id'])."' and `org`.`orgid`=`orgemailcerts`.`orgid`"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
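Review bot: The update at the end of this hunk interpolates `$id` raw (`where id='$id'`) while the select just above it uses `intval($id)`; since the row was just validated, the update should use the same guard, `where id='".intval($id)."'` (or `$row['id']`). The same raw-`$id` update or delete appears in the new lines of the -1697, -1787, -2051, -2114 and -2149 hunks, the -2035, -2114 and -2149 selects use raw `$id` in their where clause too, and the -2059 and -2320 hunks interpolate `$row['id']` without intval while the statements next to them cast. Whether `$id` is already an integer depends on the loop header outside these hunks, so I cannot tell from the diff whether this is reachable with a crafted key, but casting at every id site removes the question. The enclosing block starts and ends outside this hunk.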
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
    \n", $row['CN']); continue; } - mysql_query("delete from `orgemailcerts` where `id`='$id'"); + $db_conn->query("delete from `orgemailcerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
    \n", $row['CN']); @@ -1817,8 +1823,8 @@ function buildSubjectFromSession() { if(substr($id,0,14)=="check_comment_") { $cid = intval(substr($id,14)); - $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); - mysql_query("update `orgemailcerts` set `description`='$comment' where `id`='$cid'"); + $comment=trim($db_conn->real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + $db_conn->query("update `orgemailcerts` set `description`='$comment' where `id`='$cid'"); } } echo(_("Certificate settings have been changed.")."
    \n"); @@ -1879,14 +1885,14 @@ function buildSubjectFromSession() { `org`.`memid`='".intval($_SESSION['profile']['id'])."' and `org`.`orgid`=`orginfo`.`id` and `org`.`orgid`=`orgdomains`.`orgid` and - `orgdomains`.`domain`='".mysql_real_escape_string($_SESSION['_config']['0.CN'])."'"; - $_SESSION['_config']['CNorg'] = mysql_fetch_assoc(mysql_query($query)); + `orgdomains`.`domain`='".$db_conn->real_escape_string($_SESSION['_config']['0.CN'])."'"; + $_SESSION['_config']['CNorg'] = $db_conn->query($query)->fetch_assoc(); $query = "select * from `orginfo`,`org`,`orgdomains` where `org`.`memid`='".intval($_SESSION['profile']['id'])."' and `org`.`orgid`=`orginfo`.`id` and `org`.`orgid`=`orgdomains`.`orgid` and - `orgdomains`.`domain`='".mysql_real_escape_string($_SESSION['_config']['0.subjectAltName'])."'"; - $_SESSION['_config']['SANorg'] = mysql_fetch_assoc(mysql_query($query)); + `orgdomains`.`domain`='".$db_conn->real_escape_string($_SESSION['_config']['0.subjectAltName'])."'"; + $_SESSION['_config']['SANorg'] = $db_conn->query($query)->fetch_assoc(); //echo "
    "; print_r($_SESSION['_config']); die;
     
     		if($_SESSION['_config']['0.CN'] == "" && $_SESSION['_config']['0.subjectAltName'] == "")
    @@ -1946,7 +1952,7 @@ function buildSubjectFromSession() {
     					`orginfo`.`id`=`org`.`orgid` and
     					`org`.`memid`='".intval($_SESSION['profile']['id'])."'";
     		}
    -		$org = mysql_fetch_assoc(mysql_query($query));
    +		$org = $db_conn->query($query)->fetch_assoc();
     		$csrsubject = "";
     
     		if($_SESSION['_config']['OU'])
    @@ -1972,42 +1978,42 @@ function buildSubjectFromSession() {
     		if($_SESSION['_config']['rowid']['0'] > 0)
     		{
     			$query = "insert into `orgdomaincerts` set
    -					`CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."',
    +					`CN`='".$db_conn->real_escape_string($_SESSION['_config']['rows']['0'])."',
     					`orgid`='".intval($org['id'])."',
     					`created`=NOW(),
    -					`subject`='".mysql_real_escape_string($csrsubject)."',
    +					`subject`='".$db_conn->real_escape_string($csrsubject)."',
     					`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
    -					`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
    +					`md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."',
     					`type`='".$type."',
    -					`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
    +					`description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'";
     		} else {
     			$query = "insert into `orgdomaincerts` set
    -					`CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."',
    +					`CN`='".$db_conn->real_escape_string($_SESSION['_config']['altrows']['0'])."',
     					`orgid`='".intval($org['id'])."',
     					`created`=NOW(),
    -					`subject`='".mysql_real_escape_string($csrsubject)."',
    +					`subject`='".$db_conn->real_escape_string($csrsubject)."',
     					`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
    -					`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
    +					`md`='".$db_conn->real_escape_string($_SESSION['_config']['hash_alg'])."',
     					`type`='".$type."',
    -					`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
    +					`description`='".$db_conn->real_escape_string($_SESSION['_config']['description'])."'";
     		}
    -		mysql_query($query);
    -		$CSRid = mysql_insert_id();
    +		$db_conn->query($query);
    +		$CSRid = $db_conn->insert_id;
     
     		$CSRname=generatecertpath("csr","orgserver",$CSRid);
     		rename($_SESSION['_config']['tmpfname'], $CSRname);
     		chmod($CSRname,0644);
    -		mysql_query("update `orgdomaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'");
    +		$db_conn->query("update `orgdomaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'");
     		if(is_array($_SESSION['_config']['rowid']))
     			foreach($_SESSION['_config']['rowid'] as $id)
    -				mysql_query("insert into `orgdomlink` set `orgdomid`='".intval($id)."', `orgcertid`='$CSRid'");
    +				$db_conn->query("insert into `orgdomlink` set `orgdomid`='".intval($id)."', `orgcertid`='$CSRid'");
     		if(is_array($_SESSION['_config']['altid']))
     			foreach($_SESSION['_config']['altid'] as $id)
    -				mysql_query("insert into `orgdomlink` set `orgdomid`='".intval($id)."', `orgcertid`='$CSRid'");
    +				$db_conn->query("insert into `orgdomlink` set `orgdomid`='".intval($id)."', `orgcertid`='$CSRid'");
     		waitForResult("orgdomaincerts", $CSRid,$oldid);
     		$query = "select * from `orgdomaincerts` where `id`='$CSRid' and `crt_name` != ''";
    -		$res = mysql_query($query);
    -		if(mysql_num_rows($res) <= 0)
    +		$res = $db_conn->query($query);
    +		if($res->num_rows <= 0)
     		{
     			showheader(_("My CAcert.org Account!"));
     			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." CSRid: $CSRid", "", "");
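Review bot: `type`='".$type."'` is the one value in the two rewritten inserts that passes through neither intval() nor real_escape_string(), while the `rootcert` line beside it is cast. `$type` is assigned outside the hunk, so if it is already an integer this is only a consistency gap; otherwise it is the class of issue the escaping in this commit is meant to close, and `type`='".intval($type)."'` would settle it either way. The enclosing block starts and ends outside this hunk.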
    @@ -2035,14 +2041,14 @@ function buildSubjectFromSession() {
     						where `orgdomaincerts`.`id`='$id' and
     						`orgdomaincerts`.`orgid`=`org`.`orgid` and
     						`org`.`memid`='".intval($_SESSION['profile']['id'])."'";
    -				$res = mysql_query($query);
    -				if(mysql_num_rows($res) <= 0)
    +				$res = $db_conn->query($query);
    +				if($res->num_rows <= 0)
     				{
     					printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if (($weakKey = checkWeakKeyX509(file_get_contents( $row['crt_name']))) !== "") @@ -2051,7 +2057,7 @@ function buildSubjectFromSession() { continue; } - mysql_query("update `orgdomaincerts` set `renewed`='1' where `id`='$id'"); + $db_conn->query("update `orgdomaincerts` set `renewed`='1' where `id`='$id'"); if($row['revoke'] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
    \n", $row['CN']); @@ -2059,32 +2065,32 @@ function buildSubjectFromSession() { } $query = "insert into `orgdomaincerts` set `orgid`='".intval($row['orgid'])."', - `CN`='".mysql_real_escape_string($row['CN'])."', - `csr_name`='".mysql_real_escape_string($row['csr_name'])."', - `created`='".mysql_real_escape_string($row['created'])."', + `CN`='".$db_conn->real_escape_string($row['CN'])."', + `csr_name`='".$db_conn->real_escape_string($row['csr_name'])."', + `created`='".$db_conn->real_escape_string($row['created'])."', `modified`=NOW(), - `subject`='".mysql_real_escape_string($row['subject'])."', + `subject`='".$db_conn->real_escape_string($row['subject'])."', `type`='".intval($row['type'])."', `rootcert`='".intval($row['rootcert'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; - mysql_query($query); - $newid = mysql_insert_id(); + `description`='".$db_conn->real_escape_string($row['description'])."'"; + $db_conn->query($query); + $newid = $db_conn->insert_id; //echo "NewID: $newid
    \n"; $newfile=generatecertpath("csr","orgserver",$newid); copy($row['csr_name'], $newfile); - mysql_query("update `orgdomaincerts` set `csr_name`='$newfile' where `id`='$newid'"); + $db_conn->query("update `orgdomaincerts` set `csr_name`='$newfile' where `id`='$newid'"); echo _("Renewing").": ".$row['CN']."
    \n"; - $res = mysql_query("select * from `orgdomlink` where `orgcertid`='".$row['id']."'"); - while($r2 = mysql_fetch_assoc($res)) - mysql_query("insert into `orgdomlink` set `orgdomid`='".intval($r2['orgdomid'])."', `orgcertid`='$newid'"); + $res = $db_conn->query("select * from `orgdomlink` where `orgcertid`='".$row['id']."'"); + while($r2 = $res->fetch_assoc()) + $db_conn->query("insert into `orgdomlink` set `orgdomid`='".intval($r2['orgdomid'])."', `orgcertid`='$newid'"); waitForResult("orgdomaincerts", $newid,$oldid,0); $query = "select * from `orgdomaincerts` where `id`='$newid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "", ""); } else { - $drow = mysql_fetch_assoc($res); + $drow = $res->fetch_assoc(); $crtname = escapeshellarg($drow['crt_name']); $cert = shell_exec("/usr/bin/openssl x509 -in $crtname"); echo "
    \n$cert\n
    \n"; @@ -2114,19 +2120,19 @@ function buildSubjectFromSession() { where `orgdomaincerts`.`id`='$id' and `orgdomaincerts`.`orgid`=`org`.`orgid` and `org`.`memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['revoke'] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
    \n", $row['CN']); continue; } - mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); + $db_conn->query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'
    ', htmlspecialchars($row['CN']), htmlspecialchars($row['serial'])); } @@ -2149,19 +2155,19 @@ function buildSubjectFromSession() { where `orgdomaincerts`.`id`='$id' and `orgdomaincerts`.`orgid`=`org`.`orgid` and `org`.`memid`='".intval($_SESSION['profile']['id'])."'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
    \n", $id); continue; } - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
    \n", $row['CN']); continue; } - mysql_query("delete from `orgdomaincerts` where `id`='$id'"); + $db_conn->query("delete from `orgdomaincerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
    \n", $row['CN']); @@ -2179,8 +2185,8 @@ function buildSubjectFromSession() { if(substr($id,0,14)=="check_comment_") { $cid = intval(substr($id,14)); - $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); - mysql_query("update `orgdomaincerts` set `description`='$comment' where `id`='$cid'"); + $comment=trim($db_conn->real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + $db_conn->query("update `orgdomaincerts` set `description`='$comment' where `id`='$cid'"); } } echo(_("Certificate settings have been changed.")."
    \n"); @@ -2219,18 +2225,18 @@ function buildSubjectFromSession() { if($oldid == 24 && $process != "") { $id = intval($oldid); - $_SESSION['_config']['O'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['O']))); - $_SESSION['_config']['contact'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['contact']))); - $_SESSION['_config']['L'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['L']))); - $_SESSION['_config']['ST'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['ST']))); - $_SESSION['_config']['C'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['C']))); - $_SESSION['_config']['comments'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['comments']))); + $_SESSION['_config']['O'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['O']))); + $_SESSION['_config']['contact'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['contact']))); + $_SESSION['_config']['L'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['L']))); + $_SESSION['_config']['ST'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['ST']))); + $_SESSION['_config']['C'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['C']))); + $_SESSION['_config']['comments'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['comments']))); if($_SESSION['_config']['O'] == "" || $_SESSION['_config']['contact'] == "") { $_SESSION['_config']['errmsg'] = _("Organisation Name and Contact Email are required fields."); } else { - mysql_query("insert into `orginfo` set `O`='".$_SESSION['_config']['O']."', + $db_conn->query("insert into `orginfo` set `O`='".$_SESSION['_config']['O']."', `contact`='".$_SESSION['_config']['contact']."', `L`='".$_SESSION['_config']['L']."', `ST`='".$_SESSION['_config']['ST']."', 
@@ -2247,18 +2253,18 @@ function buildSubjectFromSession() { { csrf_check('orgdetchange'); $id = intval($oldid); - $_SESSION['_config']['O'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['O']))); - $_SESSION['_config']['contact'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['contact']))); - $_SESSION['_config']['L'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['L']))); - $_SESSION['_config']['ST'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['ST']))); - $_SESSION['_config']['C'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['C']))); - $_SESSION['_config']['comments'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['comments']))); + $_SESSION['_config']['O'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['O']))); + $_SESSION['_config']['contact'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['contact']))); + $_SESSION['_config']['L'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['L']))); + $_SESSION['_config']['ST'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['ST']))); + $_SESSION['_config']['C'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['C']))); + $_SESSION['_config']['comments'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['comments']))); if($_SESSION['_config']['O'] == "" || $_SESSION['_config']['contact'] == "") { $_SESSION['_config']['errmsg'] = _("Organisation Name and Contact Email are required fields."); } else { - mysql_query("update `orginfo` set `O`='".$_SESSION['_config']['O']."', + $db_conn->query("update `orginfo` set `O`='".$_SESSION['_config']['O']."', `contact`='".$_SESSION['_config']['contact']."', `L`='".$_SESSION['_config']['L']."', `ST`='".$_SESSION['_config']['ST']."', 
@@ -2274,9 +2280,9 @@ function buildSubjectFromSession() { if($oldid == 28 && $process != "" && array_key_exists("domainname",$_REQUEST)) { - $domain = $_SESSION['_config']['domain'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['domainname']))); - $res1 = mysql_query("select * from `orgdomains` where `domain`='$domain'"); - if(mysql_num_rows($res1) > 0) + $domain = $_SESSION['_config']['domain'] = trim($db_conn->real_escape_string(stripslashes($_REQUEST['domainname']))); + $res1 = $db_conn->query("select * from `orgdomains` where `domain`='$domain'"); + if($res1->num_rows > 0) { $_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in a different account and is listed as valid. Can't continue."), sanitizeHTML($domain)); $id = $oldid; @@ -2292,7 +2298,7 @@ function buildSubjectFromSession() { if($oldid == 28 && $process != "" && array_key_exists("orgid",$_SESSION["_config"])) { - mysql_query("insert into `orgdomains` set `orgid`='".intval($_SESSION['_config']['orgid'])."', `domain`='$domain'"); + $db_conn->query("insert into `orgdomains` set `orgid`='".intval($_SESSION['_config']['orgid'])."', `domain`='$domain'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully added to the database."), sanitizeHTML($domain)); echo "

    "._("Click here")." "._("to continue."); @@ -2302,11 +2308,11 @@ function buildSubjectFromSession() { if($oldid == 29 && $process != "") { - $domain = mysql_real_escape_string(stripslashes(trim($_REQUEST['domainname']))); + $domain = $db_conn->real_escape_string(stripslashes(trim($_REQUEST['domainname']))); - $res1 = mysql_query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".intval($domid)."'"); - $res2 = mysql_query("select * from `domains` where `domain` like '$domain' and `deleted`=0"); - if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0) + $res1 = $db_conn->query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".intval($domid)."'"); + $res2 = $db_conn->query("select * from `domains` where `domain` like '$domain' and `deleted`=0"); + if($res1->num_rows > 0 || $res2->num_rows > 0) { $_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in a different account and is listed as valid. Can't continue."), sanitizeHTML($domain)); $id = $oldid; 
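Review bot: `where domain like '$domain'` in the two new selects takes a user-controlled pattern: real_escape_string() neutralises quotes but not the LIKE metacharacters `%` and `_`, so a submitted value such as `%` matches every row and trips the duplicate check for any domain, whereas the -2274 hunk performs the same check with `=`. Use `=` here as well, or escape the wildcards first with `$domain = addcslashes($domain, '%_');`. The enclosing block starts and ends outside this hunk.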
@@ -2320,23 +2326,23 @@ function buildSubjectFromSession() { `orgdomlink`.`orgdomid`=`orgdomains`.`id` and `orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and `orgdomains`.`id`='".intval($domid)."'"; - $res = mysql_query($query); - while($row = mysql_fetch_assoc($res)) - mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'"); + $res = $db_conn->query($query); + while($row = $res->fetch_assoc()) + $db_conn->query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'"); $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where `orgemaillink`.`domid`=`orgdomains`.`id` and `orgemailcerts`.`id`=`orgemaillink`.`emailcertsid` and `orgdomains`.`id`='".intval($domid)."'"; - $res = mysql_query($query); - while($row = mysql_fetch_assoc($res)) - mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'"); + $res = $db_conn->query($query); + while($row = $res->fetch_assoc()) + $db_conn->query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'"); } if($oldid == 29 && $process != "") { - $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($domid)."'")); - mysql_query("update `orgdomains` set `domain`='$domain' where `id`='".intval($domid)."'"); + $row = $db_conn->query("select * from `orgdomains` where `id`='".intval($domid)."'")->fetch_assoc(); + $db_conn->query("update `orgdomains` set `domain`='$domain' where `id`='".intval($domid)."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully updated in the database."), sanitizeHTML($domain)); echo "

    "._("Click here")." "._("to continue."); @@ -2346,9 +2352,10 @@ function buildSubjectFromSession() { if($oldid == 30 && $process != "") { - $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($domid)."'")); + $res = $db_conn->query("select * from `orgdomains` where `id`='".intval($domid)."'"); + $row = $res->fetch_assoc(); $domain = $row['domain']; - mysql_query("delete from `orgdomains` where `id`='".intval($domid)."'"); + $db_conn->query("delete from `orgdomains` where `id`='".intval($domid)."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully deleted from the database."), sanitizeHTML($domain)); echo "

    "._("Click here")." "._("to continue."); 
@@ -2365,36 +2372,36 @@ function buildSubjectFromSession() { if($oldid == 31 && $process != "") { $query = "select * from `orgdomains` where `orgid`='".intval($_SESSION['_config']['orgid'])."'"; - $dres = mysql_query($query); - while($drow = mysql_fetch_assoc($dres)) + $dres = $db_conn->query($query); + while($drow = $dres->fetch_assoc()) { $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where `orgdomlink`.`orgdomid`=`orgdomains`.`id` and `orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and `orgdomains`.`id`='".intval($drow['id'])."'"; - $res = mysql_query($query); - while($row = mysql_fetch_assoc($res)) + $res = $db_conn->query($query); + while($row = $res->fetch_assoc()) { - mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'"); - mysql_query("delete from `orgdomaincerts` where `orgid`='".intval($row['id'])."'"); - mysql_query("delete from `orgdomlink` where `domid`='".intval($row['id'])."'"); + $db_conn->query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'"); + $db_conn->query("delete from `orgdomaincerts` where `orgid`='".intval($row['id'])."'"); + $db_conn->query("delete from `orgdomlink` where `orgcertid`='".intval($row['id'])."'"); } $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where `orgemaillink`.`domid`=`orgdomains`.`id` and `orgemailcerts`.`id`=`orgemaillink`.`emailcertsid` and `orgdomains`.`id`='".intval($drow['id'])."'"; - $res = mysql_query($query); - while($row = mysql_fetch_assoc($res)) + $res = $db_conn->query($query); + while($row = $res->fetch_assoc()) { - mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'"); - mysql_query("delete from `orgemailcerts` where `id`='".intval($row['id'])."'"); - mysql_query("delete from `orgemaillink` where `domid`='".intval($row['id'])."'"); + 
$db_conn->query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'"); + $db_conn->query("delete from `orgemailcerts` where `id`='".intval($row['id'])."'"); + $db_conn->query("delete from `orgemaillink` where `domid`='".intval($row['id'])."'"); } } - mysql_query("delete from `org` where `orgid`='".intval($_SESSION['_config']['orgid'])."'"); - mysql_query("delete from `orgdomains` where `orgid`='".intval($_SESSION['_config']['orgid'])."'"); - mysql_query("delete from `orginfo` where `id`='".intval($_SESSION['_config']['orgid'])."'"); + $db_conn->query("delete from `org` where `orgid`='".intval($_SESSION['_config']['orgid'])."'"); + $db_conn->query("delete from `orgdomains` where `orgid`='".intval($_SESSION['_config']['orgid'])."'"); + $db_conn->query("delete from `orginfo` where `id`='".intval($_SESSION['_config']['orgid'])."'"); } if($oldid == 31) @@ -2406,7 +2413,8 @@ function buildSubjectFromSession() { if($id == 32 || $oldid == 32 || $id == 33 || $oldid == 33 || $id == 34 || $oldid == 34) { $query = "select * from `org` where `memid`='".intval($_SESSION['profile']['id'])."' and `masteracc`='1'"; - $_macc = mysql_num_rows(mysql_query($query)); + $res = $db_conn->query($query); + $_macc = $res->num_rows; if($_SESSION['profile']['orgadmin'] != 1 && $_macc <= 0) { showheader(_("My CAcert.org Account!")); @@ -2419,7 +2427,7 @@ function buildSubjectFromSession() { if($id == 35 || $oldid == 35) { $query = "select 1 from `org` where `memid`='".intval($_SESSION['profile']['id'])."'"; - $is_orguser = mysql_num_rows(mysql_query($query)); + $is_orguser = $db_conn->query($query->num_rows); if($_SESSION['profile']['orgadmin'] != 1 && $is_orguser <= 0) { showheader(_("My CAcert.org Account!")); 
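Review bot: The line `delete from orgdomlink where orgcertid=...` changes the where column from `domid` to `orgcertid`, which is a behaviour fix rather than part of the mysql_* to mysqli migration; it should be named in the commit message or split out, because it is easy to overlook among mechanical changes. The neighbouring `delete from orgdomaincerts where orgid='".intval($row['id'])."'` still uses a certificate id as an organisation id, which looks like the same kind of mix-up (presumably `where id=` was meant — please confirm against the schema); as written it would remove every certificate of whichever organisation happens to carry that numeric id. The enclosing block starts and ends outside this hunk.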
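Review bot: `$is_orguser = $db_conn->query($query->num_rows);` is wrong: `$query` is a string, so `->num_rows` is not a result property and query() is invoked with that empty value, and the org-user check below never sees a row count. It should read `$is_orguser = $db_conn->query($query)->num_rows;`, or better the two-step form used in the -2406 hunk directly above. Because the condition falls through to the denial branch, this fails closed, but it still breaks the page for every ordinary org user who is not an orgadmin.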
@@ -2433,8 +2441,8 @@ function buildSubjectFromSession() { { $orgid = intval($_SESSION['_config']['orgid']); $query = "select * from `org` where `orgid`='$orgid' and `memid`='".intval($_SESSION['profile']['id'])."' and `masteracc`='1'"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { $id = 35; } @@ -2447,17 +2455,17 @@ function buildSubjectFromSession() { $masteracc = $_SESSION['_config']['masteracc'] = intval($_REQUEST['masteracc']); else $masteracc = $_SESSION['_config']['masteracc'] = 0; - $_REQUEST['email'] = $_SESSION['_config']['email'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['email']))); + $_REQUEST['email'] = $_SESSION['_config']['email'] = $db_conn->real_escape_string(stripslashes(trim($_REQUEST['email']))); $_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU'])); - $comments = $_SESSION['_config']['comments'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['comments']))); - $res = mysql_query("select * from `users` where `email`='".$_REQUEST['email']."' and `deleted`=0"); - if(mysql_num_rows($res) <= 0) + $comments = $_SESSION['_config']['comments'] = $db_conn->real_escape_string(stripslashes(trim($_REQUEST['comments']))); + $res = $db_conn->query("select * from `users` where `email`='".$_REQUEST['email']."' and `deleted`=0"); + if($res->num_rows <= 0) { $id = $oldid; $oldid=0; $_SESSION['_config']['errmsg'] = sprintf(_("Wasn't able to match '%s' against any user in the system"), sanitizeHTML($_REQUEST['email'])); } else { - $row = mysql_fetch_assoc($res); + $row = $res->fetch_assoc(); if ( !is_assurer(intval($row['id'])) ) { $id = $oldid; 
@@ -2465,12 +2473,12 @@ function buildSubjectFromSession() { $_SESSION['_config']['errmsg'] = _("The user is not an Assurer yet"); } else { - mysql_query( + $db_conn->query( "insert into `org` set `memid`='".intval($row['id'])."', `orgid`='".intval($_SESSION['_config']['orgid'])."', `masteracc`='$masteracc', - `OU`='".mysql_real_escape_string($_SESSION['_config']['OU'])."', + `OU`='".$db_conn->real_escape_string($_SESSION['_config']['OU'])."', `comments`='$comments'"); } } @@ -2479,8 +2487,8 @@ function buildSubjectFromSession() { if(($oldid == 34 || $id == 34) && $_SESSION['profile']['orgadmin'] != 1) { $orgid = intval($_SESSION['_config']['orgid']); - $res = mysql_query("select * from `org` where `orgid`='$orgid' and `memid`='".intval($_SESSION['profile']['id'])."' and `masteracc`='1'"); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query("select * from `org` where `orgid`='$orgid' and `memid`='".intval($_SESSION['profile']['id'])."' and `masteracc`='1'"); + if($res->num_rows <= 0) $id = 32; } @@ -2489,7 +2497,7 @@ function buildSubjectFromSession() { $orgid = intval($_SESSION['_config']['orgid']); $memid = intval($_REQUEST['memid']); $query = "delete from `org` where `orgid`='$orgid' and `memid`='$memid'"; - mysql_query($query); + $db_conn->query($query); } if($oldid == 34 || $oldid == 33) @@ -2501,7 +2509,8 @@ function buildSubjectFromSession() { if($id == 36) { - $row = mysql_fetch_assoc(mysql_query("select * from `alerts` where `memid`='".intval($_SESSION['profile']['id'])."'")); + $res = $db_conn->query("select * from `alerts` where `memid`='".intval($_SESSION['profile']['id'])."'"); + $row = $res->fetch_assoc(); $_REQUEST['general'] = $row['general']; $_REQUEST['country'] = $row['country']; $_REQUEST['regional'] = $row['regional']; 
@@ -2510,7 +2519,8 @@ function buildSubjectFromSession() { if($oldid == 36) { - $rc = mysql_num_rows(mysql_query("select * from `alerts` where `memid`='".intval($_SESSION['profile']['id'])."'")); + $result = $db_conn->query("select * from `alerts` where `memid`='" . intval($_SESSION['profile']['id']) . "'"); + $rc = $result->num_rows; if($rc > 0) { $query = "update `alerts` set `general`='".intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0)."', @@ -2525,7 +2535,7 @@ function buildSubjectFromSession() { `radius`='".intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0)."', `memid`='".intval($_SESSION['profile']['id'])."'"; } - mysql_query($query); + $db_conn->query($query); $id = $oldid; $oldid=0; } @@ -2533,12 +2543,12 @@ function buildSubjectFromSession() { if($oldid == 41 && $_REQUEST['action'] == 'default') { csrf_check("mainlang"); - $lang = mysql_real_escape_string($_REQUEST['lang']); + $lang = $db_conn->real_escape_string($_REQUEST['lang']); foreach(L10n::$translations as $key => $val) { if($key == $lang) { - mysql_query("update `users` set `language`='$lang' where `id`='".intval($_SESSION['profile']['id'])."'"); + $db_conn->query("update `users` set `language`='$lang' where `id`='".intval($_SESSION['profile']['id'])."'"); $_SESSION['profile']['language'] = $lang; showheader(_("My CAcert.org Account!")); echo _("Your language setting has been updated."); 
@@ -2556,9 +2566,9 @@ function buildSubjectFromSession() { if($oldid == 41 && $_REQUEST['action'] == 'addsec') { csrf_check("seclang"); - $addlang = mysql_real_escape_string($_REQUEST['addlang']); + $addlang = $db_conn->real_escape_string($_REQUEST['addlang']); // Does the language exist? - mysql_query("insert into `addlang` set `userid`='".intval($_SESSION['profile']['id'])."', `lang`='$addlang'"); + $db_conn->query("insert into `addlang` set `userid`='".intval($_SESSION['profile']['id'])."', `lang`='$addlang'"); showheader(_("My CAcert.org Account!")); echo _("Your language setting has been updated."); showfooter(); @@ -2568,8 +2578,8 @@ function buildSubjectFromSession() { if($oldid == 41 && $_REQUEST['action'] == 'dellang') { csrf_check("seclang"); - $remove = mysql_real_escape_string($_REQUEST['remove']); - mysql_query("delete from `addlang` where `userid`='".intval($_SESSION['profile']['id'])."' and `lang`='$remove'"); + $remove = $db_conn->real_escape_string($_REQUEST['remove']); + $db_conn->query("delete from `addlang` where `userid`='".intval($_SESSION['profile']['id'])."' and `lang`='$remove'"); showheader(_("My CAcert.org Account!")); echo _("Your language setting has been updated."); showfooter(); 
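Review bot: `$addlang` is escaped but never checked against `L10n::$translations`, even though the comment `// Does the language exist?` above the insert suggests it should be, and the -2533 hunk just before performs exactly that check for the primary language; any string the client sends is therefore stored in `addlang`. Guard the insert with `if (array_key_exists($addlang, L10n::$translations)) { ... }` (or mirror the foreach from -2533), and treat `$remove` in the -2568 delete the same way. The enclosing block starts and ends outside this hunk.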
@@ -2604,7 +2614,7 @@ function buildSubjectFromSession() { $regid = intval(array_key_exists('regid',$_REQUEST)?$_REQUEST['regid']:0); $newreg = intval(array_key_exists('newreg',$_REQUEST)?$_REQUEST['newreg']:0); $locid = intval(array_key_exists('locid',$_REQUEST)?$_REQUEST['locid']:0); - $name = array_key_exists('name',$_REQUEST)?mysql_real_escape_string(strip_tags($_REQUEST['name'])):""; + $name = array_key_exists('name',$_REQUEST)?$db_conn->real_escape_string(strip_tags($_REQUEST['name'])):""; $long = array_key_exists('longitude',$_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['longitude']):""; $lat = array_key_exists('latitude', $_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['latitude']):""; $action = array_key_exists('action',$_REQUEST)?$_REQUEST['action']:""; 
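Review bot: The two `ereg_replace()` calls next to the changed `$name` line are unchanged context, but `ereg_replace` was removed in PHP 7.0, the same release that dropped the `mysql_*` functions this commit replaces, so on any PHP that forces this migration these lines fail before `$name` is used. `preg_replace('/[^-0-9.]/', '', $_REQUEST['longitude'])` (and the same for latitude) is the drop-in replacement and keeps the coordinate filtering that the later `locations` inserts rely on. The enclosing block starts and ends outside this hunk.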
@@ -2612,58 +2622,60 @@ function buildSubjectFromSession() { if($locid > 0 && $action == "edit") { $query = "update `locations` set `name`='$name', `lat`='$lat', `long`='$long' where `id`='$locid'"; - mysql_query($query); - $row = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='$locid'")); + $db_conn->query($query); + $res = $db_conn->query("select * from `locations` where `id`='$locid'"); + $row = $res->fetch_assoc(); $_REQUEST['regid'] = $row['regid']; unset($_REQUEST['ccid']); unset($_REQUEST['locid']); unset($_REQUEST['action']); } else if($regid > 0 && $action == "edit") { $query = "update `regions` set `name`='$name' where `id`='$regid'"; - mysql_query($query); - $row = mysql_fetch_assoc(mysql_query("select * from `regions` where `id`='$regid'")); + $db_conn->query($query); + $res = $db_conn->query("select * from `regions` where `id`='$regid'"); + $row = $res->fetch_assoc(); $_REQUEST['ccid'] = $row['ccid']; unset($_REQUEST['regid']); unset($_REQUEST['locid']); unset($_REQUEST['action']); } else if($regid > 0 && $action == "add") { - $row = mysql_fetch_assoc(mysql_query("select `ccid` from `regions` where `id`='$regid'")); + $row = $db_conn->query("select `ccid` from `regions` where `id`='$regid'")->fetch_assoc(); $ccid = $row['ccid']; $query = "insert into `locations` set `ccid`='$ccid', `regid`='$regid', `name`='$name', `lat`='$lat', `long`='$long'"; - mysql_query($query); + $db_conn->query($query); unset($_REQUEST['ccid']); unset($_REQUEST['locid']); unset($_REQUEST['action']); } else if($ccid > 0 && $action == "add" && $name != "") { $query = "insert into `regions` set `ccid`='$ccid', `name`='$name'"; - mysql_query($query); - $row = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='$locid'")); + $db_conn->query($query); + $row = $db_conn->query("select * from `locations` where `id`='$locid'")->fetch_assoc(); unset($_REQUEST['regid']); unset($_REQUEST['locid']); unset($_REQUEST['action']); } else if($locid > 0 && 
$action == "delete") { - $row = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='$locid'")); + $row = $db_conn->query("select * from `locations` where `id`='$locid'")->fetch_assoc(); $_REQUEST['regid'] = $row['regid']; - mysql_query("delete from `localias` where `locid`='$locid'"); - mysql_query("delete from `locations` where `id`='$locid'"); + $db_conn->query("delete from `localias` where `locid`='$locid'"); + $db_conn->query("delete from `locations` where `id`='$locid'"); unset($_REQUEST['ccid']); unset($_REQUEST['locid']); unset($_REQUEST['action']); } else if($locid > 0 && $action == "move") { - $row = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='$locid'")); + $row = $db_conn->query("select * from `locations` where `id`='$locid'")->fetch_assoc(); $oldregid = $row['regid']; - mysql_query("update `locations` set `regid`='$newreg' where `id`='$locid'"); - mysql_query("update `users` set `regid`='$newreg' where `regid`='$oldregid'"); - $row = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='$locid'")); + $db_conn->query("update `locations` set `regid`='$newreg' where `id`='$locid'"); + $db_conn->query("update `users` set `regid`='$newreg' where `regid`='$oldregid'"); + $row = $db_conn->query("select * from `locations` where `id`='$locid'")->fetch_assoc(); $_REQUEST['regid'] = $row['regid']; unset($_REQUEST['ccid']); unset($_REQUEST['locid']); unset($_REQUEST['action']); } else if($regid > 0 && $action == "delete") { - $row = mysql_fetch_assoc(mysql_query("select * from `regions` where `id`='$regid'")); + $row = $db_conn->query("select * from `regions` where `id`='$regid'")->fetch_assoc(); $_REQUEST['ccid'] = $row['ccid']; - mysql_query("delete from `locations` where `regid`='$regid'"); - mysql_query("delete from `regions` where `id`='$regid'"); + $db_conn->query("delete from `locations` where `regid`='$regid'"); + $db_conn->query("delete from `regions` where `id`='$regid'"); unset($_REQUEST['regid']); 
unset($_REQUEST['locid']); unset($_REQUEST['action']); @@ -2672,12 +2684,12 @@ function buildSubjectFromSession() { $_REQUEST['action'] = "aliases"; $_REQUEST['locid'] = $locid; $name = htmlentities($name); - $row = mysql_query("insert into `localias` set `locid`='$locid',`name`='$name'"); + $row = $db_conn->query("insert into `localias` set `locid`='$locid',`name`='$name'"); } else if($locid > 0 && $action == "delalias") { $id = 54; $_REQUEST['action'] = "aliases"; $_REQUEST['locid'] = $locid; - $row = mysql_query("delete from `localias` where `locid`='$locid' and `name`='$name'"); + $row = $db_conn->query("delete from `localias` where `locid`='$locid' and `name`='$name'"); } } @@ -2714,15 +2726,15 @@ function buildSubjectFromSession() { showfooter(); exit; } - $fname = mysql_real_escape_string($_REQUEST['fname']); - $mname = mysql_real_escape_string($_REQUEST['mname']); - $lname = mysql_real_escape_string($_REQUEST['lname']); - $suffix = mysql_real_escape_string($_REQUEST['suffix']); + $fname = $db_conn->real_escape_string($_REQUEST['fname']); + $mname = $db_conn->real_escape_string($_REQUEST['mname']); + $lname = $db_conn->real_escape_string($_REQUEST['lname']); + $suffix = $db_conn->real_escape_string($_REQUEST['suffix']); $day = intval($_REQUEST['day']); $month = intval($_REQUEST['month']); $year = intval($_REQUEST['year']); $query = "update `users` set `fname`='$fname',`mname`='$mname',`lname`='$lname',`suffix`='$suffix',`dob`='$year-$month-$day' where `id`='$userid'"; - mysql_query($query); + $db_conn->query($query); }elseif($oldid == 43 && $actionrequest == "updatedob" && $ticketvalidation == FALSE){ $id = 43; $oldid=0; 
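Review bot: `$row = $res->fetch_assoc();` and the chained `$db_conn->query(...)->fetch_assoc()` calls introduced in the @@ -2612 hunk assume `query()` returned a result object, but mysqli::query() returns `false` on failure under the default report mode, so what used to be a warning from `mysql_fetch_assoc(false)` becomes a fatal "Call to a member function fetch_assoc() on bool", and it fires after the preceding UPDATE/DELETE in the same branch has already been executed. The same pattern recurs in the @@ -2761, @@ -2781, @@ -2913 through @@ -3169 hunks and as `$res->num_rows` in the @@ -2872 hunk. Either guard each result before dereferencing it (`if ($res === false) { /* log and bail */ }`) or, presumably where `$db_conn` is created outside this diff, enable `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` so failures raise `mysqli_sql_exception` and can be handled in one place instead of at every call site. The if/else chain this hunk edits begins before the hunk.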
@@ -2761,7 +2773,7 @@ function buildSubjectFromSession() { if($id == 44) { $_REQUEST['userid'] = intval($_REQUEST['userid']); - $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'")); + $row = $db_conn->query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'")->fetch_assoc(); if($row['email'] == "") $id = 42; else @@ -2781,8 +2793,8 @@ function buildSubjectFromSession() { showfooter(); exit; } - mysql_query("update `users` set `password`=sha1('".mysql_real_escape_string(stripslashes($_REQUEST['newpass']))."') where `id`='".intval($_REQUEST['userid'])."'"); - $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'")); + $db_conn->query("update `users` set `password`=sha1('".$db_conn->real_escape_string(stripslashes($_REQUEST['newpass']))."') where `id`='".intval($_REQUEST['userid'])."'"); + $row = $db_conn->query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'")->fetch_assoc(); printf(_("The password for %s has been updated successfully in the system."), sanitizeHTML($row['email'])); $my_translation = L10n::get_translation(); 
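Review bot: The rewritten UPDATE in the @@ -2781 hunk still stores the new password as an unsalted `sha1()` evaluated inside the SQL statement, so the plaintext travels through the query text (and any general/slow query log) and the stored digest is cheap to crack offline. Since the line is being touched anyway, hashing in PHP with `$hash = password_hash(stripslashes($_REQUEST['newpass']), PASSWORD_DEFAULT);` and storing `$hash` via `real_escape_string` keeps the plaintext out of the SQL; the login path would then need `password_verify()`, which is outside this diff, so this may belong in a follow-up rather than the migration commit itself. The admin password-reset block this hunk edits starts before the hunk.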
@@ -2872,24 +2884,24 @@ function buildSubjectFromSession() { `CN`='".$_SESSION['_config']['0.CN']."', `domid`='".$_SESSION['_config']['row']['id']."', `created`=NOW()"; - mysql_query($query); - $CSRid = mysql_insert_id(); + $db_conn->query($query); + $CSRid = $db_conn->insert_id; foreach($_SESSION['_config']['rowid'] as $dom) - mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='".intval($dom)."'"); + $db_conn->query("insert into `domlink` set `certid`='$CSRid', `domid`='".intval($dom)."'"); if(is_array($_SESSION['_config']['altid'])) foreach($_SESSION['_config']['altid'] as $dom) - mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='".intval($dom)."'"); + $db_conn->query("insert into `domlink` set `certid`='$CSRid', `domid`='".intval($dom)."'"); $CSRname=generatecertpath("csr","server",$CSRid); $fp = fopen($CSRname, "w"); fputs($fp, $_SESSION['_config']['CSR']); fclose($fp); - mysql_query("update `domaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'"); + $db_conn->query("update `domaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'"); waitForResult("domaincerts", $CSRid,$oldid); $query = "select * from `domaincerts` where `id`='$CSRid' and `crt_name` != ''"; - $res = mysql_query($query); - if(mysql_num_rows($res) <= 0) + $res = $db_conn->query($query); + if($res->num_rows <= 0) { showheader(_("My CAcert.org Account!")); printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "", ""); 
@@ -2913,9 +2925,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['tverify']; - mysql_query("update `users` set `tverify`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `tverify`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0 && $ticketvalidation==FALSE){ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; } @@ -2932,9 +2944,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['assurer']; - mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `assurer`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['assurer']); $_SESSION['ticketmsg']='No action (Change assurer status) taken. Ticket number is missing!'; @@ -2950,9 +2962,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['assurer_blocked']; - mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; 
@@ -2969,9 +2981,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['locked']; - mysql_query("update `users` set `locked`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `locked`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['locked']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -2988,9 +3000,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['codesign']; - mysql_query("update `users` set `codesign`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `codesign`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['codesign']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -3007,9 +3019,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['orgadmin']; - mysql_query("update `users` set `orgadmin`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `orgadmin`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('orgadmin',$_REQUEST) && $_REQUEST['orgadmin'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['orgadmin']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; 
@@ -3026,9 +3038,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['ttpadmin']; - mysql_query("update `users` set `ttpadmin`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `ttpadmin`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('ttpadmin',$_REQUEST) && $_REQUEST['ttpadmin'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['ttpadmin']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -3044,11 +3056,11 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = $row['adadmin'] + 1; if($ver > 2) $ver = 0; - mysql_query("update `users` set `adadmin`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `adadmin`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('adadmin',$_REQUEST) && $_REQUEST['adadmin'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['adadmin']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -3064,9 +3076,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['locadmin']; - mysql_query("update `users` set `locadmin`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `locadmin`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('locadmin',$_REQUEST) && $_REQUEST['locadmin'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['locadmin']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; 
@@ -3083,9 +3095,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['admin']; - mysql_query("update `users` set `admin`='$ver' where `id`='$memid'"); + $db_conn->query("update `users` set `admin`='$ver' where `id`='$memid'"); }elseif($id == 43 && array_key_exists('admin',$_REQUEST) && $_REQUEST['admin'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['admin']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -3101,9 +3113,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `alerts` where `memid`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['general']; - mysql_query("update `alerts` set `general`='$ver' where `memid`='$memid'"); + $db_conn->query("update `alerts` set `general`='$ver' where `memid`='$memid'"); }elseif($id == 43 && array_key_exists('general',$_REQUEST) && $_REQUEST['general'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['general']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -3119,9 +3131,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `alerts` where `memid`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['country']; - mysql_query("update `alerts` set `country`='$ver' where `memid`='$memid'"); + $db_conn->query("update `alerts` set `country`='$ver' where `memid`='$memid'"); }elseif($id == 43 && array_key_exists('country',$_REQUEST) && $_REQUEST['country'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['country']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; 
@@ -3137,9 +3149,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `alerts` where `memid`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['regional']; - mysql_query("update `alerts` set `regional`='$ver' where `memid`='$memid'"); + $db_conn->query("update `alerts` set `regional`='$ver' where `memid`='$memid'"); }elseif($id == 43 && array_key_exists('regional',$_REQUEST) && $_REQUEST['regional'] > 0 && $ticketvalidation == FALSE){ $_REQUEST['userid'] = intval($_REQUEST['regional']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -3155,9 +3167,9 @@ function buildSubjectFromSession() { exit; } $query = "select * from `alerts` where `memid`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); + $row = $db_conn->query($query)->fetch_assoc(); $ver = !$row['radius']; - mysql_query("update `alerts` set `radius`='$ver' where `memid`='$memid'"); + $db_conn->query("update `alerts` set `radius`='$ver' where `memid`='$memid'"); }elseif($id == 43 && array_key_exists('radius',$_REQUEST) && $_REQUEST['radius'] > 0 && $ticketvalidation == false){ $_REQUEST['userid'] = intval($_REQUEST['radius']); $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; @@ -3169,7 +3181,7 @@ function buildSubjectFromSession() { $_REQUEST['userid'] = intval($_REQUEST['userid']); } - $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'")); + $row = $db_conn->query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'")->fetch_assoc(); if($row['email'] == "") { $id = 42; } else { @@ -3216,7 +3228,7 @@ function buildSubjectFromSession() { showfooter(); exit; } - if (check_is_orgadmin(intval($_REQUEST['userid']),1)) { + if (check_is_orgadmin(intval($_REQUEST['userid']))) { showheader(_("My CAcert.org Account!")); printf(_("The user is listed as Organisation Administrator. Can't continue.")); printf('
    ' . _('Back to previous page.') .''); diff --git a/includes/account_stuff.php b/includes/account_stuff.php index 0fda2f1a..524be4d2 100644 --- a/includes/account_stuff.php +++ b/includes/account_stuff.php @@ -1,6 +1,6 @@ ">
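Review bot: The call in the @@ -3216 hunk drops the second argument of `check_is_orgadmin(intval($_REQUEST['userid']),1)`, and this guard is an authorization decision (it blocks the action when the user is an organisation administrator). The function's definition is outside this diff, so please confirm the one-argument form evaluates to the same result as the previous `,1` call; a migration commit is an easy place for a silent semantic change in an access check to slip through. If the removed argument was a no-longer-supported flag, a one-line comment such as `// second argument removed: check_is_orgadmin() now takes only the user id` would make the intent clear to the next reader. The enclosing deletion branch starts before this hunk.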

    - +
    - 0 || $_SESSION['profile']['orgadmin'] == 1) { ?> +query("select * from `org` where `memid`='".intval($_SESSION['profile']['id'])."'") + ->num_rows > 0 || $_SESSION['profile']['orgadmin'] == 1) { ?> - 0 || $_SESSION['profile']['orgadmin'] == 1) { ?> +query("select * from `org` where `memid`='".intval($_SESSION['profile']['id'])."'")->num_rows > 0 || $_SESSION['profile']['orgadmin'] == 1) { ?>