From 6f4fe7ed0696463703394cfe37403773c23e2ad4 Mon Sep 17 00:00:00 2001
From: Ian Campbell <ijc@hellion.org.uk>
Date: Tue, 19 Jul 2016 20:01:32 +0100
Subject: [PATCH] Avoid double quoting SQL

$db->escape already wraps the result in single quotes, so there is no need to do it in the
caller.

This is a little complicated in searchMusic since the %'s need to be inside the
quoting but we do not want them to be escaped themselves. Concat them with the
search term using a SQL CONCAT().
---
 modules/music/mp3act_functions.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/modules/music/mp3act_functions.php b/modules/music/mp3act_functions.php
index b6fc7e0..9d2780c 100644
--- a/modules/music/mp3act_functions.php
+++ b/modules/music/mp3act_functions.php
@@ -33,7 +33,7 @@ function GarbageCollector()
     if (0 == mt_rand(0, 30))
     {
         $query = 'DELETE FROM music_playlists '.
-            "WHERE playlist_name='".$db->escape('MythWeb Temporary Playlist')."'".
+            "WHERE playlist_name=".$db->escape('MythWeb Temporary Playlist').
             ' AND (NOW() - last_accessed) > ('.MYTH_PLAYLIST_SAVE_TIME.');';
         $sh = $db->query($query);
         $sh->finish();
@@ -217,7 +217,7 @@ function buildBreadcrumb($page, $parent, $parentitem, $child, $childitem)
 function musicLookup($type, $itemid)
 {
   global $db;
-  $sql_itemid = "'".$db->escape($itemid)."'";
+  $sql_itemid = $db->escape($itemid);
   switch($type)
   {
     case 'browse':
@@ -279,7 +279,7 @@ function musicLookup($type, $itemid)
                    "FROM music_artists " .
                    "GROUP BY artist_name_sort " .
                    "HAVING artist_name_sort " .
-                   "LIKE '" . $db->escape($itemid.'%') . "' " .
+                   "LIKE " . $db->escape($itemid.'%') . " " .
                    "ORDER BY artist_name_sort";
       }
       $sh = $db->query($query);
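Review bot: The `%` wildcard is still passed through escape() on the new `LIKE` line, which is the very case the commit description says it avoided in searchMusic with CONCAT(); if escape() ever treats `%` specially, the prefix match here silently breaks. Keeping the wildcard outside the escaped value makes the two call sites consistent: `"LIKE CONCAT(" . $db->escape($itemid) . ", '%') " .`. musicLookup starts and ends outside this hunk.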
@@ -1008,7 +1008,7 @@ function getRandItems($type)
 function searchMusic($terms, $option)
 {
   global $db;
-  $sql_terms = "'%".$db->escape($terms)."%'";
+  $sql_terms = "CONCAT('%', ".$db->escape($terms).", '%')";
   $query = 'SELECT ms.song_id, ma.album_name, ms.track, mt.artist_name, ms.name, ms.rating, '.
     'SEC_TO_TIME(ms.length/1000) AS length, genre '.
     'FROM music_songs AS ms '.
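Review bot: The reason for the CONCAT() on the new `$sql_terms` line deserves a comment, otherwise a later reader may fold the `%` back into the escaped string and reintroduce the double quoting: `// escape() quotes its argument, so the LIKE wildcards are added with CONCAT()`. Separately, `%` and `_` inside `$terms` still act as LIKE metacharacters; that predates this change, but if a literal match is intended they would need escaping in addition to the quoting escape() provides. searchMusic's body continues past the hunk.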
@@ -1111,14 +1111,14 @@ function internalUpdatePlaylist($songs, $count, $length)
   $songlist = implode(',', $songs);
 
   $query = 'music_playlists SET'.
-    " playlist_songs='".$db->escape($songlist)."'".
+    " playlist_songs=".$db->escape($songlist).
     ',length='.$db->escape($length).
     ',songcount='.$db->escape($count);
 
   if (empty($plId))
   {
     $query = 'INSERT INTO '.$query.
-      ",hostname='".$db->escape('mythweb-'.$_SERVER['SERVER_NAME'])."'".
+      ",hostname=".$db->escape('mythweb-'.$_SERVER['SERVER_NAME']).
       ",playlist_name='".MYTH_WEB_PLAYLIST_NAME."'";
   }
   else
@@ -1252,7 +1252,7 @@ function savePlaylist($pl_name, $newpl)
   else
   {
     $query = 'UPDATE music_playlists SET'.
-      ' playlist_name=\''.$db->escape($pl_name).'\''.
+      ' playlist_name='.$db->escape($pl_name).
       ",hostname='' ".
       'WHERE playlist_id='.$db->escape($pl['playlist_id']);
 
@@ -1360,7 +1360,7 @@ function playlist_move($item1,$item2)
   $songs[$idx2] = $tmp;
 
   $query = 'UPDATE music_playlists SET'.
-    ' playlist_songs=\''.$db->escape(implode(',', $songs)).'\' '.
+    ' playlist_songs='.$db->escape(implode(',', $songs)).' '.
     'WHERE playlist_id='.$db->escape($pl['playlist_id']).';';
   $db->query($query);
 }
-- 
2.8.1

