Update userprofil.php

-secured PDO queries with bindParam

Update userprofil.php
-secured PDO queries with bindParam
5b2702ac · Henoch Einbier · 9e5caba2 · 5b2702ac
Commit 5b2702ac authored 5 years ago by Henoch Einbier
--- a/content/konto/userprofil.php
+++ b/content/konto/userprofil.php
@@ -14,20 +14,37 @@ if (!isset($mailstatus)) $mailstatus = "";
 if (!isset($delchange)) $delchange = "";
 if ($_POST['acc_del'] == 'Jetzt löschen!' && $_POST['del_passwort']) {
-    $schnittstelle = mysql_fetch_array(db_query("SELECT `passwort` FROM " . _VMS_ . "_kontodaten LIMIT 1")) or die("Userinfo");
+    $sql = sql::$db->query("SELECT `passwort` FROM " . _VMS_ . "_kontodaten LIMIT 1") or die("Userinfo");
+    $schnittstelle = $sql->fetch();
    if ($schnittstelle['passwort'] != md5($_GET['del_passwort'])) {
        echo 'Passwort falsch';
    } else {
        $sperrzeit = time() + (86400 * 30);
-        db_query("DELETE FROM " . _VMS_ . "_kontodaten WHERE uid=" . $_SESSION['uid'] . "");
+        $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_kontodaten WHERE uid=:session_uid");
-        db_query("DELETE FROM " . _VMS_ . "_emaildaten WHERE uid=" . $_SESSION['uid'] . "");
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
-        db_query("DELETE FROM " . _VMS_ . "_userdaten WHERE uid=" . $_SESSION['uid'] . "");
+        $sql -> execute();
-        db_query("DELETE FROM " . _VMS_ . "_werberdaten WHERE uid=" . $_SESSION['uid'] . "");
+        $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_emaildaten WHERE uid=:session_uid");
-        db_query("UPDATE " . _VMS_ . "_werberdaten SET werber = 0 WHERE werber=" . $_SESSION['uid'] . "");
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
-        db_query ('DELETE FROM ' . _VMS_ . '_admin_abuse WHERE uid = ' . $_SESSION['uid']);
+        $sql -> execute();
-        db_query ('DELETE FROM vms_buchungen WHERE uid = ' . $_SESSION['uid']);
+        $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_userdaten WHERE uid=:session_uid");
-        db_query ('DELETE FROM vms_reloads WHERE uid = ' . $_SESSION['uid']);
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
-        db_query ('DELETE FROM vms_schnittstelle_anfragen WHERE uid = ' . $_SESSION['uid']);
+        $sql -> execute();
+        $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_werberdaten WHERE uid=:session_uid");
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+        $sql -> execute();
+        $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_werberdaten SET werber = 0 WHERE werber=:session_uid");
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+        $sql -> execute();
+        //db_query ('DELETE FROM ' . _VMS_ . '_admin_abuse WHERE uid = ' . $_SESSION['uid']); //tabelle existiert nicht
+        $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_buchungen WHERE uid=:session_uid");
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+        $sql -> execute();
+        $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_reloads WHERE uid=:session_uid");
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+        $sql -> execute();
+        $sql = sql::$db->prepare("DELETE FROM " . _VMS_ . "_schnittstelle_anfragen WHERE uid=:session_uid");
+        $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+        $sql -> execute();
        echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">';
    }
 }
@@ -37,7 +54,10 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
    if ($_POST['pwd'] && $_POST['pwd2']) {
        if ($_POST['pwd'] == $_POST['pwd2']) {
            if (strlen($_POST['pwd']) >= 8) {
-                db_query("UPDATE " . _VMS_ . "_kontodaten SET passwort = '" . md5($_POST['pwd']) . "' WHERE uid=" . $_SESSION['uid'] . "");
+                $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_kontodaten SET passwort = :pass WHERE uid = :session_uid");
+                $sql -> bindParam(':pass', md5($_POST['pwd']), PDO::PARAM_STR);
+                $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+                $sql -> execute();
                echo '<meta http-equiv="refresh" content="0; URL=http://' . $_SERVER['HTTP_HOST'] . '/?content=/intern/startseite&logout=true">';
                // $change .= 'Das Passwort wurde geändert!<br><b><font color="#FF0000">Bitte logge Dich jetzt aus und wieder neu ein!</font></b><br>';
            } else {
@@ -51,15 +71,24 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
    // Nickname ändern beginn !
    if ($_POST['aendern'] == 'Jetzt ändern!') {
        if (isset ($_POST['nickname'])) {
-            $nickname = mysql_real_escape_string(ucfirst($_POST['nickname']));
+            $nickname = ucfirst($_POST['nickname']);
-            $nickname_check = db_query ("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname='" . $nickname . "'");
+            $nickname_check = sql::$db->prepare("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname = :nickname");
-            $nickname_check2 = db_query ("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname='" . $nickname . "'AND uid=" . $_SESSION['uid'] . "");
+            $nickname_check -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
-            if (mysql_num_rows($nickname_check))
+            $nickname_check -> execute();
-                if (mysql_num_rows($nickname_check2)) {
+            $nickname_check2 = sql::$db->prepare("SELECT `nickname` FROM " . _VMS_ . "_userdaten WHERE nickname = :nickname AND uid = :session_uid");
+            $nickname_check2 -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
+            $nickname_check2 -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_STR);
+            $nickname_check2 -> execute();
+            if ($nickname_check->rowCount() )
+                if ($nickname_check2->rowCount() ) {
                } else {
                    $change = 'Dieser Nickname ist schon vergeben!<br>';
                } else {
-                    db_query("UPDATE " . _VMS_ . "_userdaten SET nickname = '" . $nickname . "' WHERE uid=" . $_SESSION['uid'] . "");
+                    $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_userdaten SET nickname = :nickname WHERE uid = :session_uid");
+                    $sql -> bindParam(':nickname', $nickname, PDO::PARAM_STR);
+                    $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_STR);
+                    $sql -> execute();
                }
            }
        }
@@ -71,13 +100,23 @@ if ($_POST['aendern'] == 'Jetzt ändern!') {
            if ($_POST['newsletter'] == 0 and $_POST['paidmails'] == 1) $mailstatus = 2;
            if ($_POST['newsletter'] == 1 and $_POST['paidmails'] == 1) $mailstatus = 3;
            $_POST['max_forced'] = (int)$_POST['max_forced'];
-            db_query("UPDATE " . _VMS_ . "_emaildaten SET freigabe_fuer = " . $mailstatus . ", emailadresse = '" . $_POST['emailadresse'] . "' WHERE uid=" . $_SESSION['uid'] . "");
+            $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_emaildaten SET freigabe_fuer = :mailstatus, emailadresse = :emailadresse WHERE uid = :session_uid");
-            db_query("UPDATE " . _VMS_ . "_userdaten SET max_forced = '" . $_POST['max_forced'] . "' WHERE uid=" . $_SESSION['uid'] . "");
+            $sql -> bindParam(':mailstatus', $mailstatus, PDO::PARAM_INT);
+            $sql -> bindParam(':emailadresse', $_POST['emailadresse'], PDO::PARAM_STR);
+            $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+            $sql -> execute();
+            $sql = sql::$db->prepare("UPDATE " . _VMS_ . "_userdaten SET max_forced = :max_forced WHERE uid = :session_uid");
+            $sql -> bindParam(':max_forced', $_POST['max_forced'], PDO::PARAM_STR);
+            $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+            $sql -> execute();
            $change .= 'Deine Daten wurden aktualisiert!<br>';
        }
    }
-    $sql = sql::$db->query("SELECT u.*,e.emailadresse,e.freigabe_fuer FROM " . _VMS_ . "_userdaten AS u LEFT JOIN " . _VMS_ . "_emaildaten AS e ON e.uid=u.uid WHERE u.uid=" . $_SESSION['uid'] . " LIMIT 1");
+    $sql = sql::$db->prepare("SELECT u.*,e.emailadresse,e.freigabe_fuer FROM " . _VMS_ . "_userdaten AS u LEFT JOIN " . _VMS_ . "_emaildaten AS e ON e.uid=u.uid WHERE u.uid = :session_uid LIMIT 1");
+    $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+    $sql -> execute();
    $info = $sql->fetch();
    if ($info['freigabe_fuer'] == 0) {
@@ -184,7 +223,10 @@ die Paidmails wenn Du keine haben möchtest!<br>
        head("Externe Konten");
        if (isset($_POST['veri'])) {
-            $schnittstelle = mysql_fetch_array(db_query("SELECT * FROM " . _VMS_ . "_schnittstelle WHERE schnittstelle='" . $_POST['schnittstelle'] . "' AND aktiv > 0 LIMIT 1"));
+            $sql = sql::$db->prepare("SELECT * FROM " . _VMS_ . "_schnittstelle WHERE schnittstelle = :schnittstelle AND aktiv > 0 LIMIT 1");
+            $sql -> bindParam(':schnittstelle', $_POST['schnittstelle'], PDO::PARAM_STR);
+            $sql -> execute();
+            $schnittstelle = $sql->fetch();
            // User beim Betreiber prüfen
            $sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_schnittstelle_anfragen (zeit,uid) VALUES (?,?)");
            $sql->execute(array( $tag, $_SESSION['uid'] ));
@@ -193,12 +235,14 @@ die Paidmails wenn Du keine haben möchtest!<br>
            $error = $trans_ausgabe;
            print_r($error);
            if (!$error) {
-            $sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_multi_konten (uid, kontoid, waehrung) VALUES(?,?,?) ON DUPLICATE KEY UPDATE kontoid='" . $_POST['veri_id'] . "'");
+            $sql = sql::$db->prepare("INSERT INTO " . _VMS_ . "_multi_konten (uid, kontoid, waehrung) VALUES(?,?,?) ON DUPLICATE KEY UPDATE kontoid=?");
-            $sql->execute(array( $_SESSION['uid'], $_POST['veri_id'], $_POST['schnittstelle'] ));
+            $sql->execute(array( $_SESSION['uid'], $_POST['veri_id'], $_POST['schnittstelle'], $_POST['veri_id'] ));
            }
        }
-        $moeglichkeiten_q = sql::$db->query('SELECT schnittstelle FROM ' . _VMS_ . '_schnittstelle WHERE aktiv > 0 AND schnittstelle NOT IN (SELECT waehrung AS schnittstelle FROM vms_multi_konten WHERE uid=' . $_SESSION['uid'] . ')');
+        $moeglichkeiten_q = sql::$db->prepare('SELECT schnittstelle FROM ' . _VMS_ . '_schnittstelle WHERE aktiv > 0 AND schnittstelle NOT IN (SELECT waehrung AS schnittstelle FROM vms_multi_konten WHERE uid = :session_uid)');
+        $moeglichkeiten_q -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+        $moeglichkeiten_q -> execute();
        ?>
  <form action="" method="post">
@@ -230,7 +274,10 @@ die Paidmails wenn Du keine haben möchtest!<br>
 Bereits&nbsp;verifiziert:<br />
 <table>
    <?php
-        $veri = sql::$db->query('SELECT * FROM vms_multi_konten WHERE uid=' . $_SESSION['uid'] . '');
+        $veri = sql::$db->prepare('SELECT * FROM vms_multi_konten WHERE uid=:session_uid');
+        $veri -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+        $veri -> execute();
        while ($verid = $veri->fetch() ) { ?>
 	<tr>
 		<td><?php echo $verid['waehrung']; ?>:</td>