Update forcedbanner.php

-secured PDO queries with bindParam

Update forcedbanner.php
-secured PDO queries with bindParam
894ebe56 · Henoch Einbier · 9e5caba2 · 894ebe56
Commit 894ebe56 authored 5 years ago by Henoch Einbier
--- a/content/verdienen/forcedbanner.php
+++ b/content/verdienen/forcedbanner.php
@@ -2,15 +2,20 @@
 userstatus ();

    head ('Klickbanner');
-    $sql = sql::$db->query('SELECT COUNT(t1.tan) AS ganzahl, SUM(t1.verdienst) AS gverdienst, SUM(t1.aufendhalt) AS gaufenthalt FROM '._VMS_.'_gebuchte_werbung t1
+    $sql = sql::$db->prepare('SELECT COUNT(t1.tan) AS ganzahl, SUM(t1.verdienst) AS gverdienst, SUM(t1.aufendhalt) AS gaufenthalt FROM '._VMS_.'_gebuchte_werbung t1
                        LEFT JOIN '._VMS_.'_fb_blacklist AS t3 ON t3.kid = t1.kid AND t3.werbeart=t1.werbeart
-                        WHERE (t3.kid IS NULL OR LOCATE(t3.sponsor, t1.ziel) = 0) AND t1.werbeart = "forcedbanner" and t1.reload >= 100 AND t1.menge > 0 AND t1.status = 1 AND t1.verdienst >= 0 AND t1.sponsor != '.$_SESSION['uid'].'');
+                        WHERE (t3.kid IS NULL OR LOCATE(t3.sponsor, t1.ziel) = 0) AND t1.werbeart = "forcedbanner" and t1.reload >= 100 AND t1.menge > 0 AND t1.status = 1 AND t1.verdienst >= 0 AND t1.sponsor != :session_uid');
+    $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+    $sql -> execute();
    $fstats_gesamt = $sql->fetch();

-    $sql = sql::$db->query('SELECT COUNT(t1.tan) AS uanzahl, SUM(t1.verdienst) AS uverdienst FROM '._VMS_.'_gebuchte_werbung t1
+    $sql = sql::$db->prepare('SELECT COUNT(t1.tan) AS uanzahl, SUM(t1.verdienst) AS uverdienst FROM '._VMS_.'_gebuchte_werbung t1
                        LEFT JOIN '._VMS_.'_fb_blacklist AS t3 ON t3.kid = t1.kid AND t3.werbeart=t1.werbeart
-                        LEFT JOIN '._VMS_.'_reloads t2 ON (t1.tan = t2.tan AND (t2.uid = '.$_SESSION['uid'].' OR t2.ip = "'.$system['ip'].'") AND t2.bis >= '.time().')
-                        WHERE (t3.kid IS NULL OR LOCATE(t3.sponsor, t1.ziel) = 0) AND t2.tan IS NULL AND t1.werbeart = "forcedbanner" and t1.reload >= 100 AND t1.menge > 0 AND t1.status = 1 AND t1.verdienst >= 0 AND t1.sponsor != '.$_SESSION['uid'].'');
+                        LEFT JOIN '._VMS_.'_reloads t2 ON (t1.tan = t2.tan AND (t2.uid = :session_uid OR t2.ip = :ip) AND t2.bis >= '.time().')
+                        WHERE (t3.kid IS NULL OR LOCATE(t3.sponsor, t1.ziel) = 0) AND t2.tan IS NULL AND t1.werbeart = "forcedbanner" and t1.reload >= 100 AND t1.menge > 0 AND t1.status = 1 AND t1.verdienst >= 0 AND t1.sponsor != :session_uid');
+    $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+    $sql -> bindParam(':ip', $system['ip'], PDO::PARAM_INT);
+    $sql -> execute();
    $fstats_uebrig = $sql->fetch();

    if($fstats_gesamt['ganzahl'] == 0) {
@@ -46,10 +51,13 @@ userstatus ();
        jQuery('#fortschritt').progressbar({value: width});
        jQuery('#fortschritt').append(jQuery('<div>').html('Noch ".$uebrig."&#37; &uuml;brig ').css('position', 'relative').css('top', '-21px').css('width', '100%').css('font-size', '14px').attr('align', 'center').attr('id', 'fortschritttext'));
        </script> ";
-    $sql = sql::$db->query ('SELECT r.bis FROM '._VMS_.'_reloads AS r
-                                        LEFT JOIN '._VMS_.'_gebuchte_werbung AS ad ON (ad.tan = r.tan AND ad.status = 1 AND ad.werbeart = "forcedbanner" AND ad.sponsor != '.$_SESSION['uid'].')
-                                        WHERE r.uid = '.$_SESSION['uid'].'  AND ad.tan IS NOT NULL  AND r.bis > '.(time()).'
+    $sql = sql::$db->prepare('SELECT r.bis FROM '._VMS_.'_reloads AS r
+                                        LEFT JOIN '._VMS_.'_gebuchte_werbung AS ad ON (ad.tan = r.tan AND ad.status = 1 AND ad.werbeart = "forcedbanner" AND ad.sponsor != :session_uid)
+                                        WHERE r.uid = :session_uid AND ad.tan IS NOT NULL  AND r.bis > '.(time()).'
                                        ORDER BY r.bis ASC LIMIT 1');
+    $sql -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+    $sql -> execute();
+
    $res = $sql->fetch();
    $zeit = ((($res['bis']-time()) >= 0) ? ($res['bis']-time()) : NULL );
    if ($zeit != NULL){
@@ -58,20 +66,26 @@ userstatus ();

 $sql = sql::$db->query ('SELECT max_forced FROM ' . _VMS_ . '_userdaten WHERE uid = ' . $_SESSION['uid'] . ' LIMIT 1');
 $usr = $sql->fetch();
-
-$fbanner = sql::$db->query ('SELECT t1.*
+sql::$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
+$fbanner = sql::$db->prepare('SELECT t1.*
          	FROM ' . _VMS_ . '_gebuchte_werbung t1
            LEFT JOIN ' . _VMS_ . '_fb_blacklist AS t3 ON t3.kid = t1.kid AND t3.werbeart=t1.werbeart
          	LEFT JOIN ' . _VMS_ . '_reloads t2
-          	ON (t1.tan = t2.tan AND (t2.uid = ' . $_SESSION['uid'] . ' OR t2.ip = "' . $system['ip'] . '") AND t2.bis >= ' . time() . ')
-          	WHERE (t3.kid IS NULL OR LOCATE(t3.sponsor, t1.ziel) = 0)  AND t2.tan IS NULL AND t1.werbeart = "forcedbanner" AND t1.menge > 0 AND t1.status = 1 AND t1.verdienst > 0 AND t1.sponsor != ' . $_SESSION['uid'] . ' ORDER BY t1.verdienst DESC LIMIT ' . $usr['max_forced']);
+          	ON (t1.tan = t2.tan AND (t2.uid = :session_uid OR t2.ip = :ip) AND t2.bis >= ' . time() . ')
+          	WHERE (t3.kid IS NULL OR LOCATE(t3.sponsor, t1.ziel) = 0)  AND t2.tan IS NULL AND t1.werbeart = "forcedbanner" AND t1.menge > 0 AND t1.status = 1 AND t1.verdienst > 0 AND t1.sponsor != :session_uid2
+          	ORDER BY t1.verdienst DESC LIMIT :max_forced');
+$fbanner -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+$fbanner -> bindParam(':session_uid2', $_SESSION['uid'], PDO::PARAM_INT);
+$fbanner -> bindParam(':ip', $system['ip'], PDO::PARAM_STR);
+$fbanner -> bindParam(':max_forced', $usr['max_forced'], PDO::PARAM_INT);
+$fbanner -> execute();

 while ($f_banner = $fbanner->fetch(PDO::FETCH_ASSOC) ) {
-    echo '<div align="center" id="banner_' . $f_banner['tan'] . '"><a href="top_forcedbanner.php?tan=' . $f_banner['tan'] . '" target="_blank"><img src="' . $f_banner['banner'] . '" border="0" height="60" width="468" alt="' . $f_banner['tan'] . '" onClick="document.getElementById(\'banner_' . $f_banner['tan'] . '\').style.display=\'none\';"></a>'
+    echo '<div align="center" id="banner_' . $f_banner['tan'] . '"><a href="top_forced.php?tan=' . $f_banner['tan'] . '" target="_blank"><img src="' . $f_banner['banner'] . '" border="0" height="60" width="468" alt="' . $f_banner['tan'] . '" onClick="document.getElementById(\'banner_' . $f_banner['tan'] . '\').style.display=\'none\';"></a>'
     . '<br>Reload:' . $f_banner['reload'] / 3600 . ' Std. | Verdienst: ' . number_format($f_banner['verdienst'], 2, ',', '.') . ' | Aufenthalt: ' . $f_banner['aufendhalt'] . ' Sekunden<br><br></div>';
 }

 if ($fbanner->rowCount() > 0) echo '<div align="center"><input type="button" name="mehr_banner" value="Weitere Banner !" onclick="javascript:location.reload();" /></div>';
-else echo '<div style="text-align: center; font-weight: bold; color: #ff0000;">Alle Banner im Reload !</div>';
+else echo '<div style="text-align: center; font-weight: bold; color: #ff0000;">Alle Banner im Reload!</div>';

 foot ();
\ No newline at end of file