Diffstat (limited to 'phpBB/includes')
41 files changed, 501 insertions, 510 deletions
diff --git a/phpBB/includes/acp/acp_attachments.php b/phpBB/includes/acp/acp_attachments.php index 257edf57e8..4ddcc10d1a 100644 --- a/phpBB/includes/acp/acp_attachments.php +++ b/phpBB/includes/acp/acp_attachments.php @@ -294,7 +294,7 @@ class acp_attachments { $sql = 'SELECT extension FROM ' . EXTENSIONS_TABLE . ' - WHERE extension_id IN (' . implode(', ', $extension_id_list) . ')'; + WHERE ' . $db->sql_in_set('extension_id', $extension_id_list); $result = $db->sql_query($sql); $extension_list = ''; @@ -306,7 +306,7 @@ class acp_attachments $sql = 'DELETE FROM ' . EXTENSIONS_TABLE . ' - WHERE extension_id IN (' . implode(', ', $extension_id_list) . ')'; + WHERE ' . $db->sql_in_set('extension_id', $extension_id_list); $db->sql_query($sql); add_log('admin', 'LOG_ATTACH_EXT_DEL', $extension_list); @@ -508,7 +508,7 @@ class acp_attachments { $sql = 'UPDATE ' . EXTENSIONS_TABLE . " SET group_id = $group_id - WHERE extension_id IN (" . implode(', ', $extension_list) . ")"; + WHERE " . $db->sql_in_set('extension_id', $extension_list); $db->sql_query($sql); } @@ -865,7 +865,7 @@ class acp_attachments $sql = 'SELECT forum_id, topic_id, post_id FROM ' . POSTS_TABLE . ' - WHERE post_id IN (' . implode(', ', array_keys($upload_list)) . ')'; + WHERE ' . $db->sql_in_set('post_id', array_keys($upload_list)); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -1373,16 +1373,16 @@ class acp_attachments } else if (isset($_POST['unsecuresubmit'])) { - $unip_sql = implode(', ', array_map('intval', $_POST['unip'])); + $unip_sql = array_map('intval', $_POST['unip']); - if ($unip_sql != '') + if (sizeof($unip_sql)) { $l_unip_list = ''; - + // Grab details of ips for logging information later $sql = 'SELECT site_ip, site_hostname - FROM ' . SITELIST_TABLE . " - WHERE site_id IN ($unip_sql)"; + FROM ' . SITELIST_TABLE . ' + WHERE ' . $db->sql_in_set('site_id', $unip_sql); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) 
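Review bot: In the `unsecuresubmit` branch of the `-1373` hunk, `array_map('intval', $_POST['unip'])` still reads `$_POST` directly, so a request without `unip`, or with a scalar in it, hands a non-array to `array_map()` and then to `sizeof()`. acp_main.php in this same commit reads its id list with `request_var('mark', array(0))`; the same form here, `$unip_sql = request_var('unip', array(0));`, should yield an integer array in every case. The enclosing method starts and ends outside the hunk.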
@@ -1391,8 +1391,8 @@ class acp_attachments } $db->sql_freeresult($result); - $sql = 'DELETE FROM ' . SITELIST_TABLE . " - WHERE site_id IN ($unip_sql)"; + $sql = 'DELETE FROM ' . SITELIST_TABLE . ' + WHERE ' . $db->sql_in_set('site_id', $unip_sql); $db->sql_query($sql); add_log('admin', 'LOG_DOWNLOAD_REMOVE_IP', $l_unip_list); diff --git a/phpBB/includes/acp/acp_bots.php b/phpBB/includes/acp/acp_bots.php index a57283e3ea..f24a6b7b12 100644 --- a/phpBB/includes/acp/acp_bots.php +++ b/phpBB/includes/acp/acp_bots.php @@ -96,7 +96,7 @@ class acp_bots foreach ($_tables as $table) { $sql = "DELETE FROM $table - WHERE user_id IN (" . implode(', ', $user_id_ary) . ')'; + WHERE " . $db->sql_in_set('user_id', $user_id_ary); $db->sql_query($sql); } diff --git a/phpBB/includes/acp/acp_email.php b/phpBB/includes/acp/acp_email.php index f6f6e0de9d..c20640bd54 100644 --- a/phpBB/includes/acp/acp_email.php +++ b/phpBB/includes/acp/acp_email.php @@ -55,13 +55,11 @@ class acp_email { if ($usernames) { - $usernames = implode(', ', preg_replace('#^[\s]*?(.*?)[\s]*?$#e', "\"'\" . \$db->sql_escape('\\1') . \"'\"", explode("\n", $usernames))); - $sql = 'SELECT username, user_email, user_jabber, user_notify_type, user_lang - FROM ' . USERS_TABLE . " - WHERE username IN ($usernames) + FROM ' . USERS_TABLE . ' + WHERE ' . $db->sql_in_set('username', explode("\n", $usernames)) . ' AND user_allow_massemail = 1 - ORDER BY user_lang, user_notify_type"; // , SUBSTRING(user_email FROM INSTR(user_email, '@')) + ORDER BY user_lang, user_notify_type'; // , SUBSTRING(user_email FROM INSTR(user_email, '@')) } else { diff --git a/phpBB/includes/acp/acp_forums.php b/phpBB/includes/acp/acp_forums.php index 414dc08913..5964a285e7 100644 --- a/phpBB/includes/acp/acp_forums.php +++ b/phpBB/includes/acp/acp_forums.php 
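Review bot: The `-55` hunk in acp_email.php drops the per-line whitespace stripping together with the `preg_replace` `/e` call, so `explode("\n", $usernames)` now hands each name to `sql_in_set()` untrimmed. Unless the value is normalised before this point (not visible here), a name with surrounding spaces or a trailing `\r` matches no row, and a blank line becomes an empty-string entry in the list. Trimming before the call keeps the old matching without bringing `/e` back: `$db->sql_in_set('username', array_map('trim', explode("\n", $usernames)))`. The `-202` hunk in acp_prune.php builds its list with the same bare `explode()`.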
@@ -971,14 +971,14 @@ class acp_forums $sql = 'UPDATE ' . FORUMS_TABLE . " SET right_id = right_id + $diff, forum_parents = '' WHERE " . $to_data['right_id'] . ' BETWEEN left_id AND right_id - AND forum_id NOT IN (' . implode(', ', $moved_ids) . ')'; + AND ' . $db->sql_in_set('forum_id', $moved_ids, true); $db->sql_query($sql); // Resync the righthand side of the tree $sql = 'UPDATE ' . FORUMS_TABLE . " SET left_id = left_id + $diff, right_id = right_id + $diff, forum_parents = '' WHERE left_id > " . $to_data['right_id'] . ' - AND forum_id NOT IN (' . implode(', ', $moved_ids) . ')'; + AND ' . $db->sql_in_set('forum_id', $moved_ids, true); $db->sql_query($sql); // Resync moved branch @@ -997,7 +997,7 @@ class acp_forums { $sql = 'SELECT MAX(right_id) AS right_id FROM ' . FORUMS_TABLE . ' - WHERE forum_id NOT IN (' . implode(', ', $moved_ids) . ')'; + WHERE ' . $db->sql_in_set('forum_id', $moved_ids, true); $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); @@ -1007,7 +1007,7 @@ class acp_forums $sql = 'UPDATE ' . FORUMS_TABLE . " SET left_id = left_id $diff, right_id = right_id $diff, forum_parents = '' - WHERE forum_id IN (" . implode(', ', $moved_ids) . ')'; + WHERE " . $db->sql_in_set('forum_id', $moved_ids); $db->sql_query($sql); } @@ -1119,7 +1119,7 @@ class acp_forums $diff = sizeof($forum_ids) * 2; $sql = 'DELETE FROM ' . FORUMS_TABLE . ' - WHERE forum_id IN (' . implode(', ', $forum_ids) . ')'; + WHERE ' . $db->sql_in_set('forum_id', $forum_ids); $db->sql_query($sql); } else if ($action_subforums == 'move') @@ -1362,11 +1362,10 @@ class acp_forums if (sizeof($ids)) { $start += sizeof($ids); - $id_list = implode(', ', $ids); foreach ($tables as $table) { - $db->sql_query("DELETE FROM $table WHERE $field IN ($id_list)"); + $db->sql_query("DELETE FROM $table WHERE " . $db->sql_in_set($field, $id_list)); } } } 
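Review bot: The last acp_forums.php hunk (`-1362`) removes `$id_list = implode(', ', $ids);` but the new query still passes `$id_list` to `sql_in_set()`, so that variable is undefined in the visible code. Going by the dbal.php hunk, `sql_in_set()` appears to raise `No values specified for SQL IN comparison` as an `E_USER_ERROR` when it receives no values, so this cleanup loop would abort instead of deleting the rows. The call should use the array that the surrounding `sizeof($ids)` check guards: `$db->sql_query("DELETE FROM $table WHERE " . $db->sql_in_set($field, $ids));`.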
diff --git a/phpBB/includes/acp/acp_logs.php b/phpBB/includes/acp/acp_logs.php index 666ff208ba..d233d7c885 100644 --- a/phpBB/includes/acp/acp_logs.php +++ b/phpBB/includes/acp/acp_logs.php @@ -42,14 +42,15 @@ class acp_logs if (($deletemark || $deleteall) && $auth->acl_get('a_clearlogs')) { $where_sql = ''; - if ($deletemark && $marked) + + if ($deletemark && sizeof($marked)) { $sql_in = array(); foreach ($marked as $mark) { $sql_in[] = $mark; } - $where_sql = ' AND log_id IN (' . implode(', ', $sql_in) . ')'; + $where_sql = ' AND ' . $db->sql_in_set('log_id', $sql_in); unset($sql_in); } diff --git a/phpBB/includes/acp/acp_main.php b/phpBB/includes/acp/acp_main.php index 4aedb63df6..81c265581b 100644 --- a/phpBB/includes/acp/acp_main.php +++ b/phpBB/includes/acp/acp_main.php @@ -21,9 +21,9 @@ class acp_main global $phpbb_root_path, $phpbb_admin_path, $phpEx, $table_prefix; $action = request_var('action', ''); - $mark = (isset($_REQUEST['mark'])) ? implode(', ', request_var('mark', array(0))) : ''; + $mark = (isset($_REQUEST['mark'])) ? request_var('mark', array(0)) : array(); - if ($mark) + if (sizeof($mark)) { switch ($action) { @@ -36,8 +36,8 @@ class acp_main } $sql = 'SELECT username - FROM ' . USERS_TABLE . " - WHERE user_id IN ($mark)"; + FROM ' . USERS_TABLE . ' + WHERE ' . $db->sql_in_set('user_id', $mark); $result = $db->sql_query($sql); $user_affected = array(); @@ -50,14 +50,13 @@ class acp_main if ($action == 'activate') { include_once($phpbb_root_path . 'includes/functions_user.' . $phpEx); - $mark_ary = explode(', ', $mark); - foreach ($mark_ary as $user_id) + foreach ($mark as $user_id) { user_active_flip($user_id, USER_INACTIVE); } - set_config('num_users', $config['num_users'] + sizeof($mark_ary), true); + set_config('num_users', $config['num_users'] + sizeof($mark), true); // Update latest username update_last_username(); 
@@ -69,9 +68,9 @@ class acp_main trigger_error($user->lang['NO_ADMIN']); } - $sql = 'DELETE FROM ' . USER_GROUP_TABLE . " WHERE user_id IN ($mark)"; + $sql = 'DELETE FROM ' . USER_GROUP_TABLE . ' WHERE ' . $db->sql_in_set('user_id', $mark); $db->sql_query($sql); - $sql = 'DELETE FROM ' . USERS_TABLE . " WHERE user_id IN ($mark)"; + $sql = 'DELETE FROM ' . USERS_TABLE . ' WHERE ' . $db->sql_in_set('user_id', $mark); $db->sql_query($sql); add_log('admin', 'LOG_INDEX_' . strtoupper($action), implode(', ', $user_affected)); @@ -91,8 +90,8 @@ class acp_main } $sql = 'SELECT user_id, username, user_email, user_lang, user_jabber, user_notify_type, user_regdate, user_actkey - FROM ' . USERS_TABLE . " - WHERE user_id IN ($mark)"; + FROM ' . USERS_TABLE . ' + WHERE ' . $db->sql_in_set('user_id', $mark); $result = $db->sql_query($sql); if ($row = $db->sql_fetchrow($result)) diff --git a/phpBB/includes/acp/acp_modules.php b/phpBB/includes/acp/acp_modules.php index 2d9415bbf6..7c72a1ca6b 100644 --- a/phpBB/includes/acp/acp_modules.php +++ b/phpBB/includes/acp/acp_modules.php @@ -841,7 +841,7 @@ class acp_modules SET right_id = right_id + $diff WHERE module_class = '" . $db->sql_escape($this->module_class) . "' AND " . $to_data['right_id'] . ' BETWEEN left_id AND right_id - AND module_id NOT IN (' . implode(', ', $moved_ids) . ')'; + AND ' . $db->sql_in_set('module_id', $moved_ids, true); $db->sql_query($sql); // Resync the righthand side of the tree @@ -849,7 +849,7 @@ class acp_modules SET left_id = left_id + $diff, right_id = right_id + $diff WHERE module_class = '" . $db->sql_escape($this->module_class) . "' AND left_id > " . $to_data['right_id'] . ' - AND module_id NOT IN (' . implode(', ', $moved_ids) . ')'; + AND ' . $db->sql_in_set('module_id', $moved_ids, true); $db->sql_query($sql); // Resync moved branch 
@@ -868,7 +868,7 @@ class acp_modules $sql = 'SELECT MAX(right_id) AS right_id FROM ' . MODULES_TABLE . " WHERE module_class = '" . $db->sql_escape($this->module_class) . "' - AND module_id NOT IN (" . implode(', ', $moved_ids) . ')'; + AND " . $db->sql_in_set('module_id', $moved_ids, true); $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); @@ -879,7 +879,7 @@ class acp_modules $sql = 'UPDATE ' . MODULES_TABLE . " SET left_id = left_id $diff, right_id = right_id $diff WHERE module_class = '" . $db->sql_escape($this->module_class) . "' - AND module_id IN (" . implode(', ', $moved_ids) . ')'; + AND " . $db->sql_in_set('module_id', $moved_ids); $db->sql_query($sql); } diff --git a/phpBB/includes/acp/acp_permissions.php b/phpBB/includes/acp/acp_permissions.php index 8ebc83c524..53b835df7d 100644 --- a/phpBB/includes/acp/acp_permissions.php +++ b/phpBB/includes/acp/acp_permissions.php @@ -413,7 +413,7 @@ class acp_permissions { $sql = 'SELECT forum_name FROM ' . FORUMS_TABLE . ' - WHERE forum_id IN (' . implode(', ', $forum_id) . ') + WHERE ' . $db->sql_in_set('forum_id', $forum_id) . ' ORDER BY forum_name ASC'; $result = $db->sql_query($sql); @@ -554,7 +554,7 @@ class acp_permissions $sql = "SELECT $sql_id FROM $table - WHERE $sql_id IN (" . implode(', ', $ids) . ')'; + WHERE " . $db->sql_in_set($sql_id, $ids); $result = $db->sql_query($sql); $ids = array(); 
@@ -803,8 +803,8 @@ class acp_permissions } // Logging ... first grab user or groupnames ... - $sql = ($ug_type == 'group') ? 'SELECT group_name as name, group_type FROM ' . GROUPS_TABLE . ' WHERE group_id' : 'SELECT username as name FROM ' . USERS_TABLE . ' WHERE user_id'; - $sql .= ' IN (' . implode(', ', array_map('intval', $ug_id)) . ')'; + $sql = ($ug_type == 'group') ? 'SELECT group_name as name, group_type FROM ' . GROUPS_TABLE . ' WHERE ' : 'SELECT username as name FROM ' . USERS_TABLE . ' WHERE '; + $sql .= $db->sql_in_set(($ug_type == 'group') ? 'group_id' : 'user_id', array_map('intval', $ug_id)); $result = $db->sql_query($sql); $l_ug_list = ''; @@ -825,7 +825,7 @@ class acp_permissions // Grab the forum details if non-zero forum_id $sql = 'SELECT forum_name FROM ' . FORUMS_TABLE . ' - WHERE forum_id IN (' . implode(', ', $forum_id) . ')'; + WHERE ' . $db->sql_in_set('forum_id', $forum_id); $result = $db->sql_query($sql); $l_forum_list = ''; @@ -858,7 +858,7 @@ class acp_permissions if (sizeof($perms)) { $sql = 'DELETE FROM ' . ZEBRA_TABLE . ' - WHERE zebra_id IN (' . implode(', ', array_unique($perms)) . ') + WHERE ' . $db->sql_in_set('zebra_id', array_unique($perms)) . ' AND foe = 1'; $db->sql_query($sql); } @@ -1078,7 +1078,7 @@ class acp_permissions { global $db, $user; - $sql_forum_id = ($permission_scope == 'global') ? 'AND a.forum_id = 0' : ((sizeof($forum_id)) ? 'AND a.forum_id IN (' . implode(', ', $forum_id) . ')' : 'AND a.forum_id <> 0'); + $sql_forum_id = ($permission_scope == 'global') ? 'AND a.forum_id = 0' : ((sizeof($forum_id)) ? 'AND ' . $db->sql_in_set('a.forum_id', $forum_id) : 'AND a.forum_id <> 0'); $sql_permission_option = "AND o.auth_option LIKE '" . $db->sql_escape($permission_type) . "%'"; $sql = $db->sql_build_query('SELECT_DISTINCT', array( diff --git a/phpBB/includes/acp/acp_prune.php b/phpBB/includes/acp/acp_prune.php index 3fa99b6727..4752e7bafe 100644 --- a/phpBB/includes/acp/acp_prune.php 
+++ b/phpBB/includes/acp/acp_prune.php @@ -68,7 +68,7 @@ class acp_prune 'S_PRUNED' => true) ); - $sql_forum = (sizeof($forum_id)) ? ' AND forum_id IN (' . implode(', ', $forum_id) . ')' : ''; + $sql_forum = (sizeof($forum_id)) ? ' AND ' . $db->sql_in_set('forum_id', $forum_id) : ''; // Get a list of forum's or the data for the forum that we are pruning. $sql = 'SELECT forum_id, forum_name @@ -148,7 +148,7 @@ class acp_prune { $sql = 'SELECT forum_id, forum_name FROM ' . FORUMS_TABLE . ' - WHERE forum_id IN (' . implode(', ', $forum_id) . ')'; + WHERE ' . $db->sql_in_set('forum_id', $forum_id); $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); @@ -202,15 +202,7 @@ class acp_prune if ($users) { - $users = explode("\n", $users); - - $where_sql = ''; - - foreach ($users as $username) - { - $where_sql .= (($where_sql != '') ? ', ' : '') . "'" . $db->sql_escape($username) . "'"; - } - $where_sql = " AND username IN ($where_sql)"; + $where_sql = ' AND ' . $db->sql_in_set('username', explode("\n", $users)); } else { diff --git a/phpBB/includes/acp/acp_users.php b/phpBB/includes/acp/acp_users.php index a69a0f6681..e74a830b0f 100644 --- a/phpBB/includes/acp/acp_users.php +++ b/phpBB/includes/acp/acp_users.php @@ -393,7 +393,7 @@ class acp_users { $sql = 'SELECT topic_id, topic_replies, topic_replies_real FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', array_keys($topic_id_ary)) . ')'; + WHERE ' . $db->sql_in_set('topic_id', array_keys($topic_id_ary)); $result = $db->sql_query($sql); $del_topic_ary = array(); @@ -409,7 +409,7 @@ class acp_users if (sizeof($del_topic_ary)) { $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $del_topic_ary) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $del_topic_ary); $db->sql_query($sql); } } 
@@ -495,7 +495,7 @@ class acp_users { $sql = 'SELECT topic_id, forum_id, topic_title, topic_replies, topic_replies_real FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', array_keys($topic_id_ary)) . ')'; + WHERE ' . $db->sql_in_set('topic_id', array_keys($topic_id_ary)); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -842,7 +842,7 @@ class acp_users { $sql_in[] = $mark; } - $where_sql = ' AND log_id IN (' . implode(', ', $sql_in) . ')'; + $where_sql = ' AND ' . $db->sql_in_set('log_id', $sql_in); unset($sql_in); } @@ -1630,7 +1630,7 @@ class acp_users { $sql = 'SELECT real_filename FROM ' . ATTACHMENTS_TABLE . ' - WHERE attach_id IN (' . implode(', ', $marked) . ')'; + WHERE ' . $db->sql_in_set('attach_id', $marked); $result = $db->sql_query($sql); $log_attachments = array(); @@ -1834,7 +1834,7 @@ class acp_users // Select box for other groups $sql = 'SELECT group_id, group_name, group_type FROM ' . GROUPS_TABLE . ' - ' . ((sizeof($id_ary)) ? 'WHERE group_id NOT IN (' . implode(', ', $id_ary) . ')' : '') . ' + ' . ((sizeof($id_ary)) ? 'WHERE ' . $db->sql_in_set('group_id', $id_ary, true) : '') . ' ORDER BY group_type DESC, group_name ASC'; $result = $db->sql_query($sql); diff --git a/phpBB/includes/acp/auth.php b/phpBB/includes/acp/auth.php index a6ff1ddc2b..4ebf617913 100644 --- a/phpBB/includes/acp/auth.php +++ b/phpBB/includes/acp/auth.php @@ -136,7 +136,7 @@ class auth_admin extends auth $sql = 'SELECT user_id, user_permissions, user_type FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(',', $ug_id) . ')'; + WHERE ' . $db->sql_in_set('user_id', $ug_id); $result = $db->sql_query($sql); while ($userdata = $db->sql_fetchrow($result)) 
@@ -292,14 +292,14 @@ class auth_admin extends auth { $sql = 'SELECT user_id as ug_id, username as ug_name FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', array_keys($hold_ary)) . ') + WHERE ' . $db->sql_in_set('user_id', array_keys($hold_ary)) . ' ORDER BY username ASC'; } else { $sql = 'SELECT group_id as ug_id, group_name as ug_name, group_type FROM ' . GROUPS_TABLE . ' - WHERE group_id IN (' . implode(', ', array_keys($hold_ary)) . ') + WHERE ' . $db->sql_in_set('group_id', array_keys($hold_ary)) . ' ORDER BY group_type DESC, group_name ASC'; } $result = $db->sql_query($sql); @@ -361,7 +361,7 @@ class auth_admin extends auth $sql = 'SELECT r.role_id, o.auth_option, r.auth_setting FROM ' . ACL_ROLES_DATA_TABLE . ' r, ' . ACL_OPTIONS_TABLE . ' o WHERE o.auth_option_id = r.auth_option_id - AND r.role_id IN (' . implode(', ', array_keys($roles)) . ')'; + AND ' . $db->sql_in_set('r.role_id', array_keys($roles)); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -584,7 +584,7 @@ class auth_admin extends auth // Get forum names $sql = 'SELECT forum_id, forum_name FROM ' . FORUMS_TABLE . ' - WHERE forum_id IN (' . implode(', ', array_keys($hold_ary)) . ')'; + WHERE ' . $db->sql_in_set('forum_id', array_keys($hold_ary)); $result = $db->sql_query($sql); $forum_names = array(); @@ -605,7 +605,7 @@ class auth_admin extends auth { $sql = 'SELECT user_id, username FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $auth_ary['users']) . ') + WHERE ' . $db->sql_in_set('user_id', $auth_ary['users']) . ' ORDER BY username'; $result = $db->sql_query($sql); @@ -624,7 +624,7 @@ class auth_admin extends auth { $sql = 'SELECT group_id, group_name, group_type FROM ' . GROUPS_TABLE . ' - WHERE group_id IN (' . implode(', ', $auth_ary['groups']) . ') + WHERE ' . $db->sql_in_set('group_id', $auth_ary['groups']) . ' ORDER BY group_type ASC, group_name'; $result = $db->sql_query($sql); 
@@ -768,12 +768,12 @@ class auth_admin extends auth $ug_id = array($ug_id); } - $ug_id_sql = 'IN (' . implode(', ', array_map('intval', $ug_id)) . ')'; - $forum_sql = 'IN (' . implode(', ', array_map('intval', $forum_id)) . ') '; + $ug_id_sql = $db->sql_in_set($ug_type . '_id', array_map('intval', $ug_id)); + $forum_sql = $db->sql_in_set('forum_id', array_map('intval', $forum_id)); // Instead of updating, inserting, removing we just remove all current settings and re-set everything... $table = ($ug_type == 'user') ? ACL_USERS_TABLE : ACL_GROUPS_TABLE; - $id_field = $ug_type . '_id'; + $id_field = $ug_type . '_id'; // Get any flags as required reset($auth); @@ -797,8 +797,8 @@ class auth_admin extends auth } $sql = "DELETE FROM $table - WHERE forum_id $forum_sql - AND $id_field $ug_id_sql + WHERE $forum_sql + AND $ug_id_sql AND auth_option_id IN ($any_option_id, " . implode(', ', $auth_option_ids) . ')'; $db->sql_query($sql); @@ -818,10 +818,10 @@ class auth_admin extends auth if (sizeof($role_ids)) { $sql = "DELETE FROM $table - WHERE forum_id $forum_sql - AND $id_field $ug_id_sql + WHERE $forum_sql + AND $ug_id_sql AND auth_option_id = 0 - AND auth_role_id IN (" . implode(', ', $role_ids) . ')'; + AND " . $db->sql_in_set('auth_role_id', $role_ids); $db->sql_query($sql); } 
@@ -995,12 +995,12 @@ class auth_admin extends auth if ($forum_id !== false) { - $where_sql[] = (!is_array($forum_id)) ? 'forum_id = ' . (int) $forum_id : 'forum_id IN (' . implode(', ', array_map('intval', $forum_id)) . ')'; + $where_sql[] = (!is_array($forum_id)) ? 'forum_id = ' . (int) $forum_id : $db->sql_in_set('forum_id', array_map('intval', $forum_id)); } if ($ug_id !== false) { - $where_sql[] = (!is_array($ug_id)) ? $id_field . ' = ' . (int) $ug_id : $id_field . ' IN (' . implode(', ', array_map('intval', $ug_id)) . ')'; + $where_sql[] = (!is_array($ug_id)) ? $id_field . ' = ' . (int) $ug_id : $db->sql_in_set($id_field, array_map('intval', $ug_id)); } // There seem to be auth options involved, therefore we need to go through the list and make sure we capture roles correctly @@ -1043,7 +1043,7 @@ class auth_admin extends auth $sql = 'SELECT ao.auth_option, rd.role_id, rd.auth_setting FROM ' . ACL_OPTIONS_TABLE . ' ao, ' . ACL_ROLES_DATA_TABLE . ' rd WHERE ao.auth_option_id = rd.auth_option_id - AND rd.role_id IN (' . implode(', ', array_keys($cur_role_auth)) . ')'; + AND ' . $db->sql_in_set('rd.role_id', array_keys($cur_role_auth)); $result = $db->sql_query($sql); $auth_settings = array(); @@ -1072,7 +1072,7 @@ class auth_admin extends auth // Now, normally remove permissions... if ($permission_type !== false) { - $where_sql[] = 'auth_option_id IN (' . implode(', ', array_map('intval', $option_id_ary)) . ')'; + $where_sql[] = $db->sql_in_set('auth_option_id', array_map('intval', $option_id_ary)); } $sql = "DELETE FROM $table diff --git a/phpBB/includes/auth.php b/phpBB/includes/auth.php index af833d04d9..4e6a8af1d8 100644 --- a/phpBB/includes/auth.php +++ b/phpBB/includes/auth.php @@ -161,7 +161,7 @@ class auth if (sizeof($this->acl)) { - $sql .= ' WHERE forum_id NOT IN (' . implode(', ', array_keys($this->acl)) . ')'; + $sql .= ' WHERE ' . $db->sql_in_set('forum_id', array_keys($this->acl), true); } $result = $db->sql_query($sql); 
@@ -418,7 +418,13 @@ class auth { global $db; - $where_sql = ($user_id !== false) ? ' WHERE user_id ' . ((is_array($user_id)) ? ' IN (' . implode(', ', array_map('intval', $user_id)) . ')' : " = $user_id") : ''; + $where_sql = ''; + + if ($user_id !== false) + { + $user_id = (!is_array($user_id)) ? $user_id = array((int) $user_id) : array_map('intval', $user_id); + $where_sql = ' WHERE ' . $db->sql_in_set('user_id', $user_id); + } $sql = 'UPDATE ' . USERS_TABLE . " SET user_permissions = '', @@ -440,8 +446,8 @@ class auth $sql_id = ($user_type == 'user') ? 'user_id' : 'group_id'; - $sql_ug = ($ug_id !== false) ? ((!is_array($ug_id)) ? "AND a.$sql_id = $ug_id" : "AND a.$sql_id IN (" . implode(', ', $ug_id) . ')') : ''; - $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND a.forum_id IN (' . implode(', ', $forum_id) . ')') : ''; + $sql_ug = ($ug_id !== false) ? ((!is_array($ug_id)) ? "AND a.$sql_id = $ug_id" : 'AND ' . $db->sql_in_set("a.$sql_id", $ug_id)) : ''; + $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND ' . $db->sql_in_set('a.forum_id', $forum_id)) : ''; // Grab assigned roles... $sql = 'SELECT a.auth_role_id, a.' . $sql_id . ', a.forum_id @@ -469,8 +475,8 @@ class auth { global $db; - $sql_user = ($user_id !== false) ? ((!is_array($user_id)) ? "user_id = $user_id" : 'user_id IN (' . implode(', ', $user_id) . ')') : ''; - $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND a.forum_id IN (' . implode(', ', $forum_id) . ')') : ''; + $sql_user = ($user_id !== false) ? ((!is_array($user_id)) ? "user_id = $user_id" : $db->sql_in_set('user_id', $user_id)) : ''; + $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND ' . $db->sql_in_set('a.forum_id', $forum_id)) : ''; $sql_opts = ''; 
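Review bot: The ternary added in the `-418` hunk carries a stray inner assignment, `$user_id = (!is_array($user_id)) ? $user_id = array((int) $user_id) : array_map('intval', $user_id);`, which works but reads like a typo. `$user_id = (!is_array($user_id)) ? array((int) $user_id) : array_map('intval', $user_id);` states the same normalisation once. A short comment above it saying that both forms end up as an integer array before reaching `sql_in_set()` would document why the cast is there.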
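Review bot: In the `-440` and `-469` hunks only the array branch moves to `sql_in_set()`; the scalar branch still interpolates the caller's value unquoted and uncast, as in `"AND a.$sql_id = $ug_id"` and `"AND a.forum_id = $forum_id"`. The `-418` hunk just above casts its scalar with `(int)` before building the clause, and the same treatment here would make both branches equally safe whatever a caller passes: `"AND a.$sql_id = " . (int) $ug_id`. The `-586` and `-647` hunks further down in auth.php keep the same raw scalar branch for `$user_id`, `$group_id` and `$forum_id`. Whether any caller can actually pass a non-integer is not visible from these hunks.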
@@ -482,7 +488,7 @@ class auth } else { - $sql_opts = 'AND ao.auth_option IN (' . implode(', ', preg_replace('#^\s*(.*)\s*$#e', "\"'\" . \$db->sql_escape('\\1') . \"'\"", $opts)) . ')'; + $sql_opts = 'AND ' . $db->sql_in_set('ao.auth_option', $opts); } } @@ -586,8 +592,8 @@ class auth { global $db; - $sql_user = ($user_id !== false) ? ((!is_array($user_id)) ? "user_id = $user_id" : 'user_id IN (' . implode(', ', $user_id) . ')') : ''; - $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND a.forum_id IN (' . implode(', ', $forum_id) . ')') : ''; + $sql_user = ($user_id !== false) ? ((!is_array($user_id)) ? "user_id = $user_id" : $db->sql_in_set('user_id', $user_id)) : ''; + $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND ' . $db->sql_in_set('a.forum_id', $forum_id)) : ''; $sql_opts = ''; @@ -599,7 +605,7 @@ class auth } else { - $sql_opts = 'AND ao.auth_option IN (' . implode(', ', preg_replace('#^\s*(.*)\s*$#e', "\"'\" . \$db->sql_escape('\\1') . \"'\"", $opts)) . ')'; + $sql_opts = 'AND ' . $db->sql_in_set('ao.auth_option', $opts); } } @@ -647,8 +653,8 @@ class auth { global $db; - $sql_group = ($group_id !== false) ? ((!is_array($group_id)) ? "group_id = $group_id" : 'group_id IN (' . implode(', ', $group_id) . ')') : ''; - $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND a.forum_id IN (' . implode(', ', $forum_id) . ')') : ''; + $sql_group = ($group_id !== false) ? ((!is_array($group_id)) ? "group_id = $group_id" : $db->sql_in_set('group_id', $group_id)) : ''; + $sql_forum = ($forum_id !== false) ? ((!is_array($forum_id)) ? "AND a.forum_id = $forum_id" : 'AND ' . $db->sql_in_set('a.forum_id', $forum_id)) : ''; if ($opts !== false) { 
@@ -658,7 +664,7 @@ class auth } else { - $sql_opts = 'AND ao.auth_option IN (' . implode(', ', preg_replace('#^\s*(.*)\s*$#e', "\"'\" . \$db->sql_escape('\\1') . \"'\"", $opts)) . ')'; + $sql_opts = 'AND ' . $db->sql_in_set('ao.auth_option', $opts); } } diff --git a/phpBB/includes/bbcode.php b/phpBB/includes/bbcode.php index f8fbbc2d3e..7293f07dc9 100644 --- a/phpBB/includes/bbcode.php +++ b/phpBB/includes/bbcode.php @@ -124,8 +124,7 @@ class bbcode } } - $sql = ''; - $bbcode_ids = $rowset = array(); + $bbcode_ids = $rowset = $sql = array(); $bitfield = new bitfield($this->bbcode_bitfield); $bbcodes_set = $bitfield->get_all_set(); @@ -141,18 +140,18 @@ class bbcode if ($bbcode_id > NUM_CORE_BBCODES) { - $sql .= (($sql) ? ',' : '') . $bbcode_id; + $sql[] = $bbcode_id; } } - if ($sql) + if (sizeof($sql)) { global $db; $sql = 'SELECT * - FROM ' . BBCODES_TABLE . " - WHERE bbcode_id IN ($sql)"; - $result = $db->sql_query($sql); + FROM ' . BBCODES_TABLE . ' + WHERE ' . $db->sql_in_set('bbcode_id', $sql); + $result = $db->sql_query($sql, 3600); while ($row = $db->sql_fetchrow($result)) { diff --git a/phpBB/includes/db/dbal.php b/phpBB/includes/db/dbal.php index b12ff81e0f..f774b5dcc3 100644 --- a/phpBB/includes/db/dbal.php +++ b/phpBB/includes/db/dbal.php @@ -193,22 +193,14 @@ class dbal { $fields[] = $key; - if (is_null($var)) - { - $values[] = 'NULL'; - } - else if (is_string($var)) - { - $values[] = "'" . $this->sql_escape($var) . "'"; - } - else if (is_array($var) && is_string($var[0])) + if (is_array($var) && is_string($var[0])) { // This is used for INSERT_SELECT(s) $values[] = $var[0]; } else { - $values[] = (is_bool($var)) ? intval($var) : $var; + $values[] = $this->_sql_validate_value($var); } } 
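Review bot: The `-141` hunk in bbcode.php adds a cache lifetime, `$db->sql_query($sql, 3600)`, which is unrelated to the `sql_in_set()` conversion and is not explained anywhere visible. With a one-hour TTL, an administrator's edit or removal of a custom BBCode may keep rendering from the cached rows unless the ACP invalidates that query cache, which cannot be confirmed from this diff. Either leave the TTL out of this commit or add a comment at the call naming where the cache is cleared. Separately, `$sql` now holds the id array and is overwritten with the query string in the same statement; a distinct name for the list would read more clearly.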
@@ -222,25 +214,7 @@ class dbal $values = array(); foreach ($sql_ary as $key => $var) { - if (is_null($var)) - { - $values[] = 'NULL'; - } - else if (is_string($var)) - { - if (strpos($key, 'bitfield') === false) - { - $values[] = "'" . $this->sql_escape($var) . "'"; - } - else - { - $values[] = $this->sql_escape_binary($var); - } - } - else - { - $values[] = (is_bool($var)) ? intval($var) : $var; - } + $values[] = $this->_sql_validate_value($var); } $ary[] = '(' . implode(', ', $values) . ')'; } @@ -252,25 +226,7 @@ class dbal $values = array(); foreach ($assoc_ary as $key => $var) { - if (is_null($var)) - { - $values[] = "$key = NULL"; - } - else if (is_string($var)) - { - if (strpos($key, 'bitfield') === false) - { - $values[] = "$key = '" . $this->sql_escape($var) . "'"; - } - else - { - $values[] = "$key = " . $this->sql_escape_binary($var); - } - } - else - { - $values[] = (is_bool($var)) ? "$key = " . intval($var) : "$key = $var"; - } + $values[] = "$key = " . $this->_sql_validate_value($var); } $query = implode(($query == 'UPDATE') ? ', ' : ' AND ', $values); } @@ -285,30 +241,10 @@ class dbal trigger_error('No values specified for SQL IN comparison', E_USER_ERROR); } - $bitfield = (strpos($field, 'bitfield') !== false); - $values = array(); foreach ($array as $var) { - if (is_null($var)) - { - $values[] = 'NULL'; - } - else if (is_string($var)) - { - if (!$bitfield) - { - $values[] = "'" . $this->sql_escape($var) . "'"; - } - else - { - $values[] = $this->sql_escape_binary($var); - } - } - else - { - $values[] = (is_bool($var)) ? intval($var) : $var; - } + $values[] = $this->_sql_validate_value($var); } if (sizeof($values) == 1) 
@@ -317,13 +253,28 @@ class dbal } else { - return $field . ($negate ? ' NOT IN ' : ' IN ' ) . '(' . implode(',', $values) . ')'; + return $field . ($negate ? ' NOT IN ' : ' IN ' ) . '(' . implode(', ', $values) . ')'; } } - function sql_escape_binary($msg) + /** + * Function for validating values + * @access private + */ + function _sql_validate_value($var) { - return "'" . $this->sql_escape($msg) . "'"; + if (is_null($var)) + { + return 'NULL'; + } + else if (is_string($var)) + { + return "'" . $this->sql_escape($var) . "'"; + } + else + { + return (is_bool($var)) ? intval($var) : $var; + } } /** diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index a676a717ff..48fec2d795 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -576,13 +576,13 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ { $sql = 'DELETE FROM ' . TOPICS_TRACK_TABLE . " WHERE user_id = {$user->data['user_id']} - AND forum_id IN (" . implode(', ', $forum_id) . ")"; + AND " . $db->sql_in_set('forum_id', $forum_id); $db->sql_query($sql); $sql = 'SELECT forum_id FROM ' . FORUMS_TRACK_TABLE . " WHERE user_id = {$user->data['user_id']} - AND forum_id IN (" . implode(', ', $forum_id) . ')'; + AND " . $db->sql_in_set('forum_id', $forum_id); $result = $db->sql_query($sql); $sql_update = array(); @@ -597,7 +597,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ $sql = 'UPDATE ' . FORUMS_TRACK_TABLE . ' SET mark_time = ' . time() . " WHERE user_id = {$user->data['user_id']} - AND forum_id IN (" . implode(', ', $sql_update) . ')'; + AND " . $db->sql_in_set('forum_id', $sql_update); $db->sql_query($sql); } 
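Review bot: `_sql_validate_value()` in the `-317` hunk quotes and escapes only strings; its final `else` returns every other type unchanged, so an array or object reaching it is string-converted straight into the statement text. The insert/update builders in the hunks above and `sql_in_set()` now all depend on this one helper, so it is worth making the numeric case explicit, `else if (is_int($var) || is_float($var)) { return $var; }`, and ending with a `trigger_error()` for unsupported types. The docblock should also say that the return value is an SQL literal ready for concatenation, and that callers must pass raw values rather than pre-quoted fragments. The removed `sql_escape_binary()` did the same as the string branch in this class; whether a driver subclass overrode it is not visible here.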
@@ -888,7 +888,7 @@ function get_complete_topic_tracking($forum_id, $topic_ids, $global_announce_lis $sql = 'SELECT topic_id, mark_time FROM ' . TOPICS_TRACK_TABLE . " WHERE user_id = {$user->data['user_id']} - AND topic_id IN (" . implode(', ', $topic_ids) . ")"; + AND " . $db->sql_in_set('topic_id', $topic_ids); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -1805,13 +1805,13 @@ function login_forum_box($forum_data) $sql_in = array(); do { - $sql_in[] = "'" . $db->sql_escape($row['session_id']) . "'"; + $sql_in[] = (string) $row['session_id']; } while ($row = $db->sql_fetchrow($result)); // Remove expired sessions $sql = 'DELETE FROM ' . FORUMS_ACCESS_TABLE . ' - WHERE session_id NOT IN (' . implode(', ', $sql_in) . ')'; + WHERE ' . $db->sql_in_set('session_id', $sql_in, true); $db->sql_query($sql); } $db->sql_freeresult($result); diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php index 0eec9a5114..3b039d110d 100644 --- a/phpBB/includes/functions_admin.php +++ b/phpBB/includes/functions_admin.php @@ -206,7 +206,7 @@ function group_select_options($group_id, $exclude_ids = false) { global $db, $user, $config; - $exclude_sql = ($exclude_ids !== false && sizeof($exclude_ids)) ? 'WHERE group_id NOT IN (' . implode(', ', array_map('intval', $exclude_ids)) . ')' : ''; + $exclude_sql = ($exclude_ids !== false && sizeof($exclude_ids)) ? 'WHERE ' . $db->sql_in_set('group_id', array_map('intval', $exclude_ids), true) : ''; $sql_and = (!$config['coppa_enable']) ? (($exclude_sql) ? ' AND ' : ' WHERE ') . "group_name NOT IN ('INACTIVE_COPPA', 'REGISTERED_COPPA')" : ''; $sql = 'SELECT group_id, group_name, group_type @@ -376,7 +376,7 @@ function move_topics($topic_ids, $forum_id, $auto_sync = true) } $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE topic_moved_id IN (' . implode(', ', $topic_ids) . ') + WHERE ' . $db->sql_in_set('topic_moved_id', $topic_ids) . ' AND forum_id = ' . $forum_id; $db->sql_query($sql); 
@@ -384,7 +384,7 @@ function move_topics($topic_ids, $forum_id, $auto_sync = true) { $sql = 'SELECT DISTINCT forum_id FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -399,7 +399,7 @@ function move_topics($topic_ids, $forum_id, $auto_sync = true) { $sql = "UPDATE $table SET forum_id = $forum_id - WHERE topic_id IN (" . implode(', ', $topic_ids) . ')'; + WHERE " . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); } unset($table_ary); @@ -428,7 +428,7 @@ function move_posts($post_ids, $topic_id, $auto_sync = true) $sql = 'SELECT DISTINCT topic_id, forum_id FROM ' . POSTS_TABLE . ' - WHERE post_id IN (' . implode(', ', $post_ids) . ')'; + WHERE ' . $db->sql_in_set('post_id', $post_ids); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -452,12 +452,12 @@ function move_posts($post_ids, $topic_id, $auto_sync = true) $sql = 'UPDATE ' . POSTS_TABLE . ' SET forum_id = ' . $forum_row['forum_id'] . ", topic_id = $topic_id - WHERE post_id IN (" . implode(', ', $post_ids) . ')'; + WHERE " . $db->sql_in_set('post_id', $post_ids); $db->sql_query($sql); $sql = 'UPDATE ' . ATTACHMENTS_TABLE . " SET topic_id = $topic_id, in_message = 0 - WHERE post_msg_id IN (" . implode(', ', $post_ids) . ')'; + WHERE " . $db->sql_in_set('post_msg_id', $post_ids); $db->sql_query($sql); if ($auto_sync) @@ -487,6 +487,10 @@ function delete_topics($where_type, $where_ids, $auto_sync = true) { $where_ids = array_unique($where_ids); } + else + { + $where_ids = array($where_ids); + } if (!sizeof($where_ids)) { 
@@ -498,8 +502,8 @@ function delete_topics($where_type, $where_ids, $auto_sync = true) ); $sql = 'SELECT topic_id, forum_id - FROM ' . TOPICS_TABLE . " - WHERE $where_type " . ((!is_array($where_ids)) ? "= $where_ids" : 'IN (' . implode(', ', $where_ids) . ')'); + FROM ' . TOPICS_TABLE . ' + WHERE ' . $db->sql_in_set($where_type, $where_ids); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -516,8 +520,6 @@ function delete_topics($where_type, $where_ids, $auto_sync = true) return $return; } - $sql_where = ' IN (' . implode(', ', $topic_ids) . ')'; - $db->sql_transaction('begin'); $table_ary = array(TOPICS_TRACK_TABLE, TOPICS_POSTED_TABLE, POLL_VOTES_TABLE, POLL_OPTIONS_TABLE, TOPICS_WATCH_TABLE, TOPICS_TABLE); @@ -525,13 +527,13 @@ function delete_topics($where_type, $where_ids, $auto_sync = true) foreach ($table_ary as $table) { $sql = "DELETE FROM $table - WHERE topic_id $sql_where"; + WHERE " . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); } unset($table_ary); $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE topic_moved_id' . $sql_where; + WHERE ' . $db->sql_in_set('topic_moved_id', $topic_ids); $db->sql_query($sql); $db->sql_transaction('commit'); @@ -558,8 +560,12 @@ function delete_posts($where_type, $where_ids, $auto_sync = true, $posted_sync = { $where_ids = array_unique($where_ids); } + else + { + $where_ids = array($where_ids); + } - if (empty($where_ids)) + if (!sizeof($where_ids)) { return false; } 
@@ -567,8 +573,8 @@ function delete_posts($where_type, $where_ids, $auto_sync = true, $posted_sync = $post_ids = $topic_ids = $forum_ids = $post_counts = array(); $sql = 'SELECT post_id, poster_id, post_postcount, topic_id, forum_id - FROM ' . POSTS_TABLE . " - WHERE $where_type " . ((!is_array($where_ids)) ? '= ' . (int) $where_ids : 'IN (' . implode(', ', array_map('intval', $where_ids)) . ')'); + FROM ' . POSTS_TABLE . ' + WHERE ' . $db->sql_in_set($where_type, array_map('intval', $where_ids)); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -590,8 +596,6 @@ function delete_posts($where_type, $where_ids, $auto_sync = true, $posted_sync = return false; } - $sql_where = implode(', ', $post_ids); - $db->sql_transaction('begin'); $table_ary = array(POSTS_TABLE, REPORTS_TABLE); @@ -599,7 +603,7 @@ function delete_posts($where_type, $where_ids, $auto_sync = true, $posted_sync = foreach ($table_ary as $table) { $sql = "DELETE FROM $table - WHERE post_id IN ($sql_where)"; + WHERE " . $db->sql_in_set('post_id', $post_ids); $db->sql_query($sql); } unset($table_ary); @@ -693,7 +697,7 @@ function delete_attachments($mode, $ids, $resync = true) { $sql = 'SELECT post_msg_id as post_id, topic_id, physical_filename, thumbnail, filesize FROM ' . ATTACHMENTS_TABLE . ' - WHERE ' . $sql_id . ' IN (' . implode(', ', $ids) . ')'; + WHERE ' . $db->sql_in_set($sql_id, $ids); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -709,7 +713,7 @@ function delete_attachments($mode, $ids, $resync = true) { $sql = 'SELECT topic_id, physical_filename, thumbnail, filesize FROM ' . ATTACHMENTS_TABLE . ' - WHERE post_msg_id IN (' . implode(', ', $ids) . ') + WHERE ' . $db->sql_in_set('post_msg_id', $ids) . ' AND in_message = 0'; $result = $db->sql_query($sql); 
@@ -723,7 +727,7 @@ function delete_attachments($mode, $ids, $resync = true) // Delete attachments $sql = 'DELETE FROM ' . ATTACHMENTS_TABLE . ' - WHERE ' . $sql_id . ' IN (' . implode(', ', $ids) . ')'; + WHERE ' . $db->sql_in_set($sql_id, $ids); $db->sql_query($sql); $num_deleted = $db->sql_affectedrows(); @@ -771,7 +775,7 @@ function delete_attachments($mode, $ids, $resync = true) { $sql = 'UPDATE ' . POSTS_TABLE . ' SET post_attachment = 0 - WHERE post_id IN (' . implode(', ', $post_ids) . ')'; + WHERE ' . $db->sql_in_set('post_id', $post_ids); $db->sql_query($sql); } @@ -781,7 +785,7 @@ function delete_attachments($mode, $ids, $resync = true) $sql = 'SELECT post_msg_id FROM ' . ATTACHMENTS_TABLE . ' - WHERE post_msg_id IN (' . implode(', ', $post_ids) . ') + WHERE ' . $db->sql_in_set('post_msg_id', $post_ids) . ' AND in_message = 0'; $result = $db->sql_query($sql); @@ -797,7 +801,7 @@ function delete_attachments($mode, $ids, $resync = true) { $sql = 'UPDATE ' . POSTS_TABLE . ' SET post_attachment = 0 - WHERE post_id IN (' . implode(', ', $unset_ids) . ')'; + WHERE ' . $db->sql_in_set('post_id', $unset_ids); $db->sql_query($sql); } @@ -805,7 +809,7 @@ function delete_attachments($mode, $ids, $resync = true) $sql = 'SELECT post_msg_id FROM ' . ATTACHMENTS_TABLE . ' - WHERE post_msg_id IN (' . implode(', ', $post_ids) . ') + WHERE ' . $db->sql_in_set('post_msg_id', $post_ids) . ' AND in_message = 1'; $result = $db->sql_query($sql); @@ -821,7 +825,7 @@ function delete_attachments($mode, $ids, $resync = true) { $sql = 'UPDATE ' . PRIVMSGS_TABLE . ' SET message_attachment = 0 - WHERE msg_id IN (' . implode(', ', $unset_ids) . ')'; + WHERE ' . $db->sql_in_set('msg_id', $unset_ids); $db->sql_query($sql); } } 
@@ -834,7 +838,7 @@ function delete_attachments($mode, $ids, $resync = true) { $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_attachment = 0 - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); } @@ -844,7 +848,7 @@ function delete_attachments($mode, $ids, $resync = true) $sql = 'SELECT topic_id FROM ' . ATTACHMENTS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -859,7 +863,7 @@ function delete_attachments($mode, $ids, $resync = true) { $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_attachment = 0 - WHERE topic_id IN (' . implode(', ', $unset_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $unset_ids); $db->sql_query($sql); } } @@ -873,7 +877,7 @@ function delete_attachments($mode, $ids, $resync = true) */ function delete_topic_shadows($max_age, $forum_id = '', $auto_sync = true) { - $where = (is_array($forum_id)) ? 'AND t.forum_id IN (' . implode(', ', array_map('intval', $forum_id)) . ')' : (($forum_id) ? 'AND t.forum_id = ' . (int) $forum_id : ''); + $where = (is_array($forum_id)) ? 'AND ' . $db->sql_in_set('t.forum_id', array_map('intval', $forum_id)) : (($forum_id) ? 'AND t.forum_id = ' . (int) $forum_id : ''); switch (SQL_LAYER) { @@ -905,7 +909,7 @@ function delete_topic_shadows($max_age, $forum_id = '', $auto_sync = true) if (sizeof($topic_ids)) { $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(',', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); } break; 
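Review bot: `delete_topic_shadows()` now calls `$db->sql_in_set()` in the first statement of its body, but no `global $db;` precedes that line in the hunk, so `$db` appears to be undefined there and the call would fail whenever `$forum_id` is an array. The removed line built the `IN (...)` list with `implode()` only and did not need the database object, which is why the missing declaration did not matter before. The function continues outside the hunk; if a `global $db;` exists further down, it has to move above the `$where` assignment.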
@@ -932,13 +936,13 @@ function update_posted_info(&$topic_ids) // First of all, let us remove any posted information for these topics $sql = 'DELETE FROM ' . TOPICS_POSTED_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); // Now, let us collect the user/topic combos for rebuilding the information $sql = 'SELECT poster_id, topic_id FROM ' . POSTS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_ids) . ') + WHERE ' . $db->sql_in_set('topic_id', $topic_ids) . ' AND poster_id <> ' . ANONYMOUS . ' GROUP BY poster_id, topic_id'; $result = $db->sql_query($sql); @@ -1058,7 +1062,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, // Limit the topics/forums we are syncing, use specific topic/forum IDs. // $where_type contains the field for the where clause (forum_id, topic_id) - $where_sql = 'WHERE ' . $mode{0} . ".$where_type IN (" . implode(', ', $where_ids) . ')'; + $where_sql = 'WHERE ' . $db->sql_in_set($mode{0} . '.' . $where_type, $where_ids); $where_sql_and = $where_sql . "\n\tAND"; } } @@ -1070,7 +1074,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, } // $where_type contains the field for the where clause (forum_id, topic_id) - $where_sql = 'WHERE ' . $mode{0} . ".$where_type IN (" . implode(', ', $where_ids) . ')'; + $where_sql = 'WHERE ' . $db->sql_in_set($mode{0} . '.' . $where_type, $where_ids); $where_sql_and = $where_sql . "\n\tAND"; } @@ -1108,7 +1112,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, } $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_id_ary) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_id_ary); $db->sql_query($sql); break; 
@@ -1147,7 +1151,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_approved = 1 - topic_approved - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); break; } @@ -1174,7 +1178,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, $sql = 'SELECT DISTINCT(post_id) FROM ' . REPORTS_TABLE . ' - WHERE post_id IN (' . implode(', ', $post_ids) . ') + WHERE ' . $db->sql_in_set('post_id', $post_ids) . ' AND report_closed = 0'; $result = $db->sql_query($sql); @@ -1203,7 +1207,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, { $sql = 'UPDATE ' . POSTS_TABLE . ' SET post_reported = 1 - post_reported - WHERE post_id IN (' . implode(', ', $post_ids) . ')'; + WHERE ' . $db->sql_in_set('post_id', $post_ids); $db->sql_query($sql); } break; @@ -1245,7 +1249,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, { $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_reported = 1 - topic_reported - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); } break; @@ -1271,7 +1275,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, $sql = 'SELECT DISTINCT(post_msg_id) FROM ' . ATTACHMENTS_TABLE . ' - WHERE post_msg_id IN (' . implode(', ', $post_ids) . ') + WHERE ' . $db->sql_in_set('post_msg_id', $post_ids) . ' AND in_message = 0'; $result = $db->sql_query($sql); @@ -1300,7 +1304,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, { $sql = 'UPDATE ' . POSTS_TABLE . ' SET post_attachment = 1 - post_attachment - WHERE post_id IN (' . implode(', ', $post_ids) . ')'; + WHERE ' . $db->sql_in_set('post_id', $post_ids); $db->sql_query($sql); } break; 
@@ -1342,7 +1346,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, { $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_attachment = 1 - topic_attachment - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); } break; @@ -1385,7 +1389,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, // 2: Get topic counts for each forum $sql = 'SELECT forum_id, topic_approved, COUNT(topic_id) AS forum_topics FROM ' . TOPICS_TABLE . ' - WHERE forum_id IN (' . implode(', ', $forum_ids) . ') + WHERE ' . $db->sql_in_set('forum_id', $forum_ids) . ' GROUP BY forum_id, topic_approved'; $result = $db->sql_query($sql); @@ -1404,7 +1408,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, // 3: Get post count and last_post_id for each forum $sql = 'SELECT forum_id, COUNT(post_id) AS forum_posts, MAX(post_id) AS last_post_id FROM ' . POSTS_TABLE . ' - WHERE forum_id IN (' . implode(', ', $forum_ids) . ') + WHERE ' . $db->sql_in_set('forum_id', $forum_ids) . ' AND post_approved = 1 GROUP BY forum_id'; $result = $db->sql_query($sql); @@ -1425,7 +1429,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, { $sql = 'SELECT p.post_id, p.poster_id, p.post_time, p.post_username, u.username FROM ' . POSTS_TABLE . ' p, ' . USERS_TABLE . ' u - WHERE p.post_id IN (' . implode(', ', $post_ids) . ') + WHERE ' . $db->sql_in_set('p.post_id', $post_ids) . ' AND p.poster_id = u.user_id'; $result = $db->sql_query($sql); 
@@ -1491,15 +1495,21 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, break; case 'topic': - $topic_data = $post_ids = $approved_unapproved_ids = $resync_forums = $delete_topics = $delete_posts = array(); + $topic_data = $post_ids = $approved_unapproved_ids = $resync_forums = $delete_topics = $delete_posts = $moved_topics = array(); - $sql = 'SELECT t.topic_id, t.forum_id, t.topic_approved, ' . (($sync_extra) ? 't.topic_attachment, t.topic_reported, ' : '') . 't.topic_poster, t.topic_time, t.topic_replies, t.topic_replies_real, t.topic_first_post_id, t.topic_first_poster_name, t.topic_last_post_id, t.topic_last_poster_id, t.topic_last_poster_name, t.topic_last_post_time + $sql = 'SELECT t.topic_id, t.forum_id, t.topic_moved_id, t.topic_approved, ' . (($sync_extra) ? 't.topic_attachment, t.topic_reported, ' : '') . 't.topic_poster, t.topic_time, t.topic_replies, t.topic_replies_real, t.topic_first_post_id, t.topic_first_poster_name, t.topic_last_post_id, t.topic_last_poster_id, t.topic_last_poster_name, t.topic_last_post_time FROM ' . TOPICS_TABLE . " t $where_sql"; $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) { + if ($row['topic_moved_id']) + { + $moved_topics[] = $row['topic_id']; + continue; + } + $topic_id = (int) $row['topic_id']; $topic_data[$topic_id] = $row; $topic_data[$topic_id]['replies_real'] = -1; 
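Review bot: `$moved_topics[] = $row['topic_id'];` stores the id exactly as the driver returns it, while the next statement casts the same column with `(int) $row['topic_id']`. The collected ids are later passed to `sql_in_set('t1.topic_id', $moved_topics)` in the shadow-topic check, so casting here keeps them integer literals regardless of how the value helper treats strings: `$moved_topics[] = (int) $row['topic_id'];`. The surrounding `case 'topic':` block continues outside the hunk.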
@@ -1603,9 +1613,34 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, unset($delete_topics, $delete_topic_ids); } + // Make sure shadow topics do link to existing topics + if (sizeof($moved_topics)) + { + $delete_topics = array(); + + $sql = 'SELECT t1.topic_id, t1.topic_moved_id + FROM ' . TOPICS_TABLE . ' t1 + LEFT JOIN ' . TOPICS_TABLE . ' t2 ON (t2.topic_id = t1.topic_moved_id) + WHERE ' . $db->sql_in_set('t1.topic_id', $moved_topics) . ' + AND t2.topic_id IS NULL'; + $result = $db->sql_query($sql); + + while ($row = $db->sql_fetchrow($result)) + { + $delete_topics[] = $row['topic_id']; + } + $db->sql_freeresult($result); + + if (sizeof($delete_topics)) + { + delete_topics('topic_id', $delete_topics, false); + } + unset($delete_topics); + } + $sql = 'SELECT p.post_id, p.topic_id, p.post_approved, p.poster_id, p.post_username, p.post_time, u.username FROM ' . POSTS_TABLE . ' p, ' . USERS_TABLE . ' u - WHERE p.post_id IN (' . implode(',', $post_ids) . ') + WHERE ' . $db->sql_in_set('p.post_id', $post_ids) . ' AND u.user_id = p.poster_id'; $result = $db->sql_query($sql); @@ -1639,7 +1674,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, { $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_approved = 1 - topic_approved - WHERE topic_id IN (' . implode(', ', $approved_unapproved_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $approved_unapproved_ids); $db->sql_query($sql); } unset($approved_unapproved_ids); @@ -1726,9 +1761,18 @@ function prune($forum_id, $prune_mode, $prune_date, $prune_flags = 0, $auto_sync { global $db; - $sql_forum = (is_array($forum_id)) ? ' IN (' . implode(', ', array_map('intval', $forum_id)) . ')' : ' = ' . (int) $forum_id; + if (!is_array($forum_id)) + { + $forum_id = array($forum_id); + } + + if (!sizeof($forum_id)) + { + return; + } $sql_and = ''; + if (!($prune_flags & 4)) { $sql_and .= ' AND topic_type <> ' . POST_ANNOUNCE; 
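Review bot: In `prune()` the removed `$sql_forum` line cast every forum id with `array_map('intval', ...)` or `(int)`, but the replacement passes `$forum_id` to `sql_in_set()` uncast; the two `WHERE` clauses are in the following hunks at -1750 and -1766. Adding `$forum_id = array_map('intval', $forum_id);` right after the `is_array()` normalisation would keep the earlier guarantee that only integers reach the query. The new early `return;` also yields no value, so if callers use the result of `prune()` (not visible in this hunk) it should return the same shape as the normal path.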
@@ -1750,8 +1794,8 @@ function prune($forum_id, $prune_mode, $prune_date, $prune_flags = 0, $auto_sync } $sql = 'SELECT topic_id - FROM ' . TOPICS_TABLE . " - WHERE forum_id $sql_forum + FROM ' . TOPICS_TABLE . ' + WHERE ' . $db->sql_in_set('forum_id', $forum_id) . " AND poll_start = 0 $sql_and"; $result = $db->sql_query($sql); @@ -1766,8 +1810,8 @@ function prune($forum_id, $prune_mode, $prune_date, $prune_flags = 0, $auto_sync if ($prune_flags & 2) { $sql = 'SELECT topic_id - FROM ' . TOPICS_TABLE . " - WHERE forum_id $sql_forum + FROM ' . TOPICS_TABLE . ' + WHERE ' . $db->sql_in_set('forum_id', $forum_id) . " AND poll_start > 0 AND poll_last_vote < $prune_date $sql_and"; @@ -1934,7 +1978,7 @@ function cache_moderators() AND ((a.auth_setting = ' . ACL_NEVER . ' AND r.auth_setting IS NULL) OR r.auth_setting = ' . ACL_NEVER . ') AND a.group_id = ug.group_id - AND ug.user_id IN (' . implode(', ', $ug_id_ary) . ") + AND ' . $db->sql_in_set('ug.user_id', $ug_id_ary) . " AND ug.user_pending = 0 AND o.auth_option LIKE 'm\_%'", )); @@ -1954,7 +1998,7 @@ function cache_moderators() // Get usernames... $sql = 'SELECT user_id, username FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', array_keys($hold_ary)) . ')'; + WHERE ' . $db->sql_in_set('user_id', array_keys($hold_ary)); $result = $db->sql_query($sql); $usernames_ary = array(); @@ -1989,7 +2033,7 @@ function cache_moderators() // Make sure not hidden or special groups are involved... $sql = 'SELECT group_name, group_id, group_type FROM ' . GROUPS_TABLE . ' - WHERE group_id IN (' . implode(', ', $ug_id_ary) . ')'; + WHERE ' . $db->sql_in_set('group_id', $ug_id_ary); $result = $db->sql_query($sql); $groupnames_ary = array(); 
@@ -2082,7 +2126,7 @@ function view_log($mode, &$log, &$log_count, $limit = 0, $offset = 0, $forum_id } else if (is_array($forum_id)) { - $sql_forum = 'AND l.forum_id IN (' . implode(', ', array_map('intval', $forum_id)) . ')'; + $sql_forum = 'AND ' . $db->sql_in_set('l.forum_id', array_map('intval', $forum_id)); } else { @@ -2174,7 +2218,7 @@ function view_log($mode, &$log, &$log_count, $limit = 0, $offset = 0, $forum_id // although it's also used to determine if the topic still exists in the database $sql = 'SELECT topic_id, forum_id FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', array_map('intval', $topic_id_list)) . ')'; + WHERE ' . $db->sql_in_set('topic_id', array_map('intval', $topic_id_list)); $result = $db->sql_query($sql); $default_forum_id = 0; @@ -2472,9 +2516,8 @@ function tidy_warnings() { $db->sql_transaction('begin'); - $sql_where = ' IN (' . implode(', ', $warning_list) . ')'; - $sql = 'DELETE FROM ' . WARNINGS_TABLE . " - WHERE warning_id $sql_where"; + $sql = 'DELETE FROM ' . WARNINGS_TABLE . ' + WHERE ' . $db->sql_in_set('warning_id', $warning_list); $db->sql_query($sql); foreach ($user_list as $user_id => $value) diff --git a/phpBB/includes/functions_display.php b/phpBB/includes/functions_display.php index 10de128e31..f6b73afa0e 100644 --- a/phpBB/includes/functions_display.php +++ b/phpBB/includes/functions_display.php @@ -556,18 +556,22 @@ function get_moderators(&$forum_moderators, $forum_id = false) return; } - if ($forum_id !== false && is_array($forum_id)) + $forum_sql = ''; + + if ($forum_id !== false) { + if (!is_array($forum_id)) + { + $forum_id = array($forum_id); + } + // If we don't have a forum then we can't have a moderator if (!sizeof($forum_id)) { return; } - $forum_sql = 'AND forum_id IN (' . implode(', ', $forum_id) . ')'; - } - else - { - $forum_sql = ($forum_id !== false) ? 'AND forum_id = ' . $forum_id : ''; + + $forum_sql = 'AND ' . $db->sql_in_set('forum_id', $forum_id); } $sql = 'SELECT * 
@@ -1012,7 +1016,7 @@ function display_user_activity(&$userdata) } $forum_ary = array_unique($forum_ary); - $post_count_sql = (sizeof($forum_ary)) ? 'AND f.forum_id NOT IN (' . implode(', ', $forum_ary) . ')' : ''; + $post_count_sql = (sizeof($forum_ary)) ? 'AND ' . $db->sql_in_set('f.forum_id', $forum_ary, true) : ''; // Firebird does not support ORDER BY on aliased columns // MySQL does not support ORDER BY on functions diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php index 1e3fd877b3..da3931d371 100644 --- a/phpBB/includes/functions_posting.php +++ b/phpBB/includes/functions_posting.php @@ -114,9 +114,9 @@ function update_post_information($type, $ids, $return_update_sql = false) $update_sql = $empty_forums = array(); $sql = 'SELECT ' . $type . '_id, MAX(post_id) as last_post_id - FROM ' . POSTS_TABLE . " + FROM ' . POSTS_TABLE . ' WHERE post_approved = 1 - AND {$type}_id IN (" . implode(', ', $ids) . ") + AND ' . $db->sql_in_set($type . '_id', $ids) . " GROUP BY {$type}_id"; $result = $db->sql_query($sql); @@ -150,7 +150,7 @@ function update_post_information($type, $ids, $return_update_sql = false) $sql = 'SELECT p.' . $type . '_id, p.post_id, p.post_time, p.poster_id, p.post_username, u.user_id, u.username FROM ' . POSTS_TABLE . ' p, ' . USERS_TABLE . ' u WHERE p.poster_id = u.user_id - AND p.post_id IN (' . implode(', ', $last_post_ids) . ')'; + AND ' . $db->sql_in_set('p.post_id', $last_post_ids); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -757,7 +757,7 @@ function load_drafts($topic_id = 0, $forum_id = 0, $id = 0) { $sql = 'SELECT topic_id, forum_id, topic_title FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(',', array_unique($topic_ids)) . ')'; + WHERE ' . $db->sql_in_set('topic_id', array_unique($topic_ids)); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) 
@@ -1109,7 +1109,7 @@ function user_notification($mode, $subject, $topic_title, $forum_name, $forum_id $sql = 'UPDATE ' . TOPICS_WATCH_TABLE . " SET notify_status = 1 WHERE topic_id = $topic_id - AND user_id IN (" . implode(', ', $update_notification['topic']) . ")"; + AND " . $db->sql_in_set('user_id', $update_notification['topic']); $db->sql_query($sql); } @@ -1118,7 +1118,7 @@ function user_notification($mode, $subject, $topic_title, $forum_name, $forum_id $sql = 'UPDATE ' . FORUMS_WATCH_TABLE . " SET notify_status = 1 WHERE forum_id = $forum_id - AND user_id IN (" . implode(', ', $update_notification['forum']) . ")"; + AND " . $db->sql_in_set('user_id', $update_notification['forum']); $db->sql_query($sql); } @@ -1127,7 +1127,7 @@ function user_notification($mode, $subject, $topic_title, $forum_name, $forum_id { $sql = 'DELETE FROM ' . TOPICS_WATCH_TABLE . " WHERE topic_id = $topic_id - AND user_id IN (" . implode(', ', $delete_ids['topic']) . ")"; + AND " . $db->sql_in_set('user_id', $delete_ids['topic']); $db->sql_query($sql); } @@ -1135,7 +1135,7 @@ function user_notification($mode, $subject, $topic_title, $forum_name, $forum_id { $sql = 'DELETE FROM ' . FORUMS_WATCH_TABLE . " WHERE forum_id = $forum_id - AND user_id IN (" . implode(', ', $delete_ids['forum']) . ")"; + AND " . $db->sql_in_set('user_id', $delete_ids['forum']); $db->sql_query($sql); } diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php index 068925b359..fe38b6276b 100644 --- a/phpBB/includes/functions_privmsgs.php +++ b/phpBB/includes/functions_privmsgs.php @@ -387,7 +387,7 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) { $sql = 'SELECT * FROM ' . USER_GROUP_TABLE . ' - WHERE user_id IN (' . implode(', ', $user_ids) . ') + WHERE ' . $db->sql_in_set('user_id', $user_ids) . ' AND user_pending = 0'; $result = $db->sql_query($sql); 
@@ -506,7 +506,7 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) { $sql = 'UPDATE ' . PRIVMSGS_TO_TABLE . ' SET pm_unread = 0 - WHERE msg_id IN (' . implode(', ', $unread_ids) . ") + WHERE ' . $db->sql_in_set('msg_id', $unread_ids) . " AND user_id = $user_id AND folder_id = " . PRIVMSGS_NO_BOX; $db->sql_query($sql); @@ -519,7 +519,7 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) SET pm_marked = !pm_marked WHERE folder_id = ' . PRIVMSGS_NO_BOX . " AND user_id = $user_id - AND msg_id IN (" . implode(', ', $important_ids) . ')'; + AND " . $db->sql_in_set('msg_id', $important_ids); $db->sql_query($sql); } @@ -531,9 +531,15 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) // Determine Full Folder Action - we need the move to folder id later eventually $full_folder_action = ($user->data['user_full_folder'] == FULL_FOLDER_NONE) ? ($config['full_folder_action'] - (FULL_FOLDER_NONE*(-1))) : $user->data['user_full_folder']; + $sql_folder = array_keys($move_into_folder); + if ($full_folder_action >= 0) + { + $sql_folder[] = $full_folder_action; + } + $sql = 'SELECT folder_id, pm_count FROM ' . PRIVMSGS_FOLDER_TABLE . ' - WHERE folder_id IN (' . implode(', ', array_keys($move_into_folder)) . (($full_folder_action >= 0) ? ', ' . $full_folder_action : '') . ") + WHERE ' . $db->sql_in_set('folder_id', $sql_folder) . " AND user_id = $user_id"; $result = $db->sql_query($sql); @@ -543,6 +549,8 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) } $db->sql_freeresult($result); + unset($sql_folder); + if (in_array(PRIVMSGS_INBOX, array_keys($move_into_folder))) { $sql = 'SELECT folder_id, COUNT(msg_id) as num_messages 
@@ -610,7 +618,7 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) SET folder_id = ' . PRIVMSGS_HOLD_BOX . ' WHERE folder_id = ' . PRIVMSGS_NO_BOX . " AND user_id = $user_id - AND msg_id IN (" . implode(', ', $msg_ary) . ')'; + AND " . $db->sql_in_set('msg_id', $msg_ary); $db->sql_query($sql); } else @@ -620,7 +628,7 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) WHERE folder_id = " . PRIVMSGS_NO_BOX . " AND user_id = $user_id AND pm_new = 1 - AND msg_id IN (" . implode(', ', $msg_ary) . ')'; + AND " . $db->sql_in_set('msg_id', $msg_ary); $db->sql_query($sql); if ($dest_folder != PRIVMSGS_INBOX) @@ -645,7 +653,7 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false) $sql = 'UPDATE ' . PRIVMSGS_TO_TABLE . ' SET folder_id = ' . PRIVMSGS_SENTBOX . ' WHERE folder_id = ' . PRIVMSGS_OUTBOX . ' - AND msg_id IN (' . implode(', ', array_keys($action_ary)) . ')'; + AND ' . $db->sql_in_set('msg_id', array_keys($action_ary)); $db->sql_query($sql); } @@ -730,7 +738,7 @@ function move_pm($user_id, $message_limit, $move_msg_ids, $dest_folder, $cur_fol SET folder_id = $dest_folder WHERE folder_id = $cur_folder_id AND user_id = $user_id - AND msg_id IN (" . implode(', ', $move_msg_ids) . ')'; + AND " . $db->sql_in_set('msg_id', $move_msg_ids); $db->sql_query($sql); $num_moved = $db->sql_affectedrows(); @@ -809,7 +817,7 @@ function handle_mark_actions($user_id, $mark_action) SET pm_marked = !pm_marked WHERE folder_id = $cur_folder_id AND user_id = $user_id - AND msg_id IN (" . implode(', ', $msg_ids) . ')'; + AND " . $db->sql_in_set('msg_id', $msg_ids); $db->sql_query($sql); break; 
@@ -879,7 +887,7 @@ function delete_pm($user_id, $msg_ids, $folder_id) // Get PM Informations for later deleting $sql = 'SELECT msg_id, pm_unread, pm_new FROM ' . PRIVMSGS_TO_TABLE . ' - WHERE msg_id IN (' . implode(', ', array_map('intval', $msg_ids)) . ") + WHERE ' . $db->sql_in_set('msg_id', array_map('intval', $msg_ids)) . " AND folder_id = $folder_id AND user_id = $user_id"; $result = $db->sql_query($sql); @@ -908,19 +916,19 @@ function delete_pm($user_id, $msg_ids, $folder_id) // Remove PM from Outbox $sql = 'DELETE FROM ' . PRIVMSGS_TO_TABLE . " WHERE user_id = $user_id AND folder_id = " . PRIVMSGS_OUTBOX . ' - AND msg_id IN (' . implode(', ', array_keys($delete_rows)) . ')'; + AND ' . $db->sql_in_set('msg_id', array_keys($delete_rows)); $db->sql_query($sql); // Update PM Information for safety $sql = 'UPDATE ' . PRIVMSGS_TABLE . " SET message_text = '' - WHERE msg_id IN (" . implode(', ', array_keys($delete_rows)) . ')'; + WHERE " . $db->sql_in_set('msg_id', array_keys($delete_rows)); $db->sql_query($sql); // Set delete flag for those intended to receive the PM // We do not remove the message actually, to retain some basic informations (sent time for example) $sql = 'UPDATE ' . PRIVMSGS_TO_TABLE . ' SET pm_deleted = 1 - WHERE msg_id IN (' . implode(', ', array_keys($delete_rows)) . ')'; + WHERE ' . $db->sql_in_set('msg_id', array_keys($delete_rows)); $db->sql_query($sql); $num_deleted = $db->sql_affectedrows(); @@ -931,7 +939,7 @@ function delete_pm($user_id, $msg_ids, $folder_id) $sql = 'DELETE FROM ' . PRIVMSGS_TO_TABLE . " WHERE user_id = $user_id AND folder_id = $folder_id - AND msg_id IN (" . implode(', ', array_keys($delete_rows)) . ')'; + AND " . $db->sql_in_set('msg_id', array_keys($delete_rows)); $db->sql_query($sql); $num_deleted = $db->sql_affectedrows(); } 
@@ -961,7 +969,7 @@ function delete_pm($user_id, $msg_ids, $folder_id) // Now we have to check which messages we can delete completely $sql = 'SELECT msg_id FROM ' . PRIVMSGS_TO_TABLE . ' - WHERE msg_id IN (' . implode(', ', array_keys($delete_rows)) . ')'; + WHERE ' . $db->sql_in_set('msg_id', array_keys($delete_rows)); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -970,12 +978,12 @@ function delete_pm($user_id, $msg_ids, $folder_id) } $db->sql_freeresult($result); - $delete_ids = implode(', ', array_keys($delete_rows)); + $delete_ids = array_keys($delete_rows); - if ($delete_ids) + if (sizeof($delete_ids)) { $sql = 'DELETE FROM ' . PRIVMSGS_TABLE . ' - WHERE msg_id IN (' . $delete_ids . ')'; + WHERE ' . $db->sql_in_set('msg_id', $delete_ids); $db->sql_query($sql); } @@ -1051,7 +1059,7 @@ function write_pm_addresses($check_ary, $author_id, $plaintext = false) { $sql = 'SELECT user_id, username, user_colour FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $u) . ') + WHERE ' . $db->sql_in_set('user_id', $u) . ' AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')'; $result = $db->sql_query($sql); @@ -1078,7 +1086,7 @@ function write_pm_addresses($check_ary, $author_id, $plaintext = false) { $sql = 'SELECT group_name, group_type FROM ' . GROUPS_TABLE . ' - WHERE group_id IN (' . implode(', ', $g) . ')'; + WHERE ' . $db->sql_in_set('group_id', $g); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -1094,7 +1102,7 @@ function write_pm_addresses($check_ary, $author_id, $plaintext = false) { $sql = 'SELECT g.group_id, g.group_name, g.group_colour, g.group_type, ug.user_id FROM ' . GROUPS_TABLE . ' g, ' . USER_GROUP_TABLE . ' ug - WHERE g.group_id IN (' . implode(', ', $g) . ') + WHERE ' . $db->sql_in_set('g.group_id', $g) . ' AND g.group_id = ug.group_id AND ug.user_pending = 0'; $result = $db->sql_query($sql); 
@@ -1234,7 +1242,7 @@ function submit_pm($mode, $subject, &$data, $update_message, $put_in_outbox = tr { $sql = 'SELECT group_id, user_id FROM ' . USER_GROUP_TABLE . ' - WHERE group_id IN (' . implode(', ', array_keys($data['address_list']['g'])) . ') + WHERE ' . $db->sql_in_set('group_id', array_keys($data['address_list']['g'])) . ' AND user_pending = 0'; $result = $db->sql_query($sql); @@ -1373,7 +1381,7 @@ function submit_pm($mode, $subject, &$data, $update_message, $put_in_outbox = tr $sql = 'UPDATE ' . USERS_TABLE . ' SET user_new_privmsg = user_new_privmsg + 1, user_unread_privmsg = user_unread_privmsg + 1, user_last_privmsg = ' . time() . ' - WHERE user_id IN (' . implode(', ', array_keys($recipients)) . ')'; + WHERE ' . $db->sql_in_set('user_id', array_keys($recipients)); $db->sql_query($sql); // Put PM into outbox @@ -1501,7 +1509,7 @@ function pm_notification($mode, $author, $recipients, $subject, $message) // Get banned User ID's $sql = 'SELECT ban_userid FROM ' . BANLIST_TABLE . ' - WHERE ban_userid IN (' . implode(', ', array_map('intval', array_keys($recipients))) . ') + WHERE ' . $db->sql_in_set('ban_userid', array_map('intval', array_keys($recipients))) . ' AND ban_exclude = 0'; $result = $db->sql_query($sql); @@ -1516,11 +1524,9 @@ function pm_notification($mode, $author, $recipients, $subject, $message) return; } - $recipient_list = implode(', ', array_map('intval', array_keys($recipients))); - $sql = 'SELECT user_id, username, user_email, user_lang, user_notify_pm, user_notify_type, user_jabber - FROM ' . USERS_TABLE . " - WHERE user_id IN ($recipient_list)"; + FROM ' . USERS_TABLE . ' + WHERE ' . $db->sql_in_set('user_id', array_map('intval', array_keys($recipients))); $result = $db->sql_query($sql); $msg_list_ary = array(); diff --git a/phpBB/includes/functions_profile_fields.php b/phpBB/includes/functions_profile_fields.php index 505e61b67b..6f71724754 100644 --- a/phpBB/includes/functions_profile_fields.php 
+++ b/phpBB/includes/functions_profile_fields.php @@ -358,14 +358,14 @@ class custom_profile $this->build_cache(); } - if (!implode(', ', $user_id)) + if (!sizeof($user_id)) { return array(); } $sql = 'SELECT * FROM ' . PROFILE_FIELDS_DATA_TABLE . ' - WHERE user_id IN (' . implode(', ', array_map('intval', $user_id)) . ')'; + WHERE ' . $db->sql_in_set('user_id', array_map('intval', $user_id)); $result = $db->sql_query($sql); $field_data = array(); @@ -787,20 +787,13 @@ class custom_profile $sql_not_in = array(); foreach ($cp_data as $key => $null) { - if (strncmp($key, '_', 1) === 0) - { - $sql_not_in[] = "'" . $db->sql_escape(substr($key, 1)) . "'"; - } - else - { - $sql_not_in[] = "'" . $db->sql_escape($key) . "'"; - } + $sql_not_in[] = (strncmp($key, '_', 1) === 0) ? substr($key, 1) : $key; } $sql = 'SELECT f.field_type, f.field_ident, f.field_default_value, l.lang_default_value FROM ' . PROFILE_LANG_TABLE . ' l, ' . PROFILE_FIELDS_TABLE . ' f WHERE l.lang_id = ' . $user->get_iso_lang_id() . ' - ' . ((sizeof($sql_not_in)) ? ' AND f.field_ident NOT IN (' . implode(', ', $sql_not_in) . ')' : '') . ' + ' . ((sizeof($sql_not_in)) ? ' AND ' . $db->sql_in_set('f.field_ident', $sql_not_in, true) : '') . ' AND l.field_id = f.field_id'; $result = $db->sql_query($sql); diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index bc1c41b087..c03e92d0b0 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -34,7 +34,7 @@ function user_get_id_name(&$user_id_ary, &$username_ary) $$which_ary = array($$which_ary); } - $sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', $$which_ary) : preg_replace('#^\s*(.*)\s*$#e', "\"'\" . \$db->sql_escape('\\1') . \"'\"", $$which_ary); + $sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', $$which_ary) : $$which_ary; unset($$which_ary); $user_id_ary = $username_ary = array(); 
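Review bot: In the `foreach ($cp_data as $key => $null)` loop of the `-787,20` hunk the explicit `$db->sql_escape()` calls are gone, so quoting and escaping of every `f.field_ident` value now rests entirely on `$db->sql_in_set()`, whose body is not on this page. If that helper escapes string items as the change assumes, a comment above the loop would keep a later maintainer from pre-escaping or bypassing it: `// raw identifiers only: sql_in_set() is responsible for quoting and escaping`. The same hand-over happens in the `user_ban` hunks (`$sql_usernames` and the `'ip'` case) and in the `fulltext_native` `$exact_words` hunk. The enclosing method starts and ends outside the hunk.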
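Review bot: Replacing the `preg_replace('#^\s*(.*)\s*$#e', ...)` call in `user_get_id_name` (hunk `-34,7`) also drops the whitespace stripping that pattern performed, so a username with leading blanks now reaches the query unchanged. Removing the `/e` evaluation is the right move, but the normalisation should stay, for example `: array_map('trim', $$which_ary);`. Escaping of these names is left to `sql_in_set()` in the following hunk, which this hunk does not show.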
@@ -42,8 +42,8 @@ function user_get_id_name(&$user_id_ary, &$username_ary) // Grab the user id/username records $sql_where = ($which_ary == 'user_id_ary') ? 'user_id' : 'username'; $sql = 'SELECT user_id, username - FROM ' . USERS_TABLE . " - WHERE $sql_where IN (" . implode(', ', $sql_in) . ')'; + FROM ' . USERS_TABLE . ' + WHERE ' . $db->sql_in_set($sql_where, $sql_in); $result = $db->sql_query($sql); if (!($row = $db->sql_fetchrow($result))) @@ -307,7 +307,7 @@ function user_delete($mode, $user_id, $post_username = false) { $sql = 'SELECT topic_id, topic_replies, topic_replies_real FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', array_keys($topic_id_ary)) . ')'; + WHERE ' . $db->sql_in_set('topic_id', array_keys($topic_id_ary)); $result = $db->sql_query($sql); $del_topic_ary = array(); @@ -323,7 +323,7 @@ function user_delete($mode, $user_id, $post_username = false) if (sizeof($del_topic_ary)) { $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $del_topic_ary) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $del_topic_ary); $db->sql_query($sql); } } @@ -528,24 +528,23 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas $username = trim($username); if ($username != '') { - $sql_usernames[] = "'" . $db->sql_escape($username) . "'"; + $sql_usernames[] = strtolower($username); } } - $sql_usernames = implode(', ', $sql_usernames); // Make sure we have been given someone to ban - if (empty($sql_usernames)) + if (!sizeof($sql_usernames)) { trigger_error($user->lang['NO_USER_SPECIFIED']); } $sql = 'SELECT user_id FROM ' . USERS_TABLE . ' - WHERE username IN (' . $sql_usernames . ')'; + WHERE ' . $db->sql_in_set('LOWER(username)', $sql_usernames); if (sizeof($founder)) { - $sql .= ' AND user_id NOT IN (' . implode(', ', array_keys($founder)) . ')'; + $sql .= ' AND ' . $db->sql_in_set('user_id', array_keys($founder), true); } $result = $db->sql_query($sql); 
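Review bot: In the `user_ban` hunk (`-528,24`) the names are folded with PHP's `strtolower()` while the column is folded with SQL `LOWER(username)`, and the two need not agree for non-ASCII letters, so a ban on such a name could silently select no user. Either fold both sides the same way or state the limit at `$sql_usernames[] = strtolower($username);`, e.g. `// strtolower() is byte-wise; must agree with the database's LOWER() for the board's charset`. Wrapping the column in `LOWER()` may also stop the database from using an index on `username`; that is inferred, as the schema is not shown. The function body continues outside the hunk.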
@@ -762,17 +761,11 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas switch ($mode) { case 'user': - $sql_where = (in_array('*', $banlist_ary)) ? '' : 'WHERE session_user_id IN (' . implode(', ', $banlist_ary) . ')'; + $sql_where = (in_array('*', $banlist_ary)) ? '' : 'WHERE ' . $db->sql_in_set('session_user_id', $banlist_ary); break; case 'ip': - $banlist_ary_sql = array(); - - foreach ($banlist_ary as $ban_entry) - { - $banlist_ary_sql[] = "'" . $db->sql_escape($ban_entry) . "'"; - } - $sql_where = 'WHERE session_ip IN (' . implode(', ', $banlist_ary_sql) . ')'; + $sql_where = 'WHERE ' . $db->sql_in_set('session_ip', $banlist_ary); break; case 'email': @@ -780,12 +773,12 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas foreach ($banlist_ary as $ban_entry) { - $banlist_ary_sql[] = "'" . $db->sql_escape(str_replace('*', '%', $ban_entry)) . "'"; + $banlist_ary_sql[] = (string) str_replace('*', '%', $ban_entry); } $sql = 'SELECT user_id FROM ' . USERS_TABLE . ' - WHERE user_email IN (' . implode(', ', $banlist_ary_sql) . ')'; + WHERE ' . $db->sql_in_set('user_email', $banlist_ary_sql); $result = $db->sql_query($sql); $sql_in = array(); @@ -798,7 +791,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas } while ($row = $db->sql_fetchrow($result)); - $sql_where = 'WHERE session_user_id IN (' . implode(', ', $sql_in) . ")"; + $sql_where = 'WHERE ' . $db->sql_in_set('session_user_id', $sql_in); } $db->sql_freeresult($result); break; @@ -812,7 +805,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas if ($mode == 'user') { - $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . ' ' . ((in_array('*', $banlist_ary)) ? '' : 'WHERE user_id IN (' . implode(', ', $banlist_ary) . ')'); + $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . ' ' . ((in_array('*', $banlist_ary)) ? '' : 'WHERE ' . $db->sql_in_set('user_id', $banlist_ary)); $db->sql_query($sql); } } 
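Review bot: The `'email'` case (hunk `-780,12`) still converts `*` to `%` in each ban entry, but the values are then compared through `sql_in_set('user_email', ...)`, which presumably emits `IN`/`=` like the code it replaces, where `%` is an ordinary character. A wildcard ban such as `*@example.test` (constructed sample) would then match no `user_email` row, and the sessions of the affected users would stay alive. Either build `LIKE` conditions for entries that contain `%`, or record the gap next to the loop: `// NOTE: '%' is literal in IN/=; wildcard e-mail bans are not matched here`. The `switch` begins and ends outside this hunk.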
@@ -847,30 +840,30 @@ function user_unban($mode, $ban) $ban = array($ban); } - $unban_sql = implode(', ', array_map('intval', $ban)); + $unban_sql = array_map('intval', $ban); - if ($unban_sql) + if (sizeof($unban_sql)) { // Grab details of bans for logging information later switch ($mode) { case 'user': $sql = 'SELECT u.username AS unban_info - FROM ' . USERS_TABLE . ' u, ' . BANLIST_TABLE . " b - WHERE b.ban_id IN ($unban_sql) - AND u.user_id = b.ban_userid"; + FROM ' . USERS_TABLE . ' u, ' . BANLIST_TABLE . ' b + WHERE ' . $db->sql_in_set('b.ban_id', $unban_sql) . ' + AND u.user_id = b.ban_userid'; break; case 'email': $sql = 'SELECT ban_email AS unban_info - FROM ' . BANLIST_TABLE . " - WHERE ban_id IN ($unban_sql)"; + FROM ' . BANLIST_TABLE . ' + WHERE ' . $db->sql_in_set('ban_id', $unban_sql); break; case 'ip': $sql = 'SELECT ban_ip AS unban_info - FROM ' . BANLIST_TABLE . " - WHERE ban_id IN ($unban_sql)"; + FROM ' . BANLIST_TABLE . ' + WHERE ' . $db->sql_in_set('ban_id', $unban_sql); break; } $result = $db->sql_query($sql); @@ -882,8 +875,8 @@ function user_unban($mode, $ban) } $db->sql_freeresult($result); - $sql = 'DELETE FROM ' . BANLIST_TABLE . " - WHERE ban_id IN ($unban_sql)"; + $sql = 'DELETE FROM ' . BANLIST_TABLE . ' + WHERE ' . $db->sql_in_set('ban_id', $unban_sql); $db->sql_query($sql); add_log('admin', 'LOG_UNBAN_' . strtoupper($mode), $l_unban_list); @@ -1580,7 +1573,7 @@ function group_user_add($group_id, $user_id_ary = false, $username_ary = false, // Remove users who are already members of this group $sql = 'SELECT user_id, group_leader FROM ' . USER_GROUP_TABLE . ' - WHERE user_id IN (' . implode(', ', $user_id_ary) . ") + WHERE ' . $db->sql_in_set('user_id', $user_id_ary) . " AND group_id = $group_id"; $result = $db->sql_query($sql); 
@@ -1636,7 +1629,7 @@ function group_user_add($group_id, $user_id_ary = false, $username_ary = false, { $sql = 'UPDATE ' . USER_GROUP_TABLE . ' SET group_leader = 1 - WHERE user_id IN (' . implode(', ', $update_id_ary) . ") + WHERE ' . $db->sql_in_set('user_id', $update_id_ary) . " AND group_id = $group_id"; $db->sql_query($sql); } @@ -1682,7 +1675,7 @@ function group_user_del($group_id, $user_id_ary = false, $username_ary = false, $sql = 'SELECT * FROM ' . GROUPS_TABLE . ' - WHERE group_name IN (' . implode(', ', preg_replace('#^(.*)$#', "'\\1'", $group_order)) . ')'; + WHERE ' . $db->sql_in_set('group_name', $group_order); $result = $db->sql_query($sql); $group_order_id = $special_group_data = array(); @@ -1711,7 +1704,7 @@ function group_user_del($group_id, $user_id_ary = false, $username_ary = false, // Get users default groups - we only need to reset default group membership if the group from which the user gets removed is set as default $sql = 'SELECT user_id, group_id FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $user_id_ary) . ")"; + WHERE ' . $db->sql_in_set('user_id', $user_id_ary); $result = $db->sql_query($sql); $default_groups = array(); @@ -1724,7 +1717,7 @@ function group_user_del($group_id, $user_id_ary = false, $username_ary = false, // What special group memberships exist for these users? $sql = 'SELECT g.group_id, g.group_name, ug.user_id FROM ' . USER_GROUP_TABLE . ' ug, ' . GROUPS_TABLE . ' g - WHERE ug.user_id IN (' . implode(', ', $user_id_ary) . ") + WHERE ' . $db->sql_in_set('ug.user_id', $user_id_ary) . " AND g.group_id = ug.group_id AND g.group_id <> $group_id AND g.group_type = " . GROUP_SPECIAL . ' 
@@ -1760,7 +1753,7 @@ function group_user_del($group_id, $user_id_ary = false, $username_ary = false, // Ok, get the original avatar data from users having an uploaded one (we need to remove these from the filesystem) $sql = 'SELECT user_id, user_avatar FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $sql_where_ary[$gid]) . ') + WHERE ' . $db->sql_in_set('user_id', $sql_where_ary[$gid]) . ' AND user_avatar_type = ' . AVATAR_UPLOAD; $result = $db->sql_query($sql); @@ -1772,7 +1765,7 @@ function group_user_del($group_id, $user_id_ary = false, $username_ary = false, } $sql = 'UPDATE ' . USERS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $special_group_data[$gid]) . ' - WHERE user_id IN (' . implode(', ', $sql_where_ary[$gid]) . ')'; + WHERE ' . $db->sql_in_set('user_id', $sql_where_ary[$gid]); $db->sql_query($sql); } } @@ -1780,7 +1773,7 @@ function group_user_del($group_id, $user_id_ary = false, $username_ary = false, $sql = 'DELETE FROM ' . USER_GROUP_TABLE . " WHERE group_id = $group_id - AND user_id IN (" . implode(', ', $user_id_ary) . ')'; + AND " . $db->sql_in_set('user_id', $user_id_ary); $db->sql_query($sql); // Clear permissions cache of relevant users @@ -1825,7 +1818,7 @@ function group_user_attributes($action, $group_id, $user_id_ary = false, $userna $sql = 'UPDATE ' . USER_GROUP_TABLE . ' SET group_leader = ' . (($action == 'promote') ? 1 : 0) . " WHERE group_id = $group_id - AND user_id IN (" . implode(', ', $user_id_ary) . ')'; + AND " . $db->sql_in_set('user_id', $user_id_ary); $db->sql_query($sql); $log = ($action == 'promote') ? 'LOG_GROUP_PROMOTED' : 'LOG_GROUP_DEMOTED'; 
@@ -1838,7 +1831,7 @@ function group_user_attributes($action, $group_id, $user_id_ary = false, $userna WHERE ug.group_id = ' . $group_id . ' AND ug.user_pending = 1 AND ug.user_id = u.user_id - AND ug.user_id IN (' . implode(', ', $user_id_ary) . ')'; + AND ' . $db->sql_in_set('ug.user_id', $user_id_ary); $result = $db->sql_query($sql); $user_id_ary = $email_users = array(); @@ -1857,7 +1850,7 @@ function group_user_attributes($action, $group_id, $user_id_ary = false, $userna $sql = 'UPDATE ' . USER_GROUP_TABLE . " SET user_pending = 0 WHERE group_id = $group_id - AND user_id IN (" . implode(', ', $user_id_ary) . ')'; + AND " . $db->sql_in_set('user_id', $user_id_ary); $db->sql_query($sql); // Send approved email to users... @@ -1963,7 +1956,7 @@ function group_set_user_default($group_id, $user_id_ary, $group_attributes = fal // Ok, get the original avatar data from users having an uploaded one (we need to remove these from the filesystem) $sql = 'SELECT user_id, user_avatar FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $user_id_ary) . ') + WHERE ' . $db->sql_in_set('user_id', $user_id_ary) . ' AND user_avatar_type = ' . AVATAR_UPLOAD; $result = $db->sql_query($sql); @@ -1975,7 +1968,7 @@ function group_set_user_default($group_id, $user_id_ary, $group_attributes = fal } $sql = 'UPDATE ' . USERS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . ' - WHERE user_id IN (' . implode(', ', $user_id_ary) . ')'; + WHERE ' . $db->sql_in_set('user_id', $user_id_ary); $db->sql_query($sql); } 
@@ -2016,22 +2009,29 @@ function group_memberships($group_id_ary = false, $user_id_ary = false, $return_ return true; } + if ($user_id_ary) + { + $user_id_ary = (!is_array($user_id_ary)) ? array($user_id_ary) : $user_id_ary; + } + + if ($group_id_ary) + { + $group_id_ary = (!is_array($group_id_ary)) ? array($group_id_ary) : $group_id_ary; + } + $sql = 'SELECT ug.*, u.username, u.user_email FROM ' . USER_GROUP_TABLE . ' ug, ' . USERS_TABLE . ' u WHERE ug.user_id = u.user_id AND '; - if ($group_id_ary && $user_id_ary) - { - $sql .= " ug.group_id " . ((is_array($group_id_ary)) ? ' IN (' . implode(', ', $group_id_ary) . ')' : " = $group_id_ary") . " - AND ug.user_id " . ((is_array($user_id_ary)) ? ' IN (' . implode(', ', $user_id_ary) . ')' : " = $user_id_ary"); - } - else if ($group_id_ary) + if ($group_id_ary) { - $sql .= " ug.group_id " . ((is_array($group_id_ary)) ? ' IN (' . implode(', ', $group_id_ary) . ')' : " = $group_id_ary"); + $sql .= ' ' . $db->sql_in_set('ug.group_id', $group_id_ary); } - else if ($user_id_ary) + + if ($user_id_ary) { - $sql .= " ug.user_id " . ((is_array($user_id_ary)) ? ' IN (' . implode(', ', $user_id_ary) . ')' : " = $user_id_ary"); + $sql .= ($group_id_ary) ? ' AND ' : ' '; + $sql .= $db->sql_in_set('ug.user_id', $user_id_ary); } $result = ($return_bool) ? $db->sql_query_limit($sql, 1) : $db->sql_query($sql); diff --git a/phpBB/includes/mcp/mcp_forum.php b/phpBB/includes/mcp/mcp_forum.php index 36211ab5b0..09470b8269 100644 --- a/phpBB/includes/mcp/mcp_forum.php +++ b/phpBB/includes/mcp/mcp_forum.php @@ -177,7 +177,7 @@ function mcp_resync_topics($topic_ids) $sql = 'SELECT topic_id, forum_id, topic_title FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $result = $db->sql_query($sql); // Log this action diff --git a/phpBB/includes/mcp/mcp_front.php b/phpBB/includes/mcp/mcp_front.php index 4ff02c7a43..745b2c0d61 100644 
--- a/phpBB/includes/mcp/mcp_front.php +++ b/phpBB/includes/mcp/mcp_front.php @@ -41,7 +41,7 @@ function mcp_front_view($id, $mode, $action) $sql = 'SELECT forum_id, forum_name FROM ' . FORUMS_TABLE . ' - WHERE forum_id IN (' . implode(', ', $forum_list) . ')'; + WHERE ' . $db->sql_in_set('forum_id', $forum_list); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -65,7 +65,7 @@ function mcp_front_view($id, $mode, $action) $sql = 'SELECT p.post_id, p.post_subject, p.post_time, p.poster_id, p.post_username, u.username, t.topic_id, t.topic_title, t.topic_first_post_id, p.forum_id FROM ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . ' u - WHERE p.post_id IN (' . implode(', ', $post_list) . ') + WHERE ' . $db->sql_in_set('p.post_id', $post_list) . ' AND t.topic_id = p.topic_id AND p.poster_id = u.user_id ORDER BY p.post_time DESC'; diff --git a/phpBB/includes/mcp/mcp_logs.php b/phpBB/includes/mcp/mcp_logs.php index e14ac094fe..f9cf7d27df 100755 --- a/phpBB/includes/mcp/mcp_logs.php +++ b/phpBB/includes/mcp/mcp_logs.php @@ -84,7 +84,7 @@ class mcp_logs $sql_in[] = $mark; } - $where_sql = ' AND log_id IN (' . implode(', ', $sql_in) . ')'; + $where_sql = ' AND ' . $db->sql_in_set('log_id', $sql_in); unset($sql_in); } diff --git a/phpBB/includes/mcp/mcp_main.php b/phpBB/includes/mcp/mcp_main.php index ce0c47941d..9b2d47c818 100644 --- a/phpBB/includes/mcp/mcp_main.php +++ b/phpBB/includes/mcp/mcp_main.php @@ -224,8 +224,8 @@ function lock_unlock($action, $ids) if (confirm_box(true)) { $sql = "UPDATE $table - SET $set_id = " . (($action == 'lock' || $action == 'lock_post') ? ITEM_LOCKED : ITEM_UNLOCKED) . " - WHERE $sql_id IN (" . implode(', ', $ids) . ")"; + SET $set_id = " . (($action == 'lock' || $action == 'lock_post') ? ITEM_LOCKED : ITEM_UNLOCKED) . ' + WHERE ' . $db->sql_in_set($sql_id, $ids); $db->sql_query($sql); $data = ($action == 'lock' || $action == 'unlock') ? get_topic_data($ids) : get_post_data($ids); 
@@ -311,7 +311,7 @@ function change_topic_type($action, $topic_ids) { $sql = 'UPDATE ' . TOPICS_TABLE . " SET topic_type = $new_topic_type - WHERE topic_id IN (" . implode(', ', $topic_ids) . ') + WHERE " . $db->sql_in_set('topic_id', $topic_ids) . ' AND forum_id <> 0'; $db->sql_query($sql); @@ -320,14 +320,14 @@ function change_topic_type($action, $topic_ids) { $sql = 'UPDATE ' . TOPICS_TABLE . " SET topic_type = $new_topic_type, forum_id = $forum_id - WHERE topic_id IN (" . implode(', ', $topic_ids) . ') + WHERE " . $db->sql_in_set('topic_id', $topic_ids) . ' AND forum_id = 0'; $db->sql_query($sql); // Update forum_ids for all posts $sql = 'UPDATE ' . POSTS_TABLE . " SET forum_id = $forum_id - WHERE topic_id IN (" . implode(', ', $topic_ids) . ') + WHERE " . $db->sql_in_set('topic_id', $topic_ids) . ' AND forum_id = 0'; $db->sql_query($sql); @@ -339,7 +339,7 @@ function change_topic_type($action, $topic_ids) // Get away with those topics already being a global announcement by re-calculating $topic_ids $sql = 'SELECT topic_id FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_ids) . ') + WHERE ' . $db->sql_in_set('topic_id', $topic_ids) . ' AND forum_id <> 0'; $result = $db->sql_query($sql); 
@@ -354,18 +354,18 @@ function change_topic_type($action, $topic_ids) { // Delete topic shadows for global announcements $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE topic_moved_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_moved_id', $topic_ids); $db->sql_query($sql); $sql = 'UPDATE ' . TOPICS_TABLE . " SET topic_type = $new_topic_type, forum_id = 0 - WHERE topic_id IN (" . implode(', ', $topic_ids) . ')'; + WHERE " . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); // Update forum_ids for all posts $sql = 'UPDATE ' . POSTS_TABLE . ' SET forum_id = 0 - WHERE topic_id IN (' . implode(', ', $topic_ids) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_ids); $db->sql_query($sql); sync('forum', 'forum_id', $forum_id); @@ -640,7 +640,7 @@ function mcp_delete_post($post_ids) $sql = 'SELECT DISTINCT topic_id FROM ' . POSTS_TABLE . ' - WHERE post_id IN (' . implode(', ', $post_ids) . ')'; + WHERE ' . $db->sql_in_set('post_id', $post_ids); $result = $db->sql_query($sql); $topic_id_list = array(); @@ -663,7 +663,7 @@ function mcp_delete_post($post_ids) $sql = 'SELECT COUNT(topic_id) AS topics_left FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $topic_id_list) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_id_list); $result = $db->sql_query_limit($sql, 1); $deleted_topics = ($row = $db->sql_fetchrow($result)) ? ($affected_topics - $row['topics_left']) : $affected_topics; diff --git a/phpBB/includes/mcp/mcp_notes.php b/phpBB/includes/mcp/mcp_notes.php index 0f716f5f9e..cc4ed0e72b 100755 --- a/phpBB/includes/mcp/mcp_notes.php +++ b/phpBB/includes/mcp/mcp_notes.php @@ -106,7 +106,7 @@ class mcp_notes { $sql_in[] = $mark; } - $where_sql = ' AND log_id IN (' . implode(', ', $sql_in) . ')'; + $where_sql = ' AND ' . $db->sql_in_set('log_id', $sql_in); unset($sql_in); } diff --git a/phpBB/includes/mcp/mcp_queue.php b/phpBB/includes/mcp/mcp_queue.php index 25fdc0a90a..95e89fa9dc 100644 
--- a/phpBB/includes/mcp/mcp_queue.php +++ b/phpBB/includes/mcp/mcp_queue.php @@ -251,10 +251,10 @@ class mcp_queue if (sizeof($post_ids)) { $sql = 'SELECT t.topic_id, t.topic_title, t.forum_id, p.post_id, p.post_subject, p.post_username, p.poster_id, p.post_time, u.username - FROM ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . " u - WHERE p.post_id IN (" . implode(', ', $post_ids) . ") + FROM ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . ' u + WHERE ' . $db->sql_in_set('p.post_id', $post_ids) . ' AND t.topic_id = p.topic_id - AND u.user_id = p.poster_id"; + AND u.user_id = p.poster_id'; $result = $db->sql_query($sql); $post_data = $rowset = array(); @@ -306,7 +306,7 @@ class mcp_queue // Select the names for the forum_ids $sql = 'SELECT forum_id, forum_name FROM ' . FORUMS_TABLE . ' - WHERE forum_id IN (' . implode(',', $forum_names) . ')'; + WHERE ' . $db->sql_in_set('forum_id', $forum_names); $result = $db->sql_query($sql, 3600); $forum_names = array(); @@ -449,7 +449,7 @@ function approve_post($post_id_list, $mode) { $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_approved = 1 - WHERE topic_id IN (' . implode(', ', $topic_approve_sql) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $topic_approve_sql); $db->sql_query($sql); } @@ -457,7 +457,7 @@ function approve_post($post_id_list, $mode) { $sql = 'UPDATE ' . POSTS_TABLE . ' SET post_approved = 1 - WHERE post_id IN (' . implode(', ', $post_approve_sql) . ')'; + WHERE ' . $db->sql_in_set('post_id', $post_approve_sql); $db->sql_query($sql); } diff --git a/phpBB/includes/mcp/mcp_reports.php b/phpBB/includes/mcp/mcp_reports.php index be4502e23e..a52bc02359 100755 --- a/phpBB/includes/mcp/mcp_reports.php +++ b/phpBB/includes/mcp/mcp_reports.php @@ -191,9 +191,10 @@ class mcp_reports $forum_id = $topic_info['forum_id']; } + $forum_list = array(); + if (!$forum_id) { - $forum_list = array(); foreach ($forum_list_reports as $row) { $forum_list[] = $row['forum_id']; 
@@ -201,14 +202,14 @@ class mcp_reports $global_id = $forum_list[0]; - if (!($forum_list = implode(', ', $forum_list))) + if (!sizeof($forum_list)) { trigger_error('NOT_MODERATOR'); } $sql = 'SELECT SUM(forum_topics) as sum_forum_topics - FROM ' . FORUMS_TABLE . " - WHERE forum_id IN ($forum_list)"; + FROM ' . FORUMS_TABLE . ' + WHERE ' . $db->sql_in_set('forum_id', $forum_list); $result = $db->sql_query($sql); $forum_info['forum_topics'] = (int) $db->sql_fetchfield('sum_forum_topics'); $db->sql_freeresult($result); @@ -223,11 +224,11 @@ class mcp_reports } $forum_info = $forum_info[$forum_id]; - $forum_list = $forum_id; + $forum_list = array($forum_id); $global_id = $forum_id; } - $forum_list .= ', 0'; + $forum_list[] = 0; $forum_data = array(); $forum_options = '<option value="0"' . (($forum_id == 0) ? ' selected="selected"' : '') . '>' . $user->lang['ALL_FORUMS'] . '</option>'; @@ -256,8 +257,8 @@ class mcp_reports } $sql = 'SELECT r.report_id - FROM ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . REPORTS_TABLE . ' r ' . (($sort_order_sql[0] == 'u') ? ', ' . USERS_TABLE . ' u' : '') . (($sort_order_sql[0] == 'r') ? ', ' . USERS_TABLE . ' ru' : '') . " - WHERE p.forum_id IN ($forum_list) + FROM ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . REPORTS_TABLE . ' r ' . (($sort_order_sql[0] == 'u') ? ', ' . USERS_TABLE . ' u' : '') . (($sort_order_sql[0] == 'r') ? ', ' . USERS_TABLE . ' ru' : '') . ' + WHERE ' . $db->sql_in_set('p.forum_id', $forum_list) . " $report_state AND r.post_id = p.post_id " . (($sort_order_sql[0] == 'u') ? 'AND u.user_id = p.poster_id' : '') . ' 
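Review bot: `$global_id = $forum_list[0];` in the `-201,14` hunk runs before the new `if (!sizeof($forum_list))` guard, so an empty list is indexed, raising a notice, just before `trigger_error('NOT_MODERATOR')` is reached. Moving the guard above the assignment fixes the order: first `if (!sizeof($forum_list)) { trigger_error('NOT_MODERATOR'); }`, then `$global_id = $forum_list[0];`. The method's body extends beyond the hunk.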
@@ -280,12 +281,12 @@ class mcp_reports if (sizeof($report_ids)) { $sql = 'SELECT t.forum_id, t.topic_id, t.topic_title, p.post_id, p.post_subject, p.post_username, p.poster_id, p.post_time, u.username, r.user_id as reporter_id, ru.username as reporter_name, r.report_time, r.report_id - FROM ' . REPORTS_TABLE . ' r, ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . ' u, ' . USERS_TABLE . " ru - WHERE r.report_id IN (" . implode(', ', $report_ids) . ") + FROM ' . REPORTS_TABLE . ' r, ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . ' u, ' . USERS_TABLE . ' ru + WHERE ' . $db->sql_in_set('r.report_id', $report_ids) . ' AND t.topic_id = p.topic_id AND r.post_id = p.post_id AND u.user_id = p.poster_id - AND ru.user_id = r.user_id"; + AND ru.user_id = r.user_id'; $result = $db->sql_query($sql); $report_data = $rowset = array(); @@ -387,7 +388,7 @@ function close_report($post_id_list, $mode, $action) $sql = 'SELECT r.post_id, r.report_closed, r.user_id, r.user_notify, u.username, u.user_email, u.user_jabber, u.user_lang, u.user_notify_type FROM ' . REPORTS_TABLE . ' r, ' . USERS_TABLE . ' u - WHERE r.post_id IN (' . implode(',', array_keys($post_info)) . ') + WHERE ' . $db->sql_in_set('r.post_id', array_keys($post_info)) . ' ' . (($action == 'close') ? 'AND r.report_closed = 0' : '') . ' AND r.user_id = u.user_id'; $result = $db->sql_query($sql); @@ -421,9 +422,9 @@ function close_report($post_id_list, $mode, $action) // Get a list of topics that still contain reported posts $sql = 'SELECT DISTINCT topic_id FROM ' . POSTS_TABLE . ' - WHERE topic_id IN (' . implode(', ', $close_report_topics) . ') + WHERE ' . $db->sql_in_set('topic_id', $close_report_topics) . ' AND post_reported = 1 - AND post_id NOT IN (' . implode(', ', $close_report_posts) . ')'; + AND ' . $db->sql_in_set('post_id', $close_report_posts, true); $result = $db->sql_query($sql); $keep_report_topics = array(); 
@@ -442,25 +443,25 @@ function close_report($post_id_list, $mode, $action) { $sql = 'UPDATE ' . REPORTS_TABLE . ' SET report_closed = 1 - WHERE post_id IN (' . implode(', ', $close_report_posts) . ')'; + WHERE ' . $db->sql_in_set('post_id', $close_report_posts); } else { $sql = 'DELETE FROM ' . REPORTS_TABLE . ' - WHERE post_id IN (' . implode(', ', $close_report_posts) . ')'; + WHERE ' . $db->sql_in_set('post_id', $close_report_posts); } $db->sql_query($sql); $sql = 'UPDATE ' . POSTS_TABLE . ' SET post_reported = 0 - WHERE post_id IN (' . implode(', ', $close_report_posts) . ')'; + WHERE ' . $db->sql_in_set('post_id', $close_report_posts); $db->sql_query($sql); if (sizeof($close_report_topics)) { $sql = 'UPDATE ' . TOPICS_TABLE . ' SET topic_reported = 0 - WHERE topic_id IN (' . implode(', ', $close_report_topics) . ')'; + WHERE ' . $db->sql_in_set('topic_id', $close_report_topics); $db->sql_query($sql); } diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index 94e4d94d04..6aa78d091f 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -410,12 +410,11 @@ class bbcode_firstpass extends bbcode switch (strtolower($stx)) { case 'php': - $code = trim($code); $remove_tags = false; $code = str_replace(array('<', '>'), array('<', '>'), $code); - if (!preg_match('/^\<\?.*?\?\>/is', $code)) + if (!preg_match('/\<\?.*?\?\>/is', $code)) { $remove_tags = true; $code = "<?php $code ?>"; @@ -438,7 +437,7 @@ class bbcode_firstpass extends bbcode { $str_from[] = '<span class="syntaxdefault"><?php </span>'; $str_to[] = ''; - $str_from[] = '<span class="syntaxdefault"><?php '; + $str_from[] = '<span class="syntaxdefault"><?php '; $str_to[] = '<span class="syntaxdefault">'; } 
@@ -453,6 +452,12 @@ class bbcode_firstpass extends bbcode $code = preg_replace('#^<span class="[a-z]+"><span class="([a-z]+)">(.*)</span></span>#s', '<span class="$1">$2</span>', $code); $code = preg_replace('#(?:[\n\r\s\t]| )*</span>$#', '</span>', $code); + // remove newline at the end + if (!empty($code) && $code{strlen($code)-1} == "\n") + { + $code = substr($code, 0, -1); + } + $out .= "[code=$stx:" . $this->bbcode_uid . ']' . $code . '[/code:' . $this->bbcode_uid . ']'; break; @@ -1303,7 +1308,7 @@ class parse_message extends bbcode_firstpass // Get the data from the attachments $sql = 'SELECT attach_id, physical_filename, real_filename, extension, mimetype, filesize, filetime, thumbnail FROM ' . ATTACHMENTS_TABLE . ' - WHERE attach_id IN (' . implode(', ', array_keys($attach_ids)) . ') + WHERE ' . $db->sql_in_set('attach_id', array_keys($attach_ids)) . ' AND poster_id = ' . $check_user_id; $result = $db->sql_query($sql); @@ -1332,8 +1337,8 @@ class parse_message extends bbcode_firstpass include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx); $sql = 'SELECT attach_id - FROM ' . ATTACHMENTS_TABLE . " - WHERE LOWER(physical_filename) IN ('" . implode("', '", array_map('strtolower', $filenames)) . "')"; + FROM ' . ATTACHMENTS_TABLE . ' + WHERE ' . $db->sql_in_set('LOWER(physical_filename)', array_map('strtolower', $filenames)); $result = $db->sql_query_limit($sql, 1); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); diff --git a/phpBB/includes/search/fulltext_mysql.php b/phpBB/includes/search/fulltext_mysql.php index 0b12e7cea9..827e13676d 100644 --- a/phpBB/includes/search/fulltext_mysql.php +++ b/phpBB/includes/search/fulltext_mysql.php 
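Review bot: The added newline check in the `-453,6` hunk indexes the string with `$code{strlen($code)-1}`; curly-brace offsets were deprecated in PHP 7.4 and removed in PHP 8.0, so this line is a parse error on current interpreters. `if (substr($code, -1) === "\n")` performs the same test without the offset syntax and without the separate `!empty($code)` guard. The enclosing `case` branch starts outside the hunk.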
@@ -312,19 +312,19 @@ class fulltext_mysql extends search_backend } else { - $m_approve_fid_sql = ' AND (p.post_approved = 1 OR p.forum_id NOT IN (' . implode(', ', $m_approve_fid_ary) . '))'; + $m_approve_fid_sql = ' AND (p.post_approved = 1 OR ' . $db->sql_in_set('p.forum_id', $m_approve_fid_ary, true) . ')'; } $sql_select = (!$result_count) ? 'SQL_CALC_FOUND_ROWS ' : ''; $sql_select = ($type == 'posts') ? $sql_select . 'p.post_id' : 'DISTINCT ' . $sql_select . 't.topic_id'; $sql_from = ($join_topic) ? TOPICS_TABLE . ' t, ' : ''; $field = ($type == 'posts') ? 'post_id' : 'topic_id'; - $sql_author = (sizeof($author_ary) == 1) ? ' = ' . $author_ary[0] : 'IN (' . implode(',', $author_ary) . ')'; + $sql_author = (sizeof($author_ary) == 1) ? ' = ' . $author_ary[0] : 'IN (' . implode(', ', $author_ary) . ')'; $sql_where_options = $sql_sort_join; $sql_where_options .= ($topic_id) ? ' AND p.topic_id = ' . $topic_id : ''; $sql_where_options .= ($join_topic) ? ' AND t.topic_id = p.topic_id' : ''; - $sql_where_options .= (sizeof($ex_fid_ary)) ? ' AND p.forum_id NOT IN (' . implode(',', $ex_fid_ary) . ')' : ''; + $sql_where_options .= (sizeof($ex_fid_ary)) ? ' AND ' . $db->sql_in_set('p.forum_id', $ex_fid_ary, true) : ''; $sql_where_options .= $m_approve_fid_sql; $sql_where_options .= (sizeof($author_ary)) ? ' AND p.poster_id ' . $sql_author : ''; $sql_where_options .= ($sort_days) ? ' AND p.post_time >= ' . (time() - ($sort_days * 86400)) : ''; 
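Review bot: `$sql_author` in the `-312,19` hunk is the one list here still assembled by hand: the changed line only switches the `implode()` separator from `','` to `', '`, and `$author_ary` is interpolated with no cast visible in the hunk. To match the `$ex_fid_ary` and `$m_approve_fid_ary` lines beside it, build it as `$sql_author = (sizeof($author_ary)) ? ' AND ' . $db->sql_in_set('p.poster_id', $author_ary) : '';` and append it with `$sql_where_options .= $sql_author;`. Whether the caller has already integer-cast `$author_ary`, and whether `$sql_author` is read elsewhere in the method, cannot be seen from this hunk.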
@@ -451,8 +451,8 @@ class fulltext_mysql extends search_backend $id_ary = array(); // Create some display specific sql strings - $sql_author = 'p.poster_id ' . ((sizeof($author_ary) > 1) ? 'IN (' . implode(',', $author_ary) . ')' : '= ' . $author_ary[0]); - $sql_fora = (sizeof($ex_fid_ary)) ? ' AND p.forum_id NOT IN (' . implode(',', $ex_fid_ary) . ')' : ''; + $sql_author = $db->sql_in_set('p.poster_id', $author_ary); + $sql_fora = (sizeof($ex_fid_ary)) ? ' AND ' . $db->sql_in_set('p.forum_id', $ex_fid_ary, true) : ''; $sql_topic_id = ($topic_id) ? ' AND p.topic_id = ' . (int) $topic_id : ''; $sql_time = ($sort_days) ? ' AND p.post_time >= ' . (time() - ($sort_days * 86400)) : ''; @@ -487,7 +487,7 @@ class fulltext_mysql extends search_backend } else { - $m_approve_fid_sql = ' AND (p.post_approved = 1 OR p.forum_id IN (' . implode($m_approve_fid_ary) . '))'; + $m_approve_fid_sql = ' AND (p.post_approved = 1 OR ' . $db->sql_in_set('p.forum_id', $m_approve_fid_ary) . ')'; } // If the cache was completely empty count the results diff --git a/phpBB/includes/search/fulltext_native.php b/phpBB/includes/search/fulltext_native.php index 679ab3127e..bbe7542571 100755 --- a/phpBB/includes/search/fulltext_native.php +++ b/phpBB/includes/search/fulltext_native.php @@ -142,15 +142,9 @@ class fulltext_native extends search_backend if (sizeof($exact_words)) { - // we can match exact words with one IN - foreach ($exact_words as $i => $word) - { - $exact_words[$i] = '\'' . $db->sql_escape($word) . '\''; - } - $sql = 'SELECT word_id, word_text, word_common FROM ' . SEARCH_WORDLIST_TABLE . ' - WHERE word_text ' . ((sizeof($exact_words) > 1) ? 'IN (' . implode(', ', $exact_words) . ')' : '= ' . $exact_words[0]); + WHERE ' . $db->sql_in_set('word_text', $exact_words); $result = $db->sql_query($sql); // store an array of words and ids, remove common words 
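Review bot: Dropping the `sql_escape()` loop over `$exact_words` (hunk at -142) makes `sql_in_set()` the only escaping between search terms and the `word_text` comparison, and its definition is not part of the visible diff. Confirm that it quotes and escapes every string element and handles a one-element array, which the old code special-cased. The same reliance applies to `$unique_add_words` (-1015) and `$word_ary` (-1082) in this file, `$sql_in` in ucp_register.php (-375) and `$data['add']` in ucp_zebra.php (-97). A comment above the query, `// sql_in_set() escapes string values; do not pre-escape`, would keep a later edit from removing or doubling the escape.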
@@ -419,7 +413,7 @@ class fulltext_native extends search_backend } } - $sql_where[] = (sizeof($word_ids) > 1) ? "m$m_num.word_id IN (" . implode(', ', $word_ids) . ')' : "m$m_num.word_id = {$word_ids[0]}"; + $sql_where[] = $db->sql_in_set("m$m_num.word_id", $word_ids); unset($word_id_sql); unset($word_ids); @@ -473,7 +467,7 @@ class fulltext_native extends search_backend { $sql_array['LEFT_JOIN'][] = array( 'FROM' => array(SEARCH_WORDMATCH_TABLE => 'm' . $m_num), - 'ON' => ((sizeof($this->must_not_contain_ids) > 1) ? "m$m_num.word_id IN (" . implode(', ', $this->must_not_contain_ids) . ')' : "m$m_num.word_id = " . $this->must_not_contain_ids[0]) . (($title_match) ? "m$m_num.$title_match" : '') . " AND m$m_num.post_id = m0.post_id" + 'ON' => $db->sql_in_set("m$m_num.word_id", $this->must_not_contain_ids) . (($title_match) ? "m$m_num.$title_match" : '') . " AND m$m_num.post_id = m0.post_id" ); $sql_where[] = "m$m_num.word_id IS NULL"; @@ -514,7 +508,7 @@ class fulltext_native extends search_backend } else if ($m_approve_fid_ary !== array(-1)) { - $sql_where[] = '(p.post_approved = 1 OR p.forum_id ' . ((sizeof($m_approve_fid_ary) == 1) ? '= ' . $m_approve_fid_ary[0] : 'NOT IN (' . implode(', ', $m_approve_fid_ary) . ')' ) . ')'; + $sql_where[] = '(p.post_approved = 1 OR ' . $db->sql_in_set('p.forum_id', $m_approve_fid_ary) . ')'; } if ($topic_id) @@ -524,12 +518,12 @@ class fulltext_native extends search_backend if (sizeof($author_ary)) { - $sql_where[] = 'p.poster_id ' . ((sizeof($author_ary) == 1) ? ' = ' . $author_ary[0] : 'IN (' . implode(',', $author_ary) . ')'); + $sql_where[] = $db->sql_in_set('p.poster_id', $author_ary); } if (sizeof($ex_fid_ary)) { - $sql_where[] = 'p.forum_id ' . ((sizeof($ex_fid_ary) == 1) ? '<> ' . $ex_fid_ary[0] : 'NOT IN (' . implode(',', $ex_fid_ary) . ')'); + $sql_where[] = $db->sql_in_set('p.forum_id', $ex_fid_ary, true); } if ($sort_days) 
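Review bot: In the `LEFT_JOIN` entry (hunk at -473) the rewritten `'ON'` expression still appends `"m$m_num.$title_match"` directly after the `sql_in_set()` result with no ` AND ` between them. When `$title_match` is non-empty the clause would run the two conditions together; this is inferred from the concatenation, since `$title_match` is assigned outside the hunk. If it holds a bare condition, the fragment should be `(($title_match) ? " AND m$m_num.$title_match" : '')`. The old line had the same shape, so the conversion was a good moment to fix it.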
@@ -696,8 +690,8 @@ class fulltext_native extends search_backend $id_ary = array(); // Create some display specific sql strings - $sql_author = 'p.poster_id ' . ((sizeof($author_ary) > 1) ? 'IN (' . implode(',', $author_ary) . ')' : '= ' . $author_ary[0]); - $sql_fora = (sizeof($ex_fid_ary)) ? ' AND p.forum_id ' . ((sizeof($ex_fid_ary) == 1) ? '<> ' . $ex_fid_ary[0] : 'NOT IN (' . implode(',', $ex_fid_ary) . ')') : ''; + $sql_author = $db->sql_in_set('p.poster_id', $author_ary); + $sql_fora = (sizeof($ex_fid_ary)) ? ' AND ' . $db->sql_in_set('p.forum_id', $ex_fid_ary, true) : ''; $sql_time = ($sort_days) ? ' AND p.post_time >= ' . (time() - ($sort_days * 86400)) : ''; $sql_topic_id = ($topic_id) ? ' AND p.topic_id = ' . (int) $topic_id : ''; @@ -732,7 +726,7 @@ class fulltext_native extends search_backend } else { - $m_approve_fid_sql = ' AND (p.post_approved = 1 OR p.forum_id ' . ((sizeof($m_approve_fid_ary) == 1) ? '= ' . $m_approve_fid_ary[0] : 'IN (' . implode($m_approve_fid_ary) . ')' ) . ')'; + $m_approve_fid_sql = ' AND (p.post_approved = 1 OR ' . $db->sql_in_set('p.forum_id', $m_approve_fid_ary) . ')'; } $select = ($type == 'posts') ? 'p.post_id' : 't.topic_id'; @@ -1015,8 +1009,8 @@ class fulltext_native extends search_backend if (sizeof($unique_add_words)) { $sql = 'SELECT word_id, word_text - FROM ' . SEARCH_WORDLIST_TABLE . " - WHERE word_text IN ('" . implode("','", array_map(array(&$db, 'sql_escape'), $unique_add_words)) . "')"; + FROM ' . SEARCH_WORDLIST_TABLE . ' + WHERE ' . $db->sql_in_set('word_text', $unique_add_words); $result = $db->sql_query($sql); $word_ids = array(); @@ -1026,7 +1020,7 @@ class fulltext_native extends search_backend } $db->sql_freeresult($result); - $new_words = array_map(array(&$db, 'sql_escape'), array_diff($unique_add_words, array_keys($word_ids))); + $new_words = array_diff($unique_add_words, array_keys($word_ids)); if (sizeof($new_words)) { 
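Review bot: `$new_words` loses its `sql_escape()` pass in the hunk at -1026 (`array_diff($unique_add_words, array_keys($word_ids))`), but the code that writes those words sits below `if (sizeof($new_words))`, outside the hunk. Unless that insert escapes each word itself, indexed post text would reach the statement unescaped. Either include the consumer in this change or keep the escape until it is converted. A comment such as `// raw words: the insert below must escape them` would make the contract visible.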
@@ -1066,7 +1060,7 @@ class fulltext_native extends search_backend } $sql = 'DELETE FROM ' . SEARCH_WORDMATCH_TABLE . ' - WHERE word_id IN (' . implode(', ', $sql_in) . ') + WHERE ' . $db->sql_in_set('word_id', $sql_in) . ' AND post_id = ' . intval($post_id) . " AND title_match = $title_match"; $db->sql_query($sql); @@ -1082,8 +1076,8 @@ class fulltext_native extends search_backend { $sql = 'INSERT INTO ' . SEARCH_WORDMATCH_TABLE . " (post_id, word_id, title_match) SELECT $post_id, word_id, $title_match - FROM " . SEARCH_WORDLIST_TABLE . " - WHERE word_text IN ('" . implode("','", array_map(array(&$db, 'sql_escape'), $word_ary)) . "')"; + FROM " . SEARCH_WORDLIST_TABLE . ' + WHERE ' . $db->sql_in_set('word_text', $word_ary); $db->sql_query($sql); } } @@ -1119,12 +1113,14 @@ class fulltext_native extends search_backend { global $db; - $sql = 'DELETE FROM ' . SEARCH_WORDMATCH_TABLE . ' - WHERE post_id IN (' . implode(', ', $post_ids) . ')'; - $db->sql_query($sql); + if (sizeof($post_ids)) + { + $sql = 'DELETE FROM ' . SEARCH_WORDMATCH_TABLE . ' + WHERE ' . $db->sql_in_set('post_id', $post_ids); + $db->sql_query($sql); + } // SEARCH_WORDLIST_TABLE will be updated by tidy() - $this->destroy_cache(array(), $author_ids); } 
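Review bot: The `INSERT ... SELECT` in the hunk at -1082 interpolates `$post_id` directly (`SELECT $post_id, word_id, $title_match`), whereas the `DELETE` at -1066 wraps the same variable in `intval($post_id)`. Unless the value is cast earlier in the function, which starts outside these hunks, use `(int) $post_id` in the `INSERT` too so both statements treat it the same way. The new `if (sizeof($post_ids))` guard at -1119 suggests `sql_in_set()` should not be handed an empty array, so it is worth confirming that `$sql_in` and `$word_ary` are guarded the same way above these queries.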
@@ -1156,42 +1152,39 @@ class fulltext_native extends search_backend HAVING COUNT(word_id) > ' . floor($config['num_posts'] * 0.6); $result = $db->sql_query($sql); - if ($row = $db->sql_fetchrow($result)) + $sql_in = array(); + while ($row = $db->sql_fetchrow($result)) { - $sql_in = array(); - do - { - $sql_in[] = $row['word_id']; - } - while ($row = $db->sql_fetchrow($result)); - - $sql_in = implode(', ', $sql_in); + $sql_in[] = $row['word_id']; + } + $db->sql_freeresult($result); + if (sizeof($sql_in)) + { // Get the text of those new common words $sql = 'SELECT word_text - FROM ' . SEARCH_WORDLIST_TABLE . " - WHERE word_id IN ($sql_in)"; + FROM ' . SEARCH_WORDLIST_TABLE . ' + WHERE ' . $db->sql_in_set('word_id', $sql_in); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) { $destroy_cache_words[] = $row['word_text']; } + $db->sql_freeresult($result); // Flag the words - $sql = 'UPDATE ' . SEARCH_WORDLIST_TABLE . " + $sql = 'UPDATE ' . SEARCH_WORDLIST_TABLE . ' SET word_common = 1 - WHERE word_id IN ($sql_in)"; + WHERE ' . $db->sql_in_set('word_id', $sql_in); $db->sql_query($sql); // Delete the matches - $sql = 'DELETE FROM ' . SEARCH_WORDMATCH_TABLE . " - WHERE word_id IN ($sql_in)"; + $sql = 'DELETE FROM ' . SEARCH_WORDMATCH_TABLE . ' + WHERE ' . $db->sql_in_set('word_id', $sql_in); $db->sql_query($sql); - - unset($sql_in); } - $db->sql_freeresult($result); + unset($sql_in); } // destroy cached search results containing any of the words that are now common or were removed diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 7514d070e5..46785158a5 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
@@ -131,7 +131,7 @@ class session * @todo Introduce further user types, bot, guest * @todo Change user_type (as above) to a bitfield? user_type & USER_FOUNDER for example */ - function session_begin($update_session_page = true, $loose_validation = false) + function session_begin($update_session_page = true) { global $phpEx, $SID, $_SID, $db, $config, $phpbb_root_path; @@ -658,33 +658,30 @@ class session GROUP BY session_user_id, session_page'; $result = $db->sql_query_limit($sql, 5); - $del_user_id = ''; + $del_user_id = array(); $del_sessions = 0; - if ($row = $db->sql_fetchrow($result)) + + while ($row = $db->sql_fetchrow($result)); { - do + if ($row['session_user_id'] != ANONYMOUS) { - if ($row['session_user_id'] != ANONYMOUS) - { - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_lastvisit = ' . $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' - WHERE user_id = " . $row['session_user_id']; - $db->sql_query($sql); - } - - $del_user_id .= (($del_user_id != '') ? ', ' : '') . (int) $row['session_user_id']; - $del_sessions++; + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_lastvisit = ' . $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' + WHERE user_id = " . $row['session_user_id']; + $db->sql_query($sql); } - while ($row = $db->sql_fetchrow($result)); + + $del_user_id[] = (int) $row['session_user_id']; + $del_sessions++; } $db->sql_freeresult($result); - if ($del_user_id) + if (sizeof($del_user_id)) { // Delete expired sessions - $sql = 'DELETE FROM ' . SESSIONS_TABLE . " - WHERE session_user_id IN ($del_user_id) - AND session_time < " . ($this->time_now - $config['session_length']); + $sql = 'DELETE FROM ' . SESSIONS_TABLE . ' + WHERE ' . $db->sql_in_set('session_user_id', $del_user_id) . ' + AND session_time < ' . ($this->time_now - $config['session_length']); $db->sql_query($sql); } 
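Review bot: The new loop header in the hunk at -658 ends in a semicolon, `while ($row = $db->sql_fetchrow($result));`, so the loop body is empty and the braces that follow run exactly once, after the result set is exhausted and `$row` no longer holds a row. No fetched session gets its `user_lastvisit` and `user_lastpage` written back or its id collected. Instead the block runs on empty fields: it appends `0` to `$del_user_id` and, unless the `ANONYMOUS` comparison happens to match, builds an `UPDATE` with blank values, so the expired sessions selected above are never purged. Remove the semicolon: `while ($row = $db->sql_fetchrow($result))`. The enclosing method starts outside the hunk.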
diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php index 1943db0190..9ac929fcea 100644 --- a/phpBB/includes/ucp/ucp_groups.php +++ b/phpBB/includes/ucp/ucp_groups.php @@ -318,7 +318,7 @@ class ucp_groups $sql_and = ($auth->acl_gets('a_group', 'a_groupadd', 'a_groupdel')) ? '<> ' . GROUP_SPECIAL : 'NOT IN (' . GROUP_SPECIAL . ', ' . GROUP_HIDDEN . ')'; $sql = 'SELECT group_id, group_name, group_desc, group_desc_uid, group_desc_bitfield, group_desc_options, group_type FROM ' . GROUPS_TABLE . ' - WHERE group_id NOT IN (' . implode(', ', $group_id_ary) . ") + WHERE ' . $db->sql_in_set('group_id', $group_id_ary, true) . ") AND group_type $sql_and ORDER BY group_type DESC, group_name"; $result = $db->sql_query($sql); diff --git a/phpBB/includes/ucp/ucp_main.php b/phpBB/includes/ucp/ucp_main.php index e0c51204ed..8936a7728b 100644 --- a/phpBB/includes/ucp/ucp_main.php +++ b/phpBB/includes/ucp/ucp_main.php @@ -65,7 +65,7 @@ class ucp_main if (sizeof($forum_ary)) { - $sql .= ' AND forum_id NOT IN ( ' . implode(', ', $forum_ary) . ')'; + $sql .= ' AND ' . $db->sql_in_set('forum_id', $forum_ary); } $result = $db->sql_query_limit($sql, 1); $g_forum_id = (int) $db->sql_fetchfield('forum_id'); 
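Review bot: The string that follows the new `sql_in_set()` call in ucp_groups.php still begins with the closing parenthesis of the old hand-written list, `. ") AND group_type $sql_and`. If `sql_in_set()` emits its own parentheses, as every other converted query in this diff assumes, the statement gets an unmatched `)`. The continuation should start `. " AND group_type $sql_and`. Whether `$group_id_ary` can be empty at this point is decided outside the hunk.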
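Review bot: The conversion in ucp_main.php at -65 inverts the filter. The old line excluded the listed forums (`forum_id NOT IN (...)`), but the new call omits the third argument that the rest of the diff passes for the negated form, so the query now selects only those forums. It should read `$sql .= ' AND ' . $db->sql_in_set('forum_id', $forum_ary, true);`. How `$forum_ary` is built is outside the hunk; if it holds forums the user may not read, as the old `NOT IN` suggests, `$g_forum_id` would be picked from exactly those.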
@@ -186,27 +186,27 @@ class ucp_main if ($unwatch) { - $forums = (isset($_POST['f'])) ? implode(', ', array_map('intval', array_keys($_POST['f']))) : false; - $topics = (isset($_POST['t'])) ? implode(', ', array_map('intval', array_keys($_POST['t']))) : false; + $forums = (isset($_POST['f'])) ? array_map('intval', array_keys($_POST['f'])) : array(); + $topics = (isset($_POST['t'])) ? array_map('intval', array_keys($_POST['t'])) : array(); - if ($forums || $topics) + if (sizeof($forums) || sizeof($topics)) { $l_unwatch = ''; - if ($forums) + if (sizeof($forums)) { - $sql = 'DELETE FROM ' . FORUMS_WATCH_TABLE . " - WHERE forum_id IN ($forums) - AND user_id = " . $user->data['user_id']; + $sql = 'DELETE FROM ' . FORUMS_WATCH_TABLE . ' + WHERE ' . $db->sql_in_set('forum_id', $forums) . ' + AND user_id = ' . $user->data['user_id']; $db->sql_query($sql); $l_unwatch .= '_FORUMS'; } - if ($topics) + if (sizeof($topics)) { - $sql = 'DELETE FROM ' . TOPICS_WATCH_TABLE . " - WHERE topic_id IN ($topics) - AND user_id = " . $user->data['user_id']; + $sql = 'DELETE FROM ' . TOPICS_WATCH_TABLE . ' + WHERE ' . $db->sql_in_set('topic_id', $topics) . ' + AND user_id = ' . $user->data['user_id']; $db->sql_query($sql); $l_unwatch .= '_TOPICS'; @@ -511,7 +511,7 @@ class ucp_main { $sql = 'DELETE FROM ' . BOOKMARKS_TABLE . ' WHERE user_id = ' . $user->data['user_id'] . ' - AND topic_id IN (' . implode(', ', $topics) . ')'; + AND ' . $db->sql_in_set('topic_id', $topics); $db->sql_query($sql); // Re-Order bookmarks (possible with one query? This query massaker is not really acceptable...) 
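Review bot: `isset($_POST['f'])` and `isset($_POST['t'])` also accept a scalar, and `array_keys()` on a non-array raises a warning (a `TypeError` on PHP 8) before `array_map('intval', ...)` runs. Check the type as well: `$forums = (isset($_POST['f']) && is_array($_POST['f'])) ? array_map('intval', array_keys($_POST['f'])) : array();`, and likewise for `$topics`. The `$drafts` assignment in the hunk at -620 has the same gap behind `!empty($_POST['d'])`.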
@@ -620,13 +620,13 @@ class ucp_main if ($delete) { - $drafts = (isset($_POST['d'])) ? implode(', ', array_map('intval', array_keys($_POST['d']))) : ''; + $drafts = (!empty($_POST['d'])) ? array_map('intval', array_keys($_POST['d'])) : array(); - if ($drafts) + if (sizeof($drafts)) { - $sql = 'DELETE FROM ' . DRAFTS_TABLE . " - WHERE draft_id IN ($drafts) - AND user_id = " .$user->data['user_id']; + $sql = 'DELETE FROM ' . DRAFTS_TABLE . ' + WHERE ' . $db->sql_in_set('draft_id', $drafts) . ' + AND user_id = ' . $user->data['user_id']; $db->sql_query($sql); $message = $user->lang['DRAFTS_DELETED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); @@ -634,6 +634,8 @@ class ucp_main meta_refresh(3, $this->u_action); trigger_error($message); } + + unset($drafts); } if ($submit && $edit) @@ -701,7 +703,7 @@ class ucp_main { $sql = 'SELECT topic_id, forum_id, topic_title FROM ' . TOPICS_TABLE . ' - WHERE topic_id IN (' . implode(',', array_unique($topic_ids)) . ')'; + WHERE ' . $db->sql_in_set('topic_id', array_unique($topic_ids)); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php index 27a9735d35..ff95bfc307 100644 --- a/phpBB/includes/ucp/ucp_pm_compose.php +++ b/phpBB/includes/ucp/ucp_pm_compose.php @@ -663,7 +663,7 @@ function compose_pm($id, $mode, $action) { $sql = 'SELECT user_id as id, username as name, user_colour as colour FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', array_map('intval', array_keys($address_list['u']))) . ')'; + WHERE ' . $db->sql_in_set('user_id', array_map('intval', array_keys($address_list['u']))); $result['u'] = $db->sql_query($sql); } 
@@ -672,7 +672,7 @@ function compose_pm($id, $mode, $action) $sql = 'SELECT group_id as id, group_name as name, group_colour as colour, group_type FROM ' . GROUPS_TABLE . ' WHERE group_receive_pm = 1 - AND group_id IN (' . implode(', ', array_map('intval', array_keys($address_list['g']))) . ')'; + AND ' . $db->sql_in_set('group_id', array_map('intval', array_keys($address_list['g']))); $result['g'] = $db->sql_query($sql); } @@ -894,7 +894,7 @@ function handle_message_list_actions(&$address_list, $remove_u, $remove_g, $add_ { $sql = 'SELECT user_id FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $user_id_ary) . ') + WHERE ' . $db->sql_in_set('user_id', $user_id_ary) . ' AND user_allow_pm = 1'; $result = $db->sql_query($sql); diff --git a/phpBB/includes/ucp/ucp_pm_viewfolder.php b/phpBB/includes/ucp/ucp_pm_viewfolder.php index ef245e9d11..91a44c31c1 100644 --- a/phpBB/includes/ucp/ucp_pm_viewfolder.php +++ b/phpBB/includes/ucp/ucp_pm_viewfolder.php @@ -133,15 +133,15 @@ function view_folder($id, $mode, $folder_id, $folder) { $sql = 'SELECT user_id as id, username as name, user_colour as colour FROM ' . USERS_TABLE . ' - WHERE user_id'; + WHERE '; } else { $sql = 'SELECT group_id as id, group_name as name, group_colour as colour, group_type FROM ' . GROUPS_TABLE . ' - WHERE group_id'; + WHERE '; } - $sql .= ' IN (' . implode(', ', array_map('intval', array_keys($recipient_list[$ug_type]))) . ')'; + $sql .= $db->sql_in_set(($ug_type == 'u') ? 'user_id' : 'group_id', array_map('intval', array_keys($recipient_list[$ug_type]))); $result = $db->sql_query($sql); 
@@ -277,15 +277,15 @@ function view_folder($id, $mode, $folder_id, $folder) { $sql = 'SELECT user_id as id, username as name FROM ' . USERS_TABLE . ' - WHERE user_id'; + WHERE '; } else { $sql = 'SELECT group_id as id, group_name as name FROM ' . GROUPS_TABLE . ' - WHERE group_id'; + WHERE '; } - $sql .= ' IN (' . implode(', ', array_map('intval', array_keys($address[$message_id][$ug_type]))) . ')'; + $sql .= $db->sql_in_set(($ug_type == 'u') ? 'user_id' : 'group_id', array_map('intval', array_keys($address[$message_id][$ug_type]))); $result = $db->sql_query($sql); diff --git a/phpBB/includes/ucp/ucp_pm_viewmessage.php b/phpBB/includes/ucp/ucp_pm_viewmessage.php index 620bc9701f..4a399d847d 100644 --- a/phpBB/includes/ucp/ucp_pm_viewmessage.php +++ b/phpBB/includes/ucp/ucp_pm_viewmessage.php @@ -134,7 +134,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row) { $sql = 'UPDATE ' . ATTACHMENTS_TABLE . ' SET download_count = download_count + 1 - WHERE attach_id IN (' . implode(', ', array_unique($update_count)) . ')'; + WHERE ' . $db->sql_in_set('attach_id', array_unique($update_count)); $db->sql_query($sql); } } diff --git a/phpBB/includes/ucp/ucp_profile.php b/phpBB/includes/ucp/ucp_profile.php index 52f17a8048..d757d6e14d 100644 --- a/phpBB/includes/ucp/ucp_profile.php +++ b/phpBB/includes/ucp/ucp_profile.php @@ -153,7 +153,7 @@ class ucp_profile $sql = 'SELECT user_id, username, user_email, user_lang, user_jabber, user_notify_type FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $admin_ary[0]['a_user']) .')'; + WHERE ' . $db->sql_in_set('user_id', $admin_ary[0]['a_user']); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) 
@@ -585,7 +585,11 @@ class ucp_profile // Delete old avatar if present if ($user->data['user_avatar'] && $filename != $user->data['user_avatar'] && $user->data['user_avatar_type'] != AVATAR_GALLERY) { - avatar_delete($user->data['user_avatar']); + // Check if the users avatar is actually a group avatar + if (strpos($user->data['user_avatar'], 'g' . $user->data['group_id'] . '_') !== 0 && strpos($user->data['user_avatar'], $user->data['user_id'] . '_') === 0) + { + avatar_delete($user->data['user_avatar']); + } } } diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php index 620b388f99..01b92125ac 100644 --- a/phpBB/includes/ucp/ucp_register.php +++ b/phpBB/includes/ucp/ucp_register.php @@ -323,7 +323,7 @@ class ucp_register $sql = 'SELECT user_id, username, user_email, user_lang, user_jabber, user_notify_type FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $admin_ary[0]['a_user']) .')'; + WHERE ' . $db->sql_in_set('user_id', $admin_ary[0]['a_user']); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) @@ -375,12 +375,12 @@ class ucp_register $sql_in = array(); do { - $sql_in[] = "'" . $db->sql_escape($row['session_id']) . "'"; + $sql_in[] = (string) $row['session_id']; } while ($row = $db->sql_fetchrow($result)); $sql = 'DELETE FROM ' . CONFIRM_TABLE . ' - WHERE session_id NOT IN (' . implode(', ', $sql_in) . ') + WHERE ' . $db->sql_in_set('session_id', $sql_in, true) . ' AND confirm_type = ' . CONFIRM_REG; $db->sql_query($sql); } diff --git a/phpBB/includes/ucp/ucp_resend.php b/phpBB/includes/ucp/ucp_resend.php index 0e59c7560c..84ce3fe9b7 100644 --- a/phpBB/includes/ucp/ucp_resend.php +++ b/phpBB/includes/ucp/ucp_resend.php 
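Review bot: The comment on the new guard says it checks whether the avatar "is actually a group avatar", but the condition tests ownership: `avatar_delete()` runs only when the filename starts with `$user->data['user_id'] . '_'`. The first clause (not starting with `'g' . group_id . '_'`) cannot change the result, because a name that starts with the numeric user id cannot also start with `g`. I would reduce it to `if (strpos($user->data['user_avatar'], $user->data['user_id'] . '_') === 0)` with the comment `// only delete files this user uploaded; group avatars are shared`. The enclosing method starts outside the hunk.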
@@ -105,7 +105,7 @@ class ucp_resend $sql = 'SELECT user_id, username, user_email, user_lang, user_jabber, user_notify_type FROM ' . USERS_TABLE . ' - WHERE user_id IN (' . implode(', ', $admin_ary[0]['a_user']) .')'; + WHERE ' . $db->sql_in_set('user_id', $admin_ary[0]['a_user']); $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) diff --git a/phpBB/includes/ucp/ucp_zebra.php b/phpBB/includes/ucp/ucp_zebra.php index fb9925e248..2cf6edcac4 100644 --- a/phpBB/includes/ucp/ucp_zebra.php +++ b/phpBB/includes/ucp/ucp_zebra.php @@ -97,13 +97,11 @@ class ucp_zebra unset($friends, $foes, $n); - $data['add'] = implode(', ', preg_replace('#^(.*?)$#', "'$1'", array_map(array(&$db, 'sql_escape'), $data['add']))); - - if ($data['add']) + if (sizeof($data['add'])) { $sql = 'SELECT user_id, user_type FROM ' . USERS_TABLE . ' - WHERE LOWER(username) IN (' . $data['add'] . ') + WHERE ' . $db->sql_in_set('LOWER(username)', $data['add']) . ' AND user_type <> ' . USER_INACTIVE; $result = $db->sql_query($sql); @@ -197,7 +195,7 @@ class ucp_zebra $sql = 'DELETE FROM ' . ZEBRA_TABLE . ' WHERE user_id = ' . $user->data['user_id'] . ' - AND zebra_id IN (' . implode(', ', $data['usernames']) . ')'; + AND ' . $db->sql_in_set('zebra_id', $data['usernames']); $db->sql_query($sql); } |