From a2753123d144fff4e0f762e6dcd5a8c090ddcb55 Mon Sep 17 00:00:00 2001 From: Oliver Date: Wed, 14 Jun 2023 21:15:01 +0200 Subject: [PATCH] Makes LIKE compatible with Prepared SQL Statements --- www/includes/forum.inc.php | 26 +-- www/includes/stockbroker.inc.php | 368 +++++++++++++++---------------- 2 files changed, 193 insertions(+), 201 deletions(-) diff --git a/www/includes/forum.inc.php b/www/includes/forum.inc.php index ecb1d9b..2f9aab7 100644 --- a/www/includes/forum.inc.php +++ b/www/includes/forum.inc.php @@ -609,29 +609,20 @@ static function markasunread($comment_id) { if($rs['rights'] < USER_SPECIAL) { - $sql = - " - REPLACE INTO comments_unread (user_id, comment_id) - SELECT - id, - ".$comment_id." - - + $sql = "REPLACE INTO comments_unread (user_id, comment_id) + SELECT id, ".$comment_id." FROM user - - WHERE user.usertype >= ".$rs['rights']." + WHERE user.usertype >= ? AND (UNIX_TIMESTAMP(lastlogin)+".USER_OLD_AFTER.") > UNIX_TIMESTAMP(NOW()) - AND forum_boards_unread LIKE '%".$rs['board']."%' - " + AND forum_boards_unread LIKE CONCAT('%', ?, '%')" /*AND ISNULL( SELECT tignore.thread_id, tignore.user_id FROM comments_threads_ignore tignore WHERE tignore.thread_id = ".$rs['thread_id']." AND tignore.user_id = user.id )*/ - ; - $data = $db->fetch($db->query($sql, __FILE__, __LINE__)); + $data = $db->fetch($db->query($sql, __FILE__, __LINE__, __METHOD__, [$rs['rights'], $rs['board']])); } else { $sql = " @@ -1380,9 +1371,10 @@ static function getQueryString($qstr='') { * * @TODO implement $keyword highlighting in ouput via $smarty->display() * - * @version 1.1 + * @version 2.1 * @since 1.0 Method added * @since 2.0 `07.03.2020` `IneX` Code optimizations + * @since 2.1 `14.06.2023` `IneX` SQL-Query optimizations * * @param string $keyword Search-Text for LIKE %...% search * @return void 
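Review bot: In the rewritten `markasunread` query, `$comment_id` is still concatenated into the SELECT list (`SELECT id, ".$comment_id." FROM user`) while `$rs['rights']` and `$rs['board']` were moved to placeholders, so the statement is only partially parameterized. Unless every caller guarantees an integer, bind it as well: `SELECT id, ? FROM user` with `[$comment_id, $rs['rights'], $rs['board']]` (or at minimum `(int)$comment_id` at the top of the method). Note also that `LIKE CONCAT('%', ?, '%')` keeps `%` and `_` inside `$rs['board']` as wildcards and, if `forum_boards_unread` is a delimited list of ids, board `1` will also match `10` or `21` — pre-existing behaviour, not introduced here, but the new placeholder form does not change it. The method body continues past the hunk (the `else` branch and the remainder of the function are outside it).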
@@ -1393,9 +1385,9 @@ static function printSearchedComments($keyword) $sql = 'SELECT id, text, UNIX_TIMESTAMP(date) as date FROM comments - WHERE text LIKE "%'.$keyword.'%" + WHERE text LIKE CONCAT("%", ?, "%") ORDER by date DESC'; - $result = $db->query($sql, __FILE__, __LINE__, __METHOD__); + $result = $db->query($sql, __FILE__, __LINE__, __METHOD__, [$keyword]); $num = $db->num($result); if ($num > 0) { diff --git a/www/includes/stockbroker.inc.php b/www/includes/stockbroker.inc.php index 073734d..d88c62e 100644 --- a/www/includes/stockbroker.inc.php +++ b/www/includes/stockbroker.inc.php @@ -24,47 +24,47 @@ * @since 1.0 class added */ class Stockbroker { - + function buyStock($user_id, $symbol, $menge, $max) { global $db; - + if($user_id < 1) { echo '$user_id ist ungültig'; return false; } - + if(!isset($symbol)) { echo '$_POST[\'symbol\'] ist nicht gesetzt.'; return false; } - + if($menge < 1 && !$max) { echo 'Du musst eine Menge grösser als 0 festlegen. ('.$menge.') oder max setzen.'; return false; } - + $symbol = strtoupper($symbol); // müsste eigentlich nicht hier sein, aber um sicher zu gehen... // neuen Preis grabben - Stockbroker::updateKurs($symbol); - + Stockbroker::updateKurs($symbol); + // Kurs holen $kurs = Stockbroker::getKurs($symbol); - + if(!is_numeric($kurs)) { echo 'Konnte keinen Kurs nicht finden für '.$_POST['symbol']; return false; } - + if($max) { $menge = floor(Stockbroker::getBargeld($user_id)/$kurs); } else if(Stockbroker::getBargeld($user_id) < ($menge * $kurs)) { echo 'Du hast gar nicht soviel Geld! ('.Stockbroker::getBargeld($user_id).' < '.($menge * $kurs).')'; return false; } - + // Handel vollziehen -------------------------------------------------------- - $sql = + $sql = " INSERT INTO stock_trades (tag, zeit, user_id, symbol, menge, action, kurs) 
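Review bot: `CONCAT("%", ?, "%")` in `printSearchedComments` closes the injection, but `$keyword` still carries LIKE metacharacters: a search for `%` or `_` (or an empty string) matches every comment, and an unpaired `\` alters the pattern. If the keyword is user-supplied search text, escape it before binding: `WHERE text LIKE ?` with `[ '%'.addcslashes($keyword, '\\%_').'%' ]` (backslash is MySQL's default LIKE escape character unless `NO_BACKSLASH_ESCAPES` is set). Rejecting an empty keyword up front would also avoid the unintended full-table match. The rest of the function (the result loop) lies outside the hunk.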
@@ -80,13 +80,13 @@ function buyStock($user_id, $symbol, $menge, $max) { " ; $db->query($sql, __FILE__, __LINE__); - + return true; } - + function changeWarning($user_id, $symbol, $comparison, $kurs) { global $db; - $sql = + $sql = " REPLACE INTO stock_warnings (user_id, symbol, comparison, kurs) @@ -101,14 +101,14 @@ function changeWarning($user_id, $symbol, $comparison, $kurs) { $db->query($sql, __FILE__, __LINE__); return true; } - + function getBargeld($user_id) { global $db; $sql = " - SELECT + SELECT (1000+SUM(if(action='buy', -(menge*kurs), +(menge*kurs)))) AS bargeld - FROM + FROM stock_trades WHERE user_id = '".$user_id."' @@ -117,16 +117,16 @@ function getBargeld($user_id) { ; $rs = $db->fetch($db->query($sql, __FILE__, __LINE__)); return $rs['bargeld']; - + } - + function getKurs($symbol) { global $db; - $sql = + $sql = " SELECT kurs - FROM + FROM stock_quotes sq WHERE symbol = '".$symbol."' ORDER BY tag DESC, zeit DESC @@ -136,18 +136,18 @@ function getKurs($symbol) { $rs = $db->fetch($db->query($sql, __FILE__, __LINE__)); return $rs['kurs']; } - + /* function getKurseNeuste() { global $db; - $sql = + $sql = " SELECT sq.symbol , sq.kurs , sq.zeit , si.company - FROM + FROM stock_quotes sq LEFT JOIN stock_items si ON (si.symbol = sq.symbol) ORDER BY tag DESC, zeit DESC @@ -155,44 +155,44 @@ function getKurseNeuste() { " ; $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $kurse[] = $rs; } - + return $kurse; } */ - + function getStocksOldest() { global $db; - $sql = + $sql = " - SELECT + SELECT symbol - FROM + FROM stock_items ORDER BY kurs_last_updated DESC LIMIT 0,3 " ; $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $stocks[] = $rs['symbol']; } return $stocks; } - + function getStocksTraded() { global $db; - $sql = + $sql = " - SELECT + SELECT symbol - FROM + FROM stock_trades - GROUP BY + GROUP BY symbol " ; 
@@ -203,7 +203,7 @@ function getStocksTraded() { return $stocks; } - + /** * Holt sich die neusten (nicht die heutigen) Kurse eines Wertpapiers. * @@ -222,10 +222,10 @@ function issueStockWarnings($symbol, $kurs) { global $db, $notification; - $sql = 'SELECT - * - FROM - stock_warnings + $sql = 'SELECT + * + FROM + stock_warnings WHERE symbol = "'.$symbol.'"'; $result = $db->query($sql, __FILE__, __LINE__, __METHOD__); @@ -241,7 +241,7 @@ function issueStockWarnings($symbol, $kurs) 59 , $rs['user_id'] , '[Stockbroker] Warning: '.$symbol - , + , 'Stock Information für '.$symbol.'' .'
' .$symbol.' ist '.$rs['comparison'].' '.$rs['kurs'].' (aktueller Kurs: '.$kurs.')' @@ -252,17 +252,17 @@ function issueStockWarnings($symbol, $kurs) $notification_status = $notification->send($rs['user_id'], 'stockbroker', ['from_user_id'=>BARBARA_HARRIS, 'subject'=>t('message-subject', 'stockbroker'), 'text'=>$notification_text, 'message'=>$notification_text]); if (DEVELOPMENT) error_log(sprintf('[DEBUG] <%s:%d> Notification status "%s" for $symbol %s to user %d', __METHOD__, __LINE__, ($notification_status===true?'true':'false'), $symbol, $rs['user_id'])); - $sql = 'DELETE - FROM stock_warnings - WHERE - user_id = '.$rs['user_id'].' - AND symbol = "'.$symbol.'" + $sql = 'DELETE + FROM stock_warnings + WHERE + user_id = '.$rs['user_id'].' + AND symbol = "'.$symbol.'" AND comparison = "'.$rs['comparison'].'"'; $db->query($sql, __FILE__, __LINE__, __METHOD__); } } - } - + } + /** * Holt sich die neusten (nicht die heutigen) Kurse eines Wertpapiers. * @@ -271,23 +271,23 @@ function issueStockWarnings($symbol, $kurs) */ function getSymbol($symbol) { global $db; - $sql = + $sql = " SELECT * - FROM + FROM stock_items si LEFT JOIN stock_quotes sq ON (sq.symbol = si.symbol AND sq.tag = (SELECT MAX(tag) FROM stock_quotes WHERE symbol = sq.symbol)) - WHERE + WHERE si.symbol = '".$symbol."' " ; return $db->fetch($db->query($sql, __FILE__, __LINE__)); } - + function searchstocks($searchstring) { global $db; - $sql = + $sql = " SELECT si.symbol 
@@ -298,30 +298,30 @@ function searchstocks($searchstring) { , sq.kurs , sq.proz_steigerung , sq.kurs_gestern - FROM + FROM stock_items si LEFT JOIN stock_quotes sq ON (sq.symbol = si.symbol AND tag = (SELECT max(tag) from stock_quotes WHERE symbol = sq.symbol)) - WHERE - si.symbol LIKE '%".$searchstring."%' + WHERE + si.symbol LIKE CONCAT('%', ?, '%') OR - si.company LIKE '%".$searchstring."%' + si.company LIKE CONCAT('%', ?, '%') " ; - - $result = $db->query($sql, __FILE__, __LINE__); - + + $result = $db->query($sql, __FILE__, __LINE__, __METHOD__, [$searchstring, $searchstring]); + while($rs = $db->fetch($result)) { $stocks[] = $rs; } - + return $stocks; } - + function getTodaysWinners() { - + global $db; - - $sql = + + $sql = " SELECT * @@ -332,19 +332,19 @@ function getTodaysWinners() { " ; $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $kurse[] = $rs; } - + return $kurse; } - + function getTodaysLosers() { - + global $db; - - $sql = + + $sql = " SELECT * @@ -355,56 +355,56 @@ function getTodaysLosers() { " ; $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $kurse[] = $rs; } - + return $kurse; } - + function getStocksOwned($user_id) { global $db; - $sql = + $sql = " SELECT symbol , SUM(if(action='buy', menge, -menge)) AS amount - FROM + FROM stock_trades WHERE user_id = '".$user_id."' GROUP BY user_id, symbol " ; - + $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $ownedstocks[] = $rs; } - + return $ownedstocks; } - + /* function getCurrentProperty($user_id) { global $db; - $sql = + $sql = " SELECT * - FROM + FROM stock_trades st WHERE user_id = '".$user_id."' " ; - + $result = $db->query($sql, __FILE__, __LINE__); - + $assets['Bargeld'] = 1000; // Anfangsvermögen - + while($rs = $db->fetch($result)) { if($rs['action'] == 'buy') { $assets['Bargeld'] -= $rs['menge'] * $rs['kurs']; 
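Review bot: The two `CONCAT('%', ?, '%')` patterns in `searchstocks` bind `$searchstring` safely, but `%`, `_` and `\` inside it are still interpreted by LIKE, so a one-character search such as `_` or `%` returns the whole `stock_items` table joined against `stock_quotes`. Escape once and bind the same value twice: `$pattern = '%'.addcslashes($searchstring, '\\%_').'%';` with `si.symbol LIKE ?` / `si.company LIKE ?` and `[$pattern, $pattern]`. Separately, `$stocks` is only assigned inside the `while` loop, so a search with no hits returns `null` rather than an empty array — pre-existing, but `$stocks = [];` before the loop would be a cheap fix while the function is being touched. The other `$symbol` queries in this file (`getKurs`, `getSymbol`, `updateKurs`) remain string-concatenated and appear in this commit only as whitespace hunks; the prepared-statement path exercised here would apply to them as well.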
@@ -414,23 +414,23 @@ function getCurrentProperty($user_id) { $assets[$rs['symbol']] -= $rs['menge']; } } - + return $assets; }*/ - + function getKursBought($user_id, $symbol) { global $db; $sql = " - SELECT + SELECT kurs - FROM + FROM stock_trades WHERE action='buy' AND symbol = '".$symbol."' - AND + AND user_id = ".$user_id." ORDER by tag DESC, zeit DESC LIMIT 0,1 @@ -439,18 +439,18 @@ function getKursBought($user_id, $symbol) { $rs = $db->fetch($db->query($sql, __FILE__, __LINE__)); return $rs['kurs']; } - + function getMengeOwned($user_id, $symbol) { global $db; $sql = " - SELECT + SELECT SUM(if(action='buy', menge, -menge)) AS amount - FROM + FROM stock_trades WHERE symbol = '".$symbol."' - AND + AND user_id = ".$user_id." GROUP BY user_id " 
@@ -458,86 +458,86 @@ function getMengeOwned($user_id, $symbol) { $rs = $db->fetch($db->query($sql, __FILE__, __LINE__)); return $rs['amount']; } - - + + function getHighscore() { global $db, $user; - - $sql = + + $sql = " - SELECT DISTINCT - + SELECT DISTINCT + user_id - + , FLOOR( - 1000 + + 1000 + ( ( - SUM(IF (ACTION = 'sell', (menge * st.kurs), 0 )) + SUM(IF (ACTION = 'sell', (menge * st.kurs), 0 )) - SUM(IF (ACTION = 'buy', (menge * st.kurs), 0 )) ) - - + - + + + + ( - SUM(IF (ACTION = 'buy', (menge * sq.kurs), 0 )) - - SUM(IF (ACTION = 'sell', (menge * sq.kurs), 0 )) + SUM(IF (ACTION = 'buy', (menge * sq.kurs), 0 )) + - SUM(IF (ACTION = 'sell', (menge * sq.kurs), 0 )) ) ) ) AS betrag - + FROM stock_trades st - - LEFT JOIN stock_quotes sq - ON ( - sq.tag = (SELECT MAX(tag) FROM stock_quotes WHERE symbol = st.symbol) - AND - sq.symbol = st.symbol + + LEFT JOIN stock_quotes sq + ON ( + sq.tag = (SELECT MAX(tag) FROM stock_quotes WHERE symbol = st.symbol) + AND + sq.symbol = st.symbol ) - + GROUP BY user_id ORDER BY betrag DESC " ; - + $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $highscore[] = $rs; } - + return $highscore; } - + function getYesterdaysMosttraded() { global $db; - - $sql = + + $sql = " SELECT symbol, sum(menge*kurs) AS menge - FROM `stock_trades` - WHERE tag = DATE_SUB(now(), INTERVAL 1 DAY) - GROUP BY symbol + FROM `stock_trades` + WHERE tag = DATE_SUB(now(), INTERVAL 1 DAY) + GROUP BY symbol ORDER by menge desc " ; - + $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { if($rs['menge'] > 0) $stocks[] = $rs; } - + return $stocks; } - + function getWarnings($user_id) { global $db; - - $sql = + + $sql = " SELECT * - FROM `stock_warnings` + FROM `stock_warnings` WHERE user_id = '".$user_id."' ORDER by symbol ASC " 
@@ -548,12 +548,12 @@ function getWarnings($user_id) { } return $warnings; } - - + + function getStocklist($anzahl, $page) { global $db; - - $sql = + + $sql = " SELECT si.symbol @@ -561,7 +561,7 @@ function getStocklist($anzahl, $page) { , sq.kurs , sq.tag , sq.zeit - FROM + FROM stock_items si LEFT JOIN stock_quotes sq ON (sq.symbol = si.symbol AND tag = (SELECT max(tag) from stock_quotes WHERE symbol = sq.symbol)) ORDER BY si.symbol ASC @@ -569,22 +569,22 @@ function getStocklist($anzahl, $page) { " ; $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $stocklist[] = $rs; } - + return $stocklist; } - + function getTrades($user_id) { global $db; - - $sql = + + $sql = " SELECT * - FROM + FROM stock_trades st WHERE user_id = '".$user_id."' @@ -592,47 +592,47 @@ function getTrades($user_id) { " ; $result = $db->query($sql, __FILE__, __LINE__); - + while($rs = $db->fetch($result)) { $trades[] = $rs; } - + return $trades; } - + function sellStock($user_id, $symbol, $menge, $max) { global $db; - + if(!isset($symbol)) { echo '$symbol ist nicht gesetzt.'; return false; } - + if($menge < 1 && !$max) { echo 'Du musst eine Menge grösser als 0 festlegen. ('.$menge.') oder max setzen.'; return false; } - + $symbol = strtoupper($symbol); // müsste eigentlich nicht hier sein, aber um sicher zu gehen... // neuen Preis grabben - Stockbroker::updateKurs($symbol); + Stockbroker::updateKurs($symbol); $kurs = Stockbroker::getKurs($symbol); - + if(!is_numeric($kurs)) { echo 'Konnte keinen Kurs finden für '.$symbol; return false; } - + if($max) { $menge = Stockbroker::getMengeOwned($user_id, $symbol); } else if($menge > Stockbroker::getMengeOwned($user_id, $symbol)) { echo 'Du kannst gar nicht soviel verkaufen!'; return false; } - + // Handel vollziehen -------------------------------------------------------- - $sql = + $sql = " INSERT INTO stock_trades (tag, zeit, user_id, symbol, menge, action, kurs) 
@@ -648,43 +648,43 @@ function sellStock($user_id, $symbol, $menge, $max) { " ; $db->query($sql, __FILE__, __LINE__); - + return true; } - - + + function updateKurs($symbol) { - + if($symbol == '') return false; - + $symbol = strtoupper($symbol); - + global $db; //link machen $source = "http://finance.yahoo.com/q?s=".$symbol; $html = join("",file($source)); //unnützi war löschä $html = strip_tags(str_replace(" "," ",$html)," "); - + //kurs ermittlä $pattern = "(Last\sTrade:(\d+\.\d+)<\/b>)"; preg_match_all($pattern,$html,$out); - + //checkä öbs klapt hät if(isset($out[1][0])) { $kurs = trim($out[1][0]); - + if($kurs > 0) { - + $rs = $db->fetch($db->query( "SELECT * FROM stock_quotes where symbol = '".$symbol."' AND tag = DATE_SUB(now(), INTERVAL 1 DAY)" , __FILE__ , __LINE__ )); - + $sql = " - REPLACE INTO - stock_quotes (symbol, kurs, zeit, tag, kurs_gestern, proz_steigerung) + REPLACE INTO + stock_quotes (symbol, kurs, zeit, tag, kurs_gestern, proz_steigerung) VALUES ( '".$symbol."' @@ -696,19 +696,19 @@ function updateKurs($symbol) { ) "; $db->query($sql,__FILE__,__LINE__); - - $sql = + + $sql = " UPDATE stock_items - SET kurs_last_updated = now() + SET kurs_last_updated = now() WHERE symbol = '".$symbol."' " ; $db->query($sql,__FILE__,__LINE__); - + Stockbroker::issueStockWarnings($symbol, $kurs); - + return true; } else { /* @@ -737,11 +737,11 @@ function updateKurs($symbol) { return false; } } - + function update_orders($symbol) { - + $source = "http://finance.yahoo.com/q/ecn?s="; - + $html = join("",file($source.$symbol)); $html = strip_tags($html,"
"); $html = str_replace(" ","",$html); @@ -749,10 +749,10 @@ function update_orders($symbol) { $html = substr($html,strpos($html,"Bid Orders")); $html = substr($html,0,strpos($html,"Add to Portfolio")); $array = explode("",$html); - + $c = 0; $d = 0; - + //echo count($array); $i = 0; for($i = 4;$i"; $d++; } - + } $bez = array("","price","volume","institution"); $key_new = 0; @@ -778,19 +778,19 @@ function update_orders($symbol) { if(is_numeric($ar[1])) { foreach($ar as $kk => $vv) { $orders[$typ][$key_new][$bez[$kk]] = $vv; - - //echo $key." ".$kk." = ".$vv."
"; + + //echo $key." ".$kk." = ".$vv."
"; } $key_new++; } else { $w = TRUE; $key_new = 0; - + } //echo "

"; - + } return $orders; - + } }