commit c58ab04d1b2eb04b4521517b9b2cbcd0514f9078 from: mischa date: Wed Aug 24 13:04:16 2022 UTC change mysqli -> PDO, prepared statements commit - 258edc97f7211884ce460f8c5d443a242471f6bc commit + c58ab04d1b2eb04b4521517b9b2cbcd0514f9078 blob - 235d30c3d00146649b72b6ccb058f7196b6c4991 blob + 69c9fdaad0630ed2ef36234428def67541c94b4c
--- index.php
+++ index.php
@@ -3,7 +3,7 @@ require_once './conf.php';
 define("SHORTER_NAME", "shortr");
 define("SHORTER_VERSION", "v0.1");
-define("HASH_LENGTH", 4);
+define("HASH_LENGTH", 8);
 define("CHARSET", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
 $url = "";
@@ -11,19 +11,17 @@ $link = "";
 $callback = "NO";
 function db_connect() {
- if (!$mysqli = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME)) {
- return false;
- }
- return $mysqli;
+ $dbh = new PDO('mysql:host='. DB_HOST . ';dbname='. DB_NAME , DB_USER, DB_PASS);
+ return $dbh;
 }
-function count_urls($mysqli) {
- $count = mysqli_num_rows(mysqli_query($mysqli, "SELECT * FROM ". DB_TABLE));
- return $count;
+function count_urls($dbh) {
+ $sth = $dbh->query("SELECT id FROM ". DB_TABLE);
+ return $sth->fetchColumn();
 }
-function generate_short($url, $mysqli) {
- $url = mysqli_real_escape_string($mysqli, $url);
+function generate_short($url, $dbh) {
+
 if(!preg_match("/^((https?|ftp)[:\/\/].*\/{2,})/i",$url)) {
 return false;
 }
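Review bot: `count_urls` no longer returns a count: `SELECT id FROM <table>` followed by `fetchColumn()` yields the id of the first row (or `false` on an empty table), whereas the mysqli version returned the row count; use `$sth = $dbh->query("SELECT COUNT(*) FROM " . DB_TABLE); return (int) $sth->fetchColumn();` so callers keep receiving an integer. In `db_connect`, `new PDO(...)` throws `PDOException` on failure instead of returning `false` as the old code did, so any caller that tests the return value (not visible here) now gets an uncaught exception, whose message and trace can expose connection details depending on `display_errors` and `zend.exception_ignore_args`. The connection also relies on PDO's default error mode (silent before PHP 8.0, so a failed `prepare()` returns `false` and the following `bindParam()` fatals on a bool) and on emulated prepares with no connection charset; passing `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION`, `PDO::ATTR_EMULATE_PREPARES => false` and a `charset=` in the DSN (utf8mb4 below is assumed — match the table) makes errors explicit and sends the placeholders to the server. The `preg_match` guard is unchanged context, and generate_short's body continues into the next hunk.
```php
function db_connect() {
    try {
        return new PDO(
            'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
            DB_USER,
            DB_PASS,
            [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false,
            ]
        );
    } catch (PDOException $e) {
        // keep the pre-PDO contract: callers test for false
        error_log('db_connect: ' . $e->getMessage());
        return false;
    }
}
// … unchanged: count_urls, generate_short …
```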
@@ -35,30 +33,48 @@ function generate_short($url, $mysqli) {
 } else {
 $clientip = $_SERVER['REMOTE_ADDR'];
 }
- $result = mysqli_query($mysqli, "SELECT id FROM " . DB_TABLE . " WHERE url='$url'");
- if ($row = mysqli_fetch_assoc($result)) {
+
+
+ $sth = $dbh->prepare("SELECT id FROM " . DB_TABLE . " WHERE url=?");
+ $sth->bindParam(1, $url, PDO::PARAM_STR);
+ $sth->execute();
+ if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
 $hash = $row['id'];
 } else {
+
 $charset = str_shuffle(CHARSET);
 $hash = substr($charset, 0, HASH_LENGTH);
- while (mysqli_num_rows(mysqli_query($mysqli, "SELECT * FROM " . DB_TABLE . " WHERE id='$hash'")) > 0) {
+
+ $sth = $dbh->prepare("SELECT COUNT(*) FROM " . DB_TABLE . " WHERE id=?");
+ $sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+ $sth->execute();
+
+ while ($sth->fetchColumn() > 0) {
 $hash = substr($charset, 0, HASH_LENGTH);
+ $sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+ $sth->execute();
 }
- $result = mysqli_query($mysqli, "INSERT INTO " . DB_TABLE . " (id, url, ip, count) VALUES ('$hash', '$url', '$clientip', '0')");
- if (!mysqli_affected_rows($mysqli)) {
+
+ $sth = $dbh->prepare("INSERT INTO " . DB_TABLE . " (id, url, ip, count) VALUES (?, ?, ?, '0')");
+ $sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+ $sth->bindParam(2, $url, PDO::PARAM_STR);
+ $sth->bindParam(3, $clientip, PDO::PARAM_STR, 255);
+ if (!$sth->execute()) {
 print "FAILURE INSERTING\n";
 }
 }
 return $hash;
 }
-function find_short($hash, $mysqli) {
- $hash = mysqli_real_escape_string($mysqli, $hash);
- $result = mysqli_query($mysqli, "SELECT * FROM " . DB_TABLE . " WHERE id='$hash'");
- if ($row = mysqli_fetch_assoc($result)) {
+function find_short($hash, $dbh) {
+ $sth = $dbh->prepare("SELECT * FROM " . DB_TABLE . " WHERE id=?");
+ $sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+ $sth->execute();
+ if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
 $link = $row['url'];
- mysqli_query($mysqli, "UPDATE " . DB_TABLE . " SET count='" . 
($row['count'] + 1) . "' WHERE id='" . $row['id'] . "'");
-
+ $sth = $dbh->prepare("UPDATE " . DB_TABLE . " SET count = count + 1 WHERE id=?");
+ $sth->bindParam(1, $row['id'], PDO::PARAM_STR, HASH_LENGTH);
+ $sth->execute();
 } else {
 $link = false;
 }
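Review bot: On an id collision the new `while ($sth->fetchColumn() > 0)` loop never terminates: `$charset` is shuffled once before the loop, so each iteration re-binds the identical `$hash` and re-runs the same COUNT(*) query. The retry line inside the loop has to draw a fresh value, e.g. `$hash = substr(str_shuffle(CHARSET), 0, HASH_LENGTH);` (the explicit re-bind is then redundant, since `bindParam` already holds `$hash` by reference). `str_shuffle()` is also driven by a non-cryptographic generator and only ever produces HASH_LENGTH distinct characters, so ids are guessable; a `random_int()`-based pick of HASH_LENGTH characters from CHARSET, as sketched below, uses the full keyspace. Separately, the fourth `bindParam` argument (`HASH_LENGTH`, `255`) is the buffer length for OUT parameters and has no effect on input, and in `find_short` `bindParam(1, $row['id'], ...)` takes a reference into the fetched row — `bindValue` is the right call in both places. generate_short's body starts before this hunk and find_short's ends after it.
```php
// … unchanged: URL lookup, $clientip …
$sth = $dbh->prepare("SELECT COUNT(*) FROM " . DB_TABLE . " WHERE id=?");
do {
    $hash = '';
    for ($i = 0; $i < HASH_LENGTH; $i++) {
        $hash .= substr(CHARSET, random_int(0, strlen(CHARSET) - 1), 1);
    }
    $sth->bindValue(1, $hash, PDO::PARAM_STR);
    $sth->execute();
} while ($sth->fetchColumn() > 0);
// … unchanged: INSERT …
```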