Replace occurrences of deprecated `db_query` API
dregad opened this issue · 1 comments
dregad commented
In MantisBT 1.3, the db_query() function will be removed from the API (see mantisbt/mantisbt#128).
The following occurrences have been found in this plugin; they should be replaced by db_query_bound() calls:
pages/edit_xmpp_login.php:28:db_query( $query );
pages/change_can_xmpp_login.php:30: db_query( $query );
pages/change_can_xmpp_login.php:33: db_query( $query );
pages/change_xmpp_login.php:27:$res_user_name = db_query( $query_rep_user_name );
pages/change_xmpp_login.php:37: $res_xmpp_login = db_query( $query_xmpp_login );
pages/change_xmpp_login.php:42: db_query( $add_user_query );
pages/delete_proj_user.php:28:$res = db_query( $query );
pages/delete_proj_user.php:44:db_query( $query_upd_proj );
pages/config_custom_proj_user.php:30:$res = db_query( $query );
pages/config_custom_proj_user.php:77: $res = db_query( $query );
pages/config_custom_proj_user.php:122: $res = db_query( $query );
pages/config_custom_proj_user.php:126: $res_user = db_query( $query_user );
pages/config_custom_proj_user.php:141: $res_proj = db_query( $query_proj );
pages/add_xmpp_user.php:30: $res = db_query( $username_query );
pages/add_xmpp_user.php:35: db_query( $add_user_query );
pages/delete_xmpp_login.php:27:db_query( $query );
pages/add_custom_proj_user_page.php:50: $res = db_query( $query_proj );
pages/add_custom_proj_user_page.php:55: $res = db_query( $query );
pages/JabberNotifierSystem_API.php:38: $res_xmpp_login = db_query( $query_xmpp_login );
pages/JabberNotifierSystem_API.php:45: $res_user_name = db_query( $query_user_name );
pages/JabberNotifierSystem_API.php:59: $res_rep_user_name = db_query( $query_rep_user_name );
pages/JabberNotifierSystem_API.php:78: $res = db_query($query);
pages/config_xmpp_login.php:31:$res = db_query( $query );
pages/config_xmpp_login.php:75: $res = db_query( $query );
pages/config_xmpp_login.php:108: $res = db_query( $query );
pages/add_proj_user.php:32: db_query( $add_user_query );
pages/add_custom_proj_user.php:28:$res_proj_id = db_query( $query_proj_id );
pages/add_custom_proj_user.php:40:db_query( $res_query );
pages/delete_custom_proj_user.php:27:db_query( $query );
JabberNotifierSystem.php:254: $res_can_change = db_query( $query_can_change );
dregad commented
It's worth mentioning that simply replacing the function call is not sufficient; to avoid the risk of SQL injection attacks, any inline query parameters should be replaced by calls to db_param(), with the actual values passed separately in the array given to db_query_bound(). For example:
// Deprecated, unsafe form: $p_id is interpolated straight into the SQL text,
// so its content becomes part of the statement itself.
$t_query = "SELECT * FROM $table WHERE id = '$p_id'";
db_query($t_query);
Would become
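// db_param() emits the placeholder for a bound value. The value is supplied
// separately in the array, so the placeholder must not be wrapped in quotes.
// $table is an identifier and cannot be bound; it must never be derived from
// user input.
$t_query = "SELECT * FROM $table WHERE id = " . db_param();
db_query_bound( $t_query, array( $p_id ) );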