r89284 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r89283‎ \| r89284 \| r89285 >
Date:	20:32, 1 June 2011
Author:	kaldari
Status:	ok (Comments)
Tags:	todo
Comment:	changing some var names to reflect current naming, fixing some tabs, adding some comments
Modified paths:	/trunk/extensions/CentralNotice/CentralNotice.db.php (modified) (history) /trunk/extensions/CentralNotice/SpecialBannerListLoader.php (modified) (history) /trunk/extensions/CentralNotice/SpecialCentralNotice.php (modified) (history)

Diff [purge]

Index: trunk/extensions/CentralNotice/CentralNotice.db.php
—	—	@@ -11,6 +11,7 @@
12	12	/*
13	13	* Return campaigns in the system within given constraints
14	14	* By default returns enabled campaigns, if $enabled set to false, returns both enabled and disabled campaigns
	15	+ * @return an array of ids
15	16	*/
16	17	static function getCampaigns( $project = false, $language = false, $date = false, $enabled = true, $preferred = false, $location = false ) {
17	18	global $wgCentralDBname;
—	—	@@ -120,6 +121,8 @@
121	122
122	123	/*
123	124	* Given one or more campaign ids, return all banners bound to them
	125	+ * @param $campaigns An array of id numbers
	126	+ * @return a 2D array of banners with associated weights and settings
124	127	*/
125	128	static function selectBannersAssigned( $campaigns ) {
126	129	global $wgCentralDBname;
Index: trunk/extensions/CentralNotice/SpecialBannerListLoader.php
—	—	@@ -56,24 +56,24 @@
57	57	* Generate JSON for the specified site
58	58	*/
59	59	function getJsonList() {
60		~~- $templates = array();~~
	60	+ $banners = array();
61	61
62	62	// See if we have any preferred campaigns for this language and project
63		~~- $notices = CentralNoticeDB::getCampaigns( $this->project, $this->language, null, 1, 1, $this->location );~~
	63	+ $campaigns = CentralNoticeDB::getCampaigns( $this->project, $this->language, null, 1, 1, $this->location );
64	64
65	65	// Quick short circuit to show preferred campaigns
66		~~- if ( $notices ) {~~
	66	+ if ( $campaigns ) {
67	67	// Pull banners
68		~~- $templates = CentralNoticeDB::selectBannersAssigned( $notices );~~
	68	+ $banners = CentralNoticeDB::selectBannersAssigned( $campaigns );
69	69	}
70	70
71	71	// Didn't find any preferred banners so do an old style lookup
72		~~- if ( !$templates ) {~~
73		~~- $templates = CentralNotice::selectNoticeTemplates(~~
	72	+ if ( !$banners ) {
	73	+ $banners = CentralNotice::selectNoticeTemplates(
74	74	$this->project, $this->language, $this->location );
75	75	}
76	76
77		~~- return FormatJson::encode( $templates );~~
	77	+ return FormatJson::encode( $banners );
78	78	}
79	79
80	80	}
Index: trunk/extensions/CentralNotice/SpecialCentralNotice.php
—	—	@@ -1069,7 +1069,7 @@
1070	1070	* Lookup function for active banners under a given language/project/location. This function is
1071	1071	* called by SpecialBannerListLoader::getJsonList() in order to build the banner list JSON for
1072	1072	* each project.
1073		~~- * @return A 2D array of running banners with associated weights and settings~~
	1073	+ * @return a 2D array of running banners with associated weights and settings
1074	1074	*/
1075	1075	static function selectNoticeTemplates( $project, $language, $location = null ) {
1076	1076	global $wgCentralDBname;
—	—	@@ -1285,14 +1285,14 @@
1286	1286	* Lookup the ID for a campaign based on the campaign name
1287	1287	*/
1288	1288	public static function getNoticeId( $noticeName ) {
1289		~~- $dbr = wfGetDB( DB_SLAVE );~~
1290		~~- $eNoticeName = htmlspecialchars( $noticeName );~~
1291		~~- $row = $dbr->selectRow( 'cn_notices', 'not_id', array( 'not_name' => $eNoticeName ) );~~
1292		~~- if ( $row ) {~~
1293		~~- return $row->not_id;~~
1294		~~- } else {~~
1295		~~- return null;~~
1296		~~- }~~
	1289	+ $dbr = wfGetDB( DB_SLAVE );
	1290	+ $eNoticeName = htmlspecialchars( $noticeName );
	1291	+ $row = $dbr->selectRow( 'cn_notices', 'not_id', array( 'not_name' => $eNoticeName ) );
	1292	+ if ( $row ) {
	1293	+ return $row->not_id;
	1294	+ } else {
	1295	+ return null;
	1296	+ }
1297	1297	}
1298	1298
1299	1299	function getNoticeProjects( $noticeName ) {

Comments

#Comment by Brion VIBBER (talk | contribs) 19:40, 3 June 2011

This looks pretty wrong:

+		 $eNoticeName = htmlspecialchars( $noticeName );
		 $row = $dbr->selectRow( 'cn_notices', 'not_id', array( 'not_name' => $eNoticeName ) );

This looks to have actually regressed originally in r42333... where actually it was also wrong (calling mysql_real_escape_string() and then passing that into the wrappers for additional escaping). There seem to be a few other instances of using htmlspecialchars() on notice names before pass them into DB wrappers here; in getNoticeProjects, getNoticeLanguages, getNoticeCountries at least.

#Comment by Catrope (talk | contribs) 21:22, 3 June 2011

Believe it or not, all of their stuff is stored in the DB escaped for HTML. I already complained that this is a horrible idea before the last fundraiser, but I don't think anyone really listened.

#Comment by Brion VIBBER (talk | contribs) 17:51, 27 June 2011

Leaving a todo tag for the extra internal escaping stuff -- they'll get to it as maintenance cleanup later, it works for now and is safe, just confusing. :)

Status & tagging log

17:51, 27 June 2011 Brion VIBBER (talk | contribs) changed the tags for r89284 [added: todo]
17:51, 27 June 2011 Brion VIBBER (talk | contribs) changed the status of r89284 [removed: new added: ok]