bugfix: Made comment token clean-up work in PostgreSQL also (#826)

HQJaTu · Jari Turkia · web-flow · commit ba544f9839f7 · 2024-03-13T22:08:06.000+01:00
* bugfix: Made comment token clean-up work in PostgreSQL also

* feat: Improvement on comment token -cleanup

* feat: Improved serendipity_db_cast() to support unsigned. Using proper cast in autologin.

---------

Co-authored-by: Jari Turkia &lt;jmjt@jari.turkia.name&gt;
diff --git a/include/db/db.inc.php b/include/db/db.inc.php
@@ -183,4 +183,27 @@ function serendipity_db_implode($string, &$array, $type = 'int') {
     return $string;
 }
 
+/**
+ * @access public
+ * @param   string Database table column name
+ * @param   string Database column type
+ * @return  string Column CAST() to chosen database
+ */
+function serendipity_db_cast($columnName, $type) {
+    global $serendipity;
+
+    if (stristr($serendipity['dbType'], 'sqlite')) {
+        return $columnName;
+    }
+
+    // MySQL (and variants) have unsigned integer. ANSI SQL does not.
+    if ($type == 'unsigned') {
+        if (!stristr($serendipity['dbType'], 'mysqli'))
+            $type = 'integer';
+    }
+
+    // Adds explicits casting for ANSI SQL -compliant DBs, like mysql and postgresql.
+    return "cast($columnName as $type)";
+}
+
 /* vim: set sts=4 ts=4 expandtab : */
diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
@@ -19,9 +19,8 @@ function serendipity_checkCommentToken($token, $cid) {
 
     $goodtoken = false;
     if ($serendipity['useCommentTokens']) {
-        // Delete any comment tokens older than 1 week.
-        serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
-                              WHERE okey LIKE 'comment_%' AND name < " . (time() - 604800) );
+        serendipity_cleanCTokens();
+
         // Get the token for this comment id
         $tokencheck = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options
                                              WHERE okey = 'comment_" . (int)$cid . "' LIMIT 1", true, 'assoc');
@@ -964,16 +963,11 @@ function serendipity_insertComment($id, $commentInfo, $type = 'NORMAL', $source
 function serendipity_commentSubscriptionConfirm($hash) {
     global $serendipity;
 
-    // Delete possible current cookie. Also delete any confirmation hashs that smell like 3-week-old, dead fish.
-    if (stristr($serendipity['dbType'], 'sqlite')) {
-        $cast = "name";
-    } else {
-        // Adds explicits casting for mysql, postgresql and others.
-        $cast = "cast(name as integer)";
-    }
-
+    // Delete possible current cookie. Also delete any confirmation hashes that smell like dead fish.
+    $threeWeeksAgo = time() - 1814400;
+    $nameCast = serendipity_db_cast('name', 'integer');
     serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
-                                WHERE okey LIKE 'commentsub_%' AND $cast < (" . (time() - 1814400) . ")");
+                                WHERE okey LIKE 'commentsub_%' AND $nameCast < {$threeWeeksAgo}");
 
     $hashinfo = serendipity_db_query("SELECT value
                                         FROM {$serendipity['dbPrefix']}options
@@ -1226,15 +1220,27 @@ function serendipity_generateCToken($cid) {
 
     global $serendipity;
 
+    serendipity_cleanCTokens();
+
+    // Issue new comment moderation hash
     $ctoken = bin2hex(random_bytes(16));
-    
-        //Delete any comment tokens older than 1 week.
-        serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
-                              WHERE okey LIKE 'comment_%' AND name < " . (time() - 604800) );
+    serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}options (name, value, okey)
+                          VALUES ('" . time() . "', '" . $ctoken . "', 'comment_" . $cid ."')");
 
-        // Issue new comment moderation hash
-        serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}options (name, value, okey)
-                              VALUES ('" . time() . "', '" . $ctoken . "', 'comment_" . $cid ."')");
     return $ctoken;
-                              
+}
+
+/**
+ * Clean over week-old comment tokens from DB
+ *
+ * @return null
+ */
+function serendipity_cleanCTokens() {
+    global $serendipity;
+
+    //Delete any comment tokens older than 1 week.
+    $oneWeekAgo = time() - 604800;
+    $nameCast = serendipity_db_cast('name', 'integer');
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
+                          WHERE okey LIKE 'comment_%' AND $nameCast < {$oneWeekAgo}");
 }
diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php
@@ -445,19 +445,11 @@ function serendipity_issueAutologin($user) {
     
 
     // Delete possible current cookie. Also delete any autologin keys that smell like 3-week-old, dead fish.
-    if (stristr($serendipity['dbType'], 'sqlite')) {
-        $cast = "okey";
-    } elseif (stristr($serendipity['dbType'], 'mysqli')) {
-        // Adds explicit casting for mysql.
-        $cast = "cast(okey as unsigned)";
-    } else {
-        // Adds explicit casting for postgresql and others.
-        $cast = "cast(okey as integer)";
-    }
-
+    $threeWeeksAgo = time() - 1814400;
+    $okeyCast = serendipity_db_cast('okey', 'unsigned');
     serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options 
                                 WHERE name = 'autologin_" . serendipity_db_escape_string($user) . "'
-                                   OR (name LIKE 'autologin_%' AND $cast < " . (time() - 1814400) . ")");
+                                   OR (name LIKE 'autologin_%' AND $okeyCast < {$threeWeeksAgo}");
 
     // Issue new autologin cookie
     serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}options (name, value, okey) VALUES ('autologin_" . serendipity_db_escape_string($user) . "', '" . $rnd  . "', '" . time() . "')");
@@ -473,18 +465,14 @@ function serendipity_issueAutologin($user) {
 function serendipity_checkAutologin($user) {
     global $serendipity;
 
-    if (stristr($serendipity['dbType'], 'sqlite')) {
-        $cast = "okey";
-    } elseif (stristr($serendipity['dbType'], 'mysqli')) {
-        // Adds explicit casting for mysql.
-        $cast = "cast(okey as unsigned)";
-    } else {
-        // Adds explicit casting for postgresql and others.
-        $cast = "cast(okey as integer)";
-    }
+    $threeWeeksAgo = time() - 1814400;
+    $okeyCast = serendipity_db_cast('okey', 'unsigned');
 
     // Fetch autologin data from DB
-    $autologin_stored = serendipity_db_query("SELECT name, value, okey FROM {$serendipity['dbPrefix']}options WHERE name = 'autologin_" . serendipity_db_escape_string($user) . "' AND $cast > " . (time() - 1814400) . " LIMIT 1", true, 'assoc');
+    $autologin_stored = serendipity_db_query("SELECT name, value, okey FROM {$serendipity['dbPrefix']}options
+                                WHERE name = 'autologin_" . serendipity_db_escape_string($user) . "'
+                                   AND $okeyCast > {$threeWeeksAgo} LIMIT 1",
+                                   true, 'assoc');
     
     if (!is_array($autologin_stored)) {
         return false;
