
清理没有使用预处理的 增加登录判断 redis查询权限

visuddhinanda 5 лет назад
Родитель
Сommit
adbed049d5

+ 3 - 6
app/admin/db_update_cs6_para.php

@@ -1,16 +1,13 @@
 <?php
+#将cscd4 段落编号插入数据库 用于义注跳转
 require_once "../public/_pdo.php";
 require_once "../path.php";
 
-$db_file = _FILE_DB_PALITEXT_;
-PDO_Connect("$db_file");
-
+PDO_Connect(_FILE_DB_PALITEXT_);
 $query = "SELECT * from books where 1";
 $books = PDO_FetchAll($query);
 
-$db_file = _FILE_DB_PAGE_INDEX_;
-PDO_Connect("$db_file");
-
+PDO_Connect(_FILE_DB_PAGE_INDEX_);
 // 打开文件并读取数据
 $irow = 0;
 if (($fp = fopen("./cs6_para.csv", "r")) !== false) {

+ 3 - 4
app/admin/update_user_active_time.php

@@ -1,4 +1,5 @@
 <?php
+#已经废弃
 require_once '../path.php';
 
 date_default_timezone_set("UTC");
@@ -8,12 +9,10 @@ $start = strtotime($last . " +1 day");
 $end = strtotime($last . " +2 day");
 $today = strtotime("today");
 
-$dns = "" . _FILE_DB_USER_ACTIVE_;
-$dbh = new PDO($dns, "", "", array(PDO::ATTR_PERSISTENT => true));
+$dbh = new PDO(_FILE_DB_USER_ACTIVE_, "", "", array(PDO::ATTR_PERSISTENT => true));
 $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
 
-$dns = "" . _FILE_DB_USER_ACTIVE_INDEX_;
-$dbh_index = new PDO($dns, "", "", array(PDO::ATTR_PERSISTENT => true));
+$dbh_index = new PDO(_FILE_DB_USER_ACTIVE_INDEX_, "", "", array(PDO::ATTR_PERSISTENT => true));
 $dbh_index->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
 /* 开始一个事务,关闭自动提交 */
 $dbh_index->beginTransaction();

+ 7 - 6
app/admin/word_index_weight_refresh.php

@@ -6,8 +6,8 @@ require_once '../path.php';
 require_once './word_index_weight_table.php';
 
 if (isset($_GET["from"])) {
-    $from = $_GET["from"];
-    $to = $_GET["to"];
+    $from = (int)$_GET["from"];
+    $to = (int)$_GET["to"];
 } else {
     if ($argc != 3) {
         echo "无效的参数 ";
@@ -20,18 +20,19 @@ if (isset($_GET["from"])) {
     }
 }
 
-$dh_word = new PDO("" . _FILE_DB_WORD_INDEX_, "", "");
+$dh_word = new PDO( _FILE_DB_WORD_INDEX_, "", "");
 $dh_word->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
 
-$dh_pali = new PDO("" . _FILE_DB_PALI_INDEX_, "", "");
+$dh_pali = new PDO( _FILE_DB_PALI_INDEX_, "", "");
 $dh_pali->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
 
 echo "from=$from to = $to \n";
 for ($i = $from; $i <= $to; $i++) {
     $time_start = microtime(true);
     echo "正在处理 book= $i ";
-    $query = "SELECT max(paragraph) from word where book={$i}";
-    $stmt = $dh_pali->query($query);
+    $query = "SELECT max(paragraph) from word where book=?";
+	$stmt = $dh_pali->prepare($query);
+    $stmt->execute(array($i));
     $row = $stmt->fetch(PDO::FETCH_NUM);
     if ($row) {
         $max_para = $row[0];
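Review bot: The new `$to = (int)$_GET["to"];` in the first hunk still reads `$_GET["to"]` without checking it exists, so a request carrying only `from` emits an undefined-index warning and silently runs with `$to = 0`; guard both keys, `if (isset($_GET["from"], $_GET["to"])) {`. In the second hunk the added `$stmt = $dh_pali->prepare($query);` is indented with a tab while its neighbours use four spaces. Also, with `PDO::ERRMODE_WARNING` set on `$dh_pali` a failed prepare returns false, so the following `$stmt->execute(array($i));` would be a fatal call on a bool; either add `if ($stmt === false) { continue; }` or switch the handle to `PDO::ERRMODE_EXCEPTION`. The for loop body continues past the hunk.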

+ 2 - 2
app/article/add_article_to_collect.php

@@ -1,5 +1,5 @@
 <?php
-//查询term字典
+//添加文章到文集
 
 require_once "../path.php";
 require_once "../public/_pdo.php";
@@ -16,7 +16,7 @@ if(isset($_POST["id"])){
     $dirty_collect = array();
     $data = json_decode($_POST["data"]);
     $title = $_POST["title"];
-    PDO_Connect(""._FILE_DB_USER_ARTICLE_);
+    PDO_Connect(_FILE_DB_USER_ARTICLE_);
     $article_id=$_POST["id"];
     //找出脏的collect
     $query = "SELECT collect_id FROM article_list  WHERE article_id = ? ";

+ 2 - 2
app/article/collect_get.php

@@ -1,5 +1,5 @@
 <?php
-//查询term字典
+#获取文集信息
 
 require_once "../path.php";
 require_once "../public/_pdo.php";
@@ -8,7 +8,7 @@ require_once '../ucenter/function.php';
 
 
 if(isset($_GET["id"])){
-    PDO_Connect(""._FILE_DB_USER_ARTICLE_);
+    PDO_Connect(_FILE_DB_USER_ARTICLE_);
     $id=$_GET["id"];
     $query = "select * from collect  where id = ? ";
     $Fetch = PDO_FetchRow($query,array($id));

+ 3 - 3
app/article/collect_list.php

@@ -1,5 +1,5 @@
 <?php
-//查询term字典
+#某用户的文章列表
 
 require_once "../path.php";
 require_once "../public/_pdo.php";
@@ -10,8 +10,8 @@ require_once '../ucenter/function.php';
 if(isset($_GET["userid"])){
     PDO_Connect(""._FILE_DB_USER_ARTICLE_);
     $userid=$_GET["userid"];
-    $query = "SELECT * from collect  where owner = ".$PDO->quote($userid)." and status <> 0 order by modify_time DESC";
-    $Fetch = PDO_FetchAll($query);
+    $query = "SELECT * from collect  where owner = ? and status <> 0 order by modify_time DESC";
+    $Fetch = PDO_FetchAll($query,array($userid));
     echo json_encode($Fetch, JSON_UNESCAPED_UNICODE);
     exit;
 }
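Review bot: `PDO_Connect(""._FILE_DB_USER_ARTICLE_);` at the top of the second hunk keeps the `"" .` prefix that this same commit removes in collect_get.php, add_article_to_collect.php and list_new.php; for consistency it should read `PDO_Connect(_FILE_DB_USER_ARTICLE_);`. The same leftover remains in my_collect_put.php. Replacing `$PDO->quote($userid)` with a bound `?` parameter is the right change and should be the pattern for the remaining scripts.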

+ 24 - 11
app/article/function.php

@@ -73,15 +73,26 @@ class Article
         }
 	}
 	public function getPower($id){
-		#查询用户对此是否有权限		
-
+		#查询用户对此是否有权限	
+		if(isset($_COOKIE["userid"])){
+			$userId = $_COOKIE["userid"];
+		}
+		else{
+			$userId=0;
+		}
+		if($this->_redis!==false){
+			$power = $this->_redis->hGet("power://article/".$id,$userId);
+			if($power!==FALSE){
+				return $power;
+			}
+		}
 		$iPower = 0;
 		$query = "SELECT owner,status FROM article WHERE id=?  ";
 		$stmt = $this->dbh->prepare($query);
 		$stmt->execute(array($id));
 		$channel = $stmt->fetch(PDO::FETCH_ASSOC);
 		if($channel){
-			if(!isset($_COOKIE["userid"])  ){
+			if(!isset($_COOKIE["userid"])){
 				#未登录用户
 				if($channel["status"]==30){
 					#全网公开有读取和建议权限
@@ -91,14 +102,16 @@ class Article
 					#其他状态没有任何权限
 					return 0;
 				}
-				
-			}
-			if($channel["owner"]==$_COOKIE["userid"]){
-				return 30;
 			}
-			else if($channel["status"]>=30){
-				#全网公开的 可以提交pr
-				$iPower = 10;
+			else{
+				if($channel["owner"]==$_COOKIE["userid"]){
+					#自己的
+					return 30;
+				}
+				else if($channel["status"]>=30){
+					#全网公开的 可以提交pr
+					$iPower = 10;
+				}				
 			}
 		}
 		#查询共享权限,如果共享权限更大,覆盖上面的的
@@ -106,9 +119,9 @@ class Article
 		if($sharePower>$iPower){
 			$iPower=$sharePower;
 		}
+		$this->_redis->hSet("power://article/".$id,$_COOKIE["userid"],$iPower);
 		return $iPower;
 	}
-
 }
 
 ?>
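Review bot: The added `$this->_redis->hSet("power://article/".$id,$_COOKIE["userid"],$iPower);` in the last hunk has neither the `!== false` guard the `hGet` call in the first hunk has, nor the `isset` fallback, so with Redis unavailable it is a fatal call on a non-object, and for a request without a `userid` cookie whose article the SELECT does not find (the anonymous branch only returns when `$channel` is truthy) it reads an undefined index and caches under an empty field. Reuse the `$userId` computed at the top of the method and mirror the read-side guard: `if ($this->_redis !== false) { $this->_redis->hSet("power://article/".$id, $userId, $iPower); }`. Note also that the cached value returned from `hGet` is a string while the uncached path returns an int, so a caller using `===` sees different results on the first and later calls; an `(int)$power` on the cached return would keep them aligned. The cache entry has no expiry and is only cleared by the `del` added in my_article_post.php, so a share-permission change made elsewhere would keep serving the old value until then — presumably acceptable, but worth stating in the method's `#查询用户对此是否有权限` comment. getPower's body spans all three hunks of this section.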

+ 1 - 1
app/article/list_new.php

@@ -24,7 +24,7 @@ require_once '../collect/function.php';
     else{
         $begin = 0;
     }
-    PDO_Connect(""._FILE_DB_USER_ARTICLE_);
+    PDO_Connect(_FILE_DB_USER_ARTICLE_);
     $query = "SELECT id,title,subtitle,summary,owner,modify_time from article  where status >= 30 ";
     
     if(isset($_GET["orderby"])){

+ 1 - 0
app/article/my_article_post.php

@@ -129,6 +129,7 @@ if (!$sth || ($sth && $sth->errorCode() != 0)) {
 else{
 	if($redis){
 		$redis->del("article://".$_POST["id"]);
+		$redis->del("power://article/".$_POST["id"]);
 	}
 	
 }

+ 14 - 0
app/article/my_article_put.php

@@ -9,6 +9,20 @@ require_once '../hostsetting/function.php';
 require_once "../ucenter/active.php";
 
 $respond=array("status"=>0,"message"=>"");
+if(!isset($_COOKIE["userid"])){
+	#不登录不能新建
+	$respond['status']=1;
+	$respond['message']="no power create article";
+	echo json_encode($respond, JSON_UNESCAPED_UNICODE);
+	exit;
+}
+if(!isset($_POST["title"])){
+	#无标题不能新建
+	$respond['status']=1;
+	$respond['message']="no title";
+	echo json_encode($respond, JSON_UNESCAPED_UNICODE);
+	exit;
+}
 PDO_Connect(_FILE_DB_USER_ARTICLE_);
 
 $query="INSERT INTO article ( id,  title  , subtitle  , summary , content   , tag  , owner, setting  , status  , create_time , modify_time , receive_time   )  VALUES  ( ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? ) ";
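Review bot: The added login guard only tests `isset($_COOKIE["userid"])`, i.e. the presence of a client-supplied cookie rather than a verified session; unless `ucenter/function.php` or `ucenter/active.php` (included above, outside the hunk) validates that cookie server-side on every request, the check is a convenience, not an authorization control, and the comment should say which. The same block is duplicated verbatim in my_collect_post.php and my_collect_put.php, including the copied message `"no power create article"`, so a shared helper in ucenter/function.php that fills `$respond` and exits would keep the three in sync. The title guard passes an empty string through `isset`; if empty titles are invalid, use `if(!isset($_POST["title"]) || $_POST["title"]===''){`.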

+ 10 - 3
app/article/my_collect_post.php

@@ -5,11 +5,18 @@ require_once '../public/function.php';
 require_once '../hostsetting/function.php';
 require_once "../ucenter/active.php";
 
-add_edit_event(_COLLECTION_EDIT_,$_POST["id"]);
-
 $respond=array("status"=>0,"message"=>"");
+if(!isset($_COOKIE["userid"])){
+	#不登录不能新建
+	$respond['status']=1;
+	$respond['message']="no power create article";
+	echo json_encode($respond, JSON_UNESCAPED_UNICODE);
+	exit;
+}
+
+add_edit_event(_COLLECTION_EDIT_,$_POST["id"]);
 
-PDO_Connect(""._FILE_DB_USER_ARTICLE_);
+PDO_Connect(_FILE_DB_USER_ARTICLE_);
 
 $query="UPDATE collect SET title = ? , subtitle = ? , summary = ?, article_list = ?  ,  status = ? , lang = ? , receive_time= ?  , modify_time= ?   where  id = ?  ";
 $sth = $PDO->prepare($query);
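Review bot: `add_edit_event(_COLLECTION_EDIT_,$_POST["id"]);` is now correctly placed after the login guard, but `$_POST["id"]` is still read without an `isset` check, unlike the title check the sibling put scripts gained in this commit; add `if(!isset($_POST["id"])){ $respond['status']=1; $respond['message']="no id"; echo json_encode($respond, JSON_UNESCAPED_UNICODE); exit; }` in the same shape before calling it. The UPDATE below presumably binds that same id to its `where id = ?` parameter outside the hunk, so the check protects both uses.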

+ 14 - 0
app/article/my_collect_put.php

@@ -6,6 +6,20 @@ require_once '../hostsetting/function.php';
 require_once "../ucenter/active.php";
 
 $respond=array("status"=>0,"message"=>"");
+if(!isset($_COOKIE["userid"])){
+	#不登录不能新建
+	$respond['status']=1;
+	$respond['message']="no power create article";
+	echo json_encode($respond, JSON_UNESCAPED_UNICODE);
+	exit;
+}
+if(!isset($_POST["title"])){
+	#无标题不能新建
+	$respond['status']=1;
+	$respond['message']="no title";
+	echo json_encode($respond, JSON_UNESCAPED_UNICODE);
+	exit;
+}
 PDO_Connect(""._FILE_DB_USER_ARTICLE_);
 
 $query="INSERT INTO collect ( id,  title  , subtitle  , summary , article_list   , owner, lang  , status  , create_time , modify_time , receive_time   )  VALUES  ( ? , ? , ? , ?  , ? , ? , ? , ? , ? , ? , ? ) ";

+ 1 - 0
app/dict/redis_comp_part.php

@@ -1,5 +1,6 @@
 <?php
 #从自动复合词数据库中提取数据到ridis
+#已经废弃
 require_once "../path.php";
 require_once "../redis/function.php";