[evolvis-commits] r13239: Merged from 4.8: db_query_params transition work

mirabilos at evolvis.org mirabilos at evolvis.org
Mon Feb 28 02:24:19 CET 2011


Author: mirabilos
Date: 2011-02-28 02:24:19 +0100 (Mon, 28 Feb 2011)
New Revision: 13239

Modified:
   trunk/gforge_base/evolvisforge-5.1/Makefile
   trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/Forum.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/ForumFactory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/frs/FRSFile.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/frs/FRSPackage.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/frs/FRSRelease.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/include/User.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/include/database-mysql.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/include/forms.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/UNIX.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/pgsql.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/include/tag_cloud.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/mail/MailingList.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/mail/MailingListFactory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectCategory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroup.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroupFactory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTask.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTaskFactory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTasksForUser.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/Validator.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifact.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactBoxOptions.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactCanned.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraField.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraFieldElement.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFile.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFromID.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactHistory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactMessage.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQuery.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQueryFactory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactType.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypeFactory.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypes.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifacts.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactsForUser.class.php
   trunk/gforge_base/evolvisforge-5.1/gforge/www/softwaremap/full_list.php
Log:
Merged from 4.8: db_query_params transition work

Modified: trunk/gforge_base/evolvisforge-5.1/Makefile
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/Makefile	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/Makefile	2011-02-28 01:24:19 UTC (rev 13239)
@@ -7,7 +7,7 @@
 BUILDRESULT=$(CURDIR)/result
 
 VER=$(shell LANG=C grep '>software_version' gforge/common/include/FusionForge.class.php | cut -d\' -f2)
-TAG=$(shell LANG=C svn log -r HEAD -l 1 | awk '{ if ($$1=="Tag-Release") print $$2}')
+TAG=$(shell LANG=C svn log -r HEAD -l 1 2>/dev/null | awk '{ if ($$1=="Tag-Release") print $$2}')
 ifeq ($(TAG),)
 	VERSION=fusionforge-$(VER)-$(shell LANG=C svn info | grep Revision | cut -d: -f2| sed 's/ //g')
 else

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/Forum.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/Forum.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/Forum.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -219,7 +219,7 @@
 					) AS threads 
 				FROM forum_group_list_vw AS fgl
 				WHERE group_forum_id='$group_forum_id'";
-			$res = db_query ($sql);
+			$res = db_query_mysql ($sql);
 		} else {
 			$res = db_query_params ('SELECT * FROM forum_group_list_vw WHERE group_forum_id=$1',
 						array ($group_forum_id)) ;
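Review bot: The MySQL branch still splices `$group_forum_id` into the query text (`WHERE group_forum_id='$group_forum_id'`) and this hunk only renames the call, so that path stays injectable unless the value is validated upstream, which nothing visible here shows. The cheapest fix is to force the type before building the string, `WHERE group_forum_id=".(int)$group_forum_id`, or to route the MySQL branch through `db_query_params` too if that backend supports it. The enclosing method starts and ends outside the hunk.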
@@ -267,7 +267,7 @@
 				return false;
 			}
 			$sql="select @res";
-			$result = db_query ($sql);
+			$result = db_query_mysql ($sql);
 		} else {
 			$result = db_query_params ('SELECT nextval($1)',
 						   array ('forum_thread_seq')) ;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/ForumFactory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/ForumFactory.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/forum/ForumFactory.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -124,7 +124,7 @@
 			$exists
 			ORDER BY group_forum_id;";
 			
-			$result = db_query ($sql);
+			$result = db_query_mysql ($sql);
 			
 			$rows = db_numrows($result);
 			

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/User.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/User.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/User.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -776,7 +776,8 @@
 		}
 
 		if ($GLOBALS['sys_require_unique_email']) {
-			if (db_numrows(db_query("SELECT user_id FROM users WHERE email ILIKE '$email' OR email_new ILIKE '$email'")) > 0) {
+			if (db_numrows(db_query_params('SELECT user_id FROM users WHERE email ILIKE $1 OR email_new ILIKE $2',
+						       array ($email, $email))) > 0) {
 				$this->setError(_('User with this email already exists.'));
 			return false;
 			}
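Review bot: Binding `$email` does stop injection, but the comparison is still `ILIKE`, so `%` and `_` in the address act as wildcards rather than characters: `a_b@example.com` is reported as taken when `axb@example.com` exists, and an address containing `%` collides with almost everything. The intent is a case-insensitive equality test, which is `'SELECT user_id FROM users WHERE lower(email)=lower($1) OR lower(email_new)=lower($1)'` with `array ($email)`, and that also drops the duplicated parameter. The enclosing method starts outside the hunk.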
@@ -1420,8 +1421,9 @@
 			$this->setError('User::getRole : Unable to get group object');
 			return false;
 		}
-		$sql = "SELECT role_id FROM user_group WHERE user_id=".$this->getID()." AND group_id = ".$group->getID();
-		$res = db_query($sql);
+		$res = db_query_params ('SELECT role_id FROM user_group WHERE user_id=$1 AND group_id=$2',
+					array ($this->getID(),
+					       $group->getID())) ;
 		if (!$res) {
 			$this->setError('User::getRole::DB - Could Not get role_id '.db_error());
 			return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/database-mysql.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/database-mysql.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/database-mysql.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -61,7 +61,7 @@
  *  @param		int		How many rows do you want returned
  *  @param		int		Of matching rows, return only rows starting here
  */
-function db_query($qstring, $limit = '-1', $offset = 0) {
+function db_query_mysql($qstring, $limit = '-1', $offset = 0) {
 	global $sys_dbname, $gfconn;
 
 	db_log_entry('db_query',"$qstring, $limit, $offset");
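Review bot: The renamed function still records itself under the old name on the last line of the hunk, so the query log cannot tell it apart from the generic wrapper; it should read `db_log_entry('db_query_mysql',"$qstring, $limit, $offset");`, and the docblock above (partly outside the hunk) should carry the new name as well. More importantly, with `db_query()` removed from this backend, any MySQL-mode caller that this commit did not convert now dies with an undefined-function error; I cannot see from the diff whether a compatibility `db_query()` shim remains, so that is worth confirming before merging.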
@@ -189,7 +189,7 @@
  *	may cause unexpected behavior in databases that don't
  */
 function db_begin() {
-	return db_query("BEGIN WORK");
+	return db_query_mysql("BEGIN WORK");
 }
 
 /**
@@ -199,7 +199,7 @@
  * may cause unexpected behavior in databases that don't
  */
 function db_commit() {
-	return db_query("COMMIT");
+	return db_query_mysql("COMMIT");
 }
 
 /**
@@ -209,7 +209,7 @@
  * may cause unexpected behavior in databases that don't
  */
 function db_rollback() {
-	return db_query("ROLLBACK");
+	return db_query_mysql("ROLLBACK");
 }
 
 /**
@@ -355,13 +355,13 @@
 	global $_sys_db_transaction_level;
 	if ($_sys_db_transaction_level > 0) {
 		echo "Open transaction detected!!!";
-		db_query("ROLLBACK");
+		db_query_mysql("ROLLBACK");
 	}
 }
 
 function db_drop_table_if_exists ($tn) {
 	$sql = "DROP TABLE IF EXISTS $tn;";
-	$rel = db_query ($sql);
+	$rel = db_query_mysql ($sql);
 	echo db_error();
 }
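Review bot: `db_drop_table_if_exists` still interpolates `$tn` into `DROP TABLE IF EXISTS $tn;`, and since an identifier cannot be bound as a parameter the rename to `db_query_mysql` does not change that; the function is only safe if every caller passes a trusted name. A guard such as `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $tn)) { return; }` before the query closes the gap cheaply, and a one-line docblock, `// $tn is a bare identifier and is NOT escaped; never pass user input`, would warn future callers.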
 

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/forms.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/forms.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/forms.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -39,7 +39,7 @@
 		$key = md5(microtime() + rand() + $_SERVER["REMOTE_ADDR"]);
 	    if ( $sys_database_type == "mysql" ) {
 			$sql = "SELECT * FROM form_keys WHERE `key`='".$key."'";
-			$res=db_query($sql);
+			$res=db_query_mysql($sql);
 		} else {
 			$res = db_query_params ('SELECT * FROM form_keys WHERE key=$1', array ($key));
 		}
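Review bot: The form key on the line above the renamed call is built with `+`, not `.`, so `microtime()`, `rand()` and `$_SERVER["REMOTE_ADDR"]` are coerced to numbers before hashing: the microtime string keeps only its leading fractional part, the address collapses to its leading numeric prefix, and the key is effectively `md5(rand() + a small number)`, which is guessable. Since this key is what the `is_used` flag later relies on, it should come from a CSPRNG, e.g. `$key = bin2hex(openssl_random_pseudo_bytes(16));` where the OpenSSL extension is available, and at the very least concatenate with `.`. The enclosing function starts outside the hunk.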
@@ -48,7 +48,7 @@
 		}
 	}
 	if ( $sys_database_type == "mysql" ) {
-		$res = db_query("INSERT INTO form_keys (`key`,is_used,creation_date) VALUES ('".$key."',0,".time().")");
+		$res = db_query_mysql("INSERT INTO form_keys (`key`,is_used,creation_date) VALUES ('".$key."',0,".time().")");
 	} else {
 		$res = db_query_params('INSERT INTO form_keys (key,is_used,creation_date) VALUES ($1, 0, $2)', array ($key,time()));
 	}
@@ -80,7 +80,7 @@
 	db_begin();
 	if ( $sys_database_type == "mysql" ) {
 		$sql = "SELECT * FROM form_keys WHERE `key`='$key' and is_used=0 FOR UPDATE";
-		$res=db_query($sql);
+		$res=db_query_mysql($sql);
 	} else {
 		$res = db_query_params ('SELECT * FROM form_keys WHERE key=$1 and is_used=0 FOR UPDATE', array ($key));
 	}
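Review bot: Only the PostgreSQL branch of this check binds `$key`; the MySQL branch still embeds it in the SQL text (`WHERE `key`='$key'`), and if `$key` arrives from the submitted form that is an injection point the rename does not fix. Keys are produced as 32 hex characters, so a format check placed before the `db_begin()` on the first line of the hunk, `if (!preg_match('/^[0-9a-f]{32}$/', $key)) { return false; }` (assuming the function signals failure with `false` like its other paths appear to), protects both branches; the same applies to the other three MySQL branches in this file. The enclosing function starts outside the hunk.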
@@ -90,7 +90,7 @@
 	}
 	if ( $sys_database_type == "mysql" ) {
 		$sql = "UPDATE form_keys SET is_used=1 WHERE `key`='$key'";
-		$res=db_query($sql);
+		$res=db_query_mysql($sql);
 	} else {
 		$res = db_query_params ('UPDATE form_keys SET is_used=1 WHERE key=$1', array ($key));
 	}
@@ -115,7 +115,7 @@
 	db_begin();
 	if ( $sys_database_type == "mysql" ) {
 		$sql = "SELECT * FROM form_keys WHERE `key`='$key' FOR UPDATE";
-		$res=db_query($sql);
+		$res=db_query_mysql($sql);
 	} else {
 		$res = db_query_params ('SELECT * FROM form_keys WHERE key=$1 FOR UPDATE', array ($key));
 	}
@@ -125,7 +125,7 @@
 	}
 	if ( $sys_database_type == "mysql" ) {
 		$sql = "UPDATE form_keys SET is_used=0 WHERE `key`='$key'";
-		$res=db_query($sql);
+		$res=db_query_mysql($sql);
 	} else {
 		$res = db_query_params ('UPDATE form_keys SET is_used=0 WHERE key=$1', array ($key));
 	}

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/UNIX.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/UNIX.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/UNIX.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -52,11 +52,15 @@
 		if (!$user) {
 			return false;
 		} else {
-			$res=db_query("UPDATE users SET
-			unix_uid=user_id+".$this->UID_ADD.",
-			unix_gid=user_id+".$this->UID_ADD.",
-			unix_status='A'
-			WHERE user_id=$user_id");
+			$res = db_query_params ('UPDATE users SET
+			unix_uid=user_id+$1,
+			unix_gid=user_id+$2,
+			unix_status=$3
+			WHERE user_id=$4',
+						array ($this->UID_ADD,
+						       $this->UID_ADD,
+						       'A',
+						       $user_id)) ;
 	                if (!$res) {
 	                        $this->setError('ERROR - Could Not Update User UID/GID: '.db_error());
 	                        return false;
@@ -73,7 +77,9 @@
  	*
  	*/
 	function sysRemoveUser($user_id) {
-		$res=db_query("UPDATE users SET unix_status='N' WHERE user_id=$user_id");
+		$res = db_query_params ('UPDATE users SET unix_status=$1 WHERE user_id=$2',
+					array ('N',
+					       $user_id));
 		if (!$res) {
 			$this->setError('ERROR - Could Not Update User Unix Status: '.db_error());
 			return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/pgsql.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/pgsql.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/system/pgsql.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -90,42 +90,46 @@
 		if (!$user) {
 			return false;
 		} else {
-			$res=db_query("UPDATE users SET
-			unix_uid=user_id+".$this->UID_ADD.",
-			unix_gid=user_id+".$this->UID_ADD.",
-			unix_status='A'
-			WHERE user_id=$user_id");
+			$res = db_query_params ('UPDATE users SET
+			unix_uid=user_id+$1,
+			unix_gid=user_id+$2,
+			unix_status=$3
+			WHERE user_id=$4',
+						array ($this->UID_ADD,
+						       $this->UID_ADD,
+						       'A',
+						       $user_id)) ;
 	                if (!$res) {
 	                        $this->setError('ERROR - Could Not Update User UID/GID: '.db_error());
 	                        return false;
 			} else {
-				$query="DELETE FROM nss_usergroups WHERE user_id=$user_id";
-				$res1=db_query($query);
+				$res1 = db_query_params ('DELETE FROM nss_usergroups WHERE user_id=$1',
+							 array ($user_id)) ;
 	                	if (!$res1) {
 					$this->setError('ERROR - Could Not Delete Group Member(s): '.db_error());
 	                        	return false;
 				}
 				// This is group used for user, not a real project
-				$query="DELETE FROM nss_groups WHERE name IN
-					(SELECT user_name FROM users WHERE user_id=$user_id)";
-				$res2=db_query($query);
+				$res2 = db_query_params ('DELETE FROM nss_groups WHERE name IN
+					(SELECT user_name FROM users WHERE user_id=$1)',
+							 array ($user_id));
 	                	if (!$res2) {
 	                        	$this->setError('ERROR - Could Not Delete Group GID: '.db_error());
 	                        	return false;
 				}
-				$query="INSERT INTO nss_groups
+				$res3 = db_query_params ('INSERT INTO nss_groups
 					(user_id, group_id,name, gid)
 					SELECT user_id, 0, user_name, unix_gid
-					FROM users WHERE user_id=$user_id"; 
-				$res3=db_query($query);
+					FROM users WHERE user_id=$1',
+							 array ($user_id));
 	                	if (!$res3) {
 	                        	$this->setError('ERROR - Could Not Update Group GID: '.db_error());
 	                        	return false;
 				}
-				$query="INSERT INTO nss_usergroups (
+				$res4 = db_query_params ('INSERT INTO nss_usergroups (
 					SELECT
 						users.unix_uid AS uid,
-						groups.group_id + ".$this->GID_ADD." AS gid,
+						groups.group_id + $1 AS gid,
 						users.user_id AS user_id,
 						groups.group_id AS group_id,
 						users.user_name AS user_name,
@@ -136,38 +140,44 @@
 					AND
 						groups.group_id=user_group.group_id
 					AND
-						users.user_id=$user_id
+						users.user_id=$2
 					AND
-						groups.status = 'A'
+						groups.status=$3
 					AND
-						users.unix_status='A'
+						users.unix_status=$4
 					AND
-						users.status = 'A'
+						users.status=$5
 					UNION
 					SELECT
 						users.unix_uid AS uid,
-						groups.group_id + ".$this->SCM_UID_ADD." AS gid,
+						groups.group_id + $6 AS gid,
 						users.user_id AS user_id,
 						groups.group_id AS group_id,
 						users.user_name AS user_name,
-						'scm_' || groups.unix_group_name AS unix_group_name
+						$7 || groups.unix_group_name AS unix_group_name
 					FROM users,groups,user_group
 					WHERE 
 						users.user_id=user_group.user_id
 					AND
 						groups.group_id=user_group.group_id
 					AND
-						users.user_id=$user_id
+						users.user_id=$8
 					AND
-						groups.status = 'A'
+						groups.status=$9
 					AND
-						users.unix_status='A'
+						users.unix_status=$10
 					AND
-						users.status = 'A'
+						users.status=$11
 					AND
 						user_group.cvs_flags > 0)
-				";
-				$res4=db_query($query);
+				',
+							 array ($this->GID_ADD,
+								$user_id,
+								'A', 'A', 'A',
+								$this->SCM_UID_ADD,
+								'scm_',
+								$user_id,
+								'A', 'A', 'A')) ;
 	                	if (!$res4) {
 	                        	$this->setError('ERROR - Could Not Update Group Member(s): '.db_error());
 	                        	return false;
@@ -207,21 +217,23 @@
  	*
  	*/
 	function sysRemoveUser($user_id) {
-		$res=db_query("UPDATE users SET unix_status='N' WHERE user_id=$user_id");
+		$res = db_query_params ('UPDATE users SET unix_status=$1 WHERE user_id=$2',
+					array ('N',
+					       $user_id)) ;
 		if (!$res) {
 			$this->setError('ERROR - Could Not Update User Unix Status: '.db_error());
 			return false;
 		} else {
-			$query="DELETE FROM nss_usergroups WHERE user_id=$user_id";
-			$res1=db_query($query);
+			$res1 = db_query_params ('DELETE FROM nss_usergroups WHERE user_id=$1',
+						 array ($user_id));
 			if (!$res1) {
 				$this->setError('ERROR - Could Not Delete Group Member(s): '.db_error());
 				return false;
 			}
 			// This is group used for user, not a real project
-			$query="DELETE FROM nss_groups WHERE name IN
-				(SELECT user_name FROM users WHERE user_id=$user_id)";
-			$res2=db_query($query);
+			$res2 = db_query_params ('DELETE FROM nss_groups WHERE name IN
+				(SELECT user_name FROM users WHERE user_id=$1)',
+						 array ($user_id)) ;
 			if (!$res2) {
 				$this->setError('ERROR - Could Not Delete Group GID: '.db_error());
 				return false;
@@ -259,8 +271,8 @@
 		if (!$group){
 			return false;
 		} else {
-			$query="SELECT group_id FROM nss_groups WHERE group_id=$group_id";
-			$res=db_query($query);
+			$res = db_query_params ('SELECT group_id FROM nss_groups WHERE group_id=$1',
+						aarray ($group_id));
 			if (db_numrows($res) == 0){
 				return false;
 			} else {
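Review bot: The new parameter list is passed to `aarray (...)`, which is not a function, so this path dies with an undefined-function error the first time it runs; it should read `array ($group_id));`. The enclosing method starts and ends outside the hunk, so please also run it once after the fix since the typo means this code has not executed yet.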
@@ -281,44 +293,46 @@
 		if (!$group) {
 			return false;
 		} else {
-				$query="DELETE FROM nss_usergroups WHERE group_id=$group_id";
-				$res1=db_query($query);
+				$res1 = db_query_params ('DELETE FROM nss_usergroups WHERE group_id=$1',
+							 array ($group_id));
 	                	if (!$res1) {
 					$this->setError('ERROR - Could Not Delete Group Member(s): '.db_error());
 	                        	return false;
 				}
-				$query="DELETE FROM nss_groups WHERE group_id=$group_id";
-				$res3=db_query($query);
+				$res3 = db_query_params ('DELETE FROM nss_groups WHERE group_id=$1',
+							 array ($group_id)) ;
 	                	if (!$res3) {
 	                        	$this->setError('ERROR - Could Not Delete Group GID: '.db_error());
 	                        	return false;
 				}
-				$query="INSERT INTO nss_groups
+				$res4 = db_query_params ('INSERT INTO nss_groups
 					(user_id, group_id, name, gid)
-        				SELECT 0, group_id, unix_group_name, group_id +".$this->GID_ADD."
+        				SELECT 0, group_id, unix_group_name, group_id + $1
 					FROM groups
-					WHERE group_id=$group_id
-					"; 
-				$res4=db_query($query);
+					WHERE group_id=$2',
+							 array ($this->GID_ADD,
+								$group_id)) ;
 	                	if (!$res4) {
 	                        	$this->setError('ERROR - Could Not Insert Group GID: '.db_error());
 	                        	return false;
 				}
-				$query="INSERT INTO nss_groups
+				$res5 = db_query_params ('INSERT INTO nss_groups
 					(user_id, group_id, name, gid)
-        				SELECT 0, group_id, 'scm_' || unix_group_name, group_id +".$this->SCM_UID_ADD."
+        				SELECT 0, group_id, $1 || unix_group_name, group_id + $2
 					FROM groups
-					WHERE group_id=$group_id
-					"; 
-				$res5=db_query($query);
+					WHERE group_id=$3',
+							 array ('scm_',
+								$this->SCM_UID_ADD,
+								$group_id)) ;
+								
 	                	if (!$res5) {
 	                        	$this->setError('ERROR - Could Not Insert SCM Group GID: '.db_error());
 	                        	return false;
 				}
-				$query="INSERT INTO nss_usergroups (
+				$res6 = db_query_params ('INSERT INTO nss_usergroups (
 					SELECT
 						users.unix_uid AS uid,
-						groups.group_id + ".$this->GID_ADD." AS gid,
+						groups.group_id + $1 AS gid,
 						users.user_id AS user_id,
 						groups.group_id AS group_id,
 						users.user_name AS user_name,
@@ -329,38 +343,45 @@
 					AND
 						groups.group_id=user_group.group_id
 					AND
-						groups.group_id=$group_id
+						groups.group_id=$2
 					AND
-						groups.status = 'A'
+						groups.status=$3
 					AND
-						users.unix_status='A'
+						users.unix_status=$4
 					AND
-						users.status = 'A'
+						users.status=$5
 					UNION
 					SELECT
 						users.unix_uid AS uid,
-						groups.group_id + ".$this->SCM_UID_ADD." AS gid,
+						groups.group_id + $6 AS gid,
 						users.user_id AS user_id,
 						groups.group_id AS group_id,
 						users.user_name AS user_name,
-						'scm_' || groups.unix_group_name AS unix_group_name
+						$7 || groups.unix_group_name AS unix_group_name
 					FROM users,groups,user_group
 					WHERE 
 						groups.group_id=user_group.group_id
 					AND
 						users.user_id=user_group.user_id
 					AND
-						groups.group_id=$group_id
+						groups.group_id=$8
 					AND
-						groups.status = 'A'
+						groups.status=$9
 					AND
-						users.unix_status='A'
+						users.unix_status=$10
 					AND
-						users.status = 'A'
+						users.status=$11
 					AND
-						user_group.cvs_flags > 0);
-				";
-				$res6=db_query($query);
+						user_group.cvs_flags > 0)',
+							 array ($this->GID_ADD,
+								$group_id,
+								'A', 'A', 'A',
+								$this->SCM_UID_ADD,
+								'scm_',
+								$group_id,
+								'A', 'A', 'A',
+								
+)) ;;
 	                	if (!$res6) {
 	                        	$this->setError('ERROR - Could Not Update Group Member(s): '.db_error());
 	                        	return false;
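Review bot: The argument list closing the `$res6` query ends with a dangling trailing comma, a blank line and `)) ;;`; the empty statement is harmless, but together they read as an unfinished edit. Close it as `'A', 'A', 'A')) ;` to match the `$res4` call in the previous hunk. The enclosing method starts outside the hunk.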
@@ -377,19 +398,17 @@
  	*
  	*/
 	function sysRemoveGroup($group_id) {
-		$query="DELETE FROM nss_usergroups WHERE group_id=$group_id";
-//echo "<h2>SYS::sysRemoveGroup: $query</h2>";
-		$res1=db_query($query);
+		$res1 = db_query_params ('DELETE FROM nss_usergroups WHERE group_id=$1',
+					 array ($group_id)) ;
 		if (!$res1) {
 			$this->setError('ERROR - Could Not Delete Group Member(s): '.db_error());
 			return false;
 		}
-		$query="DELETE FROM nss_groups WHERE group_id=$group_id ";
-//echo "<h2>SYS::sysRemoveGroup: $query</h2>";
-		$res3=db_query($query);
-	              	if (!$res3) {
-	                      	$this->setError('ERROR - Could Not Delete Group GID: '.db_error());
-	                      	return false;
+		$res3 = db_query_params ('DELETE FROM nss_groups WHERE group_id=$1',
+					 array ($group_id)) ;
+		if (!$res3) {
+			$this->setError('ERROR - Could Not Delete Group GID: '.db_error());
+			return false;
 		}
 		return true;
 	}
@@ -404,45 +423,38 @@
  	*
  	*/
 	function sysGroupAddUser($group_id,$user_id,$cvs_only=0) {
-		if ($cvs_only) {
-			$query="DELETE FROM nss_usergroups WHERE user_id=$user_id AND group_id=$group_id
-			AND unix_group_name LIKE 'scm_%'";
-		} else {
-			$query="DELETE FROM nss_usergroups WHERE user_id=$user_id AND group_id=$group_id";
-		}
-//echo "<h2>SYS::sysGroupAddUser DELETE: $query</h2>";
-		$res0=db_query($query);
-		if (!$res0) {
-			$this->setError('ERROR - Could Not Delete Group Member(s): '.db_error());
+		if (! sysGroupRemoveUser($group_id,$user_id,$cvs_only))
 			return false;
-		}
-		$query="INSERT INTO nss_usergroups (
+		$res1 = db_query_params ('INSERT INTO nss_usergroups (
 			SELECT
 				users.unix_uid AS uid,
-				groups.group_id + ".$this->SCM_UID_ADD." AS gid,
+				groups.group_id + $1 AS gid,
 				users.user_id AS user_id,
 				groups.group_id AS group_id,
 				users.user_name AS user_name,
-				'scm_' || groups.unix_group_name AS unix_group_name
+				$2 || groups.unix_group_name AS unix_group_name
 			FROM users,groups,user_group
 			WHERE 
 				users.user_id=user_group.user_id
 			AND
 				groups.group_id=user_group.group_id
 			AND
-				users.user_id=$user_id
+				users.user_id=$3
 			AND
-				groups.group_id=$group_id
+				groups.group_id=$4
 			AND
-				groups.status = 'A'
+				groups.status$5
 			AND
-				users.unix_status='A'
+				users.unix_status=$6
 			AND
-				users.status = 'A'
+				users.status=$7
 			AND
-				user_group.cvs_flags > 0) ";
-//echo "<h2>SYS::sysGroupAddUser ADDCVS: $query</h2>";
-		$res1=db_query($query);
+				user_group.cvs_flags > 0)',
+					 array ($this->SCM_UID_ADD,
+						'scm_',
+						$user_id,
+						$group_id,
+						'A', 'A', 'A')) ;
 		if (!$res1) {
 			$this->setError('ERROR - Could Not Add SCM Member(s): '.db_error());
 			return false;
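Review bot: Two added lines in this hunk cannot run as written: `sysGroupRemoveUser` is a method of this class (it is defined further down in the file) but is called as a bare function, and the SQL condition `groups.status$5` has lost its operator. They should be `if (! $this->sysGroupRemoveUser($group_id,$user_id,$cvs_only))` and `groups.status=$5`. As it stands the first call fatals with an undefined function, and even past that PostgreSQL would reject the query with a parameter-count or unknown-column error.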
@@ -452,10 +464,10 @@
 			return true;
 		}
 
-		$query="INSERT INTO nss_usergroups (
+		$res2 = db_query_params ('INSERT INTO nss_usergroups (
 			SELECT
 				users.unix_uid AS uid,
-				groups.group_id + ".$this->GID_ADD." AS gid,
+				groups.group_id + $1 AS gid,
 				users.user_id AS user_id,
 				groups.group_id AS group_id,
 				users.user_name AS user_name,
@@ -466,17 +478,19 @@
 			AND
 				groups.group_id=user_group.group_id
 			AND
-				users.user_id=$user_id
+				users.user_id=$2
 			AND
-				groups.group_id=$group_id
+				groups.group_id=$3
 			AND
-				groups.status = 'A'
+				groups.status=$4
 			AND
-				users.unix_status='A'
+				users.unix_status=$5
 			AND
-				users.status = 'A') ";
-//echo "<h2>SYS::sysGroupAddUser ADDSYS: $query</h2>";
-		$res2=db_query($query);
+				users.status=$6)',
+					 array ($this->GID_ADD,
+						$user_id,
+						$group_id,
+						'A', 'A', 'A'));
 		if (!$res2) {
 			$this->setError('ERROR - Could Not Add Shell Group Member(s): '.db_error());
 			return false;
@@ -496,13 +510,15 @@
  	*/
 	function sysGroupRemoveUser($group_id,$user_id,$cvs_only=0) {
 		if ($cvs_only) {
-			$query="DELETE FROM nss_usergroups WHERE group_id=$group_id AND user_id=$user_id
-			AND unix_group_name LIKE 'scm_%'";
+			$res1 = db_query_params ('DELETE FROM nss_usergroups WHERE user_id=$1 AND group_id=$2 AND unix_group_name LIKE $3',
+						 array ($user_id,
+							$group_id,
+							'scm_%')) ;
 		} else {
-			$query="DELETE FROM nss_usergroups WHERE group_id=$group_id AND user_id=$user_id";
+			$res1 = db_query_params ('DELETE FROM nss_usergroups WHERE user_id=$1 AND group_id=$2',
+						 array ($user_id,
+							$group_id)) ;
 		}
-//echo "<h2>SYS::sysGroupRemoveUser REM: $query</h2>";
-		$res1=db_query($query);
 		if (!$res1) {
 			$this->setError('ERROR - Could Not Delete Group Member(s): '.db_error());
 			return false;
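Review bot: In the `$cvs_only` branch the pattern `'scm_%'` is bound to `LIKE`, where `_` is itself a single-character wildcard, so it also matches non-SCM rows whose `unix_group_name` merely starts with `scm` plus any character (a project named `scmtools`, say), and a CVS-only removal would delete that user's shell-group row as well. Escape the underscore, `'scm\\_%'` (the value is bound, so PostgreSQL's default backslash escape applies without any literal doubling), or compare a fixed prefix instead, `AND substr(unix_group_name, 1, 4) = $3` with `'scm_'`. This predates the commit but is a behaviour difference worth closing while the query is being touched.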

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/include/tag_cloud.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/include/tag_cloud.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/include/tag_cloud.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -98,11 +98,12 @@
 
 	$return = '';
 
-	$res = db_query("SELECT name,count(*) AS count
+	$res = db_query_params ('SELECT name,count(*) AS count
 					 FROM project_tags, groups
 					 WHERE project_tags.group_id = groups.group_id
-					 AND status = 'A' AND is_public=1 AND type_id=1 AND register_time > 0
-					 GROUP BY name ORDER BY count DESC");
+					 AND status = $1 AND is_public=1 AND type_id=1 AND register_time > 0
+					 GROUP BY name ORDER BY count DESC',
+				array ('A')) ;
 	if (db_numrows($res) > 0) {
 		$count_min = 0;
 		$count_max = 0;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectCategory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectCategory.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectCategory.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2000, Tim Perdue/Sourceforge
  * Copyright 2002, Tim Perdue/GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -100,11 +101,10 @@
 			$this->setPermissionDeniedError();
 			return false;
 		}
-		$sql="INSERT INTO project_category (group_project_id,category_name) 
-			VALUES ('".$this->ProjectGroup->getID()."','".htmlspecialchars($name)."')";
+		$result = db_query_params ('INSERT INTO project_category (group_project_id,category_name) VALUES ($1,$2)',
+					   array ($this->ProjectGroup->getID(),
+						  htmlspecialchars($name))) ;
 
-		$result=db_query($sql);
-
 		if ($result && db_affected_rows($result) > 0) {
 			$this->clearError();
 			return true;
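Review bot: `htmlspecialchars($name)` is still applied on the way into the database, which with a bound parameter no longer serves any SQL-safety purpose; it is HTML output encoding stored as data, so every reader must emit the column unescaped, and non-HTML consumers will see `&amp;`. Existing rows were stored this way, so dropping it here alone would leave the table inconsistent; if it stays, the method deserves a comment making the contract explicit, e.g. `// category_name is stored HTML-escaped; callers must not escape it again on output`. The same applies to the update path later in this file.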
@@ -130,7 +130,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM project_category WHERE category_id='$id'");
+		$res = db_query_params ('SELECT * FROM project_category WHERE category_id=$1',
+					array ($id)) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ProjectCategory: Invalid ProjectCategory ID');
 			return false;
@@ -187,7 +188,11 @@
 			SET category_name='".htmlspecialchars($name)."'
 			WHERE category_id='". $this->getID() ."' 
 			AND group_project_id='".$this->ProjectGroup->getID()."'";
-		$result=db_query($sql);
+		$result = db_query_params ('UPDATE project_category SET category_name=$1
+			WHERE category_id=$2 AND group_project_id=$3',
+					   array (htmlspecialchars($name),
+						  $this->getID(),
+						  $this->ProjectGroup->getID())) ;
 		if ($result && db_affected_rows($result) > 0) {
 			return true;
 		} else {

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroup.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroup.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroup.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2000, Tim Perdue/Sourceforge
  * Copyright 2002, Tim Perdue/GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -38,8 +39,8 @@
 			if ($data) {
 				//the db result handle was passed in
 			} else {
-				$res=db_query("SELECT * FROM project_group_list_vw
-				WHERE group_project_id='$group_project_id'");
+				$res = db_query_params ('SELECT * FROM project_group_list_vw WHERE group_project_id=$1',
+							array ($group_project_id)) ;
 				if (db_numrows($res) <1 ) {
 					$PROJECTGROUP_OBJ["_".$group_project_id."_"]=false;
 					return false;
@@ -150,13 +151,13 @@
 			return false;
 		}
 
-		$sql="INSERT INTO project_group_list (group_id,project_name,is_public,
-			description,send_all_posts_to)
-			VALUES ('".$this->Group->getId()."','". htmlspecialchars($project_name) ."','$is_public',
-			'". htmlspecialchars($description) ."','$send_all_posts_to')";
-
 		db_begin();
-		$result=db_query($sql);
+		$result = db_query_params ('INSERT INTO project_group_list (group_id,project_name,is_public,description,send_all_posts_to) VALUES ($1,$2,$3,$4,$5)',
+					   array ($this->Group->getId(),
+						  htmlspecialchars($project_name),
+						  $is_public,
+						  htmlspecialchars($description),
+						  $send_all_posts_to)) ;
 		if (!$result) {
 			db_rollback();
 			$this->setError('Error Adding ProjectGroup: '.db_error());
@@ -176,9 +177,9 @@
 	 *  @return	boolean	success.
 	 */
 	function fetchData($group_project_id) {
-		$res=db_query("SELECT * FROM project_group_list_vw
-			WHERE group_project_id='$group_project_id'
-			AND group_id='". $this->Group->getID() ."'");
+		$res = db_query_params ('SELECT * FROM project_group_list_vw WHERE group_project_id=$1 AND group_id=$2',
+					array ($group_project_id,
+					       $this->Group->getID())) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ProjectGroup:: Invalid group_project_id');
 			return false;
@@ -267,8 +268,8 @@
 	 */
 	function getStatuses () {
 		if (!$this->statuses) {
-			$sql='SELECT * FROM project_status';
-			$this->statuses=db_query($sql);
+			$this->statuses = db_query_params ('SELECT * FROM project_status',
+							   array());
 		}
 		return $this->statuses;
 	}
@@ -280,10 +281,8 @@
 	 */
 	function getCategories () {
 		if (!$this->categories) {
-			$sql="SELECT category_id,category_name 
-				FROM project_category 
-				WHERE group_project_id='".$this->getID()."'";
-			$this->categories=db_query($sql);
+			$this->categories = db_query_params ('SELECT category_id,category_name FROM project_category WHERE group_project_id=$1',
+							     array ($this->getID()));
 		}
 		return $this->categories;
 	}
@@ -309,15 +308,17 @@
 	 */
 	function getTechnicians () {
 		if (!$this->technicians) {
-			$sql="SELECT users.user_id, users.realname 
+			$sql="";
+			$this->technicians = db_query_params ('SELECT users.user_id, users.realname 
 				FROM users, role_setting, user_group
 				WHERE users.user_id=user_group.user_id
                                 AND role_setting.role_id=user_group.role_id
-                                AND role_setting.ref_id='". $this->getID() ."' 
+                                AND role_setting.ref_id=$1
 				AND role_setting.value::integer IN (1,2) 
-                                AND role_setting.section_name='pm'
-				ORDER BY users.realname";
-			$this->technicians=db_query($sql);
+                                AND role_setting.section_name=$2
+				ORDER BY users.realname',
+							      array ($this->getID(),
+								     'pm')) ;
 		}
 		return $this->technicians;
 	}
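Review bot: The `$sql="";` added at the top of getTechnicians() is a dead assignment left over from the conversion — nothing in the new code reads `$sql`, so the line should simply be dropped. The same leftover appears in ProjectTask::getHistory() (`$sql="";` just before its db_query_params call). Removing both keeps readers from assuming the variable still carries the query text for error reporting.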
@@ -365,13 +366,14 @@
 			return false;
 		}
 
-		$sql="UPDATE project_group_list SET
-			project_name='". htmlspecialchars($project_name) ."',
-			description='". htmlspecialchars($description) ."',
-			send_all_posts_to='$send_all_posts_to'
-			WHERE group_id='".$this->Group->getID()."'
-			AND group_project_id='".$this->getID()."'";
-		$res=db_query($sql);
+		$res = db_query_params ('UPDATE project_group_list SET project_name=$1,
+			description=$2,	send_all_posts_to=$3
+			WHERE group_id=$4 AND group_project_id=$5',
+					array (htmlspecialchars($project_name),
+					       htmlspecialchars($description),
+					       $send_all_posts_to,
+					       $this->Group->getID(),
+					       $this->getID())) ;
 
 		if (!$res || db_affected_rows($res) < 1) {
 			$this->setError('Error On Update: '.db_error().$sql);
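Review bot: The error message still appends `$sql`, but the assignment to `$sql` was removed by this hunk, so on the failure path PHP raises an undefined-variable notice and the message gains nothing; change it to `$this->setError('Error On Update: '.db_error());`. The same stale `$sql` reference survives in ProjectTask::create() ("Posting Failed"), ProjectTask::setDependentOn() ("setDependentOn()-2::") and ProjectTask::update() ("update-5"), where the `$sql` assignments were likewise removed — unless `$sql` is assigned earlier in those functions outside the hunks, those should be trimmed the same way. The body of update() continues past the end of this hunk.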
@@ -399,114 +401,112 @@
 
 		db_begin();
 
-                $sql = "DELETE FROM project_assigned_to
+                $res = db_query_params ('DELETE FROM project_assigned_to
 			WHERE EXISTS (SELECT project_task_id FROM project_task
-			WHERE group_project_id='".$this->getID()."'
-			AND project_task.project_task_id=project_assigned_to.project_task_id)";
-                $res = db_query($sql);
+			WHERE group_project_id=$1
+			AND project_task.project_task_id=project_assigned_to.project_task_id)',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-                $sql = "DELETE FROM project_dependencies
+		$res = db_query_params ('DELETE FROM project_dependencies
 			WHERE EXISTS (SELECT project_task_id FROM project_task
-			WHERE group_project_id='".$this->getID()."'
-			AND project_task.project_task_id=project_dependencies.project_task_id)";
-                $res = db_query($sql);
+			WHERE group_project_id=$1
+			AND project_task.project_task_id=project_dependencies.project_task_id)',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-                $sql = "DELETE FROM project_history
+		$res = db_query_params ('DELETE FROM project_history
 			WHERE EXISTS (SELECT project_task_id FROM project_task
-			WHERE group_project_id='".$this->getID()."'
-			AND project_task.project_task_id=project_history.project_task_id)";
-                $res = db_query($sql);
+			WHERE group_project_id=$1
+			AND project_task.project_task_id=project_history.project_task_id)',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-                $sql = "DELETE FROM project_messages
+                $res = db_query_params ('DELETE FROM project_messages
 			WHERE EXISTS (SELECT project_task_id FROM project_task
-			WHERE group_project_id='".$this->getID()."'
-			AND project_task.project_task_id=project_messages.project_task_id)";
-                $res = db_query($sql);
+			WHERE group_project_id=$1
+			AND project_task.project_task_id=project_messages.project_task_id)',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-                $sql = "DELETE FROM project_task_artifact
+                $res = db_query_params ('DELETE FROM project_task_artifact
 			WHERE EXISTS (SELECT project_task_id FROM project_task
-			WHERE group_project_id='".$this->getID()."'
-			AND project_task.project_task_id=project_task_artifact.project_task_id)";
-                $res = db_query($sql);
+			WHERE group_project_id=$1
+			AND project_task.project_task_id=project_task_artifact.project_task_id)',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-                $sql = "DELETE FROM rep_time_tracking
+                $res = db_query_params ('DELETE FROM rep_time_tracking
 			WHERE EXISTS (SELECT project_task_id FROM project_task
-			WHERE group_project_id='".$this->getID()."'
-			AND project_task.project_task_id=rep_time_tracking.project_task_id)";
-                $res = db_query($sql);
+			WHERE group_project_id=$1
+			AND project_task.project_task_id=rep_time_tracking.project_task_id)',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-                $sql = "DELETE FROM project_task
-			WHERE group_project_id='".$this->getID()."'";
-                $res = db_query($sql);
+                $res = db_query_params ('DELETE FROM project_task
+			WHERE group_project_id=$1',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-		$sql = "DELETE FROM project_category WHERE group_project_id='".$this->getID()."'";
-		$res = db_query($sql);
+		$res = db_query_params ('DELETE FROM project_category WHERE group_project_id=$1',
+					array ($this->getID())) ;
 
 		if (!$res)
 		{
-			$this->setError('DATABASE '.db_error().' QUERY='.$sql);
+			$this->setError('DATABASE '.db_error());
 			return false;
 		}
 
-                $sql = "DELETE FROM project_group_list
-			WHERE group_project_id='".$this->getID()."'";
-                $res = db_query($sql);
+		$res = db_query_params ('DELETE FROM project_group_list WHERE group_project_id=$1',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
-                $sql = "DELETE FROM project_counts_agg
-			WHERE group_project_id='".$this->getID()."'";
-                $res = db_query($sql);
+		$res = db_query_params ('DELETE FROM project_counts_agg WHERE group_project_id=$1',
+					array ($this->getID())) ;
 
                 if (!$res)
                 {
-                        $this->setError('DATABASE '.db_error().' QUERY='.$sql);
+                        $this->setError('DATABASE '.db_error());
                         return false;
                 }
 
@@ -593,13 +593,16 @@
 			return -1;
 		} else {
 			if (!isset($this->current_user_perm)) {
-				$sql="SELECT role_setting.value::integer
+				$res = db_query_params ('SELECT role_setting.value::integer
 				FROM role_setting, user_group
-				WHERE role_setting.ref_id='". $this->getID() ."'
+				WHERE role_setting.ref_id=$1
 				AND user_group.role_id = role_setting.role_id
-                                AND user_group.user_id='".user_getid()."'
-                                AND role_setting.section_name='pm'";
-				$this->current_user_perm=db_result(db_query($sql),0,0);
+                                AND user_group.user_id=$2
+                                AND role_setting.section_name=$3',
+							array ($this->getID(),
+							       user_getid(),
+							       'pm')) ;
+				$this->current_user_perm=db_result($res,0,0);
 			}
 			return $this->current_user_perm;
 		}

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroupFactory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroupFactory.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectGroupFactory.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2000, Tim Perdue/Sourceforge
  * Copyright 2002, Tim Perdue/GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -84,36 +85,32 @@
 		if (session_loggedin()) {
 			$perm =& $this->Group->getPermission( session_get_user() );
 			if (!$perm || !is_object($perm) || !$perm->isMember()) {
-				$public_flag='=1';
-				$exists = '';
+				$result = db_query_params ('SELECT * FROM project_group_list_vw WHERE group_id=$1 AND is_public=1 ORDER BY group_project_id',
+							   array ($this->Group->getID())) ;
 			} else {
-				$public_flag='<3';
 				if ($perm->isPMAdmin()) {
-					$exists='';
+					$result = db_query_params ('SELECT * FROM project_group_list_vw WHERE group_id=$1 AND is_public<3 ORDER BY group_project_id',
+								   array ($this->Group->getID())) ;
 				} else {
-					$exists=" AND group_project_id IN (SELECT role_setting.ref_id
-					FROM role_setting, user_group
-					WHERE role_setting.value::integer >= 0
-                                          AND role_setting.section_name = 'pm'
-                                          AND role_setting.ref_id=project_group_list_vw.group_project_id
-                                          
-   					  AND user_group.role_id = role_setting.role_id
-					  AND user_group.user_id='".user_getid()."') ";
+					$result = db_query_params ('SELECT * FROM project_group_list_vw
+	WHERE group_id=$1 AND is_public<3
+	  AND group_project_id IN (SELECT role_setting.ref_id
+			           FROM role_setting, user_group
+				   WHERE role_setting.value::integer >= 0
+                                     AND role_setting.section_name = $2
+                                     AND role_setting.ref_id=project_group_list_vw.group_project_id
+				     AND user_group.role_id = role_setting.role_id
+				     AND user_group.user_id=$3
+        ORDER BY group_project_id',
+								   array ($this->Group->getID(),
+									  'pm',
+									  user_getid())) ;
 				}
 			}
 		} else {
-			$public_flag='=1';
-			$exists = '';
+				$result = db_query_params ('SELECT * FROM project_group_list_vw WHERE group_id=$1 AND is_public=1 ORDER BY group_project_id',
+							   array ($this->Group->getID())) ;
 		}
-
-		$sql="SELECT *
-			FROM project_group_list_vw
-			WHERE group_id='". $this->Group->getID() ."' 
-			AND is_public $public_flag $exists
-			ORDER BY group_project_id;";
-
-		$result = db_query ($sql);
-
 		$rows = db_numrows($result);
 
 		if (!$result || $rows < 1) {
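Review bot: The member/non-admin query is missing the closing parenthesis of the `IN (SELECT ...` subquery — the old string ended with `user_id='...')` but the new text runs `AND user_group.user_id=$3` straight into `ORDER BY group_project_id`, so the statement cannot parse and `$result` is false for every ordinary project member. The line should read `AND user_group.user_id=$3)`. Separately, the anonymous and non-member branches now issue byte-identical queries; computing one `$result` for both (and fixing the extra indentation on the `else` branch lines) would make the three cases easier to compare. The surrounding function starts before this hunk.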

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTask.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTask.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTask.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2000, Tim Perdue/Sourceforge
  * Copyright 2002, Tim Perdue/GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -32,8 +33,8 @@
 			if ($data) {
 				//the db result handle was passed in
 			} else {
-				$res=db_query("SELECT * FROM project_task_vw
-					WHERE project_task_id='$project_task_id'");
+				$res = db_query_params ('SELECT * FROM project_task_vw WHERE project_task_id=$1',
+							array ($project_task_id)) ;
 
 				if (db_numrows($res) <1 ) {
 					$PROJECTTASK_OBJ["_".$project_task_id."_"]=false;
@@ -193,7 +194,8 @@
 			$this->data_array['project_task_id']=$project_task_id;
 
 		} else {
-			$res=db_query("SELECT nextval('project_task_pk_seq') AS id");
+			$res = db_query_params ('SELECT nextval($1) AS id', 
+						aarray ('project_task_pk_seq'));
 			if (!$project_task_id=db_result($res,0,'id')) {
 				$this->setError( 'Could Not Get Next Project Task ID' );
 				db_rollback();
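Review bot: `aarray ('project_task_pk_seq')` is a typo for `array (...)`; as written it is a call to an undefined function and every task creation will fail with a fatal error before the INSERT is reached. Change the line to `array ('project_task_pk_seq'));`. The enclosing create() continues beyond this hunk.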
@@ -202,12 +204,22 @@
 
 			$this->data_array['project_task_id']=$project_task_id;
 
-			$sql="INSERT INTO project_task (project_task_id,group_project_id,created_by,summary,
-					details,start_date,end_date,status_id,category_id,priority,percent_complete,hours,duration,parent_id) 
-					VALUES ('$project_task_id','". $this->ProjectGroup->getID() ."', '".user_getid()."', '". htmlspecialchars($summary) ."',
-					'". htmlspecialchars($details) ."','$start_date','$end_date','1','$category_id','$priority','$percent_complete','$hours','$duration','$parent_id')";
+			$result = db_query_params ('INSERT INTO project_task (project_task_id,group_project_id,created_by,summary,details,start_date,end_date,status_id,category_id,priority,percent_complete,hours,duration,parent_id) VALUES ($1,$2,$3,$4,$5,$6,$7,8,$9,$10,$11,$12,$13,$14)',
+						   array ($project_task_id,
+							  $this->ProjectGroup->getID(),
+							  user_getid(),
+							  htmlspecialchars($summary),
+							  htmlspecialchars($details),
+							  $start_date,
+							  $end_date,
+							  1,
+							  $category_id,
+							  $priority,
+							  $percent_complete,
+							  $hours,
+							  $duration,
+							  $parent_id)) ;
 
-			$result=db_query($sql);
 			if (!$result || db_affected_rows($result) < 1) {
 				$this->setError('ProjectTask::create() Posting Failed '.db_error().$sql);
 				db_rollback();
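Review bot: In the INSERT's VALUES list the eighth placeholder is written as the literal `8` instead of `$8`, so status_id is stored as 8 rather than the bound value `1` that replaced the old hard-coded `'1'`, and the eighth array element is never referenced by the statement (PostgreSQL is likely to reject the unreferenced parameter outright). Fix the placeholder run to `... VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14)`. create() continues outside this hunk.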
@@ -239,9 +251,11 @@
 	 *  @return	boolean	success.
 	 */
 	function fetchData($project_task_id) {
-		$res=db_query("SELECT * FROM project_task_vw
-			WHERE project_task_id='$project_task_id'
-			AND group_project_id='". $this->ProjectGroup->getID() ."'");
+		$res = db_query_params ('SELECT * FROM project_task_vw
+			WHERE project_task_id=$1
+			AND group_project_id=$2',
+					array ($project_task_id,
+					       $this->ProjectGroup->getID())) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ProjectTask::fetchData() Invalid Task ID'.db_error());
 			return false;
@@ -418,11 +432,14 @@
 	 *	an id, for example an ID generated by MS Project, which needs to be restored later
 	 */
 	function setExternalID($id) {
-		$res=db_query("UPDATE project_task_external_order SET external_id='$id' 
-			WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('UPDATE project_task_external_order SET external_id=$1
+			WHERE project_task_id=$2',
+					array ($id,
+					       $this->getID())) ;
 		if (db_affected_rows($res) < 1) {
-			$res=db_query("INSERT INTO project_task_external_order (project_task_id,external_id) 
-				VALUES ('".$this->getID()."','$id')");
+			$res = db_query_params ('INSERT INTO project_task_external_order (project_task_id,external_id) VALUES ($1, $2)', 
+						array ($this->getID(),
+						       $id)) ;
 		}
 	}
 
@@ -443,12 +460,13 @@
 	function getRelatedArtifacts() {
 		if (!$this->relatedartifacts) {
 			$this->relatedartifacts=
-			db_query("SELECT agl.group_id,agl.name,agl.group_artifact_id,a.artifact_id,a.open_date,a.summary 
+				db_query_params ('SELECT agl.group_id,agl.name,agl.group_artifact_id,a.artifact_id,a.open_date,a.summary 
 			FROM artifact_group_list agl, artifact a 
 			WHERE a.group_artifact_id=agl.group_artifact_id
 			AND EXISTS (SELECT artifact_id FROM project_task_artifact 
 				WHERE artifact_id=a.artifact_id
-				AND project_task_id='". $this->getID() ."')");
+				AND project_task_id=$1',
+						 array ($this->getID())) ;
 		}
 		return $this->relatedartifacts;
 	}
@@ -473,8 +491,9 @@
 			if ($art_array[$i] < 1) {
 				continue;
 			}
-			$res=db_query("INSERT INTO project_task_artifact (project_task_id,artifact_id) 
-				VALUES ('".$this->getID()."','".$art_array[$i]."')");
+			$res = db_query_params ('INSERT INTO project_task_artifact (project_task_id,artifact_id) VALUES ($1,$2)', 
+						array ($this->getID(),
+						       $art_array[$i])) ;
 			if (!$res) {
 				$this->setError('Error inserting artifact relationship: '.db_error());
 				return false;
@@ -496,9 +515,11 @@
 		}
 
 		for ($i=0; $i<count($art_array); $i++) {
-			$res=db_query("DELETE FROM project_task_artifact
-				WHERE project_task_id='".$this->getID()."'
-				AND artifact_id='".$art_array[$i]."'");
+			$res = db_query_params ('DELETE FROM project_task_artifact
+				WHERE project_task_id=$1
+				AND artifact_id=$2',
+						array ($this->getID(),
+						       $art_array[$i])) ;
 			if (!$res) {
 				$this->setError('Error deleting artifact relationship: '.db_error());
 				return false;
@@ -524,43 +545,50 @@
 		}
 		db_begin();
 
-		$res = db_query("DELETE FROM project_assigned_to WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM project_assigned_to WHERE project_task_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting assigned users relationship: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM project_dependencies WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM project_dependencies WHERE project_task_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting dependencies: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM project_history WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM project_history WHERE project_task_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting history: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM project_messages WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM project_messages WHERE project_task_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting messages: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM project_task_artifact	WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM project_task_artifact WHERE project_task_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting artifacts: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM rep_time_tracking	WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM rep_time_trackingWHERE project_task_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting time tracking report: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM project_task WHERE project_task_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM project_task WHERE project_task_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting task: '.db_error());
 			db_rollback();
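Review bot: The rep_time_tracking statement lost the whitespace before its WHERE clause — `'DELETE FROM rep_time_trackingWHERE project_task_id=$1'` — so the query fails to parse, delete() sets "Error deleting time tracking report" and rolls back, and no task can be deleted. Change it to `'DELETE FROM rep_time_tracking WHERE project_task_id=$1'`. The enclosing delete() continues past the end of the hunk.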
@@ -582,15 +610,21 @@
 		//	May not yet have an ID, if we are creating a NEW task
 		//
 		if ($this->getID()) {
-			$addstr=" AND project_task_id <> '". $this->getID() ."' ";
+			return db_query_params ('SELECT project_task_id,summary 
+		FROM project_task 
+		WHERE group_project_id=$1
+		AND project_task_id <> $2
+                ORDER BY project_task_id DESC',
+						array ($this->ProjectGroup->getID(),
+						       $this->getID())) ;
 		} else {
-			$addstr='';
+			return db_query_params ('SELECT project_task_id,summary 
+		FROM project_task 
+		WHERE group_project_id=$1
+		ORDER BY project_task_id DESC',
+						array ($this->ProjectGroup->getID(),
+						       $this->getID())) ;
 		}
-		$sql="SELECT project_task_id,summary 
-		FROM project_task 
-		WHERE group_project_id='". $this->ProjectGroup->getID() ."' 
-		$addstr ORDER BY project_task_id DESC";
-		return db_query($sql);
 	}
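Review bot: The `else` branch passes two values, `$this->ProjectGroup->getID()` and `$this->getID()`, but its statement only references `$1`; the branch is entered precisely when `$this->getID()` is falsy, so the second value is meaningless and an unreferenced parameter is likely to be rejected by the driver. Reduce the array to `array ($this->ProjectGroup->getID())) ;`. The function's signature and docblock lie above this hunk.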
 
 	/**
@@ -599,11 +633,12 @@
 	 *  @return database result set.
 	 */
 	function getHistory() {
-		$sql="SELECT * 
+		$sql="";
+		return db_query_params ('SELECT * 
 		FROM project_history_user_vw 
-		WHERE project_task_id='". $this->getID() ."' 
-		ORDER BY mod_date DESC";
-		return db_query($sql);
+		WHERE project_task_id=$1
+		ORDER BY mod_date DESC',
+					array ($this->getID())) ;
 	}
 
 	/**
@@ -612,10 +647,11 @@
 	 *  @return database result set.
 	 */
 	function getMessages() {
-		$sql="select * 
-			FROM project_message_user_vw 
-			WHERE project_task_id='". $this->getID() ."' ORDER BY postdate DESC";
-		return db_query($sql);
+		return db_query_params ('SELECT * 
+		FROM project_message_user_vw 
+		WHERE project_task_id=$1
+		ORDER BY postdate DESC',
+					array ($this->getID())) ;
 	}
 
 	/**
@@ -629,13 +665,17 @@
 		if ($this->getDetails() == htmlspecialchars($message)) {
 			return true;
 		}
-		$res=db_query("SELECT * FROM project_messages 
-			WHERE project_task_id='".$this->getID()."'
-			AND body='". htmlspecialchars($message) ."'");
+		$res = db_query_params ('SELECT * FROM project_messages 
+			WHERE project_task_id=$1
+			AND body=$2',
+					array ($this->getID(),
+					       htmlspecialchars($message))) ;
 		if (!$res || db_numrows($res) < 1) {
-			$sql="INSERT INTO project_messages (project_task_id,body,posted_by,postdate) 
-				VALUES ('". $this->getID() ."','". htmlspecialchars($message) ."','".user_getid()."','". time() ."')";
-			$res=db_query($sql);
+			$res = db_query_params ('INSERT INTO project_messages (project_task_id,body,posted_by,postdate) VALUES ($1,$2,$3,$4)',
+						array ($this->getID(),
+						       htmlspecialchars($message),
+						       user_getid(),
+						       time())) ;
 			if (!$res || db_affected_rows($res) < 1) {
 				$this->setError('AddMessage():: '.db_error());
 				return false;
@@ -657,7 +697,12 @@
 	function addHistory ($field_name,$old_value) {
 		$sql="insert into project_history(project_task_id,field_name,old_value,mod_by,mod_date) 
 			VALUES ('". $this->getID() ."','$field_name','$old_value','".user_getid()."','".time()."')";
-		$result=db_query($sql);
+		$result = db_query_params ('INSERT INTO project_history (project_task_id,field_name,old_value,mod_by,mod_date) VALUES ($1,$2,$3,$4,$5)',
+					   array ($this->getID(),
+						  $field_name,
+						  $old_value,
+						  user_getid(),
+						  time())) ;
 		if (!$result) {
 			$this->setError('ERROR IN AUDIT TRAIL - '.db_error());
 			return false;
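Review bot: The two context lines at the top of addHistory() still build the old `$sql` string by interpolating `$field_name` and `$old_value` directly into an INSERT; it is no longer executed, but it remains as dead code that a later edit could easily revive as an unparameterised query. Drop the `$sql=...` assignment so the db_query_params call is the only statement construction in the function. The rest of addHistory() is outside this hunk.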
@@ -682,9 +727,10 @@
 	 		return false;
 		}
 
-		$res=db_query("SELECT is_dependent_on_task_id AS id 
+		$res = db_query_params ('SELECT is_dependent_on_task_id AS id 
 			FROM project_dependencies 
-			WHERE project_task_id='$depend_on_id'");
+			WHERE project_task_id=$1',
+					array ($depend_on_id)) ;
 		$rows=db_numrows($res);
 
 		for ($i=0; $i<$rows; $i++) {
@@ -719,9 +765,11 @@
 			$del_arr = array_values (array_diff ($arr2, $arr));
 //echo "del arr: ".print_r($del_arr);
 			for ($i=0; $i<count($del_arr); $i++) {
-				db_query("DELETE FROM project_dependencies 
-					WHERE project_task_id='".$this->getID()."'
-					AND is_dependent_on_task_id='". $del_arr[$i] ."'");
+				db_query_params ('DELETE FROM project_dependencies 
+					WHERE project_task_id=$1
+					AND is_dependent_on_task_id=$2',
+						 array ($this->getID(),
+							$del_arr[$i])) ;
 				if (db_error()) {
 					$this->setError('setDependentOn()-1:: '.db_error());
 					return false;
@@ -738,9 +786,10 @@
 				if (!$lnk) {
 					$lnk=PM_LINK_DEFAULT;
 				}
-				$sql="INSERT INTO project_dependencies (project_task_id,is_dependent_on_task_id,link_type) 
-					VALUES ('".$this->getID()."','". $add_arr[$i] ."','$lnk')";
-				db_query($sql);
+				db_query_params ('INSERT INTO project_dependencies (project_task_id,is_dependent_on_task_id,link_type) VALUES ($1,$2,$3)',
+						 array ($this->getID(),
+							$add_arr[$i],
+							$lnk)) ;
 				if (db_error()) {
 					$this->setError('setDependentOn()-2:: '.db_error().$sql);
 					return false;
@@ -786,9 +835,10 @@
 			return $this->dependon;
 		}
 		if (!$this->dependon) {
-			$res=db_query("SELECT is_dependent_on_task_id,link_type
+			$res = db_query_params ('SELECT is_dependent_on_task_id,link_type
 				FROM project_dependencies
-				WHERE project_task_id='".$this->getID()."'");
+				WHERE project_task_id=$1',
+						array ($this->getID())) ;
 			for ($i=0; $i<db_numrows($res); $i++) {
 				$this->dependon[db_result($res,$i,'is_dependent_on_task_id')] = db_result($res,$i,'link_type');
 			}
@@ -818,17 +868,20 @@
 			$add_arr = array_values(array_diff ($arr, $arr2));
 			$del_arr = array_values(array_diff ($arr2, $arr));
 			for ($i=0; $i<count($del_arr); $i++) {
-				db_query("DELETE FROM project_assigned_to
-					WHERE project_task_id='".$this->getID()."'
-					AND assigned_to_id='". $del_arr[$i] ."'");
+				db_query_params ('DELETE FROM project_assigned_to
+					WHERE project_task_id=$1
+					AND assigned_to_id=$2',
+						 array ($this->getID(),
+							$del_arr[$i])) ;
 				if (db_error()) {
 					$this->setError('setAssignedTo()-1:: '.db_error());
 					return false;
 				}
 			}
 			for ($i=0; $i<count($add_arr); $i++) {
-				db_query("INSERT INTO project_assigned_to (project_task_id,assigned_to_id) 
-					VALUES ('".$this->getID()."','". $add_arr[$i] ."')");
+				db_query_params ('INSERT INTO project_assigned_to (project_task_id,assigned_to_id) VALUES ($1,$2)',
+						 array ($this->getID(),
+							$add_arr[$i])) ;
 				if (db_error()) {
 					$this->setError('setAssignedTo()-2:: '.db_error());
 					return false;
@@ -851,9 +904,8 @@
 			return $this->assignedto;
 		}
 		if (!$this->assignedto) {
-			$this->assignedto =& util_result_column_to_array(db_query("SELECT assigned_to_id 
-				FROM project_assigned_to 
-				WHERE project_task_id='".$this->getID()."'"));
+			$this->assignedto =& util_result_column_to_array(db_query_params('SELECT assigned_to_id FROM project_assigned_to WHERE project_task_id=$1',
+											 array ($this->getID()))) ;
 		}
 		return $this->assignedto;
 	}
@@ -1025,22 +1077,33 @@
 			db_rollback();
 			return false;
 		} else {
-			$sql="UPDATE project_task SET
-				summary='".htmlspecialchars($summary)."',
-				priority='$priority',
-				hours='$hours',
-				start_date='$start_date',
-				end_date='$end_date',
-				status_id='$status_id',
-				percent_complete='$percent_complete',
-				category_id='$category_id',
-				group_project_id='$new_group_project_id',
-				duration='$duration',
-				parent_id='$parent_id'
-				WHERE group_project_id='$group_project_id'
-				AND project_task_id='".$this->getID()."'";
-
-			$res=db_query($sql);
+			$res = db_query_params ('UPDATE project_task SET
+				summary=$1,
+				priority=$2,
+				hours=$3,
+				start_date=$4,
+				end_date=$5,
+				status_id=$6,
+				percent_complete=$7,
+				category_id=$8,
+				group_project_id=$9,
+				duration=$10,
+				parent_id=$11
+				WHERE group_project_id=$12
+				AND project_task_id=$13',
+						array (htmlspecialchars($summary),
+						       $priority,
+						       $hours,
+						       $start_date,
+						       $end_date,
+						       $status_id,
+						       $percent_complete,
+						       $category_id,
+						       $new_group_project_id,
+						       $duration,
+						       $parent_id,
+						       $group_project_id,
+						       $this->getID())) ;
 			if (!$res) {
 				$this->setError('Error On ProjectTask::update-5: '.db_error().$sql);
 				db_rollback();

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTaskFactory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTaskFactory.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTaskFactory.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2000, Tim Perdue/Sourceforge
  * Copyright 2002, Tim Perdue/GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -145,7 +146,7 @@
 		}
 		$this->max_rows=$max_rows;
 	}
-
+	
 	/**
 	 *	getTasks - get an array of ProjectTask objects.
 	 *
@@ -156,62 +157,35 @@
 			return $this->project_tasks;
 		}
 
-		//if status selected, and more to where clause
-		if ($this->status && ($this->status != 100)) {
-			//for open tasks, add status=100 to make sure we show all
-			$status_str="AND project_task_vw.status_id IN (".$this->status.(($this->status==1)?',100':'').")";
+		if ($this->order=='priority') {
+			$order = 'ORDER BY priority DESC' ;
 		} else {
-			//no status was chosen, so don't add it to where clause
-			$status_str='';
+			$order = "ORDER BY $this->order ASC" ;
 		}
 
-		//if assigned to selected, and more to where clause
 		if ($this->assigned_to) {
-			if (is_array ($this->assigned_to)) {
-				$assigned_str="AND project_assigned_to.assigned_to_id IN (".join ($this->assigned_to,', ').")";
-			} else {
-				$assigned_str="AND project_assigned_to.assigned_to_id='".$this->assigned_to."'";
-			}
-			$assigned_str2=',project_assigned_to';
-			$assigned_str3='project_task_vw.project_task_id=project_assigned_to.project_task_id AND';
-
+			$tat = $this->assigned_to ;
+			if (! is_array ($tat)) 
+				$tat = array ($tat) ;
+			
+			$result = db_query_params ('SELECT project_task_vw.*, project_task_external_order.external_id
+			FROM project_task_vw natural left join project_task_external_order, project_assigned_to
+			WHERE project_task_vw.project_task_id=project_assigned_to.project_task_id 
+                          AND project_task_vw.group_project_id = $1
+                          AND project_assigned_to.assigned_to_id = ANY ($2)' . $order,
+						   array ($this->ProjectGroup->getID(),
+							  db_int_array_to_any_clause ($tat)),
+						   $this->max_rows,
+						   $this->offset) ;
 		} else {
-			//no assigned to was chosen, so don't add it to where clause
-			$assigned_str='';
-			$assigned_str2='';
-			$assigned_str3='';
+			$result = db_query_params ('SELECT project_task_vw.*, project_task_external_order.external_id
+			FROM project_task_vw natural left join project_task_external_order
+			WHERE project_task_vw.group_project_id = $1' . $order,
+						   array ($this->ProjectGroup->getID()),
+						   $this->max_rows,
+						   $this->offset) ;
 		}
 
-		if ($this->category) {
-			$cat_str="AND project_task_vw.category_id='".$this->category."'";
-		} else {
-			$cat_str='';
-		}
-
-		//
-		//	sort using an external ID useful only to something like MS Project
-		//
-		if ($this->order=='external_id') {
-			$ext_str='natural left join project_task_external_order';
-			$ext_fld_str=',project_task_external_order.external_id';
-		} else {
-			$ext_str='';
-			$ext_fld_str='';
-		}
-
-/*
-select project_task_vw.*,project_assigned_to.* FROM project_task_vw,project_assigned_to 
-WHERE project_assigned_to.project_task_id=project_task_vw.project_task_id;
-*/
-		$sql="SELECT project_task_vw.* $ext_fld_str
-			FROM project_task_vw $ext_str $assigned_str2 
-			WHERE $assigned_str3 project_task_vw.group_project_id='". $this->ProjectGroup->getID() ."' 
-			$assigned_str $status_str $cat_str 
-			ORDER BY ".$this->order.(($this->order=='priority') ? ' DESC ':' ');
-
-//echo $sql;
-	
-		$result=db_query($sql,($this->max_rows),$this->offset);
 		$rows = db_numrows($result);
 		$this->fetched_rows=$rows;
 		if (db_error()) {
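Review bot: The new `$order` string is built as `"ORDER BY $this->order ASC"` and concatenated onto the parameterised query, so the ordering column bypasses the binding that this commit introduces everywhere else. Column names cannot be bound, which is fine, but if `$this->order` can originate from request input (its setup() is outside this hunk, so I cannot tell), it should be checked against the fixed set of sortable column names before being interpolated, and anything else should fall back to a default such as `project_task_id`. A short comment at the `$order` assignment stating that the value is trusted/validated would also help the next reader. getTasks() begins before this hunk.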
@@ -221,6 +195,21 @@
 
 		$this->project_tasks = array();
 		while ($arr =& db_fetch_array($result)) {
+			if ($this->status && ($this->status != 100)) {
+				if ($this->status == 1) {
+					if ($arr['status_id'] != 1 && $arr['status_id'] != 100)
+						continue ;
+				} else {
+					if ($arr['status_id'] != $this->status)
+						continue ;
+				}
+			}
+
+			if ($this->category) {
+				if ($arr['category_id'] != $this->category_id)
+					continue ;
+			}
+					
 			$this->project_tasks[] = new ProjectTask($this->ProjectGroup, $arr['project_task_id'], $arr);
 		}
 		return $this->project_tasks;
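Review bot: The new in-loop category filter compares against `$this->category_id`, while the guard just above it (and the removed SQL fragment) use `$this->category`; if no `category_id` property exists the comparison is against null and every row is skipped whenever a category is selected. The line should read `if ($arr['category_id'] != $this->category)`. Moving the status and category predicates out of SQL also means `max_rows`/`offset` are now applied before filtering and `$this->fetched_rows` (set from `db_numrows` just above this hunk) counts unfiltered rows, so page sizes and counts become inconsistent for filtered lists; keeping those predicates in the query as additional bound parameters would avoid that. The trailing whitespace on the blank line before the `new ProjectTask` call should be dropped.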

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTasksForUser.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTasksForUser.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/ProjectTasksForUser.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2000, Tim Perdue/Sourceforge
  * Copyright 2002, Tim Perdue/GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -54,9 +55,9 @@
 	* @param the SQL query to use to fetch the tasks
 	*	@return	an array of ProjectTask objects
 	*/
-	function &getTasksFromSQL ($sql) {
+	function &getTasksFromSQLwithParams ($sql, $params) {
 		$tasks = array();
-		$result=db_query($sql);
+		$result = db_query_params ($sql, $params);
 		$rows=db_numrows($result);
 		for ($i=0; $i < $rows; $i++) {
 			$project_task_id = db_result($result,$i,'project_task_id');
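Review bot: The docblock above `getTasksFromSQLwithParams` still documents only the SQL argument; the new `$params` parameter is undocumented. Add `* @param $params array of values bound to the $1, $2, ... placeholders in $sql` beneath the existing `@param` line. Since the method now takes a parameterized query, the docblock should also state that `$sql` must be a literal containing only placeholders and never interpolated values, so future callers do not reintroduce string-built queries. The method body continues past the hunk.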
@@ -73,7 +74,7 @@
 	* @return an array of ProjectTask objects
 	*/
 	function &getTasksByGroupProjectName () {
-		$sql = "SELECT ptv.*,g.group_name,pgl.project_name 
+		return $this->getTasksFromSQLwithParams ('SELECT ptv.*,g.group_name,pgl.project_name 
 			FROM project_task_vw ptv,
 				project_assigned_to pat,
 				groups g,
@@ -82,16 +83,16 @@
 				AND pgl.group_id=g.group_id
 				AND pgl.group_project_id=ptv.group_project_id
 				AND ptv.status_id=1
-				AND pat.assigned_to_id='".$this->User->getID()."'
-			ORDER BY group_name,project_name";
-		return $this->getTasksFromSQL($sql);
+				AND pat.assigned_to_id=$1
+			ORDER BY group_name,project_name',
+							 array ($this->User->getID())) ;
 	}
 	
 	function &getTasksForToday() {
 		$now = getdate();
 		$today = mktime (18, 00, 00, $now['mon'], $now['mday'], $now['year']);
 		
-		$sql = "SELECT ptv.*,g.group_name,pgl.project_name 
+		return $this->getTasksFromSQLwithParams ('SELECT ptv.*,g.group_name,pgl.project_name 
 			FROM project_task_vw ptv,
 				project_assigned_to pat,
 				groups g,
@@ -99,11 +100,12 @@
 			WHERE ptv.project_task_id=pat.project_task_id
 				AND pgl.group_id=g.group_id
 				AND pgl.group_project_id=ptv.group_project_id
-				AND ptv.start_date < '$today'
+				AND ptv.start_date < $1
 				AND ptv.status_id=1
-				AND pat.assigned_to_id='".$this->User->getID()."'
-			ORDER BY group_name,project_name";
-		return $this->getTasksFromSQL($sql);
+				AND pat.assigned_to_id=$2
+			ORDER BY group_name,project_name',
+							 array ($today,
+								$this->User->getID())) ;
 	}
 }
 

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/Validator.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/Validator.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/pm/Validator.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2000, Tim Perdue/Sourceforge
  * Copyright 2002, Tim Perdue/GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifact.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifact.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifact.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2002-2004, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -44,7 +45,8 @@
 			if ($data) {
 				//the db result handle was passed in
 			} else {
-				$res=db_query("SELECT * FROM artifact_vw WHERE artifact_id='$artifact_id'");
+				$res = db_query_params ('SELECT * FROM artifact_vw WHERE artifact_id=$1',
+							array ($artifact_id)) ;
 				if (db_numrows($res) <1 ) {
 					$ARTIFACT_OBJ["_".$artifact_id."_"]=false;
 					return false;
@@ -226,13 +228,18 @@
 
 		db_begin();
 
-		$sql="INSERT INTO artifact 
+		$res = db_query_params ('INSERT INTO artifact 
 			(group_artifact_id,status_id,priority,
 			submitted_by,assigned_to,open_date,summary,details) 
-			VALUES 
-			('".$this->ArtifactType->getID()."','$status_id','$priority',
-			'$user','$assigned_to','". time() ."','". htmlspecialchars($summary)."','". htmlspecialchars($details)."')";
-		$res=db_query($sql);
+			VALUES ($1,$2,$3,$4,$5,$6,$7,$8)',
+					array ($this->ArtifactType->getID(),
+					       $status_id,
+					       $priority,
+					       $user,
+					       $assigned_to,
+					       time(),
+					       htmlspecialchars($summary),
+					       htmlspecialchars($details))) ;
 		if (!$res) {
 			$this->setError('Artifact: '.db_error());
 			db_rollback();
@@ -278,8 +285,9 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($artifact_id) {
-		$res=db_query("SELECT * FROM artifact_vw 
-			WHERE artifact_id='$artifact_id' AND group_artifact_id='".$this->ArtifactType->getID()."'");
+		$res = db_query_params ('SELECT * FROM artifact_vw WHERE artifact_id=$1 AND group_artifact_id=$2',
+					array ($artifact_id,
+					       $this->ArtifactType->getID())) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('Artifact: Invalid ArtifactID');
 			return false;
@@ -467,37 +475,43 @@
 			return false;
 		}
 		db_begin();
-		$res = db_query("DELETE FROM artifact_extra_field_data WHERE artifact_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM artifact_extra_field_data WHERE artifact_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting extra field data: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM artifact_file WHERE artifact_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM artifact_file WHERE artifact_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting file from db: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM artifact_message WHERE artifact_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM artifact_message WHERE artifact_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting message: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM artifact_history WHERE artifact_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM artifact_history WHERE artifact_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting history: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM artifact_monitor WHERE artifact_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM artifact_monitor WHERE artifact_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting monitor: '.db_error());
 			db_rollback();
 			return false;
 		}
-		$res = db_query("DELETE FROM artifact WHERE artifact_id='".$this->getID()."'");
+		$res = db_query_params ('DELETE FROM artifact WHERE artifact_id=$1',
+					array ($this->getID())) ;
 		if (!$res) {
 			$this->setError('Error deleting artifact: '.db_error());
 			db_rollback();
@@ -505,16 +519,18 @@
 		}
 		
 		if ($this->getStatusID() == 1) {
-			$res = db_query("UPDATE artifact_counts_agg SET count=count-1,open_count=open_count-1
-				WHERE group_artifact_id='".$this->getID()."'");
+			$res = db_query_params ('UPDATE artifact_counts_agg SET count=count-1,open_count=open_count-1
+				WHERE group_artifact_id=$1',
+						array ($this->getID())) ;
 			if (!$res) {
 				$this->setError('Error updating artifact_counts_agg (1): '.db_error());
 				db_rollback();
 				return false;
 			}
 		} elseif ($this->getStatusID() == 2) {
-			$res = db_query("UPDATE artifact_counts_agg SET count=count-1
-				WHERE group_artifact_id='".$this->getID()."'");
+			$res = db_query_params ('UPDATE artifact_counts_agg SET count=count-1
+				WHERE group_artifact_id=$1',
+						array ($this->getID())) ;
 			if (!$res) {
 				$this->setError('Error updating artifact_counts_agg (2): '.db_error());
 				db_rollback();
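Review bot: Both `artifact_counts_agg` updates filter on `group_artifact_id=$1` but bind `$this->getID()`, which elsewhere in this file is the artifact id (in `fetchData` above, `group_artifact_id` is bound to `$this->ArtifactType->getID()`). This appears to be pre-existing, but the rewrite is the moment to fix it: bind `array ($this->ArtifactType->getID())` in both statements, or add a comment explaining why the artifact id is intended here. The enclosing delete method starts outside this hunk.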
@@ -549,14 +565,15 @@
 
 		}
 
-		$res=db_query("SELECT * FROM artifact_monitor 
-			WHERE artifact_id='". $this->getID() ."' 
-			AND user_id='$user_id'");
+		$res = db_query_params ('SELECT * FROM artifact_monitor WHERE artifact_id=$1 AND user_id=$2',
+					array ($this->getID(),
+					       $user_id)) ;
 
 		if (!$res || db_numrows($res) < 1) {
 			//not yet monitoring
-			$res=db_query("INSERT INTO artifact_monitor (artifact_id,user_id) 
-				VALUES ('". $this->getID() ."','$user_id')");
+			$res = db_query_params ('INSERT INTO artifact_monitor (artifact_id,user_id) VALUES ($1,$2)',
+						array ($this->getID(),
+						       $user_id)) ;
 			if (!$res) {
 				$this->setError(db_error());
 				return false;
@@ -566,9 +583,11 @@
 			}
 		} else {
 			//already monitoring - remove their monitor
-			db_query("DELETE FROM artifact_monitor 
-				WHERE artifact_id='". $this->getID() ."' 
-				AND user_id='$user_id'");
+			db_query_params ('DELETE FROM artifact_monitor 
+				WHERE artifact_id=$1
+				AND user_id=$2',
+					 array ($this->getID(),
+						$user_id)) ;
 			$this->setError(_('Artifact Monitoring Deactivated'));
 			return false;
 		}
@@ -578,8 +597,9 @@
 		if (!session_loggedin()) {
 			return false;
 		}
-		$sql="SELECT count(*) AS count FROM artifact_monitor WHERE user_id='".user_getid()."' AND artifact_id='".$this->getID()."';";
-		$result = db_query($sql);
+		$result = db_query_params ('SELECT count(*) AS count FROM artifact_monitor WHERE user_id=$1 AND artifact_id=$2',
+					   array (user_getid(),
+						  $this->getID())) ;
 		$row_count = db_fetch_array($result);
 		return $result && $row_count['count'] > 0;
 	}
@@ -590,9 +610,8 @@
 	 *  @return array of email addresses monitoring this Artifact.
 	 */
 	function getMonitorIds() {
-		$res=db_query("SELECT user_id
-			FROM artifact_monitor 
-			WHERE artifact_id='". $this->getID() ."'");
+		$res = db_query_params ('SELECT user_id	FROM artifact_monitor WHERE artifact_id=$1',
+					array ($this->getID())) ;
 		return array_unique(array_merge($this->ArtifactType->getMonitorIds(),util_result_column_to_array($res)));
 	}
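Review bot: The query literal contains a literal tab between `user_id` and `FROM`; it is harmless to the parser but reads like a paste artefact, and the same appears in two of the `DELETE FROM artifact_extra_field_data WHERE	artifact_id=$1 ...` statements later in this file. Replace it with a single space: `'SELECT user_id FROM artifact_monitor WHERE artifact_id=$1'`.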
 
@@ -602,11 +621,8 @@
 	 *	@return database result set.
 	 */
 	function getHistory() {
-		$sql="SELECT * ".
-		"FROM artifact_history_user_vw ".
-		"WHERE artifact_id='". $this->getID() ."' ".
-		"ORDER BY entrydate DESC";
-		return db_query($sql);
+		return db_query_params ('SELECT * FROM artifact_history_user_vw WHERE artifact_id=$1 ORDER BY entrydate DESC',
+					array ($this->getID())) ;
 	}
 
 	/**
@@ -615,10 +631,8 @@
 	 *	@return database result set.
 	 */
 	function getMessages() {
-		$sql="select * ".
-			"FROM artifact_message_user_vw ".
-			"WHERE artifact_id='". $this->getID() ."' ORDER BY adddate DESC";
-		return db_query($sql);
+		return db_query_params ('SELECT * FROM artifact_message_user_vw WHERE artifact_id=$1 ORDER BY adddate DESC',
+					array ($this->getID())) ;
 	}
 
 	/**
@@ -643,10 +657,8 @@
 	 */
 	function &getFiles() {
 		if (!isset($this->files)) {
-			$sql="select * ".
-			"FROM artifact_file_user_vw ".
-			"WHERE artifact_id='". $this->getID() ."'";
-			$res=db_query($sql);
+			$res = db_query_params ('SELECT * FROM artifact_file_user_vw WHERE artifact_id=$1',
+						array ($this->getID())) ;
 			$rows=db_numrows($res);
 			if ($rows > 0) {
 				for ($i=0; $i < $rows; $i++) {
@@ -666,13 +678,13 @@
 	 */
 	function getRelatedTasks() {
 		if (!$this->relatedtasks) {
-			$this->relatedtasks=
-			db_query("SELECT pt.group_project_id,pt.project_task_id,pt.summary,pt.start_date,pt.end_date,pgl.group_id
+			$this->relatedtasks = db_query_params ('SELECT pt.group_project_id,pt.project_task_id,pt.summary,pt.start_date,pt.end_date,pgl.group_id
 			FROM project_task pt, project_group_list pgl
 			WHERE pt.group_project_id = pgl.group_project_id AND
 			EXISTS (SELECT project_task_id FROM project_task_artifact
 				WHERE project_task_id=pt.project_task_id
-				AND artifact_id = ". $this->getID() . ")");
+				AND artifact_id = $1',
+							       array ($this->getID())) ;
 		}
 		return $this->relatedtasks;
 	}
@@ -712,9 +724,12 @@
 			}
 		}
 
-		$sql="insert into artifact_message (artifact_id,submitted_by,from_email,adddate,body) ".
-			"VALUES ('". $this->getID() ."','$user_id','$by','". time() ."','". htmlspecialchars($body). "')";
-		$res = db_query($sql);
+		$res = db_query_params ('INSERT INTO artifact_message (artifact_id,submitted_by,from_email,adddate,body) VALUES ($1,$2,$3,$4,$5)',
+					array ($this->getID(),
+					       $user_id,
+					       $by,
+					       time(),
+					       htmlspecialchars($body))) ;
 		if ($send_followup) {
 			$this->mailFollowup(2,false);
 		}
@@ -735,9 +750,12 @@
 		} else {
 			$user=user_getid();
 		}
-		$sql="insert into artifact_history(artifact_id,field_name,old_value,mod_by,entrydate) 
-			VALUES ('". $this->getID() ."','$field_name','".addslashes($old_value)."','$user','". time() ."')";
-		return db_query($sql);
+		return db_query_params ('INSERT INTO artifact_history(artifact_id,field_name,old_value,mod_by,entrydate) VALUES ($1,$2,$3,$4,$5)',
+					array ($this->getID(),
+					       $field_name,
+					       addslashes($old_value),
+					       $user,
+					       time())) ;
 	}
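Review bot: `addslashes($old_value)` is now applied to a value passed as a bound parameter, so the backslashes it adds are stored literally in `artifact_history.old_value` (a quote is saved as `\'`); that escaping was only needed for the removed string-interpolated query. Bind the value directly by replacing `addslashes($old_value),` with `$old_value,`. The enclosing method starts outside the hunk.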
 
 	/**
@@ -806,7 +824,8 @@
 		//
 		//	Get a lock on this row in the database
 		//
-		$lock=db_query("SELECT * FROM artifact WHERE artifact_id='".$this->getID()."' FOR UPDATE");
+		$lock = db_query_params ('SELECT * FROM artifact WHERE artifact_id=$1 FOR UPDATE',
+					 array ($this->getID())) ;
 		$artifact_type_id = $this->ArtifactType->getID();
 		//
 		//	Attempt to move this Artifact to a new ArtifactType
@@ -842,7 +861,8 @@
 			//	exist in the new tracker. All extra_fields will be deleted and 
 			//	then set to 100 in the new tracker.
 			//
-			$res=db_query("DELETE FROM artifact_extra_field_data WHERE artifact_id='".$this->getID()."'");
+			$res = db_query_params ('DELETE FROM artifact_extra_field_data WHERE artifact_id=$1',
+						array ($this->getID())) ;
 			$extra_fields=array();
 		}
 		
@@ -1028,20 +1048,18 @@
 				} elseif (($type == ARTIFACT_EXTRAFIELDTYPE_MULTISELECT) || ($type == ARTIFACT_EXTRAFIELDTYPE_CHECKBOX)) {
 					$extra_fields[$efid]=array('100');
 				} else {
-					$resdel=db_query("DELETE FROM artifact_extra_field_data
-					WHERE
-					artifact_id='".$this->getID()."'
-					AND extra_field_id='".$efid."'");
+					$resdel = db_query_params ('DELETE FROM artifact_extra_field_data WHERE artifact_id=$1 AND extra_field_id=$2',
+								   array ($this->getID(),
+									  $efid)) ;
 					continue;
 				}
 			}
 			//
 			//	get the old rows of data
 			//
-			$resd=db_query("SELECT * FROM artifact_extra_field_data
-				WHERE
-				artifact_id='".$this->getID()."'
-				AND extra_field_id='".$efid."'");
+			$resd = db_query_params ('SELECT * FROM artifact_extra_field_data WHERE artifact_id=$1 AND extra_field_id=$2',
+						 array ($this->getID(),
+							$efid)) ;
 			$rows=db_numrows($resd);
 			if ($resd && $rows) {
 //
@@ -1069,11 +1087,10 @@
 							$this->addHistory($field_name, $this->ArtifactType->getElementName($deleted_values));
 						}
 						
-
-						$resdel=db_query("DELETE FROM artifact_extra_field_data
-						WHERE
-						artifact_id='".$this->getID()."'
-						AND extra_field_id='".$efid."'");
+						
+						$resdel = db_query_params ('DELETE FROM artifact_extra_field_data WHERE	artifact_id=$1 AND extra_field_id=$2',
+									   array ($this->getID(),
+										  $efid)) ;
 					} else {
 						continue;
 					}
@@ -1084,10 +1101,9 @@
 					//element DID change - do a history entry
 					$field_name = $ef[$efid]['field_name'];
 					$changes["extra_fields"][$efid] = 1;
-					$resdel=db_query("DELETE FROM artifact_extra_field_data
-					WHERE
-					artifact_id='".$this->getID()."'
-					AND extra_field_id='".$efid."'");
+					$resdel = db_query_params ('DELETE FROM artifact_extra_field_data WHERE	artifact_id=$1 AND extra_field_id=$2',
+								   array ($this->getID(),
+									  $efid)) ;
 					if (($type == ARTIFACT_EXTRAFIELDTYPE_SELECT) || ($type == ARTIFACT_EXTRAFIELDTYPE_RADIO) || ($type == ARTIFACT_EXTRAFIELDTYPE_STATUS)) {
 //don't add history for text fields
 						$this->addHistory($field_name,$this->ArtifactType->getElementName(db_result($resd,0,'field_data')));
@@ -1110,10 +1126,10 @@
 					$multi_rows=true;
 					$count=count($extra_fields[$efid]);
 					for ($fin=0; $fin<$count; $fin++) {
-						$sql="INSERT INTO artifact_extra_field_data (artifact_id,extra_field_id,field_data) 
-							values ('".$this->getID()."','".$efid."',
-							'".$extra_fields[$efid][$fin]."')";
-						$res=db_query($sql);
+						$res = db_query_params ('INSERT INTO artifact_extra_field_data (artifact_id,extra_field_id,field_data) VALUES ($1,$2,$3)',
+									array ($this->getID(),
+									       $efid,
+									       $extra_fields[$efid][$fin])) ;
 						if (!$res) {
 							$this->setError('Artifact::updateExtraFields:: '.$sql.db_error());
 							return false;
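Review bot: The context line `$this->setError('Artifact::updateExtraFields:: '.$sql.db_error());` still concatenates `$sql`, but the assignment defining it was removed by this hunk, so on failure this raises an undefined-variable notice and the message carries no query text. Drop the reference, as the sibling branch below already does: `$this->setError('Artifact::updateExtraFields:: '.db_error());`. The enclosing method starts and ends outside the hunk.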
@@ -1122,9 +1138,10 @@
 				} else {
 					$multi_rows=false;
 					$count=1;
-					$res=db_query("INSERT INTO artifact_extra_field_data (artifact_id,extra_field_id,field_data) 
-						values ('".$this->getID()."','".$efid."',
-						'".htmlspecialchars($extra_fields[$efid])."')");
+					$res = db_query_params ('INSERT INTO artifact_extra_field_data (artifact_id,extra_field_id,field_data) VALUES ($1,$2,$3)',
+								array ($this->getID(),
+								       $efid,
+								       htmlspecialchars($extra_fields[$efid]))) ;
 					if (!$res) {
 						$this->setError('Artifact::updateExtraFields:: '.db_error());
 						return false;
@@ -1144,8 +1161,8 @@
 	function &getExtraFieldData() {
 		if (!isset($this->extra_field_data)) {
 			$this->extra_field_data = array();
-			$res=db_query("SELECT * FROM artifact_extra_field_data 
-				WHERE artifact_id='".$this->getID()."' ORDER BY extra_field_id");
+			$res = db_query_params ('SELECT * FROM artifact_extra_field_data WHERE artifact_id=$1 ORDER BY extra_field_id',
+						array ($this->getID())) ;
 			$ef = $this->ArtifactType->getExtraFields();
 			while ($arr = db_fetch_array($res)) {
 				$type=$ef[$arr['extra_field_id']]['field_type'];

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactBoxOptions.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactBoxOptions.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactBoxOptions.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2004, Anthony J. Pugliese
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -97,10 +98,10 @@
 			$this->setPermissionDeniedError();
 			return false;
 		}
-		$sql="INSERT INTO artifact_group_selection_box_options (artifact_box_id,box_options_name) 
-			VALUES ('$id','".htmlspecialchars($name)."')";
+		$result = db_query_params ('INSERT INTO artifact_group_selection_box_options (artifact_box_id,box_options_name) VALUES ($1,$2)',
+					   array ($id,
+						  htmlspecialchars($name))) ;
 
-		$result=db_query($sql);
 		if ($result && db_affected_rows($result) > 0) {
 			$this->clearError();
 			return true;
@@ -127,7 +128,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM artifact_group_selection_box_options WHERE id='$id'");
+		$res = db_query_params ('SELECT * FROM artifact_group_selection_box_options WHERE id=$1',
+					array ($id)) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactSelectionBox: Invalid Artifact ID');
 			return false;
@@ -193,11 +195,11 @@
 			$this->setMissingParamsError();
 			return false;
 		}   
-		$sql="UPDATE artifact_group_selection_box_options 
-			SET box_options_name='".htmlspecialchars($name)."' 
-			WHERE id='$id'"; 
-//			AND artifact_box_id='$boxid'";
-		$result=db_query($sql);
+		$result = db_query_params ('UPDATE artifact_group_selection_box_options 
+			SET box_options_name=$1
+			WHERE id=$2',
+					   array (htmlspecialchars($name),
+						  $id)) ;
 		if ($result && db_affected_rows($result) > 0) {
 			return true;
 		} else {

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactCanned.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactCanned.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactCanned.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2002-2004, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -96,13 +97,11 @@
 			$this->setPermissionDeniedError();
 			return false;
 		}
+		$result = db_query_params ('INSERT INTO artifact_canned_responses (group_artifact_id,title,body) VALUES ($1,$2,$3)',
+					   array ($this->ArtifactType->getID(),
+						  htmlspecialchars($title),
+						  htmlspecialchars($body))) ;
 
-		$sql="INSERT INTO artifact_canned_responses (group_artifact_id,title,body) 
-			VALUES ('".$this->ArtifactType->getID()."',
-			'". htmlspecialchars($title) ."','". htmlspecialchars($body) ."')";
-
-		$result=db_query($sql);
-
 		if ($result && db_affected_rows($result) > 0) {
 			$this->clearError();
 			return true;
@@ -128,7 +127,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM artifact_canned_responses WHERE id='$id'");
+		$res = db_query_params ('SELECT * FROM artifact_canned_responses WHERE id=$1',
+					array ($id)) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactCanned: Invalid ArtifactCanned ID');
 			return false;
@@ -195,7 +195,13 @@
 			SET title='". htmlspecialchars($title) ."',body='". htmlspecialchars($body) ."'
 			WHERE group_artifact_id='". $this->ArtifactType->getID() ."' AND id='". $this->getID() ."'";
 
-		$result=db_query($sql);
+		$result = db_query_params ('UPDATE artifact_canned_responses
+			SET title=$1,body=$2,
+			WHERE group_artifact_id=$3 AND id=$4',
+					   array (htmlspecialchars($title),
+						  htmlspecialchars($body),
+						  $this->ArtifactType->getID(),
+						  $this->getID())) ;
 
 		if ($result && db_affected_rows($result) > 0) {
 			return true;
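Review bot: The new UPDATE has a trailing comma before WHERE (`SET title=$1,body=$2,`), which is a syntax error, so every canned-response update will fail. Change it to `SET title=$1,body=$2`. The old string-built `$sql` assignment, whose tail is the context at the top of this hunk, is left in place as dead code that still interpolates `$title`/`$body`; remove it so the interpolated form cannot be reintroduced by a later edit. The enclosing method starts outside the hunk.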

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraField.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraField.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraField.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2004, Anthony J. Pugliese
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -121,13 +122,16 @@
 			return false;
 		}
 		
-		$sql="INSERT INTO artifact_extra_field_list (group_artifact_id,field_name,
-			field_type,attribute1,attribute2,is_required,alias) 
-			VALUES ('".$this->ArtifactType->getID()."','".htmlspecialchars($name)."',
-			'$field_type','$attribute1','$attribute2','$is_required','$alias')";
-
 		db_begin();
-		$result=db_query($sql);
+		$result = db_query_params ('INSERT INTO artifact_extra_field_list (group_artifact_id,field_name,field_type,attribute1,attribute2,is_required,alias) 
+			VALUES ($1,$2,$3,$4,$5,$6,$7)',
+					   array ($this->ArtifactType->getID(),
+						  htmlspecialchars($name),
+						  $field_type,
+						  $attribute1,
+						  $attribute2,
+						  $is_required,
+						  $alias));
 
 		if ($result && db_affected_rows($result) > 0) {
 			$this->clearError();
@@ -147,35 +151,47 @@
 //
 //	Must insert some default statuses for each artifact
 //
-					$reso=db_query("INSERT INTO artifact_extra_field_elements(extra_field_id,element_name,status_id) 
-						values ('$id','Open','1')");
+					$reso = db_query_params ('INSERT INTO artifact_extra_field_elements(extra_field_id,element_name,status_id) VALUES ($1,$2,$3)',
+								 array ($id,
+									'Open',
+									1)) ;
 					if (!$reso) {
 						echo db_error();
 					} else {
 						$resoid=db_insertid($reso,'artifact_extra_field_elements','element_id');
-						db_query("INSERT INTO artifact_extra_field_data(artifact_id,field_data,extra_field_id) 
-							SELECT artifact_id,$resoid,$id FROM artifact 
-							WHERE group_artifact_id='".$this->ArtifactType->getID()."'
-							AND status_id=1");
+						db_query_params ('INSERT INTO artifact_extra_field_data(artifact_id,field_data,extra_field_id) 
+							SELECT artifact_id,$1,$2 FROM artifact 
+							WHERE group_artifact_id=$3
+							AND status_id=1',
+								 array ($resoid,
+									$id,
+									$this->ArtifactType->getID())) ;
 					}
-					$resc=db_query("INSERT INTO artifact_extra_field_elements(extra_field_id,element_name,status_id)
-						values ('$id','Closed','2')");
+					$resc = db_query_params ('INSERT INTO artifact_extra_field_elements(extra_field_id,element_name,status_id) VALUES ($1,$2,$3)',
+								 array ($id,
+									'Closed',
+									2)) ;
 					if (!$resc) {
 						echo db_error();
 					} else {
 						$rescid=db_insertid($resc,'artifact_extra_field_elements','element_id');
-						db_query("INSERT INTO artifact_extra_field_data(artifact_id,field_data,extra_field_id) 
-							SELECT artifact_id,$rescid,$id FROM artifact 
-							WHERE group_artifact_id='".$this->ArtifactType->getID()."'
-							AND status_id != 1");
+						db_query_params ('INSERT INTO artifact_extra_field_data(artifact_id,field_data,extra_field_id) 
+							SELECT artifact_id,$1,$2 FROM artifact 
+							WHERE group_artifact_id=$3
+							AND status_id != 1',
+								 array ($rescid,
+									$id,
+									$this->ArtifactType->getID())) ;
 					}
 				}
 			} elseif (strstr(ARTIFACT_EXTRAFIELD_FILTER_INT,$field_type) !== false) {
 //
 //	Must insert some default 100 rows for the data table so None queries will work right
 //
-				$resdefault=db_query("INSERT INTO artifact_extra_field_data(artifact_id,field_data,extra_field_id) 
-					SELECT artifact_id,100,$id FROM artifact WHERE group_artifact_id='".$this->ArtifactType->getID()."'");
+				$resdefault = db_query_params ('INSERT INTO artifact_extra_field_data(artifact_id,field_data,extra_field_id) 
+					SELECT artifact_id,100,$1 FROM artifact WHERE group_artifact_id=$2',
+							       array ($id,
+								      $this->ArtifactType->getID())) ;
 				if (!$resdefault) {
 					echo db_error();
 				}
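Review bot: In the two `INSERT ... SELECT artifact_id,$1,$2 FROM artifact` statements the bound parameters sit in a SELECT target list rather than in VALUES or a comparison, where the server cannot always infer a parameter type; depending on how `db_query_params` declares types, these may fail with a "could not determine data type of parameter" error, and the failure would go unnoticed because the return value of these two calls is discarded. Casting the placeholders to the declared column types (for example `$1::int,$2::int`, constructed; confirm against the schema) and checking the result of `db_query_params` would make this robust. Note also that the element inserts only `echo db_error()` on failure inside the transaction opened above, leaving partial state for the caller to roll back; that is pre-existing. The enclosing method starts and ends outside the hunk.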
@@ -197,7 +213,8 @@
 	 */
 	function fetchData($id) {
 		$this->id=$id;
-		$res=db_query("SELECT * FROM artifact_extra_field_list WHERE extra_field_id='$id'");
+		$res = db_query_params ('SELECT * FROM artifact_extra_field_list WHERE extra_field_id=$1',
+					array ($id)) ;
 		
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactExtraField: Invalid ArtifactExtraField ID');
@@ -313,9 +330,8 @@
 	 *	@return array
 	 */
 	function getAvailableValues() {
-		$sql = "SELECT * FROM artifact_extra_field_elements WHERE extra_field_id=".$this->getID();
-		$res = db_query($sql);
-		
+		$res = db_query_params ('SELECT * FROM artifact_extra_field_elements WHERE extra_field_id=$1',
+					array ($this->getID()));
 		$return = array();
 		while ($row = db_fetch_array($res)) {
 			$return[] = $row;
@@ -358,16 +374,21 @@
 			return false;
 		}		
 
-		$sql="UPDATE artifact_extra_field_list 
-			SET 
-			field_name='".htmlspecialchars($name)."',
-			attribute1='$attribute1',
-			attribute2='$attribute2',
-			is_required='$is_required',
-			alias='$alias'
-			WHERE extra_field_id='". $this->getID() ."' 
-			AND group_artifact_id='".$this->ArtifactType->getID()."'";
-		$result=db_query($sql);
+		$result = db_query_params ('UPDATE artifact_extra_field_list 
+			SET field_name=$1,
+			attribute1=$2,
+			attribute2=$3,
+			is_required=$4,
+			alias=$5
+			WHERE extra_field_id=$6
+			AND group_artifact_id=$7',
+					   array (htmlspecialchars($name),
+						  $attribute1,
+						  $attribute2,
+						  $is_required,
+						  $alias,
+						  $this->getID(),
+						  $this->ArtifactType->getID())) ;
 		if ($result && db_affected_rows($result) > 0) {
 			return true;
 		} else {
@@ -390,17 +411,14 @@
 			return false;
 		}
 		db_begin();
-		$sql="DELETE FROM artifact_extra_field_data 
-			WHERE extra_field_id='".$this->getID()."'";
-		$result=db_query($sql);
+		$result = db_query_params ('DELETE FROM artifact_extra_field_data WHERE extra_field_id=$1',
+					   array ($this->getID())) ;
 		if ($result) {
-			$sql="DELETE FROM artifact_extra_field_elements
-				WHERE extra_field_id='".$this->getID()."'";
-			$result=db_query($sql);
+			$result = db_query_params ('DELETE FROM artifact_extra_field_elements WHERE extra_field_id=$1',
+						   array ($this->getID())) ;
 			if ($result) {
-				$sql="DELETE FROM artifact_extra_field_list
-                WHERE extra_field_id='".$this->getID()."'";
-				$result=db_query($sql);
+				$result = db_query_params ('DELETE FROM artifact_extra_field_list WHERE extra_field_id=$1',
+							   array ($this->getID())) ;
 				if ($result) {
 					if ($this->getType() == ARTIFACT_EXTRAFIELDTYPE_STATUS) {
 						if (!$this->ArtifactType->setCustomStatusField(0)) {
@@ -485,14 +503,19 @@
 		$serial = 1;
 		$conflict = false;	
 		do {
-			$sql = "SELECT * FROM artifact_extra_field_list ".
-					"WHERE LOWER(alias)='".$alias."' AND ".
-					"group_artifact_id=".$this->ArtifactType->getID();
 			if ($this->data_array['extra_field_id']) {
-				$sql .= " AND extra_field_id <> ".$this->data_array['extra_field_id'];
+				$res = db_query_params ('SELECT * FROM artifact_extra_field_list
+                                                         WHERE LOWER (alias)=$1
+                                                         AND group_artifact_id=$2
+                                                         AND extra_field_id <> $3',
+							array ($alias,
+							       $this->ArtifactType->getID(),
+							       $this->data_array['extra_field_id'])) ;
+			} else {
+				$res = db_query_params ('SELECT * FROM artifact_extra_field_list WHERE LOWER (alias)=$1 AND group_artifact_id=$2',
+							array ($alias,
+							       $this->ArtifactType->getID()));
 			}
-			$res = db_query($sql);
-
 			if (!$res) {
 				$this->setError(db_error());
 				return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraFieldElement.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraFieldElement.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactExtraFieldElement.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2004, Anthony J. Pugliese
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -106,16 +107,18 @@
 			$this->setPermissionDeniedError();
 			return false;
 		}
-		$sql = "SELECT element_name FROM artifact_extra_field_elements WHERE element_name='$name' AND extra_field_id=".$this->ArtifactExtraField->getID();
-		$res = db_query($sql);
+		$res = db_query_params ('SELECT element_name FROM artifact_extra_field_elements WHERE element_name=$1 AND extra_field_id=$2',
+					array (htmlspecialchars ($name),
+					       $this->ArtifactExtraField->getID())) ;
 		if (db_numrows($res) > 0) {
 			$this->setError(_('Element name already exists'));
 			return false;
 		}
-		$sql="INSERT INTO artifact_extra_field_elements (extra_field_id,element_name,status_id) 
-			VALUES ('".$this->ArtifactExtraField->getID()."','".htmlspecialchars($name)."','$status_id')";
 		db_begin();
-		$result=db_query($sql);
+		$result = db_query_params ('INSERT INTO artifact_extra_field_elements (extra_field_id,element_name,status_id) VALUES ($1,$2,$3)',
+					   array ($this->ArtifactExtraField->getID(),
+						  htmlspecialchars($name),
+						  $status_id)) ;
 		if ($result && db_affected_rows($result) > 0) {
 			$this->clearError();
 			$id=db_insertid($result,'artifact_extra_field_elements','element_id');
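Review bot: At `if (db_numrows($res) > 0)` the result of the new duplicate-name `db_query_params` call is never tested for failure, so a failed query evaluates as "no duplicate" and falls through to the INSERT. Add `if (!$res) { $this->setError(db_error()); return false; }` before the `db_numrows` test, mirroring the `fetchData` hunk below (`if (!$res || db_numrows($res) < 1)`). The same unchecked `db_numrows($res)` pattern appears in the ArtifactFile constructor hunk (`if (db_numrows($res) <1 )`) and in ArtifactQuery::Exist (`if (db_numrows($res)>0)`). The enclosing method starts above this hunk.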
@@ -144,7 +147,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM artifact_extra_field_elements WHERE element_id='$id'");
+		$res = db_query_params ('SELECT * FROM artifact_extra_field_elements WHERE element_id=$1',
+					array ($id)) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactExtraField: Invalid ArtifactExtraFieldElement ID');
 			return false;
@@ -231,11 +235,12 @@
 		} else {
 			$status_id=0;
 		}
-		$sql="UPDATE artifact_extra_field_elements 
-			SET element_name='".htmlspecialchars($name)."',
-			status_id='$status_id' 
-			WHERE element_id='".$this->getID()."'"; 
-		$result=db_query($sql);
+		$result = db_query_params ('UPDATE artifact_extra_field_elements 
+			SET element_name=$1, status_id=$2
+			WHERE element_id=$3',
+					   array (htmlspecialchars($name),
+						  $status_id,
+						  $this->getID())) ;
 		if ($result && db_affected_rows($result) > 0) {
 			return true;
 		} else {

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFile.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFile.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFile.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -35,9 +36,10 @@
 	global $ARTIFACTFILE_OBJ;
 	if (!isset($ARTIFACTFILE_OBJ["_".$artifact_file_id."_"])) {
 		if ($data) {
-		//the db result handle was passed in
+			//the db result handle was passed in
 		} else {
-			$res=db_query("SELECT * FROM artifact_file_user_vw WHERE id='$artifact_file_id'");
+			$res = db_query_params ('SELECT * FROM artifact_file_user_vw WHERE id=$1',
+						array ($artifact_file_id)) ;
 			if (db_numrows($res) <1 ) {
 				$ARTIFACTFILE_OBJ["_".$artifact_file_id."_"]=false;
 				return false;
@@ -145,11 +147,17 @@
 
 		db_begin();
 
-		$res=db_query("INSERT INTO artifact_file
+		$res = db_query_params ('INSERT INTO artifact_file
 			(artifact_id,description,bin_data,filename,filesize,filetype,adddate,submitted_by)
-			VALUES 
-			('".$this->Artifact->getID()."','$description','". base64_encode($bin_data) ."','$filename',
-			'$filesize','$filetype','". time() ."','$userid')"); 
+			VALUES ($1,$2,$3,$4,$5,$6,$7,$8)',
+					array ($this->Artifact->getID(),
+					       $description,
+					       base64_encode($bin_data),
+					       $filename,
+					       $filesize,
+					       $filetype,
+					       time(),
+					       $userid)) ; 
 
 		$id=db_insertid($res,'artifact_file','id');
 
@@ -187,7 +195,8 @@
 			$this->setPermissionDeniedError();
 			return false;
 		}
-		$res=db_query("DELETE FROM artifact_file WHERE id='". $this->getID() ."'");
+		$res = db_query_params ('DELETE FROM artifact_file WHERE id=$1',
+					array ($this->getID())) ;
 		if (!$res || db_affected_rows($res) < 1) {
 			$this->setError('ArtifactFile: Unable to Delete');
 			return false;
@@ -204,7 +213,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM artifact_file_user_vw WHERE id='$id'");
+		$res = db_query_params ('SELECT * FROM artifact_file_user_vw WHERE id=$1',
+					array ($id)) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactFile: Invalid ArtifactFile ID');
 			return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFromID.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFromID.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactFromID.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2002, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -26,8 +27,6 @@
 
 class ArtifactFromID extends Error {
 
-//artifact_vw
-
 	var $Group;
 	var $ArtifactType;
 	var $Artifact;
@@ -36,7 +35,8 @@
 		if ($data) {
 			$art_arr =& $data;
 		} else {
-			$res=db_query("SELECT * FROM artifact_vw WHERE artifact_id='$id'");
+			$res = db_query_params ('SELECT * FROM artifact_vw WHERE artifact_id=$1',
+						array ($id)) ;
 			if (!$res || db_numrows($res) < 1) {
 				$this->setError("Invalid Artifact ID");
 				return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactHistory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactHistory.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactHistory.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2004, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -95,10 +96,12 @@
 			$this->setPermissionDeniedError();
 			return false;
 		}
-		$sql="INSERT INTO artifact_category (group_artifact_id,category_name,auto_assign_to) 
-			VALUES ('".$this->Artifact->getID()."','".htmlspecialchars($name)."','$auto_assign_to')";
+		$result = db_query_params ('INSERT INTO artifact_category (group_artifact_id,category_name,auto_assign_to) 
+			VALUES ($1,$2,$3)',
+					   array ($this->Artifact->getID(),
+						  htmlspecialchars($name),
+						  $auto_assign_to)) ;
 
-		$result=db_query($sql);
 
 		if ($result && db_affected_rows($result) > 0) {
 			$this->clearError();
@@ -121,7 +124,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM artifact_category WHERE id='$id'");
+		$res = db_query_params ('SELECT * FROM artifact_category WHERE id=$1',
+					array ($id)) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactHistory: Invalid ArtifactHistory ID');
 			return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactMessage.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactMessage.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactMessage.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2004, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -110,10 +111,13 @@
 			}
 		}
 
-		$sql="insert into artifact_message (artifact_id,submitted_by,from_email,adddate,body) 
-			VALUES ('". $this->Artifact->getID() ."','$user_id','$by','". time() ."','". htmlspecialchars($body). "')";
-		$res = db_query($sql);
-
+		$res = db_query_params ('INSERT INTO artifact_message (artifact_id,submitted_by,from_email,adddate,body) 
+			VALUES ($1,$2,$3,$4,$5)',
+					array ($this->Artifact->getID(),
+					       $user_id,
+					       $by,
+					       time(),
+					       htmlspecialchars($body))) ;
 		if (!$res) {
 			$this->setError(db_error());
 			return false;
@@ -137,7 +141,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM artifact_message_user_vw WHERE id='$id'");
+		$res = db_query_params ('SELECT * FROM artifact_message_user_vw WHERE id=$1',
+					array ($id)) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactMessage: Invalid ArtifactMessage ID');
 			return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQuery.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQuery.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQuery.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 2005, Anthony J. Pugliese
  * Copyright 2005, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -111,11 +112,11 @@
 			return false;
 		}
 
-		$sql="INSERT INTO artifact_query (group_artifact_id,query_name,user_id) 
-			VALUES ('".$this->ArtifactType->getID()."','".htmlspecialchars($name)."','".user_getid()."')";
-
 		db_begin();
-		$result=db_query($sql);
+		$result = db_query_params ('INSERT INTO artifact_query (group_artifact_id,query_name,user_id) VALUES ($1,$2,$3)',
+					   array ($this->ArtifactType->getID(),
+						  htmlspecialchars($name),
+						  user_getid())) ;
 		if ($result && db_affected_rows($result) > 0) {
 			$this->clearError();
 			$id=db_insertid($result,'artifact_query','artifact_query_id');
@@ -153,7 +154,8 @@
 	 *	@return	boolean	success.
 	 */
 	function fetchData($id) {
-		$res=db_query("SELECT * FROM artifact_query WHERE artifact_query_id='$id'");
+			$res = db_query_params ('SELECT * FROM artifact_query WHERE artifact_query_id=$1',
+						array ($id)) ;
 		
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactQuery: Invalid ArtifactQuery ID'.db_error());
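Review bot: The new `$res = db_query_params (...)` statement at the top of `fetchData` is indented one tab deeper than the surrounding method body, and the same happens with the `artifact_query_fields` query in the next hunk; both should sit at the method's indentation level. Nothing else in this file uses that extra level, so it reads as a paste artefact rather than structure.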
@@ -161,7 +163,8 @@
 		}
 		$this->data_array =& db_fetch_array($res);
 		db_free_result($res);
-		$res=db_query("SELECT * FROM artifact_query_fields WHERE artifact_query_id='$id'");
+			$res = db_query_params ('SELECT * FROM artifact_query_fields WHERE artifact_query_id=$1',
+						array ($id)) ;
 		unset($this->element_array);
 		while ($arr = db_fetch_array($res)) {
 			//
@@ -189,15 +192,19 @@
 	 *
 	 */
 	function insertElements($id,$status,$assignee,$moddaterange,$sort_col,$sort_ord,$extra_fields,$opendaterange,$closedaterange) {
-		$res=db_query("DELETE FROM artifact_query_fields WHERE artifact_query_id='$id'");
+		$res = db_query_params ('DELETE FROM artifact_query_fields WHERE artifact_query_id=$1',
+					array ($id)) ;
 		if (!$res) {
 			$this->setError('Deleting Old Elements: '.db_error());
 			return false;
 		}
 		$id = intval($id);
-		$res=db_query("INSERT INTO artifact_query_fields 
+		$res = db_query_params ('INSERT INTO artifact_query_fields 
 			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-			VALUES ('$id','".ARTIFACT_QUERY_STATE."','0','".intval($status)."')");
+                        VALUES ($1,$2,0,$3)',
+					array ($id,
+					       ARTIFACT_QUERY_STATE,
+					       intval($status))) ;
 		if (!$res) {
 			$this->setError('Setting Status: '.db_error());
 			return false;
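Review bot: `$id = intval($id);` is still placed after the DELETE that already bound the raw `$id` as `$1`, so the first query and the subsequent INSERTs operate on different values when the caller passes a non-numeric id. Moving the `intval` line above the `db_query_params ('DELETE FROM artifact_query_fields ...')` call keeps every statement in the method working on the same integer. The method continues below the hunk.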
@@ -223,9 +230,12 @@
 		}
 
 		//CSV LIST OF ASSIGNEES
-		$res=db_query("INSERT INTO artifact_query_fields 
+		$res = db_query_params ('INSERT INTO artifact_query_fields 
 			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-			VALUES ('$id','".ARTIFACT_QUERY_ASSIGNEE."','0','".$assignee."')");
+			VALUES ($1,$2,0,$3)',
+					array ($id,
+					       ARTIFACT_QUERY_ASSIGNEE,
+					       $assignee)) ;
 		if (!$res) {
 			$this->setError('Setting Assignee: '.db_error());
 			return false;
@@ -236,9 +246,12 @@
 			$this->setError('Invalid Mod Date Range');
 			return false;
 		}
-		$res=db_query("INSERT INTO artifact_query_fields 
+		$res = db_query_params ('INSERT INTO artifact_query_fields 
 			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-			VALUES ('$id','".ARTIFACT_QUERY_MODDATE."','0','".$moddaterange."')");
+			VALUES ($1,$2,0,$3)',
+					array ($id,
+					       ARTIFACT_QUERY_MODDATE,
+					       $moddaterange)) ;
 		if (!$res) {
 			$this->setError('Setting Last Modified Date Range: '.db_error());
 			return false;
@@ -249,9 +262,12 @@
 			$this->setError('Invalid Open Date Range');
 			return false;
 		}
-		$res=db_query("INSERT INTO artifact_query_fields 
+		$res = db_query_params ('INSERT INTO artifact_query_fields 
 			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-			VALUES ('$id','".ARTIFACT_QUERY_OPENDATE."','0','".$opendaterange."')");
+			VALUES ($1,$2,0,$3)',
+					array ($id,
+					       ARTIFACT_QUERY_OPENDATE,
+					       $opendaterange)) ;
 		if (!$res) {
 			$this->setError('Setting Open Date Range: '.db_error());
 			return false;
@@ -262,25 +278,34 @@
 			$this->setError('Invalid Close Date Range');
 			return false;
 		}
-		$res=db_query("INSERT INTO artifact_query_fields 
+		$res = db_query_params ('INSERT INTO artifact_query_fields 
 			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-			VALUES ('$id','".ARTIFACT_QUERY_CLOSEDATE."','0','".$closedaterange."')");
+			VALUES ($1,$2,0,$3)',
+					array ($id,
+					       ARTIFACT_QUERY_CLOSEDATE,
+					       $closedaterange)) ;
 		if (!$res) {
 			$this->setError('Setting Close Date Range: '.db_error());
 			return false;
 		}
 
 		// SORT COLUMN
-		$res=db_query("INSERT INTO artifact_query_fields 
+		$res = db_query_params ('INSERT INTO artifact_query_fields 
 			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-			VALUES ('$id','".ARTIFACT_QUERY_SORTCOL."','0','".$sort_col."')");
+			VALUES ($1,$2,0,$3)',
+					array ($id,
+					       ARTIFACT_QUERY_SORTCOL,
+					       $sort_col)) ;
 		if (!$res) {
 			$this->setError('Setting Sort Col: '.db_error());
 			return false;
 		}
-		$res=db_query("INSERT INTO artifact_query_fields 
+		$res = db_query_params ('INSERT INTO artifact_query_fields 
 			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-			VALUES ('$id','".ARTIFACT_QUERY_SORTORD."','0','".$sort_ord."')");
+			VALUES ($1,$2,0,$3)',
+					array ($id,
+					       ARTIFACT_QUERY_SORTORD,
+					       $sort_ord)) ;
 		if (!$res) {
 			$this->setError('Setting Sort Order: '.db_error());
 			return false;
@@ -307,9 +332,13 @@
 			} else {
 				$vals[$i] =	 intval($vals[$i]);
 			}
-			$res=db_query("INSERT INTO artifact_query_fields 
-				(artifact_query_id,query_field_type,query_field_id,query_field_values) 
-				VALUES ('$id','".ARTIFACT_QUERY_EXTRAFIELD."','".((int)$keys[$i]) ."','". $vals[$i] ."')");
+			$res = db_query_params ('INSERT INTO artifact_query_fields 
+			(artifact_query_id,query_field_type,query_field_id,query_field_values) 
+			VALUES ($1,$2,$3,$4)',
+						array ($id,
+						       ARTIFACT_QUERY_EXTRAFIELD,
+						       intval ($keys[$i]),
+						       $vals[$i])) ;
 			if (!$res) {
 				$this->setError('Setting values: '.db_error());
 				return false;
@@ -450,13 +479,14 @@
 			$this->setError(_('Query does not exist'));
 			return false;
 		}
-		$sql="UPDATE artifact_query
-			SET 
-			query_name='".htmlspecialchars($name)."'
-			WHERE artifact_query_id='".$this->getID()."'
-			AND user_id='".user_getid()."'";
 		db_begin();
-		$result=db_query($sql);
+		$result = db_query_params ('UPDATE artifact_query
+			SET query_name=$1
+			WHERE artifact_query_id=$2
+			AND user_id=$3',
+					   array (htmlspecialchars($name),
+						  $this->getID(),
+						  user_getid())) ;
 		if ($result && db_affected_rows($result) > 0) {
 			if (!$this->insertElements($this->getID(),$status,$assignee,$moddaterange,$sort_col,$sort_ord,$extra_fields,$opendaterange,$closedaterange)) {
 				db_rollback();
@@ -488,10 +518,12 @@
 	}
 
 	function delete() {
-		$res=db_query("DELETE FROM artifact_query WHERE artifact_query_id='".$this->getID()."'
-            AND user_id='".user_getid()."'");
-		$res=db_query("DELETE FROM user_preferences WHERE preference_value='".$this->getID()."'
-            AND preference_name 'art_query".$this->ArtifactType->getID()."'");
+		$res = db_query_params ('DELETE FROM artifact_query WHERE artifact_query_id=$1 AND user_id=$2',
+					array ($this->getID(),
+					       user_getid())) ;
+		$res = db_query_params ('DELETE FROM user_preferences WHERE preference_value=$1 AND preference_name =$2',
+					array ($this->getID(),
+					       'art_query'.$this->ArtifactType->getID())) ;
 		unset($this->data_array);
 		unset($this->element_array);
 	}
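Review bot: Both `db_query_params` results in `delete()` are assigned to `$res` and then discarded, and the method returns nothing, so a failed DELETE is invisible to callers while `data_array` and `element_array` are unset regardless. Return a boolean and surface the error with `if (!$res) { $this->setError(db_error()); return false; }` after each call, and wrap the two DELETEs in `db_begin()`/`db_commit()` as `create()` and `update()` in this file already do, so the query row and its `user_preferences` reference cannot go out of sync.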
@@ -504,8 +536,10 @@
 	function Exist($name) {
 		$user_id = user_getid();
 		$art_id = $this->ArtifactType->getID();
-		$sql = "SELECT * FROM artifact_query WHERE group_artifact_id = '$art_id' AND query_name = '$name' AND user_id = '$user_id'";
-		$res = db_query($sql);
+		$res = db_query_params ('SELECT * FROM artifact_query WHERE group_artifact_id = $1 AND query_name = $2 AND user_id = $3',
+					array ($art_id,
+					       $name,
+					       $user_id)) ;
 		if (db_numrows($res)>0) {
 			return true;
 		} else {
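Review bot: `Exist()` binds the raw `$name` as `$2`, but `create()` and `update()` in this file store `htmlspecialchars($name)`, so a query name containing `&`, `<`, `>` or a quote is stored escaped and never found by this check. The ArtifactExtraFieldElement hunk above applies `htmlspecialchars ($name)` to its own existence check and this one should match it: `array ($art_id, htmlspecialchars($name), $user_id)`.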

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQueryFactory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQueryFactory.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactQueryFactory.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2002, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -62,15 +63,17 @@
 		return true;
 	}
 	
-	function& getArtifactQueries() {
+	function &getArtifactQueries() {
 		if (!is_null($this->ArtifactQueries)) {
 			return $this->ArtifactQueries;
 		}
 		
 		$this->ArtifactQueries = array();
 		
-		$res = db_query("SELECT * FROM artifact_query WHERE user_id='".user_getid()."' ".
-					"AND group_artifact_id='".$this->ArtifactType->getID()."'");
+		$res = db_query_params ('SELECT * FROM artifact_query WHERE user_id=$1
+					 AND group_artifact_id=$2',
+					array (user_getid(),
+					       $this->ArtifactType->getID())) ;
 		if (!$res) {
 			$this->setError("ArtifactQueryFactory:: Database error");
 		}

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactType.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactType.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactType.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2002-2004, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -38,8 +39,8 @@
 			if ($res) {
 				//the db result handle was passed in
 			} else {
-				$res=db_query("SELECT * FROM artifact_group_list_vw
-						WHERE group_artifact_id='$artType_id'");
+				$res = db_query_params ('SELECT * FROM artifact_group_list_vw WHERE group_artifact_id=$1',
+							array ($artType_id)) ;
 			}
 			if (!$res || db_numrows($res) < 1 ){
 				$ARTIFACTTYPE_OBJ["_".$artType_id."_"]=false;
@@ -225,8 +226,9 @@
 		$allow_anon = ((!$allow_anon) ? 0 : $allow_anon);
 		$email_all = ((!$email_all) ? 0 : $email_all);
 
-
-		$sql="INSERT INTO 
+		db_begin();
+		
+		$res = db_query_params ('INSERT INTO 
 			artifact_group_list 
 			(group_id,
 			name,
@@ -241,22 +243,19 @@
 			browse_instructions,
 			datatype) 
 			VALUES 
-			('". $this->Group->getID() ."',
-			'". htmlspecialchars($name) ."',
-			'". htmlspecialchars($description) ."',
-			'$is_public',
-			'$allow_anon',
-			'$email_all',
-			'$email_address',
-			'". ($due_period*(60*60*24)) ."',
-			'1209600',
-			'".htmlspecialchars($submit_instructions)."',
-			'".htmlspecialchars($browse_instructions)."',
-			'$datatype')";
-		
-		db_begin();
-		
-		$res = db_query($sql);
+			($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12)',
+					array ($this->Group->getID(),
+					       htmlspecialchars($name),
+					       htmlspecialchars($description),
+					       $is_public,
+					       $allow_anon,
+					       $email_all,
+					       $email_address,
+					       $due_period*(60*60*24),
+					       1209600,
+					       htmlspecialchars($submit_instructions),
+					       htmlspecialchars($browse_instructions),
+					       $datatype)) ;
 
 		$id = db_insertid($res,'artifact_group_list','group_artifact_id');
 		
@@ -282,9 +281,11 @@
 	 *  @return boolean	success.
 	 */
 	function fetchData($artifact_type_id) {
-		$res=db_query("SELECT * FROM artifact_group_list_vw
-			WHERE group_artifact_id='$artifact_type_id' 
-			AND group_id='". $this->Group->getID() ."'");
+		$res = db_query_params ('SELECT * FROM artifact_group_list_vw
+			WHERE group_artifact_id=$1
+			AND group_id=$2',
+					array ($artifact_type_id,
+					       $this->Group->getID())) ;
 		if (!$res || db_numrows($res) < 1) {
 			$this->setError('ArtifactType: Invalid ArtifactTypeID');
 			return false;
@@ -472,8 +473,10 @@
 	 *	@return	boolean	success.
 	 */
 	function setCustomStatusField($extra_field_id) {
-		$res=db_query("UPDATE artifact_group_list SET custom_status_field='$extra_field_id'
-			WHERE group_artifact_id='".$this->getID()."'");
+		$res = db_query_params ('UPDATE artifact_group_list SET custom_status_field=$1
+			WHERE group_artifact_id=$2',
+					array ($extra_field_id,
+					       $this->getID())) ;
 		return $res;
 	}
 
@@ -500,7 +503,8 @@
 				$element_id=$extra_fields[$csfield];
 
 				//convert that element_id into the status_id
-				$res=db_query("SELECT status_id FROM artifact_extra_field_elements WHERE element_id='$element_id'");
+				$res = db_query_params ('SELECT status_id FROM artifact_extra_field_elements WHERE element_id=$1',
+							array ($element_id)) ;
 				if (!$res) {
 					$this->setError('Error Remapping Status: '.db_error());
 					return false;
@@ -508,7 +512,8 @@
 				$status_id=db_result($res,0,'status_id');
 			} else {
 				// custom status was not passed... use the first status from the database
-				$res = db_query("SELECT status_id FROM artifact_extra_field_elements WHERE extra_field_id='".$csfield."' ORDER BY element_id ASC LIMIT 1 OFFSET 0");
+				$res = db_query_prams ('SELECT status_id FROM artifact_extra_field_elements WHERE extra_field_id=$1 ORDER BY element_id ASC LIMIT 1 OFFSET 0',
+						       array ($csfield)) ;
 				if (db_numrows($res) == 0) {		// No values available
 					$this->setError('Error Remapping Status');
 					return false;
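Review bot: `db_query_prams` in the `else` branch is a typo for `db_query_params`; PHP resolves the name at call time, so the fallback path the comment describes (custom status not passed, use the first status) dies with an undefined-function fatal error instead of running the query. Change it to `$res = db_query_params ('SELECT status_id FROM artifact_extra_field_elements WHERE extra_field_id=$1 ORDER BY element_id ASC LIMIT 1 OFFSET 0',`. The following `db_numrows($res)` would also benefit from a `!$res` check, as the sibling branch above does.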
@@ -553,14 +558,15 @@
 
 		}
 
-		$res=db_query("SELECT * FROM artifact_type_monitor
-			WHERE group_artifact_id='". $this->getID() ."'
-			AND user_id='$user_id'");
+		$res = db_query_params ('SELECT * FROM artifact_type_monitor WHERE group_artifact_id=$1 AND user_id=$2',
+					array ($this->getID(),
+					       $user_id)) ;
 
 		if (!$res || db_numrows($res) < 1) {
 			//not yet monitoring
-			$res=db_query("INSERT INTO artifact_type_monitor (group_artifact_id,user_id)
-				VALUES ('". $this->getID() ."','$user_id')");
+			$res = db_query_params ('INSERT INTO artifact_type_monitor (group_artifact_id,user_id) VALUES ($1,$2)',
+						array ($this->getID(),
+						       $user_id)) ;
 			if (!$res) {
 				$this->setError(db_error());
 				return false;
@@ -570,9 +576,11 @@
 			}
 		} else {
 			//already monitoring - remove their monitor
-			db_query("DELETE FROM artifact_type_monitor
-				WHERE group_artifact_id='". $this->getID() ."'
-				AND user_id='$user_id'");
+			db_query_params ('DELETE FROM artifact_type_monitor
+				WHERE group_artifact_id=$1
+				AND user_id=$2',
+					 array ($this->getID(),
+						$user_id)) ;
 			$this->setError(_('Tracker Monitoring Deactivated'));
 			return false;
 		}
@@ -582,9 +590,10 @@
 		if (!session_loggedin()) {
 			return false;
 		}
-		$sql="SELECT count(*) AS count FROM artifact_type_monitor 
-			WHERE user_id='".user_getid()."' AND group_artifact_id='".$this->getID()."';";
-		$result = db_query($sql);
+		$result = db_query_params ('SELECT count(*) AS count FROM artifact_type_monitor 
+			WHERE user_id=$1 AND group_artifact_id=$2',
+					   array (user_getid(),
+						  $this->getID())) ;
 		$row_count = db_fetch_array($result);
 		return $result && $row_count['count'] > 0;
 	}
@@ -595,9 +604,8 @@
 	 *  @return array of email addresses monitoring this Artifact.
 	 */
 	function &getMonitorIds() {
-		$res=db_query("SELECT user_id
-			FROM artifact_type_monitor
-			WHERE group_artifact_id='". $this->getID() ."'");
+		$res = db_query_params ('SELECT user_id	FROM artifact_type_monitor WHERE group_artifact_id=$1',
+					array ($this->getID())) ;
 		return util_result_column_to_array($res);
 	}
 
@@ -611,16 +619,20 @@
 		if (!isset($this->extra_fields["$filter"])) {
 			$this->extra_fields["$filter"] = array();
 			if ($filter) {
-				$filter_str=" AND field_type IN ($filter) ";
+				$res = db_query_params ('SELECT *
+				FROM artifact_extra_field_list 
+				WHERE group_artifact_id=$1
+                                AND field_type = ANY ($2)
+				ORDER BY field_type ASC',
+							array ($this->getID(),
+							       db_int_array_to_any_clause (explode (',', $filter)))) ;
 			} else {
-				$filter_str="";
+				$res = db_query_params ('SELECT *
+				FROM artifact_extra_field_list 
+				WHERE group_artifact_id=$1
+				ORDER BY field_type ASC',
+							array ($this->getID())) ;
 			}
-			$sql="select *
-				FROM artifact_extra_field_list 
-				WHERE group_artifact_id='".$this->getID() ."'
-				$filter_str
-				ORDER BY field_type ASC";
-			$res=db_query($sql);
 			while($arr = db_fetch_array($res)) {
 				$this->extra_fields["$filter"][$arr['extra_field_id']] = $arr;
 			}
@@ -670,7 +682,8 @@
 			//
 			//	Iterate the elements
 			//
-			$resel=db_query("SELECT * FROM artifact_extra_field_elements WHERE extra_field_id='".$ef['extra_field_id']."'");
+			$resel = db_query_params ('SELECT * FROM artifact_extra_field_elements WHERE extra_field_id=$1',
+						  array ($ef['extra_field_id'])) ;
 			while ($el =& db_fetch_array($resel)) {
 				//new element
 				$nel = new ArtifactExtraFieldElement($nef);
@@ -712,12 +725,11 @@
 		}
 		if (!isset($this->extra_field[$id])) {
 			$this->extra_field[$id] = array();
-			$sql="select element_id,element_name,status_id
+			$res = db_query_params  ('SELECT element_id,element_name,status_id
 				FROM artifact_extra_field_elements
-				WHERE extra_field_id ='".$id."'  
-				ORDER BY element_id ASC";
-
-			$res=db_query($sql);
+				WHERE extra_field_id = $1
+				ORDER BY element_id ASC',
+						 array ($id)) ;
 			$i=0;
 			while($arr =& db_fetch_array($res)) {
 				$this->extra_field[$id][$i++] = $arr;
@@ -748,10 +760,10 @@
 			return 'None';
 		}
 		if (!isset($this->element_name["$choiceid"])) {
-			$sql="select element_id,extra_field_id,element_name
+			$res = db_query_params ('SELECT element_id,extra_field_id,element_name
 				FROM artifact_extra_field_elements
-				WHERE element_id IN ($choiceid)";
-			$res=db_query($sql);
+				WHERE element_id = ANY ($1)',
+						array (db_int_array_to_any_clause (explode (',', $choiceid)))) ;
 			if (db_numrows($res) > 1) {
 				$arr=util_result_column_to_array($res,2);
 				$this->element_name["$choiceid"]=implode(',',$arr);
@@ -778,10 +790,10 @@
 			return 0;
 		}
 		if (!$this->element_status["$choiceid"]) {
-			$sql="select element_id,extra_field_id,status_id
+			$res = db_query_params ('SELECT element_id,extra_field_id,status_id
 				FROM artifact_extra_field_elements
-				WHERE element_id IN ($choiceid)";
-			$res=db_query($sql);
+				WHERE element_id = ANY ($1)',
+						array (db_int_array_to_any_clause (explode (',', $choiceid)))) ;
 			if (db_numrows($res) > 1) {
 				$arr=util_result_column_to_array($res,2);
 				$this->element_status["$choiceid"]=implode(',',$arr);
@@ -810,50 +822,61 @@
 			return false;
 		}
 		db_begin();
-		db_query("DELETE FROM artifact_extra_field_data
+		db_query_params ('DELETE FROM artifact_extra_field_data
 			WHERE EXISTS (SELECT artifact_id FROM artifact 
-			WHERE group_artifact_id='".$this->getID()."'
-			AND artifact.artifact_id=artifact_extra_field_data.artifact_id)");
+			WHERE group_artifact_id=$1
+			AND artifact.artifact_id=artifact_extra_field_data.artifact_id)',
+				 array ($this->getID())) ;
 //echo '0.1'.db_error();
-		db_query("DELETE FROM artifact_extra_field_elements
+		db_query_params ('DELETE FROM artifact_extra_field_elements
 			WHERE EXISTS (SELECT extra_field_id FROM artifact_extra_field_list 
-			WHERE group_artifact_id='".$this->getID()."'
-			AND artifact_extra_field_list.extra_field_id = artifact_extra_field_elements.extra_field_id)");
+			WHERE group_artifact_id=$1
+			AND artifact_extra_field_list.extra_field_id = artifact_extra_field_elements.extra_field_id)',
+				 array ($this->getID())) ;
 //echo '0.2'.db_error();
-		db_query ("DELETE FROM artifact_extra_field_list
-			WHERE group_artifact_id='".$this->getID()."'");
+		db_query_params ('DELETE FROM artifact_extra_field_list
+			WHERE group_artifact_id=$1',
+			array ($this->getID())) ;
 //echo '0.3'.db_error();
-		db_query("DELETE FROM artifact_canned_responses 
-			WHERE group_artifact_id='".$this->getID()."'");
+		db_query_params ('DELETE FROM artifact_canned_responses 
+			WHERE group_artifact_id=$1',
+				 array ($this->getID())) ;
 //echo '1'.db_error();
-		db_query("DELETE FROM artifact_counts_agg
-			WHERE group_artifact_id='".$this->getID()."'");
+		db_query_params ('DELETE FROM artifact_counts_agg
+			WHERE group_artifact_id=$1',
+				 array ($this->getID())) ;
 //echo '5'.db_error();
-		db_query("DELETE FROM artifact_file
+		db_query_params ('DELETE FROM artifact_file
 			WHERE EXISTS (SELECT artifact_id FROM artifact 
-			WHERE group_artifact_id='".$this->getID()."'
-			AND artifact.artifact_id=artifact_file.artifact_id)");
+			WHERE group_artifact_id=$1
+			AND artifact.artifact_id=artifact_file.artifact_id)',
+				 array ($this->getID())) ;
 //echo '6'.db_error();
-		db_query("DELETE FROM artifact_message
+		db_query_params ('DELETE FROM artifact_message
 			WHERE EXISTS (SELECT artifact_id FROM artifact 
-			WHERE group_artifact_id='".$this->getID()."'
-			AND artifact.artifact_id=artifact_message.artifact_id)");
+			WHERE group_artifact_id=$1
+			AND artifact.artifact_id=artifact_message.artifact_id)',
+				 array ($this->getID())) ;
 //echo '7'.db_error();
-		db_query("DELETE FROM artifact_history
+		db_query_params ('DELETE FROM artifact_history
 			WHERE EXISTS (SELECT artifact_id FROM artifact 
-			WHERE group_artifact_id='".$this->getID()."'
-			AND artifact.artifact_id=artifact_history.artifact_id)");
+			WHERE group_artifact_id=$1
+			AND artifact.artifact_id=artifact_history.artifact_id)',
+				 array ($this->getID())) ;
 //echo '8'.db_error();
-		db_query("DELETE FROM artifact_monitor
+		db_query_params ('DELETE FROM artifact_monitor
 			WHERE EXISTS (SELECT artifact_id FROM artifact 
-			WHERE group_artifact_id='".$this->getID()."'
-			AND artifact.artifact_id=artifact_monitor.artifact_id)");
+			WHERE group_artifact_id=$1
+			AND artifact.artifact_id=artifact_monitor.artifact_id)',
+				 array ($this->getID())) ;
 //echo '9'.db_error();
-		db_query("DELETE FROM artifact
-			WHERE group_artifact_id='".$this->getID()."'");
+		db_query_params ('DELETE FROM artifact
+			WHERE group_artifact_id=$1',
+				 array ($this->getID())) ;
 //echo '4'.db_error();
-		db_query("DELETE FROM artifact_group_list
-			WHERE group_artifact_id='".$this->getID()."'");
+		db_query_params ('DELETE FROM artifact_group_list
+			WHERE group_artifact_id=$1',
+				 array ($this->getID())) ;
 //echo '11'.db_error();
 		
 		db_commit();
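Review bot: None of the eleven `db_query_params` DELETEs between `db_begin()` and `db_commit()` has its result checked, so a failing statement still ends in `db_commit()`, and the surviving `//echo '...'.db_error();` lines show the failures were only ever observed by hand. Capture each result and roll back on the first failure, e.g. `if (!$res) { db_rollback(); $this->setError(db_error()); return false; }` after each call, then drop the dead `//echo` lines. The enclosing method starts above this hunk.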
@@ -867,12 +890,13 @@
 	 */
 	function getTechnicians() {
 		if (!isset($this->technicians_res)) {
-			$sql="SELECT user_id,realname 
+			$this->technicians_res = db_query_params ('SELECT user_id,realname 
 				FROM artifactperm_user_vw
-				WHERE group_artifact_id='". $this->getID() ."' 
+				WHERE group_artifact_id=$1
 				AND perm_level in (1,2)
-				ORDER BY realname";
-			$this->technicians_res = db_query($sql);
+				ORDER BY realname',
+								  array ($this->getID())) ;
+			($sql);
 		}
 		return $this->technicians_res;
 	}
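Review bot: The added statement `($sql);` after the `db_query_params` call is a leftover of the old `$sql = ...; db_query($sql)` pair; `$sql` is no longer assigned anywhere in getTechnicians(), so the line is a no-op that reads an undefined variable and raises a notice. Drop the line so the `if` body ends after the `db_query_params (...)` assignment. The same leftover `($sql);` appears in the update() hunk, directly after the `db_query_params` call that now assigns `$res`, and should be removed there too.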
@@ -895,10 +919,10 @@
 	 */
 	function getCannedResponses() {
 		if (!isset($this->cannedresponses_res)) {
-			$sql="SELECT id,title
+			$this->cannedresponses_res = db_query_params ('SELECT id,title
 				FROM artifact_canned_responses 
-				WHERE group_artifact_id='". $this->getID() ."'";
-			$this->cannedresponses_res = db_query($sql);
+				WHERE group_artifact_id=$1',
+								      array ($this->getID()));
 		}
 		return $this->cannedresponses_res;
 	}
@@ -916,8 +940,7 @@
 	 */
 	function getStatuses() {
 		if (!isset($this->status_res)) {
-			$sql="select * from artifact_status";
-			$this->status_res=db_query($sql);
+			$this->status_res = db_query_params ('SELECT * FROM artifact_status');
 		}
 		return $this->status_res;
 	}
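Review bot: The rewritten `db_query_params ('SELECT * FROM artifact_status')` passes no parameter array, unlike every other call site in this commit, so it relies on `db_query_params` defaulting its second argument; if that default is not guaranteed, the call fails. For consistency with the surrounding code, write `db_query_params ('SELECT * FROM artifact_status', array ())`.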
@@ -929,8 +952,8 @@
 	 * @return	string	name.
 	 */
 	function getStatusName($id) {
-		$sql="select status_name from artifact_status WHERE id='$id'";
-		$result=db_query($sql);
+		$result = db_query_params ('select status_name from artifact_status WHERE id=$1',
+					   array ($id)) ;
 		if ($result && db_numrows($result) > 0) {
 			return db_result($result,0,'status_name');
 		} else {
@@ -1016,13 +1039,15 @@
 			return 0;
 		} else {
 			if (!isset($this->current_user_perm)) {
-				$sql="SELECT role_setting.value::integer
+				$this->current_user_perm=db_result(db_query_params ('SELECT role_setting.value::integer
 				FROM role_setting, user_group
-				WHERE role_setting.ref_id='". $this->getID() ."'
-				AND user_group.role_id = role_setting.role_id
-                                AND user_group.user_id='".user_getid()."'
-                                AND role_setting.section_name='tracker'";
-				$this->current_user_perm=db_result(db_query($sql),0,0);
+				WHERE role_setting.ref_id=$1
+				AND user_group.role_id=role_setting.role_id
+                                AND user_group.user_id=$2
+                                AND role_setting.section_name=$3',
+										    array ($this->getID(),
+											   user_getid(),
+											   'tracker'))) ;
 			}
 			return $this->current_user_perm;
 		}
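Review bot: The row and field arguments to `db_result()` were lost in the rewrite: the three closing parentheses after `'tracker'` close the `array (...)`, the `db_query_params (...)` call and the `db_result (...)` call, so `db_result()` now receives only the result handle, whereas the removed line read `db_result(db_query($sql),0,0)`. The final line should be `'tracker')), 0, 0) ;` so the permission value is still read from row 0, column 0. The enclosing method starts outside the hunk.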
@@ -1071,20 +1096,29 @@
 		$email_all = ((!$email_all) ? 0 : $email_all); 
 		$use_resolution = ((!$use_resolution) ? 0 : $use_resolution); 
 
-		$sql="UPDATE artifact_group_list SET 
-			name='". htmlspecialchars($name). "',
-			description='". htmlspecialchars($description) ."',
-			email_all_updates='$email_all',
-			email_address='$email_address',
-			due_period='". ($due_period * (60*60*24)) ."',
-			status_timeout='". ($status_timeout * (60*60*24)) . "',
-			submit_instructions='". htmlspecialchars($submit_instructions)."',
-			browse_instructions='" .htmlspecialchars($browse_instructions)."'
-			WHERE 
-			group_artifact_id='". $this->getID() ."' 
-			AND group_id='". $this->Group->getID() ."'";
+		$res = db_query_params  ('UPDATE artifact_group_list SET 
+			name=$1,
+			description=$2,
+			email_all_updates=$3,
+			email_address=$4,
+			due_period=$5,
+			status_timeout=$6,
+			submit_instructions=$7,
+			browse_instructions=$8
+			WHERE group_artifact_id=$9 AND group_id=$10',
+					 array (
+						 htmlspecialchars($name),
+						 htmlspecialchars($description),
+						 $email_all,
+						 $email_address,
+						 $due_period * (60*60*24),
+						 $status_timeout * (60*60*24),
+						 htmlspecialchars($submit_instructions),
+						 htmlspecialchars($browse_instructions),
+						 $this->getID(),
+						 $this->Group->getID())) ;
 
-		$res=db_query($sql);
+		($sql);
 		if (!$res || db_affected_rows($res) < 1) {
 			$this->setError('ArtifactType::Update(): '.db_error());
 			return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypeFactory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypeFactory.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypeFactory.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2002, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -90,36 +91,44 @@
 		if (session_loggedin()) {
 			$perm =& $this->Group->getPermission( session_get_user() );
 			if (!$perm || !is_object($perm) || !$perm->isMember()) {
-				$public_flag='=1';
-				$exists = '';
+				$result = db_query_params ('SELECT * FROM artifact_group_list_vw
+			WHERE group_id=$1
+			AND is_public=1
+			ORDER BY group_artifact_id ASC',
+							   array ($this->Group->getID())) ;
 			} else {
-				$public_flag='<3';
 				if ($perm->isArtifactAdmin()) {
-					$exists='';
+					$result = db_query_params ('SELECT * FROM artifact_group_list_vw
+			WHERE group_id=$1
+			AND is_public<3
+			ORDER BY group_artifact_id ASC',
+								   array ($this->Group->getID())) ;
 				} else {
-					$exists=" AND group_artifact_id IN (SELECT role_setting.ref_id
+					$result = db_query_params ('SELECT * FROM artifact_group_list_vw
+			WHERE group_id=$1
+			AND is_public<3
+                        AND group_artifact_id IN (SELECT role_setting.ref_id
 					FROM role_setting, user_group
 					WHERE role_setting.value::integer >= 0
-                                          AND role_setting.section_name = 'tracker'
+                                          AND role_setting.section_name = $2
                                           AND role_setting.ref_id=artifact_group_list_vw.group_artifact_id
                                           
    					  AND user_group.role_id = role_setting.role_id
-					  AND user_group.user_id='".user_getid()."') ";
+					  AND user_group.user_id = $3
+			ORDER BY group_artifact_id ASC',
+								   array ($this->Group->getID(),
+									  'tracker',
+									  user_getid ())) ;
 				}
 			}
 		} else {
-			$public_flag='=1';
-			$exists = '';
+			$result = db_query_params ('SELECT * FROM artifact_group_list_vw
+			WHERE group_id=$1
+			AND is_public=1
+			ORDER BY group_artifact_id ASC',
+						   array ($this->Group->getID())) ;
 		}
 
-		$sql="SELECT * FROM artifact_group_list_vw
-			WHERE group_id='". $this->Group->getID() ."'
-			AND is_public $public_flag
-			$exists
-			ORDER BY group_artifact_id ASC";
-
-		$result = db_query ($sql);
-
 		$rows = db_numrows($result);
 
 		if (!$result || $rows < 1) {

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypes.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypes.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactTypes.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2002-2004, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -71,8 +72,9 @@
 	function createTrackers() {
 
 		// first, check if trackers already exist
-		$res=db_query("SELECT * FROM artifact_group_list 
-			WHERE group_id='".$this->Group->getID()."' AND datatype > 0");
+		$res = db_query_params ('SELECT * FROM artifact_group_list 
+			WHERE group_id=$1 AND datatype > 0',
+					array ($this->Group->getID()));
 		if (db_numrows($res) > 0) {
 			return true;
 		}

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifacts.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifacts.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/Artifacts.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -4,6 +4,7 @@
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2002-2004, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -88,16 +89,11 @@
 		if (!$offset) {
 			$offset = 0;
 		}
+		$res = db_query_params ('SELECT * FROM artifact_vw WHERE group_artifact_id=$1',
+					array ($this->ArtifactType->getID()),
+					500,
+					$offset) ;
 
-		$sql = "SELECT 
-					* 
-				FROM 
-					artifact_vw 
-				WHERE 
-					group_artifact_id='". $this->ArtifactType->getID() ."'";
-	
-		$res = db_query($sql,500,$offset);
-
 		if (!$res) {
 			$this->setError('Could not get artifacts: ' . db_error());
 			return false;

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactsForUser.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactsForUser.class.php	2011-02-28 01:24:15 UTC (rev 13238)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/common/tracker/ArtifactsForUser.class.php	2011-02-28 01:24:19 UTC (rev 13239)
@@ -3,6 +3,7 @@
  * FusionForge trackers
  *
  * Copyright 2002, GForge, LLC
+ * Copyright 2009, Roland Mas
  *
  * This file is part of FusionForge.
  *
@@ -50,9 +51,9 @@
 	*	@param	sql	The sql that returns artifact_id
 	*	@return	Artifact[]	The array of Artifacts
 	*/
-	function & getArtifactsFromSQL($sql) {
+	function &getArtifactsFromSQLwithParams ($sql, $params) {
 		$artifacts = array();
-		$result=db_query($sql);
+		$result = db_query_params ($sql, $params);
 		$rows=db_numrows($result);
 		if ($rows<=0) {
 			return $artifacts;
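Review bot: The docblock above the renamed method still documents only `@param sql`; the new `$params` argument has no entry. Add `*	@param	params	Array of values bound to the $N placeholders in sql` after the `@param sql` line (the docblock itself starts outside the hunk). Because `getArtifactsFromSQL` is removed rather than kept as a thin wrapper, any caller outside this file that still used the old name would break; whether such callers exist is not visible here.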
@@ -74,10 +75,10 @@
 	*	getAssignedArtifacts	- Get the users's assigned artifacts
 	*	@return	Artifact[]	The array of Artifacts
 	*/
-	function & getAssignedArtifactsByGroup() {
-		$sql="SELECT * FROM artifact_vw av WHERE av.assigned_to=".$this->User->getID()."
-			AND av.status_id='1' ORDER BY av.group_artifact_id, av.artifact_id DESC";
-		return $this->getArtifactsFromSQL($sql);
+	function &getAssignedArtifactsByGroup() {
+		return $this->getArtifactsFromSQLwithParams('SELECT * FROM artifact_vw av WHERE av.assigned_to=$1 AND av.status_id=1 ORDER BY av.group_artifact_id, av.artifact_id DESC',
+							    array($this->User->getID())) ;
+								  
 	}
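Review bot: The added line between the `return $this->getArtifactsFromSQLwithParams(...)` statement and the closing brace contains only tabs and spaces; it should be removed so the method body ends directly after the `return`.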
 
 	/**
@@ -85,13 +86,9 @@
 	*
 	*	@return Artifact[] The array of Artifacts
 	*/
-	function & getSubmittedArtifactsByGroup() {
-		$sql="SELECT *
-			FROM artifact_vw av
-			WHERE av.submitted_by=".$this->User->getID()."
-			AND av.status_id='1'
-			ORDER BY av.group_artifact_id, av.artifact_id DESC";
-		return $this->getArtifactsFromSQL($sql);
+	function &getSubmittedArtifactsByGroup() {
+		return $this->getArtifactsFromSQLwithParams('SELECT * FROM artifact_vw av WHERE av.submitted_by=$1 AND av.status_id=1 ORDER BY av.group_artifact_id, av.artifact_id DESC',
+							    array($this->User->getID())) ;
 	}
 }
 


