Use placeholder parameters to prevent string interpolation in SQL queries.

lib/WebGUI/Macro/UsersOnline.pm

@@ -191,14 +191,13 @@ sub _visitors {
  	# increase the count artificially. Note, that the number determined here
 	# may deviate from the number of items returned in the visitor loop.
 	$var->{'visitors'} = $db->quickScalar("SELECT COUNT(DISTINCT lastIp) FROM " . 
-		"userSession WHERE (lastPageView > $epoch) AND (userId = 1) AND " .
+		"userSession WHERE (lastPageView > ?) AND (userId = 1) AND " .
-		"lastIp NOT LIKE '127.%.%.%'" . $ip_clause);
+		"lastIp NOT LIKE '127.%.%.%'" . $ip_clause, [$epoch]);
 	  
 	# Query session IDs and IPs of visitors
-	my $query = $db->prepare("SELECT sessionId, lastIp, lastPageView FROM " .
+	my $query = $db->read("SELECT sessionId, lastIp, lastPageView FROM " .
-		"userSession WHERE (lastPageView > $epoch) AND (userId = 1) AND " .
+		"userSession WHERE (lastPageView > ?) AND (userId = 1) AND " .
-		"lastIp NOT LIKE '127.%.%.%' " . $ip_clause . "LIMIT $maxVisitors");
+		"lastIp NOT LIKE '127.%.%.%' " . $ip_clause . "LIMIT ?", [$epoch, $maxVisitors]);
-	$query->execute;
 
 	# Iterate through rows
 	while (my %row = $query->hash) {
@@ -255,15 +254,14 @@ sub _members {
 	# Determine the number of registered users that are online. The Admin 
 	# account is excluded from the list.
 	$var->{'members'} = $db->quickScalar("SELECT COUNT(DISTINCT userId) FROM " . 
-		"userSession where (lastPageView > $epoch) and (userId != '1') and " . 
+		"userSession where (lastPageView > ?) and (userId != '1') and " . 
-		"(userId != '3')");
+		"(userId != '3')", [$epoch]);
 
 	# Query the names of registered users that are online. The showOnline flag
 	# in the user profile is respected.
-	my $query = $db->prepare("SELECT userId, sessionId, lastIp, lastPageView " . 
+	my $query = $db->read("SELECT userId, sessionId, lastIp, lastPageView " . 
-		"FROM userSession WHERE (lastPageView > $epoch) AND (userId != '1') " .
+		"FROM userSession WHERE (lastPageView > ?) AND (userId != '1') " .
-		"AND (userId != '3') LIMIT $maxMembers");
+		"AND (userId != '3') LIMIT ?", [$epoch, $maxMembers]);
-	$query->execute;
 
 	# Iterate through rows
 	while (my %row = $query->hash) {