fix quoting in dbFacile :)

git-svn-id: http://www.observium.org/svn/observer/trunk@2288 61d68cd4-352d-0410-923a-c4978735b2b8
Adam Amstrong
2011-05-12 21:46:16 +00:00
parent f04a88ed90
commit e9865c792b


@@ -24,6 +24,7 @@ Usage
function dbQuery($sql, $parameters = array()) { function dbQuery($sql, $parameters = array()) {
global $fullSql; global $fullSql;
$fullSql = dbMakeQuery($sql, $parameters); $fullSql = dbMakeQuery($sql, $parameters);
echo("$fullSql");
/* /*
if($this->logFile) if($this->logFile)
$time_start = microtime(true); $time_start = microtime(true);
@@ -61,7 +62,7 @@ function dbInsert($data, $table) {
//trigger_error('QDB - Parameters passed to insert() were in reverse order, but it has been allowed', E_USER_NOTICE); //trigger_error('QDB - Parameters passed to insert() were in reverse order, but it has been allowed', E_USER_NOTICE);
} }
$sql = 'insert into ' . $table . ' (' . implode(',', array_keys($data)) . ') values(' . implode(',', dbPlaceHolders($data)) . ')'; $sql = 'INSERT INTO `' . $table . '` (`' . implode('`,`', array_keys($data)) . '`) VALUES (' . implode(',', dbPlaceHolders($data)) . ')';
dbBeginTransaction(); dbBeginTransaction();
$result = dbQuery($sql, $data); $result = dbQuery($sql, $data);
@@ -79,7 +80,7 @@ function dbInsert($data, $table) {
} }
/* /*
* Passed an array, table name, where clause, and placeholder parameters, it attempts to update a record. * Passed an array, table name, WHERE clause, and placeholder parameters, it attempts to update a record.
* Returns the number of affected rows * Returns the number of affected rows
* */ * */
function dbUpdate($data, $table, $where = null, $parameters = array()) { function dbUpdate($data, $table, $where = null, $parameters = array()) {
@@ -96,15 +97,15 @@ function dbUpdate($data, $table, $where = null, $parameters = array()) {
} }
// need field name and placeholder value // need field name and placeholder value
// but how merge these field placeholders with actual $parameters array for the where clause // but how merge these field placeholders with actual $parameters array for the WHERE clause
$sql = 'update ' . $table . ' set '; $sql = 'UPDATE `' . $table . '` set ';
foreach($data as $key => $value) { foreach($data as $key => $value) {
$sql .= $key . '=:' . $key . ','; $sql .= "`".$key."` ". '=:' . $key . ',';
} }
$sql = substr($sql, 0, -1); // strip off last comma $sql = substr($sql, 0, -1); // strip off last comma
if($where) { if($where) {
$sql .= ' where ' . $where; $sql .= ' WHERE ' . $where;
$data = array_merge($data, $parameters); $data = array_merge($data, $parameters);
} }
@@ -117,9 +118,9 @@ function dbUpdate($data, $table, $where = null, $parameters = array()) {
} }
function dbDelete($table, $where = null, $parameters = array()) { function dbDelete($table, $where = null, $parameters = array()) {
$sql = 'delete from ' . $table; $sql = 'DELETE FROM `' . $table.'`';
if($where) { if($where) {
$sql .= ' where ' . $where; $sql .= ' WHERE ' . $where;
} }
if(dbQuery($sql, $parameters)) { if(dbQuery($sql, $parameters)) {
return mysql_affected_rows(); return mysql_affected_rows();
@@ -228,65 +229,71 @@ function dbFetchKeyValue($sql, $parameters = array()) {
* PDO drivers don't need to use this * PDO drivers don't need to use this
*/ */
function dbMakeQuery($sql, $parameters) { function dbMakeQuery($sql, $parameters) {
// bypass extra logic if we have no parameters // bypass extra logic if we have no parameters
if(sizeof($parameters) == 0) if(sizeof($parameters) == 0)
return $sql; return $sql;
$parts = explode('?', $sql);
$query = array_shift($parts); // put on first part
$parameters = dbPrepareData($parameters); $parameters = dbPrepareData($parameters);
$newParams = array(); // separate the two types of parameters for easier handling
// replace question marks first $questionParams = array();
foreach($parameters as $key => $value) { $namedParams = array();
if(is_numeric($key)) { foreach($parameters as $key => $value) {
$query .= $value . array_shift($parts); if(is_numeric($key)) {
//$newParams[ $key ] = $value; $questionParams[] = $value;
} else { } else {
$newParams[ ':' . $key ] = $value; $namedParams[ ':' . $key ] = $value;
}
} }
} // sort namedParams in reverse to stop substring squashing
// now replace name place-holders krsort($namedParams);
// replace place-holders with quoted, escaped values
/*
var_dump($query);
var_dump($newParams);exit;
*/
// sort newParams in reverse to stop substring squashing // split on question-mark and named placeholders
krsort($newParams); $result = preg_split('/(\?|:[a-zA-Z0-9_-]+)/', $sql, -1, PREG_SPLIT_NO_EMPTY|PREG_SPLIT_DELIM_CAPTURE);
$query = str_replace( array_keys($newParams), $newParams, $query);
//die($query); // every-other item in $result will be the placeholder that was found
return $query;
$query = '';
for($i = 0; $i < sizeof($result); $i+=2) {
$query .= $result[ $i ];
$j = $i+1;
if(array_key_exists($j, $result)) {
$test = $result[ $j ];
if($test == '?') {
$query .= array_shift($questionParams);
} else {
$query .= $namedParams[ $test ];
}
}
}
return $query;
} }
/*
* This should be protected and overloadable by driver classes
*/
function dbPrepareData($data) { function dbPrepareData($data) {
$values = array(); $values = array();
foreach($data as $key=>$value) { foreach($data as $key=>$value) {
$escape = true; $escape = true;
// new way to determine whether to quote and escape // don't quote or esc if value is an array, we treat it
// if value is an array, we treat it as a "decorator" that tells us not to escape the // as a "decorator" that tells us not to escape the
// value contained in the array // value contained in the array
if(is_array($value) && !is_object($value)) { if(is_array($value) && !is_object($value)) {
$escape = false; $escape = false;
$value = array_shift($value); $value = array_shift($value);
}
// it's not right to worry about invalid fields in this method because we may be operating on fields
// that are aliases, or part of other tables through joins
//if(!in_array($key, $columns)) // skip invalid fields
// continue;
if($escape) {
$values[$key] = "'" . mysql_real_escape_string($value) . "'";
} else
$values[$key] = $value;
} }
// it's not right to worry about invalid fields in this method because we may be operating on fields return $values;
// that are aliases, or part of other tables through joins
//if(!in_array($key, $columns)) // skip invalid fields
// continue;
if($escape)
$values[$key] = "'" . mysql_real_escape_string($value) . "'";
else
$values[$key] = $value;
} }
return $values;
}
/* /*
* Given a data array, this returns an array of placeholders * Given a data array, this returns an array of placeholders