PageRenderTime 55ms CodeModel.GetById 15ms RepoModel.GetById 0ms app.codeStats 0ms

/frontend/php/include/database.php

#
PHP | 388 lines | 283 code | 37 blank | 68 comment | 49 complexity | 0c485f8cb9af357f47d93337d5c10861 MD5 | raw file
Possible License(s): AGPL-3.0 
    

  1. <?php
    2. 

  2. # Database access wrappers, with quoting/escaping
    3. 

  3. # Copyright (C) 1999-2000  The SourceForge Crew
    4. 

  4. # Copyright (C) 2004-2005  Elfyn McBratney <elfyn--emcb.co.uk>
    5. 

  5. # Copyright (C) 2004-2005  Mathieu Roy <yeupou--gnu.org>
    6. 

  6. # Copyright (C) 2000-2006  John Lim (ADOdb)
    7. 

  7. # Copyright (C) 2007  Cliss XXI (GCourrier)
    8. 

  8. # Copyright (C) 2006, 2007  Sylvain Beucler
    9. 

  9. #
    10. 

  10. # This file is part of Savane.
    11. 

  11. # 
    12. 

  12. # Savane is free software: you can redistribute it and/or modify
    13. 

  13. # it under the terms of the GNU Affero General Public License as
    14. 

  14. # published by the Free Software Foundation, either version 3 of the
    15. 

  15. # License, or (at your option) any later version.
    16. 

  16. # 
    17. 

  17. # Savane is distributed in the hope that it will be useful,
    18. 

  18. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    19. 

  19. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    20. 

  20. # GNU Affero General Public License for more details.
    21. 

  21. # 
    22. 

  22. # You should have received a copy of the GNU Affero General Public License
    23. 

  23. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    24. 

  24. 

  25. define('DB_AUTOQUERY_INSERT', 1);
    26. 

  26. define('DB_AUTOQUERY_UPDATE', 2);
    27. 

  27. 

  28. function db_connect() 
    29. 

  29. {
    30. 

  30.   global $sys_dbhost,$sys_dbuser,$sys_dbpasswd,$conn,$sys_dbname;
    31. 

  31. 

  32.   // Test the presence of php-mysql - you get a puzzling blank page
    33. 

  33.   // when it's not installed
    34. 

  34.   if (!extension_loaded('mysql')) {
    35. 

  35.     echo "Please install the MySQL extension for PHP:
    36. 

  36.     <ul>
    37. 

  37.       <li>Debian-based: <code>aptitude install php4-mysql</code>
    38. 

  38.         or <code>aptitude install php5-mysql</code></li>
    39. 

  39.       <li>Fedora Core: <code>yum install php-mysql</code></li>
    40. 

  40.     </ul>";
    41. 

  41.     echo "Check the <a href='{$GLOBALS['sys_url_topdir']}/testconfig.php'>configuration
    42. 

  42.           page</a> and the <a href='http://php.net/mysql'>PHP website</a> for
    43. 

  43.           more information.<br />";
    44. 

  44.     echo "Once the extension is installed, please restart Apache.";
    45. 

  45.     exit;
    46. 

  46.   }
    47. 

  47. 

  48.   $conn = @mysql_connect($sys_dbhost,$sys_dbuser,$sys_dbpasswd);
    49. 

  49.   if (!$conn or !mysql_select_db($sys_dbname, $conn)) {
    50. 

  50.     echo "Failed to connect to database: " . mysql_error() . "<br />";
    51. 

  51.     echo "Please contact as soon as possible server administrators {$GLOBALS['sys_email_adress']}.<br />";
    52. 

  52.     echo "Until this problem get fixed, you will not be able to use this site.";
    53. 

  53.     exit;
    54. 

  54.   }
    55. 

  55. 

  56.   if (version_compare(PHP_VERSION, '5.2.3', '>='))
    57. 

  57.     {
    58. 

  58.       mysql_set_charset('utf8', $conn);
    59. 

  59.     }
    60. 

  60.   else
    61. 

  61.     {
    62. 

  62.       // Not available in Etch (5.2.0 < 5.2.3...) - using a
    63. 

  63.       // work-around meanwhile. Apparently this means
    64. 

  64.       // mysql_real_escape_string() isn't aware of the charset, hence
    65. 

  65.       // why this isn't recommended.
    66. 

  66.       mysql_query('SET NAMES utf8');
    67. 

  67.     }
    68. 

  68. }
    69. 

  69. 

  70. // sprinf-like function to auto-escape SQL strings
    71. 

  71. // db_query_escape("SELECT * FROM user WHERE user_name='%s'", $_GET['myuser']);
    72. 

  72. function db_query_escape()
    73. 

  73. {
    74. 

  74.   $num_args = func_num_args();
    75. 

  75.   if ($num_args < 1)
    76. 

  76.     util_die(_("db_query_escape: Missing parameter"));
    77. 

  77.   $args = func_get_args();
    78. 

  78. 

  79.   // Escape all params except the query itself
    80. 

  80.   for ($i = 1; $i < $num_args; $i++)
    81. 

  81.     $args[$i] = mysql_real_escape_string($args[$i]);
    82. 

  82. 

  83.   $query = call_user_func_array('sprintf', $args);
    84. 

  84.   return db_query($query);
    85. 

  85. }
    86. 

  86. 

  87. // Substitute '?' with one of the values in the $inputarr array,
    88. 

  88. // properly escaped for inclusion in an SQL query
    89. 

  89. function db_variable_binding($sql, $inputarr=null) {
    90. 

  90.   $sql_expanded = $sql;
    91. 

  91.   if ($inputarr) {
    92. 

  92.     if (!is_array($inputarr))
    93. 

  93.       util_die("db_variable_binding: \$inputarr is not an array. Query is: <code>"
    94. 

  94. 	  . htmlspecialchars($sql) . "</code>, \$inputarr is <code>"
    95. 

  95. 	  . print_r($inputarr, 1) . "</code>");
    96. 

  96. 

  97.     $sql_exploded = explode('?', $sql);
    98. 

  98.     
    99. 

  99.     $i = 0;
    100. 

  100.     $sql_expanded = '';
    101. 

  101.     //Use each() instead of foreach to reduce memory usage -mikefedyk
    102. 

  102.     while(list(, $v) = each($inputarr)) {
    103. 

  103.       $sql_expanded .= $sql_exploded[$i];
    104. 

  104.       // from Ron Baldwin <ron.baldwin#sourceprose.com>
    105. 

  105.       // Only quote string types
    106. 

  106.       $typ = gettype($v);
    107. 

  107.       if ($typ == 'string')
    108. 

  108. 	$sql_expanded .= "'" . mysql_real_escape_string($v) . "'";
    109. 

  109.       else if ($typ == 'double')
    110. 

  110. 	$sql_expanded .= str_replace(',','.',$v); // locales fix so 1.1 does not get converted to 1,1
    111. 

  111.       else if ($typ == 'boolean')
    112. 

  112. 	$sql_expanded .= $v ? '1' : '0';
    113. 

  113.       else if ($typ == 'object')
    114. 

  114. 	util_die("Don't use db_execute with objects.");
    115. 

  115.       else if ($v === null)
    116. 

  116. 	$sql_expanded .= 'NULL';
    117. 

  117.       else
    118. 

  118. 	$sql_expanded .= $v;
    119. 

  119.       $i += 1;
    120. 

  120.     }
    121. 

  121. 

  122.     $match = true;
    123. 

  123.     if (isset($sql_exploded[$i])) {
    124. 

  124.       $sql_expanded .= $sql_exploded[$i];
    125. 

  125.       if ($i+1 != sizeof($sql_exploded))
    126. 

  126. 	$match = false;
    127. 

  127.     } else {
    128. 

  128.       $match = false;
    129. 

  129.     }
    130. 

  130.     if (!$match) {
    131. 

  131.       util_die("db_variable_binding: input array does not match query: <pre>"
    132. 

  132. 	   .htmlspecialchars($sql)
    133. 

  133. 	   ."<br />"
    134. 

  134. 	   .print_r($inputarr, true));
    135. 

  135.     }
    136. 

  136.   }
    137. 

  137.   return $sql_expanded;
    138. 

  138. }
    139. 

  139. 

  140. /* Like ADOConnection->AutoExecute, without ignoring non-existing
    141. 

  141.  fields (you'll get a nice mysql_error() instead) and with a modified
    142. 

  142.  argument list to allow variable binding in the where clause
    143. 

    144. 

  144. This allows hopefully more reable lengthy INSERT and UPDATE queries.
    145. 

    146. 

  146. Check http://phplens.com/adodb/reference.functions.getupdatesql.html ,
    147. 

  147. http://phplens.com/adodb/tutorial.generating.update.and.insert.sql.html
    148. 

  148. and adodb.inc.php
    149. 

    150. 

  150. eg: 
    151. 

    152. 

  152. $success = db_autoexecute('user', array('realname' => $newvalue),
    153. 

  153. 		          DB_AUTOQUERY_UPDATE,
    154. 

  154. 			  "user_id=?", array(user_getid()));
    155. 

  155. */
    156. 

  156. function db_autoexecute($table, $dict, $mode=DB_AUTOQUERY_INSERT,
    157. 

  157. 			$where_condition=false, $where_inputarr=null)
    158. 

  158. {
    159. 

  159.   // table name validation and quoting
    160. 

  160.   $tables = preg_split('/[\s,]+/', $table);
    161. 

  161.   $tables_string = '';
    162. 

  162.   $first = true;
    163. 

  163.   foreach ($tables as $table)
    164. 

  164.     {
    165. 

  165.       if (!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]+$/', $table))
    166. 

  166. 	util_die("db_autoexecute: invalid table name: " . htmlspecialchars($table));
    167. 

  167. 

  168.       if ($first)
    169. 

  169. 	{
    170. 

  170. 	  $tables_string = "`$table`";
    171. 

  171. 	  $first = false;
    172. 

  172. 	}
    173. 

  173.       else 
    174. 

  174. 	{
    175. 

  175. 	  $tables_string .= ",`$table`";
    176. 

  176. 	}
    177. 

  177.     }
    178. 

  178. 

  179.   switch((string) $mode) {
    180. 

  180.   case 'INSERT':
    181. 

  181.   case '1':
    182. 

  182.     // Quote fields to avoid problem with reserved words (bug #8898@gna)
    183. 

  183.     // TODO: do connections with ANSI_QUOTES mode and use the standard
    184. 

  184.     // "'" field delimiter
    185. 

  185.     $first = true;
    186. 

  186.     foreach (array_keys($dict) as $field)
    187. 

  187.       {
    188. 

  188. 	if ($first)
    189. 

  189. 	  {
    190. 

  190. 	    $fields = "`$field`";
    191. 

  191. 	    $first = false;
    192. 

  192. 	  }
    193. 

  193. 	else 
    194. 

  194. 	  {
    195. 

  195. 	    $fields .= ",`$field`";
    196. 

  196. 	  }
    197. 

  197.       }
    198. 

  198.     // $fields = `date`,`summary`,...
    199. 

  199.     $question_marks = implode(',', array_fill(0, count($dict), '?')); // ?,?,...
    200. 

  200.     return db_execute("INSERT INTO $tables_string ($fields) VALUES ($question_marks)",
    201. 

  201. 		     array_values($dict));
    202. 

  202.     break;
    203. 

  203.   case 'UPDATE':
    204. 

  204.   case '2':
    205. 

  205.     $sql_fields = '';
    206. 

  206.     $values = array();
    207. 

  207.     while (list($field,$value) = each($dict)) {
    208. 

  208.       $sql_fields .= "`$field`=?,";
    209. 

  209.       $values[] = $value;
    210. 

  210.     }
    211. 

  211.     $sql_fields = rtrim($sql_fields, ',');
    212. 

  212.     $values = array_merge($values, $where_inputarr);
    213. 

  213.     $where_sql = $where_condition ? "WHERE $where_condition" : '';
    214. 

  214.     return db_execute("UPDATE $tables_string SET $sql_fields $where_sql", $values);
    215. 

  215.     break;
    216. 

  216.   default:
    217. 

  217.     // no default
    218. 

  218.   }
    219. 

  219.   util_die("db_autoexecute: unknown mode=$mode");
    220. 

  220. }
    221. 

  221. 

  222. /* Like ADOConnection->Execute, with variables binding emulation for
    223. 

  223. MySQL, but simpler (not 2D-array, namely). Example:
    224. 

    225. 

  225. db_execute("SELECT * FROM utilisateur WHERE name=?", array("Gogol d'Algol"));
    226. 

    227. 

  227. 'db_autoexecute' replaces '?' with the matching parameter, taking its
    228. 

  228. type into account (int -> int, string -> quoted string, float ->
    229. 

  229. canonical representation, etc.)
    230. 

    231. 

  231. Check http://phplens.com/adodb/reference.functions.execute.html and
    232. 

  232. adodb.inc.php
    233. 

  233. */
    234. 

  234. function db_execute($sql, $inputarr=null)
    235. 

  235. {
    236. 

  236. #    echo a; # makes xdebug produce a stacktrace
    237. 

  237.   $expanded_sql = db_variable_binding($sql, $inputarr);
    238. 

  238.   return db_query($expanded_sql);
    239. 

  239. }
    240. 

  240. 

  241. function db_query($qstring,$print=0) 
    242. 

  242. {
    243. 

  243.   // echo a; // makes xdebug produce a stacktrace
    244. 

  244. 

  245.   // Store query for recap display
    246. 

  246.   if ($GLOBALS['sys_debug_on']) {
    247. 

  247.     $GLOBALS['debug_query_count']++;
    248. 

  248.     $backtrace = debug_backtrace();
    249. 

  249.     $outside = null;
    250. 

  250.     foreach ($backtrace as $step) {
    251. 

  251.       if ($step['file'] != __FILE__) {
    252. 

  252. 	$outside = $step;
    253. 

  253. 	break;
    254. 

  254.       }
    255. 

  255.     }
    256. 

  256.     // strip installation prefix
    257. 

  257.     $relative_path = str_replace($GLOBALS['sys_www_topdir'].'/', '', $outside['file']);
    258. 

  258.     $location = "$relative_path:{$outside['line']}";
    259. 

  259.     array_push($GLOBALS['debug_queries'], array($qstring, $location));
    260. 

  260.   }
    261. 

  261. 

  262.   if ($GLOBALS['sys_debug_sqlprofiler'] && extension_loaded('XCache'))
    263. 

  263.     {
    264. 

  264.       $backtrace = debug_backtrace();
    265. 

  265.       $outside = null;
    266. 

  266.       foreach ($backtrace as $step) {
    267. 

  267.         if ($step['file'] != __FILE__) {
    268. 

  268.           $outside = $step;
    269. 

  269.           break;
    270. 

  270.         }
    271. 

  271.       }
    272. 

  272.       // strip installation prefix
    273. 

  273.       $relative_path = str_replace($GLOBALS['sys_www_topdir'].'/', '', $outside['file']);
    274. 

  274.       $location = "$relative_path:{$outside['line']}";
    275. 

  275. 

  276.       xcache_inc($location);
    277. 

  277.     }
    278. 

  278. 

  279.   if ($print)
    280. 

  280.     {
    281. 

  281.       print "<pre>[";
    282. 

  282.       print_r($qstring);
    283. 

  283.       print "</pre>]";
    284. 

  284.     }
    285. 

  285. 

  286.   $GLOBALS['db_qhandle'] = mysql_query($qstring);
    287. 

  287.   if (!$GLOBALS['db_qhandle']) {
    288. 

  288.     // throw new Exception('db_query: SQL query error in ['.$qstring.']: ' . mysql_error());
    289. 

  289.     util_die('db_query: SQL query error ' .
    290. 

  290. 	     '<em>'.mysql_error().'</em> in ['
    291. 

  291. 	     . htmlspecialchars($qstring) . ']');
    292. 

  292.   }
    293. 

  293.   return $GLOBALS['db_qhandle'];
    294. 

  294. }
    295. 

  295. 

  296. function db_numrows($qhandle) 
    297. 

  297. {
    298. 

  298.   # return only if qhandle exists, otherwise 0
    299. 

  299.   if ($qhandle) {
    300. 

  300.     return mysql_numrows($qhandle);
    301. 

  301.   } else {
    302. 

  302.     return 0;
    303. 

  303.   }
    304. 

  304. }
    305. 

  305. 

  306. function db_free_result($qhandle) 
    307. 

  307. {
    308. 

  308.   return mysql_free_result($qhandle);
    309. 

  309. }
    310. 

  310. 

  311. function db_result($qhandle,$row,$field) 
    312. 

  312. {
    313. 

  313.   return mysql_result($qhandle,$row,$field);
    314. 

  314. }
    315. 

  315. 

  316. function db_numfields($lhandle) 
    317. 

  317. {
    318. 

  318.   return mysql_numfields($lhandle);
    319. 

  319. }
    320. 

  320. 

  321. function db_fieldname($lhandle,$fnumber) 
    322. 

  322. {
    323. 

  323.   return mysql_field_name($lhandle,$fnumber);
    324. 

  324. }
    325. 

  325. 

  326. function db_affected_rows($qhandle) 
    327. 

  327. {
    328. 

  328.   return mysql_affected_rows();
    329. 

  329. }
    330. 

  330. 	
    331. 

  331. function db_fetch_array($qhandle = 0) 
    332. 

  332. {
    333. 

  333. 

  334.   if ($qhandle) {
    335. 

  335.     return mysql_fetch_array($qhandle);
    336. 

  336.   } else {
    337. 

  337.     if (isset($GLOBALS['db_qhandle'])) {
    338. 

  338.       return mysql_fetch_array($GLOBALS['db_qhandle']);
    339. 

  339.     } else {
    340. 

  340.       return (array());
    341. 

  341.     }
    342. 

  342.   }
    343. 

  343. }
    344. 

  344. 	
    345. 

  345. function db_insertid($qhandle) 
    346. 

  346. {
    347. 

  347. 

  348.   return mysql_insert_id();
    349. 

  349. }
    350. 

  350. 

  351. function db_error() 
    352. 

  352. {
    353. 

  353.   return mysql_error();
    354. 

  354. }
    355. 

  355. 

  356. # Return an sql insert command taking in input a qhandle:
    357. 

  357. # it is supposed to ease copy a a row into another, ignoring the autoincrement
    358. 

  358. # field + replacing another field value (like group_id)
    359. 

  359. function db_createinsertinto ($result, $table, $row, $autoincrement_fieldname, $replace_fieldname='zxry', $replace_value='axa')
    360. 

  360. {
    361. 

  361.   $fields = array();
    362. 

  362.   for ($i = 0; $i < db_numfields($result); $i++) 
    363. 

  363.     { 
    364. 

  364.       $fieldname = db_fieldname($result, $i);
    365. 

  365.       // Create the sql by ignoring the autoincremental id
    366. 

  366.       if ($fieldname != $autoincrement_fieldname)
    367. 

  367. 	{
    368. 

  368. 	  // If the value is empty
    369. 

  369. 	  if (db_result($result, $row, $fieldname) != NULL)
    370. 

  370. 	    {
    371. 

  371. 	      // Replace another field
    372. 

  372. 	      if ($fieldname == $replace_fieldname)
    373. 

  373. 		{
    374. 

  374. 		  $fields[$fieldname] = $replace_value;
    375. 

  375. 		}
    376. 

  376. 	      else
    377. 

  377. 		{
    378. 

  378. 		  $fields[$fieldname] = db_result($result, $row, $fieldname);
    379. 

  379. 		}
    380. 

  380. 	    }
    381. 

  381. 	    }
    382. 

  382.     }
    383. 

  383.   // No fields? Ignore
    384. 

  384.   if (count($fields) == 0)
    385. 

  385.     { return 0; }
    386. 

  386. 

  387.   return db_autoexecute($table, $fields, DB_AUTOQUERY_INSERT);
    388. 

  388. }
    389. 

  389.