PageRenderTime 68ms CodeModel.GetById 19ms RepoModel.GetById 3ms app.codeStats 0ms

/class_safesql.php

https://bitbucket.org/ladasoukup/sb_eventlogmonitor
PHP | 267 lines | 145 code | 27 blank | 95 comment | 28 complexity | d1f5fd14586b699c79895ddaa7eeb723 MD5 | raw file
Possible License(s): Unlicense 
    

  1. <?php
    2. 

  2. /*
    3. 

  3.  * Project:     SafeSQL: db access library extension
    4. 

  4.  * File:        SafeSQL.class.php
    5. 

  5.  * Author:      Monte Ohrt <monte@ispi.net>
    6. 

  6.  *
    7. 

  7.  * Version:     2.1
    8. 

  8.  * Date:        August 13, 2004
    9. 

  9.  * Copyright:   2001,2002,2003,2004 ispi of Lincoln, Inc.
    10. 

  10.  *
    11. 

  11.  * This library is free software; you can redistribute it and/or
    12. 

  12.  * modify it under the terms of the GNU Lesser General Public
    13. 

  13.  * License as published by the Free Software Foundation; either
    14. 

  14.  * version 2.1 of the License, or (at your option) any later version.
    15. 

  15.  *
    16. 

  16.  * This library is distributed in the hope that it will be useful,
    17. 

  17.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    18. 

  18.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    19. 

  19.  * Lesser General Public License for more details.
    20. 

  20.  *
    21. 

  21.  * You should have received a copy of the GNU Lesser General Public
    22. 

  22.  * License along with this library; if not, write to the Free Software
    23. 

  23.  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    24. 

  24.  *
    25. 

  25.  */
    26. 

  26. 

  27. class SafeSQL {
    28. 

  28. 	
    29. 

  29. 	// values that determine dropping bracketed sections
    30. 

  30. 	var $_drop_values = array('');
    31. 

  31. 	
    32. 

  32. /*======================================================================*\
    33. 

  33.     Function: SafeSQL
    34. 

  34.     Purpose:  constructor
    35. 

  35. \*======================================================================*/
    36. 

  36. 	function SafeSQL() { }
    37. 

  37. 

  38. /*======================================================================*\
    39. 

  39.     Function: buildquery
    40. 

  40.     Purpose:  process the query string
    41. 

  41. \*======================================================================*/
    42. 

  42. 	function query($query_string, $query_vars)
    43. 

  43. 	{		
    44. 

  44. 

  45. 		if(is_array($query_vars)) {
    46. 

  46. 			
    47. 

  47. 			$_var_count = count($query_vars);
    48. 

  48. 			
    49. 

  49. 			if($_var_count != preg_match_all('!%[sSiIfFcClLqQ]!', $query_string, $_match)) {
    50. 

  50. 				$this->_error_msg('unmatched number of vars and % placeholders: ' . $query_string);
    51. 

  51. 			}
    52. 

  52. 						
    53. 

  53. 			// get string position for each element
    54. 

  54. 			$_var_pos = array();
    55. 

  55. 			$_curr_pos = 0;
    56. 

  56. 			for( $_x = 0; $_x < $_var_count; $_x++ ) {
    57. 

  57. 				$_var_pos[$_x] = strpos($query_string, $_match[0][$_x], $_curr_pos);
    58. 

  58. 				$_curr_pos = $_var_pos[$_x] + 1;
    59. 

  59. 			}
    60. 

  60. 			// build query from passed in variables, escape them
    61. 

  61.             // start from end of query and work backwards so string
    62. 

  62.             // positions are not altered during replacement
    63. 

  63.             $_last_removed_pos = null;
    64. 

  64.             $_last_var_pos = null;
    65. 

  65. 			for( $_x = $_var_count-1; $_x >= 0; $_x-- ) {
    66. 

  66.                 if(isset($_last_removed_pos) && $_last_removed_pos < $_var_pos[$_x]) {
    67. 

  67.                     // already removed, skip
    68. 

  68.                     continue;
    69. 

  69.                 }
    70. 

  70. 				// escape string
    71. 

  71. 				$query_vars[$_x] = $this->_sql_escape($query_vars[$_x]);
    72. 

  72. 				if(in_array($_match[0][$_x], array('%S','%I','%F','%C','%L','%Q'))) {
    73. 

  73. 					// get positions of [ and ]
    74. 

  74.                     if(isset($_last_var_pos))
    75. 

  75. 					    $_right_pos = strpos($query_string, ']', $_last_var_pos);
    76. 

  76.                     else
    77. 

  77. 					    $_right_pos = strpos($query_string, ']', $_var_pos[$_x]);
    78. 

  78. 

  79.                     // no way to get strpos from the right side starting in the middle
    80. 

  80.                     // of the string, so slice the first part out then find it
    81. 

  81. 					$_str_slice = substr($query_string, 0, $_var_pos[$_x]);
    82. 

  82. 					$_left_pos = strrpos($_str_slice, '[');
    83. 

  83.                     
    84. 

  84. 					if($_right_pos === false || $_left_pos === false) {
    85. 

  85. 						$this->_error_msg('missing or unmatched brackets: ' . $query_string);
    86. 

  86. 					}
    87. 

  87. 					if(in_array($query_vars[$_x], $this->_drop_values, true)) {
    88. 

  88.                         $_last_removed_pos = $_left_pos;
    89. 

  89. 						// remove entire part of string
    90. 

  90. 						$query_string = substr_replace($query_string, '', $_left_pos, $_right_pos - $_left_pos + 1);
    91. 

  91.                         $_last_var_pos = null;			
    92. 

  92.                     } else if ($_x > 0 && $_var_pos[$_x-1] > $_left_pos) {
    93. 

  93.                         // still variables left in brackets, leave them and just replace var
    94. 

  94.                         $_convert_var = $this->_convert_var($query_vars[$_x], $_match[0][$_x]);
    95. 

  95. 						$query_string = substr_replace($query_string, $_convert_var, $_var_pos[$_x], 2);
    96. 

  96.                         $_last_var_pos = $_var_pos[$_x] + strlen($_convert_var);
    97. 

  97. 					} else {
    98. 

  98. 						// remove the brackets only, and replace %S
    99. 

  99. 						$query_string = substr_replace($query_string, '', $_right_pos, 1);											
    100. 

  100. 						$query_string = substr_replace($query_string, $this->_convert_var($query_vars[$_x], $_match[0][$_x]), $_var_pos[$_x], 2);
    101. 

  101. 						$query_string = substr_replace($query_string, '', $_left_pos, 1);
    102. 

  102.                         $_last_var_pos = null;
    103. 

  103. 					}
    104. 

  104. 				} else {
    105. 

  105. 					$query_string = substr_replace($query_string, $this->_convert_var($query_vars[$_x], $_match[0][$_x]), $_var_pos[$_x], 2);
    106. 

  106. 				}
    107. 

  107. 			}			
    108. 

  108. 		}
    109. 

  109. 		
    110. 

  110. 		return $query_string;
    111. 

  111. 						
    112. 

  112. 	}
    113. 

  113. 	
    114. 

  114. /*======================================================================*\
    115. 

  115.     Function: _convert_var
    116. 

  116.     Purpose:  convert a variable to the given type
    117. 

  117. 	Input:    $var - the variable
    118. 

  118. 			  $type - the type to convert to:
    119. 

  119. 			  	%i, %I - cast to integer
    120. 

  120. 				%f, %F - cast to float
    121. 

  121. 				%c, %C - comma separate, cast each element to integer
    122. 

  122. 				%l, %L - comma separate, no quotes, no casting
    123. 

  123. 				%q, %Q - quote/comma separate
    124. 

  124. \*======================================================================*/
    125. 

  125. 	function _convert_var($var, $type) {
    126. 

  126. 		switch($type) {
    127. 

  127. 			case '%i':
    128. 

  128. 			case '%I':
    129. 

  129. 				// cast to integer
    130. 

  130. 				settype($var, 'integer');
    131. 

  131. 				break;
    132. 

  132. 			case '%f':
    133. 

  133. 			case '%F':
    134. 

  134. 				// cast to float
    135. 

  135. 				settype($var, 'float');
    136. 

  136. 				break;
    137. 

  137. 			case '%c':
    138. 

  138. 			case '%C':
    139. 

  139. 				// comma separate
    140. 

  140. 				settype($var, 'array');
    141. 

  141. 				for($_x = 0 , $_y = count($var); $_x < $_y; $_x++) {
    142. 

  142. 					// cast to integers
    143. 

  143. 					settype($var[$_x], 'integer');
    144. 

  144. 				}
    145. 

  145. 				$var = implode(',', $var);
    146. 

  146. 				if($var == '') {
    147. 

  147. 					// force 0, keep syntax from breaking
    148. 

  148. 					$var = '0';
    149. 

  149. 				}
    150. 

  150. 				break;
    151. 

  151. 			case '%l':
    152. 

  152. 			case '%L':
    153. 

  153. 				// comma separate
    154. 

  154. 				settype($var, 'array');
    155. 

  155. 				$var = implode(',', $var);
    156. 

  156. 				break;
    157. 

  157. 			case '%q':
    158. 

  158. 			case '%Q':
    159. 

  159. 				settype($var, 'array');
    160. 

  160. 				// quote comma separate
    161. 

  161. 				$var = "'" . implode("','", $var) . "'";
    162. 

  162. 				break;
    163. 

  163. 		}
    164. 

  164. 		return $var;
    165. 

  165. 	}	
    166. 

  166. 

  167. /*======================================================================*\
    168. 

  168.     Function: error
    169. 

  169.     Purpose:  handle error messages
    170. 

  170. \*======================================================================*/
    171. 

  171. 	function _error_msg($error_msg) {
    172. 

  172. 		trigger_error('SafeSQL: ' . $error_msg);	
    173. 

  173. 	}
    174. 

  174. 

  175. /*======================================================================*\
    176. 

  176.     Function: SetDropValues
    177. 

  177.     Purpose:  
    178. 

  178. \*======================================================================*/
    179. 

  179. 	function set_drop_values($drop_values) {
    180. 

  180. 		if(is_array($drop_values)) {
    181. 

  181. 			$this->_drop_values = $drop_values;
    182. 

  182. 		} else {
    183. 

  183. 			$this->_error_msg('drop values must be an array');			
    184. 

  184. 		}
    185. 

  185. 	}
    186. 

  186. 

  187. /*======================================================================*\
    188. 

  188.     Function: GetDropValues
    189. 

  189.     Purpose:  
    190. 

  190. \*======================================================================*/
    191. 

  191. 	function get_drop_values() {
    192. 

  192. 		return $this->_drop_values;
    193. 

  193. 	}
    194. 

  194. 				
    195. 

  195. 		
    196. 

  196. /*======================================================================*\
    197. 

  197.     Function: _sql_escape
    198. 

  198.     Purpose:  method overridden by subclass
    199. 

  199. \*======================================================================*/
    200. 

  200. 	function _sql_escape() { }
    201. 

  201. 	
    202. 

  202. }
    203. 

  203. 		
    204. 

  204. class SafeSQL_MySQL extends SafeSQL {
    205. 

  205. 	
    206. 

  206. 	var $_link_id;	
    207. 

  207. 	
    208. 

  208. /*======================================================================*\
    209. 

  209.     Function: SafeSQL_MySQL
    210. 

  210.     Purpose:  constructor
    211. 

  211. \*======================================================================*/
    212. 

  212. 	function SafeSQL_MySQL($link_id = null) {
    213. 

  213. 		$this->_link_id = $link_id;
    214. 

  214. 	}
    215. 

  215. 

  216. /*======================================================================*\
    217. 

  217.     Function: _sql_escape
    218. 

  218.     Purpose:  recursively escape variables/arrays for SQL use
    219. 

  219. \*======================================================================*/
    220. 

  220. 	function _sql_escape($var) {
    221. 

  221. 		if(is_array($var)) {
    222. 

  222. 			foreach($var as $_element) {
    223. 

  223. 				$_newvar[] = $this->_sql_escape($_element);
    224. 

  224. 			}
    225. 

  225. 			return $_newvar;
    226. 

  226. 		}
    227. 

  227. 		if(function_exists('mysql_real_escape_string')) {
    228. 

  228. 			if(!isset($this->_link_id)) {
    229. 

  229. 				return mysql_real_escape_string($var);
    230. 

  230. 			} else {
    231. 

  231. 				return mysql_real_escape_string($var, $this->_link_id);
    232. 

  232. 			}
    233. 

  233. 		} elseif(function_exists('mysql_escape_string')) {
    234. 

  234. 			return mysql_escape_string($var);
    235. 

  235. 		} else {
    236. 

  236. 			return addslashes($var);
    237. 

  237. 		}	
    238. 

  238. 		break;
    239. 

  239. 	}	
    240. 

  240. }
    241. 

  241. 

  242. class SafeSQL_ANSI extends SafeSQL {
    243. 

  243. 	
    244. 

  244. 	
    245. 

  245. /*======================================================================*\
    246. 

  246.     Function: SafeSQL_ANSI
    247. 

  247.     Purpose:  constructor
    248. 

  248. \*======================================================================*/
    249. 

  249. 	function SafeSQL_ANSI() { }
    250. 

  250. 

  251. /*======================================================================*\
    252. 

  252.     Function: _sql_escape
    253. 

  253.     Purpose:  recursively escape variables/arrays for SQL use
    254. 

  254. \*======================================================================*/
    255. 

  255. 	function _sql_escape($var) {
    256. 

  256. 		if(is_array($var)) {
    257. 

  257. 			foreach($var as $_element) {
    258. 

  258. 				$_newvar[] = $this->_sql_escape($_element);
    259. 

  259. 			}
    260. 

  260. 			return $_newvar;
    261. 

  261. 		}
    262. 

  262. 		return str_replace("'", "''", $var);
    263. 

  263. 		break;
    264. 

  264. 	}	
    265. 

  265. }
    266. 

  266. 

  267. ?>
    268. 

  268.