<?php
/*
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
* Version 1.0.2 (Coblynau)
* Copyright (C) 2006-2007 Dan Fuhry
*
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
*/
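/**
 * Debug-mode PHP error handler installed around DBAL calls.
 *
 * Does nothing unless ENANO_DEBUG is defined, and ignores any error level
 * that the current error_reporting() mask excludes. Otherwise it prints the
 * error class, the message and the file/line the error originated from.
 *
 * @param int          $errno      PHP error level (E_* constant)
 * @param string       $errstr     error message text
 * @param string|false $errfile    unused; present for set_error_handler() compatibility
 * @param int|false    $errline    unused; present for set_error_handler() compatibility
 * @param array        $errcontext unused; present for set_error_handler() compatibility
 * @return void|false false when no originating frame could be determined
 */
function db_error_handler($errno, $errstr, $errfile = false, $errline = false, $errcontext = array() )
{
  if ( !defined('ENANO_DEBUG') )
    return;
  // error_reporting() is a bitmask, so test membership of $errno in it. The
  // previous magnitude comparison ("$e < $errno") let e.g. E_NOTICE through
  // when the mask was E_ALL & ~E_NOTICE.
  if ( !(error_reporting() & $errno) )
    return;
  switch ( $errno )
  {
    case E_ERROR: case E_USER_ERROR: case E_CORE_ERROR: case E_COMPILE_ERROR:
      $errtype = 'Error';
      break;
    case E_WARNING: case E_USER_WARNING: case E_CORE_WARNING: case E_COMPILE_WARNING:
      $errtype = 'Warning';
      break;
    default:
      $errtype = 'Notice';
      break;
  }
  $debug = debug_backtrace();
  if ( !isset($debug[0]['file']) )
    return false;
  $source = $debug[0]['file'] . ', line ' . $debug[0]['line'];
  // Both values are written into HTML; an error message that echoes request
  // data must not be able to inject markup into the debug output.
  echo '<b>' . $errtype . ':</b> ' . htmlspecialchars($errstr) . '<br />Error source:<pre>' . htmlspecialchars($source) . '</pre>';
}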
class mysql {
// Query bookkeeping, reset by connect(): the running count, every query issued
// (in order), wall-clock time per query and -- only when $debug is set -- the
// file/line each query was issued from. $debug mirrors defined('ENANO_DEBUG').
var $num_queries, $query_backtrace, $query_times, $query_sources, $latest_result, $latest_query, $_conn, $sql_stack_fields, $sql_stack_values, $debug;
var $row = array();
var $rowset = array();
// Handler that was active before enable_errorhandler() installed db_error_handler();
// disable_errorhandler() reinstates it (or restores the default when it is empty).
var $errhandler;
/**
 * Route PHP errors raised during a DBAL call to db_error_handler().
 *
 * The handler that was active before is remembered in $this->errhandler so
 * disable_errorhandler() can put it back afterwards.
 */
function enable_errorhandler()
{
  // echo "DBAL: enabling error handler<br />";
  // db_error_handler() relies on debug_backtrace(); skip installation where it is unavailable
  if ( !function_exists('debug_backtrace') )
    return;
  $this->errhandler = set_error_handler('db_error_handler');
}
/**
 * Undo enable_errorhandler(): reinstate the handler that was active before,
 * or fall back to PHP's default handling when none had been recorded.
 */
function disable_errorhandler()
{
  // echo "DBAL: disabling error handler<br />";
  $previous = $this->errhandler;
  if ( !$previous )
  {
    restore_error_handler();
    return;
  }
  set_error_handler($previous);
}
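/**
 * Render every query issued on this connection as one block of text.
 *
 * @return string the queries separated by a rule line; empty when no query has
 *   been recorded yet (connect() initialises the list, so a call before that
 *   must not pass a non-array to implode())
 */
function sql_backtrace()
{
  $queries = is_array($this->query_backtrace) ? $this->query_backtrace : array();
  return implode("\n-------------------------------------------------------------------\n", $queries);
}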
/**
 * Open the MySQL connection unless one is already established.
 */
function ensure_connection()
{
  if ( $this->_conn )
    return;
  $this->connect();
}
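/**
 * Abort the request with an HTTP 500 status and a database-error page.
 *
 * @param string $t description or location of the failure; callers pass
 *   literal text, and it is placed in the page as-is
 * @return void does not return: die_semicritical() or grinding_halt() takes
 *   over, followed by exit
 */
function _die($t = '') {
  if(defined('ENANO_HEADERS_SENT')) {
    ob_clean();
  }
  header('HTTP/1.1 500 Internal Server Error');
  // The most recent query is rendered inside the page and usually embeds
  // request-derived values, so it needs the same escaping mysql_error() gets.
  $bt = htmlspecialchars((string) $this->latest_query); // $this->sql_backtrace();
  $e = htmlspecialchars(mysql_error());
  if($e=='') $e='<none>';
  $t = ( !empty($t) ) ? $t : '<No error description provided>';
  global $email;
  $email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : '';
  $internal_text = '<h3>The site was unable to finish serving your request.</h3>
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p>
<p>Description or location of error: '.$t.'<br />
Error returned by MySQL extension: ' . $e . '<br />
Most recent SQL query:</p>
<pre>'.$bt.'</pre>';
  // Before the configuration is loaded the themed error page is unavailable
  if(defined('ENANO_CONFIG_FETCHED')) die_semicritical('Database error', $internal_text);
  else grinding_halt('Database error', $internal_text);
  exit;
}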
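/**
 * Abort an AJAX request with a JSON error object describing the failed query.
 *
 * The document is built with json_encode(), so quotes, newlines and non-ASCII
 * bytes in the query or the MySQL message cannot break it. The previous
 * hand-rolled single-quoted literal was not valid JSON and addslashes() is not
 * a JSON escape. Keys ('mode', 'error') and the message text are unchanged.
 */
function die_json()
{
  $e = htmlspecialchars(mysql_error());
  $q = $this->latest_query;
  $payload = array(
    'mode'  => 'error',
    'error' => "An error occurred during database query.\nQuery was:\n $q\n\nError returned by MySQL: $e",
  );
  // Still emit a document if the query holds bytes that are not valid UTF-8
  die(json_encode($payload, JSON_PARTIAL_OUTPUT_ON_ERROR));
}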
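/**
 * Build, but do not emit, the HTML database-error page.
 *
 * Sends the HTTP 500 status header as a side effect.
 *
 * @param string $t description or location of the failure; callers pass
 *   literal text, and it is placed in the page as-is
 * @return string HTML fragment with the description, the MySQL error and the query log
 */
function get_error($t = '') {
  header('HTTP/1.1 500 Internal Server Error');
  // The query log is rendered inside <pre>; queries usually embed
  // request-derived values, so escape it the same way mysql_error() is.
  $bt = htmlspecialchars($this->sql_backtrace());
  $e = htmlspecialchars(mysql_error());
  if($e=='') $e='<none>';
  global $email;
  $email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : '';
  $internal_text = '<h3>The site was unable to finish serving your request.</h3>
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p>
<p>Description or location of error: '.$t.'<br />
Error returned by MySQL extension: ' . $e . '<br />
Most recent SQL query:</p>
<pre>'.$bt.'</pre>';
  return $internal_text;
}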
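/**
 * Load the site configuration and open the MySQL connection.
 *
 * Includes config.new.php while the installer runs (IN_ENANO_INSTALL), else
 * config.php, both under ENANO_ROOT. If none of ENANO_INSTALLED,
 * MIDGET_INSTALLED or IN_ENANO_INSTALL is defined afterwards, the request is
 * redirected to install.php instead of connecting. On success the per-request
 * query bookkeeping is reset and the configured database is selected.
 *
 * @return bool true once connected and the database is selected; failures do
 *   not return (redirect(), grinding_halt() or _die() take over)
 */
function connect()
{
  $this->enable_errorhandler();

  dc_here('dbal: trying to connect....');

  // The installer writes config.new.php and renames it as its very last step,
  // so while installing the new file is the one to read.
  if ( defined('IN_ENANO_INSTALL') )
  {
    @include(ENANO_ROOT.'/config.new.php');
  }
  else
  {
    @include(ENANO_ROOT.'/config.php');
  }

  if ( isset($crypto_key) )
    unset($crypto_key); // Get this sucker out of memory fast

  if ( !defined('ENANO_INSTALLED') && !defined('MIDGET_INSTALLED') && !defined('IN_ENANO_INSTALL') )
  {
    dc_here('dbal: oops, looks like Enano isn\'t set up. Constants ENANO_INSTALLED, MIDGET_INSTALLED, and IN_ENANO_INSTALL are all undefined.');
    // scriptPath isn't set yet - we need to autodetect it to avoid infinite redirects
    if ( !defined('scriptPath') )
    {
      if ( isset($_SERVER['PATH_INFO']) && !preg_match('/index\.php$/', $_SERVER['PATH_INFO']) )
      {
        // The pattern uses ';' as delimiter, so preg_quote() must escape that
        // character too; otherwise a PATH_INFO containing ';' breaks the regex.
        $path_info_re = ';' . preg_quote($_SERVER['PATH_INFO'], ';') . '$;';
        $_SERVER['REQUEST_URI'] = preg_replace($path_info_re, '', $_SERVER['REQUEST_URI']);
      }
      if ( !preg_match('/\.php$/', $_SERVER['REQUEST_URI']) )
      {
        // user requested http://foo/enano as opposed to http://foo/enano/index.php
        $_SERVER['REQUEST_URI'] .= '/index.php';
      }
      $sp = dirname($_SERVER['REQUEST_URI']);
      if ( $sp === '/' || $sp === '\\' )
        $sp = '';
      define('scriptPath', $sp);
      define('contentPath', "$sp/index.php?title=");
    }
    $loc = scriptPath . '/install.php';
    // header("Location: $loc");
    redirect($loc, 'Enano not installed', 'We can\'t seem to find an Enano installation (valid config file). You will be transferred to the installation wizard momentarily...', 3);
    exit;
  }

  $this->_conn = @mysql_connect($dbhost, $dbuser, $dbpasswd);
  // Drop the credentials from scope as soon as the handshake is done
  unset($dbuser);
  unset($dbpasswd); // Security

  if ( !$this->_conn )
  {
    // The driver message is written into HTML by both consumers below
    $conn_error = htmlspecialchars(mysql_error());
    dc_here('dbal: uhoh!<br />'.$conn_error);
    grinding_halt('Enano is having a problem', '<p>Error: couldn\'t connect to MySQL.<br />'.$conn_error.'</p>');
  }

  // Reset some variables
  $this->query_backtrace = array();
  $this->query_times = array();
  $this->query_sources = array();
  $this->num_queries = 0;

  $this->debug = ( defined('ENANO_DEBUG') );

  dc_here('dbal: we\'re in, selecting database...');
  // A backtick inside a quoted identifier is escaped by doubling it, so a
  // database name containing '`' cannot terminate the identifier early.
  $q = $this->sql_query('USE `' . str_replace('`', '``', $dbname) . '`;');

  if ( !$q )
    $this->_die('The database could not be selected.');

  // We're in!
  dc_here('dbal: connected to MySQL');

  $this->disable_errorhandler();
  return true;
}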
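/**
 * Run a buffered query on the open connection.
 *
 * Records the query in the per-request bookkeeping (count, query list, timing
 * and, when $this->debug is set, the file/line it was issued from), aborts on
 * a query that check_query() rejects, and returns the raw mysql_query() result.
 *
 * @param string $q the SQL text to execute
 * @return resource|bool the mysql_query() result (false on failure)
 */
function sql_query($q)
{
  $this->enable_errorhandler();

  if ( $this->debug && function_exists('debug_backtrace') )
  {
    $backtrace = @debug_backtrace();
    if ( is_array($backtrace) )
    {
      $bt = $backtrace[0];
      // When the query is issued from inside sessionManager, attribute it to the
      // code that called sessionManager so the SQL report points past the session layer.
      if ( isset($backtrace[1]['class']) && $backtrace[1]['class'] === 'sessionManager' )
      {
        $bt = $backtrace[1];
      }
      // Frames entered through call_user_func()-style internals carry no
      // file/line; skip attribution instead of raising undefined-index notices.
      if ( isset($bt['file'], $bt['line']) )
      {
        $this->query_sources[$q] = substr($bt['file'], strlen(ENANO_ROOT) + 1) . ', line ' . $bt['line'];
      }
    }
    unset($backtrace);
  }

  $this->num_queries++;
  $this->query_backtrace[] = $q;
  $this->latest_query = $q;
  // dc_here() receives HTML; the query text usually embeds request data, so escape it
  dc_here('dbal: making SQL query:<br /><tt>'.htmlspecialchars($q).'</tt>');
  // First make sure we have a connection
  if ( !$this->_conn )
  {
    $this->_die('A database connection has not yet been established.');
  }
  // Does this query look malicious?
  if ( !$this->check_query($q) )
  {
    $this->report_query($q);
    grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>');
  }

  $time_start = microtime_float();
  $r = mysql_query($q, $this->_conn);
  $this->query_times[$q] = microtime_float() - $time_start;
  $this->latest_result = $r;
  $this->disable_errorhandler();
  return $r;
}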
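/**
 * Run an unbuffered query on the open connection.
 *
 * Same bookkeeping and check_query() gate as sql_query(), except that the
 * query is logged with an "(UNBUFFERED)" prefix and no call-site attribution
 * is recorded. Returns the raw mysql_unbuffered_query() result.
 *
 * @param string $q the SQL text to execute
 * @return resource|bool the mysql_unbuffered_query() result (false on failure)
 */
function sql_unbuffered_query($q)
{
  $this->enable_errorhandler();

  $this->num_queries++;
  $this->query_backtrace[] = '(UNBUFFERED) ' . $q;
  $this->latest_query = $q;
  // dc_here() receives HTML; the query text usually embeds request data, so escape it
  dc_here('dbal: making SQL query:<br /><tt>'.htmlspecialchars($q).'</tt>');
  // First make sure we have a connection
  if ( !$this->_conn )
  {
    $this->_die('A database connection has not yet been established.');
  }
  // Does this query look malicious?
  if ( !$this->check_query($q) )
  {
    $this->report_query($q);
    grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>');
  }

  $time_start = microtime_float();
  $r = mysql_unbuffered_query($q, $this->_conn);
  $this->query_times[$q] = microtime_float() - $time_start;
  $this->latest_result = $r;
  $this->disable_errorhandler();
  return $r;
}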
/**
* Checks a SQL query for possible signs of injection attempts
* @param string $q the query to check
* @param bool $debug when true, echo each filtering step to the output (debugging aid; defaults to false)
* @return bool true if query passed check, otherwise false
*/
function check_query($q, $debug = false)
+ − 278
{
+ − 279
if($debug) echo "\$db->check_query(): checking query: ".htmlspecialchars($q).'<br />'."\n";
+ − 280
$sz = strlen($q);
+ − 281
$quotechar = false;
+ − 282
$quotepos = 0;
+ − 283
$prev_is_quote = false;
+ − 284
$just_started = false;
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 285
for ( $i = 0; $i < strlen($q); $i++, $c = substr($q, $i, 1) )
1
+ − 286
{
+ − 287
$next = substr($q, $i+1, 1);
+ − 288
$next2 = substr($q, $i+2, 1);
+ − 289
$prev = substr($q, $i-1, 1);
+ − 290
$prev2 = substr($q, $i-2, 1);
+ − 291
if(isset($c) && in_array($c, Array('"', "'", '`')))
+ − 292
{
+ − 293
if($quotechar)
+ − 294
{
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 295
if (
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 296
( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_started ) && $prev != '\\') ||
1
+ − 297
( $prev2 == '\\' && $prev == $quotechar && $quotechar == $c )
+ − 298
)
+ − 299
{
+ − 300
$quotechar = false;
+ − 301
if($debug) echo('$db->check_query(): just finishing a quote section, quoted string: '.htmlspecialchars(substr($q, $quotepos, $i - $quotepos + 1)) . '<br />');
+ − 302
$q = substr($q, 0, $quotepos) . 'SAFE_QUOTE' . substr($q, $i + 1, strlen($q));
+ − 303
if($debug) echo('$db->check_query(): Filtered query: '.$q.'<br />');
+ − 304
$i = $quotepos;
+ − 305
}
+ − 306
}
+ − 307
else
+ − 308
{
+ − 309
$quotechar = $c;
+ − 310
$quotepos = $i;
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 311
$just_started = true;
1
+ − 312
}
+ − 313
if($debug) echo '$db->check_query(): found quote char as pos: '.$i.'<br />';
+ − 314
continue;
+ − 315
}
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 316
$just_started = false;
1
+ − 317
}
+ − 318
if(substr(trim($q), strlen(trim($q))-1, 1) == ';') $q = substr(trim($q), 0, strlen(trim($q))-1);
+ − 319
for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1))
+ − 320
{
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 321
if (
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 322
( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--' )
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 323
|| ( in_array($c, Array('"', "'", '`')) )
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 324
) // Don't permit semicolons in mid-query, and never allow comments
1
+ − 325
{
+ − 326
// Injection attempt!
+ − 327
if($debug)
+ − 328
{
+ − 329
$e = '';
+ − 330
for($j=$i-5;$j<$i+5;$j++)
+ − 331
{
+ − 332
if($j == $i) $e .= '<span style="color: red; text-decoration: underline;">' . $c . '</span>';
+ − 333
else $e .= $c;
+ − 334
}
+ − 335
echo 'Injection attempt caught at pos: '.$i.'<br />';
+ − 336
}
+ − 337
return false;
+ − 338
}
+ − 339
}
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 340
if ( preg_match('/[\s]+(SAFE_QUOTE|[\S]+)=\\1($|[\s]+)/', $q, $match) )
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 341
{
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 342
if ( $debug ) echo 'Found always-true test in query, injection attempt caught, match:<br />' . '<pre>' . print_r($match, true) . '</pre>';
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 343
return false;
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
diff
changeset
+ − 344
}
1
+ − 345
return true;
+ − 346
}
+ − 347
+ − 348
/**
 * Moves the internal row pointer of a result set to row $pos.
 * @param int $pos The number of the row
 * @param resource $result The MySQL result resource - if not given, the latest cached query is assumed
 * @return bool true on success, false on failure (including when no usable result exists)
 */
function sql_data_seek($pos, $result = false)
{
    $this->enable_errorhandler();
    // Fall back to the most recent result when none is given
    $target = $result ? $result : $this->latest_result;
    $ok = $target ? (bool) mysql_data_seek($target, $pos) : false;
    $this->disable_errorhandler();
    return $ok;
}
+ − 376
+ − 377
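/**
 * Records a query that failed check_query() in the security log.
 *
 * Every value interpolated into the INSERT is escaped first: the offending
 * query, the current username and REMOTE_ADDR. Previously only the query was
 * escaped, so a username or address containing a quote produced a malformed
 * log INSERT - which itself fails check_query() and re-enters this method.
 * A static re-entrancy flag guards against that loop.
 *
 * @param string $query the naughty query
 * @access private
 */
function report_query($query)
{
    global $session;
    static $reporting = false;
    if ( $reporting )
        return;
    $reporting = true;

    // The session object is only used once the main program has set it up
    if ( is_object($session) && defined('ENANO_MAINSTREAM') )
        $username = $session->username;
    else
        $username = 'Unavailable';

    $query = $this->escape($query);
    $username = $this->escape($username);
    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $this->escape($_SERVER['REMOTE_ADDR']) : '';

    $this->sql_query('INSERT INTO ' . table_prefix . 'logs(log_type, action, time_id, date_string, page_text, author, edit_summary)
      VALUES(\'security\', \'sql_inject\', ' . time() . ', \'\', \'' . $query . '\', \'' . $username . '\', \'' . $remote_addr . '\');');

    $reporting = false;
}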
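/**
 * Returns the ID of the row last inserted on this connection.
 * @return int|false the AUTO_INCREMENT id, or false when no connection is open
 */
function insert_id()
{
    // Other methods treat a missing connection as a soft failure; do the same
    // instead of hiding the warning behind @ as before.
    if ( empty($this->_conn) )
        return false;
    $this->enable_errorhandler();
    // Use this object's link explicitly rather than whichever link was opened last
    $id = mysql_insert_id($this->_conn);
    $this->disable_errorhandler();
    return $id;
}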
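/**
 * Fetches the next row of a result set as an associative array.
 * @param resource $r result resource; defaults to the latest cached query
 * @return array|false the row, or false when there is no connection or no more rows
 */
function fetchrow($r = false)
{
    $this->enable_errorhandler();
    if ( !$this->_conn )
    {
        // Restore the handler on this path too; it was previously left enabled
        $this->disable_errorhandler();
        return false;
    }
    if ( !$r )
        $r = $this->latest_result;
    if ( !$r )
        $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.');
    $row = mysql_fetch_assoc($r);
    $this->disable_errorhandler();
    return $row;
}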
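/**
 * Fetches the next row of a result set as a numerically indexed array.
 * @param resource $r result resource; defaults to the latest cached query
 * @return array|false the row, or false when there are no more rows
 */
function fetchrow_num($r = false)
{
    $this->enable_errorhandler();
    if ( !$r )
        $r = $this->latest_result;
    // The error text named fetchrow(); it now names this method so reports point at the right caller
    if ( !$r )
        $this->_die('$db->fetchrow_num(): an invalid MySQL resource was passed.');
    $row = mysql_fetch_row($r);
    $this->disable_errorhandler();
    return $row;
}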
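/**
 * Returns the number of rows in a (buffered) result set.
 * @param resource $r result resource; defaults to the latest cached query
 * @return int|false
 */
function numrows($r = false)
{
    $this->enable_errorhandler();
    if ( !$r )
        $r = $this->latest_result;
    // The error text named fetchrow(); it now names this method so reports point at the right caller
    if ( !$r )
        $this->_die('$db->numrows(): an invalid MySQL resource was passed.');
    $n = mysql_num_rows($r);
    $this->disable_errorhandler();
    return $n;
}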
/**
 * Escapes a string for use inside a quoted SQL literal via mysql_real_escape_string().
 * Wrapping the result in quotes remains the caller's job.
 * @param string $str
 * @return string
 */
function escape($str)
{
    $this->enable_errorhandler();
    $escaped = mysql_real_escape_string($str);
    $this->disable_errorhandler();
    return $escaped;
}
/**
 * Frees a result resource; a no-op when neither $result nor a cached result exists.
 * @param resource $result result resource; defaults to the latest cached query
 * @return null
 */
function free_result($result = false)
{
    $this->enable_errorhandler();
    $target = $result ? $result : $this->latest_result;
    if ( $target )
        mysql_free_result($target);
    $this->disable_errorhandler();
    return null;
}
+ − 455
+ − 456
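/**
 * Closes the MySQL connection and forgets the link.
 * Safe to call when no connection is open (a second close() used to warn).
 */
function close()
{
    dc_here('dbal: closing MySQL connection');
    // Only close a live link; mysql_close() warns on a missing or already-closed one
    if ( !empty($this->_conn) )
        mysql_close($this->_conn);
    unset($this->_conn);
}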
// phpBB DBAL compatibility
/**
 * phpBB-compatible alias for fetchrow().
 * @param resource $r result resource; defaults to the latest cached query
 * @return array|false
 */
function sql_fetchrow($r = false)
{
    $row = $this->fetchrow($r);
    return $row;
}
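/**
 * phpBB-compatible alias: frees a result resource.
 * @param resource $r result resource; defaults to the latest cached query
 * @return false when there is no connection, otherwise nothing
 */
function sql_freeresult($r = false)
{
    if ( !$this->_conn )
        return false;
    if ( !$r )
        $r = $this->latest_result;
    // The error text named fetchrow(); it now names this method so reports point at the right caller
    if ( !$r )
        $this->_die('$db->sql_freeresult(): an invalid MySQL resource was passed.');
    mysql_free_result($r);
}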
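/**
 * phpBB-compatible alias: number of rows in a result set.
 * @param resource $r result resource; defaults to the latest cached query
 * @return int|false false when there is no connection
 */
function sql_numrows($r = false)
{
    if ( !$this->_conn )
        return false;
    if ( !$r )
        $r = $this->latest_result;
    // The error text named fetchrow(); it now names this method so reports point at the right caller
    if ( !$r )
        $this->_die('$db->sql_numrows(): an invalid MySQL resource was passed.');
    return mysql_num_rows($r);
}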
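/**
 * phpBB-compatible alias: number of rows affected by the last INSERT/UPDATE/DELETE.
 *
 * $f and $n were required parameters following an optional one, so callers could
 * never omit them; they are unused and now default to null for compatibility.
 *
 * @param resource $r result resource; defaults to the latest cached query
 * @param mixed $f unused, kept for signature compatibility
 * @param mixed $n unused, kept for signature compatibility
 * @return int|false false when there is no connection
 */
function sql_affectedrows($r = false, $f = null, $n = null)
{
    if ( !$this->_conn )
        return false;
    if ( !$r )
        $r = $this->latest_result;
    // The error text named fetchrow(); it now names this method so reports point at the right caller
    if ( !$r )
        $this->_die('$db->sql_affectedrows(): an invalid MySQL resource was passed.');
    // Ask this object's link explicitly instead of whichever link was opened last
    return mysql_affected_rows($this->_conn);
}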
+ − 488
+ − 489
/**
 * Renders a PHP value as a SQL literal: floats and ints/bools are emitted bare,
 * strings (and empty values) are escaped and single-quoted, anything else is
 * HTML-escaped before being escaped and quoted.
 * @param mixed $value
 * @return float|int|string
 */
function sql_type_cast(&$value)
{
    if ( is_float($value) )
        return (float) $value;
    if ( is_int($value) || is_bool($value) )
        return (int) $value;
    if ( is_string($value) || empty($value) )
        return "'" . $this->sql_escape_string($value) . "'";
    // uncastable var : let's do a basic protection on it to prevent sql injection attempt
    return "'" . $this->sql_escape_string(htmlspecialchars($value)) . "'";
}
+ − 506
+ − 507
/**
 * Builds the sql_fields / sql_values / sql_update fragments from a field => value
 * map (keys that are not non-empty strings are skipped) plus optional
 * field => increment entries that append "field = field +/- n" to sql_update.
 * Field names are concatenated as given; values go through sql_type_cast().
 * @param array $fields
 * @param array|string $fields_inc
 */
function sql_statement(&$fields, $fields_inc = '')
{
    // init result
    $this->sql_fields = $this->sql_values = $this->sql_update = '';
    if ( empty($fields) && empty($fields_inc) )
        return;

    $names = array();
    $values = array();
    $assignments = array();
    if ( !empty($fields) )
    {
        foreach ( $fields as $field => $value )
        {
            // field must contain a field name
            if ( empty($field) || !is_string($field) )
                continue;
            $cast = $this->sql_type_cast($value);
            $names[] = $field;
            $values[] = $cast;
            $assignments[] = $field . ' = ' . $cast;
        }
    }
    $this->sql_fields = implode(', ', $names);
    $this->sql_values = implode(', ', $values);
    $this->sql_update = implode(', ', $assignments);

    if ( !empty($fields_inc) )
    {
        foreach ( $fields_inc as $field => $indent )
        {
            if ( $indent != 0 )
            {
                $op = ( $indent < 0 ) ? ' - ' : ' + ';
                $this->sql_update .= ( empty($this->sql_update) ? '' : ', ' ) . $field . ' = ' . $field . $op . abs($indent);
            }
        }
    }
}
+ − 544
+ − 545
/**
 * Clears the queued insert stack - the whole stack, or only the one keyed by $id.
 * @param string $id
 */
function sql_stack_reset($id = '')
{
    if ( !empty($id) )
    {
        $this->sql_stack_fields[$id] = array();
        $this->sql_stack_values[$id] = array();
        return;
    }
    $this->sql_stack_fields = array();
    $this->sql_stack_values = array();
}
+ − 558
+ − 559
/**
 * Queues one row for a later sql_stack_insert(): runs sql_statement() on $fields,
 * remembers the field list and appends "(values)" to the stack (keyed by $id if given).
 * @param array $fields
 * @param string $id
 */
function sql_stack_statement(&$fields, $id = '')
{
    $this->sql_statement($fields);
    $row = '(' . $this->sql_values . ')';
    if ( empty($id) )
    {
        $this->sql_stack_fields = $this->sql_fields;
        $this->sql_stack_values[] = $row;
        return;
    }
    $this->sql_stack_fields[$id] = $this->sql_fields;
    $this->sql_stack_values[$id][] = $row;
}
+ − 573
+ − 574
/**
 * Flushes the rows queued by sql_stack_statement() into $table with INSERT.
 * Returns false when the stack (keyed by $id, or the unkeyed one) is empty.
 * On the mysql layers all rows go out in one multi-row INSERT; on any other
 * layer one INSERT per row is issued and the results are AND-ed together.
 * The stack is reset once the statement(s) have been built.
 * NOTE(review): $table and the queued field names are concatenated into the
 * SQL unescaped - they are expected to come from code, not from request input.
 * NOTE(review): the extra sql_query() arguments follow phpBB's signature; the
 * sql_query() in this class is called with one argument elsewhere - confirm
 * it accepts them.
 */
function sql_stack_insert($table, $transaction=false, $line='', $file='', $break_on_error=true, $id='')
{
    // Nothing queued for this stack
    if ( (empty($id) && empty($this->sql_stack_values)) || (!empty($id) && empty($this->sql_stack_values[$id])) )
    {
        return false;
    }
    switch( SQL_LAYER )
    {
        case 'mysql':
        case 'mysql4':
            // Single multi-row INSERT
            if ( empty($id) )
            {
                $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields . ') VALUES ' . implode(",\n", $this->sql_stack_values);
            }
            else
            {
                $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields[$id] . ') VALUES ' . implode(",\n", $this->sql_stack_values[$id]);
            }
            $this->sql_stack_reset($id);
            return $this->sql_query($sql, $transaction, $line, $file, $break_on_error);
            break; // unreachable after return
        default:
            // One INSERT per queued row
            $count_sql_stack_values = empty($id) ? count($this->sql_stack_values) : count($this->sql_stack_values[$id]);
            $result = !empty($count_sql_stack_values);
            for ( $i = 0; $i < $count_sql_stack_values; $i++ )
            {
                if ( empty($id) )
                {
                    $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields . ') VALUES ' . $this->sql_stack_values[$i];
                }
                else
                {
                    $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields[$id] . ') VALUES ' . $this->sql_stack_values[$id][$i];
                }
                // NOTE(review): bitwise AND of a bool with whatever sql_query() returns
                // (a resource on the mysql path above); the per-row result type is unverified here
                $result &= $this->sql_query($sql, $transaction, $line, $file, $break_on_error);
            }
            $this->sql_stack_reset($id);
            return $result;
            break; // unreachable after return
    }
}
+ − 619
+ − 620
/**
 * Returns $sql unchanged when the server can run it as a sub-query (any
 * non-mysql layer, or MySQL >= 4.01). Otherwise runs it now and returns the
 * values of column $field as a comma-separated list ('NULL' when empty),
 * cast to int or escaped and quoted according to $type.
 * @param string $field
 * @param string $sql
 * @param string $line
 * @param string $file
 * @param bool $break_on_error
 * @param int $type
 * @return string
 */
function sql_subquery($field, $sql, $line = '', $file = '', $break_on_error = true, $type = TYPE_INT)
{
    // sub-queries doable
    $this->sql_get_version();
    $is_mysql = in_array(SQL_LAYER, array('mysql', 'mysql4'));
    $version = $this->sql_version[0] + ( $this->sql_version[1] / 100 );
    if ( !$is_mysql || $version >= 4.01 )
        return $sql;

    // no sub-queries
    $ids = array();
    $result = $this->sql_query(trim($sql), false, $line, $file, $break_on_error);
    while ( $row = $this->sql_fetchrow($result) )
    {
        if ( $type == TYPE_INT )
            $ids[] = intval($row[$field]);
        else
            $ids[] = "'" . $this->sql_escape_string($row[$field]) . "'";
    }
    $this->sql_freeresult($result);
    return empty($ids) ? 'NULL' : implode(', ', $ids);
}
+ − 639
+ − 640
/**
 * Picks the column reference to use in a query: the alias on MySQL <= 4.01,
 * the full expression everywhere else.
 * @param string $expr
 * @param string $alias
 * @return string
 */
function sql_col_id($expr, $alias)
{
    $this->sql_get_version();
    $is_mysql = in_array(SQL_LAYER, array('mysql', 'mysql4'));
    $version = $this->sql_version[0] + ( $this->sql_version[1] / 100 );
    if ( $is_mysql && $version <= 4.01 )
        return $alias;
    return $expr;
}
+ − 645
+ − 646
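/**
 * Determines (once) and returns the server version as array(major, minor, patch[, suffix]).
 * Stays array(0, 0, 0) on non-mysql layers or when the mysql extension is absent.
 * @return array
 */
function sql_get_version()
{
    if ( empty($this->sql_version) )
    {
        $this->sql_version = array(0, 0, 0);
        switch ( SQL_LAYER )
        {
            case 'mysql':
            case 'mysql4':
                if ( function_exists('mysql_get_server_info') )
                {
                    // e.g. "5.0.45-log" -> array("5.0.45", "log"); the "-suffix" part is
                    // optional, so index it defensively (it used to raise an undefined index)
                    $lo_version = explode('-', mysql_get_server_info());
                    $parts = explode('.', $lo_version[0]);
                    $this->sql_version = array(
                        intval($parts[0]),
                        isset($parts[1]) ? intval($parts[1]) : 0,
                        isset($parts[2]) ? intval($parts[2]) : 0,
                        isset($lo_version[1]) ? $lo_version[1] : null,
                    );
                }
                break;

            case 'postgresql':
            case 'mssql':
            case 'mssql-odbc':
            default:
                break;
        }
    }
    return $this->sql_version;
}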
/**
 * Last MySQL error text when a connection exists; an empty array otherwise.
 * @return string|array
 */
function sql_error()
{
    $connected = (bool) $this->_conn;
    return $connected ? mysql_error() : array();
}
/**
 * phpBB-compatible alias: escapes $t for use inside a quoted SQL literal.
 * @param string $t
 * @return string
 */
function sql_escape_string($t)
{
    $escaped = mysql_real_escape_string($t);
    return $escaped;
}
/**
 * phpBB-compatible alias for close().
 */
function sql_close()
{
    $this->close();
    return;
}
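/**
 * phpBB-compatible alias: fetches every remaining row of a result set.
 * @param resource|int $query_id result resource; defaults to the latest cached query
 * @return array|false list of associative rows (empty array for no rows), false without a result
 */
function sql_fetchrowset($query_id = 0)
{
    if ( !$query_id )
    {
        // The rest of this class caches the last result in latest_result; the
        // phpBB name query_result is not assigned anywhere visible here, so the
        // default used to fall through to "return false".
        $query_id = $this->latest_result;
    }
    if ( !$query_id )
        return false;

    unset($this->rowset[$query_id]);
    unset($this->row[$query_id]);

    // Initialise so an empty result set yields an array rather than an undefined variable
    $result = array();
    while ( $this->rowset[$query_id] = mysql_fetch_array($query_id, MYSQL_ASSOC) )
    {
        $result[] = $this->rowset[$query_id];
    }
    return $result;
}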
/**
 * Generates and outputs a report of all the SQL queries made during execution. Should only be called after everything's over with.
 *
 * Access is gated on the mod_misc permission via die_friendly(). The report
 * lists every entry of query_backtrace with its time from query_times and,
 * when recorded, the caller from query_sources.
 */
function sql_report()
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    // Permission gate: the log exposes full query text, so only moderators may view it
    if ( !$session->get_permissions('mod_misc') )
    {
        die_friendly('Access denied', '<p>You are not authorized to generate a SQL backtrace.</p>');
    }
    // Create copies of variables that may be changed after header is called
    $backtrace = $this->query_backtrace;
    $times = $this->query_times; // NOTE(review): copied but unused - the loop below reads $this->query_times directly
    $template->header();
    echo '<h3>SQL query log and timetable</h3>';
    echo '<div class="tblholder">
<table border="0" cellspacing="1" cellpadding="4">';
    $i = 0;
    foreach ( $backtrace as $query )
    {
        $i++;
        $unbuffered = false;
        // Unbuffered queries are stored with a marker prefix; strip it for display and lookup
        if ( substr($query, 0, 13) == '(UNBUFFERED) ' )
        {
            $query = substr($query, 13);
            $unbuffered = true;
        }
        // Table heading on the first row, a spacer row before every later one
        if ( $i == 1 )
        {
            echo '<tr>
<th colspan="2">SQL backtrace for a normal page load of ' . htmlspecialchars($paths->cpage['urlname']) . '</th>
</tr>';
        }
        else
        {
            echo '<tr>
<th class="subhead" colspan="2"> </th>
</tr>';
        }
        // Query text is HTML-escaped: it can carry values that originated in a request
        echo '<tr>
<td class="row2">Query:</td>
<td class="row1"><pre>' . htmlspecialchars($query) . '</pre></td>
</tr>
<tr>
<td class="row2">Time:</td>
<td class="row1">' . number_format($this->query_times[$query], 6) . ' seconds</td>
</tr>
<tr>
<td class="row2">Unbuffered:</td>
<td class="row1">' . ( $unbuffered ? 'Yes' : 'No' ) . '</td>
</tr>';
        if ( isset($this->query_sources[$query]) )
        {
            // NOTE(review): query_sources is echoed unescaped - presumably file/line
            // text from a backtrace rather than request input; confirm where it is set
            echo '<tr>
<td class="row2">Called from:</td>
<td class="row1">' . $this->query_sources[$query] . '</td>
</tr>';
        }
    }
    echo ' </table>
</div>';
    $template->footer();
}
}
?>