<?php |
/* |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
* Version 1.0.2 (Coblynau) |
* Copyright (C) 2006-2007 Dan Fuhry |
* |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
* |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
*/ |
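/**
 * Error handler installed around database calls (see mysql::enable_errorhandler()).
 *
 * Outside debug mode (ENANO_DEBUG undefined) it returns null; a non-false return
 * marks the error as handled, so notices/warnings raised by the mysql_* calls are
 * swallowed instead of being printed into the page.  In debug mode, errors whose
 * level is enabled in error_reporting() are printed inline with their source location.
 *
 * @param int    $errno      PHP error level (E_WARNING, E_USER_ERROR, ...)
 * @param string $errstr     error message; escaped before output because it can echo query text
 * @param string $errfile    unused - the location is taken from debug_backtrace()
 * @param int    $errline    unused
 * @param array  $errcontext unused (PHP 8 no longer passes it)
 * @return null|false  false hands the error back to PHP's standard handler
 */
function db_error_handler($errno, $errstr, $errfile = false, $errline = false, $errcontext = Array() )
{
  if ( !defined('ENANO_DEBUG') )
    return;
  // error_reporting() is a bitmask: test the bit for this level instead of comparing
  // magnitudes (E_ALL & ~E_USER_ERROR is numerically larger than E_USER_ERROR yet excludes it).
  $level = error_reporting();
  if ( !($level & $errno) )
    return;
  $errtype = 'Notice';
  switch ( $errno )
  {
    case E_ERROR: case E_USER_ERROR: case E_CORE_ERROR: case E_COMPILE_ERROR:
      $errtype = 'Error';
      break;
    case E_WARNING: case E_USER_WARNING: case E_CORE_WARNING: case E_COMPILE_WARNING:
      $errtype = 'Warning';
      break;
  }
  $trace = debug_backtrace();
  // Frame 0 is the call that raised the error; internal frames may carry no file/line,
  // in which case let PHP's own handler report it.
  if ( !isset($trace[0]['file']) || !isset($trace[0]['line']) )
    return false;
  $source = $trace[0]['file'] . ', line ' . $trace[0]['line'];
  // Both values land in HTML: the message may contain query text (and thus request data).
  echo '<b>' . $errtype . ':</b> ' . htmlspecialchars($errstr) . '<br />Error source:<pre>' . htmlspecialchars($source) . '</pre>';
}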
class mysql { |
|
// Per-connection bookkeeping, reset in connect(): $num_queries counts queries, $query_backtrace
// holds the text of every query issued (shown by sql_backtrace()/get_error()), $query_times and
// $query_sources are keyed by query text, $latest_result/$latest_query are the last result and
// query, $_conn is the mysql_connect() link, $debug is true when ENANO_DEBUG is defined.
// $sql_stack_fields/$sql_stack_values are not referenced by the methods visible here.
var $num_queries, $query_backtrace, $query_times, $query_sources, $latest_result, $latest_query, $_conn, $sql_stack_fields, $sql_stack_values, $debug;
// Row buffers; presumably filled by fetch helpers defined further down - TODO confirm.
var $row = array();
var $rowset = array();
// Previously active PHP error handler, as returned by set_error_handler() in enable_errorhandler().
var $errhandler;
/**
 * Route PHP errors raised during the following database call to db_error_handler().
 * The handler that was active before is remembered in $this->errhandler.
 */
function enable_errorhandler()
{
  // db_error_handler() relies on debug_backtrace() to locate the error source.
  if ( !function_exists('debug_backtrace') )
    return;
  $this->errhandler = set_error_handler('db_error_handler');
}
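/**
 * Undo enable_errorhandler(): make the previously active error handler current again.
 *
 * Our handler is always popped with restore_error_handler().  Re-installing the saved
 * handler via set_error_handler() (the previous approach) left one extra entry on PHP's
 * handler stack per query, so later restore_error_handler() calls unwound to the wrong
 * handler and the stack grew for the lifetime of the request.
 */
function disable_errorhandler()
{
  restore_error_handler();
}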
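/**
 * Return every query issued on this connection, separated by a dashed rule.
 *
 * Intended for error reports and the SQL report; the log can contain sensitive values
 * that were interpolated into queries, so it should not be shown to untrusted users.
 *
 * @return string  '' when no query has been logged yet (the list is only initialised by connect())
 */
function sql_backtrace()
{
  // Before connect() runs the property is null, and implode() on null is a TypeError on PHP 8.
  if ( !is_array($this->query_backtrace) )
    return '';
  return implode("\n-------------------------------------------------------------------\n", $this->query_backtrace);
}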
/**
 * Open the database connection on first use; a no-op once $this->_conn is set.
 */
function ensure_connection()
{
  if ( $this->_conn )
    return;
  $this->connect();
}
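/**
 * Abort the request with an HTTP 500 and a "database error" page, then exit.
 *
 * The page shows the caller's description, mysql_error() and the most recent query.
 * The query is HTML-escaped: it commonly embeds request data, so echoing it raw would
 * let an attacker inject markup into the error page.  Showing the query at all still
 * discloses schema details to end users; the full log (sql_backtrace()) is deliberately
 * not included here.
 *
 * @param string $t description or location of the error; inserted as-is, so callers
 *                  must only pass trusted text
 */
function _die($t = '') {
  // Throw away any partially rendered page before emitting the error.
  if ( defined('ENANO_HEADERS_SENT') )
  {
    ob_clean();
  }
  header('HTTP/1.1 500 Internal Server Error');
  $bt = htmlspecialchars((string) $this->latest_query); // not $this->sql_backtrace(): that would expose the whole log
  $e = htmlspecialchars(mysql_error());
  // Placeholders are written as entities so they are visible rather than parsed as tags.
  if ( $e == '' )
    $e = '&lt;none&gt;';
  $t = ( !empty($t) ) ? $t : '&lt;No error description provided&gt;';
  global $email;
  // The contact address is only available (obfuscated) once the config has been fetched.
  $email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : '';
  $internal_text = '<h3>The site was unable to finish serving your request.</h3>
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p>
<p>Description or location of error: '.$t.'<br />
Error returned by MySQL extension: ' . $e . '<br />
Most recent SQL query:</p>
<pre>'.$bt.'</pre>';
  if ( defined('ENANO_CONFIG_FETCHED') )
    die_semicritical('Database error', $internal_text);
  else
    grinding_halt('Database error', $internal_text);
  exit;
}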
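/**
 * Abort an AJAX request with a JSON error object describing the failed query.
 *
 * The body is produced by json_encode().  The previous hand-built, single-quoted
 * string left the embedded newlines (and any in the query text) unescaped, so it was
 * neither valid JSON nor a valid JavaScript literal, and query text could break out of
 * the string.  Clients that parse the reply with eval() accept both forms; a strict JSON
 * parser accepts only this one.  mysql_error() stays HTML-escaped for the client as before.
 */
function die_json()
{
  $e = htmlspecialchars(mysql_error());
  $q = $this->latest_query;
  $msg = "An error occurred during database query.\nQuery was:\n $q\n\nError returned by MySQL: $e";
  die(json_encode(array('mode' => 'error', 'error' => $msg)));
}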
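/**
 * Build the "database error" page text (and send a 500 status) without exiting.
 *
 * Unlike _die() this embeds the complete query log from sql_backtrace(), HTML-escaped
 * since queries carry request data.  The log may reveal interpolated values and schema
 * details, so the returned text should only reach trusted users.
 *
 * @param string $t description or location of the error; inserted as-is (trusted text only)
 * @return string   HTML fragment describing the error
 */
function get_error($t = '') {
  header('HTTP/1.1 500 Internal Server Error');
  $bt = htmlspecialchars($this->sql_backtrace());
  $e = htmlspecialchars(mysql_error());
  // Placeholders are written as entities so they are visible rather than parsed as tags.
  if ( $e == '' )
    $e = '&lt;none&gt;';
  global $email;
  $email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : '';
  $internal_text = '<h3>The site was unable to finish serving your request.</h3>
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p>
<p>Description or location of error: '.$t.'<br />
Error returned by MySQL extension: ' . $e . '<br />
Most recent SQL query:</p>
<pre>'.$bt.'</pre>';
  return $internal_text;
}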
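/**
 * Load the config file, connect to MySQL and select the database.
 *
 * The config file (config.new.php while the installer is running, config.php otherwise)
 * defines $dbhost, $dbuser, $dbpasswd, $dbname and possibly $crypto_key in this scope;
 * the secrets are unset as soon as they have been used.  If no valid installation is
 * found the request is redirected to the installer and never returns.
 *
 * NOTE(review): ext/mysql (mysql_connect etc.) was removed in PHP 7; this layer runs on PHP 5 only.
 *
 * @return bool true once connected and the database is selected (failures halt the request)
 */
function connect()
{
  $this->enable_errorhandler();

  dc_here('dbal: trying to connect....');

  // During installation the freshly written config has not been renamed yet.
  if ( defined('IN_ENANO_INSTALL') )
  {
    @include(ENANO_ROOT.'/config.new.php');
  }
  else
  {
    @include(ENANO_ROOT.'/config.php');
  }

  if ( isset($crypto_key) )
    unset($crypto_key); // Get this sucker out of memory fast

  if ( !defined('ENANO_INSTALLED') && !defined('MIDGET_INSTALLED') && !defined('IN_ENANO_INSTALL') )
  {
    dc_here('dbal: oops, looks like Enano isn\'t set up. Constants ENANO_INSTALLED, MIDGET_INSTALLED, and IN_ENANO_INSTALL are all undefined.');
    // scriptPath isn't set yet - we need to autodetect it to avoid infinite redirects
    if ( !defined('scriptPath') )
    {
      if ( isset($_SERVER['PATH_INFO']) && !preg_match('/index\.php$/', $_SERVER['PATH_INFO']) )
      {
        // ';' is the pattern delimiter, so it must be given to preg_quote(); otherwise a
        // PATH_INFO containing ';' breaks the pattern and preg_replace() returns null.
        $_SERVER['REQUEST_URI'] = preg_replace(';' . preg_quote($_SERVER['PATH_INFO'], ';') . '$;', '', $_SERVER['REQUEST_URI']);
      }
      // REQUEST_URI includes the query string; inspect the path part only, or
      // "/enano/?title=Foo" would be taken for a directory.
      $path = $_SERVER['REQUEST_URI'];
      $qpos = strpos($path, '?');
      if ( $qpos !== false )
        $path = substr($path, 0, $qpos);
      if ( !preg_match('/\.php$/', $path) )
      {
        // user requested http://foo/enano as opposed to http://foo/enano/index.php
        $_SERVER['REQUEST_URI'] .= '/index.php';
        $path .= '/index.php';
      }
      $sp = dirname($path);
      if ( $sp == '/' || $sp == '\\' )
        $sp = '';
      // NOTE(review): $sp comes from the client-controlled request line and is used as the
      // redirect target below; a request URI starting with "//host/" would make it
      // protocol-relative. Confirm the web server normalises such paths before relying on it.
      define('scriptPath', $sp);
      define('contentPath', "$sp/index.php?title=");
    }
    $loc = scriptPath . '/install.php';
    redirect($loc, 'Enano not installed', 'We can\'t seem to find an Enano installation (valid config file). You will be transferred to the installation wizard momentarily...', 3);
    exit;
  }

  $this->_conn = @mysql_connect($dbhost, $dbuser, $dbpasswd);
  // Drop the credentials from this scope as soon as they have been used.
  unset($dbuser);
  unset($dbpasswd); // Security

  if ( !$this->_conn )
  {
    // The driver message ends up in HTML, so escape it like _die() does.
    $err = htmlspecialchars(mysql_error());
    dc_here('dbal: uhoh!<br />' . $err);
    grinding_halt('Enano is having a problem', '<p>Error: couldn\'t connect to MySQL.<br />' . $err . '</p>');
  }

  // Reset per-connection statistics
  $this->query_backtrace = array();
  $this->query_times = array();
  $this->query_sources = array();
  $this->num_queries = 0;

  $this->debug = ( defined('ENANO_DEBUG') );

  dc_here('dbal: we\'re in, selecting database...');
  // Backtick-quoted so names with dashes work; $dbname is trusted config, not request data.
  $q = $this->sql_query('USE `'.$dbname.'`;');

  if ( !$q )
    $this->_die('The database could not be selected.');

  // We're in!
  dc_here('dbal: connected to MySQL');

  $this->disable_errorhandler();
  return true;
}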
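/**
 * Run a buffered query, recording it for the SQL report, and return mysql_query()'s result.
 *
 * Queries that fail check_query() are reported and the request is halted.  Note that
 * check_query() is a heuristic last line of defence only: the legacy mysql extension has
 * no prepared statements, so callers must escape every value they interpolate into $q.
 *
 * @param string $q complete SQL statement
 * @return resource|bool result of mysql_query() (false on error; callers handle that)
 */
function sql_query($q)
{
  $this->enable_errorhandler();

  // In debug mode, remember where the query was issued from (file, line) for the SQL report.
  if ( $this->debug && function_exists('debug_backtrace') )
  {
    $backtrace = @debug_backtrace();
    if ( is_array($backtrace) )
    {
      $bt = $backtrace[0];
      // Queries issued from inside sessionManager are attributed to the code that called it.
      if ( isset($backtrace[1]['class']) && $backtrace[1]['class'] == 'sessionManager' )
      {
        $bt = $backtrace[1];
      }
      // Internal frames may carry no file/line; skip rather than raise undefined-index notices.
      if ( isset($bt['file']) && isset($bt['line']) )
      {
        $this->query_sources[$q] = substr($bt['file'], strlen(ENANO_ROOT) + 1) . ', line ' . $bt['line'];
      }
    }
    unset($backtrace);
  }

  $this->num_queries++;
  $this->query_backtrace[] = $q;
  $this->latest_query = $q;
  // dc_here() output is HTML, so the query text must not be able to inject markup.
  dc_here('dbal: making SQL query:<br /><tt>'.htmlspecialchars($q).'</tt>');

  // First make sure we have a connection
  if ( !$this->_conn )
  {
    $this->_die('A database connection has not yet been established.');
  }
  // Does this query look malicious?
  if ( !$this->check_query($q) )
  {
    $this->report_query($q);
    grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>');
  }

  $time_start = microtime_float();
  $r = mysql_query($q, $this->_conn);
  $this->query_times[$q] = microtime_float() - $time_start;
  $this->latest_result = $r;
  $this->disable_errorhandler();
  return $r;
}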
function sql_unbuffered_query($q) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
205
diff
changeset
|
244 |
{ |
1 | 245 |
$this->enable_errorhandler(); |
229
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
parents:
222
diff
changeset
|
246 |
|
1 | 247 |
$this->num_queries++; |
229
b2f985e4cef3
Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
Dan
parents:
222
diff
changeset
|
248 |
$this->query_backtrace[] = '(UNBUFFERED) ' . $q; |
1 | 249 |
$this->latest_query = $q; |
250 |
dc_here('dbal: making SQL query:<br /><tt>'.$q.'</tt>'); |
|
215
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
205
diff
changeset
|
251 |
// First make sure we have a connection |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
205
diff
changeset
|
252 |
if ( !$this->_conn ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
205
diff
changeset
|
253 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
205
diff
changeset
|
254 |
$this->_die('A database connection has not yet been established.'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
205
diff
changeset
|
255 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
205
diff
changeset
|
256 |
// Does this query look malicious? |
if ( !$this->check_query($q) ) |
{ |
$this->report_query($q); |
grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
} |
$time_start = microtime_float(); |
$r = mysql_unbuffered_query($q, $this->_conn); |
$this->query_times[$q] = microtime_float() - $time_start; |
$this->latest_result = $r; |
$this->disable_errorhandler(); |
return $r; |
} |
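/**
 * Heuristic screen applied to SQL strings before they reach the server. Pass 1
 * collapses every balanced quoted literal into the token SAFE_QUOTE; pass 2 then
 * rejects the remainder if it still contains a quote character (i.e. an unbalanced
 * one), a semicolon anywhere but the very end, or a "--" comment marker. Finally a
 * trivially true comparison of the form X=X (e.g. 1=1) is rejected.
 *
 * This is a last line of defence, not a substitute for escaping every value with
 * $db->escape() when the query is built: a clean pass does not prove a query is
 * safe, and legitimate queries containing "--" or stacked statements are rejected.
 *
 * @param string $q the query to check
 * @param bool $debug if true, scanning progress is echoed as HTML
 * @return bool true if query passed check, otherwise false
 */
function check_query($q, $debug = false)
{
  if ( $debug ) echo "\$db->check_query(): checking query: ".htmlspecialchars($q).'<br />'."\n";
  $quotechar = false;
  $quotepos = 0;
  $just_started = false;
  $quotes = array('"', "'", '`');
  // Pass 1: replace each balanced quoted literal with SAFE_QUOTE. The current
  // character is read at the top of the body so position 0 is inspected as well
  // (assigning it in the for-increment left the first character unchecked).
  for ( $i = 0; $i < strlen($q); $i++ )
  {
    $c = substr($q, $i, 1);
    $next = substr($q, $i+1, 1);
    // Guard the look-behinds: a negative offset would wrap to the end of the string
    $prev = ( $i > 0 ) ? substr($q, $i-1, 1) : '';
    $prev2 = ( $i > 1 ) ? substr($q, $i-2, 1) : '';
    if ( in_array($c, $quotes, true) )
    {
      if ( $quotechar )
      {
        // A closing quote is one that matches the opener, is not doubled ('' or ""),
        // is not preceded by the same quote unless the literal opened on the previous
        // character, and is not backslash-escaped -- except the \\' case, where the
        // backslash itself is escaped.
        if (
            ( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_started ) && $prev != '\\') ||
            ( $prev2 == '\\' && $prev == $quotechar && $quotechar == $c )
           )
        {
          $quotechar = false;
          if ( $debug ) echo('$db->check_query(): just finishing a quote section, quoted string: '.htmlspecialchars(substr($q, $quotepos, $i - $quotepos + 1)) . '<br />');
          $q = substr($q, 0, $quotepos) . 'SAFE_QUOTE' . substr($q, $i + 1, strlen($q));
          // Debug output goes to the browser; escape the (possibly hostile) query text
          if ( $debug ) echo('$db->check_query(): Filtered query: '.htmlspecialchars($q).'<br />');
          // Resume scanning right after the inserted token
          $i = $quotepos;
        }
      }
      else
      {
        $quotechar = $c;
        $quotepos = $i;
        $just_started = true;
      }
      if ( $debug ) echo '$db->check_query(): found quote char as pos: '.$i.'<br />';
      continue;
    }
    $just_started = false;
  }
  // A single conventional terminator is allowed; strip it so it is not mistaken
  // for a stacked statement below
  $trimmed = trim($q);
  if ( substr($trimmed, strlen($trimmed)-1, 1) == ';' )
    $q = substr($trimmed, 0, strlen($trimmed)-1);
  // Pass 2: with literals collapsed, any remaining quote, mid-query semicolon or
  // comment marker has no legitimate place. The length is taken from the filtered
  // query (not the original) so the end-of-query exemption lines up with it.
  $sz = strlen($q);
  for ( $i = 0; $i < $sz; $i++ )
  {
    $c = substr($q, $i, 1);
    if (
        ( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--' )
        || ( in_array($c, $quotes, true) )
       ) // Don't permit semicolons in mid-query, and never allow comments
    {
      if ( $debug )
      {
        // Show up to five characters either side, highlighting the offending one
        $e = '';
        for ( $j = max(0, $i-5); $j < min($sz, $i+5); $j++ )
        {
          $ch = htmlspecialchars(substr($q, $j, 1));
          $e .= ( $j == $i ) ? '<span style="color: red; text-decoration: underline;">' . $ch . '</span>' : $ch;
        }
        echo 'Injection attempt caught at pos: '.$i.'<br />' . '<pre>' . $e . '</pre>';
      }
      return false;
    }
  }
  // Always-true comparison: a whitespace-delimited token compared with itself
  if ( preg_match('/[\s]+(SAFE_QUOTE|[\S]+)=\\1($|[\s]+)/', $q, $match) )
  {
    if ( $debug ) echo 'Found always-true test in query, injection attempt caught, match:<br />' . '<pre>' . htmlspecialchars(print_r($match, true)) . '</pre>';
    return false;
  }
  return true;
}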
/**
 * Set the internal result pointer to X
 * @param int $pos The number of the row
 * @param resource $result The MySQL result resource - if not given, the latest cached query is assumed
 * @return true on success, false on failure
 */
function sql_data_seek($pos, $result = false)
{
  $this->enable_errorhandler();
  $target = $result ? $result : $this->latest_result;
  // No usable result means failure without touching MySQL at all
  $seeked = $target ? (bool) mysql_data_seek($target, $pos) : false;
  // Every exit path restores the handler, so do it once here
  $this->disable_errorhandler();
  return $seeked;
}
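/**
 * Reports a bad query to the admin by writing a 'security' / 'sql_inject' row to
 * the logs table. Every value interpolated into the INSERT -- the offending query,
 * the username and the remote address -- is passed through $this->escape() first,
 * so the reporting path cannot itself become an injection vector.
 * @param string $query the naughty query
 * @access private
 */
function report_query($query)
{
  global $session;
  if ( is_object($session) && defined('ENANO_MAINSTREAM') )
    $username = $session->username;
  else
    $username = 'Unavailable';
  // REMOTE_ADDR is absent when invoked from the CLI; log an empty string instead of tripping a notice
  $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
  $query = $this->escape($query);
  $username = $this->escape($username);
  $remote_addr = $this->escape($remote_addr);
  $this->sql_query('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, page_text, author, edit_summary)
VALUES(\'security\', \'sql_inject\', '.time().', \'\', \''.$query.'\', \''.$username.'\', \''.$remote_addr.'\');');
}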
/**
 * Returns the ID of the row last inserted.
 * @return int
 */
function insert_id()
{
  // Warnings are suppressed so a call without an open link fails quietly
  $id = @mysql_insert_id();
  return $id;
}
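/**
 * Fetches the next row of a result set as an associative array.
 * @param resource $r MySQL result resource; if omitted, the latest result is used
 * @return array|bool the row, or false when there is no connection or no rows remain
 */
function fetchrow($r = false)
{
  $this->enable_errorhandler();
  if ( !$this->_conn )
  {
    // Restore the handler on this early exit too; previously it was left installed
    $this->disable_errorhandler();
    return false;
  }
  if ( !$r ) $r = $this->latest_result;
  if ( !$r ) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.');
  $row = mysql_fetch_assoc($r);
  $this->disable_errorhandler();
  return $row;
}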
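/**
 * Fetches the next row of a result set as a numerically indexed array.
 * @param resource $r MySQL result resource; if omitted, the latest result is used
 * @return array|bool the row, or false when no rows remain
 */
function fetchrow_num($r = false)
{
  $this->enable_errorhandler();
  if ( !$r ) $r = $this->latest_result;
  // Diagnostic names this method (it was copied from fetchrow() unchanged)
  if ( !$r ) $this->_die('$db->fetchrow_num(): an invalid MySQL resource was passed.');
  $row = mysql_fetch_row($r);
  $this->disable_errorhandler();
  return $row;
}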
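/**
 * Returns the number of rows in a (buffered) result set.
 * @param resource $r MySQL result resource; if omitted, the latest result is used
 * @return int|bool
 */
function numrows($r = false)
{
  $this->enable_errorhandler();
  if ( !$r ) $r = $this->latest_result;
  // Diagnostic names this method (it was copied from fetchrow() unchanged)
  if ( !$r ) $this->_die('$db->numrows(): an invalid MySQL resource was passed.');
  $n = mysql_num_rows($r);
  $this->disable_errorhandler();
  return $n;
}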
/**
 * Escapes a string for inclusion inside a quoted SQL literal. No link is passed,
 * so mysql_real_escape_string() uses the most recently opened connection; the
 * caller is still responsible for wrapping the result in quotes.
 * @param string $str
 * @return string
 */
function escape($str)
{
  $this->enable_errorhandler();
  $escaped = mysql_real_escape_string($str);
  $this->disable_errorhandler();
  return $escaped;
}
/**
 * Frees a result resource, defaulting to the latest one. A missing result is a no-op.
 * @param resource $result
 * @return null always
 */
function free_result($result = false)
{
  $this->enable_errorhandler();
  $target = $result ? $result : $this->latest_result;
  if ( $target )
  {
    mysql_free_result($target);
  }
  $this->disable_errorhandler();
  return null;
}
/**
 * Closes the MySQL connection and forgets the link so later calls see no connection.
 */
function close()
{
  $link = $this->_conn;
  dc_here('dbal: closing MySQL connection');
  mysql_close($link);
  unset($this->_conn);
}
// phpBB DBAL compatibility |
/**
 * phpBB-style alias for fetchrow().
 * @param resource $r
 * @return array|bool
 */
function sql_fetchrow($r = false)
{
  $row = $this->fetchrow($r);
  return $row;
}
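/**
 * phpBB-style result release. Returns false with no connection; otherwise frees
 * the given (or latest) result and returns nothing.
 * @param resource $r
 * @return bool|null
 */
function sql_freeresult($r = false)
{
  if ( !$this->_conn ) return false;
  if ( !$r ) $r = $this->latest_result;
  // Diagnostic names this method (it was copied from fetchrow() unchanged)
  if ( !$r ) $this->_die('$db->sql_freeresult(): an invalid MySQL resource was passed.');
  mysql_free_result($r);
}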
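/**
 * phpBB-style row count. Returns false with no connection.
 * @param resource $r
 * @return int|bool
 */
function sql_numrows($r = false)
{
  if ( !$this->_conn ) return false;
  if ( !$r ) $r = $this->latest_result;
  // Diagnostic names this method (it was copied from fetchrow() unchanged)
  if ( !$r ) $this->_die('$db->sql_numrows(): an invalid MySQL resource was passed.');
  return mysql_num_rows($r);
}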
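/**
 * phpBB-style affected-row count. Returns false with no connection.
 * @param resource $r result resource; only checked for presence, mysql_affected_rows() ignores it
 * @param mixed $f unused, kept for phpBB signature compatibility
 * @param mixed $n unused, kept for phpBB signature compatibility
 * @return int|bool
 */
function sql_affectedrows($r = false, $f = false, $n = false)
{
  // $f and $n now carry defaults: a required parameter after an optional one is
  // deprecated and made the optional $r pointless
  if ( !$this->_conn ) return false;
  if ( !$r ) $r = $this->latest_result;
  // Diagnostic names this method (it was copied from fetchrow() unchanged)
  if ( !$r ) $this->_die('$db->sql_affectedrows(): an invalid MySQL resource was passed.');
  return mysql_affected_rows();
}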
/**
 * Turns a PHP value into a SQL literal: floats and ints/bools are returned as bare
 * numbers, strings and empty values are escaped and single-quoted, and anything else
 * is run through htmlspecialchars() before escaping and quoting.
 * @param mixed $value taken by reference for phpBB signature compatibility; not modified
 * @return mixed
 */
function sql_type_cast(&$value)
{
  if ( is_float($value) )
    return floatval($value);
  if ( is_int($value) || is_bool($value) )
    return intval($value);
  if ( is_string($value) || empty($value) )
    return '\'' . $this->sql_escape_string($value) . '\'';
  // uncastable var : let's do a basic protection on it to prevent sql injection attempt
  return '\'' . $this->sql_escape_string(htmlspecialchars($value)) . '\'';
}
/**
 * Builds the comma-separated field list, value list and UPDATE assignment list for
 * an INSERT/UPDATE from a column => value map, storing them in $this->sql_fields,
 * $this->sql_values and $this->sql_update. Values go through sql_type_cast().
 * @param array $fields column => value; only non-empty string keys are used
 * @param array $fields_inc column => signed increment, appended to sql_update as "col = col +/- n"
 */
function sql_statement(&$fields, $fields_inc='')
{
  $this->sql_fields = $this->sql_values = $this->sql_update = '';
  if ( empty($fields) && empty($fields_inc) )
  {
    return;
  }

  if ( !empty($fields) )
  {
    $names = array();
    $literals = array();
    $assignments = array();
    foreach ( $fields as $field => $value )
    {
      // Numeric or empty keys are not column names; skip them
      if ( empty($field) || !is_string($field) )
        continue;
      $literal = $this->sql_type_cast($value);
      $names[] = $field;
      $literals[] = $literal;
      $assignments[] = $field . ' = ' . $literal;
    }
    $this->sql_fields = implode(', ', $names);
    $this->sql_values = implode(', ', $literals);
    $this->sql_update = implode(', ', $assignments);
  }
  if ( !empty($fields_inc) )
  {
    foreach ( $fields_inc as $field => $indent )
    {
      if ( $indent == 0 )
        continue;
      $separator = empty($this->sql_update) ? '' : ', ';
      $operator = ( $indent < 0 ) ? ' - ' : ' + ';
      $this->sql_update .= $separator . $field . ' = ' . $field . $operator . abs($indent);
    }
  }
}
/**
 * Clears the pending multi-row INSERT stack, either the default one or the one named by $id.
 * @param string $id optional stack name
 */
function sql_stack_reset($id='')
{
  $cleared = array();
  if ( empty($id) )
  {
    $this->sql_stack_fields = $cleared;
    $this->sql_stack_values = $cleared;
    return;
  }
  $this->sql_stack_fields[$id] = $cleared;
  $this->sql_stack_values[$id] = $cleared;
}
/**
 * Casts one row via sql_statement() and pushes its "(v1, v2, ...)" tuple onto the
 * INSERT stack, recording the field list alongside it.
 * @param array $fields column => value for this row
 * @param string $id optional stack name
 */
function sql_stack_statement(&$fields, $id='')
{
  $this->sql_statement($fields);
  $tuple = '(' . $this->sql_values . ')';
  if ( empty($id) )
  {
    $this->sql_stack_fields = $this->sql_fields;
    $this->sql_stack_values[] = $tuple;
    return;
  }
  $this->sql_stack_fields[$id] = $this->sql_fields;
  $this->sql_stack_values[$id][] = $tuple;
}
/**
 * Flushes the INSERT stack built by sql_stack_statement() into $table. On MySQL
 * all rows go in a single multi-row INSERT; on other layers one INSERT per row is
 * issued and the results are AND-ed together. The stack is reset afterwards.
 * $table is interpolated verbatim, so it must come from code, never from input.
 * @param string $table target table name
 * @param mixed $transaction passed through to sql_query()
 * @param mixed $line passed through to sql_query()
 * @param mixed $file passed through to sql_query()
 * @param bool $break_on_error passed through to sql_query()
 * @param string $id optional stack name
 * @return mixed false if the stack is empty, otherwise whatever sql_query() returned
 */
function sql_stack_insert($table, $transaction=false, $line='', $file='', $break_on_error=true, $id='')
{
  if ( (empty($id) && empty($this->sql_stack_values)) || (!empty($id) && empty($this->sql_stack_values[$id])) )
  {
    return false;
  }
  switch( SQL_LAYER )
  {
    case 'mysql':
    case 'mysql4':
      if ( empty($id) )
      {
        $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields . ') VALUES ' . implode(",\n", $this->sql_stack_values);
      }
      else
      {
        $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields[$id] . ') VALUES ' . implode(",\n", $this->sql_stack_values[$id]);
      }
      $this->sql_stack_reset($id);
      return $this->sql_query($sql, $transaction, $line, $file, $break_on_error);
      break;
    default:
      $count_sql_stack_values = empty($id) ? count($this->sql_stack_values) : count($this->sql_stack_values[$id]);
      $result = !empty($count_sql_stack_values);
      for ( $i = 0; $i < $count_sql_stack_values; $i++ )
      {
        if ( empty($id) )
        {
          $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields . ') VALUES ' . $this->sql_stack_values[$i];
        }
        else
        {
          $sql = 'INSERT INTO ' . $table . '
(' . $this->sql_stack_fields[$id] . ') VALUES ' . $this->sql_stack_values[$id][$i];
        }
        // Bitwise AND: sql_query()'s return is coerced to an integer here, so a
        // non-boolean return (e.g. a resource) is folded in numerically
        $result &= $this->sql_query($sql, $transaction, $line, $file, $break_on_error);
      }
      $this->sql_stack_reset($id);
      return $result;
      break;
  }
}
/**
 * Emulates a sub-select on servers that lack it. On non-MySQL layers or MySQL >= 4.01
 * the inner SQL is returned unchanged; otherwise it is executed now and the values of
 * $field are returned as a literal list ("1, 2, 3" or "'a', 'b'"), or "NULL" if empty.
 * @param string $field column to collect from each row
 * @param string $sql the inner query
 * @param mixed $line passed through to sql_query()
 * @param mixed $file passed through to sql_query()
 * @param bool $break_on_error passed through to sql_query()
 * @param int $type TYPE_INT for integer literals, anything else for escaped quoted strings
 * @return string
 */
function sql_subquery($field, $sql, $line='', $file='', $break_on_error=true, $type=TYPE_INT)
{
  $this->sql_get_version();
  $is_mysql = in_array(SQL_LAYER, array('mysql', 'mysql4'));
  if ( !$is_mysql || ($this->sql_version[0] + ($this->sql_version[1] / 100)) >= 4.01 )
  {
    // Server handles sub-queries itself
    return $sql;
  }

  // No sub-queries: materialise the inner result as an IN-list
  $ids = array();
  $result = $this->sql_query(trim($sql), false, $line, $file, $break_on_error);
  while ( $row = $this->sql_fetchrow($result) )
  {
    if ( $type == TYPE_INT )
      $ids[] = intval($row[$field]);
    else
      $ids[] = '\'' . $this->sql_escape_string($row[$field]) . '\'';
  }
  $this->sql_freeresult($result);
  return empty($ids) ? 'NULL' : implode(', ', $ids);
}
/**
 * Picks the column reference to use in a clause: the alias on MySQL <= 4.01,
 * the full expression everywhere else.
 * @param string $expr full column expression
 * @param string $alias its alias
 * @return string
 */
function sql_col_id($expr, $alias)
{
  $this->sql_get_version();
  $is_mysql = in_array(SQL_LAYER, array('mysql', 'mysql4'));
  if ( $is_mysql && ($this->sql_version[0] + ($this->sql_version[1] / 100)) <= 4.01 )
    return $alias;
  return $expr;
}
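/**
 * Returns the server version, probing it on first use and caching it in $this->sql_version.
 * On MySQL the result is array(major, minor, patch, suffix), where suffix is the text after
 * the first '-' of the server string (null when there is none); on other layers it stays
 * array(0, 0, 0).
 * @return array
 */
function sql_get_version()
{
  if ( empty($this->sql_version) )
  {
    $this->sql_version = array(0, 0, 0);
    switch ( SQL_LAYER )
    {
      case 'mysql':
      case 'mysql4':
        if ( function_exists('mysql_get_server_info') )
        {
          $lo_version = explode('-', mysql_get_server_info());
          $parts = explode('.', $lo_version[0]);
          // Guard each index: a server string without a '-' suffix, or with fewer
          // than three dotted components, must not raise undefined-index notices.
          // Missing numeric parts intval() to 0 exactly as before.
          $this->sql_version = array(
              intval(isset($parts[0]) ? $parts[0] : 0),
              intval(isset($parts[1]) ? $parts[1] : 0),
              intval(isset($parts[2]) ? $parts[2] : 0),
              isset($lo_version[1]) ? $lo_version[1] : null
            );
        }
        break;
      case 'postgresql':
      case 'mssql':
      case 'mssql-odbc':
      default:
        break;
    }
  }
  return $this->sql_version;
}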
/**
 * Returns the last MySQL error message. Note the mixed return type: a string when a
 * connection exists, an empty array when it does not.
 * @return string|array
 */
function sql_error()
{
  return $this->_conn ? mysql_error() : array();
}
/**
 * phpBB-style escape; unlike escape() it does not toggle the error handler.
 * @param string $t
 * @return string
 */
function sql_escape_string($t)
{
  $escaped = mysql_real_escape_string($t);
  return $escaped;
}
/**
 * phpBB-style alias for close().
 */
function sql_close()
{
  $this->close();
}
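/**
 * Fetches every remaining row of a result as a list of associative arrays. Each row
 * is also written to $this->rowset[$query_id] as it is fetched, and any cached
 * $this->rowset / $this->row entries for that result are cleared first.
 * @param resource|int $query_id result resource; 0/false falls back to $this->query_result
 * @return array|bool list of rows (empty array when there are none), or false with no result
 */
function sql_fetchrowset($query_id = 0)
{
  if ( !$query_id )
  {
    // NOTE(review): $this->query_result is not assigned anywhere visible in this
    // file; the other fetch methods fall back to $this->latest_result -- confirm
    // which property is intended
    $query_id = $this->query_result;
  }
  if ( !$query_id )
  {
    return false;
  }
  unset($this->rowset[$query_id]);
  unset($this->row[$query_id]);
  // Initialise so an empty result set yields array() instead of an undefined variable
  $result = array();
  while ( $this->rowset[$query_id] = mysql_fetch_array($query_id, MYSQL_ASSOC) )
  {
    $result[] = $this->rowset[$query_id];
  }
  return $result;
}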
/** |
* Generates and outputs a report of all the SQL queries made during execution. Should only be called after everything's over with. |
*/ |
function sql_report() |
{ |
global $db, $session, $paths, $template, $plugins; // Common objects |
if ( !$session->get_permissions('mod_misc') ) |
{ |
die_friendly('Access denied', '<p>You are not authorized to generate a SQL backtrace.</p>'); |
} |
// Create copies of variables that may be changed after header is called |
$backtrace = $this->query_backtrace; |
$times = $this->query_times; |
$template->header(); |
echo '<h3>SQL query log and timetable</h3>'; |
echo '<div class="tblholder"> |
<table border="0" cellspacing="1" cellpadding="4">'; |
$i = 0; |
foreach ( $backtrace as $query ) |
{ |
$i++; |
$unbuffered = false; |
if ( substr($query, 0, 13) == '(UNBUFFERED) ' ) |
{ |
$query = substr($query, 13); |
$unbuffered = true; |
} |
if ( $i == 1 ) |
{ |
echo '<tr> |
<th colspan="2">SQL backtrace for a normal page load of ' . htmlspecialchars($paths->cpage['urlname']) . '</th> |
</tr>'; |
} |
else |
{ |
echo '<tr> |
<th class="subhead" colspan="2"> </th> |
</tr>'; |
} |
echo '<tr> |
<td class="row2">Query:</td> |
<td class="row1"><pre>' . htmlspecialchars($query) . '</pre></td> |
</tr> |
<tr> |
<td class="row2">Time:</td> |
<td class="row1">' . number_format($this->query_times[$query], 6) . ' seconds</td> |
</tr> |
<tr> |
<td class="row2">Unbuffered:</td> |
<td class="row1">' . ( $unbuffered ? 'Yes' : 'No' ) . '</td> |
</tr>'; |
if ( isset($this->query_sources[$query]) ) |
{ |
echo '<tr> |
<td class="row2">Called from:</td> |
<td class="row1">' . $this->query_sources[$query] . '</td> |
</tr>'; |
} |
} |
echo ' </table> |
</div>'; |
$template->footer(); |
} |
} |
?> |