author | Dan |
Sun, 02 Dec 2007 15:27:21 -0500 | |
changeset 280 | dc08c70ca550 |
parent 279 | 8acd77a6c19d |
child 304 | e2cb5f1432c8 |
permissions | -rw-r--r-- |
1 | 1 |
<?php |
2 |
||
3 |
/* |
|
4 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
166
d53cc29308f4
Rebrand as 1.1.1; everything should now be bumped to "unstable" status
Dan
parents:
142
diff
changeset
|
5 |
* Version 1.1.1 |
1 | 6 |
* Copyright (C) 2006-2007 Dan Fuhry |
7 |
* |
|
8 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
9 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
10 |
* |
|
11 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
12 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
13 |
*/ |
|
14 |
||
15 |
function db_error_handler($errno, $errstr, $errfile = false, $errline = false, $errcontext = Array() ) |
|
16 |
{ |
|
17 |
if ( !defined('ENANO_DEBUG') ) |
|
18 |
return; |
|
19 |
$e = error_reporting(0); |
|
20 |
error_reporting($e); |
|
21 |
if ( $e < $errno ) |
|
22 |
return; |
|
23 |
$errtype = 'Notice'; |
|
24 |
switch ( $errno ) |
|
25 |
{ |
|
26 |
case E_ERROR: case E_USER_ERROR: case E_CORE_ERROR: case E_COMPILE_ERROR: $errtype = 'Error'; break; |
|
27 |
case E_WARNING: case E_USER_WARNING: case E_CORE_WARNING: case E_COMPILE_WARNING: $errtype = 'Warning'; break; |
|
28 |
} |
|
29 |
$debug = debug_backtrace(); |
|
30 |
$debug = $debug[2]['file'] . ', line ' . $debug[2]['line']; |
|
31 |
echo "<b>$errtype:</b> $errstr<br />Error source:<pre>$debug</pre>"; |
|
32 |
} |
|
33 |
||
34 |
class mysql { |
|
35 |
var $num_queries, $query_backtrace, $latest_result, $latest_query, $_conn, $sql_stack_fields, $sql_stack_values; |
|
36 |
var $row = array(); |
|
37 |
var $rowset = array(); |
|
38 |
var $errhandler; |
|
39 |
||
40 |
function enable_errorhandler() |
|
41 |
{ |
|
42 |
if ( function_exists('debug_backtrace') ) |
|
43 |
{ |
|
44 |
$this->errhandler = set_error_handler('db_error_handler'); |
|
45 |
} |
|
46 |
} |
|
47 |
||
48 |
function disable_errorhandler() |
|
49 |
{ |
|
50 |
if ( $this->errhandler ) |
|
51 |
{ |
|
52 |
set_error_handler($this->errhandler); |
|
53 |
} |
|
54 |
else |
|
55 |
{ |
|
56 |
restore_error_handler(); |
|
57 |
} |
|
58 |
} |
|
59 |
||
60 |
function sql_backtrace() { |
|
61 |
$qb = explode("\n", $this->query_backtrace); |
|
62 |
$bt = ''; |
|
63 |
//for($i=sizeof($qb)-1;$i>=0;$i--) { |
|
64 |
for($i=0;$i<sizeof($qb);$i++) { |
|
65 |
$bt .= $qb[$i]."\n"; |
|
66 |
} |
|
67 |
return $bt; |
|
68 |
} |
|
69 |
||
70 |
function ensure_connection() |
|
71 |
{ |
|
72 |
if(!$this->_conn) |
|
73 |
{ |
|
74 |
$this->connect(); |
|
75 |
} |
|
76 |
} |
|
77 |
||
78 |
function _die($t = '') { |
|
79 |
if(defined('ENANO_HEADERS_SENT')) { |
|
80 |
ob_clean(); |
|
81 |
} |
|
82 |
header('HTTP/1.1 500 Internal Server Error'); |
|
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
83 |
$bt = $this->latest_query; // $this->sql_backtrace(); |
1 | 84 |
$e = htmlspecialchars(mysql_error()); |
85 |
if($e=='') $e='<none>'; |
|
91 | 86 |
$t = ( !empty($t) ) ? $t : '<No error description provided>'; |
87 |
global $email; |
|
88 |
$email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : ''; |
|
89 |
$internal_text = '<h3>The site was unable to finish serving your request.</h3> |
|
90 |
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p> |
|
91 |
<p>Description or location of error: '.$t.'<br /> |
|
92 |
Error returned by MySQL extension: ' . $e . '<br /> |
|
93 |
Most recent SQL query:</p> |
|
94 |
<pre>'.$bt.'</pre>'; |
|
95 |
if(defined('ENANO_CONFIG_FETCHED')) die_semicritical('Database error', $internal_text); |
|
96 |
else grinding_halt('Database error', $internal_text); |
|
1 | 97 |
exit; |
98 |
} |
|
99 |
||
100 |
function die_json() |
|
101 |
{ |
|
102 |
$e = addslashes(htmlspecialchars(mysql_error())); |
|
103 |
$q = addslashes($this->latest_query); |
|
104 |
$t = "{'mode':'error','error':'An error occurred during database query.\nQuery was:\n $q\n\nError returned by MySQL: $e'}"; |
|
105 |
die($t); |
|
106 |
} |
|
107 |
||
108 |
function get_error($t = '') { |
|
109 |
header('HTTP/1.1 500 Internal Server Error'); |
|
110 |
$bt = $this->sql_backtrace(); |
|
111 |
$e = htmlspecialchars(mysql_error()); |
|
112 |
if($e=='') $e='<none>'; |
|
91 | 113 |
global $email; |
114 |
$email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : ''; |
|
115 |
$internal_text = '<h3>The site was unable to finish serving your request.</h3> |
|
116 |
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p> |
|
117 |
<p>Description or location of error: '.$t.'<br /> |
|
118 |
Error returned by MySQL extension: ' . $e . '<br /> |
|
119 |
Most recent SQL query:</p> |
|
120 |
<pre>'.$bt.'</pre>'; |
|
121 |
return $internal_text; |
|
1 | 122 |
} |
123 |
||
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
124 |
function connect() |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
125 |
{ |
1 | 126 |
$this->enable_errorhandler(); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
127 |
|
1 | 128 |
dc_here('dbal: trying to connect....'); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
129 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
130 |
if ( defined('IN_ENANO_INSTALL') ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
131 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
132 |
@include(ENANO_ROOT.'/config.new.php'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
133 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
134 |
else |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
135 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
136 |
@include(ENANO_ROOT.'/config.php'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
137 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
138 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
139 |
if ( isset($crypto_key) ) |
1 | 140 |
unset($crypto_key); // Get this sucker out of memory fast |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
141 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
142 |
if ( !defined('ENANO_INSTALLED') && !defined('MIDGET_INSTALLED') && !defined('IN_ENANO_INSTALL') ) |
1 | 143 |
{ |
144 |
dc_here('dbal: oops, looks like Enano isn\'t set up. Constants ENANO_INSTALLED, MIDGET_INSTALLED, and IN_ENANO_INSTALL are all undefined.'); |
|
272
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
145 |
// scriptPath isn't set yet - we need to autodetect it to avoid infinite redirects |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
146 |
if ( !defined('scriptPath') ) |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
147 |
{ |
276
acfdccf7a2bf
Re-sync Oxygen and Mint and Oxygen simple with Oxygen main; a couple improvements to the redirect-on-no-config code
Dan
parents:
272
diff
changeset
|
148 |
if ( isset($_SERVER['PATH_INFO']) && !preg_match('/index\.php$/', $_SERVER['PATH_INFO']) ) |
272
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
149 |
{ |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
150 |
$_SERVER['REQUEST_URI'] = preg_replace(';' . preg_quote($_SERVER['PATH_INFO']) . '$;', '', $_SERVER['REQUEST_URI']); |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
151 |
} |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
152 |
$sp = dirname($_SERVER['REQUEST_URI']); |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
153 |
if($sp == '/' || $sp == '\\') $sp = ''; |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
154 |
define('scriptPath', $sp); |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
155 |
define('contentPath', "$sp/index.php?title="); |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
156 |
} |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
157 |
$loc = scriptPath . '/install.php'; |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
158 |
// header("Location: $loc"); |
e0ec986c0af3
Searching sucks, and Enano's search algorithm was complete bullcrap. So I rewrote it. No, it does not use Google search technology. Like they have a patent for using the Arial font on search result pages anyway.
Dan
parents:
268
diff
changeset
|
159 |
redirect($loc, 'Enano not installed', 'We can\'t seem to find an Enano installation (valid config file). You will be transferred to the installation wizard momentarily...', 3); |
1 | 160 |
exit; |
161 |
} |
|
162 |
$this->_conn = @mysql_connect($dbhost, $dbuser, $dbpasswd); |
|
163 |
unset($dbuser); |
|
164 |
unset($dbpasswd); // Security |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
165 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
166 |
if ( !$this->_conn ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
167 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
168 |
dc_here('dbal: uhoh!<br />'.mysql_error()); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
169 |
grinding_halt('Enano is having a problem', '<p>Error: couldn\'t connect to MySQL.<br />'.mysql_error().'</p>'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
170 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
171 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
172 |
// Reset some variables |
1 | 173 |
$this->query_backtrace = ''; |
174 |
$this->num_queries = 0; |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
175 |
|
1 | 176 |
dc_here('dbal: we\'re in, selecting database...'); |
250
acb9d021b860
Database name can now contain dashes (as per requested at http://forum.enanocms.org/viewtopic.php?f=5&t=14); corrected some installer behavior issues with connecting as root and setting up permissions resulting in logs not being flushed, configs not being inserted, and what have you.
Dan
parents:
142
diff
changeset
|
177 |
$q = $this->sql_query('USE `'.$dbname.'`;'); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
178 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
179 |
if ( !$q ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
180 |
$this->_die('The database could not be selected.'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
181 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
182 |
// We're in! |
1 | 183 |
dc_here('dbal: connected to MySQL'); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
184 |
|
1 | 185 |
$this->disable_errorhandler(); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
186 |
return true; |
1 | 187 |
} |
188 |
||
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
189 |
function sql_query($q) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
190 |
{ |
1 | 191 |
$this->enable_errorhandler(); |
192 |
$this->num_queries++; |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
193 |
$this->query_backtrace .= $q . "\n"; |
1 | 194 |
$this->latest_query = $q; |
195 |
dc_here('dbal: making SQL query:<br /><tt>'.$q.'</tt>'); |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
196 |
// First make sure we have a connection |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
197 |
if ( !$this->_conn ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
198 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
199 |
$this->_die('A database connection has not yet been established.'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
200 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
201 |
// Does this query look malicious? |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
202 |
if ( !$this->check_query($q) ) |
1 | 203 |
{ |
204 |
$this->report_query($q); |
|
205 |
grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
|
206 |
} |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
207 |
|
1 | 208 |
$r = mysql_query($q, $this->_conn); |
209 |
$this->latest_result = $r; |
|
210 |
$this->disable_errorhandler(); |
|
211 |
return $r; |
|
212 |
} |
|
213 |
||
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
214 |
function sql_unbuffered_query($q) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
215 |
{ |
1 | 216 |
$this->enable_errorhandler(); |
217 |
$this->num_queries++; |
|
218 |
$this->query_backtrace .= '(UNBUFFERED) ' . $q."\n"; |
|
219 |
$this->latest_query = $q; |
|
220 |
dc_here('dbal: making SQL query:<br /><tt>'.$q.'</tt>'); |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
221 |
// First make sure we have a connection |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
222 |
if ( !$this->_conn ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
223 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
224 |
$this->_die('A database connection has not yet been established.'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
225 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
226 |
// Does this query look malicious? |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
227 |
if ( !$this->check_query($q) ) |
1 | 228 |
{ |
229 |
$this->report_query($q); |
|
230 |
grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
|
231 |
} |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
232 |
|
1 | 233 |
$r = mysql_unbuffered_query($q, $this->_conn); |
234 |
$this->latest_result = $r; |
|
235 |
$this->disable_errorhandler(); |
|
236 |
return $r; |
|
237 |
} |
|
238 |
||
239 |
/** |
|
240 |
* Checks a SQL query for possible signs of injection attempts |
|
241 |
* @param string $q the query to check |
|
242 |
* @return bool true if query passed check, otherwise false |
|
243 |
*/ |
|
244 |
||
245 |
function check_query($q, $debug = false) |
|
246 |
{ |
|
247 |
if($debug) echo "\$db->check_query(): checking query: ".htmlspecialchars($q).'<br />'."\n"; |
|
248 |
$sz = strlen($q); |
|
249 |
$quotechar = false; |
|
250 |
$quotepos = 0; |
|
251 |
$prev_is_quote = false; |
|
252 |
$just_started = false; |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
253 |
for ( $i = 0; $i < strlen($q); $i++, $c = substr($q, $i, 1) ) |
1 | 254 |
{ |
255 |
$next = substr($q, $i+1, 1); |
|
256 |
$next2 = substr($q, $i+2, 1); |
|
257 |
$prev = substr($q, $i-1, 1); |
|
258 |
$prev2 = substr($q, $i-2, 1); |
|
259 |
if(isset($c) && in_array($c, Array('"', "'", '`'))) |
|
260 |
{ |
|
261 |
if($quotechar) |
|
262 |
{ |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
263 |
if ( |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
264 |
( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_started ) && $prev != '\\') || |
1 | 265 |
( $prev2 == '\\' && $prev == $quotechar && $quotechar == $c ) |
266 |
) |
|
267 |
{ |
|
268 |
$quotechar = false; |
|
269 |
if($debug) echo('$db->check_query(): just finishing a quote section, quoted string: '.htmlspecialchars(substr($q, $quotepos, $i - $quotepos + 1)) . '<br />'); |
|
270 |
$q = substr($q, 0, $quotepos) . 'SAFE_QUOTE' . substr($q, $i + 1, strlen($q)); |
|
271 |
if($debug) echo('$db->check_query(): Filtered query: '.$q.'<br />'); |
|
272 |
$i = $quotepos; |
|
273 |
} |
|
274 |
} |
|
275 |
else |
|
276 |
{ |
|
277 |
$quotechar = $c; |
|
278 |
$quotepos = $i; |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
279 |
$just_started = true; |
1 | 280 |
} |
281 |
if($debug) echo '$db->check_query(): found quote char as pos: '.$i.'<br />'; |
|
282 |
continue; |
|
283 |
} |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
284 |
$just_started = false; |
1 | 285 |
} |
286 |
if(substr(trim($q), strlen(trim($q))-1, 1) == ';') $q = substr(trim($q), 0, strlen(trim($q))-1); |
|
287 |
for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1)) |
|
288 |
{ |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
289 |
if ( |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
290 |
( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--' ) |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
291 |
|| ( in_array($c, Array('"', "'", '`')) ) |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
292 |
) // Don't permit semicolons in mid-query, and never allow comments |
1 | 293 |
{ |
294 |
// Injection attempt! |
|
295 |
if($debug) |
|
296 |
{ |
|
297 |
$e = ''; |
|
298 |
for($j=$i-5;$j<$i+5;$j++) |
|
299 |
{ |
|
300 |
if($j == $i) $e .= '<span style="color: red; text-decoration: underline;">' . $c . '</span>'; |
|
301 |
else $e .= $c; |
|
302 |
} |
|
303 |
echo 'Injection attempt caught at pos: '.$i.'<br />'; |
|
304 |
} |
|
305 |
return false; |
|
306 |
} |
|
307 |
} |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
308 |
if ( preg_match('/[\s]+(SAFE_QUOTE|[\S]+)=\\1($|[\s]+)/', $q, $match) ) |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
309 |
{ |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
310 |
if ( $debug ) echo 'Found always-true test in query, injection attempt caught, match:<br />' . '<pre>' . print_r($match, true) . '</pre>'; |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
311 |
return false; |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
312 |
} |
1 | 313 |
return true; |
314 |
} |
|
315 |
||
316 |
/** |
|
317 |
* Set the internal result pointer to X |
|
318 |
* @param int $pos The number of the row |
|
319 |
* @param resource $result The MySQL result resource - if not given, the latest cached query is assumed |
|
320 |
* @return true on success, false on failure |
|
321 |
*/ |
|
322 |
||
323 |
function sql_data_seek($pos, $result = false) |
|
324 |
{ |
|
325 |
$this->enable_errorhandler(); |
|
326 |
if(!$result) |
|
327 |
$result = $this->latest_result; |
|
328 |
if(!$result) |
|
329 |
{ |
|
330 |
$this->disable_errorhandler(); |
|
331 |
return false; |
|
332 |
} |
|
333 |
if(mysql_data_seek($result, $pos)) |
|
334 |
{ |
|
335 |
$this->disable_errorhandler(); |
|
336 |
return true; |
|
337 |
} |
|
338 |
else |
|
339 |
{ |
|
340 |
$this->disable_errorhandler(); |
|
341 |
return false; |
|
342 |
} |
|
343 |
} |
|
344 |
||
345 |
/** |
|
346 |
* Reports a bad query to the admin |
|
347 |
* @param string $query the naughty query |
|
348 |
* @access private |
|
349 |
*/ |
|
350 |
||
351 |
function report_query($query) |
|
352 |
{ |
|
353 |
global $session; |
|
354 |
if(is_object($session) && defined('ENANO_MAINSTREAM')) |
|
355 |
$username = $session->username; |
|
356 |
else |
|
357 |
$username = 'Unavailable'; |
|
358 |
$query = $this->escape($query); |
|
359 |
$q = $this->sql_query('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, page_text, author, edit_summary) |
|
360 |
VALUES(\'security\', \'sql_inject\', '.time().', \'\', \''.$query.'\', \''.$username.'\', \''.$_SERVER['REMOTE_ADDR'].'\');'); |
|
361 |
} |
|
362 |
||
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
363 |
/** |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
364 |
* Returns the ID of the row last inserted. |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
365 |
* @return int |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
366 |
*/ |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
367 |
|
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
368 |
function insert_id() |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
369 |
{ |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
370 |
return @mysql_insert_id(); |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
371 |
} |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
372 |
|
1 | 373 |
function fetchrow($r = false) { |
374 |
$this->enable_errorhandler(); |
|
375 |
if(!$this->_conn) return false; |
|
376 |
if(!$r) $r = $this->latest_result; |
|
377 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
378 |
$row = mysql_fetch_assoc($r); |
|
379 |
$this->disable_errorhandler(); |
|
380 |
return $row; |
|
381 |
} |
|
382 |
||
383 |
function fetchrow_num($r = false) { |
|
384 |
$this->enable_errorhandler(); |
|
385 |
if(!$r) $r = $this->latest_result; |
|
386 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
387 |
$row = mysql_fetch_row($r); |
|
388 |
$this->disable_errorhandler(); |
|
389 |
return $row; |
|
390 |
} |
|
391 |
||
392 |
function numrows($r = false) { |
|
393 |
$this->enable_errorhandler(); |
|
394 |
if(!$r) $r = $this->latest_result; |
|
395 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
396 |
$n = mysql_num_rows($r); |
|
397 |
$this->disable_errorhandler(); |
|
398 |
return $n; |
|
399 |
} |
|
400 |
||
401 |
function escape($str) |
|
402 |
{ |
|
403 |
$this->enable_errorhandler(); |
|
404 |
$str = mysql_real_escape_string($str); |
|
405 |
$this->disable_errorhandler(); |
|
406 |
return $str; |
|
407 |
} |
|
408 |
||
409 |
function free_result($result = false) |
|
410 |
{ |
|
411 |
$this->enable_errorhandler(); |
|
412 |
if(!$result) |
|
413 |
$result = $this->latest_result; |
|
414 |
if(!$result) |
|
415 |
{ |
|
416 |
$this->disable_errorhandler(); |
|
417 |
return null; |
|
418 |
} |
|
419 |
mysql_free_result($result); |
|
420 |
$this->disable_errorhandler(); |
|
421 |
return null; |
|
422 |
} |
|
423 |
||
424 |
function close() { |
|
425 |
dc_here('dbal: closing MySQL connection'); |
|
426 |
mysql_close($this->_conn); |
|
427 |
unset($this->_conn); |
|
428 |
} |
|
429 |
||
430 |
// phpBB DBAL compatibility |
|
431 |
function sql_fetchrow($r = false) |
|
432 |
{ |
|
433 |
return $this->fetchrow($r); |
|
434 |
} |
|
435 |
function sql_freeresult($r = false) |
|
436 |
{ |
|
437 |
if(!$this->_conn) return false; |
|
438 |
if(!$r) $r = $this->latest_result; |
|
439 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
440 |
mysql_free_result($r); |
|
441 |
} |
|
442 |
function sql_numrows($r = false) |
|
443 |
{ |
|
444 |
if(!$this->_conn) return false; |
|
445 |
if(!$r) $r = $this->latest_result; |
|
446 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
447 |
return mysql_num_rows($r); |
|
448 |
} |
|
449 |
function sql_affectedrows($r = false, $f, $n) |
|
450 |
{ |
|
451 |
if(!$this->_conn) return false; |
|
452 |
if(!$r) $r = $this->latest_result; |
|
453 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
454 |
return mysql_affected_rows(); |
|
455 |
} |
|
456 |
||
457 |
function sql_type_cast(&$value) |
|
458 |
{ |
|
459 |
if ( is_float($value) ) |
|
460 |
{ |
|
461 |
return doubleval($value); |
|
462 |
} |
|
463 |
if ( is_integer($value) || is_bool($value) ) |
|
464 |
{ |
|
465 |
return intval($value); |
|
466 |
} |
|
467 |
if ( is_string($value) || empty($value) ) |
|
468 |
{ |
|
469 |
return '\'' . $this->sql_escape_string($value) . '\''; |
|
470 |
} |
|
471 |
// uncastable var : let's do a basic protection on it to prevent sql injection attempt |
|
472 |
return '\'' . $this->sql_escape_string(htmlspecialchars($value)) . '\''; |
|
473 |
} |
|
474 |
||
475 |
function sql_statement(&$fields, $fields_inc='') |
|
476 |
{ |
|
477 |
// init result |
|
478 |
$this->sql_fields = $this->sql_values = $this->sql_update = ''; |
|
479 |
if ( empty($fields) && empty($fields_inc) ) |
|
480 |
{ |
|
481 |
return; |
|
482 |
} |
|
483 |
||
484 |
// process |
|
485 |
if ( !empty($fields) ) |
|
486 |
{ |
|
487 |
$first = true; |
|
488 |
foreach ( $fields as $field => $value ) |
|
489 |
{ |
|
490 |
// field must contain a field name |
|
491 |
if ( !empty($field) && is_string($field) ) |
|
492 |
{ |
|
493 |
$value = $this->sql_type_cast($value); |
|
494 |
$this->sql_fields .= ( $first ? '' : ', ' ) . $field; |
|
495 |
$this->sql_values .= ( $first ? '' : ', ' ) . $value; |
|
496 |
$this->sql_update .= ( $first ? '' : ', ' ) . $field . ' = ' . $value; |
|
497 |
$first = false; |
|
498 |
} |
|
499 |
} |
|
500 |
} |
|
501 |
if ( !empty($fields_inc) ) |
|
502 |
{ |
|
503 |
foreach ( $fields_inc as $field => $indent ) |
|
504 |
{ |
|
505 |
if ( $indent != 0 ) |
|
506 |
{ |
|
507 |
$this->sql_update .= (empty($this->sql_update) ? '' : ', ') . $field . ' = ' . $field . ($indent < 0 ? ' - ' : ' + ') . abs($indent); |
|
508 |
} |
|
509 |
} |
|
510 |
} |
|
511 |
} |
|
512 |
||
513 |
function sql_stack_reset($id='') |
|
514 |
{ |
|
515 |
if ( empty($id) ) |
|
516 |
{ |
|
517 |
$this->sql_stack_fields = array(); |
|
518 |
$this->sql_stack_values = array(); |
|
519 |
} |
|
520 |
else |
|
521 |
{ |
|
522 |
$this->sql_stack_fields[$id] = array(); |
|
523 |
$this->sql_stack_values[$id] = array(); |
|
524 |
} |
|
525 |
} |
|
526 |
||
527 |
function sql_stack_statement(&$fields, $id='') |
|
528 |
{ |
|
529 |
$this->sql_statement($fields); |
|
530 |
if ( empty($id) ) |
|
531 |
{ |
|
532 |
$this->sql_stack_fields = $this->sql_fields; |
|
533 |
$this->sql_stack_values[] = '(' . $this->sql_values . ')'; |
|
534 |
} |
|
535 |
else |
|
536 |
{ |
|
537 |
$this->sql_stack_fields[$id] = $this->sql_fields; |
|
538 |
$this->sql_stack_values[$id][] = '(' . $this->sql_values . ')'; |
|
539 |
} |
|
540 |
} |
|
541 |
||
542 |
function sql_stack_insert($table, $transaction=false, $line='', $file='', $break_on_error=true, $id='') |
|
543 |
{ |
|
544 |
if ( (empty($id) && empty($this->sql_stack_values)) || (!empty($id) && empty($this->sql_stack_values[$id])) ) |
|
545 |
{ |
|
546 |
return false; |
|
547 |
} |
|
548 |
switch( SQL_LAYER ) |
|
549 |
{ |
|
550 |
case 'mysql': |
|
551 |
case 'mysql4': |
|
552 |
if ( empty($id) ) |
|
553 |
{ |
|
554 |
$sql = 'INSERT INTO ' . $table . ' |
|
555 |
(' . $this->sql_stack_fields . ') VALUES ' . implode(",\n", $this->sql_stack_values); |
|
556 |
} |
|
557 |
else |
|
558 |
{ |
|
559 |
$sql = 'INSERT INTO ' . $table . ' |
|
560 |
(' . $this->sql_stack_fields[$id] . ') VALUES ' . implode(",\n", $this->sql_stack_values[$id]); |
|
561 |
} |
|
562 |
$this->sql_stack_reset($id); |
|
563 |
return $this->sql_query($sql, $transaction, $line, $file, $break_on_error); |
|
564 |
break; |
|
565 |
default: |
|
566 |
$count_sql_stack_values = empty($id) ? count($this->sql_stack_values) : count($this->sql_stack_values[$id]); |
|
567 |
$result = !empty($count_sql_stack_values); |
|
568 |
for ( $i = 0; $i < $count_sql_stack_values; $i++ ) |
|
569 |
{ |
|
570 |
if ( empty($id) ) |
|
571 |
{ |
|
572 |
$sql = 'INSERT INTO ' . $table . ' |
|
573 |
(' . $this->sql_stack_fields . ') VALUES ' . $this->sql_stack_values[$i]; |
|
574 |
} |
|
575 |
else |
|
576 |
{ |
|
577 |
$sql = 'INSERT INTO ' . $table . ' |
|
578 |
(' . $this->sql_stack_fields[$id] . ') VALUES ' . $this->sql_stack_values[$id][$i]; |
|
579 |
} |
|
580 |
$result &= $this->sql_query($sql, $transaction, $line, $file, $break_on_error); |
|
581 |
} |
|
582 |
$this->sql_stack_reset($id); |
|
583 |
return $result; |
|
584 |
break; |
|
585 |
} |
|
586 |
} |
|
587 |
||
588 |
function sql_subquery($field, $sql, $line='', $file='', $break_on_error=true, $type=TYPE_INT) |
|
589 |
{ |
|
590 |
// sub-queries doable |
|
591 |
$this->sql_get_version(); |
|
592 |
if ( !in_array(SQL_LAYER, array('mysql', 'mysql4')) || (($this->sql_version[0] + ($this->sql_version[1] / 100)) >= 4.01) ) |
|
593 |
{ |
|
594 |
return $sql; |
|
595 |
} |
|
596 |
||
597 |
// no sub-queries |
|
598 |
$ids = array(); |
|
599 |
$result = $this->sql_query(trim($sql), false, $line, $file, $break_on_error); |
|
600 |
while ( $row = $this->sql_fetchrow($result) ) |
|
601 |
{ |
|
602 |
$ids[] = $type == TYPE_INT ? intval($row[$field]) : '\'' . $this->sql_escape_string($row[$field]) . '\''; |
|
603 |
} |
|
604 |
$this->sql_freeresult($result); |
|
605 |
return empty($ids) ? 'NULL' : implode(', ', $ids); |
|
606 |
} |
|
607 |
||
608 |
function sql_col_id($expr, $alias) |
|
609 |
{ |
|
610 |
$this->sql_get_version(); |
|
611 |
return in_array(SQL_LAYER, array('mysql', 'mysql4')) && (($this->sql_version[0] + ($this->sql_version[1] / 100)) <= 4.01) ? $alias : $expr; |
|
612 |
} |
|
613 |
||
614 |
function sql_get_version() |
|
615 |
{ |
|
616 |
if ( empty($this->sql_version) ) |
|
617 |
{ |
|
618 |
$this->sql_version = array(0, 0, 0); |
|
619 |
switch ( SQL_LAYER ) |
|
620 |
{ |
|
621 |
case 'mysql': |
|
622 |
case 'mysql4': |
|
623 |
if ( function_exists('mysql_get_server_info') ) |
|
624 |
{ |
|
625 |
$lo_version = explode('-', mysql_get_server_info()); |
|
626 |
$this->sql_version = explode('.', $lo_version[0]); |
|
627 |
$this->sql_version = array(intval($this->sql_version[0]), intval($this->sql_version[1]), intval($this->sql_version[2]), $lo_version[1]); |
|
628 |
} |
|
629 |
break; |
|
630 |
||
631 |
case 'postgresql': |
|
632 |
case 'mssql': |
|
633 |
case 'mssql-odbc': |
|
634 |
default: |
|
635 |
break; |
|
636 |
} |
|
637 |
} |
|
638 |
return $this->sql_version; |
|
639 |
} |
|
640 |
||
641 |
function sql_error() |
|
642 |
{ |
|
643 |
if ( $this->_conn ) |
|
644 |
{ |
|
645 |
return mysql_error(); |
|
646 |
} |
|
647 |
else |
|
648 |
{ |
|
649 |
return array(); |
|
650 |
} |
|
651 |
} |
|
652 |
function sql_escape_string($t) |
|
653 |
{ |
|
654 |
return mysql_real_escape_string($t); |
|
655 |
} |
|
656 |
function sql_close() |
|
657 |
{ |
|
658 |
$this->close(); |
|
659 |
} |
|
660 |
function sql_fetchrowset($query_id = 0) |
|
661 |
{ |
|
662 |
if( !$query_id ) |
|
663 |
{ |
|
664 |
$query_id = $this->query_result; |
|
665 |
} |
|
666 |
||
667 |
if( $query_id ) |
|
668 |
{ |
|
669 |
unset($this->rowset[$query_id]); |
|
670 |
unset($this->row[$query_id]); |
|
671 |
||
672 |
while($this->rowset[$query_id] = mysql_fetch_array($query_id, MYSQL_ASSOC)) |
|
673 |
{ |
|
674 |
$result[] = $this->rowset[$query_id]; |
|
675 |
} |
|
676 |
||
677 |
return $result; |
|
678 |
} |
|
679 |
else |
|
680 |
{ |
|
681 |
return false; |
|
682 |
} |
|
683 |
} |
|
684 |
} |
|
685 |
||
686 |
?> |