
Revision 1885

Added by Dietmar over 11 years ago

  1. protect magic setter to fix security issue in WbDatabase
    + additional arguments for Charset and TablePrefix in WbDatabase::doConnect
    + WbDatabase now can activate SET NAMES by doConnect argument
    + WbDatabase now provides the TablePrefix property as well (WbDatabase::TablePrefix)
    + initialize.php now also supports Charset and TablePrefix settings from setup.ini.php
    ! in setup.ini.php some keys are renamed (WB_URL => AppUrl and ADMIN_DIRECTORY => AcpDir)


WbDatabase.php
32 32
 */
33 33

  
34 34
/* -------------------------------------------------------- */
35
define('DATABASE_CLASS_LOADED', true);
35
@define('DATABASE_CLASS_LOADED', true);
36 36

  
37 37
class WbDatabase {
38 38

  
39 39
	private static $_oInstances = array();
40 40

  
41
	private $_db_handle = null; // readonly from outside
42
	private $_db_name   = '';
43
	private $connected  = false;
44
	private $error      = '';
45
	private $error_type = '';
46
	private $iQueryCount= 0;
41
	private $_db_handle  = null; // readonly from outside
42
	private $_db_name    = '';
43
	protected $sTablePrefix = '';
44
	protected $sCharset     = 'utf8';
45
	protected $connected    = false;
46
	protected $error        = '';
47
	protected $error_type   = '';
48
	protected $iQueryCount  = 0;
47 49

  
48 50
/* prevent from public instancing */
49 51
	protected function  __construct() {}
......
81 83
 * Example for SQL-Url:  'mysql://user:password@demo.de[:3306]/datenbank'
82 84
 */
83 85
	public function doConnect($url = '') {
86
		$this->connected = false;
84 87
		if($url != '') {
85 88
			$aIni = parse_url($url);
86 89
			
......
91 94
			$hostport = isset($aIni['port']) ? $aIni['port'] : '3306';
92 95
			$hostport = $hostport == '3306' ? '' : ':'.$hostport;
93 96
			$db_name  = ltrim(isset($aIni['path']) ? $aIni['path'] : '', '/\\');
97
			$sTmp = isset($aIni['query']) ? $aIni['query'] : '';
98
			$aQuery = explode('&', $sTmp);
99
			foreach($aQuery as $sArgument) {
100
				$aArg = explode('=', $sArgument);
101
				switch(strtolower($aArg[0])) {
102
					case 'charset':
103
						$this->sCharset = strtolower(preg_replace('/[^a-z0-9]/i', '', $aArg[1]));
104
						break;
105
					case 'tableprefix':
106
						$this->sTablePrefix = $aArg[1];
107
						break;
108
					default:
109
						break;
110
				}
111
			}
94 112
			$this->_db_name = $db_name;
95 113
		}else {
96
			throw new RuntimeException('Missing parameter: unable to connect database');
114
			throw new WbDatabaseException('Missing parameter: unable to connect database');
97 115
		}
98
		$this->_db_handle = mysql_connect($hostname.$hostport,
116
		$this->_db_handle = @mysql_connect($hostname.$hostport,
99 117
		                                  $username,
100 118
		                                  $password);
101 119
		if(!$this->_db_handle) {
102
			throw new RuntimeException('unable to connect \''.$scheme.'://'.
120
			throw new WbDatabaseException('unable to connect \''.$scheme.'://'.
103 121
			                           $hostname.$hostport.'\'');
104 122
		} else {
105
			if(!mysql_select_db($db_name)) {
106
				throw new RuntimeException('unable to select database \''.$db_name.
123
			if(!@mysql_select_db($db_name)) {
124
				throw new WbDatabaseException('unable to select database \''.$db_name.
107 125
				                           '\' on \''.$scheme.'://'.
108 126
				                           $hostname.$hostport.'\'');
109 127
			} else {
128
				if($this->sCharset) {
129
					@mysql_query('SET NAMES \''.$this->sCharset.'\'');
130
				}
110 131
				$this->connected = true;
111 132
			}
112 133
		}
......
170 191
	public function get_error() {
171 192
		return $this->error;
172 193
	}
173

  
174
	// Return escape_string
175 194
/**
176
 * escape a string for use in DB
177
 * @param string 
178
 * @return string
195
 * Protect class from property injections
196
 * @param string name of property
197
 * @param mixed value
198
 * @throws WbDatabaseException
179 199
 */	
180
	public function escapeString($string) {
181
		return mysql_real_escape_string($string, $this->_db_handle);
200
	public function __set($name, $value) {
201
		throw new WbDatabaseException('tried to set a readonly or nonexisting property ['.$name.']!! ');
182 202
	}
183

  
184 203
/**
185 204
 * default Getter for some properties
186 205
 * @param string name of the Property
......
195 214
				$retval = $this->_db_handle;
196 215
				break;
197 216
			case 'LastInsertId':
217
			case 'getLastInsertId':
198 218
				$retval = mysql_insert_id($this->_db_handle);
199 219
				break;
200 220
			case 'db_name':
......
202 222
			case 'getDbName':
203 223
				$retval = $this->_db_name;
204 224
				break;
225
			case 'TablePrefix':
226
			case 'getTablePrefix':
227
				$retval = $this->sTablePrefix;			
228
				break;
205 229
			case 'getQueryCount':
206 230
				$retval = $this->iQueryCount;
207 231
				break;
......
211 235
		endswitch;
212 236
		return $retval;
213 237
	} // __get()
214

  
238
/**
239
 * Escapes special characters in a string for use in an SQL statement
240
 * @param string $unescaped_string
241
 * @return string
242
 */
243
	public function escapeString($unescaped_string)
244
	{
245
		return mysql_real_escape_string($unescaped_string, $this->_db_handle);
246
	}
247
/**
248
 * Last inserted Id
249
 * @return bool|int false on error, 0 if no record inserted
250
 */	
251
	public function getLastInsertId()
252
	{
253
		return mysql_insert_id($this->_db_handle);
254
	}
215 255
/*
216 256
 * @param string full name of the table (incl. TABLE_PREFIX)
217 257
 * @param string name of the field to seek for
......
223 263
		$query = $this->query($sql, $this->_db_handle);
224 264
		return ($query->numRows() != 0);
225 265
	}
226

  
227 266
/*
228 267
 * @param string full name of the table (incl. TABLE_PREFIX)
229 268
 * @param string name of the index to seek for
......
322 361
     public function index_add($table_name, $index_name, $field_list, $index_type = 'KEY')
323 362
     {
324 363
        $retval = false;
325
        $field_list = str_replace(' ', '', $field_list);
326
        $field_list = explode(',', $field_list);
364
        $field_list = explode(',', (str_replace(' ', '', $field_list)));
327 365
        $number_fields = sizeof($field_list);
328 366
        $field_list = '`'.implode('`,`', $field_list).'`';
329 367
        $index_name = $index_type == 'PRIMARY' ? $index_type : $index_name;
......
421 459

  
422 460

  
423 461
} /// end of class database
462
// //////////////////////////////////////////////////////////////////////////////////// //
463
/**
464
 * WbDatabaseException
465
 *
466
 * @category     Core
467
 * @package      Core_database
468
 * @author       Werner v.d.Decken <wkl@isteam.de>
469
 * @copyright    Werner v.d.Decken <wkl@isteam.de>
470
 * @license      http://www.gnu.org/licenses/gpl.html   GPL License
471
 * @version      2.9.0
472
 * @revision     $Revision$
473
 * @lastmodified $Date$
474
 * @description  Exceptionhandler for the WbDatabase and depending classes
475
 */
476
class WbDatabaseException extends AppException {}
424 477

  
425 478
define('MYSQL_SEEK_FIRST', 0);
426 479
define('MYSQL_SEEK_LAST', -1);
......
469 522
	}
470 523

  
471 524
}
472

  
525
// //////////////////////////////////////////////////////////////////////////////////// //
473 526
/* this function is placed inside this file temporarely until a better place is found */
474 527
/*  function to update a var/value-pair(s) in table ****************************
475 528
 *  nonexisting keys are inserted
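Review bot: In the doConnect hunk the tableprefix value parsed from the connection URL is stored unfiltered at `$this->sTablePrefix = $aArg[1];`, while the charset case directly above it is reduced to [a-z0-9]; since the prefix is presumably spliced into SQL identifiers by callers, it should be restricted the same way (identifier characters only). Two further points in the same hunk: `explode('=', $sArgument)` produces no `$aArg[1]` for a query argument without `=`, so the loop should skip such entries instead of reading an undefined offset, and `@mysql_query('SET NAMES ...')` switches the server-side connection charset without informing the client library that `mysql_real_escape_string` (used in escapeString further down) relies on, which is the documented reason to prefer `mysql_set_charset($this->sCharset, $this->_db_handle)` and to check its return value. The `@` newly placed on mysql_connect and mysql_select_db also discards the driver message; appending `mysql_error()` to the thrown WbDatabaseException messages would preserve it for the log. doConnect's body continues past the hunk.
```php
			foreach($aQuery as $sArgument) {
				$aArg = explode('=', $sArgument, 2);
				if(count($aArg) < 2) { continue; } // argument without '=' carries no value
				switch(strtolower($aArg[0])) {
					// … unchanged: 'charset' case …
					case 'tableprefix':
						// identifier-safe characters only; the prefix ends up inside SQL
						$this->sTablePrefix = preg_replace('/[^a-z0-9_]/i', '', $aArg[1]);
						break;
					// … unchanged: default case …
				}
			}
			// … unchanged: _db_name assignment, mysql_connect, mysql_select_db …
				if($this->sCharset && !mysql_set_charset($this->sCharset, $this->_db_handle)) {
					throw new WbDatabaseException('unable to set charset \''.$this->sCharset.'\': '.mysql_error($this->_db_handle));
				}
```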
