
Revision 1951

Added by darkviper about 11 years ago

solved problems with escaped strings in /modules/droplets/droplets.functions.php


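--- a/droplets.functions.php
+++ b/droplets.functions.php
@@ -77,52 +77,56 @@
 		$msgSql = '';
 		$extraSql = '';
 		$sDropletName = pathinfo ($sDropletFile, PATHINFO_FILENAME);
-		$sql = 'SELECT `code` FROM `'.$oDb->TablePrefix.'mod_droplets` WHERE `name` LIKE "'.$sDropletName.'" ';
-		if( !($oDb->get_one($sql)) ) {
+		$sql = 'SELECT `name` FROM `'.$oDb->TablePrefix.'mod_droplets` '
+		     . 'WHERE `name` LIKE \''.addcslashes($oDb->escapeString($sDropletName), '%_').'\' ';
+		if( !( $sTmpName = $oDb->get_one($sql)) )
+		{
 			$sql = 'INSERT INTO `'.$oDb->TablePrefix.'mod_droplets`';
-			$msgSql = 'INSERT Droplet `'.$sDropletName.'` INTO`'.$oDb->TablePrefix.'mod_droplets`'." $OK";
-		} elseif ($bOverwriteDroplets) {
+			$msgSql = 'INSERT Droplet `'.$oDb->escapeString($sDropletName).'` INTO`'.$oDb->TablePrefix.'mod_droplets`'." $OK";
+		} elseif ($bOverwriteDroplets) 
+		{
+			$sDropletName = $sTmpName;
 			$sql = 'UPDATE `'.$oDb->TablePrefix.'mod_droplets` ';
-			$extraSql = 'WHERE `name` = \''.$sDropletName.'\' ';
+			$extraSql = 'WHERE `name` = \''.addcslashes($oDb->escapeString($sDropletName), '%_').'\' ';
 			$msgSql = 'UPDATE Droplet `'.$sDropletName.'` INTO`'.$oDb->TablePrefix.'mod_droplets`'." $OK";
 		}
 // get description, comments and oode
 		$sDropletFile = preg_replace('/^\xEF\xBB\xBF/', '', $sDropletFile);
 		if( ($msgSql!='') && ($aFileData = file($sDropletFile)) ) {
-			$bDescription = false;
-			$bComments = false;
-			$bCode = false;
-			$sDescription = '';
-			$sComments = '';
-			$sCode = '';
-			$sPattern = "#//:#im";
-			while ( sizeof($aFileData) > 0 ) {
-				$sSqlLine = trim(array_shift($aFileData));
-				$isNotCode = (bool)preg_match($sPattern, $sSqlLine);
-				if( $isNotCode==true ) {
+				$bDescription = false;
+				$bComments = false;
+				$bCode = false;
+				$sDescription = '';
+				$sComments = '';
+				$sCode = '';
+				$sPattern = "#//:#im";
+				while ( sizeof($aFileData) > 0 ) {
+					$sSqlLine = trim(array_shift($aFileData));
+					$isNotCode = (bool)preg_match($sPattern, $sSqlLine);
+					if( $isNotCode==true ) {
 // first step line is description
-					if($bDescription==false) {
-						$sDescription .= str_replace('//:','',$sSqlLine);
-						$bDescription = true;
+						if($bDescription==false) {
+							$sDescription .= str_replace('//:','',$sSqlLine);
+							$bDescription = true;
+						} else {
+// second step fill comments
+							$sComments .= str_replace('//:','',$sSqlLine).PHP_EOL;
+						}
 					} else {
-// second step fill comments
-						$sComments .= str_replace('//:','',$sSqlLine).PHP_EOL;
+// third step fill code
+						$sCode .= str_replace('//:','',$sSqlLine).PHP_EOL;
 					}
-				} else {
-// third step fill code
-					$sCode .= str_replace('//:','',$sSqlLine).PHP_EOL;
 				}
-			}
-		$iModifiedWhen = time();
-		$iModifiedBy = (method_exists($admin, 'get_user_id') && ($admin->get_user_id()!=null) ? $admin->get_user_id() : 1);
-		$sql .= 'SET  `name` =\''.$oDb->escapeString($sDropletName).'\','
-		     .       '`description` =\''.$oDb->escapeString($sDescription).'\','
-		     .       '`comments` =\''.$oDb->escapeString($sComments).'\','
-		     .       '`code` =\''.$oDb->escapeString($sCode).'\','
-		     .       '`modified_when` = '.$iModifiedWhen.','
-		     .       '`modified_by` = '.$iModifiedBy.','
-		     .       '`active` = 1'
-		     .       $extraSql;
+			$iModifiedWhen = time();
+			$iModifiedBy = (method_exists($admin, 'get_user_id') && ($admin->get_user_id()!=null) ? $admin->get_user_id() : 1);
+			$sql .= 'SET  `name` =\''.$oDb->escapeString($sDropletName).'\','
+				 .       '`description` =\''.$oDb->escapeString($sDescription).'\','
+				 .       '`comments` =\''.$oDb->escapeString($sComments).'\','
+				 .       '`code` =\''.$oDb->escapeString($sCode).'\','
+				 .       '`modified_when` = '.$iModifiedWhen.','
+				 .       '`modified_by` = '.$iModifiedBy.','
+				 .       '`active` = 1'
+				 .       $extraSql;
 		}
 		if( $oDb->query($sql) ) {
 			if( $msgSql!='' ) { $msg[] = $msgSql; }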
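Review bot: The INSERT message at new line 85 runs `$oDb->escapeString()` on a string that is only displayed, never sent to the database, so a droplet name containing a quote or backslash is shown with SQL escape sequences, while the UPDATE message at line 91 shows the same name unescaped. SQL escaping belongs on the statements at lines 81, 90 and 122 only; the message should read `$msgSql = 'INSERT Droplet `'.$sDropletName.'` INTO`'.$oDb->TablePrefix.'mod_droplets`'." $OK";` and be HTML-escaped where `$msg` is rendered, which is outside this hunk. Separately, the new check `if( !( $sTmpName = $oDb->get_one($sql)) )` treats a droplet named `0` as absent because the returned string is falsy, so such a file would be inserted a second time instead of updated; comparing against get_one's no-row value (presumably false or null) with `===` avoids that. The enclosing function starts and ends outside the hunk.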
