From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty
---
interface/lib/classes/db_mysql.inc.php | 88 +++++++++++++++++++++++++++++++++-----------
1 files changed, 66 insertions(+), 22 deletions(-)
diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
index 59dcff8..edd1f7a 100644
--- a/interface/lib/classes/db_mysql.inc.php
+++ b/interface/lib/classes/db_mysql.inc.php
@@ -36,6 +36,7 @@
private $_iConnId;
private $dbHost = ''; // hostname of the MySQL server
+ private $dbPort = ''; // port of the MySQL server
private $dbName = ''; // logical database name on that server
private $dbUser = ''; // database authorized user
private $dbPass = ''; // user's password
@@ -54,7 +55,9 @@
private $autoCommit = 1; // Autocommit Transactions
private $currentRow; // current row number
private $errorNumber = 0; // last error number
+ */
public $errorMessage = ''; // last error message
+ /*
private $errorLocation = '';// last error location
private $isConnected = false; // needed to know if we have a valid mysqli object from the constructor
////
@@ -65,6 +68,7 @@
global $conf;
if($prefix != '') $prefix .= '_';
$this->dbHost = $conf[$prefix.'db_host'];
+ $this->dbPort = $conf[$prefix.'db_port'];
$this->dbName = $conf[$prefix.'db_database'];
$this->dbUser = $conf[$prefix.'db_user'];
$this->dbPass = $conf[$prefix.'db_password'];
@@ -72,13 +76,13 @@
$this->dbNewLink = $conf[$prefix.'db_new_link'];
$this->dbClientFlags = $conf[$prefix.'db_client_flags'];
- $this->_iConnId = mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass);
+ $this->_iConnId = mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass, '', (int)$this->dbPort);
$try = 0;
while((!is_object($this->_iConnId) || mysqli_connect_error()) && $try < 5) {
if($try > 0) sleep(1);
$try++;
- $this->_iConnId = mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass);
+ $this->_iConnId = mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass, '', (int)$this->dbPort);
}
if(!is_object($this->_iConnId) || mysqli_connect_error()) {
@@ -128,8 +132,10 @@
$sTxt = $this->escape($sValue);
$sTxt = str_replace('`', '', $sTxt);
- if(strpos($sTxt, '.') !== false) $sTxt = preg_replace('/^(.+)\.(.+)$/', '`$1`.`$2`', $sTxt);
- else $sTxt = '`' . $sTxt . '`';
+ if(strpos($sTxt, '.') !== false) {
+ $sTxt = preg_replace('/^(.+)\.(.+)$/', '`$1`.`$2`', $sTxt);
+ $sTxt = str_replace('.`*`', '.*', $sTxt);
+ } else $sTxt = '`' . $sTxt . '`';
$sQuery = substr_replace($sQuery, $sTxt, $iPos2, 2);
$iPos2 += strlen($sTxt);
@@ -137,13 +143,17 @@
} else {
if(is_int($sValue) || is_float($sValue)) {
$sTxt = $sValue;
- } elseif(is_string($sValue) && (strcmp($sValue, '#NULL#') == 0)) {
+ } elseif(is_null($sValue) || (is_string($sValue) && (strcmp($sValue, '#NULL#') == 0))) {
$sTxt = 'NULL';
} elseif(is_array($sValue)) {
- $sTxt = '';
- foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
- $sTxt = '(' . substr($sTxt, 1) . ')';
- if($sTxt == '()') $sTxt = '(0)';
+ if(isset($sValue['SQL'])) {
+ $sTxt = $sValue['SQL'];
+ } else {
+ $sTxt = '';
+ foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
+ $sTxt = '(' . substr($sTxt, 1) . ')';
+ if($sTxt == '()') $sTxt = '(0)';
+ }
} else {
$sTxt = '\'' . $this->escape($sValue) . '\'';
}
@@ -234,7 +244,7 @@
$try++;
$ok = mysqli_ping($this->_iConnId);
if(!$ok) {
- if(!mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass, $this->dbName)) {
+ if(!mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass, $this->dbName, (int)$this->dbPort)) {
if($try > 4) {
$this->_sqlerror('DB::query -> reconnect');
return false;
@@ -254,7 +264,7 @@
$this->_iQueryId = @mysqli_query($this->_iConnId, $sQuery);
if (!$this->_iQueryId) {
- $this->_sqlerror('Falsche Anfrage / Wrong Query', false, 'SQL-Query = ' . $sQuery);
+ $this->_sqlerror('Falsche Anfrage / Wrong Query', 'SQL-Query = ' . $sQuery);
return false;
}
@@ -473,7 +483,7 @@
$cur_encoding = mb_detect_encoding($sString);
if($cur_encoding != "UTF-8") {
if($cur_encoding != 'ASCII') {
- $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO);
+ if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO);
if($cur_encoding) $sString = mb_convert_encoding($sString, 'UTF-8', $cur_encoding);
else $sString = mb_convert_encoding($sString, 'UTF-8');
}
@@ -495,6 +505,7 @@
$mysql_error = (is_object($this->_iConnId) ? mysqli_error($this->_iConnId) : mysqli_connect_error());
$mysql_errno = (is_object($this->_iConnId) ? mysqli_errno($this->_iConnId) : mysqli_connect_errno());
+ $this->errorMessage = $mysql_error;
//$sAddMsg .= getDebugBacktrace();
@@ -534,7 +545,27 @@
}
return $out;
}
-
+
+ public function insertFromArray($tablename, $data) {
+ if(!is_array($data)) return false;
+
+ $k_query = '';
+ $v_query = '';
+
+ $params = array($tablename);
+ $v_params = array();
+
+ foreach($data as $key => $value) {
+ $k_query .= ($k_query != '' ? ', ' : '') . '??';
+ $v_query .= ($v_query != '' ? ', ' : '') . '?';
+ $params[] = $key;
+ $v_params[] = $value;
+ }
+
+ $query = 'INSERT INTO ?? (' . $k_query . ') VALUES (' . $v_query . ')';
+ return $this->query($query, true, $params + $v_params);
+ }
+
public function diffrec($record_old, $record_new) {
$diffrec_full = array();
$diff_num = 0;
@@ -578,7 +609,6 @@
if(!preg_match('/^[a-zA-Z0-9\-\_\.]{1,64}$/',$db_table)) $app->error('Invalid table name '.$db_table);
if(!preg_match('/^[a-zA-Z0-9\-\_]{1,64}$/',$primary_field)) $app->error('Invalid primary field '.$primary_field.' in table '.$db_table);
- $primary_field = $this->quote($primary_field);
$primary_id = intval($primary_id);
if($force_update == true) {
@@ -626,20 +656,27 @@
if(is_array($insert_data)) {
$key_str = '';
$val_str = '';
+ $params = array($tablename);
+ $v_params = array();
foreach($insert_data as $key => $val) {
- $key_str .= "`".$key ."`,";
- $val_str .= "'".$this->escape($val)."',";
+ $key_str .= '??,';
+ $params[] = $key;
+
+ $val_str .= '?,';
+ $v_params[] = $val;
}
$key_str = substr($key_str, 0, -1);
$val_str = substr($val_str, 0, -1);
$insert_data_str = '('.$key_str.') VALUES ('.$val_str.')';
+ $this->query("INSERT INTO ?? $insert_data_str", true, array_merge($params, $v_params));
} else {
+ /* TODO: deprecate this method! */
$insert_data_str = $insert_data;
+ $this->query("INSERT INTO ?? $insert_data_str", $tablename);
+ $app->log("deprecated use of passing values to datalogInsert() - table " . $tablename, 1);
}
- /* TODO: reduce risk of insert_data_str! */
-
+
$old_rec = array();
- $this->query("INSERT INTO ?? $insert_data_str", $tablename);
$index_value = $this->insertID();
$new_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ? = ?", $tablename, $index_field, $index_value);
$this->datalogSave($tablename, 'INSERT', $index_field, $index_value, $old_rec, $new_rec);
@@ -658,17 +695,24 @@
$old_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ?? = ?", $tablename, $index_field, $index_value);
if(is_array($update_data)) {
+ $params = array($tablename);
$update_data_str = '';
foreach($update_data as $key => $val) {
- $update_data_str .= "`".$key ."` = '".$this->escape($val)."',";
+ $update_data_str .= '?? = ?,';
+ $params[] = $key;
+ $params[] = $val;
}
+ $params[] = $index_field;
+ $params[] = $index_value;
$update_data_str = substr($update_data_str, 0, -1);
+ $this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", true, $params);
} else {
+ /* TODO: deprecate this method! */
$update_data_str = $update_data;
+ $this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", $tablename, $index_field, $index_value);
+ $app->log("deprecated use of passing values to datalogUpdate() - table " . $tablename, 1);
}
- /* TODO: reduce risk of update_data_str */
- $this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", $tablename, $index_field, $index_value);
$new_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ?? = ?", $tablename, $index_field, $index_value);
$this->datalogSave($tablename, 'UPDATE', $index_field, $index_value, $old_rec, $new_rec, $force_update);
--
Gitblit v1.9.1