Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make sure not to double-escape strings used in SQL. Fixed some formatting to comply with style guidelines.

This commit is contained in:
paul 2006-10-25 20:33:35 +00:00
parent 49187026cb
commit 6ad26b3080
1 changed files with 18 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
campcaster/src/modules/alib/var/m2tree.php
View File

@ -82,7 +82,7 @@ class M2tree {
* @param string $type * @param string $type
* type of new object * type of new object
* @param int $parid * @param int $parid
* optional, parent id * parent id
* @return mixed * @return mixed
* int/err - new id of inserted object or PEAR::error * int/err - new id of inserted object or PEAR::error
*/ */
@ -109,9 +109,11 @@ class M2tree {
if ($this->dbc->isError($oid)) { if ($this->dbc->isError($oid)) {
return $this->_dbRollback($oid); return $this->_dbRollback($oid);
} }
$escapedName = pg_escape_string($name);
$escapedType = pg_escape_string($type);
$r = $this->dbc->query(" $r = $this->dbc->query("
INSERT INTO {$this->treeTable} (id, name, type) INSERT INTO {$this->treeTable} (id, name, type)
VALUES ($oid, '$name', '$type') VALUES ($oid, '$escapedName', '$escapedType')
"); ");
if ($this->dbc->isError($r)) { if ($this->dbc->isError($r)) {
return $this->_dbRollback($r); return $this->_dbRollback($r);
@ -321,8 +323,7 @@ class M2tree {
* object id to rename * object id to rename
* @param string $newName * @param string $newName
* new name * new name
* @return mixed * @return TRUE/PEAR_Error
* boolean/err - True or PEAR::error
*/ */
function renameObj($oid, $newName) function renameObj($oid, $newName)
{ {
@ -340,10 +341,10 @@ class M2tree {
if ($this->dbc->isError($xid)) { if ($this->dbc->isError($xid)) {
return $xid; return $xid;
} }
$newName = pg_escape_string($newName); $escapedName = pg_escape_string($newName);
$r = $this->dbc->query(" $r = $this->dbc->query("
UPDATE {$this->treeTable} UPDATE {$this->treeTable}
SET name='$newName' SET name='$escapedName'
WHERE id=$oid WHERE id=$oid
"); ");
if ($this->dbc->isError($r)) { if ($this->dbc->isError($r)) {
@ -360,7 +361,7 @@ class M2tree {
* @param string $name * @param string $name
* searched name * searched name
* @param int $parId * @param int $parId
* optional, parent id (default is root node) * parent id (default is root node)
* @return mixed * @return mixed
* int/null/err - child id (if found) or null or PEAR::error * int/null/err - child id (if found) or null or PEAR::error
*/ */
@ -369,13 +370,13 @@ class M2tree {
if ( ($name == '') && is_null($parId)) { if ( ($name == '') && is_null($parId)) {
$name = $this->rootNodeName; $name = $this->rootNodeName;
} }
$name = pg_escape_string($name); $escapedName = pg_escape_string($name);
$parcond = (is_null($parId) ? "parid is null" : $parcond = (is_null($parId) ? "parid is null" :
"parid='$parId' AND level=1"); "parid='$parId' AND level=1");
$r = $this->dbc->getOne(" $r = $this->dbc->getOne("
SELECT id FROM {$this->treeTable} t SELECT id FROM {$this->treeTable} t
LEFT JOIN {$this->structTable} s ON id=objid LEFT JOIN {$this->structTable} s ON id=objid
WHERE name='$name' AND $parcond" WHERE name='$escapedName' AND $parcond"
); );
if ($this->dbc->isError($r)) { if ($this->dbc->isError($r)) {
return $r; return $r;
@ -389,7 +390,7 @@ class M2tree {
* *
* @param int $oid * @param int $oid
* @param string $fld * @param string $fld
* optional, requested field (default: name) * requested field (default: name)
* @return mixed * @return mixed
* string/err * string/err
*/ */
@ -435,7 +436,7 @@ class M2tree {
* Get array of nodes in object's path from root node * Get array of nodes in object's path from root node
* *
* @param int $oid * @param int $oid
* @param string $flds, optional * @param string $flds
* @param boolean $withSelf * @param boolean $withSelf
* flag for include specified object to the path * flag for include specified object to the path
* @return array/err * @return array/err
@ -471,9 +472,9 @@ class M2tree {
* *
* @param int $oid * @param int $oid
* @param string $flds * @param string $flds
* optional, comma separated list of requested fields * comma separated list of requested fields
* @param string $order * @param string $order
* optional, fieldname for order by clause * fieldname for order by clause
* @return array/err * @return array/err
*/ */
function getDir($oid, $flds='id', $order='name') function getDir($oid, $flds='id', $order='name')
@ -496,10 +497,9 @@ class M2tree {
* object id * object id
* @param string $flds * @param string $flds
* list of field names for select * list of field names for select
* (optional - default: 'level')
* @param int $rootId * @param int $rootId
* root for relative levels * root for relative levels
* (optional - default: NULL - use root of whole tree) * (if NULL - use root of whole tree)
* @return hash-array with field name/value pairs * @return hash-array with field name/value pairs
*/ */
function getObjLevel($oid, $flds='level', $rootId=NULL) function getObjLevel($oid, $flds='level', $rootId=NULL)
@ -525,11 +525,11 @@ class M2tree {
* Get subtree of specified node * Get subtree of specified node
* *
* @param int $oid * @param int $oid
* optional, default: root node * default: root node
* @param boolean $withRoot * @param boolean $withRoot
* optional, include/exclude specified node * include/exclude specified node
* @param int $rootId * @param int $rootId
* root for relative levels, optional * root for relative levels
* @return mixed * @return mixed
* array/err * array/err
*/ */