function sql_internal($dblink, $sql)
{
    // Executes $sql on $dblink after substituting its &-placeholders.
    //
    // Placeholder forms handled below:
    //   &N    (digits)            -> N-th extra argument (1-based). A numeric value is
    //                                interpolated verbatim; a string value is accepted only
    //                                when the placeholder is wrapped in '...' (sql_escape) or
    //                                `...` (sql_escape_backtick), otherwise sql_error($sql).
    //                                A missing argument becomes NULL (a surrounding '' is dropped).
    //   &name (alnum and '_')     -> $opt['db']['placeholder'][name] or $db['temptables'][name],
    //                                emitted backtick-quoted via sql_escape_backtick();
    //                                an unknown name -> sql_error($sql).
    //   \&                        -> literal '&' (unescaped in a second pass at the end).
    //
    // Extra arguments are taken from func_get_args(); alternatively the third
    // argument may be one numerically indexed array holding all values.
    // Returns the mysql_query() (or debugger) result; a failed query is passed to sql_error().
    global $opt, $db, $sqldebugger;

    $args = func_get_args();
    unset($args[0]);
    unset($args[1]);

    /* as an option, you can give as second parameter an array
     * with all values for the placeholder. The array has to be
     * with numeric indizes. */
    if (isset($args[2]) && is_array($args[2])) {
        $tmp_args = $args[2];
        unset($args);
        // correct indizes: placeholders are 1-based, so shift the values by one and drop index 0
        $args = array_merge(array(0), $tmp_args);
        unset($tmp_args);
        unset($args[0]);
    }

    $sqlpos = 0;          // first byte of $sql not yet copied into $filtered_sql
    $filtered_sql = '';

    // replace every &x in $sql with the placeholder or parameter
    $nextarg = strpos($sql, '&');
    while ($nextarg !== false) {
        // & escaped? count the backslashes directly in front of it
        // NOTE(review): the bound "> 0" never inspects index 0, so a backslash at the very
        // start of $sql is not counted as an escape — confirm whether that is intended.
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }

        if ($escapesCount % 2 == 1) {
            // odd number of backslashes: this & is escaped, leave it for the second pass
            $nextarg++;
        } else {
            $nextchar = substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                $arglength = 0;
                $arg = '';
                // find next non-digit
                while (preg_match('/^[0-9]{1}/', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = substr($sql, $nextarg + $arglength + 1, 1);
                }

                // ok ... replace
                $filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);
                // $sqlpos now points at the last digit; $sqlpos - $arglength - 1 is the
                // character before the '&', $sqlpos + 1 the character after the digits
                $sqlpos = $nextarg + $arglength;

                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        // numeric values go in verbatim and unquoted; is_numeric() is what
                        // keeps them from carrying any SQL syntax
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
                            $filtered_sql .= sql_escape($args[$arg]);
                        } elseif (substr($sql, $sqlpos - $arglength - 1, 1) == '`' && substr($sql, $sqlpos + 1, 1) == '`') {
                            $filtered_sql .= sql_escape_backtick($args[$arg]);
                        } else {
                            // a string argument outside '...' / `...` is refused rather than interpolated
                            sql_error($sql);
                        }
                    }
                } else {
                    // NULL
                    if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
                        // strip apostroph and insert NULL
                        $filtered_sql = substr($filtered_sql, 0, strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                $sqlpos++;
            } else {
                $arglength = 0;
                $arg = '';
                // find next non-alphanumeric char
                // (added '_' - it is used in temptable names - following 2013/07/18)
                while (preg_match('/^[a-zA-Z0-9_]{1}/', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = substr($sql, $nextarg + $arglength + 1, 1);
                }

                // ok ... replace
                $filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);

                if (isset($opt['db']['placeholder'][$arg])) {
                    // add backticks unless the query already supplies them around the placeholder
                    if (substr($sql, $nextarg - 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                    $filtered_sql .= sql_escape_backtick($opt['db']['placeholder'][$arg]);
                    if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                } elseif (isset($db['temptables'][$arg])) {
                    // temp tables live in the configured tmpdb: `tmpdb`.`table`
                    if (substr($sql, $nextarg - 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                    $filtered_sql .= sql_escape_backtick($opt['db']['placeholder']['tmpdb']) . '`.`' . sql_escape_backtick($db['temptables'][$arg]);
                    if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                } else {
                    sql_error($sql);
                }

                $sqlpos = $nextarg + $arglength + 1;
            }
        }

        $nextarg = strpos($sql, '&', $nextarg + 1);
    }

    // append the rest
    $filtered_sql .= substr($sql, $sqlpos);

    // strip escapes of &
    $nextarg = strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }

        if ($escapesCount % 2 == 0) {
            // strip escapes of &
            $filtered_sql = substr($filtered_sql, 0, $nextarg) . '&' . substr($filtered_sql, $nextarg + 2);
            $nextarg--;
        }

        $nextarg = strpos($filtered_sql, '\\&', $nextarg + 2);
    }

    //
    // ok ... filtered_sql is ready for usage
    //

    /* todo:
       - errorlogging
       - LIMIT
       - block DROP/DELETE */

    if (isset($db['debug']) && $db['debug'] == true) {
        require_once $opt['rootpath'] . 'lib2/sqldebugger.class.php';
        $result = $sqldebugger->execute($filtered_sql, $dblink, $dblink === $db['dblink_slave'], $db['slave_server']);
        if ($result === false) {
            sql_error($filtered_sql);
        }
    } else {
        // measure time
        if ($opt['db']['warn']['time'] > 0) {
            $cSqlExecution = new CBench();
            $cSqlExecution->start();
        }

        // '@' hides the driver warning; the failure itself is reported through sql_error() below
        $result = @mysql_query($filtered_sql, $dblink);
        if ($result === false) {
            sql_error($filtered_sql);
        }

        if ($opt['db']['warn']['time'] > 0) {
            $cSqlExecution->stop();
            if ($cSqlExecution->diff() > $opt['db']['warn']['time']) {
                $ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
                sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
            }
        }
    }

    return $result;
}
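public function execute($sql, $dblink, $bQuerySlave, $sServer)
{
    // Runs $sql on $dblink and records it (result preview, EXPLAIN output, warnings,
    // runtime, affected rows) in $this->commands for the SQL debugger.
    //
    // $sql          the fully substituted query text
    // $dblink       mysql link resource to run it on
    // $bQuerySlave  whether $dblink is the slave connection (recorded for display)
    // $sServer      server name (recorded for display)
    // Returns the mysql_query() result (resource/true, or false on error).
    //
    // Changes vs. the previous version: result sets of the preview/EXPLAIN/SHOW WARNINGS
    // queries are only read when the query succeeded (no false passed into
    // sql_num_rows()), the SHOW WARNINGS result is freed, and the unused locals
    // $bUseExplain / $bError / $sqlexplain-only flags are gone.
    global $db;

    // after 1000 recorded commands the debugger switches itself off and just passes through
    if (count($this->commands) >= 1000) {
        $this->cancel = true;
        return mysql_query($sql, $dblink);
    }

    $command = array(
        'sql' => $sql,
        'explain' => array(),
        'result' => array(),
        'warnings' => array(),
        'runtime' => 0,
        'affected' => 0,
        'count' => -1,
        'mode' => $db['mode'],
        'slave' => $bQuerySlave,
        'server' => $sServer,
        'dblink' => '' . $dblink,
    );

    $sql = trim($sql);
    $sqlexplain = $sql;

    // presumably strip_from()/strip_temptable() reduce these statements to their
    // SELECT part so it can be previewed and EXPLAINed — confirm against those helpers
    if (strtoupper(substr($sqlexplain, 0, 7)) == 'DELETE ') {
        $sqlexplain = $this->strip_from($sqlexplain);
    } elseif (strtoupper(substr($sqlexplain, 0, 12)) == 'INSERT INTO ' || strtoupper(substr($sqlexplain, 0, 19)) == 'INSERT IGNORE INTO ') {
        $sqlexplain = $this->strip_temptable($sqlexplain);
    } elseif (strtoupper(substr($sqlexplain, 0, 23)) == 'CREATE TEMPORARY TABLE ') {
        $sqlexplain = $this->strip_temptable($sqlexplain);
    }

    if (strtoupper(substr($sqlexplain, 0, 7)) == 'SELECT ') {
        // we can use EXPLAIN
        $rs = mysql_query($sqlexplain, $dblink);
        if ($rs !== false) {
            $command['count'] = sql_num_rows($rs);
            // keep at most 25 rows for the preview
            $c = 0;
            while ($r = sql_fetch_assoc($rs)) {
                if ($c == 25) {
                    break;
                }
                $command['result'][] = $r;
                $c++;
            }
            sql_free_result($rs);
        }

        $rs = mysql_query('EXPLAIN EXTENDED ' . $sqlexplain, $dblink);
        if ($rs !== false) {
            while ($r = sql_fetch_assoc($rs)) {
                $command['explain'][] = $r;
            }
            sql_free_result($rs);
        }
    }

    // dont use query cache!
    $sql = $this->insert_nocache($sql);

    $bSqlExecution = new CBench();
    $bSqlExecution->start();
    $rsResult = mysql_query($sql, $dblink);
    $bSqlExecution->stop();

    $command['affected'] = mysql_affected_rows($dblink);

    $rs = mysql_query('SHOW WARNINGS', $dblink);
    if ($rs !== false) {
        while ($r = sql_fetch_assoc($rs)) {
            $command['warnings'][] = $r['Message'];
        }
        sql_free_result($rs);
    }

    $command['runtime'] = $bSqlExecution->Diff();
    $this->commands[] = $command;

    return $rsResult;
}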
}
$sLoggedOut = mb_ereg_replace('{target}', $target, $sLoggedOut);
tpl_set_var('loginbox', $sLoggedOut);
// the login link is forced onto the absolute https URL when the config asks for it
tpl_set_var('login_url', ($opt['page']['https']['force_login'] ? $opt['page']['absolute_https_url'] : '') . 'login.php');
} else {
    //user logged in
    $sTmpString = mb_ereg_replace('{username}', $usr['username'], $sLoggedIn);
    tpl_set_var('loginbox', $sTmpString);
    unset($sTmpString);
}
}

// are we Ocprop?
// NOTE(review): the User-Agent header is client-supplied, so $ocpropping is a
// hint about the client, not an authenticated identity — check how callers use it
$ocpropping = isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], "Ocprop/") !== false;

// script execution timing
$bScriptExecution = new CBench();
$bScriptExecution->start();

// Applies the per-domain overrides from $opt['domain'][<current domain>]
// (page style, cookie domain) to the globals $style and $opt, then hands the
// resulting $opt to set_common_domain_config().
function load_domain_settings()
{
    global $opt, $style;

    $domain = $opt['page']['domain'];
    if (isset($opt['domain'][$domain]['style'])) {
        $style = $opt['domain'][$domain]['style'];
    }
    if (isset($opt['domain'][$domain]['cookiedomain'])) {
        $opt['cookie']['domain'] = $opt['domain'][$domain]['cookiedomain'];
    }
    set_common_domain_config($opt);
}

// get the language from a given shortage
// on success return the name, otherwise false
function db_LanguageFromShort($langcode)
function sql_internal($_dblink, $sql, $bSlave)
{
    // Executes $sql on $_dblink after substituting its &-placeholders
    // (older, mb_*-based variant of the query builder).
    //
    // Placeholder forms handled below:
    //   &N    (digits)   -> N-th extra argument (1-based). A numeric value is interpolated
    //                       verbatim; a string value is accepted only when wrapped in '...'
    //                       or `...` (both escaped with sql_escape()), otherwise sql_error().
    //                       A missing argument becomes NULL (a surrounding '' is dropped).
    //   &name (alnum)    -> $sql_replacements[name], inserted verbatim; unknown -> sql_error().
    //   \&               -> literal '&' (unescaped in a second pass at the end).
    //
    // Extra arguments come from func_get_args(); alternatively the fourth argument may be
    // one numerically indexed array holding all values.
    // $bSlave is only forwarded to the debugger. Returns the mysql_query() result;
    // a failed query is reported through sql_error().
    global $opt;
    global $sql_debug, $sql_warntime;
    global $sql_replacements;
    global $sqlcommands;
    global $dblink_slave;

    $args = func_get_args();
    unset($args[0], $args[1], $args[2]);

    /* as an option, you can give as second parameter an array
     * with all values for the placeholder. The array has to be
     * with numeric indizes. */
    if (isset($args[3]) && is_array($args[3])) {
        $tmp_args = $args[3];
        unset($args);
        // correct indizes: placeholders are 1-based, so shift the values by one and drop index 0
        $args = array_merge([0], $tmp_args);
        unset($tmp_args);
        unset($args[0]);
    }

    $sqlpos = 0;          // first position of $sql not yet copied into $filtered_sql
    $filtered_sql = '';

    // walk $sql front to back and replace every &x
    $nextarg = mb_strpos($sql, '&');
    while ($nextarg !== false) {
        // does this & need replacing, or is it escaped? count the backslashes in front of it
        // NOTE(review): the bound "> 0" never inspects index 0, so a backslash at the very
        // start of $sql is not counted as an escape — confirm whether that is intended.
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }

        if ($escapesCount % 2 == 1) {
            // odd number of backslashes: escaped, leave it for the second pass
            $nextarg++;
        } else {
            $nextchar = mb_substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                $arglength = 0;
                $arg = '';
                // find the next non-digit character
                while (mb_ereg_match('^[0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }

                // ok ... replace
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                // $sqlpos now points at the last digit; $sqlpos - $arglength - 1 is the
                // character before the '&', $sqlpos + 1 the character after the digits
                $sqlpos = $nextarg + $arglength;

                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        // numeric values go in verbatim and unquoted; is_numeric() is what
                        // keeps them from carrying any SQL syntax
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                            $filtered_sql .= sql_escape($args[$arg]);
                        } elseif (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '`' && mb_substr($sql, $sqlpos + 1, 1) == '`') {
                            // NOTE(review): a backtick-delimited identifier is escaped with
                            // sql_escape() (the string-literal escaper); the newer sql_internal
                            // on this page uses sql_escape_backtick() for this case — confirm
                            // which escaping the identifier context actually needs.
                            $filtered_sql .= sql_escape($args[$arg]);
                        } else {
                            // a string argument outside '...' / `...` is refused rather than interpolated
                            // (presumably sql_error() aborts; if it returns, the loop just continues)
                            sql_error();
                        }
                    }
                } else {
                    // NULL
                    if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                        // drop the quote and insert NULL
                        $filtered_sql = mb_substr($filtered_sql, 0, mb_strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                $sqlpos++;
            } else {
                $arglength = 0;
                $arg = '';
                // find the next non-alphanumeric character
                while (mb_ereg_match('^[a-zA-Z0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }

                // ok ... replace
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);

                if (isset($sql_replacements[$arg])) {
                    // inserted verbatim (no quoting or escaping): $sql_replacements must
                    // contain ready-to-use SQL fragments from configuration only
                    $filtered_sql .= $sql_replacements[$arg];
                } else {
                    sql_error();
                }

                $sqlpos = $nextarg + $arglength + 1;
            }
        }

        $nextarg = mb_strpos($sql, '&', $nextarg + 1);
    }

    // append the rest
    $filtered_sql .= mb_substr($sql, $sqlpos);

    // replace \& with &
    $nextarg = mb_strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }

        if ($escapesCount % 2 == 0) {
            // replace \& with &
            $filtered_sql = mb_substr($filtered_sql, 0, $nextarg) . '&' . mb_substr($filtered_sql, $nextarg + 2);
            $nextarg--;
        }

        $nextarg = mb_strpos($filtered_sql, '\\&', $nextarg + 2);
    }

    //
    // ok ... filtered_sql is ready now
    //

    /* todo:
       - error logging
       - LIMIT
       - possibly block DROP/DELETE */

    if (isset($sql_debug) && $sql_debug == true) {
        require_once $opt['rootpath'] . 'lib/sqldebugger.inc.php';
        $result = sqldbg_execute($filtered_sql, $bSlave);
        if ($result === false) {
            sql_error();
        }
    } else {
        // measure execution time
        $cSqlExecution = new CBench();
        $cSqlExecution->start();

        $result = mysql_query($filtered_sql, $_dblink);
        if ($result === false) {
            sql_error();
        }

        $cSqlExecution->stop();
        // slow-query warning once the configured threshold is exceeded
        if ($sql_warntime > 0 && $cSqlExecution->diff() > $sql_warntime) {
            $ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
            sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
        }
    }

    return $result;
}
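function sqldbg_execute($sql, $bSlave)
{
    // Runs $sql through the HTML SQL debugger: prints the statement, a preview of
    // the first 25 result rows plus EXPLAIN EXTENDED output (for statements that can
    // be reduced to a SELECT), then executes the statement on the global $dblink and
    // prints error messages, runtime and affected rows. All output is wrapped in
    // SQL comment markers so the page can be copied as a script.
    //
    // $sql     the fully substituted query text
    // $bSlave  whether the query was meant for the slave (affects markup only)
    // Returns the mysql_query() result (resource/true, or false on error).
    //
    // Changes vs. the previous version: the EXPLAIN query now runs on $dblink like
    // every other query here (it used the default link), result sets are only read
    // when the query succeeded and are always freed, the nested else/if ladder is a
    // flat elseif chain, NULL is no longer shown for empty strings, and the unused
    // $usebr local is gone.
    global $dblink;
    global $sqldbg_cmdNo;
    global $sqldbg_sumTimes;

    $sqldbg_cmdNo++;

    echo '<p class="sqlno"><span class="white">/*</span> SQL command ' . $sqldbg_cmdNo . ' ';
    if ($bSlave) {
        echo '<span class="slave_title">(slave)</span>';
    }
    echo '<span class="white">*/</span>';
    echo '</p>';

    echo '<p class="sqlcommand">';
    if ($bSlave) {
        echo '<span class="slave_sql">';
    }
    // the query text may contain user-supplied values, so it is HTML-escaped before echoing
    echo htmlspecialchars($sql, ENT_COMPAT, 'UTF-8');
    if ($bSlave) {
        echo '</span>';
    }
    echo ' ;</p>';

    echo '<div class="comments"><div class="white">/*</div><br>';

    // Explains: presumably sqldbg_strip_from()/sqldbg_strip_temptable() reduce the
    // statement to its SELECT part; DDL and plain DML are not explained at all
    $bUseExplain = true;
    $sqlexplain = $sql;

    if (mb_strtoupper(mb_substr($sqlexplain, 0, 6)) == 'ALTER ') {
        $bUseExplain = false;
    } elseif (mb_strtoupper(mb_substr($sqlexplain, 0, 7)) == 'DELETE ') {
        $sqlexplain = sqldbg_strip_from($sqlexplain);
    } elseif (mb_strtoupper(mb_substr($sqlexplain, 0, 12)) == 'INSERT INTO ' || mb_strtoupper(mb_substr($sqlexplain, 0, 19)) == 'INSERT IGNORE INTO ') {
        $sqlexplain = sqldbg_strip_temptable($sqlexplain);
        if ($sqlexplain == '') {
            $bUseExplain = false;
        }
    } elseif (mb_strtoupper(mb_substr($sqlexplain, 0, 7)) == 'INSERT ') {
        $bUseExplain = false;
    } elseif (mb_strtoupper(mb_substr($sqlexplain, 0, 7)) == 'UPDATE ') {
        $bUseExplain = false;
    } elseif (mb_strtoupper(mb_substr($sqlexplain, 0, 11)) == 'DROP TABLE ') {
        $bUseExplain = false;
    } elseif (mb_strtoupper(mb_substr($sqlexplain, 0, 23)) == 'CREATE TEMPORARY TABLE ') {
        $sqlexplain = sqldbg_strip_temptable($sqlexplain);
        if ($sqlexplain == '') {
            $bUseExplain = false;
        }
    }

    if ($bUseExplain) {
        // preview of the result set (header row plus at most 25 data rows)
        $rs = mysql_query($sqlexplain, $dblink);
        if ($rs !== false) {
            echo '<div class="selrows">Number of selected rows: ' . mysql_num_rows($rs) . '</div>';
            echo '<table class="firstresultrow" border="1">';
            $bFirstLine = true;
            $nLine = 0;
            while ($r = sql_fetch_assoc($rs)) {
                $nLine++;
                if ($bFirstLine) {
                    echo '<tr>' . "\n";
                    foreach ($r as $field => $value) {
                        echo '<th>' . htmlspecialchars($field, ENT_COMPAT, 'UTF-8') . '</th>' . "\n";
                    }
                    echo '</tr>' . "\n";
                    echo '<tr>';
                } else {
                    echo '<tr class="result">';
                }
                foreach ($r as $value) {
                    // only SQL NULL is rendered as NULL; an empty string stays empty
                    echo '<td>' . htmlspecialchars($value !== null ? $value : 'NULL', ENT_COMPAT, 'UTF-8') . '</td>';
                }
                echo '</tr>' . "\n";
                if ($nLine == 25) {
                    break;
                }
                $bFirstLine = false;
            }
            echo '</table>';
            mysql_free_result($rs);
        }

        // EXPLAIN on the same link the query itself will run on
        $rs = mysql_query('EXPLAIN EXTENDED ' . $sqlexplain, $dblink);
        if ($rs !== false) {
            echo '<table class="explain" border="1">';
            $bFirstLine = true;
            while ($r = sql_fetch_assoc($rs)) {
                if ($bFirstLine) {
                    echo '<tr>';
                    foreach ($r as $field => $value) {
                        echo '<th>' . htmlspecialchars($field, ENT_COMPAT, 'UTF-8') . '</th>';
                    }
                    echo '</tr>' . "\n";
                    $bFirstLine = false;
                }
                echo '<tr>';
                foreach ($r as $value) {
                    // a "*/" inside an EXPLAIN value would close the surrounding SQL comment early
                    echo '<td>' . htmlspecialchars($value !== null ? mb_ereg_replace('\\*/', '* /', $value) : 'NULL', ENT_COMPAT, 'UTF-8') . '</td>';
                }
                echo '</tr>' . "\n";
            }
            echo '</table>';
            mysql_free_result($rs);
        }
    }

    // dont use query cache!
    $sql = sqldbg_insert_nocache($sql);

    $bSqlExecution = new CBench();
    $bSqlExecution->start();
    $rsResult = mysql_query($sql, $dblink);
    $bError = ($rsResult === false);
    $bSqlExecution->stop();

    $sqldbg_sumTimes += $bSqlExecution->Diff();

    if ($bError) {
        echo '<div class="error">Error while executing SQL command!</div>';
        echo '<div class="errormsg">';
        echo '<table>';
        $rs = mysql_query('SHOW WARNINGS', $dblink);
        if ($rs !== false) {
            while ($r = sql_fetch_assoc($rs)) {
                echo '<tr><td>' . htmlspecialchars($r['Message'], ENT_COMPAT, 'UTF-8') . '</td></tr>';
            }
            mysql_free_result($rs);
        }
        echo '</table>';
        echo '</div>';
    }

    echo '<div class="runtime">Runtime: ' . sprintf('%01.5f', $bSqlExecution->Diff()) . ' sek.</div>';
    echo '<div class="affectedrows">Number of affected rows: ' . mysql_affected_rows($dblink) . '</div>';

    echo '<div class="white">*/</div></div>';

    return $rsResult;
}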