/**
 * Escapes special characters in a string for use in an SQL statement.
 *
 * Floats are normalised so the decimal separator is always a dot (a
 * locale-dependent float-to-string conversion can emit "1,5"); every other
 * value is delegated to the underlying model's escape().
 *
 * @param mixed $value
 * @return string
 */
public function escape($value)
{
    if (!is_float($value)) {
        return $this->model->escape($value);
    }

    // Cast first, then replace a possible locale comma with a dot.
    $as_number = (double) $value;

    return str_replace(',', '.', $as_number);
}
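/**
 * Builds the FROM / WHERE / ORDER BY tail of the discount-card listing query.
 *
 * The optional `discountcard` request parameter is compared with LIKE, so it
 * is escaped in LIKE mode: plain escape() leaves `%` and `_` active, which
 * would let a request value of `%` match every row instead of a single card.
 *
 * @return string
 */
protected function getSql()
{
    $model = new waModel();
    $where = array();

    $discountcard = waRequest::get('discountcard');
    if ($discountcard) {
        $where[] = "discountcard LIKE '" . $model->escape($discountcard, 'like') . "'";
    }

    $where_sql = $where ? " WHERE " . implode(" AND ", $where) : "";

    return "FROM `shop_discountcards`" . $where_sql . " ORDER BY `id` DESC";
}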
/**
 * Lists the table named exactly $prefix plus every table named "$prefix_…".
 *
 * @param string $prefix Table-name prefix; escaped in LIKE mode so `%`/`_`
 *                       in it are matched literally
 * @return array
 */
protected function getTables($prefix)
{
    // @todo: use db adapter to get tables
    $like = $this->model->escape($prefix, 'l');
    $statements = array(
        "SHOW TABLES LIKE '{$like}'",
        "SHOW TABLES LIKE '{$like}\\_%'",
    );

    $tables = array();
    foreach ($statements as $sql) {
        $found = $this->model->query($sql)->fetchAll(null, true);
        $tables = array_merge($tables, $found);
    }

    return $tables;
}
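/**
 * Contact autocomplete endpoint: fills $this->response with up to `limit`
 * contacts whose name / company / e-mail starts with the requested `term`.
 *
 * Request parameters: term (string), limit (int, default 30),
 * type ('person', 'company' or empty). A term shorter than two characters
 * leaves the response untouched.
 */
public function execute()
{
    // An absent parameter arrives as null; cast so mb_strlen() always gets a
    // string (mb_strlen(null) is deprecated on PHP 8.1+).
    $term = (string) waRequest::request('term');
    $limit = waRequest::request('limit', 30, 'int');
    if (mb_strlen($term) < 2) {
        return;
    }
    $type = waRequest::request('type', null, waRequest::TYPE_STRING_TRIM);
    $model = new waModel();

    if (strpos($term, '@') !== false) {
        // Looks like an e-mail address: use the collection's e-mail search.
        $contacts = new contactsCollection('/search/email*=' . $term);
    } else {
        $contacts = new contactsCollection();
        $cond = array();
        foreach (preg_split("/\\s+/", $term) as $t) {
            $t = trim($t);
            if (!$t) {
                continue;
            }
            // LIKE-mode escaping keeps user-typed % and _ from acting as wildcards.
            $t = $model->escape($t, 'like');
            if ($type === 'person') {
                $cond[] = "(c.firstname LIKE '{$t}%' OR c.middlename LIKE '{$t}%' OR c.lastname LIKE '{$t}%')";
            } elseif ($type === 'company') {
                $cond[] = "c.name LIKE '{$t}%'";
            } else {
                $cond[] = "(c.firstname LIKE '{$t}%' OR c.middlename LIKE '{$t}%' OR c.lastname LIKE '{$t}%' OR c.name LIKE '{$t}%')";
            }
        }
        if ($cond) {
            $contacts->addWhere(implode(" AND ", $cond));
        }
    }

    if ($type === 'person') {
        $contacts->addWhere("is_company = 0");
    } elseif ($type === 'company') {
        $contacts->addWhere("is_company = 1");
    }

    $this->response = array();
    // Escaped once; prepare() receives HTML-safe text for highlighting.
    $term_safe = htmlspecialchars($term);
    foreach ($contacts->getContacts('id,name,company,email', 0, $limit) as $c) {
        $email_raw = ifset($c['email'][0], '');
        $name = $this->prepare($c['name'], $term_safe);
        $email = $this->prepare($email_raw, $term_safe);
        $company = $this->prepare($c['company'], $term_safe);
        $this->response[] = array(
            'label'   => implode(', ', array_filter(array($name, $company, $email))),
            'value'   => $c['id'],
            'name'    => $c['name'],
            'email'   => $email_raw,
            'company' => $c['company'],
        );
    }
}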
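/**
 * Builds the FROM / WHERE / ORDER BY tail of the discount-card-per-order
 * listing query.
 *
 * Both filters are optional request parameters. `discountcard` is escaped in
 * LIKE mode so `%`/`_` cannot widen the match; `order_id` goes through
 * decodeOrderId() and is then escaped before being quoted into the statement
 * (the decoded value was previously concatenated unescaped).
 *
 * @return string
 */
protected function getSql()
{
    $model = new waModel();
    $where = array();

    $discountcard = waRequest::get('discountcard');
    if ($discountcard) {
        $where[] = "`discountcard` LIKE '" . $model->escape($discountcard, 'like') . "'";
    }

    $order_id = waRequest::get('order_id');
    if ($order_id) {
        // decodeOrderId() is defined outside this block; its result is not
        // assumed to be numeric, hence the escape.
        $order_id = $this->decodeOrderId($order_id);
        $where[] = "`order_id` = '" . $model->escape($order_id) . "'";
    }

    $where_sql = $where ? " WHERE " . implode(" AND ", $where) : "";

    return "FROM `shop_discountcards_order`" . $where_sql . " ORDER BY `order_id` DESC";
}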
/**
 * Returns the category ids a contact belongs to, always preceded by 0.
 *
 * @param int|null $contact_id Defaults to the currently logged-in user.
 * @return array
 */
public static function getUserCategoryId($contact_id = null)
{
    if ($contact_id === null) {
        $contact_id = wa()->getUser()->getId();
    }

    $model = new waModel();
    $sql = "SELECT * FROM `wa_contact_categories` WHERE `contact_id` = '" . $model->escape($contact_id) . "'";

    // 0 is always the first entry, then the ids in the order the query returns them.
    $ids = array(0);
    foreach ($model->query($sql)->fetchAll() as $row) {
        $ids[] = $row['category_id'];
    }

    return $ids;
}
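/**
 * Installer step: validates the posted MySQL settings, creates the database
 * when it does not exist yet, writes config/db.php (and a default
 * config/routing.php when none exists) and redirects to the backend.
 *
 * If db.php already exists the request is redirected immediately. Any
 * failure is reported through the 'error' view variable.
 */
public function execute()
{
    if (file_exists($this->getConfig()->getPath('config', 'db'))) {
        $this->redirect($this->getConfig()->getBackendUrl(true));
    }

    $config = waRequest::post();
    if (!$config) {
        return;
    }

    $database = $config['database'];
    $error = false;
    $model = null;

    // Connect without selecting a database first, so a missing schema can be
    // told apart from bad credentials.
    try {
        $config['database'] = null;
        $model = new waModel($config);
    } catch (waDbException $e) {
        $error = _w('Failed to connect to specified MySQL database server.');
    }
    $config['database'] = $database;

    if (!$error && !$model->database($database)) {
        try {
            // try create database
            // NOTE(review): escape() is string escaping, not identifier quoting;
            // a database name that needs backticks would still fail here.
            $sql = "CREATE DATABASE " . $model->escape($database);
            $model->exec($sql);
        } catch (waDbException $e) {
            $error = sprintf(_w('Failed to connect to the “%s” database.'), $database);
        }
    }

    if (!$error) {
        // try save config
        $file = $this->getConfig()->getPath('config');
        if (!is_writable($file)) {
            $error = sprintf(_w("Not enough access permissions to write in the folder %s"), $file);
        } elseif (!waUtils::varExportToFile(array('default' => $config), $file . '/db.php')) {
            // Name the file that actually failed to be written.
            $error = sprintf(_w("Error creating file %s"), $file . '/db.php');
        } else {
            // check routing.php
            if (!file_exists($file . '/routing.php')) {
                $domain = $this->getConfig()->getDomain();
                $routing = array();
                $has_site = false;
                foreach (wa()->getApps() as $app_id => $app) {
                    if ($app_id === 'site') {
                        $has_site = true;
                    } elseif (!empty($app['frontend'])) {
                        $routing[$domain][] = array('url' => $app_id . '/', 'app' => $app_id);
                    }
                }
                if ($has_site) {
                    // The site app gets the catch-all rule, after the app-specific ones.
                    $routing[$domain][] = array('url' => '*', 'app' => 'site');
                }
                waUtils::varExportToFile($routing, $file . '/routing.php');
            }
            // redirect to backend
            $this->redirect($this->getConfig()->getBackendUrl(true));
        }
    }

    if ($error) {
        $this->view->assign('error', $error);
    }
}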
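/**
 * Generates a URL slug that is unique within $context's table.
 *
 * The candidate is whitespace-collapsed, transliterated, truncated to $length
 * and lower-cased. If a row already holds that value in column $field, the
 * suffixes "-1" … "-99" are tried in turn; if all of those are taken as well,
 * a time-derived suffix is appended instead.
 *
 * @param string  $url      Candidate slug (may be empty)
 * @param waModel $context  Model whose table is searched for collisions
 * @param int     $counter  Out-parameter: suffix number that was used (0 if none)
 * @param int     $length   Maximum slug length in characters
 * @param string  $field    Column holding the slug
 * @return string
 */
public static function genUniqueUrl($url, $context, &$counter = 0, $length = 512, $field = 'url')
{
    $counter = 0;
    $url = preg_replace('/\\s+/', '-', $url);
    $url = shopHelper::transliterate($url);
    if (strlen($url) == 0) {
        // Nothing usable survived transliteration: fall back to a time-based value.
        $url = (time() << 24) + $counter++;
    } else {
        $url = mb_substr($url, 0, $length);
    }
    $url = mb_strtolower($url);

    // Keep 3 characters free for a "-NN" suffix so the prefix search still
    // returns every variant that the loop below can produce.
    $pattern = mb_substr($context->escape($url, 'like'), 0, $length - 3) . '%';
    // $field is used for the SELECT, the WHERE, the result key and the lookup
    // alike, so a caller passing a column other than `url` gets consistent rows.
    $sql = "SELECT `{$field}` FROM {$context->getTableName()} WHERE `{$field}` LIKE '{$pattern}' ORDER BY LENGTH(`{$field}`)";
    $alike = $context->query($sql)->fetchAll($field);

    if (is_array($alike) && isset($alike[$url])) {
        // Shortest existing value is the base the suffix is appended to.
        $last = array_shift($alike);
        $counter = 1;
        do {
            $modifier = "-{$counter}";
            $_length = mb_strlen($modifier);
            $url = mb_substr($last[$field], 0, $length - $_length) . $modifier;
        } while (isset($alike[$url]) && ++$counter < 100);

        if (isset($alike[$url])) {
            $short_uuid = (time() << 24) + $counter++;
            $_length = mb_strlen($short_uuid);
            $url = mb_substr($last[$field], 0, $length - $_length) . $short_uuid;
        }
    }

    return mb_strtolower($url);
}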
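/**
 * Autocomplete over contacts: returns up to $limit matches for $q, running
 * the cheaper "starts with" queries before the "contains" ones and stopping
 * as soon as enough distinct contacts have been collected.
 *
 * Each row is array{id, value, name, label}; `label` is HTML (highlighted
 * name, optional e-mail / phone icons, userpic).
 *
 * @param string   $q
 * @param int|null $limit Defaults to 5; coerced to int before use in SQL
 * @return array
 */
public function contactsAutocomplete($q, $limit = null)
{
    $m = new waModel();
    // LIMIT is spliced into the SQL text, so pin it to an integer rather than
    // trusting whatever the caller passed.
    $limit = $limit !== null ? (int) $limit : 5;

    // The plan is: try queries one by one (starting with fast ones),
    // until we find $limit rows total.
    $sqls = array();
    // Name starts with requested string
    $sqls[] = "SELECT c.id, c.name\n FROM wa_contact AS c\n WHERE c.name LIKE '" . $m->escape($q, 'like') . "%'\n LIMIT {LIMIT}";
    // Email starts with requested string
    $sqls[] = "SELECT c.id, c.name, e.email\n FROM wa_contact AS c\n JOIN wa_contact_emails AS e\n ON e.contact_id=c.id\n WHERE e.email LIKE '" . $m->escape($q, 'like') . "%'\n LIMIT {LIMIT}";
    // Phone contains requested string (only when $q looks like a phone number)
    if (preg_match('~^[wp0-9\\-\\+\\#\\*\\(\\)\\. ]+$~', $q)) {
        $dq = preg_replace("/[^\\d]+/", '', $q);
        $sqls[] = "SELECT c.id, c.name, d.value as phone\n FROM wa_contact AS c\n JOIN wa_contact_data AS d\n ON d.contact_id=c.id AND d.field='phone'\n WHERE d.value LIKE '%" . $m->escape($dq, 'like') . "%'\n LIMIT {LIMIT}";
    }
    // Name contains requested string
    $sqls[] = "SELECT c.id, c.name\n FROM wa_contact AS c\n WHERE c.name LIKE '_%" . $m->escape($q, 'like') . "%'\n LIMIT {LIMIT}";
    // Email contains requested string
    $sqls[] = "SELECT c.id, c.name, e.email\n FROM wa_contact AS c\n JOIN wa_contact_emails AS e\n ON e.contact_id=c.id\n WHERE e.email LIKE '_%" . $m->escape($q, 'like') . "%'\n LIMIT {LIMIT}";

    $result = array();
    // Escaped once; prepare() receives HTML-safe text for highlighting.
    $term_safe = htmlspecialchars($q);
    foreach ($sqls as $sql) {
        if (count($result) >= $limit) {
            break;
        }
        foreach ($m->query(str_replace('{LIMIT}', $limit, $sql)) as $c) {
            if (!empty($result[$c['id']])) {
                continue; // already found by an earlier, more specific query
            }
            $name = $this->prepare($c['name'], $term_safe);
            $email = $this->prepare(ifset($c['email'], ''), $term_safe);
            $phone = $this->prepare(ifset($c['phone'], ''), $term_safe);
            if ($phone) {
                $phone = '<i class="icon16 phone"></i>' . $phone;
            }
            if ($email) {
                $email = '<i class="icon16 email"></i>' . $email;
            }
            $result[$c['id']] = array(
                'id'    => $c['id'],
                'value' => $c['id'],
                'name'  => $c['name'],
                'label' => implode(' ', array_filter(array($name, $email, $phone))),
            );
            if (count($result) >= $limit) {
                break 2;
            }
        }
    }

    // Prepend the userpic to every label.
    foreach ($result as &$c) {
        $contact = new waContact($c['id']);
        $c['label'] = "<i class='icon16 userpic20' style='background-image: url(\"" . $contact->getPhoto(20) . "\");'></i>" . $c['label'];
    }
    unset($c);

    return array_values($result);
}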
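<?php
/**
 * Data migration: normalises stored phone numbers in wa_contact_data by
 * stripping "+", "-", "(", ")" and any whitespace that sits between digits.
 */
$model = new waModel();

// remove characters +-()
$model->exec("UPDATE wa_contact_data SET value = REPLACE(value, '+', '') WHERE field = 'phone' AND value LIKE '%+%'");
$model->exec("UPDATE wa_contact_data SET value = REPLACE(value, '-', '') WHERE field = 'phone' AND value LIKE '%-%'");
$model->exec("UPDATE wa_contact_data SET value = REPLACE(value, '(', '') WHERE field = 'phone' AND value LIKE '%(%'");
$model->exec("UPDATE wa_contact_data SET value = REPLACE(value, ')', '') WHERE field = 'phone' AND value LIKE '%)%'");

// remove spaces between digits
$rows = $model->query("SELECT id, value FROM wa_contact_data WHERE field='phone' AND value LIKE '% %'");
foreach ($rows as $row) {
    // Lookaround instead of capturing groups: "(\d)\s+(\d)" consumes the digit
    // after each gap, so "1 2 3" would come back as "12 3" instead of "123".
    $value = preg_replace('/(?<=\\d)\\s+(?=\\d)/', '', trim($row['value']));
    $sql = "UPDATE wa_contact_data SET value = '" . $model->escape($value) . "' WHERE id = " . (int) $row['id'];
    $model->exec($sql);
}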
/**
 * Builds the WHERE fragment for a product-name search.
 *
 * $query is LIKE-escaped, so a `%` or `_` typed by the user is matched
 * literally rather than as a wildcard.
 *
 * @param string $query
 * @return array{where: array<int, string>}
 */
public function search($query)
{
    $model = new waModel();
    $condition = "p.name LIKE '" . $model->escape($query, 'like') . "'";

    return array(
        'where' => array($condition),
    );
}