function sql_internal($dblink, $sql)
{
global $opt, $db, $sqldebugger;
$args = func_get_args();
unset($args[0]);
unset($args[1]);
/* as an option, you can give as second parameter an array
* with all values for the placeholder. The array has to be
* with numeric indizes.
*/
if (isset($args[2]) && is_array($args[2])) {
$tmp_args = $args[2];
unset($args);
// correct indizes
$args = array_merge(array(0), $tmp_args);
unset($tmp_args);
unset($args[0]);
}
$sqlpos = 0;
$filtered_sql = '';
// replace every &x in $sql with the placeholder or parameter
$nextarg = strpos($sql, '&');
while ($nextarg !== false) {
// & escaped?
$escapesCount = 0;
while ($nextarg - $escapesCount - 1 > 0 && substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
$escapesCount++;
}
if ($escapesCount % 2 == 1) {
$nextarg++;
} else {
$nextchar = substr($sql, $nextarg + 1, 1);
if (is_numeric($nextchar)) {
$arglength = 0;
$arg = '';
// find next non-digit
while (preg_match('/^[0-9]{1}/', $nextchar) == 1) {
$arg .= $nextchar;
$arglength++;
$nextchar = substr($sql, $nextarg + $arglength + 1, 1);
}
// ok ... replace
$filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);
$sqlpos = $nextarg + $arglength;
if (isset($args[$arg])) {
if (is_numeric($args[$arg])) {
$filtered_sql .= $args[$arg];
} else {
if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
$filtered_sql .= sql_escape($args[$arg]);
} elseif (substr($sql, $sqlpos - $arglength - 1, 1) == '`' && substr($sql, $sqlpos + 1, 1) == '`') {
$filtered_sql .= sql_escape_backtick($args[$arg]);
} else {
sql_error($sql);
}
}
} else {
// NULL
if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
// strip apostroph and insert NULL
$filtered_sql = substr($filtered_sql, 0, strlen($filtered_sql) - 1);
$filtered_sql .= 'NULL';
$sqlpos++;
} else {
$filtered_sql .= 'NULL';
}
}
$sqlpos++;
} else {
$arglength = 0;
$arg = '';
// find next non-alphanumeric char
// (added '_' - it is used in temptable names - following 2013/07/18)
while (preg_match('/^[a-zA-Z0-9_]{1}/', $nextchar) == 1) {
$arg .= $nextchar;
$arglength++;
$nextchar = substr($sql, $nextarg + $arglength + 1, 1);
}
// ok ... replace
$filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);
if (isset($opt['db']['placeholder'][$arg])) {
if (substr($sql, $nextarg - 1, 1) != '`') {
$filtered_sql .= '`';
}
$filtered_sql .= sql_escape_backtick($opt['db']['placeholder'][$arg]);
if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
$filtered_sql .= '`';
}
} elseif (isset($db['temptables'][$arg])) {
if (substr($sql, $nextarg - 1, 1) != '`') {
$filtered_sql .= '`';
}
$filtered_sql .= sql_escape_backtick($opt['db']['placeholder']['tmpdb']) . '`.`' . sql_escape_backtick($db['temptables'][$arg]);
if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
$filtered_sql .= '`';
}
} else {
sql_error($sql);
}
$sqlpos = $nextarg + $arglength + 1;
}
}
$nextarg = strpos($sql, '&', $nextarg + 1);
}
// append the rest
$filtered_sql .= substr($sql, $sqlpos);
// strip escapes of &
$nextarg = strpos($filtered_sql, '\\&');
while ($nextarg !== false) {
$escapesCount = 0;
while ($nextarg - $escapesCount - 1 > 0 && substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
$escapesCount++;
}
if ($escapesCount % 2 == 0) {
// strip escapes of &
$filtered_sql = substr($filtered_sql, 0, $nextarg) . '&' . substr($filtered_sql, $nextarg + 2);
$nextarg--;
}
$nextarg = strpos($filtered_sql, '\\&', $nextarg + 2);
}
//
// ok ... filtered_sql is ready for usage
//
/* todo:
- errorlogging
- LIMIT
- block DROP/DELETE
*/
if (isset($db['debug']) && $db['debug'] == true) {
require_once $opt['rootpath'] . 'lib2/sqldebugger.class.php';
$result = $sqldebugger->execute($filtered_sql, $dblink, $dblink === $db['dblink_slave'], $db['slave_server']);
if ($result === false) {
sql_error($filtered_sql);
}
} else {
// measure time
if ($opt['db']['warn']['time'] > 0) {
$cSqlExecution = new CBench();
$cSqlExecution->start();
}
$result = @mysql_query($filtered_sql, $dblink);
if ($result === false) {
sql_error($filtered_sql);
}
if ($opt['db']['warn']['time'] > 0) {
$cSqlExecution->stop();
if ($cSqlExecution->diff() > $opt['db']['warn']['time']) {
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
}
}
}
return $result;
}
public function execute($sql, $dblink, $bQuerySlave, $sServer)
{
global $db;
if (count($this->commands) >= 1000) {
$this->cancel = true;
return mysql_query($sql, $dblink);
}
$command = array();
$command['sql'] = $sql;
$command['explain'] = array();
$command['result'] = array();
$command['warnings'] = array();
$command['runtime'] = 0;
$command['affected'] = 0;
$command['count'] = -1;
$command['mode'] = $db['mode'];
$command['slave'] = $bQuerySlave;
$command['server'] = $sServer;
$command['dblink'] = '' . $dblink;
$bUseExplain = false;
$sql = trim($sql);
$sqlexplain = $sql;
if (strtoupper(substr($sqlexplain, 0, 7)) == 'DELETE ') {
$sqlexplain = $this->strip_from($sqlexplain);
} elseif (strtoupper(substr($sqlexplain, 0, 12)) == 'INSERT INTO ' || strtoupper(substr($sqlexplain, 0, 19)) == 'INSERT IGNORE INTO ') {
$sqlexplain = $this->strip_temptable($sqlexplain);
} elseif (strtoupper(substr($sqlexplain, 0, 23)) == 'CREATE TEMPORARY TABLE ') {
$sqlexplain = $this->strip_temptable($sqlexplain);
}
if (strtoupper(substr($sqlexplain, 0, 7)) == 'SELECT ') {
// we can use EXPLAIN
$c = 0;
$rs = mysql_query($sqlexplain, $dblink);
$command['count'] = sql_num_rows($rs);
while ($r = sql_fetch_assoc($rs)) {
if ($c == 25) {
break;
}
$command['result'][] = $r;
$c++;
}
sql_free_result($rs);
$rs = mysql_query('EXPLAIN EXTENDED ' . $sqlexplain, $dblink);
while ($r = sql_fetch_assoc($rs)) {
$command['explain'][] = $r;
}
sql_free_result($rs);
}
// dont use query cache!
$sql = $this->insert_nocache($sql);
$bSqlExecution = new CBench();
$bSqlExecution->start();
$rsResult = mysql_query($sql, $dblink);
$bSqlExecution->stop();
$bError = $rsResult == false;
$command['affected'] = mysql_affected_rows($dblink);
$rs = mysql_query('SHOW WARNINGS', $dblink);
while ($r = sql_fetch_assoc($rs)) {
$command['warnings'][] = $r['Message'];
}
$command['runtime'] = $bSqlExecution->Diff();
$this->commands[] = $command;
return $rsResult;
}
function tpl_BuildTemplate($dbdisconnect = true)
{
global $sql_debug, $sqldbg_cmdNo;
if (isset($sql_debug) && $sql_debug) {
if (!isset($sqldbg_cmdNo) || $sqldbg_cmdNo == 0) {
echo 'No SQL commands on this page.';
}
die;
}
//template handling vars
global $style, $stylepath, $tplname, $vars, $langpath, $locale, $opt, $oc_nodeid, $translate, $usr;
//language specific expression
global $error_pagenotexist;
//only for debbuging
global $b, $bScriptExecution;
// country dropdown
global $tpl_usercountries;
tpl_set_var('screen_css_time', filemtime($opt['rootpath'] . "resource2/" . $style . "/css/style_screen.css"));
tpl_set_var('screen_msie_css_time', filemtime($opt['rootpath'] . "resource2/" . $style . "/css/style_screen_msie.css"));
tpl_set_var('print_css_time', filemtime($opt['rootpath'] . "resource2/" . $style . "/css/style_print.css"));
if (isset($bScriptExecution)) {
$bScriptExecution->Stop();
tpl_set_var('scripttime', sprintf('%1.3f', $bScriptExecution->Diff()));
} else {
tpl_set_var('scripttime', sprintf('%1.3f', 0));
}
tpl_set_var('sponsorbottom', $opt['page']['sponsor']['bottom']);
if (isset($opt['locale'][$locale]['page']['subtitle1'])) {
$opt['page']['subtitle1'] = $opt['locale'][$locale]['page']['subtitle1'];
}
if (isset($opt['locale'][$locale]['page']['subtitle2'])) {
$opt['page']['subtitle2'] = $opt['locale'][$locale]['page']['subtitle2'];
}
tpl_set_var('opt_page_subtitle1', $opt['page']['subtitle1']);
tpl_set_var('opt_page_subtitle2', $opt['page']['subtitle2']);
tpl_set_var('opt_page_title', $opt['page']['title']);
if ($opt['logic']['license']['disclaimer']) {
if (isset($opt['locale'][$locale]['page']['license_url'])) {
$lurl = $opt['locale'][$locale]['page']['license_url'];
} else {
$lurl = $opt['locale']['EN']['page']['license_url'];
}
if (isset($opt['locale'][$locale]['page']['license'])) {
$ltext = $opt['locale'][$locale]['page']['license'];
} else {
$ltext = $opt['locale']['EN']['page']['license'];
}
$ltext = mb_ereg_replace('%1', $lurl, $ltext);
$ltext = mb_ereg_replace('{site}', $opt['page']['sitename'], $ltext);
$ld = '<p class="sidebar-maintitle">' . $translate->t('Datalicense', '', '', 0) . '</p>' . '<div style="margin:20px 0 16px 0; width:100%; text-align:center;">' . $ltext . '</div>';
tpl_set_var('license_disclaimer', $ld);
} else {
tpl_set_var('license_disclaimer', '');
}
$bTemplateBuild = new CBench();
$bTemplateBuild->Start();
//set {functionsbox}
global $page_functions, $functionsbox_start_tag, $functionsbox_middle_tag, $functionsbox_end_tag;
if (isset($page_functions)) {
$functionsbox = $functionsbox_start_tag;
foreach ($page_functions as $func) {
if ($functionsbox != $functionsbox_start_tag) {
$functionsbox .= $functionsbox_middle_tag;
}
$functionsbox .= $func;
}
$functionsbox .= $functionsbox_end_tag;
tpl_set_var('functionsbox', $functionsbox);
}
/* prepare user country selection
*/
$tpl_usercountries = [];
$rsUserCountries = sql("SELECT `countries_options`.`country`,\n IF(`countries_options`.`nodeId`='&1', 1, IF(`countries_options`.`nodeId`!=0, 2, 3)) AS `group`,\n IFNULL(`sys_trans_text`.`text`, `countries`.`name`) AS `name`\n FROM `countries_options`\n INNER JOIN `countries` ON `countries_options`.`country`=`countries`.`short`\n LEFT JOIN `sys_trans` ON `countries`.`trans_id`=`sys_trans`.`id`\n LEFT JOIN `sys_trans_text` ON `sys_trans`.`id`=`sys_trans_text`.`trans_id` AND `sys_trans_text`.`lang`='&2'\n WHERE `countries_options`.`display`=1\n ORDER BY `group` ASC,\n IFNULL(`sys_trans_text`.`text`, `countries`.`name`) ASC", $oc_nodeid, $locale);
while ($rUserCountries = sql_fetch_assoc($rsUserCountries)) {
$tpl_usercountries[] = $rUserCountries;
}
sql_free_result($rsUserCountries);
//include language specific expressions, so that they are available in the template code
include $langpath . '/expressions.inc.php';
//load main template
tpl_set_var('backgroundimage', '<div id="bg1"> </div><div id="bg2"> </div>');
tpl_set_var('bodystyle', '');
if (isset($_REQUEST['print']) && $_REQUEST['print'] == 'y') {
$sCode = read_file($stylepath . '/main_print.tpl.php');
} else {
if (isset($_REQUEST['popup']) && $_REQUEST['popup'] == 'y') {
$sCode = read_file($stylepath . '/popup.tpl.php');
} else {
$sCode = read_file($stylepath . '/main.tpl.php');
}
}
$sCode = '?>' . $sCode;
//does template exist?
if (!file_exists($stylepath . '/' . $tplname . '.tpl.php')) {
//set up the error template
$error = true;
tpl_set_var('error_msg', htmlspecialchars($error_pagenotexist, ENT_COMPAT, 'UTF-8'));
tpl_set_var('tplname', $tplname);
$tplname = 'error';
}
//read the template
$sTemplate = read_file($stylepath . '/' . $tplname . '.tpl.php');
$sCode = mb_ereg_replace('{template}', $sTemplate, $sCode);
//process translations
$sCode = tpl_do_translation($sCode);
//process the template replacements
$sCode = tpl_do_replace($sCode);
// fixing path issue
$sCode = str_replace('lib2/smarty/ocplugins/', 'src/Oc/SmartyPlugins/', $sCode);
//store the cookie
write_cookie_settings();
//send http-no-caching-header
http_write_no_cache();
// write UTF8-Header
header('Content-type: text/html; charset=utf-8');
//run the template code
eval($sCode);
//disconnect the database
if ($dbdisconnect) {
db_disconnect();
}
}
function sql_internal($_dblink, $sql, $bSlave)
{
global $opt;
global $sql_debug, $sql_warntime;
global $sql_replacements;
global $sqlcommands;
global $dblink_slave;
$args = func_get_args();
unset($args[0], $args[1], $args[2]);
/* as an option, you can give as second parameter an array
* with all values for the placeholder. The array has to be
* with numeric indizes.
*/
if (isset($args[3]) && is_array($args[3])) {
$tmp_args = $args[3];
unset($args);
// correct indizes
$args = array_merge([0], $tmp_args);
unset($tmp_args);
unset($args[0]);
}
$sqlpos = 0;
$filtered_sql = '';
// $sql von vorne bis hinten durchlaufen und alle &x ersetzen
$nextarg = mb_strpos($sql, '&');
while ($nextarg !== false) {
// muss dieses & ersetzt werden, oder ist es escaped?
$escapesCount = 0;
while ($nextarg - $escapesCount - 1 > 0 && mb_substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
$escapesCount++;
}
if ($escapesCount % 2 == 1) {
$nextarg++;
} else {
$nextchar = mb_substr($sql, $nextarg + 1, 1);
if (is_numeric($nextchar)) {
$arglength = 0;
$arg = '';
// nächstes Zeichen das keine Zahl ist herausfinden
while (mb_ereg_match('^[0-9]{1}', $nextchar) == 1) {
$arg .= $nextchar;
$arglength++;
$nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
}
// ok ... ersetzen
$filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
$sqlpos = $nextarg + $arglength;
if (isset($args[$arg])) {
if (is_numeric($args[$arg])) {
$filtered_sql .= $args[$arg];
} else {
if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
$filtered_sql .= sql_escape($args[$arg]);
} elseif (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '`' && mb_substr($sql, $sqlpos + 1, 1) == '`') {
$filtered_sql .= sql_escape($args[$arg]);
} else {
sql_error();
}
}
} else {
// NULL
if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
// Anführungszeichen weg machen und NULL einsetzen
$filtered_sql = mb_substr($filtered_sql, 0, mb_strlen($filtered_sql) - 1);
$filtered_sql .= 'NULL';
$sqlpos++;
} else {
$filtered_sql .= 'NULL';
}
}
$sqlpos++;
} else {
$arglength = 0;
$arg = '';
// nächstes Zeichen das kein Buchstabe/Zahl ist herausfinden
while (mb_ereg_match('^[a-zA-Z0-9]{1}', $nextchar) == 1) {
$arg .= $nextchar;
$arglength++;
$nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
}
// ok ... ersetzen
$filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
if (isset($sql_replacements[$arg])) {
$filtered_sql .= $sql_replacements[$arg];
} else {
sql_error();
}
$sqlpos = $nextarg + $arglength + 1;
}
}
$nextarg = mb_strpos($sql, '&', $nextarg + 1);
}
// rest anhängen
$filtered_sql .= mb_substr($sql, $sqlpos);
// \& durch & ersetzen
$nextarg = mb_strpos($filtered_sql, '\\&');
while ($nextarg !== false) {
$escapesCount = 0;
while ($nextarg - $escapesCount - 1 > 0 && mb_substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
$escapesCount++;
}
if ($escapesCount % 2 == 0) {
// \& ersetzen durch &
$filtered_sql = mb_substr($filtered_sql, 0, $nextarg) . '&' . mb_substr($filtered_sql, $nextarg + 2);
$nextarg--;
}
$nextarg = mb_strpos($filtered_sql, '\\&', $nextarg + 2);
}
//
// ok ... hier ist filtered_sql fertig
//
/* todo:
- errorlogging
- LIMIT
- DROP/DELETE ggf. blocken
*/
if (isset($sql_debug) && $sql_debug == true) {
require_once $opt['rootpath'] . 'lib/sqldebugger.inc.php';
$result = sqldbg_execute($filtered_sql, $bSlave);
if ($result === false) {
sql_error();
}
} else {
// Zeitmessung für die Ausführung
$cSqlExecution = new CBench();
$cSqlExecution->start();
$result = mysql_query($filtered_sql, $_dblink);
if ($result === false) {
sql_error();
}
$cSqlExecution->stop();
if ($sql_warntime > 0 && $cSqlExecution->diff() > $sql_warntime) {
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
}
}
return $result;
}
function sqldbg_execute($sql, $bSlave)
{
global $dblink;
global $sqldbg_cmdNo;
global $sqldbg_sumTimes;
$sqldbg_cmdNo++;
echo '<p class="sqlno"><span class="white">/*</span> SQL command ' . $sqldbg_cmdNo . ' ';
if ($bSlave) {
echo '<span class="slave_title">(slave)</span>';
}
echo '<span class="white">*/</span>';
echo '</p>';
echo '<p class="sqlcommand">';
if ($bSlave) {
echo '<span class="slave_sql">';
}
echo htmlspecialchars($sql, ENT_COMPAT, 'UTF-8');
if ($bSlave) {
echo '</span>';
}
echo ' ;</p>';
echo '<div class="comments"><div class="white">/*</div><br>';
// Explains
$bUseExplain = true;
$sqlexplain = $sql;
$usebr = false;
if (mb_strtoupper(mb_substr($sqlexplain, 0, 6)) == 'ALTER ') {
$bUseExplain = false;
} else {
if (mb_strtoupper(mb_substr($sqlexplain, 0, 7)) == 'DELETE ') {
$sqlexplain = sqldbg_strip_from($sqlexplain);
} else {
if (mb_strtoupper(mb_substr($sqlexplain, 0, 12)) == 'INSERT INTO ' || mb_strtoupper(mb_substr($sqlexplain, 0, 19)) == 'INSERT IGNORE INTO ') {
$sqlexplain = sqldbg_strip_temptable($sqlexplain);
if ($sqlexplain == '') {
$bUseExplain = false;
}
} else {
if (mb_strtoupper(mb_substr($sqlexplain, 0, 7)) == 'INSERT ') {
$bUseExplain = false;
} else {
if (mb_strtoupper(mb_substr($sqlexplain, 0, 7)) == 'UPDATE ') {
$bUseExplain = false;
} else {
if (mb_strtoupper(mb_substr($sqlexplain, 0, 11)) == 'DROP TABLE ') {
$bUseExplain = false;
} else {
if (mb_strtoupper(mb_substr($sqlexplain, 0, 23)) == 'CREATE TEMPORARY TABLE ') {
$sqlexplain = sqldbg_strip_temptable($sqlexplain);
if ($sqlexplain == '') {
$bUseExplain = false;
}
}
}
}
}
}
}
}
if ($bUseExplain == true) {
$bFirstLine = true;
$nLine = 0;
$rs = mysql_query($sqlexplain, $dblink);
echo '<div class="selrows">Number of selected rows: ' . mysql_num_rows($rs) . '</div>';
echo '<table class="firstresultrow" border="1">';
while ($r = sql_fetch_assoc($rs)) {
$usebr = true;
$nLine++;
if ($bFirstLine == true) {
echo '<tr>' . "\n";
foreach ($r as $field => $value) {
echo '<th>' . htmlspecialchars($field, ENT_COMPAT, 'UTF-8') . '</th>' . "\n";
}
echo '</tr>' . "\n";
}
if ($bFirstLine) {
echo '<tr>';
} else {
echo '<tr class="result">';
}
foreach ($r as $value) {
echo '<td>' . htmlspecialchars($value != null ? $value : 'NULL', ENT_COMPAT, 'UTF-8') . '</td>';
}
echo '</tr>' . "\n";
if ($nLine == 25) {
break;
}
$bFirstLine = false;
}
echo '</table>';
mysql_free_result($rs);
echo '<table class="explain" border="1">';
$bFirstLine = true;
$rs = mysql_query('EXPLAIN EXTENDED ' . $sqlexplain);
while ($r = sql_fetch_assoc($rs)) {
if ($bFirstLine == true) {
echo '<tr>';
foreach ($r as $field => $value) {
echo '<th>' . htmlspecialchars($field, ENT_COMPAT, 'UTF-8') . '</th>';
}
echo '</tr>' . "\n";
$bFirstLine = false;
}
echo '<tr>';
foreach ($r as $value) {
echo '<td>' . htmlspecialchars($value != null ? mb_ereg_replace('\\*/', '* /', $value) : 'NULL', ENT_COMPAT, 'UTF-8') . '</td>';
}
echo '</tr>' . "\n";
}
echo '</table>';
$usebr = true;
}
// dont use query cache!
$sql = sqldbg_insert_nocache($sql);
$bSqlExecution = new CBench();
$bSqlExecution->start();
$rsResult = mysql_query($sql, $dblink);
$bError = $rsResult == false;
$bSqlExecution->stop();
$sqldbg_sumTimes += $bSqlExecution->Diff();
if ($bError == true) {
echo '<div class="error">Error while executing SQL command!</div>';
echo '<div class="errormsg">';
echo '<table>';
$rs = mysql_query('SHOW WARNINGS', $dblink);
while ($r = sql_fetch_assoc($rs)) {
echo '<tr><td>' . htmlspecialchars($r['Message'], ENT_COMPAT, 'UTF-8') . '</td></tr>';
}
echo '</table>';
echo '</div>';
}
echo '<div class="runtime">Runtime: ' . sprintf('%01.5f', $bSqlExecution->Diff()) . ' sek.</div>';
echo '<div class="affectedrows">Number of affected rows: ' . mysql_affected_rows($dblink) . '</div>';
echo '<div class="white">*/</div></div>';
return $rsResult;
}