function sql_internal($_dblink, $sql, $bSlave)
{
    global $opt;
    global $sql_debug, $sql_warntime;
    global $sql_replacements;
    global $sqlcommands;
    global $dblink_slave;
    $args = func_get_args();
    unset($args[0]);
    unset($args[1]);
    unset($args[2]);
    /* as an option, you can give as second parameter an array
     * with all values for the placeholder. The array has to be
     * with numeric indizes.
     */
    if (isset($args[3]) && is_array($args[3])) {
        $tmp_args = $args[3];
        unset($args);
        // correct indizes
        $args = array_merge(array(0), $tmp_args);
        unset($tmp_args);
        unset($args[0]);
    }
    $sqlpos = 0;
    $filtered_sql = '';
    // $sql von vorne bis hinten durchlaufen und alle &x ersetzen
    $nextarg = mb_strpos($sql, '&');
    while ($nextarg !== false) {
        // muss dieses & ersetzt werden, oder ist es escaped?
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 1) {
            $nextarg++;
        } else {
            $nextchar = mb_substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                $arglength = 0;
                $arg = '';
                // nächstes Zeichen das keine Zahl ist herausfinden
                while (mb_ereg_match('^[0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... ersetzen
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                $sqlpos = $nextarg + $arglength;
                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                            $filtered_sql .= sql_escape($args[$arg]);
                        } else {
                            if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '`' && mb_substr($sql, $sqlpos + 1, 1) == '`') {
                                $filtered_sql .= sql_escape($args[$arg]);
                            } else {
                                sql_error();
                            }
                        }
                    }
                } else {
                    // NULL
                    if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                        // Anführungszeichen weg machen und NULL einsetzen
                        $filtered_sql = mb_substr($filtered_sql, 0, mb_strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                $sqlpos++;
            } else {
                $arglength = 0;
                $arg = '';
                // nächstes Zeichen das kein Buchstabe/Zahl ist herausfinden
                while (mb_ereg_match('^[a-zA-Z0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... ersetzen
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                if (isset($sql_replacements[$arg])) {
                    $filtered_sql .= $sql_replacements[$arg];
                } else {
                    sql_error();
                }
                $sqlpos = $nextarg + $arglength + 1;
            }
        }
        $nextarg = mb_strpos($sql, '&', $nextarg + 1);
    }
    // rest anhängen
    $filtered_sql .= mb_substr($sql, $sqlpos);
    // \& durch & ersetzen
    $nextarg = mb_strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 0) {
            // \& ersetzen durch &
            $filtered_sql = mb_substr($filtered_sql, 0, $nextarg) . '&' . mb_substr($filtered_sql, $nextarg + 2);
            $nextarg--;
        }
        $nextarg = mb_strpos($filtered_sql, '\\&', $nextarg + 2);
    }
    //
    // ok ... hier ist filtered_sql fertig
    //
    /* todo:
    			- errorlogging
    			- LIMIT
    			- DROP/DELETE ggf. blocken
    		*/
    if (isset($sql_debug) && $sql_debug == true) {
        require_once $opt['rootpath'] . 'lib/sqldebugger.inc.php';
        $result = sqldbg_execute($filtered_sql, $bSlave);
        if ($result === false) {
            sql_error();
        }
    } else {
        // Zeitmessung für die Ausführung
        require_once $opt['rootpath'] . 'lib/bench.inc.php';
        $cSqlExecution = new Cbench();
        $cSqlExecution->start();
        $result = mysql_query($filtered_sql, $_dblink);
        if ($result === false) {
            sql_error();
        }
        $cSqlExecution->stop();
        if ($sql_warntime > 0 && $cSqlExecution->diff() > $sql_warntime) {
            $ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
            sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
        }
    }
    return $result;
}
Ejemplo n.º 2
0
function sql_internal($dblink, $sql)
{
    global $opt, $db, $sqldebugger;
    $args = func_get_args();
    unset($args[0]);
    unset($args[1]);
    /* as an option, you can give as second parameter an array
     * with all values for the placeholder. The array has to be
     * with numeric indizes.
     */
    if (isset($args[2]) && is_array($args[2])) {
        $tmp_args = $args[2];
        unset($args);
        // correct indizes
        $args = array_merge(array(0), $tmp_args);
        unset($tmp_args);
        unset($args[0]);
    }
    $sqlpos = 0;
    $filtered_sql = '';
    // replace every &x in $sql with the placeholder or parameter
    $nextarg = strpos($sql, '&');
    while ($nextarg !== false) {
        // & escaped?
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 1) {
            $nextarg++;
        } else {
            $nextchar = substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                $arglength = 0;
                $arg = '';
                // find next non-digit
                while (preg_match('/^[0-9]{1}/', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace
                $filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);
                $sqlpos = $nextarg + $arglength;
                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
                            $filtered_sql .= sql_escape($args[$arg]);
                        } elseif (substr($sql, $sqlpos - $arglength - 1, 1) == '`' && substr($sql, $sqlpos + 1, 1) == '`') {
                            $filtered_sql .= sql_escape_backtick($args[$arg]);
                        } else {
                            sql_error($sql);
                        }
                    }
                } else {
                    // NULL
                    if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
                        // strip apostroph and insert NULL
                        $filtered_sql = substr($filtered_sql, 0, strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                $sqlpos++;
            } else {
                $arglength = 0;
                $arg = '';
                // find next non-alphanumeric char
                // (added '_' - it is used in temptable names - following 2013/07/18)
                while (preg_match('/^[a-zA-Z0-9_]{1}/', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace
                $filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);
                if (isset($opt['db']['placeholder'][$arg])) {
                    if (substr($sql, $nextarg - 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                    $filtered_sql .= sql_escape_backtick($opt['db']['placeholder'][$arg]);
                    if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                } elseif (isset($db['temptables'][$arg])) {
                    if (substr($sql, $nextarg - 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                    $filtered_sql .= sql_escape_backtick($opt['db']['placeholder']['tmpdb']) . '`.`' . sql_escape_backtick($db['temptables'][$arg]);
                    if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                } else {
                    sql_error($sql);
                }
                $sqlpos = $nextarg + $arglength + 1;
            }
        }
        $nextarg = strpos($sql, '&', $nextarg + 1);
    }
    // append the rest
    $filtered_sql .= substr($sql, $sqlpos);
    // strip escapes of &
    $nextarg = strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 0) {
            // strip escapes of &
            $filtered_sql = substr($filtered_sql, 0, $nextarg) . '&' . substr($filtered_sql, $nextarg + 2);
            $nextarg--;
        }
        $nextarg = strpos($filtered_sql, '\\&', $nextarg + 2);
    }
    //
    // ok ... filtered_sql is ready for usage
    //
    /* todo:
           - errorlogging
           - LIMIT
           - block DROP/DELETE
       */
    if (isset($db['debug']) && $db['debug'] == true) {
        require_once $opt['rootpath'] . 'lib2/sqldebugger.class.php';
        $result = $sqldebugger->execute($filtered_sql, $dblink, $dblink === $db['dblink_slave'], $db['slave_server']);
        if ($result === false) {
            sql_error($filtered_sql);
        }
    } else {
        // measure time
        if ($opt['db']['warn']['time'] > 0) {
            require_once $opt['rootpath'] . 'lib2/bench.inc.php';
            $cSqlExecution = new Cbench();
            $cSqlExecution->start();
        }
        $result = @mysql_query($filtered_sql, $dblink);
        if ($result === false) {
            sql_error($filtered_sql);
        }
        if ($opt['db']['warn']['time'] > 0) {
            $cSqlExecution->stop();
            if ($cSqlExecution->diff() > $opt['db']['warn']['time']) {
                $ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
                sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
            }
        }
    }
    return $result;
}
function sql($sql)
{
    global $rootpath;
    global $sql_debug, $sql_warntime;
    global $sql_replacements;
    global $dblink, $sqlcommands;
    $args = func_get_args();
    unset($args[0]);
    $sqlpos = 0;
    $filtered_sql = '';
    // $sql von vorne bis hinten durchlaufen und alle &x ersetzen
    $nextarg = mb_strpos($sql, '&');
    while ($nextarg !== false) {
        // muss dieses & ersetzt werden, oder ist es escaped?
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 1) {
            $nextarg++;
        } else {
            $nextchar = mb_substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                $arglength = 0;
                $arg = '';
                // nächstes Zeichen das keine Zahl ist herausfinden
                while (mb_ereg_match('^[0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... ersetzen
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                $sqlpos = $nextarg + $arglength;
                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                            $filtered_sql .= sql_escape($args[$arg]);
                        } else {
                            if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '`' && mb_substr($sql, $sqlpos + 1, 1) == '`') {
                                $filtered_sql .= sql_escape($args[$arg]);
                            } else {
                                sql_error();
                            }
                        }
                    }
                } else {
                    // NULL
                    if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                        // Anführungszeichen weg machen und NULL einsetzen
                        $filtered_sql = mb_substr($filtered_sql, 0, mb_strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                $sqlpos++;
            } else {
                $arglength = 0;
                $arg = '';
                // nächstes Zeichen das kein Buchstabe/Zahl ist herausfinden
                while (mb_ereg_match('^[a-zA-Z0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... ersetzen
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                if (isset($sql_replacements[$arg])) {
                    $filtered_sql .= $sql_replacements[$arg];
                } else {
                    sql_error();
                }
                $sqlpos = $nextarg + $arglength + 1;
            }
        }
        $nextarg = mb_strpos($sql, '&', $nextarg + 1);
    }
    // rest anhängen
    $filtered_sql .= mb_substr($sql, $sqlpos);
    // \& durch & ersetzen
    $nextarg = mb_strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 0) {
            // \& ersetzen durch &
            $filtered_sql = mb_substr($filtered_sql, 0, $nextarg) . '&' . mb_substr($filtered_sql, $nextarg + 2);
            $nextarg--;
        }
        $nextarg = mb_strpos($filtered_sql, '\\&', $nextarg + 2);
    }
    //
    // ok ... hier ist filtered_sql fertig
    //
    /* todo:
        - errorlogging
        - LIMIT
        - DROP/DELETE ggf. blocken
       */
    if (isset($sql_debug) && $sql_debug == true) {
        require_once $rootpath . 'lib/sqldebugger.inc.php';
        $result = sqldbg_execute($filtered_sql);
        if ($result === false) {
            sql_error();
        }
    } else {
        // Zeitmessung für die Ausführung
        require_once $rootpath . 'lib/bench.inc.php';
        $cSqlExecution = new Cbench();
        $cSqlExecution->start();
        $result = mysql_query($filtered_sql, $dblink);
        if ($result === false) {
            sql_error();
        }
        $cSqlExecution->stop();
        if ($cSqlExecution->diff() > $sql_warntime) {
            sql_warn('execution took ' . $cSqlExecution->diff() . ' seconds');
        }
    }
    return $result;
}