escape_string() public method

SQL statement escaping (SQL指令安全过滤): escapes the characters in $str that would otherwise terminate or alter an SQL string literal, so the value can be embedded in a query. The result is NOT quoted — every call site below wraps it in single quotes — and it must only ever be used inside a quoted literal; escaping a bare value (e.g. a numeric comparison without quotes) does not make it safe. Prefer parameterised queries where the driver offers them.
public escape_string ( string $str ) : string
$str string the raw value to be embedded in an SQL string literal
return string the escaped value, without surrounding quotes
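 /**
  * Return ID of currently logged in user or NULL if no user is logged in.
  *
  * The login state comes from the OC cookie (its name is Settings 'OC_COOKIE_NAME'),
  * whose value is base64 + PHP serialize() of an array holding a 'sessionid'. That
  * session id is resolved through sys_sessions to a user row that is still active.
  * The answer is memoised per request (the cookie cannot change mid-request), so the
  * database is queried at most once; the static is assigned on every exit path so the
  * memo actually takes effect.
  *
  * @return mixed user_id as returned by Db::select_value(), or null
  */
 public static function get_user_id()
 {
     // false means "not computed yet" — null is a legitimate cached answer.
     static $cached_result = false;
     if ($cached_result !== false) {
         return $cached_result;
     }
     $cached_result = null;

     $cookie_name = Settings::get('OC_COOKIE_NAME');
     if (!isset($_COOKIE[$cookie_name])) {
         return null;
     }
     $raw = base64_decode($_COOKIE[$cookie_name]);

     // SECURITY: the cookie is fully attacker-controlled and unserialize() will
     // instantiate any class named in it (PHP object injection / gadget chains).
     // The cookie format is written by the OC site code, so it cannot be switched to
     // JSON from here; on PHP >= 7.0 we at least refuse to instantiate objects.
     // This assumes the payload is a plain array (only $OC_data['sessionid'] is read)
     // — confirm against the OC code that writes the cookie.
     if (PHP_VERSION_ID >= 70000) {
         $OC_data = unserialize($raw, array('allowed_classes' => false));
     } else {
         $OC_data = unserialize($raw);
     }
     // A tampered or garbage cookie yields false (or a scalar); treat it as "not logged in".
     if (!is_array($OC_data) || !isset($OC_data['sessionid'])) {
         return null;
     }
     $OC_sessionid = $OC_data['sessionid'];
     // Only a non-empty scalar can be a session id; arrays/objects must not reach escape_string().
     if (!is_scalar($OC_sessionid) || !$OC_sessionid) {
         return null;
     }
     // Escaped and quoted, so the session id cannot break out of the string literal.
     $cached_result = Db::select_value("\n            select sys_sessions.user_id\n            from sys_sessions, user\n            where sys_sessions.uuid = '" . Db::escape_string($OC_sessionid) . "'\n            and user.user_id = sys_sessions.user_id\n            and user.is_active_flag = 1\n        ");
     return $cached_result;
 }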
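	/**
	 * Escape a value for interpolation into a MySQL string literal.
	 *
	 * Delegates to Db::escape_string() and then to mysql_real_escape_string(); callers
	 * must still wrap the result in quotes. NOTE(review): if Db::escape_string() already
	 * applies MySQL escaping, every quote and backslash is escaped twice here — confirm
	 * against the Db class before relying on stored values round-tripping unchanged.
	 * mysql_real_escape_string() needs an open ext/mysql connection (the extension was
	 * removed in PHP 7); without one it returns false, which would otherwise be coerced
	 * to an empty string inside the SQL, so that case now fails closed instead.
	 *
	 * @param mixed $value value to escape (coerced to string)
	 * @return string escaped string, without surrounding quotes
	 * @throws \Exception when no MySQL connection is available to escape against
	 */
	static function escape_string ($value) {
		$escaped = mysql_real_escape_string(Db::escape_string($value));
		if ($escaped === false) {
			throw new \Exception("escape_string: no MySQL connection available");
		}
		return $escaped;
	}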
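 /**
  * Log detailed geocache data access
  *
  * Inserts one CACHE_ACCESS_LOGS row per geocache that has not already been logged for
  * the same consumer key, caller and user (or, for anonymous calls, the same IP address
  * and user agent) within the last hour, so repeated reads by one client are not logged
  * over and over. A no-op unless Settings 'OCPL_ENABLE_GEOCACHE_ACCESS_LOGS' is exactly
  * true and 'OC_BRANCH' is 'oc.pl'.
  *
  * Every value interpolated into the SQL below — including the client-controlled
  * REMOTE_ADDR, User-Agent and X-Forwarded-For headers — goes through Db::escape_string()
  * and is wrapped in single quotes (or emitted as the bare keyword null); that is what
  * keeps this string-built SQL safe, so keep it that way when editing.
  *
  * @param OkapiRequest $request
  * @param mixed $cache_ids An index based array of geocache ids, or a single geocache id.
  *                 The parameter MUST contain only valid, non duplicated geocache ids.
  */
 public static function log_geocache_access(OkapiRequest $request, $cache_ids)
 {
     if (Settings::get('OCPL_ENABLE_GEOCACHE_ACCESS_LOGS') !== true) {
         return;
     }
     if (Settings::get('OC_BRANCH') != 'oc.pl') {
         return;
     }

     // TODO: can we use the _SERVER global here? or should we make them abstract, and
     // pass along with request object?
     // REMOTE_ADDR is absent under CLI/tests; fall back to '' instead of raising a notice.
     $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
     $remote_addr_escaped = "'" . Db::escape_string($remote_addr) . "'";
     $has_user_agent = isset($_SERVER['HTTP_USER_AGENT']);
     $user_agent_escaped = $has_user_agent
         ? "'" . Db::escape_string($_SERVER['HTTP_USER_AGENT']) . "'" : "null";
     // X-Forwarded-For is client-supplied and unverified: it is stored for forensics
     // only and deliberately not used in the dedup match below.
     $forwarded_for_escaped = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
         ? "'" . Db::escape_string($_SERVER['HTTP_X_FORWARDED_FOR']) . "'" : "null";
     $consumer_key_escaped = "'" . Db::escape_string($request->consumer->key) . "'";
     $original_caller_escaped = "'" . Db::escape_string(self::get_original_caller()) . "'";

     $user_id = null;
     if ($request->token != null) {
         $user_id = $request->token->user_id;
     }
     $user_id_escaped = $user_id === null ? "null" : "'" . Db::escape_string($user_id) . "'";

     // Which of the requested caches already have a matching row from the last hour?
     $sql = "\n                select cache_id\n                from CACHE_ACCESS_LOGS cal\n                where\n                    cache_id " . self::cache_ids_where($cache_ids)
         . ($user_id === null ? " and cal.user_id is null" : " and cal.user_id = {$user_id_escaped}")
         . "\n                    and cal.source = 'O'\n                    and cal.event = {$original_caller_escaped}\n                    and cal.okapi_consumer_key = {$consumer_key_escaped}\n                    and date_sub(now(), interval 1 hour) < cal.event_date ";
     if ($user_id === null) {
         // Anonymous access: identify the client by address and user agent instead.
         $sql .= " and cal.ip_addr = {$remote_addr_escaped} ";
         $sql .= $has_user_agent ? " and cal.user_agent = {$user_agent_escaped} " : " and cal.user_agent is null ";
     }
     $already_logged_cache_ids = Db::select_column($sql);

     if (is_array($cache_ids)) {
         // Drop the ids already logged in the window; nothing to do if none remain.
         // (Comparing by id rather than by row count also copes with duplicate rows.)
         $pending = array_values(array_diff($cache_ids, $already_logged_cache_ids));
         if (count($pending) == 0) {
             return;
         }
     } else {
         if (count($already_logged_cache_ids) > 0) {
             return;
         }
         $pending = $cache_ids;
     }

     Db::execute("\n                insert into CACHE_ACCESS_LOGS (event_date, cache_id, user_id, source, event, ip_addr,\n                    user_agent, forwarded_for, okapi_consumer_key)\n                select\n                    now(), cache_id, {$user_id_escaped}, 'O',\n                    {$original_caller_escaped}, {$remote_addr_escaped}, {$user_agent_escaped}, {$forwarded_for_escaped},\n                    {$consumer_key_escaped}\n                from caches\n                where cache_id " . self::cache_ids_where($pending) . "\n            ");
 }

 /**
  * Build the comparison part of a "cache_id ..." WHERE condition: "= '<id>'" for a
  * single id (scalar or one-element array), or "in ('<id>','<id>',...)" for several.
  * Every id is passed through Db::escape_string() and quoted, so the fragment is safe
  * to interpolate into a query.
  *
  * @param mixed $cache_ids a single geocache id or an index based array of ids
  * @return string SQL fragment starting with the comparison operator
  */
 private static function cache_ids_where($cache_ids)
 {
     if (!is_array($cache_ids)) {
         return "= '" . Db::escape_string($cache_ids) . "'";
     }
     if (count($cache_ids) == 1) {
         return "= '" . Db::escape_string($cache_ids[0]) . "'";
     }
     $escaped = array_map(function ($id) {
         return Db::escape_string($id);
     }, $cache_ids);
     return "in ('" . implode("','", $escaped) . "')";
 }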