/**
 * Quote and escape a string for use in a PostgreSQL statement.
 *
 * The escaping call is chosen by PHP version: before 5.2 pg_escape_string()
 * takes no connection argument, before 5.4 there is no pg_escape_literal();
 * on 5.4+ pg_escape_literal() is used, which adds the surrounding quotes
 * itself. The two older branches add the quotes here.
 *
 * @param string $string raw value
 * @return string quoted SQL literal
 */
function escapeString($string)
{
    self::connect();

    $noLinkArgument = version_compare(PHP_VERSION, "5.2", "<");
    $noLiteralCall = version_compare(PHP_VERSION, "5.4", "<");

    if ($noLinkArgument) {
        return "'" . pg_escape_string($string) . "'";
    }
    if ($noLiteralCall) {
        return "'" . pg_escape_string($this->connection, $string) . "'";
    }
    return pg_escape_literal($this->connection, $string);
}
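/**
 * Insert an item row and fill in its postlink.
 *
 * @param string $name
 * @param string $description
 * @param float|string $price coerced with floatval(), so it is inlined unquoted
 * @param string $picture
 * @param string $seller
 * @param string $status
 * @return mixed result of runQuery() for the INSERT; row 0 is expected to carry 'id'
 */
function addItemToDB($name, $description, $price, $picture = "", $seller = "", $status = 'For sale')
{
    // pg_escape_literal() returns a fully quoted literal; the values must not
    // be wrapped in quotes again when interpolated below.
    $name = pg_escape_literal($name);
    $description = pg_escape_literal($description);
    $picture = pg_escape_literal($picture);
    $seller = pg_escape_literal($seller);
    $status = pg_escape_literal($status);
    $price = floatval($price);

    $query = 'INSERT INTO "items" (name,description,picture,seller,status,price) VALUES ('
        . "{$name},{$description},{$picture},{$seller},{$status},{$price}) RETURNING id;";
    $id = runQuery($query);

    // Nothing came back from RETURNING: there is no row to link, so do not
    // run an UPDATE with an empty id.
    if (!isset($id[0]['id'])) {
        return $id;
    }

    // The id comes from RETURNING, but cast it anyway so the second statement
    // only ever interpolates an integer; the link itself goes in as a literal.
    $newId = intval($id[0]['id']);
    $postlink = pg_escape_literal('/item.php?id=' . $newId);
    runQuery('UPDATE "items" SET postlink = ' . $postlink . ' WHERE id = ' . $newId);

    return $id;
}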
/**
 * Escape $data for this connection in the requested mode.
 *
 * "literal" uses pg_escape_literal() (surrounding quotes included) and
 * "bytea" uses pg_escape_bytea(); any other mode, presumably including the
 * default self::STRING, uses pg_escape_string() and adds no quotes.
 *
 * @param string $data
 * @param string $mode
 * @return string
 */
public function esc($data, $mode = self::STRING)
{
    // Loose comparison on purpose: same matching as the switch it replaces.
    if ($mode == "literal") {
        return pg_escape_literal($this->connection, $data);
    }
    if ($mode == "bytea") {
        return pg_escape_bytea($this->connection, $data);
    }
    return pg_escape_string($this->connection, $data);
}
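/**
 * Set or clear the password of the album(s) in $this->albumIDs.
 *
 * An empty password clears the column (NULL); otherwise the hashed value is
 * stored. Always returns true.
 *
 * @param string $password plain-text password, may be empty
 * @return boolean
 */
private function setPassword($password)
{
    # Check dependencies
    self::dependencies(isset($this->albumIDs));

    # NOTE(review): $db is not defined in this scope in the visible code;
    # presumably a global — confirm.
    $albumId = intval($this->albumIDs);

    if (strlen($password) > 0) {
        # Get hashed password
        $password = getHashedString($password);

        # Store the hash as a quoted literal. pg_escape_literal() only adds
        # SQL quoting/escaping; the value the server stores is the exact hash
        # string, so escaping it does not alter the hash.
        $sql = "UPDATE albums SET password = " . pg_escape_literal($db, $password) . " WHERE id = " . $albumId;
        pg_query($db, $sql);
    } else {
        $sql = "UPDATE albums SET password = NULL WHERE id = " . $albumId;
        pg_query($db, $sql);
    }

    return true;
}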
/**
 * Render a PHP value as a PostgreSQL literal.
 *
 * NULL, FALSE and TRUE become the bare SQL keywords; anything else is passed
 * to pg_escape_literal() on the default connection (quotes included).
 *
 * @param mixed $value
 * @return string
 */
function escape_literal($value)
{
    if (is_null($value)) {
        return "NULL";
    }
    if (is_bool($value)) {
        return $value ? "TRUE" : "FALSE";
    }
    return pg_escape_literal($value);
}
$regmsg = "An error occurred with the database.\n"; } else { $insrow = pg_fetch_row($insert); $_SESSION["managerID"] = $insrow[0]; smartRedirect("tasks.php"); } } } else { $regmsg = "One or more of your inputs were incorrect!"; } } if (isset($_POST["signin"])) { $emailsign = $_POST["emailsign"]; $passsign = $_POST["passsign"]; if (filter_var($emailsign, FILTER_VALIDATE_EMAIL) !== false && preg_match("[a-zA-Z0-9@#\$%^&*_-!?<>]", $passsign) !== false) { $filtemailsign = pg_escape_literal($emailsign); $select = pg_query($db, "SELECT id,email,password FROM managers where email={$filtemailsign}"); if (!$select) { $signmsg = "An error occurred with the database."; } if ($row = pg_fetch_row($select)) { if (password_verify($passsign, $row[2]) !== false) { $_SESSION["managerID"] = $row[0]; smartRedirect("tasks.php"); } else { $signmsg = "Wrong password of manager!"; } } else { $signmsg = "No manager with such name exists!"; } } else {
if ($data === pg_unescape_bytea($row['bin'])) { echo "pg_escape_bytea() actually works with database\n"; break; } elseif (!$i) { // Force bytea escaping and retry @pg_query($db, "SET bytea_output = 'escape'"); } else { $result = pg_query($db, $sql); echo "pg_escape_bytea() is broken\n"; break; } } // pg_escape_literal/pg_escape_identifier $before = "ABC\\ABC\\'"; $expect = " E'ABC\\\\ABC\\\\'''"; $after = pg_escape_literal($before); if ($expect === $after) { echo "pg_escape_literal() is Ok\n"; } else { echo "pg_escape_literal() is NOT Ok\n"; var_dump($before); var_dump($after); var_dump($expect); } $before = "ABC\\ABC\\'"; $expect = "\"ABC\\ABC\\'\""; $after = pg_escape_identifier($before); if ($expect === $after) { echo "pg_escape_identifier() is Ok\n"; } else { echo "pg_escape_identifier() is NOT Ok\n";
/**
 * "Smart" Escape String
 *
 * Escapes data based on type: strings (and objects with __toString) go
 * through pg_escape_literal() on PHP >= 5.4.4, booleans become TRUE/FALSE,
 * and everything else is delegated to the parent driver.
 *
 * @param string $str
 * @return mixed
 */
public function escape($str)
{
    $stringable = is_object($str) && method_exists($str, '__toString');

    if (is_php('5.4.4') && (is_string($str) || $stringable)) {
        return pg_escape_literal($this->conn_id, $str);
    }
    if (is_bool($str)) {
        return $str ? 'TRUE' : 'FALSE';
    }
    return parent::escape($str);
}
/**
 * Quote and escape a text value for the wrapped connection.
 *
 * @param string $literal
 *
 * @return string complete SQL literal, surrounding quotes included
 */
public function escapeLiteral($literal)
{
    $handler = $this->handler;
    return pg_escape_literal($handler, $literal);
}
/**
 * Escape strings array
 *
 * Builds a parenthesised, comma-separated list of quoted literals, e.g. for
 * an SQL IN (...) clause. Every element is cast to string before escaping.
 * An empty array yields "()".
 *
 * @param array $array
 * @return string
 */
public function instr(array $array)
{
    $quoted = array();
    foreach ($array as $value) {
        $quoted[] = pg_escape_literal((string) $value);
    }
    return sprintf('(%s)', implode(',', $quoted));
}
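/**
 * Insert one row into $tablename.
 *
 * Column names go through pg_escape_identifier(); values are rendered as
 * NULL, true/false, or a pg_escape_literal() literal (numbers are quoted too
 * and cast by the server). Array values are rejected.
 *
 * @param string $tablename
 * @param array $record column => value; an empty array inserts DEFAULT VALUES
 * @return mixed result of $this->query()
 * @throws DatabaseException on an array value, or when the insert did not affect exactly one row
 */
public function insert($tablename, array $record)
{
    assert(is_string($tablename));
    assert(strlen($tablename) > 0);

    $table = pg_escape_identifier($tablename);

    // Early exit when creating a row with all default values
    if (count($record) === 0) {
        return $this->query('INSERT INTO ' . $table . ' DEFAULT VALUES');
    }

    $columns = array();
    $values = array();
    foreach ($record as $key => $field) {
        $columns[] = pg_escape_identifier($key);
        if (is_null($field)) {
            $values[] = 'NULL';
        } elseif (is_bool($field)) {
            // Check for boolean and convert to SQL true or false
            $values[] = $field ? 'true' : 'false';
        } elseif (is_array($field)) {
            throw new DatabaseException('Insert can not handle array types');
        } else {
            $values[] = pg_escape_literal($field);
        }
    }

    $result = $this->query(
        'INSERT INTO ' . $table . ' (' . implode(',', $columns) . ') VALUES (' . implode(',', $values) . ')'
    );
    if ($result->affected_rows() != 1) {
        throw new DatabaseException('Expected a single row inserted');
    }
    return $result;
}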
/**
 * Quote and escape a string for PostgreSQL on the default connection.
 *
 * @param string $string
 * @return string literal including the surrounding quotes
 */
function escape($string)
{
    $literal = pg_escape_literal($string);
    return $literal;
}
} else { $editmsg = "One or more of your inputs were incorrect!"; } } // Code to add a task if (isset($_POST["addLink"])) { $addcheck = 0; $addtitle = $_POST["addtitle"]; $addmember = $_POST["addmem"]; $addstart = $_POST["addstart"]; $addend = $_POST["addend"]; if (preg_match("[a-zA-Z- ]", $addtitle) !== false && $_POST["addend"] > $_POST["addstart"]) { $filttitle = pg_escape_literal($addtitle); $filtstart = pg_escape_literal($addstart); $filtend = pg_escape_literal($addend); $filtmem = pg_escape_literal($addmember); $select = pg_query($db, "SELECT title FROM tasks where title={$filttitle}"); if ($row = pg_fetch_row($select)) { $addmsg = "Task with that title already exists"; } else { $addcheck = 1; $insert = pg_query($db, "INSERT into tasks (title,startdate,enddate,status) \n\t\t\t\tVALUES ({$filttitle},{$filtstart},{$filtend}, 1) RETURNING id"); $insrow = pg_fetch_row($insert); $insert = pg_query($db, "INSERT into taskmembers (task_id,member_id) \n\t\t\t\tVALUES ('{$insrow['0']}',{$filtmem})"); $addmsg = "Task added successfully"; } } else { $addmsg = "One or more of your inputs were incorrect!"; } } echo '<div class="mid">';
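<?php
include 'assets/class.php';

// Read the parameter defensively so a request without news_id does not raise
// an undefined-index notice; pg_escape_literal() adds the quotes itself.
$news_id = pg_escape_literal(isset($_GET['news_id']) ? $_GET['news_id'] : '');

// Not yet implemented in Cobol back-end
// pg_query("DELETE FROM tbl_news WHERE news_id = $news_id LIMIT 1");

$Success->set("Emma, Jessica, Peter och Bertil");
header('location: index.php');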
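/**
 * Substitute positional "?" placeholders with escaped values.
 *
 * For every query part handed over by modifyQuery(), each "?" is replaced by
 * the next element of $params, rendered by its PHP type: booleans as 0/1,
 * integers and doubles verbatim, NULL as NULL, anything else escaped for
 * $this->mode. PostgreSQL/Redshift literals are quoted by
 * pg_escape_literal(); for the other modes the quotes are added here.
 *
 * @param string $query
 * @param mixed $params list of values; anything but an array leaves the query untouched
 * @return string
 */
protected function prepareQuery($query, $params)
{
    if (!is_array($params)) {
        return $query;
    }

    reset($params);
    $this->modifyQuery($query, function ($part) use (&$params) {
        $newPart = "";
        // strpos() returns 0 for a leading "?", which is falsy: compare with
        // false explicitly so a placeholder at the start of a part is not skipped.
        while (($pos = strpos($part, "?")) !== false) {
            $newPart .= substr($part, 0, $pos);
            $part = substr($part, $pos + 1);
            $value = current($params);
            next($params);
            switch (gettype($value)) {
                case "boolean":
                    $value = (int) $value;
                    break;
                case "integer":
                case "double":
                    break;
                case "NULL":
                    $value = "NULL";
                    break;
                default:
                    // NOTE(review): an unrecognised mode reaches the quoting step
                    // below with the raw, unescaped value.
                    switch ($this->mode) {
                        case "mysql":
                            $value = $this->server->real_escape_string($value);
                            break;
                        case "postgres":
                        case "redshift":
                            $value = pg_escape_literal($this->server, $value);
                            break;
                        case "sqlite":
                            $value = $this->server->escapeString($value);
                            break;
                        case "mssql":
                        case "odbc":
                            $value = str_replace("'", "''", $value);
                            break;
                    }
                    # Postgres does its own quoting
                    if (!in_array($this->mode, ["postgres", "redshift"], true)) {
                        $value = "'" . $value . "'";
                    }
                    break;
            }
            $newPart .= $value;
        }
        return $newPart . $part;
    });

    return $query;
}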
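/**
 * Delete the photos in $this->photoIDs together with their files.
 *
 * The big, medium, thumb and thumb@2x files are removed only when no other
 * photo shares the checksum (see exists()); the database row is always
 * removed.
 *
 * @return boolean true on success, false as soon as one unlink() fails
 */
public function delete()
{
    # Check dependencies
    self::dependencies(isset($this->photoIDs));

    # NOTE(review): $db is not defined in this scope in the visible code;
    # presumably a global — confirm.

    # Get photos
    # $this->photoIDs is interpolated as-is; assumed to be a validated,
    # comma-separated id list — confirm with the callers.
    $sql = "SELECT id, url, thumbUrl, checksum FROM photos WHERE id IN (" . $this->photoIDs . ")";
    $res = pg_query($db, $sql);

    while ($photo = pg_fetch_array($res)) {
        if ($this->exists($photo['checksum'], $photo['id']) === false) {
            # Get retina thumb url
            $thumbUrl2x = explode(".", $photo['thumbUrl']);
            $thumbUrl2x = $thumbUrl2x[0] . '@2x.' . $thumbUrl2x[1];

            # Delete big, medium, thumb and thumb@2x; stop at the first failed unlink
            $files = array(
                LYCHEE_UPLOADS_BIG . $photo['url'],
                LYCHEE_UPLOADS_MEDIUM . $photo['url'],
                LYCHEE_UPLOADS_THUMB . $photo['thumbUrl'],
                LYCHEE_UPLOADS_THUMB . $thumbUrl2x,
            );
            foreach ($files as $file) {
                if (file_exists($file) && !unlink($file)) {
                    pg_free_result($res);
                    return false;
                }
            }
        }

        # Delete db entry. pg_fetch_array() returns an array, so the id is
        # $photo['id'] — the object syntax used before never resolved.
        $sql = "DELETE FROM photos WHERE id = " . pg_escape_literal($photo['id']);
        pg_query($db, $sql);
    }

    pg_free_result($res);
    return true;
}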
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string); //execute post $result = curl_exec($ch); if ($result === false) { $Error->set("Kan ej kontakta servern: {$url}"); } // We dont really know status (TODO implement) $Success->set("Betyget har nu ändrats."); //close connection curl_close($ch); // move back to main course page to re-read change header('location: course.php'); } } } elseif ($function == "addNews") { $news_title = pg_escape_literal($_POST['news_title']); $news_content = pg_escape_literal($_POST['news_content']); $news_author = pg_escape_literal($_SESSION['user_id']); if (empty($news_author) or empty($news_content) or empty($news_title)) { $Error->set("Fyll i alla fält."); header('location: index.create.php'); } else { // Not yet converted to Cobol back-end $date = date('Y-m-d'); // pg_query("INSERT INTO tbl_news (news_title, news_content, news_author, news_date) VALUES ('".$news_title."', '".$news_content."', '".$news_author."', '".$date."')") or die(pg_last_error()); // $Success->set("Nyheten har skapats."); header('location: index.php'); } } else { header('location: /index.php'); }
/**
 * Return $value as a quoted SQL literal.
 *
 * Uses pg_escape_literal() when the extension provides it; otherwise falls
 * back to escapeString() wrapped in single quotes.
 *
 * @param string $value
 * @return string
 */
public function quoteString($value)
{
    if (!function_exists('pg_escape_literal')) {
        return "'" . $this->escapeString($value) . "'";
    }
    return pg_escape_literal($this->dbConn, $value);
}
<?php include "assets/_header.php"; ?> <a href="users.php"><span class="label label-default">Tillbaka</span></a> <?php // $user_id = mysql_escape_string($_GET['user_id']); // $user_result = mysql_query("SELECT * FROM tbl_user WHERE user_id='".$user_id."' LIMIT 1"); // $user_row = mysql_fetch_assoc($user_result); $user_id = pg_escape_literal($_GET[user_id]); $user_result = pg_query("SELECT * FROM tbl_user WHERE user_id=" . $user_id . " LIMIT 1"); $user_row = pg_fetch_assoc($user_result); ?> <h1><?php echo $user_row['user_firstname'] . " " . $user_row['user_lastname']; ?> </h1> <form method="POST" action="./process.php?function=editUser&user_id=<?php echo $user_row['user_id']; ?> "> <?php $Error->show(); $Success->show(); ?> <input type="text" name="firstname" class="form-control" placeholder="Förnamn" value="<?php echo $user_row['user_firstname']; ?> "> <br> <input type="text" name="lastname" class="form-control" placeholder="Efternamn" value="<?php
/**
 * Render a PHP string as a quoted PostgreSQL literal for this connection.
 *
 * @param string $value
 * @return string literal including the surrounding quotes
 */
public function convertStringToSql($value)
{
    $connection = $this->connection;
    return pg_escape_literal($connection, $value);
}
/**
 * Set the session's application_name (PostgreSQL only).
 *
 * @param string $name
 * @return mixed 0 under MySQL (not implemented), the pg_query() result under
 *               PostgreSQL, null for any other DB_TYPE
 */
function db_set_application_name($name)
{
    if (DB_TYPE == 'postgres') {
        # pg_query_params doesn't work with SET it appears, so the value is
        # inlined as a pg_escape_literal() literal (quotes included) instead.
        $literal = pg_escape_literal($name);
        return pg_query("SET application_name = " . $literal);
    }
    if (DB_TYPE == 'mysql') {
        # not implemented
        return 0;
    }
}
} } else { $editmsg = "One or more of your inputs were incorrect!"; } } if (isset($_POST["addLink"])) { $addcheck = 0; $addemail = $_POST["addemail"]; $addfname = $_POST["addfname"]; $addsname = $_POST["addsname"]; $addpass = $_POST["addpass"]; if (filter_var($addemail, FILTER_VALIDATE_EMAIL) !== false && preg_match("[a-zA-Z- ]", $addfname) !== false && preg_match("[a-zA-Z- ]", $addsname) !== false && preg_match("[a-zA-Z0-9@#\$%^&*_-!?<>]", $addpass) !== false) { $filtemail = pg_escape_literal($addemail); $filtfirstname = pg_escape_literal($addfname); $filtsurname = pg_escape_literal($addsname); $filtpass = pg_escape_literal($addpass); $select = pg_query($db, "SELECT email FROM members where email={$filtemail}"); if ($row = pg_fetch_row($select)) { $addmsg = "Member with that email already exists"; } else { $addcheck = 1; $insert = pg_query($db, "INSERT into members (email,firstname,surname,password) \n\t\t\t\tVALUES ({$filtemail},{$filtfirstname},{$filtsurname},{$filtpass}) RETURNING id"); $addmsg = "Member added successfully"; } } else { $addmsg = "One or more of your inputs were incorrect!"; } } echo '<div class="mid">'; if (isset($_GET["search"])) { $search = $_GET["search"];
/**
 * Delete the rows of $table whose $column equals $id.
 *
 * The table name is escaped with pg_escape_identifier(), the column with
 * $this->escape_identifier(), the value with pg_escape_literal() (quotes
 * included). NOTE(review): the two identifier helpers differ — confirm
 * escape_identifier() is equivalent to the pg_* call.
 *
 * @param $table
 * @param $column
 * @param int $id
 * @return void
 */
public function delete($table, $column, $id)
{
    $sql = sprintf(
        "DELETE FROM %s WHERE %s = %s;",
        pg_escape_identifier($table),
        $this->escape_identifier($column),
        pg_escape_literal($id)
    );
    $this->query($sql);
}
/**
 * Render $value as SQL text according to $type (a self::TYPE_* constant).
 *
 * Strings use pg_escape_literal(); identifiers are escaped per dotted part
 * with pg_escape_identifier() ('*' is kept verbatim); date-times are moved
 * to the connection / simple-storage timezone before formatting; intervals
 * use the ISO-8601 duration format; blobs use pg_escape_bytea().
 *
 * @param mixed $value
 * @param mixed $type
 * @return string
 * @throws InvalidArgumentException for an unknown $type
 */
public function convertToSql($value, $type)
{
    // Loose comparisons on purpose: same matching as the switch it replaces.
    if ($type == self::TYPE_STRING) {
        return pg_escape_literal($this->connection, $value);
    }

    if ($type == self::TYPE_BOOL) {
        return $value ? 'TRUE' : 'FALSE';
    }

    if ($type == self::TYPE_IDENTIFIER) {
        $connection = $this->connection;
        $escapedParts = array_map(function ($part) use ($connection) {
            return $part === '*' ? $part : pg_escape_identifier($connection, $part);
        }, explode('.', $value));
        return implode('.', $escapedParts);
    }

    if ($type == self::TYPE_DATETIME || $type == self::TYPE_DATETIME_SIMPLE) {
        $targetTz = $type == self::TYPE_DATETIME ? $this->connectionTz : $this->simpleStorageTz;
        if ($value->getTimezone()->getName() !== $targetTz->getName()) {
            // Work on a copy so the caller's object keeps its timezone.
            $value = clone $value;
            $value->setTimezone($targetTz);
        }
        return "'" . $value->format('Y-m-d H:i:s') . "'";
    }

    if ($type == self::TYPE_DATE_INTERVAL) {
        return $value->format('P%yY%mM%dDT%hH%iM%sS');
    }

    if ($type == self::TYPE_BLOB) {
        return "'" . pg_escape_bytea($this->connection, $value) . "'";
    }

    throw new InvalidArgumentException();
}
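/**
 * Count the users registered with $email.
 *
 * @param string $email
 * @return string|int "0" when no row matches (or the query fails), otherwise the row count
 */
function email($email)
{
    // pg_escape_literal() returns the value already wrapped in single quotes,
    // so it must not be quoted again in the query (that produced ''x'').
    $literal = pg_escape_literal($email);
    $result = pg_query("SELECT email FROM users WHERE email = " . $literal);

    // pg_query() returns false on failure; do not hand that to pg_num_rows().
    if ($result === false) {
        return "0";
    }

    $num_rows = pg_num_rows($result);
    if ($num_rows < 1) {
        return "0";
    }
    return $num_rows;
}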
/**
 * escapeLiteral
 *
 * Escape a text value. The result is a complete SQL literal, surrounding
 * quotes included, for the connection returned by getHandler().
 *
 * @access public
 * @param string $string The string to be escaped
 * @return string the escaped string.
 */
public function escapeLiteral($string)
{
    $handler = $this->getHandler();
    $escaped = \pg_escape_literal($handler, $string);
    return $escaped;
}
/**
 * Persist the album sorting setting as "ORDER BY <row> <ASC|DESC>".
 *
 * $type and $order are matched against fixed lists and the matched list
 * entry — never the raw input — is what gets written, so the stored
 * statement carries no user-controlled text. Unknown values end the script.
 *
 * @param string $type  one of id, title, description, public
 * @param string $order ASC or DESC
 * @return boolean always true
 */
public function setSortingAlbums($type, $order)
{
    # Check dependencies
    self::dependencies(isset($type, $order));

    # Set row. Non-strict array_search() keeps the loose matching of the
    # switch it replaces.
    $rows = array('id', 'title', 'description', 'public');
    $rowIndex = array_search($type, $rows);
    if ($rowIndex === false) {
        exit('Error: Unknown type for sorting!');
    }

    # Set order
    $directions = array('ASC', 'DESC');
    $dirIndex = array_search($order, $directions);
    if ($dirIndex === false) {
        exit('Error: Unknown order for sorting!');
    }

    $sorting = 'ORDER BY ' . $rows[$rowIndex] . ' ' . $directions[$dirIndex];

    # Execute query
    # $sorting is built only from the fixed lists above; pg_escape_literal()
    # just turns it into a quoted value.
    # NOTE(review): $db is not defined in this scope in the visible code.
    $sql = "UPDATE settings SET \"value\"=" . pg_escape_literal($sorting) . " WHERE \"key\"='sortingAlbums'";
    pg_query($db, $sql);

    return true;
}
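BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. AUTHORS SPECIFICALLY DISCLAIM ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND AUTHORS HAVE NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.*/

/**
 * Source of untrusted input: the UserData query parameter.
 */
class Input
{
    /**
     * @return mixed raw value of $_GET['UserData']
     */
    public function getInput()
    {
        return $_GET['UserData'];
    }
}

$temp = new Input();
$tainted = $temp->getInput();
// The value is interpolated into an LDAP search filter, so it needs LDAP
// filter escaping. pg_escape_literal() is an SQL escaper: it adds its own
// single quotes and leaves the filter metacharacters ( ) * \ and NUL alone.
$tainted = ldap_escape($tainted, '', LDAP_ESCAPE_FILTER);
$query = "(&(objectCategory=person)(objectClass=user)(cn=' {$tainted} '))";
$ds = ldap_connect("localhost");
$r = ldap_bind($ds);
$sr = ldap_search($ds, "o=My Company, c=US", $query);
ldap_close($ds);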
/**
 * Escape a variable in the literal way to be compliant and Safe (against SQL Injection) with PgSQL standards.
 * This function WILL ADD the SINGLE QUOTES (') around the string as needed and will escape expressions containing backslashes \ in the postgresql way using E'' escapes.
 * This is the preferred way to escape variables inside PostgreSQL SQL Statements, and is better than escape_str().
 *
 * @param STRING $y_string :: A String or a Number to be Escaped
 * @param YES/NO $y_escape_likes :: Escape LIKE / ILIKE Syntax (% _) ; Default is NO
 * @param RESOURCE $y_connection :: the connection
 * @return STRING :: The Escaped String / Number
 *
 */
public static function escape_literal($y_string, $y_escape_likes = 'no', $y_connection = 'DEFAULT')
{
    //== resolve the connection handle (default or the one given)
    $y_connection = self::check_connection($y_connection, 'ESCAPE-LITERAL');
    //==

    //-- normalise the charset before escaping
    $text = (string) SmartUnicode::fix_charset((string) $y_string);
    //--

    //-- LIKE / ILIKE wildcards: _ = \_ ; % = \%
    if ((string) $y_escape_likes == 'yes') {
        $text = str_replace(array('_', '%'), array('\\_', '\\%'), $text);
    } //end if
    //--

    //-- quote + escape on the resolved connection; warnings are silenced with @
    //-- as before, so a false return casts to an empty string
    $escaped = (string) @pg_escape_literal($y_connection, (string) $text); // [CONN]
    //--

    return $escaped;
}