// set variable to zero (a user with '$userID = 0' definitely doesn't exist) in order to prevent 'Undefined variable...' messages
// --------------------------------------------------------------------
// CONSTRUCT SQL QUERY from user input provided by any of the search forms:
// --- Form 'sql_search.php': ------------------
if ($formType == "sqlSearch") {
    // verify the SQL query specified by the user and modify it if security concerns are encountered:
    // (this function does add/remove user-specific query code as required and will fix problems with escape sequences within the SQL query)
    $query = verifySQLQuery($sqlQuery, $referer, $displayType, $showLinks);
    // function 'verifySQLQuery()' is defined in 'include.inc.php' (since it's also used by 'rss.php')
} elseif ($formType == "duplicateSearch") {
    // find duplicate records within results of the given SQL query (using settings extracted from the 'duplicateSearch' form
    // in 'duplicate_search.php') and return a modified database query that only matches these duplicate entries:
    list($sqlQuery, $displayType) = findDuplicates($sqlQuery, $originalDisplayType);
    // by passing the generated SQL query thru the 'verifySQLQuery()' function we ensure that necessary fields are added as needed:
    // (this function does add/remove user-specific query code as required and will fix problems with escape sequences within the SQL query)
    $query = verifySQLQuery($sqlQuery, $referer, $displayType, $showLinks);
    // function 'verifySQLQuery()' is defined in 'include.inc.php' (since it's also used by 'rss.php')
} elseif ($formType == "simpleSearch") {
    $query = extractFormElementsSimple($showLinks, $userID);
} elseif ($formType == "librarySearch") {
    $query = extractFormElementsLibrary($showLinks, $userID);
} elseif ($formType == "advancedSearch") {
    $query = extractFormElementsAdvanced($showLinks, $loginEmail, $userID);
} elseif ($formType == "refineSearch" or $formType == "displayOptions") {
    list($query, $displayType) = extractFormElementsRefineDisplay($tableRefs, $displayType, $originalDisplayType, $sqlQuery, $showLinks, $citeOrder, $userID);
    // function 'extractFormElementsRefineDisplay()' is defined in 'include.inc.php' since it's also used by 'users.php'
} elseif ($formType == "queryResults") {
    list($query, $displayType) = extractFormElementsQueryResults($displayType, $originalDisplayType, $showLinks, $citeOrder, $orderBy, $userID, $sqlQuery, $referer, $recordSerialsArray, $recordsSelectionRadio);
} elseif ($formType == "extractSearch") {
    $query = extractFormElementsExtract($showLinks, $citeOrder, $userID);
} elseif ($formType == "myRefsSearch") {
}
// --------------------------------------------------------------------
// If we made it here, then the script was called with all required parameters (which, currently, is just the 'where' parameter :)
// CONSTRUCT SQL QUERY:
// Note: the 'verifySQLQuery()' function that gets called below will add the user specific fields to the 'SELECT' clause and the
// 'LEFT JOIN...' part to the 'FROM' clause of the SQL query if a user is logged in. It will also add 'orig_record', 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns
// as required. Therefore it's sufficient to provide just the plain SQL query here:
// Assemble the bare SELECT for the RSS feed. 'buildSELECTclause()' (include.inc.php) supplies the
// column list; 'verifySQLQuery()' below adds the user-specific columns/joins and the 'orig_record',
// 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns as required, so nothing more is needed here.
// Records are ordered so that newly added/edited entries come first.
$sqlQuery = buildSELECTclause("RSS", "1", "", false, false)
          . " FROM {$tableRefs} WHERE " . $sanitizedWhereClause
          . " ORDER BY created_date DESC, created_time DESC, modified_date DESC, modified_time DESC, serial DESC";

// The WHERE clause originates from the request's 'where' parameter and is spliced in verbatim, so a
// caller can hand us an arbitrary condition. The only thing standing between such a clause and other
// users' user-specific data is 'verifySQLQuery()' (include.inc.php), which strips/repairs user-specific
// query code and escape sequences -- which is why its result, not $sqlQuery, is what gets executed.
$query = verifySQLQuery($sqlQuery, "", "RSS", "1");

// 'verifySQLQuery()' does not throw; it reports problems (e.g., a user who is NOT logged in asking for
// user-specific fields) by storing a message in the 'HeaderString' session variable, so that variable
// is the error signal that must be checked before anything is run against the database:
if (isset($_SESSION['HeaderString'])) {
    // let the main page ('index.php') render the stored message, and stop processing the feed request here
    header("Location: index.php");
    exit;
    // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}

// --------------------------------------------------------------------
// (1) OPEN CONNECTION, (2) SELECT DATABASE -- 'connectToMySQLDatabase()' lives in 'include.inc.php'
connectToMySQLDatabase();

// --------------------------------------------------------------------
// (3) RUN the verified query on the database through that connection:
$result = queryMySQLDatabase($query);