} if (!isset($global_dd[$campo]['name'])) { $global_dd[$campo]['name'] = null; } $sql_fix .= "ALTER TABLE {$data->name} ADD COLUMN " . genColumnSQL($data->dd[$campo], $dbtype, $global_dd[$campo]['name'] === $data->key) . ";\n"; } } } } else { $tables_output .= "{$green}<br/>"; } } break; case 'exec': if (isset($_REQUEST['sqlcmd'])) { $sqlcmd = almdata::escape($_REQUEST['sqlcmd']); } else { $sqlcmd = ''; } if (!isset($_REQUEST['fix'])) { $output .= '<form><input type="hidden" name="action" value="exec"/><textarea name="sqlcmd" cols="80">' . $sqlcmd . '</textarea><br/><input type="submit" value="Ejecutar SQL"></form>'; } else { $output .= "SQL Aplicado: " . $sqlcmd; } if ($sqlcmd) { $data = new Data(); $data->execSql($sqlcmd); $sqldata = $data->getArray(); $output .= "<pre>" . print_r($sqldata, 1) . "</pre>"; } break;
<?php if ($this->database) { $tmpvar = almdata::escape($tmpvar); } switch ($type) { case 'varchar': $type = 'string'; break; case 'numeric': $tmpvar = number_format((double) str_replace(',', '', $tmpvar), 2, '.', ''); $type = 'float'; break; case 'int': case 'smallint': case 'serial': $tmpvar = (int) str_replace(',', '', $tmpvar); $type = 'int'; break; default: $type = 'string'; } settype($tmpvar, $type); #if ($type == 'string') { if ($type == 'string' && !$allow_js) { $tmpvar = preg_replace("/<script[^>]*?>.*?<\\/script>/i", "", $tmpvar); } if ($type == 'string' && !$html) { $tmpvar = strip_tags($tmpvar, ALM_ALLOW_TAGS); }
break; case 'bool': case 'boolean': $value = isset($this->request[$column['name']]) ? $this->request[$column['name']] : '0'; $value = !$value || $value == 'false' || $value == '0' ? '0' : '1'; $values .= $column['name'] . "=" . "'" . $value . "'"; break; case 'date': case 'datenull': $value = $this->request[$column['name']]; if (isset($value) && $value != '0-00-0') { $value = almdata::escape($this->request[$column['name']]); $values .= $column['name'] . "= '" . $value . "'"; } else { $values .= $column['name'] . "=NULL"; } break; default: if (isset($this->request[$column['name']])) { $value = $this->escaped ? $this->request[$column['name']] : almdata::escape($this->request[$column['name']]); $values .= $column['name'] . "=" . "'" . $value . "'"; } else { $values .= $column['name'] . "=NULL"; } break; } $n++; if ($maxcols && $n + $skipped_cols >= $maxcols) { break; } }
/** * "escapea" una cadena para poder usarla de manera segura en comando sql * @param string $var cadena a "escapear" * @return string escaped string, lista para usar en sql */ function escape($var) { return almdata::escape($var); }