Example #1
 /**
  * Thin forwarding wrapper: every argument is handed unchanged to
  * module_db::update_insert() and its result is returned as-is.
  *
  * Parameter meaning and the return value are defined by that method;
  * this function adds no behaviour of its own.
  */
 function update_insert($pkey, $pid, $table, $data = false, $do_replace = false)
 {
     $result = module_db::update_insert($pkey, $pid, $table, $data, $do_replace);

     return $result;
 }
Example #2
/**
 * Insert, update or replace one row of `_DB_PREFIX . $table`, taking column values from $data.
 *
 * When the module_db class is already loaded (no autoload is attempted) and exposes
 * update_insert(), the call is forwarded there and this legacy implementation is skipped.
 *
 * Flow:
 *  - $data === false means "use the whole request": every key of $_REQUEST that matches a
 *    column of $table is written (mass assignment; the column list from get_fields() is the
 *    only filter).
 *  - INSERT/REPLACE path: $do_replace, or a $pid that is not a non-zero numeric value,
 *    creates a new row and stamps date_created / create_user_id / create_ip_address / site_id
 *    when those columns exist.
 *  - UPDATE path: the row matched by `$pkey` = $pid (and system_id, when that column exists
 *    and _SYSTEM_ID is defined) gets date_updated / update_user_id / update_ip_address.
 *  - Values are escaped with mysql_real_escape_string(); array values are stored serialize()d.
 *
 * NOTE(review): $table and $pkey are placed into the statement with only surrounding
 * backticks and no escaping (see the SET and WHERE lines below) — callers must pass trusted
 * identifiers, never request-derived strings. Column names in the SET list come from
 * get_fields(), i.e. from the schema, not from $data.
 * NOTE(review): mysql_real_escape_string() / mysql_insert_id() belong to ext/mysql (removed
 * in PHP 7) and require an open connection; escaping is only correct for that connection's
 * character set.
 *
 * @param string      $pkey       primary-key column name (trusted identifier)
 * @param mixed       $pid        primary-key value; a non-numeric or zero value means "insert"
 * @param string      $table      table name without the _DB_PREFIX prefix (trusted identifier)
 * @param array|false $data       column => value map; false selects $_REQUEST
 * @param bool        $do_replace use REPLACE INTO instead of INSERT/UPDATE and keep $data[$pkey]
 * @return mixed      the primary-key value: mysql_insert_id() for a new row, otherwise $pid as given
 *                    (or whatever module_db::update_insert() returns when it is delegated to)
 */
function update_insert($pkey, $pid, $table, $data = false, $do_replace = false)
{
    // Prefer the module_db implementation when the class is already loaded (autoload disabled).
    if (class_exists('module_db', false) && is_callable('module_db::update_insert')) {
        return module_db::update_insert($pkey, $pid, $table, $data, $do_replace);
    }
    // No explicit data: write straight from the request. Only columns returned by
    // get_fields() are used, so the schema is the sole filter on what gets written.
    if ($data === false) {
        $data = $_REQUEST;
    }
    // Column metadata for $table. Appears to be keyed by column name with 'name'/'type'
    // entries, and the second argument presumably excludes those columns — TODO confirm
    // against get_fields().
    $fields = get_fields($table, array("date_created", "date_updated"), array(), true);
    // Stamp the owning system when the table carries a system_id column.
    if (isset($fields['system_id']) && defined('_SYSTEM_ID')) {
        $data['system_id'] = _SYSTEM_ID;
    }
    // date_created is written explicitly on insert (below), never taken from $data.
    if (isset($fields['date_created'])) {
        unset($fields['date_created']);
    }
    // Escaped once; interpolated into both the INSERT and the UPDATE statement.
    $now_string = mysql_real_escape_string(date('Y-m-d H:i:s'));
    // New row when replacing, or when $pid is not a non-zero number.
    if ($do_replace || !is_numeric($pid) || !$pid) {
        $pid = 'new';
        if ($do_replace) {
            $sql = "REPLACE INTO ";
        } else {
            $sql = "INSERT INTO ";
        }
        // $table is only back-quoted here, not escaped (see NOTE(review) in the docblock).
        $sql .= "`" . _DB_PREFIX . "{$table}` SET date_created = '{$now_string}', ";
        // Audit columns are filled from the session, never from $data, and removed from the
        // writable column list so the loop below cannot overwrite them.
        if (isset($fields['create_user_id']) && isset($_SESSION['_user_id']) && $_SESSION['_user_id']) {
            $sql .= "`create_user_id` = '" . (int) $_SESSION['_user_id'] . "', ";
            unset($fields['create_user_id']);
        }
        // NOTE(review): $_SERVER['REMOTE_ADDR'] is absent outside a web SAPI (e.g. CLI) — confirm callers.
        if (isset($fields['create_ip_address'])) {
            $sql .= "`create_ip_address` = '" . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "', ";
            unset($fields['create_ip_address']);
        }
        // Default the site from the session when the column exists and $data did not supply one.
        if (isset($fields['site_id']) && (!isset($data['site_id']) || !$data['site_id']) && isset($_SESSION['_site_id'])) {
            $data['site_id'] = $_SESSION['_site_id'];
        }
        // No WHERE clause on insert/replace.
        $where = "";
        //module_security::sanatise_data($table,$data);
        // todo - sanitise data here before we go through the loop.
        // if sanitisation fails or data access fails then we stop the update/insert.
        if (!$data) {
            // don't do this because $email->new_email() fails.
            // return false;
        }
    } else {
        // TODO - security hook here, check if we can access this data.
        /*$security_dummy=array();
        		if(!module_security::can_access_data($table,$security_dummy,$pid)){
        			echo 'Security warning - unable to save data';
        			exit;
        			return false;
        		}*/
        // A caller-supplied date_updated wins (normalised by input_date()), otherwise "now".
        $updated = false;
        if (isset($data['date_updated'])) {
            $updated = "'" . mysql_real_escape_string(input_date($data['date_updated'], true)) . "'";
        }
        if (!$updated) {
            $updated = "'{$now_string}'";
        }
        // $table is only back-quoted here, not escaped (see NOTE(review) in the docblock).
        $sql = "UPDATE `" . _DB_PREFIX . "{$table}` SET date_updated = {$updated},";
        // Audit columns from the session, removed from the writable list (as on insert).
        if (isset($fields['update_user_id']) && isset($_SESSION['_user_id']) && $_SESSION['_user_id']) {
            $sql .= "`update_user_id` = '" . (int) $_SESSION['_user_id'] . "', ";
            unset($fields['update_user_id']);
        }
        // NOTE(review): $_SERVER['REMOTE_ADDR'] is absent outside a web SAPI (e.g. CLI) — confirm callers.
        if (isset($fields['update_ip_address'])) {
            $sql .= "`update_ip_address` = '" . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "', ";
            unset($fields['update_ip_address']);
        }
        // Scope the UPDATE to the given key. $pid is escaped; $pkey is only back-quoted.
        $where = " WHERE `{$pkey}` = '" . mysql_real_escape_string($pid) . "'";
        // Multi-system guard: do not touch another system's row that shares the same key.
        if (isset($fields['system_id']) && defined('_SYSTEM_ID')) {
            $where .= " AND system_id = '" . _SYSTEM_ID . "'";
        }
    }
    //print_r($fields);exit;
    //print_r($data);exit;
    // Drop the key column from the SET list; it is kept only for REPLACE, which targets
    // the existing row by that key.
    if (!$do_replace && isset($data[$pkey])) {
        unset($data[$pkey]);
    }
    foreach ($fields as $field) {
        // Skip columns that $data does not provide, or that are explicitly set to false
        // (null values are skipped too, since isset() is false for them).
        if (!isset($data[$field['name']]) || $data[$field['name']] === false) {
            continue;
        }
        // Normalise date columns through input_date().
        if ($field['type'] == 'date') {
            $data[$field['name']] = input_date($data[$field['name']]);
        }
        // Normalise decimal/double columns through number_in() when that helper is available.
        if (($field['type'] == 'decimal' || $field['type'] == 'double') && function_exists('number_in')) {
            $data[$field['name']] = number_in($data[$field['name']]);
        }
        // Array values are stored as PHP-serialized strings.
        if (is_array($data[$field['name']])) {
            $val = serialize($data[$field['name']]);
        } else {
            $val = $data[$field['name']];
        }
        // Column name comes from the schema ($fields); only the value is escaped.
        $sql .= " `" . $field['name'] . "` = '" . mysql_real_escape_string($val) . "', ";
    }
    // Strip the trailing ", " left by the last assignment, then append the WHERE
    // clause (empty on insert/replace).
    $sql = rtrim($sql, ', ');
    $sql .= $where;
    query($sql);
    // For a new row, return the auto-increment id MySQL assigned.
    if ($pid == "new") {
        $pid = mysql_insert_id();
    }
    return $pid;
}