/**
 * Deletes the rows of the table named in $data that match its primary-key data.
 *
 * The DELETE statement is assembled as a plain string: the table name comes
 * straight out of the ParameterObject and the WHERE clause out of
 * easyBuildQueyClause(). Nothing is quoted or whitelisted in this method, so
 * the caller is expected to have validated PO::ATTR_TABLE beforehand (e.g.
 * against the Secure Mode table whitelist) — NOTE(review): confirm every
 * call path actually does that before reaching here.
 *
 * @param mixed $data raw request options, handed to ParameterObject unchanged
 * @return array 'success' => whatever $this->dbh->exec() returned (presumably
 *               PDO: the affected row count, or false on failure; note that a
 *               delete matching zero rows yields 0, which is also falsy)
 */
public function deleteRow($data) {
    $params = new ParameterObject($data);
    $table = $params->getAttribute(PO::ATTR_TABLE);
    $whereClause = $this->easyBuildQueyClause($params->getAttribute(PO::ATTR_PRIMARY_KEY_DATA));
    // Same statement the original built with sprintf('DELETE FROM %s WHERE %s', ...).
    $statement = 'DELETE FROM ' . $table . ' WHERE ' . $whereClause;
    $rowCount = $this->dbh->exec($statement);
    return array('success' => $rowCount);
}
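/**
 * Checks the fixed parts of a user-supplied WHERE clause against the Secure
 * Mode whitelist and, optionally, escapes its free-text values.
 *
 * $whereParam is a list of groups shaped [field, operator, value, concatenator]
 * (index 3 may be absent or null). A group is accepted only when:
 *  - field is listed in Config::getValidTables()[<table of $d>],
 *  - operator is one of LIKE, =, <=, >=, !=,
 *  - concatenator is OR, AND, or absent/null,
 *  - value (index 2), if present, is a scalar (arrays cannot be escaped into a
 *    string and would otherwise crash addslashes() on PHP 8).
 * All whitelist lookups use in_array(..., true): with loose comparison a
 * non-string value such as true or 0 could match any whitelist entry on
 * PHP < 8, and null would match an empty-string entry.
 *
 * Outside Secure Mode, or when $whereParam is empty, nothing is checked and
 * the method returns true without touching $d.
 *
 * When $escapeFreeText is set, every value is wrapped in double quotes after
 * addslashes() and the rewritten groups are stored on $d as PO::ATTR_CONDITION.
 * NOTE(review): addslashes() is not a SQL escaper — it ignores the connection
 * charset (multibyte escape bypass) and double quotes are identifier quotes
 * under MySQL ANSI_QUOTES. Binding each value as a prepared-statement
 * parameter would be the proper fix; kept as-is here because downstream code
 * consumes the pre-built condition string.
 *
 * @param array $whereParam where-clause groups, typically from the request
 * @param ParameterObject $d parameter object whose table is being queried
 * @param bool $escapeFreeText also escape the free-text values of the clause
 * @return boolean true when validation is inactive or every group passes
 */
public static function isWhereClauseValid($whereParam, $d, $escapeFreeText = true) {
    if (!Config::useSecureMode() || !$whereParam) {
        return true;
    }
    $tables = Config::getValidTables();
    $table = $d->getAttribute(PO::ATTR_TABLE);
    // A table missing from the whitelist has no valid fields at all; the
    // original handed null to in_array() here, which warned and rejected
    // every group. Reject explicitly instead.
    $validFields = (isset($tables[$table]) && is_array($tables[$table])) ? $tables[$table] : array();
    $validOperators = array('LIKE', '=', '<=', '>=', '!=');
    $validConcaters = array('OR', 'AND');
    foreach ($whereParam as $group) {
        // Malformed groups (not an array, field or operator missing) are
        // rejected outright rather than read with undefined-index notices.
        if (!is_array($group) || !isset($group[0], $group[1])) {
            return false;
        }
        if (!in_array($group[0], $validFields, true)) {
            return false;
        }
        if (!in_array($group[1], $validOperators, true)) {
            return false;
        }
        if (isset($group[2]) && !is_scalar($group[2])) {
            return false;
        }
        $concater = isset($group[3]) ? $group[3] : null;
        if ($concater !== null && !in_array($concater, $validConcaters, true)) {
            return false;
        }
    }
    if ($escapeFreeText) {
        // Secure the free text elems; a missing value escapes to an empty string.
        $escaped = array_map(function ($group) {
            $value = isset($group[2]) ? (string) $group[2] : '';
            $group[2] = sprintf('"%s"', addslashes($value));
            return $group;
        }, $whereParam);
        $d->setAttribute(PO::ATTR_CONDITION, $escaped);
    }
    return true;
}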
use jQDB\ParameterObject as PO; error_reporting(0); // for this script should always only return json -> warnings and errors would destroy everything if (is_readable($kintPath = '../../kint/Kint.class.php')) { // debug lib (not required for use of jQDB) note to self: remove include_once $kintPath; } // inheritance require_once 'inheritance/iConnector.inter.php'; require_once 'inheritance/bConnector.class.php'; require_once 'inheritance/iConfig.inter.php'; // helper require_once 'helper/ConnectorSelector.class.php'; require_once 'helper/ParameterObject.class.php'; require_once 'helper/SecureModeHelper.class.php'; $dObj = new ParameterObject($_POST['options']); require_once 'config.class.inc.php'; // the point where the user config is loaded (removed dynamic path configuration from js for security reasons) $desired_connector = $dObj->getAttribute(PO::ATTR_CONNECTOR); $cs = new ConnectorSelector(); $connector = $cs->getConector($desired_connector); // try to select the connector // host, username, password, db $authRes = $connector->authenticate(Config::getHost(), Config::getUsername(), Config::getPassword(), $dObj->getAttribute(PO::ATTR_DATABASE_NAME)); $checkRes = SecureModeHelper::checkTable($dObj->getAttribute(PO::ATTR_TABLE), $dObj); if (is_numeric($checkRes)) { // we are returned a string in valid case or an int in failure case $data = array('success' => false); if ($checkRes === SecureModeHelper::FAILURE_TABLE_INVALID) { $data['error_str'] = 'You tried to us a table which is not on the whitelist due Secure Mode. Disable Secure Mode or add ' . $dObj->getAttribute(PO::ATTR_TABLE) . ' to the list of allowed tables'; } elseif ($checkRes === SecureModeHelper::FAILURE_FIELD_INVALID) {