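/**
 * Validate a client-supplied SQL identifier (table or column name).
 *
 * Accepts a value that starts with a letter or underscore and otherwise
 * contains only letters, digits, underscores or hyphens (case-insensitive).
 * The accepted value is returned unchanged; anything else yields false.
 * Because a hyphen is accepted, the returned value is only safe in SQL when
 * it is also identifier-quoted (as quote_table() does for table names below)
 * or has been matched against real column names.
 *
 * @param mixed $id  raw request value (normally a string from get()/$_GET)
 * @return string|false
 */
function dbkiss_filter_id($id)
{
    // A non-string (e.g. an array from "?table[]=x") can never be a valid
    // identifier; preg_match() would raise a TypeError on it, so reject early.
    if (!is_string($id)) {
        return false;
    }
    // \z rather than $: in PCRE a plain '$' also matches just before a final
    // newline, so "name\n" would pass and carry the newline into the SQL.
    if (preg_match('#^[_a-z][a-z0-9_\\-]*\z#i', $id)) {
        return $id;
    }
    return false;
}

// Request parameters for the edit form: table, primary-key column, key value.
$get = get(array('table' => 'string', 'pk' => 'string', 'id' => 'string'));
$get['table'] = html_once($get['table']);
$get['pk'] = html_once($get['pk']);
// NOTE(review): $get['id'] is not passed through html_once() here; if $title is
// rendered as HTML later, it must be escaped at output — verify downstream.
$title_edit = sprintf('Edit row (%s=%s)', $get['pk'], $get['id']);
$title = ' > ' . $get['table'] . ' > ' . $title_edit;
if (!dbkiss_filter_id($get['table'])) {
    error('Invalid table name');
}
if (!dbkiss_filter_id($get['pk'])) {
    error('Invalid pk');
}
$row = false;
if (!error()) {
    $table_enq = quote_table($get['table']);
    // One row is fetched only to learn the column names; the pk must be one of them.
    $test = db_row("SELECT * FROM {$table_enq}");
    if ($test) {
        if (!array_key_exists($get['pk'], $test)) {
            error('Invalid pk');
        }
    }
    if (!error()) {
        $table_enq = quote_table($get['table']);
        // NOTE(review): $get['pk'] is spliced into the SQL unquoted. It has passed
        // dbkiss_filter_id(), and when the table has at least one row it was also
        // checked against that row's column names above — but that column check is
        // skipped for an empty table ($test is false), so the regex (which accepts
        // '-') is then the only guard. Quoting the identifier the same way the table
        // name is, or checking the pk against column metadata regardless of row
        // count, would close that gap.
        $query = db_bind("SELECT * FROM {$table_enq} WHERE {$get['pk']} = %0", $get['id']);
        // Limit of 2 — presumably to detect a non-unique key; confirm in the code
        // that consumes $query, which lies beyond this listing.
        $query = db_limit($query, 0, 2);
        // Both enclosing if (!error()) blocks are closed further on, outside this listing.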
} $_GET['table'] = htmlspecialchars($_GET['table']); $_GET['pk'] = htmlspecialchars($_GET['pk']); $title_edit = sprintf('Edit (%s=%s)', $_GET['pk'], $_GET['id']); $title = ' > ' . $_GET['table'] . ' > ' . $title_edit; if (!dbkiss_filter_id($_GET['table'])) { error('Invalid table name'); } if ($_pkeys) { foreach ($_pkeys as $key) { if (!dbkiss_filter_id($key)) { error('Invalid pk'); } } } else { if (!dbkiss_filter_id($_pk)) { error('Invalid pk'); } } $row = false; if (!error()) { $table_enq = quote_table($_GET['table']); $test = db_row("SELECT * FROM {$table_enq}"); if ($test) { if ($_pkeys) { foreach ($_pkeys as $key) { if (!array_key_exists($key, $test)) { error('Invalid pk'); } } } else {