function update_insert($pkey, $pid, $table, $data = false, $do_replace = false)
{
return module_db::update_insert($pkey, $pid, $table, $data, $do_replace);
}
function update_insert($pkey, $pid, $table, $data = false, $do_replace = false)
{
if (class_exists('module_db', false) && is_callable('module_db::update_insert')) {
return module_db::update_insert($pkey, $pid, $table, $data, $do_replace);
}
if ($data === false) {
$data = $_REQUEST;
}
$fields = get_fields($table, array("date_created", "date_updated"), array(), true);
//
if (isset($fields['system_id']) && defined('_SYSTEM_ID')) {
$data['system_id'] = _SYSTEM_ID;
}
if (isset($fields['date_created'])) {
unset($fields['date_created']);
}
$now_string = mysql_real_escape_string(date('Y-m-d H:i:s'));
if ($do_replace || !is_numeric($pid) || !$pid) {
$pid = 'new';
if ($do_replace) {
$sql = "REPLACE INTO ";
} else {
$sql = "INSERT INTO ";
}
$sql .= "`" . _DB_PREFIX . "{$table}` SET date_created = '{$now_string}', ";
if (isset($fields['create_user_id']) && isset($_SESSION['_user_id']) && $_SESSION['_user_id']) {
$sql .= "`create_user_id` = '" . (int) $_SESSION['_user_id'] . "', ";
unset($fields['create_user_id']);
}
if (isset($fields['create_ip_address'])) {
$sql .= "`create_ip_address` = '" . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "', ";
unset($fields['create_ip_address']);
}
// check there's a valid site id
if (isset($fields['site_id']) && (!isset($data['site_id']) || !$data['site_id']) && isset($_SESSION['_site_id'])) {
$data['site_id'] = $_SESSION['_site_id'];
}
$where = "";
//module_security::sanatise_data($table,$data);
// todo - sanatise data here before we go through teh loop.
// if sanatisation fails or data access fails then we stop the update/insert.
if (!$data) {
// dont do this becuase $email->new_email() fails.
// return false;
}
} else {
// TODO - security hook here, check if we can access this data.
/*$security_dummy=array();
if(!module_security::can_access_data($table,$security_dummy,$pid)){
echo 'Security warning - unable to save data';
exit;
return false;
}*/
$updated = false;
if (isset($data['date_updated'])) {
$updated = "'" . mysql_real_escape_string(input_date($data['date_updated'], true)) . "'";
}
if (!$updated) {
$updated = "'{$now_string}'";
}
$sql = "UPDATE `" . _DB_PREFIX . "{$table}` SET date_updated = {$updated},";
if (isset($fields['update_user_id']) && isset($_SESSION['_user_id']) && $_SESSION['_user_id']) {
$sql .= "`update_user_id` = '" . (int) $_SESSION['_user_id'] . "', ";
unset($fields['update_user_id']);
}
if (isset($fields['update_ip_address'])) {
$sql .= "`update_ip_address` = '" . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "', ";
unset($fields['update_ip_address']);
}
$where = " WHERE `{$pkey}` = '" . mysql_real_escape_string($pid) . "'";
if (isset($fields['system_id']) && defined('_SYSTEM_ID')) {
$where .= " AND system_id = '" . _SYSTEM_ID . "'";
}
}
//print_r($fields);exit;
//print_r($data);exit;
if (!$do_replace && isset($data[$pkey])) {
unset($data[$pkey]);
}
foreach ($fields as $field) {
if (!isset($data[$field['name']]) || $data[$field['name']] === false) {
continue;
}
// special format for date fields.
if ($field['type'] == 'date') {
$data[$field['name']] = input_date($data[$field['name']]);
}
// special format for int / double fields.
if (($field['type'] == 'decimal' || $field['type'] == 'double') && function_exists('number_in')) {
$data[$field['name']] = number_in($data[$field['name']]);
}
if (is_array($data[$field['name']])) {
$val = serialize($data[$field['name']]);
} else {
$val = $data[$field['name']];
}
$sql .= " `" . $field['name'] . "` = '" . mysql_real_escape_string($val) . "', ";
}
$sql = rtrim($sql, ', ');
$sql .= $where;
query($sql);
if ($pid == "new") {
$pid = mysql_insert_id();
}
return $pid;
}
