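/**
 * Sanitise a request value for one output context.
 *
 * Arrays are walked recursively (keys are kept as-is); scalars are processed
 * according to $type:
 *  - 'standard': backslash-escape quotes/backslashes (addslashes) unless
 *                magic_quotes_gpc already did so;
 *  - 'sql':      database::escape(), after undoing magic-quotes slashes;
 *  - 'html':     database::escape() followed by htmlentities();
 *  - 'integer':  intval().
 * Any other $type returns the value unchanged, so callers must not rely on an
 * unknown type being sanitised.
 *
 * @param mixed  $data  scalar or (nested) array of scalars
 * @param string $type  one of 'standard', 'sql', 'html', 'integer'
 *
 * @return mixed  the cleaned value, with the same array shape as $data
 */
public static function cleanData($data, $type = 'standard')
{
    // get_magic_quotes_gpc() was removed in PHP 8 (and always reported off since 5.4);
    // calling it unguarded is a fatal error there. When it is on, request data already
    // carries backslash escaping that has to be undone before escaping again.
    $magicquotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1;

    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = janitor::cleanData($v, $type);
        }
        return $data;
    }

    switch ($type) {
        case "standard":
            // NOTE(review): addslashes is not a driver-aware SQL escape; use 'sql' (or
            // parameterised queries) for anything that reaches the database.
            $data = $magicquotes ? $data : addslashes($data);
            break;
        case "sql":
            // strip magic-quotes slashes first so the value is escaped exactly once
            $data = database::escape($magicquotes ? stripslashes($data) : $data);
            break;
        case "html":
            // NOTE(review): this applies SQL escaping *and* HTML encoding to one value,
            // which is a double-context result; kept because callers may store it.
            // ENT_QUOTES also encodes single quotes (the pre-8.1 default left them raw);
            // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
            $data = htmlentities(
                database::escape($magicquotes ? stripslashes($data) : $data),
                ENT_QUOTES | ENT_SUBSTITUTE,
                'UTF-8'
            );
            break;
        case "integer":
            $data = intval($data);
            break;
    }

    return $data;
}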
/**
 * Escape a value for embedding inside an SQL string literal.
 *
 * Delegates to the escape() method of the wrapped database object. String-literal
 * escaping only protects a value placed between quotes; it is not a substitute for
 * parameterised queries and does not make a value safe as an identifier.
 *
 * @param mixed $var
 *
 * @return string
 */
public function escape($var)
{
    $driver = $this->database;

    return $driver->escape($var);
}
$deleteQuery = "DELETE FROM files WHERE subq_id='" . $sq_id . "'"; $databaseObj->send_sql($deleteQuery); $deletesubque = "DELETE FROM submissionqueue WHERE subq_id='" . $sq_id . "'"; $databaseObj->send_sql($deletesubque); } if (isset($_POST['hid'])) { $course_id = addslashes(strip_tags($_POST['hid'])); // Connect to the database $db = new database(); $db->setup(DB_USER, DB_PASS, DB_HOST, DB_NAME); $flag = false; $subq_id = 0; $s_id = addslashes(strip_tags($_SESSION['cwid'])); $wrongtype = 0; foreach ($_FILES as $x => $x_value) { $mime = $databaseObj->escape($_FILES[$x]['type']); if ($mime != 'application/pdf') { $databaseObj->__destruct(); header('location:waiver.php'); } } foreach ($_FILES as $x => $x_value) { if (isset($_FILES[$x])) { // Make sure the file was sent without errors if ($_FILES[$x]['error'] == 0) { /*echo $_FILES['uploaded_file']['name']; echo $_FILES['uploaded_file']['type']; echo file_get_contents($_FILES ['uploaded_file']['tmp_name']);*/ // Gather all required data if ($flag == false) { $q = "INSERT INTO submissionqueue (s_id, time_stamp, status, comments) VALUES ('{$s_id}', '" . time() . "', 'Pending', ' ')";
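/**
 * Build the XML autocomplete response for a title prefix.
 *
 * Queries articles, categories and menu items whose title starts with $keyword
 * and returns an XML document of <name>/<pid>/<link> entries plus an <error>
 * element holding the driver's last error text.
 *
 * @param string $keyword  raw search prefix as received from the request
 *
 * @return string  XML document
 */
function getSuggestions($keyword) {
    //get DB: the Joomla driver inside Joomla, the standalone wrapper otherwise
    if (defined('_JEXEC')) {
        $dbi = JDatabase::getInstance(array(
            'driver' => DB_DRIVER,
            'host' => DB_HOST,
            'user' => DB_USER,
            'password' => DB_PASSWORD,
            'database' => DB_DATABASE,
            'prefix' => DB_PREFIX,
        ));
    } else {
        $dbi = new database(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE, DB_PREFIX, DB_OFFLINE);
    }

    // escape the keyword string. get_magic_quotes_gpc() no longer exists on PHP 8,
    // so guard the call instead of failing fatally; when it is on, undo its slashes first.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { //Addded by AW
        $keyword = stripslashes($keyword);
    }
    $keyword = $dbi->escape($keyword);

    // allow the large UNION below; the old "SET OPTION" spelling was removed in MySQL 5.6
    $dbi->setQuery("SET SQL_BIG_SELECTS=1");
    $dbi->query();

    // column names used throughout the query
    $tit = "title";
    $id = "id";
    $link = "link";

    $output = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>';
    $output .= '<response>';

    // an empty keyword yields a filter that matches nothing (title = "")
    $filter = '=""';
    if ($keyword != '') {
        // prefix match; the keyword is driver-escaped, but LIKE wildcards (% and _) are kept as typed
        $filter = ' LIKE "' . $keyword . '%"';
    }

    // Text goes inside CDATA; a literal "]]>" in a value would end the section early,
    // so it is split across two sections to keep the document well-formed.
    $cdata = function ($text) {
        return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', (string) $text) . ']]>';
    };

    // build the SQL query that gets the matching items from the database
    $query = '';
    if (defined('_JEXEC')) {
        $query = 'SELECT ' . $tit . ',' . $link . ',' . $id . ' FROM (SELECT c.' . $tit . ' ,m.' . $link . ',m.id,c.created FROM #__content c JOIN ( SELECT ' . $link . ',' . $id . ' FROM #__menu WHERE ' . $link . ' like "index.php?option=com_content&view=article&id=%" AND published = 1 ) as m on m.' . $link . ' = concat("index.php?option=com_content&view=article&id=",c.' . $id . ') WHERE c.' . $tit . $filter
            . ' UNION SELECT i.' . $tit . ' as title,concat(concat(concat("index.php?option=com_content&view=article&catid=",c.' . $id . '),"&id="),cast(i.' . $id . ' as char(11))) as link, mc.' . $id . ' as id,i.created FROM #__content AS i JOIN #__categories AS c ON i.catid = c.' . $id . ' JOIN #__menu AS mc ON mc.' . $link . ' = concat("index.php?option=com_content&view=category&layout=blog&id=",c.' . $id . ') OR mc.' . $link . ' = concat("index.php?option=com_content&view=category&id=",c.' . $id . ') WHERE mc.published=1 AND i.' . $tit . $filter
            . ' UNION select i.' . $tit . ',concat(concat(concat("index.php?option=com_content&view=article&catid=",c.' . $id . '),"&id="),cast(i.' . $id . ' as char(11))) as link, 0 as id,i.created FROM #__content i LEFT join #__menu m on m.link = concat("index.php?option=com_content&view=article&id=",i.' . $id . ') JOIN #__categories AS c ON i.catid = c.' . $id . ' LEFT JOIN #__menu AS mc ON mc.' . $link . ' = concat("index.php?option=com_content&view=category&layout=blog&id=",c.' . $id . ') OR mc.' . $link . ' = concat("index.php?option=com_content&view=category&id=",c.' . $id . ') WHERE m.' . $id . ' is null AND mc.' . $id . ' is null AND state = 1 AND i.' . $tit . $filter
            . ' UNION SELECT c.' . $tit . ',m.link,m.id,"0000-00-00 00:00:00" as created FROM #__menu AS m JOIN #__categories AS c ON m.' . $link . ' = concat("index.php?option=com_content&view=category&layout=blog&id=",c.' . $id . ') OR m.' . $link . ' = concat("index.php?option=com_content&view=category&id=",c.' . $id . ') WHERE m.published = 1 AND m.parent_id = 1 AND c.' . $tit . $filter
            . ' UNION SELECT c.title,concat("index.php?option=com_content&view=categories&id=",cast(c.' . $id . ' as char(11))) as link,0 as id,"0000-00-00 00:00:00" as created FROM #__categories AS c JOIN #__menu AS m ON m.' . $link . ' = concat("index.php?option=com_content&view=categories&id=",c.' . $id . ') WHERE m.published = 1 AND c.' . $tit . $filter
            . ' ORDER BY created desc) a WHERE ' . $tit . $filter;
    }

    // execute the SQL query
    $dbi->setQuery($query);
    $rows = $dbi->loadAssocList();

    // if we have results, loop through them and add them to the output
    if ($rows) {
        foreach ($rows as $row) {
            $output .= '<name>' . $cdata($row[$tit]) . '</name>';
            // pid is emitted as-is (not CDATA-wrapped), as before; presumably numeric — confirm
            $output .= '<pid>' . $row[$id] . '</pid>';
            $output .= '<link>' . $cdata($row[$link]) . '</link>';
        }
    }

    // add debug information
    // NOTE(review): this returns the driver's error text to the client; logging it
    // server-side and sending only a generic marker would avoid disclosing DB details.
    $output .= '<error>' . $cdata($dbi->getErrorMsg()) . '</error>';

    // add the final closing tag
    $output .= '</response>';

    return $output;
}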
<?php //get //votePost.php?p_id=1&up //votePost.php?p_id=1&down require_once "include/databaseClassMySQLi.php"; require_once "include/session.php"; header('Content-Type: application/json'); $db = new database(); $results = array(); if (isset($_POST['p_id']) && $_POST['p_id'] != '') { $p_id = $db->escape($_POST['p_id']); if (isset($_POST['up'])) { $query = 'select value from post_votes where p_id=\'' . $p_id . '\' and u_id=\'' . $session->uid . '\''; $db->send_sql($query); $row = $db->next_row(); if ($row === false || empty($row)) { $query = 'insert into post_votes (p_id, u_id, value) values(\'' . $p_id . '\', \'' . $session->uid . '\', 1)'; $db->send_sql($query); $query = 'update posts set votes = votes + 1 where p_id=' . $p_id; $db->send_sql($query); } else { $query = 'update post_votes set value=1 where p_id=\'' . $p_id . '\' and u_id=\'' . $session->uid . '\''; $db->send_sql($query); $value = $row['value']; if ($value == -1) { $query = 'update posts set votes = votes + 2 where p_id=\'' . $p_id . '\''; $db->send_sql($query); } } } else {
<?php //get //post.php?start=0&count=20 //post.php require_once "include/databaseClassMySQLi.php"; require_once "include/session.php"; header('Content-Type: application/json'); $db = new database(); $results = array(); if (isset($_GET['start']) && isset($_GET['count'])) { $start = $db->escape($_GET['start']); $count = $db->escape($_GET['count']); if (!is_numeric($start) || !is_numeric($count)) { $start = 0; $count = 20; } } else { $start = 0; $count = 20; } //value = whether the use voted 1 or -1 or null if (isset($_GET['top'])) { $query = 'select posts.p_id, users.u_id, for_name, name, post, date, showName, votes, a.value, ownage_id from posts natural join users left join (select value, p_id from post_votes where u_id=\'' . $session->uid . '\') a on posts.p_id=a.p_id where hidden=0 order by votes desc limit ' . $start . ', ' . $count; } else { $query = 'select posts.p_id, users.u_id, for_name, name, post, date, showName, votes, a.value, ownage_id from posts natural join users left join (select value, p_id from post_votes where u_id=\'' . $session->uid . '\') a on posts.p_id=a.p_id where hidden=0 order by date desc limit ' . $start . ', ' . $count; } $db->send_sql($query); while (($row = $db->next_row()) !== false && !empty($row)) { if ($row['showName'] == 0) { $row['name'] = "anon";
//userPost.php?post=postcontent&showName=1 //userPost.php?post=postcontent //POST //delete //userPost.php?delete=p_id //get //userPost.php?start=0&count=10 //userPost.php require_once "include/session.php"; require_once "include/databaseClassMySQLi.php"; header('Content-Type: application/json'); $db = new database(); $results = array(); if (isset($_POST['post']) && isset($_POST['for_name']) && $_POST['post'] != '') { if (isset($_POST['showName'])) { $showName = $db->escape($_POST['showName']); if ($showName === true || $showName === 'true') { $showName = 1; } else { $showName = 0; } } else { $showName = 0; } if ($session->checkLoggedIn() === true) { $db->send_sql("insert into ownage(u_id) values ('{$session->uid}')"); $ownage = $db->insert_id(); date_default_timezone_set('UTC'); $post = $db->escape($_POST['post']); $for_name = $db->escape($_POST['for_name']); $query = 'insert into posts(u_id, post, showName, ownage_id, for_name) values (\'' . $session->uid . '\', \'' . $post . '\', \'' . $showName . '\', \'' . $ownage . '\', \'' . $for_name . '\')';
<?php //post //comment.php?p_id=1&comment=content&showName=1 //comment.php?p_id=1&comment=content //get //userPost.php?post=p_id=1 //userPost.php?post=p_id=1&start=0&count=1 require_once "include/session.php"; require_once "include/databaseClassMySQLi.php"; header('Content-Type: application/json'); $db = new database(); $results = array(); if (isset($_POST['comment']) && isset($_POST['p_id']) && $_POST['comment'] != '' && $_POST['p_id'] != '') { $p_id = $db->escape($_POST['p_id']); if (isset($_POST['showName'])) { $showName = $db->escape($_POST['showName']); if ($showName === true || $showName === 'true') { $showName = 1; } else { $showName = 0; } } else { $showName = 0; } if ($session->checkLoggedIn() === true) { $db->send_sql("insert into ownage(u_id) values ('{$session->uid}')"); $ownage = $db->insert_id(); date_default_timezone_set('UTC'); $comment = $db->escape($_POST['comment']); $query = "insert into comments(u_id, p_id, comment, showName, ownage_id) values ('{$session->uid}', '{$p_id}', '{$comment}', '{$showName}', {$ownage})";
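<?php
// Registration endpoint: creates a user from the POSTed name/password/email and
// answers with a JSON list of status messages.
require_once 'include/databaseClassMySQLi.php';
require_once "include/session.php";

$db = new database();
header('Content-Type: application/json');
$result = array();

// all three fields must be present, be plain strings (not arrays) and be non-empty
$hasAllFields = isset($_POST['name'], $_POST['password'], $_POST['email'])
    && is_string($_POST['name']) && is_string($_POST['password']) && is_string($_POST['email'])
    && $_POST['name'] != '' && $_POST['password'] != '' && $_POST['email'] != '';

if ($hasAllFields) {
    $name = $db->escape($_POST['name']);
    // NOTE(review): the password is DB-escaped *before* hashing, so the stored hash is of the
    // escaped string; $session->login() (include/session.php, not shown here) must apply the
    // identical escaping or verification fails for passwords containing quotes/backslashes.
    // Hash the raw value once that is confirmed.
    $password = $db->escape($_POST['password']);
    $email = $db->escape($_POST['email']);

    // NOTE(review): no format check on the e-mail address and no minimum password length.
    $query = 'select email from users where email=\'' . $email . '\'';
    $db->send_sql($query);
    $row = $db->next_row();

    if ($row !== false && !empty($row)) {
        $result[] = "Email is already taken";
    } else {
        // the hash is escaped like every other interpolated value; note that a
        // check-then-insert can still race with a concurrent request unless the
        // email column is UNIQUE (schema not shown here)
        $hash = $db->escape(password_hash($password, PASSWORD_DEFAULT));
        $query = 'insert into users(name, password, email) values (\'' . $name . '\', \'' . $hash . '\', \'' . $email . '\')';
        $db->send_sql($query);
        $result[] = "Success";
        $session->login($email, $password);
    }
} else {
    $result[] = "Missing a field";
}

echo json_encode($result);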
include "databaseClassMySQLi.php"; //include("projconfig.php"); $databaseObj = new database(); $databaseObj->setup(DB_USER, DB_PASS, DB_HOST, DB_NAME); if (isset($_POST)) { foreach ($_POST as $key => $value) { if (is_array($value)) { $jsonData = "{\\\"{$key}\\\":["; $numfiles = sizeof($value); foreach ($value as $element) { $jsonData = $jsonData . '\\"' . $element . '\\"'; if ($numfiles != 1) { $jsonData = $jsonData . ', '; } $numfiles = $numfiles - 1; } $jsonData = $jsonData . ']}'; $jsonDataString = $databaseObj->escape($jsonData); //echo $jsonDataString; $query = "insert into submissiontype(course_id, submission_type, refreshOnUpdate) values ('{$course_id}','{$jsonDataString}',false)"; $result = $databaseObj->send_sql($query); } } } echo "Course designed successfully"; } else { header("location:designCourse.php"); } ?> </body> </html>
/**
 * Get a database escaped string. For LIKE statements: $db->Quote( $db->getEscaped( $text, true ) . '%', false )
 *
 * @param string $text
 * @param boolean $escapeForLike : escape also % and _ wildcards for LIKE statements with % or _ in search strings (since CB 1.2.3)
 * @return string
 */
function getEscaped($text, $escapeForLike = false) {
    // Joomla 2+ renamed the driver method from getEscaped() to escape()
    $escaped = (checkJversion() >= 2)
        ? $this->_db->escape($text)
        : $this->_db->getEscaped($text);

    if (!$escapeForLike) {
        return $escaped;
    }

    // Backslash-prefix the LIKE wildcards after the driver escape so the added
    // backslash is not itself doubled.
    return str_replace(array('%', '_'), array("\\%", "\\_"), $escaped);
}
//message.php?to=ownage_id&message=content&showName=1 //message.php?to=ownage_id&message=content //GET //delete //message.php?delete=m_id //get //message.php?start=0&count=10 //message.php require_once "include/session.php"; require_once "include/databaseClassMySQLi.php"; header('Content-Type: application/json'); $db = new database(); $results = array(); if (isset($_POST['message']) && isset($_POST['to'])) { if (isset($_POST['showName'])) { $showName = $db->escape($_POST['showName']); if ($showName === true || $showName === 'true') { $showName = 1; } else { $showName = 0; } } else { $showName = 0; } if ($session->checkLoggedIn() === true) { $db->send_sql("insert into ownage(u_id) values ('{$session->uid}')"); $ownage = $db->insert_id(); date_default_timezone_set('UTC'); $message = $db->escape($_POST['message']); $to = $db->escape($_POST['to']); $query = 'insert into messages(to_ownage, ownage_id, message, showName) values (\'' . $to . '\', \'' . $ownage . '\', \'' . $message . '\', \'' . $showName . '\')';