/**
 * Returns the human-readable value of this pseudo-field for $record.
 *
 *  - createdDate / updatedDate are handed to DateField::getDisplayValue().
 *  - createdByUserNum / updatedByUserNum are resolved to the matching
 *    `<prefix>accounts`.username. The lookup is built with mysql_escapef()
 *    and a `?` placeholder, so the stored user number is never interpolated
 *    into the SQL string directly.
 *  - Any other field falls through to the parent implementation.
 *
 * @param array $record  record row the value is taken from
 * @return mixed         display string; for the user-num fields this is whatever
 *                       mysql_get_query() returned for the first column
 *                       (null/'' when no account row matched)
 */
function getDisplayValue($record) {
    // DateField is needed for the date pseudo-fields below
    require_once SCRIPT_DIR . '/lib/fieldtypes/date.php';

    $fieldName = $this->name;

    // Date pseudo-fields: delegate to DateField. The @ silences the warning PHP
    // emits for calling a non-static method statically (pre-existing behaviour).
    switch ($fieldName) {
        case 'createdDate':
        case 'updatedDate':
            return @DateField::getDisplayValue($record);
    }

    $rawValue = parent::getDatabaseValue($record);

    // User-number pseudo-fields: map the account num to its username.
    $isUserNumField = ($fieldName == 'createdByUserNum' || $fieldName == 'updatedByUserNum');
    if ($isUserNumField) {
        $accountsTable = "{$GLOBALS['TABLE_PREFIX']}accounts";
        $sql           = mysql_escapef("SELECT username FROM `{$accountsTable}` WHERE num = ?", $rawValue);
        list($username) = mysql_get_query($sql, true);
        return $username;
    }

    return parent::getDisplayValue($record);
}
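/**
 * Builds the body of a SQL WHERE clause from an associative criteria array.
 *
 * Each key is a column name; each value is either a scalar (rendered as
 * `col` = ? through mysql_escapef) or an array (rendered as `col` IN (...)
 * through mysql_escapeCSV). Terms are joined with AND and $extraWhere is
 * appended verbatim as the final term.
 *
 * Security notes:
 *  - Column names cannot be bound as parameters, so they are whitelisted to
 *    /^\w+\z/ (ASCII letters, digits, underscore). \z is used instead of $
 *    because $ also matches before a trailing newline, which would let a
 *    name such as "num\n" through the check.
 *  - $extraWhere is NOT escaped. It must be trusted SQL assembled by the
 *    caller (e.g. via mysql_escapef); never pass raw request input here.
 *
 * Edge cases:
 *  - A null or empty $criteriaArray yields just $extraWhere.
 *  - An empty array value would render as `col` IN (), which is a MySQL
 *    syntax error; it is rendered as FALSE instead (no row can match).
 *
 * @param array|null $criteriaArray  column => scalar | array of values
 * @param string     $extraWhere     trusted SQL appended as the last AND term
 * @return string    WHERE-clause body (without the WHERE keyword)
 */
function mysql_where($criteriaArray = null, $extraWhere = 'TRUE') {
    $where = '';

    if ($criteriaArray) {
        foreach ($criteriaArray as $fieldName => $value) {
            // whitelist column chars to prevent sql injection (identifiers can't be bound)
            if (!preg_match('/^\w+\z/', $fieldName)) {
                die(__FUNCTION__ . ": Invalid column name '" . htmlencode($fieldName) . "'!");
            }

            if (is_array($value)) {
                // `col` IN () is invalid SQL, so an empty list matches nothing
                if (!$value) {
                    $where .= "FALSE AND ";
                } else {
                    $where .= "`{$fieldName}` IN (" . mysql_escapeCSV($value) . ") AND ";
                }
            } else {
                $where .= mysql_escapef("`{$fieldName}` = ? AND ", $value);
            }
        }
    }

    $where .= $extraWhere;
    return $where;
}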
if ($isSingleMenu) { $_REQUEST['num'] = 1; } ### load record $num = (int) @$_REQUEST['num']; // error checking if ($escapedTableName == '') { die("no tablename specified!"); } if ($num != (int) $num) { die("record number value must be an integer!"); } // load record $GLOBALS['RECORD'] = array(); if ($num) { list($records) = getRecords(array('tableName' => $tableName, 'where' => mysql_escapef(" num = ? ", $num), 'limit' => '1', 'loadCreatedBy' => false, 'allowSearch' => false, 'loadUploads' => false, 'loadPseudoFields' => true, 'ignoreHidden' => true, 'ignorePublishDate' => true, 'ignoreRemoveDate' => true, 'includeDisabledAccounts' => true)); $GLOBALS['RECORD'] = @$records[0]; // get first record } if (!$GLOBALS['RECORD']) { alert(t("Couldn't view record (record no longer exists)!")); include 'lib/menus/default/list.php'; exit; } // //doAction('record_preedit', $tableName, @$_REQUEST['num']); // showHeader(); ?> <script type="text/javascript" src="<?php
<?php global $tableName, $schema, $escapedTableName, $isMyAccountMenu; // Check if old record exists and load it $query = mysql_escapef("SELECT * FROM `{$escapedTableName}` WHERE num = ? LIMIT 1", @$_REQUEST['num']); $oldRecord = mysql_get_query($query); $recordExists = $oldRecord; $isNewRecord = !$oldRecord; // doAction('record_presave', $tableName, $isNewRecord, $oldRecord); // $mySqlColsAndTypes = getMySqlColsAndType($escapedTableName); $newRecordValues = _getRecordValuesFromFormInput(); ### Security Checks security_dieUnlessPostForm(); security_dieUnlessInternalReferer(); security_dieOnInvalidCsrfToken(); ### error checking $inputErrors = ''; $maxRecordError = $recordExists ? '' : showMaxRecordsError('returnText'); if ($maxRecordError) { $inputErrors = $maxRecordError; } elseif (@$schema['_disableAdd'] && !$recordExists) { $inputErrors = t('Adding records has been disabled for this section!') . "\n"; } elseif (@$schema['_disableModify'] && $recordExists) { $inputErrors = t('Modifying records has been disabled for this section!') . "\n"; } else { $inputErrors = _getInputValidationErrors($mySqlColsAndTypes, $newRecordValues); } if ($inputErrors) { die($inputErrors);
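/**
 * AJAX step handler: (re)creates one thumbnail for the upload at
 * $_REQUEST['offset'] in the (tablename, fieldname) upload set, then prints
 * progress ("<next offset>/<total>" or "done") and exits.
 *
 * Request parameters read:
 *  - tablename, fieldname  : which uploads to process (required)
 *  - maxWidth, maxHeight   : thumbnail bounds; must match /^[0-9_]+$/ (required)
 *  - offset                : zero-based index into the upload set (intval'd)
 *  - thumbNum              : thumbnail slot; '' or digits only. It selects the
 *                            "thumb<N>/" directory and the thumb*<N> columns.
 *
 * Security notes:
 *  - thumbNum is interpolated into both a filesystem path and the column
 *    names of the UPDATE below. Column names cannot be bound, so it is
 *    whitelisted to digits (or empty) before use; anything else dies with
 *    the STOPJS prefix.
 *  - Every value that reaches a SQL *value* position goes through
 *    mysql_escapef()/mysql_escape().
 *  - No authentication, POST or CSRF check is visible in this function;
 *    NOTE(review): confirm the dispatcher that calls it enforces those.
 *
 * Errors are reported with die(); messages prefixed "STOPJS:" tell the
 * calling JavaScript to stop iterating.
 */
function recreateThumbnails() {
    global $TABLE_PREFIX;
    $tableNameWithoutPrefix = getTablenameWithoutPrefix($_REQUEST['tablename']);

    // error checking
    $stopPrefix     = "STOPJS:"; // this tells javascript to stop creating thumbnails
    $requiredFields = array('tablename', 'fieldname', 'maxHeight', 'maxWidth');
    foreach ($requiredFields as $fieldname) {
        if (!@$_REQUEST[$fieldname]) {
            die($stopPrefix . "Required fieldname '{$fieldname}' not specified!");
        }
    }
    if (preg_match('/[^0-9\\_]/i', $_REQUEST['maxHeight'])) { die($stopPrefix . "Invalid value for max height!\n"); }
    if (preg_match('/[^0-9\\_]/i', $_REQUEST['maxWidth']))  { die($stopPrefix . "Invalid value for max width!\n"); }

    // thumbNum becomes part of a path and of SQL identifiers: digits or empty only
    $thumbNum = (string) @$_REQUEST['thumbNum'];
    if (!preg_match('/^[0-9]*\z/', $thumbNum)) {
        die($stopPrefix . "Invalid value for thumbNum!\n");
    }

    // get upload count
    $where        = mysql_escapef("tableName = ? AND fieldName = ?", $tableNameWithoutPrefix, $_REQUEST['fieldname']);
    $totalUploads = mysql_count('uploads', $where);

    // load upload
    $whereEtc  = mysql_escapef("tableName = ? AND fieldname = ?", $tableNameWithoutPrefix, $_REQUEST['fieldname']);
    $whereEtc .= " LIMIT 1 OFFSET " . intval(@$_REQUEST['offset']);
    @(list($upload) = mysql_select('uploads', $whereEtc));

    if ($upload) {
        // get uploadDir and uploadUrl
        $schema = loadSchema($upload['tableName']);
        list($uploadDir, $uploadUrl) = getUploadDirAndUrl($schema[$upload['fieldName']]);

        // get upload's absolute filepath
        $absoluteFilepath = addUploadPathPrefix($upload['filePath'], $uploadDir); // make path absolute

        // error checking
        if (!file_exists($absoluteFilepath)) {
            $error  = "Upload doesn't exist '{$absoluteFilepath}'!<br/>\n";
            $error .= "Found in: {$upload['tableName']}, {$upload['fieldName']}, record {$upload['recordNum']}.";
            die($error);
        }

        ### resize image
        $isImage = preg_match("/\\.(gif|jpg|jpeg|png)\$/i", $absoluteFilepath);
        if ($isImage) {
            // thumbnail lives in a "thumb<N>/" sibling directory of the original
            $thumbSavePath = preg_replace("|([^/]+)\$|", "thumb{$thumbNum}/\$1", $absoluteFilepath);
            $thumbUrlPath  = preg_replace("|([^/]+)\$|", "thumb{$thumbNum}/\$1", $upload['urlPath']);

            // erase old thumbnail
            if (file_exists($thumbSavePath)) {
                @unlink($thumbSavePath) || die("Can't erase old thumbnail '{$thumbSavePath}': {$php_errormsg}");
            }

            // create new thumbnail
            list($thumbWidth, $thumbHeight) = saveResampledImageAs($thumbSavePath, $absoluteFilepath, $_REQUEST['maxWidth'], $_REQUEST['maxHeight']);
            doAction('upload_thumbnail_save', array($tableNameWithoutPrefix, $_REQUEST['fieldname'], $thumbNum, $thumbSavePath));

            // update upload database ($thumbNum is whitelisted above, so the column names are safe)
            $query  = "UPDATE `{$TABLE_PREFIX}uploads`\n";
            $query .= " SET `thumbFilepath{$thumbNum}` = '" . mysql_escape(removeUploadPathPrefix($thumbSavePath, $uploadDir)) . "',\n";
            $query .= "     `thumbUrlPath{$thumbNum}`  = '" . mysql_escape(removeUploadPathPrefix($thumbUrlPath, $uploadUrl)) . "',\n";
            $query .= "     `thumbWidth{$thumbNum}`    = '" . mysql_escape($thumbWidth) . "',\n";
            $query .= "     `thumbHeight{$thumbNum}`   = '" . mysql_escape($thumbHeight) . "'\n";
            $query .= " WHERE num = '" . mysql_escape($upload['num']) . "'";
            mysql_query($query) or die("MySQL Error: " . htmlencode(mysql_error()) . "\n");
        }
    }

    // print status message (intval matches the OFFSET used in the query above)
    $offset = intval(@$_REQUEST['offset']) + 1;
    if ($offset <= $totalUploads) {
        print "{$offset}/{$totalUploads}";
    } else {
        print "done";
    }
    exit;
}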