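/**
 * Checks the structured parts of a where clause (field, operator, concatenator)
 * against the whitelist from Config and, optionally, writes a quoted/escaped
 * copy of the free-text element of every group back into the ParameterObject.
 *
 * Each entry of $whereParam is expected as [field, operator, freeText, concatenator|null];
 * index 3 may be absent. Only indexes 0, 1 and 3 are whitelisted - the free text
 * (index 2) is never validated, only escaped when $escapeFreeText is true.
 *
 * NOTE(review): the escaping is addslashes() wrapped in double quotes, which is not
 * charset-aware and is no substitute for parameterised queries. The quoted form is
 * kept because the consumer of ATTR_CONDITION (outside this method) appears to rely
 * on it; moving that consumer to prepared statements is the real fix.
 *
 * When Config::useSecureMode() is off, or $whereParam is empty/null, the clause is
 * accepted unchanged and nothing is escaped.
 *
 * @param array|null      $whereParam     where clause groups as described above
 * @param ParameterObject $d              read for ATTR_TABLE, written with ATTR_CONDITION
 * @param bool            $escapeFreeText whether to also escape the free text of each group
 * @return boolean true if every group passes the whitelist (or secure mode is off)
 */
public static function isWhereClauseValid($whereParam, $d, $escapeFreeText = true)
{
    // Outside secure mode, or with nothing to check, the contract is "accept as-is".
    if (!Config::useSecureMode() || !$whereParam) {
        return true;
    }

    // A table that is not whitelisted yields an empty field list, so every group is
    // rejected below instead of raising an undefined-index warning / in_array() error.
    $validTables = Config::getValidTables();
    $table = $d->getAttribute(PO::ATTR_TABLE);
    $validFields = (isset($validTables[$table]) && is_array($validTables[$table]))
        ? $validTables[$table]
        : [];
    $validOperators = ['LIKE', '=', '<=', '>=', '!='];
    $validConcaters = ['OR', 'AND'];

    foreach ($whereParam as $group) {
        // A malformed group (not an array, or missing the field/operator slots) is
        // rejected rather than indexed blindly.
        if (!is_array($group) || !isset($group[0]) || !isset($group[1])) {
            return false;
        }
        // The concatenator is optional; a missing slot is treated like an explicit null.
        $concater = isset($group[3]) ? $group[3] : null;

        // strict comparison: loose in_array() would let e.g. boolean true match any
        // non-empty whitelist entry and bypass the field/operator/concatenator checks.
        if (!in_array($group[0], $validFields, true)
            || !in_array($group[1], $validOperators, true)
            || ($concater !== null && !in_array($concater, $validConcaters, true))
        ) {
            return false;
        }
    }

    if ($escapeFreeText) {
        // Quote and backslash-escape the free-text element of every group; the escaped
        // groups replace the condition stored on the ParameterObject.
        $escaped = array_map(function ($group) {
            $freeText = isset($group[2]) ? $group[2] : '';
            $group[2] = sprintf('"%s"', addslashes($freeText));
            return $group;
        }, $whereParam);
        $d->setAttribute(PO::ATTR_CONDITION, $escaped);
    }

    return true;
}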