/**
 * Substitutes the placeholders in $sql and runs the resulting statement on
 * $_dblink (or through the SQL debugger when $sql_debug is set).
 *
 * Placeholder syntax handled below:
 *   &1, &2, ...  positional values. A numeric value is inserted as-is; any
 *                other value must sit inside '...' or `...` in the template
 *                and is passed through sql_escape(), otherwise sql_error()
 *                is called. A value that is not set (or null) becomes NULL
 *                and the surrounding quotes are removed.
 *   &name        replaced verbatim by $sql_replacements['name']; an unknown
 *                name calls sql_error(). The value is not escaped, so
 *                $sql_replacements must only hold trusted server-side values.
 *   \&           a literal ampersand.
 *
 * The values can be given either as further arguments after $bSlave or as a
 * single array (numeric keys) in that position.
 *
 * NOTE(review): the placeholder lookup reads $args[1], $args[2], ... but
 * positional extra arguments keep their func_get_args() keys (3, 4, ...);
 * only the array form is re-keyed below, so confirm callers always pass the
 * array form.
 *
 * @param resource $_dblink connection handed to mysql_query()
 * @param string   $sql     statement template with placeholders
 * @param bool     $bSlave  only forwarded to sqldbg_execute() in debug mode
 * @return mixed            return value of mysql_query() / sqldbg_execute()
 */
function sql_internal($_dblink, $sql, $bSlave) {
    global $opt;
    global $sql_debug, $sql_warntime;
    global $sql_replacements;
    // declared but not used in this function body
    global $sqlcommands;
    global $dblink_slave;

    // drop the three declared parameters; what remains are the placeholder values
    $args = func_get_args();
    unset($args[0]);
    unset($args[1]);
    unset($args[2]);

    /* as an option, you can give as second parameter an array
     * with all values for the placeholder. The array has to be
     * with numeric indizes. */
    if (isset($args[3]) && is_array($args[3])) {
        $tmp_args = $args[3];
        unset($args);
        // re-key so that the first value becomes $args[1] (matches "&1")
        $args = array_merge(array(0), $tmp_args);
        unset($tmp_args);
        unset($args[0]);
    }

    // $sqlpos: offset in $sql up to which the template has been copied
    $sqlpos = 0;
    $filtered_sql = '';

    // walk $sql from start to end and replace every &x
    $nextarg = mb_strpos($sql, '&');
    while ($nextarg !== false) {
        // does this & have to be replaced, or is it escaped?
        // count the backslashes directly before it; an odd count means it is escaped.
        // NOTE(review): the "> 0" bound never examines offset 0, so a backslash at
        // the very start of $sql is not counted.
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }

        if ($escapesCount % 2 == 1) {
            $nextarg++;
        } else {
            $nextchar = mb_substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                // positional placeholder: collect the digits into $arg
                $arglength = 0;
                $arg = '';
                // find the next character that is not a digit
                while (mb_ereg_match('^[0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace: copy the template up to the '&'
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                // offset of the last digit; ($sqlpos - $arglength - 1) is the character
                // before the '&', ($sqlpos + 1) the character after the digits
                $sqlpos = $nextarg + $arglength;
                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        // inserted unquoted and unescaped; is_numeric() also accepts
                        // forms such as ' 1' or '1e3'
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                            // string context: template has '&n'
                            $filtered_sql .= sql_escape($args[$arg]);
                        } else {
                            if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '`' && mb_substr($sql, $sqlpos + 1, 1) == '`') {
                                // identifier context: template has `&n`
                                // NOTE(review): sql_escape() is not defined on this page; confirm it
                                // also neutralises backticks, since a string escaper would not.
                                $filtered_sql .= sql_escape($args[$arg]);
                            } else {
                                // non-numeric value outside quotes/backticks is refused.
                                // NOTE(review): if sql_error() returns, execution continues
                                // and the value is simply missing from the statement.
                                sql_error();
                            }
                        }
                    }
                } else {
                    // NULL
                    if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                        // remove the quotes and insert NULL: drop the opening quote
                        // already copied, then skip the closing one
                        $filtered_sql = mb_substr($filtered_sql, 0, mb_strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                // continue after the last digit (or after the skipped quote)
                $sqlpos++;
            } else {
                // named placeholder: collect [a-zA-Z0-9] into $arg
                $arglength = 0;
                $arg = '';
                // find the next character that is not a letter/digit
                while (mb_ereg_match('^[a-zA-Z0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace: copy the template up to the '&', then the raw replacement
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                if (isset($sql_replacements[$arg])) {
                    $filtered_sql .= $sql_replacements[$arg];
                } else {
                    // unknown name; see NOTE(review) above about sql_error() returning
                    sql_error();
                }
                // continue after the name
                $sqlpos = $nextarg + $arglength + 1;
            }
        }
        $nextarg = mb_strpos($sql, '&', $nextarg + 1);
    }
    // append the rest of the template
    $filtered_sql .= mb_substr($sql, $sqlpos);

    // second pass: replace every unescaped \& by &
    $nextarg = mb_strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        // an odd number of backslashes before the '\' means the backslash itself is escaped
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 0) {
            // replace \& by &
            $filtered_sql = mb_substr($filtered_sql, 0, $nextarg) . '&' . mb_substr($filtered_sql, $nextarg + 2);
            // the string shrank by one character; step back before resuming the search
            $nextarg--;
        }
        $nextarg = mb_strpos($filtered_sql, '\\&', $nextarg + 2);
    }

    //
    // ok ... filtered_sql is complete here
    //
    /* todo: - errorlogging - LIMIT - possibly block DROP/DELETE */

    if (isset($sql_debug) && $sql_debug == true) {
        // debug mode: the debugger executes the statement ($bSlave selects the server)
        require_once $opt['rootpath'] . 'lib/sqldebugger.inc.php';
        $result = sqldbg_execute($filtered_sql, $bSlave);
        if ($result === false) {
            sql_error();
        }
    } else {
        // measure the execution time
        require_once $opt['rootpath'] . 'lib/bench.inc.php';
        $cSqlExecution = new Cbench();
        $cSqlExecution->start();
        $result = mysql_query($filtered_sql, $_dblink);
        if ($result === false) {
            sql_error();
        }
        $cSqlExecution->stop();
        // slow-query warning, tagged with the user agent when one is available;
        // a threshold of 0 disables it
        if ($sql_warntime > 0 && $cSqlExecution->diff() > $sql_warntime) {
            $ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
            sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
        }
    }
    return $result;
}
/**
 * Substitutes the placeholders in $sql and runs the resulting statement on
 * $dblink (or through $sqldebugger when $db['debug'] is set).
 *
 * Placeholder syntax handled below:
 *   &1, &2, ...  positional values. A numeric value is inserted as-is; any
 *                other value must sit inside '...' (sql_escape()) or `...`
 *                (sql_escape_backtick()) in the template, otherwise
 *                sql_error() is called. A value that is not set (or null)
 *                becomes NULL and the surrounding quotes are removed.
 *   &name        an identifier from $opt['db']['placeholder']['name'], or a
 *                temporary table from $db['temptables']['name'] qualified with
 *                the tmpdb placeholder; both are backtick-escaped and wrapped
 *                in backticks unless the template already has them. An
 *                unknown name calls sql_error().
 *   \&           a literal ampersand.
 *
 * The values can be given either as further arguments after $sql or as a
 * single array (numeric keys) in that position.
 *
 * NOTE(review): the placeholder lookup reads $args[1], $args[2], ... but
 * positional extra arguments keep their func_get_args() keys (2, 3, ...);
 * only the array form is re-keyed below, so confirm callers always pass the
 * array form.
 *
 * @param resource $dblink connection handed to mysql_query()
 * @param string   $sql    statement template with placeholders
 * @return mixed           return value of mysql_query() / $sqldebugger->execute()
 */
function sql_internal($dblink, $sql) {
    global $opt, $db, $sqldebugger;

    // drop the two declared parameters; what remains are the placeholder values
    $args = func_get_args();
    unset($args[0]);
    unset($args[1]);

    /* as an option, you can give as second parameter an array
     * with all values for the placeholder. The array has to be
     * with numeric indizes. */
    if (isset($args[2]) && is_array($args[2])) {
        $tmp_args = $args[2];
        unset($args);
        // re-key so that the first value becomes $args[1] (matches "&1")
        $args = array_merge(array(0), $tmp_args);
        unset($tmp_args);
        unset($args[0]);
    }

    // $sqlpos: offset in $sql up to which the template has been copied
    $sqlpos = 0;
    $filtered_sql = '';

    // replace every &x in $sql with the placeholder or parameter
    $nextarg = strpos($sql, '&');
    while ($nextarg !== false) {
        // & escaped? count the backslashes directly before it; an odd count
        // means the '&' is escaped.
        // NOTE(review): the "> 0" bound never examines offset 0, so a backslash at
        // the very start of $sql is not counted.
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }

        if ($escapesCount % 2 == 1) {
            $nextarg++;
        } else {
            $nextchar = substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                // positional placeholder: collect the digits into $arg
                $arglength = 0;
                $arg = '';
                // find next non-digit
                while (preg_match('/^[0-9]{1}/', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace: copy the template up to the '&'
                $filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);
                // offset of the last digit; ($sqlpos - $arglength - 1) is the character
                // before the '&', ($sqlpos + 1) the character after the digits
                $sqlpos = $nextarg + $arglength;
                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        // inserted unquoted and unescaped; is_numeric() also accepts
                        // forms such as ' 1' or '1e3'
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
                            // string context: template has '&n'
                            $filtered_sql .= sql_escape($args[$arg]);
                        } elseif (substr($sql, $sqlpos - $arglength - 1, 1) == '`' && substr($sql, $sqlpos + 1, 1) == '`') {
                            // identifier context: template has `&n`
                            $filtered_sql .= sql_escape_backtick($args[$arg]);
                        } else {
                            // non-numeric value outside quotes/backticks is refused.
                            // NOTE(review): if sql_error() returns, execution continues
                            // and the value is simply missing from the statement.
                            sql_error($sql);
                        }
                    }
                } else {
                    // NULL
                    if (substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && substr($sql, $sqlpos + 1, 1) == '\'') {
                        // strip apostroph and insert NULL: drop the opening quote
                        // already copied, then skip the closing one
                        $filtered_sql = substr($filtered_sql, 0, strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                // continue after the last digit (or after the skipped quote)
                $sqlpos++;
            } else {
                // named placeholder: collect [a-zA-Z0-9_] into $arg
                $arglength = 0;
                $arg = '';
                // find next non-alphanumeric char
                // (added '_' - it is used in temptable names - following 2013/07/18)
                while (preg_match('/^[a-zA-Z0-9_]{1}/', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace: copy the template up to the '&'
                $filtered_sql .= substr($sql, $sqlpos, $nextarg - $sqlpos);
                // NOTE(review): for a '&name' at offset 0, substr($sql, -1, 1) below reads
                // the last character of $sql rather than the one before the '&'.
                if (isset($opt['db']['placeholder'][$arg])) {
                    // configured identifier; add backticks unless the template has them
                    if (substr($sql, $nextarg - 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                    $filtered_sql .= sql_escape_backtick($opt['db']['placeholder'][$arg]);
                    if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                } elseif (isset($db['temptables'][$arg])) {
                    // temporary table, qualified as `tmpdb`.`table`
                    if (substr($sql, $nextarg - 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                    $filtered_sql .= sql_escape_backtick($opt['db']['placeholder']['tmpdb']) . '`.`' . sql_escape_backtick($db['temptables'][$arg]);
                    if (substr($sql, $nextarg + $arglength + 1, 1) != '`') {
                        $filtered_sql .= '`';
                    }
                } else {
                    // unknown name; see NOTE(review) above about sql_error() returning
                    sql_error($sql);
                }
                // continue after the name
                $sqlpos = $nextarg + $arglength + 1;
            }
        }
        $nextarg = strpos($sql, '&', $nextarg + 1);
    }
    // append the rest
    $filtered_sql .= substr($sql, $sqlpos);

    // strip escapes of &: second pass, replace every unescaped \& by &
    $nextarg = strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        // an odd number of backslashes before the '\' means the backslash itself is escaped
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 0) {
            // strip escapes of &
            $filtered_sql = substr($filtered_sql, 0, $nextarg) . '&' . substr($filtered_sql, $nextarg + 2);
            // the string shrank by one character; step back before resuming the search
            $nextarg--;
        }
        $nextarg = strpos($filtered_sql, '\\&', $nextarg + 2);
    }

    //
    // ok ... filtered_sql is ready for usage
    //
    /* todo: - errorlogging - LIMIT - block DROP/DELETE */

    if (isset($db['debug']) && $db['debug'] == true) {
        // debug mode: the debugger executes the statement and is told whether
        // $dblink is the slave connection
        require_once $opt['rootpath'] . 'lib2/sqldebugger.class.php';
        $result = $sqldebugger->execute($filtered_sql, $dblink, $dblink === $db['dblink_slave'], $db['slave_server']);
        if ($result === false) {
            sql_error($filtered_sql);
        }
    } else {
        // measure time (only when a warning threshold is configured)
        if ($opt['db']['warn']['time'] > 0) {
            require_once $opt['rootpath'] . 'lib2/bench.inc.php';
            $cSqlExecution = new Cbench();
            $cSqlExecution->start();
        }
        // NOTE(review): the '@' hides the driver warning; failures still reach
        // sql_error() through the === false check, but the warning text is lost.
        $result = @mysql_query($filtered_sql, $dblink);
        if ($result === false) {
            sql_error($filtered_sql);
        }
        if ($opt['db']['warn']['time'] > 0) {
            $cSqlExecution->stop();
            // slow-query warning, tagged with the user agent when one is available
            if ($cSqlExecution->diff() > $opt['db']['warn']['time']) {
                $ua = isset($_SERVER['HTTP_USER_AGENT']) ? "\r\n" . $_SERVER['HTTP_USER_AGENT'] : "";
                sql_warn("execution took " . $cSqlExecution->diff() . " seconds" . $ua);
            }
        }
    }
    return $result;
}
/**
 * Substitutes the placeholders in $sql and runs the resulting statement on
 * the global $dblink (or through the SQL debugger when $sql_debug is set).
 *
 * Placeholder syntax handled below:
 *   &1, &2, ...  the 1st, 2nd, ... extra argument. A numeric value is
 *                inserted as-is; any other value must sit inside '...' or
 *                `...` in the template and is passed through sql_escape(),
 *                otherwise sql_error() is called. A value that is not set
 *                (or null) becomes NULL and the surrounding quotes are removed.
 *   &name        replaced verbatim by $sql_replacements['name']; an unknown
 *                name calls sql_error(). The value is not escaped, so
 *                $sql_replacements must only hold trusted server-side values.
 *   \&           a literal ampersand.
 *
 * @param string $sql statement template with placeholders; the values follow
 *                    as further arguments
 * @return mixed      return value of mysql_query() / sqldbg_execute()
 */
function sql($sql) {
    global $rootpath;
    global $sql_debug, $sql_warntime;
    global $sql_replacements;
    // $sqlcommands is declared but not used in this function body
    global $dblink, $sqlcommands;

    // drop $sql itself; the remaining keys 1..n line up with &1..&n
    $args = func_get_args();
    unset($args[0]);

    // $sqlpos: offset in $sql up to which the template has been copied
    $sqlpos = 0;
    $filtered_sql = '';

    // walk $sql from start to end and replace every &x
    $nextarg = mb_strpos($sql, '&');
    while ($nextarg !== false) {
        // does this & have to be replaced, or is it escaped?
        // count the backslashes directly before it; an odd count means it is escaped.
        // NOTE(review): the "> 0" bound never examines offset 0, so a backslash at
        // the very start of $sql is not counted.
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }

        if ($escapesCount % 2 == 1) {
            $nextarg++;
        } else {
            $nextchar = mb_substr($sql, $nextarg + 1, 1);
            if (is_numeric($nextchar)) {
                // positional placeholder: collect the digits into $arg
                $arglength = 0;
                $arg = '';
                // find the next character that is not a digit
                while (mb_ereg_match('^[0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace: copy the template up to the '&'
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                // offset of the last digit; ($sqlpos - $arglength - 1) is the character
                // before the '&', ($sqlpos + 1) the character after the digits
                $sqlpos = $nextarg + $arglength;
                if (isset($args[$arg])) {
                    if (is_numeric($args[$arg])) {
                        // inserted unquoted and unescaped; is_numeric() also accepts
                        // forms such as ' 1' or '1e3'
                        $filtered_sql .= $args[$arg];
                    } else {
                        if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                            // string context: template has '&n'
                            $filtered_sql .= sql_escape($args[$arg]);
                        } else {
                            if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '`' && mb_substr($sql, $sqlpos + 1, 1) == '`') {
                                // identifier context: template has `&n`
                                // NOTE(review): sql_escape() is not defined on this page; confirm it
                                // also neutralises backticks, since a string escaper would not.
                                $filtered_sql .= sql_escape($args[$arg]);
                            } else {
                                // non-numeric value outside quotes/backticks is refused.
                                // NOTE(review): if sql_error() returns, execution continues
                                // and the value is simply missing from the statement.
                                sql_error();
                            }
                        }
                    }
                } else {
                    // NULL
                    if (mb_substr($sql, $sqlpos - $arglength - 1, 1) == '\'' && mb_substr($sql, $sqlpos + 1, 1) == '\'') {
                        // remove the quotes and insert NULL: drop the opening quote
                        // already copied, then skip the closing one
                        $filtered_sql = mb_substr($filtered_sql, 0, mb_strlen($filtered_sql) - 1);
                        $filtered_sql .= 'NULL';
                        $sqlpos++;
                    } else {
                        $filtered_sql .= 'NULL';
                    }
                }
                // continue after the last digit (or after the skipped quote)
                $sqlpos++;
            } else {
                // named placeholder: collect [a-zA-Z0-9] into $arg
                $arglength = 0;
                $arg = '';
                // find the next character that is not a letter/digit
                while (mb_ereg_match('^[a-zA-Z0-9]{1}', $nextchar) == 1) {
                    $arg .= $nextchar;
                    $arglength++;
                    $nextchar = mb_substr($sql, $nextarg + $arglength + 1, 1);
                }
                // ok ... replace: copy the template up to the '&', then the raw replacement
                $filtered_sql .= mb_substr($sql, $sqlpos, $nextarg - $sqlpos);
                if (isset($sql_replacements[$arg])) {
                    $filtered_sql .= $sql_replacements[$arg];
                } else {
                    // unknown name; see NOTE(review) above about sql_error() returning
                    sql_error();
                }
                // continue after the name
                $sqlpos = $nextarg + $arglength + 1;
            }
        }
        $nextarg = mb_strpos($sql, '&', $nextarg + 1);
    }
    // append the rest of the template
    $filtered_sql .= mb_substr($sql, $sqlpos);

    // second pass: replace every unescaped \& by &
    $nextarg = mb_strpos($filtered_sql, '\\&');
    while ($nextarg !== false) {
        // an odd number of backslashes before the '\' means the backslash itself is escaped
        $escapesCount = 0;
        while ($nextarg - $escapesCount - 1 > 0 && mb_substr($filtered_sql, $nextarg - $escapesCount - 1, 1) == '\\') {
            $escapesCount++;
        }
        if ($escapesCount % 2 == 0) {
            // replace \& by &
            $filtered_sql = mb_substr($filtered_sql, 0, $nextarg) . '&' . mb_substr($filtered_sql, $nextarg + 2);
            // the string shrank by one character; step back before resuming the search
            $nextarg--;
        }
        $nextarg = mb_strpos($filtered_sql, '\\&', $nextarg + 2);
    }

    //
    // ok ... filtered_sql is complete here
    //
    /* todo: - errorlogging - LIMIT - possibly block DROP/DELETE */

    if (isset($sql_debug) && $sql_debug == true) {
        // debug mode: the debugger executes the statement
        require_once $rootpath . 'lib/sqldebugger.inc.php';
        $result = sqldbg_execute($filtered_sql);
        if ($result === false) {
            sql_error();
        }
    } else {
        // measure the execution time
        require_once $rootpath . 'lib/bench.inc.php';
        $cSqlExecution = new Cbench();
        $cSqlExecution->start();
        $result = mysql_query($filtered_sql, $dblink);
        if ($result === false) {
            sql_error();
        }
        $cSqlExecution->stop();
        // slow-query warning; there is no "> 0" guard here, so with an unset or
        // zero $sql_warntime every query with a positive diff() is reported
        if ($cSqlExecution->diff() > $sql_warntime) {
            sql_warn('execution took ' . $cSqlExecution->diff() . ' seconds');
        }
    }
    return $result;
}