Exemplo n.º 1
 function escapeString($string)
 {
     // Quote $string as a PostgreSQL literal using whichever API the running PHP offers.
     // pg_escape_literal() (PHP >= 5.4) returns the value already wrapped in quotes; the
     // older pg_escape_string() variants only escape, so the quotes are added here.
     self::connect();
     $runningPhp = PHP_VERSION;
     if (version_compare($runningPhp, "5.4", ">=")) {
         return pg_escape_literal($this->connection, $string);
     }
     if (version_compare($runningPhp, "5.2", ">=")) {
         return "'" . pg_escape_string($this->connection, $string) . "'";
     }
     // PHP < 5.2: pg_escape_string() has no connection parameter yet.
     return "'" . pg_escape_string($string) . "'";
 }
Exemplo n.º 2
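function addItemToDB($name, $description, $price, $picture = "", $seller = "", $status = 'For sale')
{
    // Insert a new row into "items" and return the runQuery() result of the INSERT
    // (the original code assumed the shape $result[0]['id'], holding the new id).
    // Text columns are quoted with pg_escape_literal() and the price is coerced to a
    // float, so nothing the caller passes reaches the SQL text unescaped.
    $name = pg_escape_literal($name);
    $description = pg_escape_literal($description);
    $picture = pg_escape_literal($picture);
    $seller = pg_escape_literal($seller);
    $status = pg_escape_literal($status);
    $price = floatval($price);
    $query = 'INSERT INTO "items" (name,description,picture,seller,status,price) VALUES (' . "{$name},{$description},{$picture},{$seller},{$status},{$price}) RETURNING id;";
    $id = runQuery($query);
    // Only build the postlink when the INSERT actually returned an id. The original
    // issued an UPDATE with an empty id (notice + malformed SQL) when it did not.
    if (isset($id[0]['id'])) {
        // The id comes back from the database (assumed to be a serial integer — confirm);
        // casting keeps the UPDATE free of any non-numeric text should runQuery() ever
        // return something unexpected.
        $itemId = (int) $id[0]['id'];
        runQuery('UPDATE "items" SET postlink = \'/item.php?id=' . $itemId . '\' WHERE id = ' . $itemId);
    }
    return $id;
}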
Exemplo n.º 3
 public function esc($data, $mode = self::STRING)
 {
     // Escape $data for use in SQL text on this connection.
     //   "literal" -> pg_escape_literal() (result comes back already quoted)
     //   "bytea"   -> pg_escape_bytea()   (for bytea columns)
     //   anything else, including the default self::STRING -> pg_escape_string()
     // The comparison is deliberately loose (==), exactly as the original switch was.
     if ($mode == "literal") {
         $escaped = pg_escape_literal($this->connection, $data);
     } elseif ($mode == "bytea") {
         $escaped = pg_escape_bytea($this->connection, $data);
     } else {
         $escaped = pg_escape_string($this->connection, $data);
     }
     return $escaped;
 }
Exemplo n.º 4
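 private function setPassword($password)
 {
     # Stores a password hash for the album in $this->albumIDs, or clears it when
     # $password is empty.
     # Returns (boolean) true on success, false when the UPDATE failed.
     # Check dependencies
     self::dependencies(isset($this->albumIDs));
     # NOTE(review): $db is not defined in this method; it is assumed to be the
     # script-level connection — confirm (the original passed an undefined variable).
     global $db;
     $albumId = intval($this->albumIDs);
     if (strlen($password) > 0) {
         # Get hashed password
         $password = getHashedString($password);
         # The hash is not user input, but quoting it through pg_escape_literal() is
         # lossless for hash strings and keeps the statement well-formed whatever
         # characters the hash contains. (The original literal here was redacted in
         # this listing and did not parse.)
         $sql = "UPDATE albums SET password = " . pg_escape_literal($db, $password) . " WHERE id = " . $albumId;
     } else {
         $sql = "UPDATE albums SET password = NULL WHERE id = " . $albumId;
     }
     $res = pg_query($db, $sql);
     # A failed UPDATE leaves the album unprotected; report it instead of returning true.
     return $res !== false;
 }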
Exemplo n.º 5
function escape_literal($value)
{
    // Render $value as a SQL literal: null and the two booleans map to their SQL
    // keywords, everything else goes through pg_escape_literal() (which adds quotes).
    // Identity checks are used so that 0, '' or '0' are never mistaken for FALSE/NULL.
    if (null === $value) {
        return "NULL";
    }
    if (is_bool($value)) {
        return $value ? "TRUE" : "FALSE";
    }
    return pg_escape_literal($value);
}
Exemplo n.º 6
                $regmsg = "An error occurred with the database.\n";
            } else {
                $insrow = pg_fetch_row($insert);
                $_SESSION["managerID"] = $insrow[0];
                smartRedirect("tasks.php");
            }
        }
    } else {
        $regmsg = "One or more of your inputs were incorrect!";
    }
}
if (isset($_POST["signin"])) {
    $emailsign = $_POST["emailsign"];
    $passsign = $_POST["passsign"];
    if (filter_var($emailsign, FILTER_VALIDATE_EMAIL) !== false && preg_match("[a-zA-Z0-9@#\$%^&*_-!?<>]", $passsign) !== false) {
        $filtemailsign = pg_escape_literal($emailsign);
        $select = pg_query($db, "SELECT id,email,password FROM managers where email={$filtemailsign}");
        if (!$select) {
            $signmsg = "An error occurred with the database.";
        }
        if ($row = pg_fetch_row($select)) {
            if (password_verify($passsign, $row[2]) !== false) {
                $_SESSION["managerID"] = $row[0];
                smartRedirect("tasks.php");
            } else {
                $signmsg = "Wrong password of manager!";
            }
        } else {
            $signmsg = "No manager with such name exists!";
        }
    } else {
Exemplo n.º 7
    if ($data === pg_unescape_bytea($row['bin'])) {
        echo "pg_escape_bytea() actually works with database\n";
        break;
    } elseif (!$i) {
        // Force bytea escaping and retry
        @pg_query($db, "SET bytea_output = 'escape'");
    } else {
        $result = pg_query($db, $sql);
        echo "pg_escape_bytea() is broken\n";
        break;
    }
}
// pg_escape_literal/pg_escape_identifier
// Round-trip check: a value holding backslashes and a quote must come back as an
// E'' literal with every backslash and quote doubled.
$before = "ABC\\ABC\\'";
$expect = " E'ABC\\\\ABC\\\\'''";
$after = pg_escape_literal($before);
$literalOk = ($expect === $after);
echo $literalOk ? "pg_escape_literal() is Ok\n" : "pg_escape_literal() is NOT Ok\n";
if (!$literalOk) {
    // Dump input, actual and expected output so a mismatch can be diagnosed.
    foreach (array($before, $after, $expect) as $dumped) {
        var_dump($dumped);
    }
}
$before = "ABC\\ABC\\'";
$expect = "\"ABC\\ABC\\'\"";
$after = pg_escape_identifier($before);
if ($expect === $after) {
    echo "pg_escape_identifier() is Ok\n";
} else {
    echo "pg_escape_identifier() is NOT Ok\n";
Exemplo n.º 8
 /**
  * "Smart" Escape String
  *
  * Escapes data based on type: strings (and objects exposing __toString) are
  * quoted with pg_escape_literal() when the PHP version supports it, booleans
  * become the SQL keywords TRUE/FALSE, everything else is left to the parent driver.
  *
  * @param    string $str
  * @return    mixed
  */
 public function escape($str)
 {
     $stringLike = is_string($str) || (is_object($str) && method_exists($str, '__toString'));
     if (is_php('5.4.4') && $stringLike) {
         return pg_escape_literal($this->conn_id, $str);
     }
     if (is_bool($str)) {
         return $str ? 'TRUE' : 'FALSE';
     }
     return parent::escape($str);
 }
Exemplo n.º 9
 /**
  * Quote $literal as a PostgreSQL string literal on this object's handler.
  *
  * @param string $literal
  *
  * @return string the value wrapped in single quotes, ready to splice into SQL
  */
 public function escapeLiteral($literal)
 {
     $quoted = pg_escape_literal($this->handler, $literal);
     return $quoted;
 }
Exemplo n.º 10
 /**
  * Escape strings array
  * @param array $array
  * @return string
  */
 /**
  * Escape strings array
  * Every element is cast to string, quoted with pg_escape_literal() and the results
  * are joined into a parenthesised, comma-separated list suitable for IN (...).
  * @param array $array
  * @return string
  */
 public function instr(array $array)
 {
     $quoted = array();
     foreach ($array as $value) {
         $quoted[] = pg_escape_literal((string) $value);
     }
     return '(' . implode(',', $quoted) . ')';
 }
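 public function insert($tablename, array $record)
 {
     // Insert one row into $tablename from a column => value map and return the query
     // result. Identifiers go through pg_escape_identifier(), values through
     // pg_escape_literal(); null becomes NULL and booleans true/false.
     // Throws DatabaseException for array values and when not exactly one row was inserted.
     assert(is_string($tablename));
     assert(strlen($tablename) > 0);
     $table = pg_escape_identifier($tablename);
     // Early exit when creating a row with all default values
     if (count($record) === 0) {
         return $this->query('INSERT INTO ' . $table . ' DEFAULT VALUES');
     }
     $columns = array();
     $values = array();
     foreach ($record as $key => $field) {
         $columns[] = pg_escape_identifier($key);
         if (is_null($field)) {
             $values[] = 'NULL';
         } elseif (is_bool($field)) {
             // Booleans need the SQL keywords, not a quoted "1"/"" string
             $values[] = $field ? 'true' : 'false';
         } elseif (is_array($field)) {
             throw new DatabaseException('Insert can not handle array types');
         } else {
             // Numbers are quoted as well; the literal is resolved against the column type
             $values[] = pg_escape_literal($field);
         }
     }
     $sql = 'INSERT INTO ' . $table . ' (' . implode(',', $columns) . ') VALUES (' . implode(',', $values) . ')';
     $result = $this->query($sql);
     if ($result->affected_rows() != 1) {
         throw new DatabaseException('Expected a single row inserted');
     }
     return $result;
 }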
Exemplo n.º 12
 function escape($string)
 {
     // Quote and escape $string for PostgreSQL on the default connection.
     $literal = pg_escape_literal($string);
     return $literal;
 }
Exemplo n.º 13
     } else {
         $editmsg = "One or more of your inputs were incorrect!";
     }
 }
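 // Code to add a task
 // Handles the "add task" form: validates the posted fields, refuses duplicate titles,
 // inserts the task and links it to the chosen member. Sets $addmsg for the template
 // and $addcheck = 1 on success.
 if (isset($_POST["addLink"])) {
     $addcheck = 0;
     $addtitle = isset($_POST["addtitle"]) ? $_POST["addtitle"] : "";
     $addmember = isset($_POST["addmem"]) ? $_POST["addmem"] : "";
     $addstart = isset($_POST["addstart"]) ? $_POST["addstart"] : "";
     $addend = isset($_POST["addend"]) ? $_POST["addend"] : "";
     // The original pattern had no delimiters and was compared against false, so every
     // title passed. Anchored class of letters, hyphens and spaces, as evidently intended
     // (widen it here if titles legitimately need digits).
     $titleOk = preg_match('/^[a-zA-Z\- ]+$/', $addtitle) === 1;
     if ($titleOk && $addend > $addstart) {
         $filttitle = pg_escape_literal($addtitle);
         $filtstart = pg_escape_literal($addstart);
         $filtend = pg_escape_literal($addend);
         $filtmem = pg_escape_literal($addmember);
         $select = pg_query($db, "SELECT title FROM tasks where title={$filttitle}");
         if ($select === false) {
             $addmsg = "An error occurred with the database.";
         } elseif (pg_fetch_row($select)) {
             $addmsg = "Task with that title already exists";
         } else {
             $insert = pg_query($db, "INSERT into tasks (title,startdate,enddate,status) \n\t\t\t\tVALUES ({$filttitle},{$filtstart},{$filtend}, 1) RETURNING id");
             $insrow = $insert !== false ? pg_fetch_row($insert) : false;
             if ($insrow === false) {
                 $addmsg = "An error occurred with the database.";
             } else {
                 // The id comes from RETURNING id, never from the request; cast it anyway.
                 $taskId = (int) $insrow[0];
                 $link = pg_query($db, "INSERT into taskmembers (task_id,member_id) \n\t\t\t\tVALUES ('{$taskId}',{$filtmem})");
                 if ($link === false) {
                     $addmsg = "Task was created but the member could not be linked.";
                 } else {
                     $addcheck = 1;
                     $addmsg = "Task added successfully";
                 }
             }
         }
     } else {
         $addmsg = "One or more of your inputs were incorrect!";
     }
 }
 echo '<div class="mid">';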
Exemplo n.º 14
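<?php

include 'assets/class.php';
// Read the id of the news item to delete. It is quoted with pg_escape_literal() so it
// is safe to embed in SQL once the DELETE below is enabled; a missing parameter is
// treated as an empty id instead of raising an undefined-index notice.
$news_id = pg_escape_literal(isset($_GET['news_id']) ? $_GET['news_id'] : '');
// Not yet implemented in Cobol back-end
// pg_query("DELETE FROM tbl_news WHERE news_id = $news_id LIMIT 1");
$Success->set("Emma, Jessica, Peter och Bertil");
header('location: index.php');
// Stop here so nothing after the redirect header is executed or sent.
exit;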
Exemplo n.º 15
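 protected function prepareQuery($query, $params)
 {
     // Replace each "?" placeholder in the non-literal parts of $query with the next
     // element of $params, rendered according to its PHP type and the driver in
     // $this->mode. Returns $query untouched when $params is not an array.
     // Booleans become 0/1, ints and floats are used as-is, null becomes NULL, and
     // everything else is escaped for the driver and — except for PostgreSQL/Redshift,
     // where pg_escape_literal() already quotes — wrapped in single quotes.
     if (!is_array($params)) {
         return $query;
     }
     reset($params);
     $this->modifyQuery($query, function ($part) use(&$params) {
         $newPart = "";
         // "!== false" matters: a placeholder at position 0 made the original
         // "while ($pos = strpos(...))" stop at once and left that "?" unsubstituted.
         while (($pos = strpos($part, "?")) !== false) {
             $newPart .= substr($part, 0, $pos);
             $part = substr($part, $pos + 1);
             $value = current($params);
             next($params);
             switch (gettype($value)) {
                 case "boolean":
                     $value = (int) $value;
                     break;
                 case "integer":
                 case "double":
                     break;
                 case "NULL":
                     $value = "NULL";
                     break;
                 default:
                     switch ($this->mode) {
                         case "mysql":
                             $value = $this->server->real_escape_string($value);
                             break;
                         case "postgres":
                         case "redshift":
                             $value = pg_escape_literal($this->server, $value);
                             break;
                         case "sqlite":
                             $value = $this->server->escapeString($value);
                             break;
                         case "mssql":
                         case "odbc":
                             $value = str_replace("'", "''", $value);
                             break;
                         default:
                             // Fail closed: an unknown driver would otherwise splice the
                             // raw value into the statement with nothing but quotes around it.
                             throw new \InvalidArgumentException("Unknown database mode: " . $this->mode);
                     }
                     # Postgres does its own quoting
                     if (!in_array($this->mode, ["postgres", "redshift"], true)) {
                         $value = "'" . $value . "'";
                     }
                     break;
             }
             $newPart .= $value;
         }
         return $newPart . $part;
     });
     return $query;
 }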
Exemplo n.º 16
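 public function delete()
 {
     # Deletes the photos listed in $this->photoIDs: their files (unless exists()
     # reports they are still in use) and their database rows.
     # Returns the following:
     # (boolean) true = Success
     # (boolean) false = Failure (query failed or a file could not be removed)
     # Check dependencies
     self::dependencies(isset($this->photoIDs));
     # NOTE(review): $db is not defined in this method; it is assumed to be the
     # script-level connection — confirm (the original passed an undefined variable).
     global $db;
     # Get photos
     # NOTE(review): $this->photoIDs is spliced into IN (...) unquoted, so it must already
     # be a validated comma-separated list of integer ids when this method runs — verify.
     $sql = "SELECT id, url, thumbUrl, checksum FROM photos WHERE id IN (" . $this->photoIDs . ")";
     $res = pg_query($db, $sql);
     if ($res === false) {
         return false;
     }
     while ($photo = pg_fetch_array($res)) {
         # exists() presumably reports another photo sharing this checksum; only then
         # are the files kept — confirm against exists().
         if ($this->exists($photo['checksum'], $photo['id']) === false) {
             # Get retina thumb url ("name.ext" -> "name@2x.ext")
             $thumbParts = explode(".", $photo['thumbUrl']);
             $thumbExt = isset($thumbParts[1]) ? $thumbParts[1] : '';
             $thumbUrl2x = $thumbParts[0] . '@2x.' . $thumbExt;
             $files = array(
                 LYCHEE_UPLOADS_BIG . $photo['url'],        # big
                 LYCHEE_UPLOADS_MEDIUM . $photo['url'],     # medium
                 LYCHEE_UPLOADS_THUMB . $photo['thumbUrl'], # thumb
                 LYCHEE_UPLOADS_THUMB . $thumbUrl2x,        # thumb@2x
             );
             foreach ($files as $path) {
                 # A file that is already gone is fine; one that exists but will not unlink is not
                 if (file_exists($path) && !unlink($path)) {
                     pg_free_result($res);
                     return false;
                 }
             }
         }
         # Delete db entry
         # $photo is an array (pg_fetch_array), so the id is $photo['id']; $photo->id was a bug
         $sql = "DELETE FROM photos WHERE id = " . pg_escape_literal($db, $photo['id']);
         pg_query($db, $sql);
     }
     pg_free_result($res);
     return true;
 }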
Exemplo n.º 17
            curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
            //execute post
            $result = curl_exec($ch);
            if ($result === false) {
                $Error->set("Kan ej kontakta servern: {$url}");
            }
            // We dont really know status (TODO implement)
            $Success->set("Betyget har nu ändrats.");
            //close connection
            curl_close($ch);
            // move back to main course page to re-read change
            header('location: course.php');
        }
    }
} elseif ($function == "addNews") {
    $news_title = pg_escape_literal($_POST['news_title']);
    $news_content = pg_escape_literal($_POST['news_content']);
    $news_author = pg_escape_literal($_SESSION['user_id']);
    if (empty($news_author) or empty($news_content) or empty($news_title)) {
        $Error->set("Fyll i alla fält.");
        header('location: index.create.php');
    } else {
        // Not yet converted to Cobol back-end
        $date = date('Y-m-d');
        // pg_query("INSERT INTO tbl_news (news_title, news_content, news_author, news_date) VALUES ('".$news_title."', '".$news_content."', '".$news_author."', '".$date."')") or die(pg_last_error());
        // $Success->set("Nyheten har skapats.");
        header('location: index.php');
    }
} else {
    header('location: /index.php');
}
 public function quoteString($value)
 {
     // Return $value as a quoted SQL literal. Prefer pg_escape_literal(), which quotes
     // and escapes in one step; fall back to escapeString() plus manual quotes on PHP
     // builds that do not provide it.
     $hasLiteral = function_exists('pg_escape_literal');
     return $hasLiteral
         ? pg_escape_literal($this->dbConn, $value)
         : "'" . $this->escapeString($value) . "'";
 }
Exemplo n.º 19
<?php

include "assets/_header.php";
?>
<a href="users.php"><span class="label label-default">Tillbaka</span></a>
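<?php 
// Look up the user whose id was passed in the query string. The id is quoted with
// pg_escape_literal() before it is spliced into the statement; the array key must be
// a quoted string ($_GET[user_id] is an undefined constant and an error on PHP 8).
$user_id = pg_escape_literal(isset($_GET['user_id']) ? $_GET['user_id'] : '');
$user_result = pg_query("SELECT * FROM tbl_user WHERE user_id=" . $user_id . " LIMIT 1");
// false when the query failed or no row matched; the template below has to cope with that
$user_row = $user_result !== false ? pg_fetch_assoc($user_result) : false;
?>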
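<h1><?php 
// HTML body context: stored values must be escaped before they are echoed into the page.
echo htmlspecialchars($user_row['user_firstname'] . " " . $user_row['user_lastname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
</h1>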
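<form method="POST" action="./process.php?function=editUser&user_id=<?php 
// URL context: encode the id so it cannot break out of the query string or the attribute.
echo rawurlencode((string) $user_row['user_id']);
?>
">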
  <?php 
// Flash messages left by the previous request, error first.
foreach (array($Error, $Success) as $notice) {
    $notice->show();
}
?>
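  <input type="text" name="firstname" class="form-control" placeholder="Förnamn" value="<?php 
// Attribute context: escape quotes so a stored value cannot close the attribute early.
echo htmlspecialchars((string) $user_row['user_firstname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
">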
  <br>
  <input type="text" name="lastname" class="form-control" placeholder="Efternamn" value="<?php 
Exemplo n.º 20
 public function convertStringToSql($value)
 {
     // Quote $value as a string literal for this connection (pg_escape_literal adds the quotes).
     $sqlLiteral = pg_escape_literal($this->connection, $value);
     return $sqlLiteral;
 }
function db_set_application_name($name)
{
    // Set the connection's application_name. MySQL has no implementation here and
    // returns 0; PostgreSQL returns the pg_query() result; any other DB_TYPE falls
    // through and returns null, as before. switch compares loosely, like the original ==.
    switch (DB_TYPE) {
        case 'mysql':
            # not implemented
            return 0;
        case 'postgres':
            # pg_query_params() does not work with SET (per the original note), so the
            # value is quoted with pg_escape_literal() instead of being bound.
            $stmt = "SET application_name = " . pg_escape_literal($name);
            return pg_query($stmt);
    }
}
Exemplo n.º 22
         }
     } else {
         $editmsg = "One or more of your inputs were incorrect!";
     }
 }
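 // Handles the "add member" form: validates the posted fields, refuses duplicate
 // e-mail addresses, stores the member with a password hash and sets $addmsg for the
 // template ($addcheck = 1 on success).
 if (isset($_POST["addLink"])) {
     $addcheck = 0;
     $addemail = isset($_POST["addemail"]) ? $_POST["addemail"] : "";
     $addfname = isset($_POST["addfname"]) ? $_POST["addfname"] : "";
     $addsname = isset($_POST["addsname"]) ? $_POST["addsname"] : "";
     $addpass = isset($_POST["addpass"]) ? $_POST["addpass"] : "";
     // The original preg_match() calls had no delimiters and were compared against
     // false, so they accepted everything. Anchored classes matching the evident intent:
     // names are letters, hyphens and spaces; the password draws from the listed set.
     $emailOk = filter_var($addemail, FILTER_VALIDATE_EMAIL) !== false;
     $nameOk = preg_match('/^[a-zA-Z\- ]+$/', $addfname) === 1 && preg_match('/^[a-zA-Z\- ]+$/', $addsname) === 1;
     $passOk = preg_match('/^[a-zA-Z0-9@#$%^&*_\-!?<>]+$/', $addpass) === 1;
     if ($emailOk && $nameOk && $passOk) {
         $filtemail = pg_escape_literal($addemail);
         $filtfirstname = pg_escape_literal($addfname);
         $filtsurname = pg_escape_literal($addsname);
         // Never store the password itself; keep a password_hash() digest.
         // NOTE(review): any member sign-in must then compare with password_verify() — confirm.
         $filtpass = pg_escape_literal(password_hash($addpass, PASSWORD_DEFAULT));
         $select = pg_query($db, "SELECT email FROM members where email={$filtemail}");
         if ($select === false) {
             $addmsg = "An error occurred with the database.";
         } elseif (pg_fetch_row($select)) {
             $addmsg = "Member with that email already exists";
         } else {
             $insert = pg_query($db, "INSERT into members (email,firstname,surname,password) \n\t\t\t\tVALUES ({$filtemail},{$filtfirstname},{$filtsurname},{$filtpass}) RETURNING id");
             if ($insert === false) {
                 $addmsg = "An error occurred with the database.";
             } else {
                 $addcheck = 1;
                 $addmsg = "Member added successfully";
             }
         }
     } else {
         $addmsg = "One or more of your inputs were incorrect!";
     }
 }
 echo '<div class="mid">';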
 if (isset($_GET["search"])) {
     $search = $_GET["search"];
Exemplo n.º 23
 /**
  * Delete rows from $table where $column equals $id.
  * The table name is quoted with pg_escape_identifier(), the column with the
  * instance's escape_identifier() and the value with pg_escape_literal().
  * @param $table
  * @param $column
  * @param int $id
  * @return void
  */
 public function delete($table, $column, $id)
 {
     $sql = sprintf(
         "DELETE FROM %s WHERE %s = %s;",
         pg_escape_identifier($table),
         $this->escape_identifier($column),
         pg_escape_literal($id)
     );
     $this->query($sql);
 }
Exemplo n.º 24
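 public function convertToSql($value, $type)
 {
     // Render $value as SQL text according to $type (one of the self::TYPE_* constants):
     //   TYPE_STRING          -> quoted literal via pg_escape_literal()
     //   TYPE_BOOL            -> TRUE / FALSE
     //   TYPE_IDENTIFIER      -> dot-separated parts, each via pg_escape_identifier() ('*' kept)
     //   TYPE_DATETIME        -> 'Y-m-d H:i:s' in the connection timezone
     //   TYPE_DATETIME_SIMPLE -> 'Y-m-d H:i:s' in the simple-storage timezone
     //   TYPE_DATE_INTERVAL   -> P..T.. duration string (unquoted)
     //   TYPE_BLOB            -> quoted pg_escape_bytea() output
     // Throws InvalidArgumentException for any other $type.
     switch ($type) {
         case self::TYPE_STRING:
             return pg_escape_literal($this->connection, $value);
         case self::TYPE_BOOL:
             return $value ? 'TRUE' : 'FALSE';
         case self::TYPE_IDENTIFIER:
             $parts = explode('.', $value);
             foreach ($parts as &$part) {
                 if ($part !== '*') {
                     $part = pg_escape_identifier($this->connection, $part);
                 }
             }
             // Drop the reference foreach-by-reference leaves behind; otherwise a later
             // assignment to $part would silently overwrite the last element.
             unset($part);
             return implode('.', $parts);
         case self::TYPE_DATETIME:
             // Convert on a clone so the caller's object keeps its own timezone
             if ($value->getTimezone()->getName() !== $this->connectionTz->getName()) {
                 $value = clone $value;
                 $value->setTimezone($this->connectionTz);
             }
             return "'" . $value->format('Y-m-d H:i:s') . "'";
         case self::TYPE_DATETIME_SIMPLE:
             if ($value->getTimezone()->getName() !== $this->simpleStorageTz->getName()) {
                 $value = clone $value;
                 $value->setTimezone($this->simpleStorageTz);
             }
             return "'" . $value->format('Y-m-d H:i:s') . "'";
         case self::TYPE_DATE_INTERVAL:
             return $value->format('P%yY%mM%dDT%hH%iM%sS');
         case self::TYPE_BLOB:
             return "'" . pg_escape_bytea($this->connection, $value) . "'";
         default:
             throw new InvalidArgumentException();
     }
 }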
Exemplo n.º 25
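 function email($email)
 {
     // Count the users rows whose email equals $email. Returns the count as an int,
     // or the string "0" when there is none (kept for existing callers).
     // pg_escape_literal() returns the value already wrapped in quotes, so it must not
     // be wrapped in '...' again — the original did, producing a malformed statement.
     $literal = pg_escape_literal($email);
     $result = pg_query("SELECT email FROM users WHERE email = " . $literal);
     if ($result === false) {
         // A failed lookup must not read as "address is free"; surface it instead.
         throw new \RuntimeException('users lookup failed: ' . pg_last_error());
     }
     $num_rows = pg_num_rows($result);
     return $num_rows < 1 ? "0" : $num_rows;
 }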
Exemplo n.º 26
 /**
  * escapeLiteral
  *
  * Escape a text value.
  * Delegates to pg_escape_literal() on the current handler, which returns the value
  * already wrapped in single quotes.
  *
  * @access public
  * @param  string $string The string to be escaped
  * @return string the escaped string.
  */
 public function escapeLiteral($string)
 {
     $handler = $this->getHandler();
     return \pg_escape_literal($handler, $string);
 }
Exemplo n.º 27
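 public function setSortingAlbums($type, $order)
 {
     # Persists the album sort order in the settings table as a ready-made
     # "ORDER BY <column> <direction>" clause.
     # Returns (boolean) true on success, false when the UPDATE failed.
     # Check dependencies
     self::dependencies(isset($type, $order));
     # NOTE(review): $db is not defined in this method; it is assumed to be the
     # script-level connection — confirm (the original passed an undefined variable).
     global $db;
     # Both parts are taken from fixed whitelists (strict comparison), so the clause
     # never contains caller-supplied text; anything else aborts exactly as before.
     $columns = array('id', 'title', 'description', 'public');
     if (!in_array($type, $columns, true)) {
         exit('Error: Unknown type for sorting!');
     }
     $directions = array('ASC', 'DESC');
     if (!in_array($order, $directions, true)) {
         exit('Error: Unknown order for sorting!');
     }
     $sorting = 'ORDER BY ' . $type . ' ' . $order;
     # Execute query
     # The clause is built from whitelisted words only, but the settings table stores it
     # as text, so it is still quoted with pg_escape_literal() like any other value.
     $sql = "UPDATE settings SET \"value\"=" . pg_escape_literal($db, $sorting) . " WHERE \"key\"='sortingAlbums'";
     $res = pg_query($db, $sql);
     return $res !== false;
 }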
Exemplo n.º 28
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


AUTHORS SPECIFICALLY DISCLAIM ANY WARRANTIES INCLUDING, BUT NOT

LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A

PARTICULAR PURPOSE, AND NON-INFRINGEMENT.


THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND AUTHORS HAVE NO

OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR

MODIFICATIONS.*/
class Input
{
    /**
     * Returns the raw, unvalidated "UserData" query-string parameter.
     */
    public function getInput()
    {
        $raw = $_GET['UserData'];
        return $raw;
    }
}
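$temp = new Input();
$tainted = (string) $temp->getInput();
// pg_escape_literal() is a SQL escaper: it doubles quotes and backslashes and adds
// surrounding quotes, none of which neutralises the LDAP filter metacharacters
// ( ) * \ and NUL. Escape for the context the value is actually used in.
$tainted = ldap_escape($tainted, '', LDAP_ESCAPE_FILTER);
$query = "(&(objectCategory=person)(objectClass=user)(cn={$tainted}))";
$ds = ldap_connect("localhost");
$r = ldap_bind($ds);
$sr = ldap_search($ds, "o=My Company, c=US", $query);
ldap_close($ds);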
Exemplo n.º 29
 /**
  * Escape a variable in the literal way to be compliant and Safe (against SQL Injection) with PgSQL standards.
  * This function WILL ADD the SINGLE QUOTES (') around the string as needed and will escape expressions containing backslashes \ in the postgresql way using E'' escapes.
  * This is the preferred way to escape variables inside PostgreSQL SQL Statements, and is better than escape_str().
  *
  * @param STRING $y_string						:: A String or a Number to be Escaped
  * @param YES/NO $y_escape_likes				:: Escape LIKE / ILIKE Syntax (% _) ; Default is NO
  * @param RESOURCE $y_connection				:: the connection
  * @return STRING 								:: The Escaped String / Number
  *
  */
 public static function escape_literal($y_string, $y_escape_likes = 'no', $y_connection = 'DEFAULT')
 {
     // Resolve 'DEFAULT' (or validate an explicit resource) to a usable connection.
     $conn = self::check_connection($y_connection, 'ESCAPE-LITERAL');
     // Normalise the charset first so the escaper only ever sees well-formed text.
     $text = (string) SmartUnicode::fix_charset((string) $y_string);
     if ((string) $y_escape_likes == 'yes') {
         // Make the LIKE / ILIKE wildcards literal: _ -> \_ and % -> \%
         $text = str_replace(array('_', '%'), array('\\_', '\\%'), $text);
     }
     // NOTE(review): the @ hides a failed escape (pg_escape_literal() returns false,
     // which the cast turns into ''), so a broken connection silently yields an empty
     // literal — consider checking the result instead of suppressing the warning.
     $text = (string) @pg_escape_literal($conn, (string) $text);
     // [CONN]
     return (string) $text;
 }