 /**
  * Quotes a value so it can be safely embedded in string-built SQL.
  *
  * Strings (and anything not matched by an earlier branch) are routed
  * through the adapter's quoteString(), numbers are normalised to plain
  * numeric literals, booleans and NULL become the adapter's literals, and
  * date objects are formatted then quoted. The scalar type is guessed from
  * the value itself, so cast the value and/or pass $column (whose getType()
  * result takes precedence for 'integer' and 'float') for the best result.
  *
  * NOTE(review): an object exposing quotedId() is trusted as-is -- whatever
  * it returns is emitted without further quoting -- so such objects must
  * only ever wrap trusted identifiers/values.
  *
  * @param mixed $value    The scalar value to quote, a Horde_Db_Value,
  *                        Horde_Date, or DateTime instance, or an object
  *                        implementing quotedId().
  * @param object $column  An object implementing getType().
  *
  * @return string  The correctly quoted value (a PHP int is returned
  *                 unchanged, not cast to string).
  */
 public function quote($value, $column = null)
 {
     // Self-quoting objects win over any column type hint.
     if (is_object($value)) {
         if (is_callable(array($value, 'quotedId'))) {
             return $value->quotedId();
         }
         if ($value instanceof Horde_Db_Value) {
             return $value->quote($this->_adapter);
         }
     }

     $type = is_null($column) ? null : $column->getType();

     if ($value === null) {
         return 'NULL';
     }

     if (is_bool($value)) {
         // Integer columns get 1/0; everything else the adapter's boolean literal.
         if ($type == 'integer') {
             return $value ? '1' : '0';
         }
         return $value ? $this->quoteTrue() : $this->quoteFalse();
     }

     if (is_float($value)) {
         // %F is locale-independent, so the decimal point is always '.'.
         return sprintf('%F', $value);
     }

     if (is_int($value)) {
         return $value;
     }

     if ($value instanceof DateTime || $value instanceof Horde_Date) {
         // Integer columns store a Unix timestamp, otherwise a datetime string.
         $formatted = $type == 'integer'
             ? $value->format('U')
             : $value->format('Y-m-d H:i:s');
         return $this->_adapter->quoteString($formatted);
     }

     // Remaining values: coerce by declared column type, or fall back to
     // string quoting (switch compares loosely, like the original == checks).
     switch ($type) {
     case 'integer':
         return (int) $value;
     case 'float':
         return sprintf('%F', $value);
     default:
         return $this->_adapter->quoteString($value);
     }
 }
 /**
  * Builds the WHERE-clause fragment for a set of fields from a filter array.
  *
  * For each entry of $fields, $info[$field] adds an equality restriction
  * (an array value becomes an OR'ed group of equalities) and
  * $info["not{$field}"] adds inequality restrictions, one per value of a
  * comma-separated list. Every value is coerced to $type with settype()
  * and then passed through $this->_db->quoteString(), which is what keeps
  * the values safe to embed in SQL.
  *
  * NOTE(review): $table and the entries of $fields are interpolated into
  * the SQL verbatim, without identifier quoting, so they must come from
  * code, never from request data.
  * NOTE(review): the @ on settype() hides warnings only; on PHP 8 an
  * unknown $type name makes settype() throw ValueError regardless.
  *
  * @param string $table   Table name (or alias) the fields belong to.
  * @param array $fields   Column names to consider.
  * @param array &$info    Filter values keyed by field or "not<field>";
  *                        handed to _mapFields() first (presumably
  *                        normalised in place -- confirm against _mapFields).
  * @param string $type    settype() type name the values are coerced to.
  *
  * @return string  The fragment assembled by _addWhere(), '' if nothing matched.
  */
 protected function _generateWhere($table, $fields, &$info, $type)
 {
     $where = '';
     $this->_mapFields($info);

     // Positive restrictions: field = value, or (field = a OR field = b ...)
     // when the filter value is an array.
     foreach ($fields as $field) {
         if (!isset($info[$field])) {
             continue;
         }
         $column = "{$table}.{$field}";
         $value = $info[$field];
         if (is_array($value)) {
             $alternatives = array();
             foreach ($value as $candidate) {
                 // A candidate that cannot be coerced is silently dropped.
                 if (@settype($candidate, $type)) {
                     $alternatives[] = $column . ' = ' . $this->_db->quoteString($candidate);
                 }
             }
             if (!empty($alternatives)) {
                 $where = $this->_addWhere($where, true, implode(' OR ', $alternatives));
             }
         } else {
             $coerced = @settype($value, $type);
             // _addWhere receives the clause either way; the flag decides
             // whether it is actually appended.
             $where = $this->_addWhere(
                 $where,
                 $coerced && !is_null($value),
                 $column . ' = ' . $this->_db->quoteString($value)
             );
         }
     }

     // Negative restrictions: field <> value for each listed value.
     foreach ($fields as $field) {
         $key = "not{$field}";
         if (!isset($info[$key])) {
             continue;
         }
         $column = "{$table}.{$field}";
         $raw = $info[$key];
         // Without a comma the raw value is used as-is (not split/cast).
         $excluded = strpos($raw, ',') === false
             ? array($raw)
             : explode(',', $raw);
         foreach ($excluded as $value) {
             $coerced = @settype($value, $type);
             // Truthiness test: a value that coerces to 0 or '' is skipped,
             // unlike the positive branch which only rejects null.
             $where = $this->_addWhere(
                 $where,
                 $value && $coerced,
                 $column . ' <> ' . $this->_db->quoteString($value)
             );
         }
     }

     return $where;
 }