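/**
 * Quotes the column value to help prevent SQL injection attacks.
 *
 * This method makes educated guesses on the scalar type based on the
 * passed value. Make sure to correctly cast the value and/or pass the
 * $column parameter to get the best results.
 *
 * Anything that is not rendered as a bare number or boolean literal is
 * handed to the adapter's quoteString(), so the escaping rules are those
 * of the underlying driver; this method never builds a quoted string
 * itself.
 *
 * @param mixed $value   The scalar value to quote, a Horde_Db_Value,
 *                       Horde_Date, or DateTime instance, or an object
 *                       implementing quotedId().
 * @param object $column An object implementing getType().
 *
 * @return string The correctly quoted value.
 */
public function quote($value, $column = null)
{
    // Objects that know how to render themselves take precedence over any
    // column-type guessing.
    if (is_object($value) && is_callable(array($value, 'quotedId'))) {
        return $value->quotedId();
    }
    if ($value instanceof Horde_Db_Value) {
        return $value->quote($this->_adapter);
    }

    $type = isset($column) ? $column->getType() : null;

    if (is_null($value)) {
        return 'NULL';
    }
    if ($value === true) {
        return $type === 'integer' ? '1' : $this->quoteTrue();
    }
    if ($value === false) {
        return $type === 'integer' ? '0' : $this->quoteFalse();
    }
    if (is_float($value)) {
        // %F is not locale-aware, so the decimal separator is always '.'.
        return sprintf('%F', $value);
    }
    if (is_int($value)) {
        // The documented return type is string; never hand back a bare int.
        return (string) $value;
    }
    if ($value instanceof DateTime || $value instanceof Horde_Date) {
        return $this->_adapter->quoteString(
            $type === 'integer' ? $value->format('U') : $value->format('Y-m-d H:i:s')
        );
    }
    if ($type === 'integer') {
        // The (int) cast discards anything that is not a leading number, so
        // the result is safe to embed without driver quoting.
        return (string) (int) $value;
    }
    if ($type === 'float') {
        return sprintf('%F', $value);
    }

    return $this->_adapter->quoteString($value);
}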
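/**
 * Builds the WHERE fragment for a set of search fields.
 *
 * For each name in $fields, $info[$name] may hold a single value or an
 * array of alternatives (joined with OR). $info["not{$name}"] holds a
 * comma-separated string, or an array, of values that must NOT match.
 * Every value is cast to $type with settype() and then passed through the
 * driver's quoteString() before it reaches the SQL text; only $table and
 * the entries of $fields are interpolated verbatim, so they must come from
 * trusted code, never from request data.
 *
 * @param string $table  The table name or alias used to qualify the fields.
 * @param array  $fields The field names to look up in $info.
 * @param array  $info   The search criteria. Passed by reference because
 *                       it is handed to _mapFields(), which presumably
 *                       rewrites it in place.
 * @param string $type   A settype() type name the values are cast to.
 *
 * @return string The WHERE fragment, '' when no clause was produced.
 */
protected function _generateWhere($table, $fields, &$info, $type)
{
    $where = '';
    $this->_mapFields($info);

    // Positive matches: a scalar yields one "field = value" clause, an
    // array yields "field = a OR field = b ...".
    foreach ($fields as $field) {
        if (!isset($info[$field])) {
            continue;
        }
        $prop = $info[$field];
        if (is_array($prop)) {
            $clauses = array();
            foreach ($prop as $pprop) {
                // @ silences the "Array to string conversion" notice a
                // nested array would raise; a failed cast drops the value.
                if (@settype($pprop, $type)) {
                    $clauses[] = "{$table}.{$field} = " . $this->_db->quoteString($pprop);
                }
            }
            if (count($clauses)) {
                $where = $this->_addWhere($where, true, implode(' OR ', $clauses));
            }
        } else {
            $success = @settype($prop, $type);
            $where = $this->_addWhere($where, !is_null($prop) && $success, "{$table}.{$field} = " . $this->_db->quoteString($prop));
        }
    }

    // Negative matches: each excluded value becomes a "field <> value"
    // clause. The flag handed to _addWhere() is false for values that are
    // falsy after the cast ('' or 0) and for failed casts.
    foreach ($fields as $field) {
        if (!isset($info["not{$field}"])) {
            continue;
        }
        $raw = $info["not{$field}"];
        // Accept an array as well as a comma-separated string; a single
        // value without commas explodes to a one-element list, so the
        // scalar and list cases share one loop.
        $excluded = is_array($raw) ? $raw : explode(',', (string) $raw);
        foreach ($excluded as $prop) {
            $success = @settype($prop, $type);
            $where = $this->_addWhere($where, $prop && $success, "{$table}.{$field} <> " . $this->_db->quoteString($prop));
        }
    }

    return $where;
}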