qemudb/include/query.php

<?php
$hAppdbLink = null;
$hBugzillaLink = null;

define("MYSQL_DEADLOCK_ERRNO", 1213);

function query_appdb($sQuery, $sComment="")
{
    global $hAppdbLink;

    if(!is_resource($hAppdbLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS, true);
        if(!$hAppdbLink)
          die("Database error, please try again soon.");          
        mysql_select_db(APPS_DB, $hAppdbLink);
    }

    $iRetries = 2;

    /* we need to retry queries that hit transaction deadlocks */
    /* as a deadlock isn't really a failure */
    while($iRetries)
    {
        $hResult = mysql_query($sQuery, $hAppdbLink);
        if(!$hResult)
        {
            /* if this error isn't a deadlock OR if it is a deadlock and we've */
            /* run out of retries, report the error */
            $iErrno = mysql_errno($hAppdbLink);
            if(($iErrno != MYSQL_DEADLOCK_ERRNO) || (($iErrno == MYSQL_DEADLOCK_ERRNO) && ($iRetries <= 0)))
            {
                query_error($sQuery, $sComment, $hAppdbLink);
                return $hResult;
            }

            $iRetries--;
        } else
        {
            return $hResult;
        }
    }

    return NULL;
}

/*
 * Wildcard Rules
 * SCALAR  (?) => 'original string quoted'
 * OPAQUE  (&) => 'string from file quoted'
 * MISC    (~) => original string (left 'as-is')
 *
 * NOTE: These rules convienently match those for Pear DB
 *
 * MySQL Prepare Function
 * By: Kage (Alex)
 * KageKonjou@GMail.com
 * http://us3.php.net/manual/en/function.mysql-query.php#53400
 *
 * Modified by CMM 20060622
 *
 * Values are mysql_real_escape_string()'d to prevent against injection attacks
 * See http://php.net/mysql_real_escape_string for more information about why this is the case
 *
 * Usage:
 *  $hResult = query_parameters("Select * from mytable where userid = '?'",
 *                            $iUserId);
 *
 * Note:
 *   Ensure that all variables are passed as parameters to query_parameters()
 *   to ensure that sql injection attacks are prevented against
 *
 */
function query_parameters()
{
    global $hAppdbLink;

    if(!is_resource($hAppdbLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS, true) or die('Database error, please try again soon: '.mysql_error());
        mysql_select_db(APPS_DB, $hAppdbLink);
    }

    $aData = func_get_args();
    $sQuery = $aData[0];
    $aTokens = split("[&?~]", $sQuery); /* NOTE: no need to escape characters inside of [] in regex */
    $sPreparedquery = $aTokens[0];
    $iCount = strlen($aTokens[0]);

    /* do we have the correct number of tokens to the number of parameters provided? */
    if(count($aTokens) != count($aData))
        return NULL; /* count mismatch, return NULL */

    for ($i=1; $i < count($aTokens); $i++)
    {
        $char = substr($sQuery, $iCount, 1);
        $iCount += (strlen($aTokens[$i])+1);
        if ($char == "&")
        {
            $fp = @fopen($aData[$i], 'r');
            $pdata = "";
            if ($fp)
            {
                while (($sBuf = fread($fp, 4096)) != false)
                {
                    $pdata .= $sBuf;
                }
                fclose($fp);
            }
        } else
        {
            $pdata = &$aData[$i];
        }
        $sPreparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);
        $sPreparedquery .= $aTokens[$i];
    }

    return query_appdb($sPreparedquery);
}

function query_bugzilladb($sQuery,$sComment="")
{
    global $hBugzillaLink;

    if(!is_resource($hBugzillaLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hBugzillaLink = mysql_connect(BUGZILLA_DBHOST, BUGZILLA_DBUSER, BUGZILLA_DBPASS, true);
        if(!$hBugzillaLink) return;
        mysql_select_db(BUGZILLA_DB, $hBugzillaLink);
    }
    
    $hResult = mysql_query($sQuery, $hBugzillaLink);
    if(!$hResult) query_error($sQuery, $sComment, $hBugzillaLink);
    return $hResult;
}


function query_error($sQuery, $sComment, $hLink)
{
    static $bInQueryError = false;

    // if we are already reporting an error we can't report it again
    // as that indicates that error reporting itself produced an error
    if($bInQueryError)
        return;

    // record that we are inside of this function, we don't want to recurse
    $bInQueryError = true;

    error_log::log_error(ERROR_SQL, "Query: '".$sQuery."' ".
                         "mysql_errno(): '".mysql_errno($hLink)."' ".
                         "mysql_error(): '".mysql_error($hLink)."' ".
                         "comment: '".$sComment."'");

    $sStatusMessage = "<p><b>An internal error has occurred and has been logged and reported to appdb admins</b></p>";
    addmsg($sStatusMessage);

    $bInQueryError = false; // clear variable upon exit
}

function query_fetch_row($hResult)
{
  return mysql_fetch_row($hResult);
}

function query_fetch_object($hResult)
{
  return mysql_fetch_object($hResult);
}

function query_appdb_insert_id()
{
    global $hAppdbLink;
    return mysql_insert_id($hAppdbLink);
}

function query_bugzilla_insert_id()
{
    global $hBugzillaLink;
    return mysql_insert_id($hBugzillaLink);
}

function query_num_rows($hResult)
{
    return mysql_num_rows($hResult);
}

function query_escape_string($sString)
{
    return mysql_real_escape_string($sString);
}

function query_field_type($hResult, $iFieldOffset)
{
    return mysql_field_type($hResult, $iFieldOffset);
}

function query_field_name($hResult, $iFieldOffset)
{
    return mysql_field_name($hResult, $iFieldOffset);
}

function query_field_len($hResult, $ifieldOffset)
{
    return mysql_field_len($hResult, $iFieldOffset);
}

function query_field_flags($hResult, $iFieldOffset)
{
    return mysql_field_flags($hResult, $iFieldOffset);
}

function query_fetch_field($hResult, $iFieldOffset)
{
    return mysql_fetch_field($hResult, $iFieldOffset);
}

?>
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`<?php`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`$hAppdbLink = null;`
			`$hBugzillaLink = null;`

Unit tests should run with E_ALL so we can detect all errors. Fix dozens of errors that popped up after enabling all errors. 2006-11-25 17:24:44 +00:00			`define("MYSQL_DEADLOCK_ERRNO", 1213);`
Handle mysql transaction deadlocks more gracefully by making multiple attempts when they occur 2006-07-19 19:20:16 +00:00
Replace direct mysql_xxx() calls with query_xxx() calls. Replace calls to mysql_insert_id() with calls specific to the appdb or bugzilla database. Fixes a bug where a call to mysql_insert_id() can potentially retrieve an id from either the bugzilla or appdb database, depending on whichever database was last opened by mysql_connect(). 2007-08-03 23:27:25 +00:00			`function query_appdb($sQuery, $sComment="")`
Initial revision 2004-03-15 16:22:00 +00:00			`{`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`global $hAppdbLink;`
Initial revision 2004-03-15 16:22:00 +00:00
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`if(!is_resource($hAppdbLink))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`// The last argument makes sure we are really opening a new connection`
Replace direct mysql_xxx() calls with query_xxx() calls. Replace calls to mysql_insert_id() with calls specific to the appdb or bugzilla database. Fixes a bug where a call to mysql_insert_id() can potentially retrieve an id from either the bugzilla or appdb database, depending on whichever database was last opened by mysql_connect(). 2007-08-03 23:27:25 +00:00			`$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS, true);`
Stop script processing upon mysql error. Based on a patch by Alexander Sornes. 2007-09-18 20:51:28 -04:00			`if(!$hAppdbLink)`
			`die("Database error, please try again soon.");`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`mysql_select_db(APPS_DB, $hAppdbLink);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
Handle mysql transaction deadlocks more gracefully by making multiple attempts when they occur 2006-07-19 19:20:16 +00:00
			`$iRetries = 2;`

			`/* we need to retry queries that hit transaction deadlocks */`
			`/* as a deadlock isn't really a failure */`
			`while($iRetries)`
			`{`
			`$hResult = mysql_query($sQuery, $hAppdbLink);`
			`if(!$hResult)`
			`{`
			`/* if this error isn't a deadlock OR if it is a deadlock and we've */`
			`/* run out of retries, report the error */`
Pass database link handle to database error retrieval functions so we retrieve the error from the correct database connection. Add explicit link handle to query_error() and remove the option to not specify an error. 2007-10-28 22:05:26 -04:00			`$iErrno = mysql_errno($hAppdbLink);`
Handle mysql transaction deadlocks more gracefully by making multiple attempts when they occur 2006-07-19 19:20:16 +00:00			`if(($iErrno != MYSQL_DEADLOCK_ERRNO) \|\| (($iErrno == MYSQL_DEADLOCK_ERRNO) && ($iRetries <= 0)))`
			`{`
Pass database link handle to database error retrieval functions so we retrieve the error from the correct database connection. Add explicit link handle to query_error() and remove the option to not specify an error. 2007-10-28 22:05:26 -04:00			`query_error($sQuery, $sComment, $hAppdbLink);`
Handle mysql transaction deadlocks more gracefully by making multiple attempts when they occur 2006-07-19 19:20:16 +00:00			`return $hResult;`
			`}`

			`$iRetries--;`
			`} else`
			`{`
			`return $hResult;`
			`}`
			`}`

			`return NULL;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`/*`
			`* Wildcard Rules`
			`* SCALAR (?) => 'original string quoted'`
			`* OPAQUE (&) => 'string from file quoted'`
			`* MISC (~) => original string (left 'as-is')`
			`*`
			`* NOTE: These rules convienently match those for Pear DB`
			`*`
			`* MySQL Prepare Function`
			`* By: Kage (Alex)`
			`* KageKonjou@GMail.com`
			`* http://us3.php.net/manual/en/function.mysql-query.php#53400`
			`*`
			`* Modified by CMM 20060622`
			`*`
			`* Values are mysql_real_escape_string()'d to prevent against injection attacks`
			`* See http://php.net/mysql_real_escape_string for more information about why this is the case`
			`*`
query_parameters() usage example and the rule that all variables should be passed as parameters 2006-07-04 06:19:06 +00:00			`* Usage:`
			`* $hResult = query_parameters("Select * from mytable where userid = '?'",`
			`* $iUserId);`
			`*`
			`* Note:`
			`* Ensure that all variables are passed as parameters to query_parameters()`
			`* to ensure that sql injection attacks are prevented against`
			`*`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`*/`
			`function query_parameters()`
			`{`
			`global $hAppdbLink;`

			`if(!is_resource($hAppdbLink))`
			`{`
			`// The last argument makes sure we are really opening a new connection`
Die if failing to establish a MySQL connection 2008-01-27 17:36:26 +01:00			`$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS, true) or die('Database error, please try again soon: '.mysql_error());`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`mysql_select_db(APPS_DB, $hAppdbLink);`
			`}`

Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$aData = func_get_args();`
			`$sQuery = $aData[0];`
			`$aTokens = split("[&?~]", $sQuery); /* NOTE: no need to escape characters inside of [] in regex */`
			`$sPreparedquery = $aTokens[0];`
			`$iCount = strlen($aTokens[0]);`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00
Unit test for query_parameters(), fix bugs in query_parameters() found by the unit test 2006-06-27 16:39:40 +00:00			`/* do we have the correct number of tokens to the number of parameters provided? */`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`if(count($aTokens) != count($aData))`
Unit test for query_parameters(), fix bugs in query_parameters() found by the unit test 2006-06-27 16:39:40 +00:00			`return NULL; /* count mismatch, return NULL */`

Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`for ($i=1; $i < count($aTokens); $i++)`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$char = substr($sQuery, $iCount, 1);`
			`$iCount += (strlen($aTokens[$i])+1);`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`if ($char == "&")`
			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$fp = @fopen($aData[$i], 'r');`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`$pdata = "";`
			`if ($fp)`
			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`while (($sBuf = fread($fp, 4096)) != false)`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$pdata .= $sBuf;`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`
			`fclose($fp);`
			`}`
			`} else`
			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$pdata = &$aData[$i];`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$sPreparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);`
			`$sPreparedquery .= $aTokens[$i];`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`

Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`return query_appdb($sPreparedquery);`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`
Initial revision 2004-03-15 16:22:00 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`function query_bugzilladb($sQuery,$sComment="")`
			`{`
			`global $hBugzillaLink;`

Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`if(!is_resource($hBugzillaLink))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`// The last argument makes sure we are really opening a new connection`
Stop script processing upon mysql error. Based on a patch by Alexander Sornes. 2007-09-18 20:51:28 -04:00			`$hBugzillaLink = mysql_connect(BUGZILLA_DBHOST, BUGZILLA_DBUSER, BUGZILLA_DBPASS, true);`
Don't continue working on the bugzilla database if we were unable to connect to it 2005-08-01 20:53:44 +00:00			`if(!$hBugzillaLink) return;`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`mysql_select_db(BUGZILLA_DB, $hBugzillaLink);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`$hResult = mysql_query($sQuery, $hBugzillaLink);`
Pass database link handle to database error retrieval functions so we retrieve the error from the correct database connection. Add explicit link handle to query_error() and remove the option to not specify an error. 2007-10-28 22:05:26 -04:00			`if(!$hResult) query_error($sQuery, $sComment, $hBugzillaLink);`
- improved include/db.php - updated TODO regarding db queries 2004-12-29 03:36:57 +00:00			`return $hResult;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`
Add functions to compile a update or insert query 2004-12-29 18:42:34 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00
Pass database link handle to database error retrieval functions so we retrieve the error from the correct database connection. Add explicit link handle to query_error() and remove the option to not specify an error. 2007-10-28 22:05:26 -04:00			`function query_error($sQuery, $sComment, $hLink)`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`{`
query_error() can infinitely recurse as errors are inserted into the database and if the database doesn't exist then the db insertion will fail and result in a call to query_error(). Once we've entered query_error() once if we enter it again we should simply return 2006-09-26 02:10:57 +00:00			`static $bInQueryError = false;`

			`// if we are already reporting an error we can't report it again`
			`// as that indicates that error reporting itself produced an error`
			`if($bInQueryError)`
			`return;`

			`// record that we are inside of this function, we don't want to recurse`
			`$bInQueryError = true;`

Add mysql_errno() output to error logging 2006-07-19 17:34:59 +00:00			`error_log::log_error(ERROR_SQL, "Query: '".$sQuery."' ".`
Pass database link handle to database error retrieval functions so we retrieve the error from the correct database connection. Add explicit link handle to query_error() and remove the option to not specify an error. 2007-10-28 22:05:26 -04:00			`"mysql_errno(): '".mysql_errno($hLink)."' ".`
			`"mysql_error(): '".mysql_error($hLink)."' ".`
Add mysql_errno() output to error logging 2006-07-19 17:34:59 +00:00			`"comment: '".$sComment."'");`
Swap error logging and addmsg() calls as addmsg() performs a database transaction and will clear out any error that we wanted to report when error logging and calling mysql_error() 2006-07-19 17:18:16 +00:00
Modify query_error() to log errors to a database table instead of displaying them on the screen. This should let us more easily debug difficult or intermittent issues that users may not report. Add a cron to report logged errors to appdb admins every night. Implement some basic unit tests for the new error logging code 2006-07-19 16:37:54 +00:00			`$sStatusMessage = "<p><b>An internal error has occurred and has been logged and reported to appdb admins</b></p>";`
			`addmsg($sStatusMessage);`
query_error() can infinitely recurse as errors are inserted into the database and if the database doesn't exist then the db insertion will fail and result in a call to query_error(). Once we've entered query_error() once if we enter it again we should simply return 2006-09-26 02:10:57 +00:00
			`$bInQueryError = false; // clear variable upon exit`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`}`

Replace direct mysql_xxx() calls with query_xxx() calls. Replace calls to mysql_insert_id() with calls specific to the appdb or bugzilla database. Fixes a bug where a call to mysql_insert_id() can potentially retrieve an id from either the bugzilla or appdb database, depending on whichever database was last opened by mysql_connect(). 2007-08-03 23:27:25 +00:00			`function query_fetch_row($hResult)`
			`{`
			`return mysql_fetch_row($hResult);`
			`}`

			`function query_fetch_object($hResult)`
			`{`
			`return mysql_fetch_object($hResult);`
			`}`

			`function query_appdb_insert_id()`
			`{`
			`global $hAppdbLink;`
			`return mysql_insert_id($hAppdbLink);`
			`}`

			`function query_bugzilla_insert_id()`
			`{`
			`global $hBugzillaLink;`
			`return mysql_insert_id($hBugzillaLink);`
			`}`

			`function query_num_rows($hResult)`
			`{`
			`return mysql_num_rows($hResult);`
			`}`

			`function query_escape_string($sString)`
			`{`
			`return mysql_real_escape_string($sString);`
			`}`

			`function query_field_type($hResult, $iFieldOffset)`
			`{`
			`return mysql_field_type($hResult, $iFieldOffset);`
			`}`

			`function query_field_name($hResult, $iFieldOffset)`
			`{`
			`return mysql_field_name($hResult, $iFieldOffset);`
			`}`

			`function query_field_len($hResult, $ifieldOffset)`
			`{`
			`return mysql_field_len($hResult, $iFieldOffset);`
			`}`

			`function query_field_flags($hResult, $iFieldOffset)`
			`{`
			`return mysql_field_flags($hResult, $iFieldOffset);`
			`}`

			`function query_fetch_field($hResult, $iFieldOffset)`
			`{`
			`return mysql_fetch_field($hResult, $iFieldOffset);`
			`}`

Initial revision 2004-03-15 16:22:00 +00:00			`?>`