qemudb/include/query.php

<?php
$hAppdbLink = null;
$hBugzillaLink = null;

function query_appdb($sQuery,$sComment="")
{
    global $hAppdbLink;

    if(!is_resource($hAppdbLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
        mysql_select_db(APPS_DB, $hAppdbLink);
    }
    
    $hResult = mysql_query($sQuery, $hAppdbLink);
    if(!$hResult) query_error($sQuery, $sComment);
    return $hResult;
}

/*
 * Wildcard Rules
 * SCALAR  (?) => 'original string quoted'
 * OPAQUE  (&) => 'string from file quoted'
 * MISC    (~) => original string (left 'as-is')
 *
 * NOTE: These rules convienently match those for Pear DB
 *
 * MySQL Prepare Function
 * By: Kage (Alex)
 * KageKonjou@GMail.com
 * http://us3.php.net/manual/en/function.mysql-query.php#53400
 *
 * Modified by CMM 20060622
 *
 * Values are mysql_real_escape_string()'d to prevent against injection attacks
 * See http://php.net/mysql_real_escape_string for more information about why this is the case
 *
 * Usage:
 *  $hResult = query_parameters("Select * from mytable where userid = '?'",
 *                            $iUserId);
 *
 * Note:
 *   Ensure that all variables are passed as parameters to query_parameters()
 *   to ensure that sql injection attacks are prevented against
 *
 */
function query_parameters()
{
    global $hAppdbLink;

    if(!is_resource($hAppdbLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
        mysql_select_db(APPS_DB, $hAppdbLink);
    }

    $aData = func_get_args();
    $sQuery = $aData[0];
    $aTokens = split("[&?~]", $sQuery); /* NOTE: no need to escape characters inside of [] in regex */
    $sPreparedquery = $aTokens[0];
    $iCount = strlen($aTokens[0]);

    /* do we have the correct number of tokens to the number of parameters provided? */
    if(count($aTokens) != count($aData))
        return NULL; /* count mismatch, return NULL */

    for ($i=1; $i < count($aTokens); $i++)
    {
        $char = substr($sQuery, $iCount, 1);
        $iCount += (strlen($aTokens[$i])+1);
        if ($char == "&")
        {
            $fp = @fopen($aData[$i], 'r');
            $pdata = "";
            if ($fp)
            {
                while (($sBuf = fread($fp, 4096)) != false)
                {
                    $pdata .= $sBuf;
                }
                fclose($fp);
            }
        } else
        {
            $pdata = &$aData[$i];
        }
        $sPreparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);
        $sPreparedquery .= $aTokens[$i];
    }

    return query_appdb($sPreparedquery);
}

function query_bugzilladb($sQuery,$sComment="")
{
    global $hBugzillaLink;

    if(!is_resource($hBugzillaLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hBugzillaLink = mysql_connect(BUGZILLA_DBHOST, BUGZILLA_DBUSER, BUGZILLA_DBPASS,true);
        if(!$hBugzillaLink) return;
        mysql_select_db(BUGZILLA_DB, $hBugzillaLink);
    }
    
    $hResult = mysql_query($sQuery, $hBugzillaLink);
    if(!$hResult) query_error($sQuery, $sComment);
    return $hResult;
}


function query_error($sQuery, $sComment="")
{
    $sStatusMessage = "<p><b>An internal error has occurred and has been logged and reported to appdb admins</b></p>";
    addmsg($sStatusMessage);

    error_log::log_error(ERROR_SQL, "Query: '".$sQuery."' mysql_error(): '".mysql_error()."' comment: '".$sComment."'");
}

?>
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`<?php`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`$hAppdbLink = null;`
			`$hBugzillaLink = null;`

- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`function query_appdb($sQuery,$sComment="")`
Initial revision 2004-03-15 16:22:00 +00:00			`{`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`global $hAppdbLink;`
Initial revision 2004-03-15 16:22:00 +00:00
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`if(!is_resource($hAppdbLink))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`// The last argument makes sure we are really opening a new connection`
			`$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);`
			`mysql_select_db(APPS_DB, $hAppdbLink);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`$hResult = mysql_query($sQuery, $hAppdbLink);`
Display the query when we display the query error. 2005-01-12 17:29:04 +00:00			`if(!$hResult) query_error($sQuery, $sComment);`
- improved include/db.php - updated TODO regarding db queries 2004-12-29 03:36:57 +00:00			`return $hResult;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`/*`
			`* Wildcard Rules`
			`* SCALAR (?) => 'original string quoted'`
			`* OPAQUE (&) => 'string from file quoted'`
			`* MISC (~) => original string (left 'as-is')`
			`*`
			`* NOTE: These rules convienently match those for Pear DB`
			`*`
			`* MySQL Prepare Function`
			`* By: Kage (Alex)`
			`* KageKonjou@GMail.com`
			`* http://us3.php.net/manual/en/function.mysql-query.php#53400`
			`*`
			`* Modified by CMM 20060622`
			`*`
			`* Values are mysql_real_escape_string()'d to prevent against injection attacks`
			`* See http://php.net/mysql_real_escape_string for more information about why this is the case`
			`*`
query_parameters() usage example and the rule that all variables should be passed as parameters 2006-07-04 06:19:06 +00:00			`* Usage:`
			`* $hResult = query_parameters("Select * from mytable where userid = '?'",`
			`* $iUserId);`
			`*`
			`* Note:`
			`* Ensure that all variables are passed as parameters to query_parameters()`
			`* to ensure that sql injection attacks are prevented against`
			`*`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`*/`
			`function query_parameters()`
			`{`
			`global $hAppdbLink;`

			`if(!is_resource($hAppdbLink))`
			`{`
			`// The last argument makes sure we are really opening a new connection`
			`$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);`
			`mysql_select_db(APPS_DB, $hAppdbLink);`
			`}`

Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$aData = func_get_args();`
			`$sQuery = $aData[0];`
			`$aTokens = split("[&?~]", $sQuery); /* NOTE: no need to escape characters inside of [] in regex */`
			`$sPreparedquery = $aTokens[0];`
			`$iCount = strlen($aTokens[0]);`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00
Unit test for query_parameters(), fix bugs in query_parameters() found by the unit test 2006-06-27 16:39:40 +00:00			`/* do we have the correct number of tokens to the number of parameters provided? */`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`if(count($aTokens) != count($aData))`
Unit test for query_parameters(), fix bugs in query_parameters() found by the unit test 2006-06-27 16:39:40 +00:00			`return NULL; /* count mismatch, return NULL */`

Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`for ($i=1; $i < count($aTokens); $i++)`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$char = substr($sQuery, $iCount, 1);`
			`$iCount += (strlen($aTokens[$i])+1);`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`if ($char == "&")`
			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$fp = @fopen($aData[$i], 'r');`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`$pdata = "";`
			`if ($fp)`
			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`while (($sBuf = fread($fp, 4096)) != false)`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$pdata .= $sBuf;`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`
			`fclose($fp);`
			`}`
			`} else`
			`{`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$pdata = &$aData[$i];`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`
Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`$sPreparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);`
			`$sPreparedquery .= $aTokens[$i];`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`

Clean up variable naming in query_parameters() 2006-07-11 19:25:16 +00:00			`return query_appdb($sPreparedquery);`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`}`
Initial revision 2004-03-15 16:22:00 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`function query_bugzilladb($sQuery,$sComment="")`
			`{`
			`global $hBugzillaLink;`

Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`if(!is_resource($hBugzillaLink))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`// The last argument makes sure we are really opening a new connection`
			`$hBugzillaLink = mysql_connect(BUGZILLA_DBHOST, BUGZILLA_DBUSER, BUGZILLA_DBPASS,true);`
Don't continue working on the bugzilla database if we were unable to connect to it 2005-08-01 20:53:44 +00:00			`if(!$hBugzillaLink) return;`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`mysql_select_db(BUGZILLA_DB, $hBugzillaLink);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`$hResult = mysql_query($sQuery, $hBugzillaLink);`
Display the query when we display the query error. 2005-01-12 17:29:04 +00:00			`if(!$hResult) query_error($sQuery, $sComment);`
- improved include/db.php - updated TODO regarding db queries 2004-12-29 03:36:57 +00:00			`return $hResult;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`
Add functions to compile a update or insert query 2004-12-29 18:42:34 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00
Display the query when we display the query error. 2005-01-12 17:29:04 +00:00			`function query_error($sQuery, $sComment="")`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`{`
Modify query_error() to log errors to a database table instead of displaying them on the screen. This should let us more easily debug difficult or intermittent issues that users may not report. Add a cron to report logged errors to appdb admins every night. Implement some basic unit tests for the new error logging code 2006-07-19 16:37:54 +00:00			`$sStatusMessage = "<p><b>An internal error has occurred and has been logged and reported to appdb admins</b></p>";`
			`addmsg($sStatusMessage);`

			`error_log::log_error(ERROR_SQL, "Query: '".$sQuery."' mysql_error(): '".mysql_error()."' comment: '".$sComment."'");`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`}`

Initial revision 2004-03-15 16:22:00 +00:00			`?>`