qemudb/include/db.php

<?php
$hAppdbLink = null;
$hBugzillaLink = null;

function query_appdb($sQuery,$sComment="")
{
    global $hAppdbLink;

    if(!is_resource($hAppdbLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
        mysql_select_db(APPS_DB, $hAppdbLink);
    }
    
    $hResult = mysql_query($sQuery, $hAppdbLink);
    if(!$hResult) query_error($sQuery, $sComment);
    return $hResult;
}

/*
 * Wildcard Rules
 * SCALAR  (?) => 'original string quoted'
 * OPAQUE  (&) => 'string from file quoted'
 * MISC    (~) => original string (left 'as-is')
 *
 * NOTE: These rules convienently match those for Pear DB
 *
 * MySQL Prepare Function
 * By: Kage (Alex)
 * KageKonjou@GMail.com
 * http://us3.php.net/manual/en/function.mysql-query.php#53400
 *
 * Modified by CMM 20060622
 *
 * Values are mysql_real_escape_string()'d to prevent against injection attacks
 * See http://php.net/mysql_real_escape_string for more information about why this is the case
 *
 * Usage:
 *  $hResult = query_parameters("Select * from mytable where userid = '?'",
 *                            $iUserId);
 *
 * Note:
 *   Ensure that all variables are passed as parameters to query_parameters()
 *   to ensure that sql injection attacks are prevented against
 *
 */
function query_parameters()
{
    global $hAppdbLink;

    if(!is_resource($hAppdbLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
        mysql_select_db(APPS_DB, $hAppdbLink);
    }

    $data = func_get_args();
    $query = $data[0];
    $tokens = split("[&?~]", $query); /* NOTE: no need to escape characters inside of [] in regex */
    $preparedquery = $tokens[0];
    $count = strlen($tokens[0]);

    /* do we have the correct number of tokens to the number of parameters provided? */
    if(count($tokens) != count($data))
        return NULL; /* count mismatch, return NULL */

    for ($i=1; $i < count($tokens); $i++)
    {
        $char = substr($query, $count, 1);
        $count += (strlen($tokens[$i])+1);
        if ($char == "&")
        {
            $fp = @fopen($data[$i], 'r');
            $pdata = "";
            if ($fp)
            {
                while (($buf = fread($fp, 4096)) != false)
                {
                    $pdata .= $buf;
                }
                fclose($fp);
            }
        } else
        {
            $pdata = &$data[$i];
        }
        $preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);
        $preparedquery .= $tokens[$i];
    }

    return query_appdb($preparedquery);
}

function query_bugzilladb($sQuery,$sComment="")
{
    global $hBugzillaLink;

    if(!is_resource($hBugzillaLink))
    {
        // The last argument makes sure we are really opening a new connection
        $hBugzillaLink = mysql_connect(BUGZILLA_DBHOST, BUGZILLA_DBUSER, BUGZILLA_DBPASS,true);
        if(!$hBugzillaLink) return;
        mysql_select_db(BUGZILLA_DB, $hBugzillaLink);
    }
    
    $hResult = mysql_query($sQuery, $hBugzillaLink);
    if(!$hResult) query_error($sQuery, $sComment);
    return $hResult;
}


function query_error($sQuery, $sComment="")
{
    $sStatusMessage  = "<p><b>Database Error!</b><br />";
    $sStatusMessage .= "Query: ".$sQuery."<br />";
    $sStatusMessage .= $sComment ? $sComment."<br />" : "";
    $sStatusMessage .= mysql_error()."</p>\n";
    addmsg($sStatusMessage, "red");
}

?>
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`<?php`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`$hAppdbLink = null;`
			`$hBugzillaLink = null;`

- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`function query_appdb($sQuery,$sComment="")`
Initial revision 2004-03-15 16:22:00 +00:00			`{`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`global $hAppdbLink;`
Initial revision 2004-03-15 16:22:00 +00:00
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`if(!is_resource($hAppdbLink))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`// The last argument makes sure we are really opening a new connection`
			`$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);`
			`mysql_select_db(APPS_DB, $hAppdbLink);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`$hResult = mysql_query($sQuery, $hAppdbLink);`
Display the query when we display the query error. 2005-01-12 17:29:04 +00:00			`if(!$hResult) query_error($sQuery, $sComment);`
- improved include/db.php - updated TODO regarding db queries 2004-12-29 03:36:57 +00:00			`return $hResult;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`/*`
			`* Wildcard Rules`
			`* SCALAR (?) => 'original string quoted'`
			`* OPAQUE (&) => 'string from file quoted'`
			`* MISC (~) => original string (left 'as-is')`
			`*`
			`* NOTE: These rules convienently match those for Pear DB`
			`*`
			`* MySQL Prepare Function`
			`* By: Kage (Alex)`
			`* KageKonjou@GMail.com`
			`* http://us3.php.net/manual/en/function.mysql-query.php#53400`
			`*`
			`* Modified by CMM 20060622`
			`*`
			`* Values are mysql_real_escape_string()'d to prevent against injection attacks`
			`* See http://php.net/mysql_real_escape_string for more information about why this is the case`
			`*`
query_parameters() usage example and the rule that all variables should be passed as parameters 2006-07-04 06:19:06 +00:00			`* Usage:`
			`* $hResult = query_parameters("Select * from mytable where userid = '?'",`
			`* $iUserId);`
			`*`
			`* Note:`
			`* Ensure that all variables are passed as parameters to query_parameters()`
			`* to ensure that sql injection attacks are prevented against`
			`*`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`*/`
			`function query_parameters()`
			`{`
			`global $hAppdbLink;`

			`if(!is_resource($hAppdbLink))`
			`{`
			`// The last argument makes sure we are really opening a new connection`
			`$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);`
			`mysql_select_db(APPS_DB, $hAppdbLink);`
			`}`

			`$data = func_get_args();`
			`$query = $data[0];`
Unit test for query_parameters(), fix bugs in query_parameters() found by the unit test 2006-06-27 16:39:40 +00:00			`$tokens = split("[&?~]", $query); /* NOTE: no need to escape characters inside of [] in regex */`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`$preparedquery = $tokens[0];`
			`$count = strlen($tokens[0]);`

Unit test for query_parameters(), fix bugs in query_parameters() found by the unit test 2006-06-27 16:39:40 +00:00			`/* do we have the correct number of tokens to the number of parameters provided? */`
			`if(count($tokens) != count($data))`
			`return NULL; /* count mismatch, return NULL */`

Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00			`for ($i=1; $i < count($tokens); $i++)`
			`{`
			`$char = substr($query, $count, 1);`
			`$count += (strlen($tokens[$i])+1);`
			`if ($char == "&")`
			`{`
			`$fp = @fopen($data[$i], 'r');`
			`$pdata = "";`
			`if ($fp)`
			`{`
			`while (($buf = fread($fp, 4096)) != false)`
			`{`
			`$pdata .= $buf;`
			`}`
			`fclose($fp);`
			`}`
			`} else`
			`{`
			`$pdata = &$data[$i];`
			`}`
			`$preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);`
			`$preparedquery .= $tokens[$i];`
			`}`

			`return query_appdb($preparedquery);`
			`}`
Initial revision 2004-03-15 16:22:00 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`function query_bugzilladb($sQuery,$sComment="")`
			`{`
			`global $hBugzillaLink;`

Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`if(!is_resource($hBugzillaLink))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`// The last argument makes sure we are really opening a new connection`
			`$hBugzillaLink = mysql_connect(BUGZILLA_DBHOST, BUGZILLA_DBUSER, BUGZILLA_DBPASS,true);`
Don't continue working on the bugzilla database if we were unable to connect to it 2005-08-01 20:53:44 +00:00			`if(!$hBugzillaLink) return;`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00			`mysql_select_db(BUGZILLA_DB, $hBugzillaLink);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
* Make sure PHP really opens a new connection. 2005-01-14 16:05:14 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`$hResult = mysql_query($sQuery, $hBugzillaLink);`
Display the query when we display the query error. 2005-01-12 17:29:04 +00:00			`if(!$hResult) query_error($sQuery, $sComment);`
- improved include/db.php - updated TODO regarding db queries 2004-12-29 03:36:57 +00:00			`return $hResult;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`
Add functions to compile a update or insert query 2004-12-29 18:42:34 +00:00
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00
Display the query when we display the query error. 2005-01-12 17:29:04 +00:00			`function query_error($sQuery, $sComment="")`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`{`
			`$sStatusMessage = "<p><b>Database Error!</b><br />";`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Paul van Schayck <polleke@gmail.com>, Tony Lambregts <tony_lambregts@telusplanet.net> New preferences fix 2005-01-14 05:28:58 +00:00			`$sStatusMessage .= "Query: ".$sQuery."<br />";`
- added an optional parameter to query_*() in order to show more informations about the error and to avoid to make the error handling in the other scripts - added query_bugzilladb to query bugzilla's db so we can get rid of the last mysql_query in the code - factorized duplicated code (query_error) 2005-01-12 02:43:52 +00:00			`$sStatusMessage .= $sComment ? $sComment."<br />" : "";`
			`$sStatusMessage .= mysql_error()."</p>\n";`
			`addmsg($sStatusMessage, "red");`
			`}`

Initial revision 2004-03-15 16:22:00 +00:00			`?>`