Commit 584d6ea02ebd7695410b2530fcb6ec482fff1b20

Authored by nbm
1 parent 64ea047d

Use DBUtil's autoInsert or autoUpdate for improved security and simplified code, as well as correct sequence ids for inserts.


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@3091 c91229c3-7414-0410-bfa2-8a42b809f60b
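--- a/presentation/lookAndFeel/knowledgeTree/store.inc
+++ b/presentation/lookAndFeel/knowledgeTree/store.inc
@@ -25,8 +25,6 @@
 */
 
 function constructQuery($aKeys, $aSuppliedValues = null) {
-global $default;
-
 $aQuery = array();
 for ($i = 0; $i < count($aKeys); $i++) {
 $sRowStart = $aKeys[$i];
@@ -62,41 +60,39 @@ function constructQuery($aKeys, $aSuppliedValues = null) {
 
 //get all the values for the table
 while ((strncasecmp("unique_end", $sRowStart, 10) != 0) && ($i <= count($aKeys))) {
-$aColumns[$iColumnCount] = $_POST[$aKeys[$i]];
-if (!in_array($aColumns[$iColumnCount], $aColumnNames)) {
-print "Hack attempt! $aColumns[$iColumnCount] is not in "; var_dump($aColumnNames);
+//$aColumns[$iColumnCount] = $_POST[$aKeys[$i]];
+
+$sColumnName = $_POST[$aKeys[$i]];
+if (!in_array($sColumnName, $aColumnNames)) {
+print "Hack attempt! $sColumnName is not in "; var_dump($aColumnNames);
 return false;
 }
-$aTypes[$iColumnCount]= $_POST[$aKeys[++$i]];
+// $aTypes[$iColumnCount]= $_POST[$aKeys[++$i]];
 
-switch ($aTypes[$iColumnCount]) {
-case 0:
-//id's
-$aValues[$iColumnCount] = $_POST[$aKeys[++$i]];
-break;
-case 1:
-//normal text
-$aValues[$iColumnCount] = $_POST[$aKeys[++$i]];
-break;
+$iType = $_POST[$aKeys[++$i]];
+
+switch ($iType) {
 case 2:
 //uncheck checkboxes don't generate any name/value pairs
 //so if the next key doesn't contain the word "value" and it's type
 //is checkbox, then we have an unchecked check box
 if (strpos($aKeys[$i + 1], "value") === false) {
-$aValues[$iColumnCount] = false;
+$mValue = false;
 } else {
 $i++;
-$aValues[$iColumnCount] = true;
+$mValue = true;
 }
 //check box
 break;
-case 3:
-//drop down
 case 4:
-// user supplied values
-$aValues[$iColumnCount] = $_POST[$aKeys[++$i]];
+$mValue = $aSuppliedValues[$sColumnName];
+$i++;
+break;
+default:
+$mValue = $_POST[$aKeys[++$i]];
 break;
 }
+$aValues[$sColumnName] = $mValue;
 
 $sRowStart = $aKeys[++$i];
 $iColumnCount++;
@@ -104,108 +100,10 @@ function constructQuery($aKeys, $aSuppliedValues = null) {
 
 if ($iPrimaryKey < 0) {
 //perform an insert
-$sQuery = "INSERT INTO $sTableName (";
-for ($j = 0; $j < count($aColumns) - 1; $j++) {
-$sQuery .= $aColumns[$j] . ", ";
-}
-$sQuery .= $aColumns[count($aColumns) -1] . ") VALUES (";
-
-for ($j = 0; $j < count($aColumns) - 1; $j++) {
-switch ($aTypes[$j]) {
-case 0 :
-$sQuery .= $aValues[$j] . ", ";
-break;
-case 1:
-//text
-$sQuery .= "'" . $aValues[$j] . "', ";
-break;
-case 2:
-//boolean
-$sQuery .= $aValues[$j] . ", ";
-break;
-case 3:
-//drop down list
-$sQuery .= $aValues[$j] . ", ";
-break;
-case 4:
-// user supplied values
-$sQuery .= $aSuppliedValues[$aColumns[$j]] . ", ";
-break;
-default:
-break;
-}
-}
-switch ($aTypes[count($aColumns) - 1]) {
-case 0:
-//id
-$sQuery .= $aValues[count($aColumns) - 1] . ") ";
-break;
-case 1:
-//text
-$sQuery .= "'" . $aValues[count($aColumns) - 1] . "') ";
-break;
-case 2:
-//boolean
-$sQuery .= ($aValues[count($aColumns) - 1] ? 1 : 0) . ") ";
-break;
-case 3:
-//drop down list
-$sQuery .= $aValues[count($aColumns) - 1] . ") ";
-break;
-case 4:
-// user supplied values
-$sQuery .= $aSuppliedValues[$aColumns[count($aColumns) - 1]] . ", ";
-break;
-default:
-break;
-}
 // add query to array
-$aQuery[] = $sQuery;
+$id = DBUtil::autoInsert($sTableName, $aValues);
 } else {
-//perform an update
-$sQuery = "UPDATE $sTableName SET ";
-for ($j = 0; $j < count($aColumns) -1; $j++) {
-$sQuery .= $aColumns[$j] . " = ";
-switch ($aTypes[$j]) {
-case 0:
-//id
-$sQuery .= $aValues[$j] . ", ";
-break;
-case 1:
-$sQuery .= "'" . $aValues[$j] . "', ";
-break;
-case 2:
-$sQuery .= ($aValues[$j] ? 1 : 0) . ", ";
-break;
-case 3:
-$sQuery .= $aValues[$j] . ", ";
-break;
-default:
-break;
-}
-
-}
-$sQuery .= $aColumns[count($aTypes) -1] . " = ";
-switch ($aTypes[count($aTypes) -1]) {
-case 0:
-//id
-$sQuery .= $aValues[count($aTypes) -1] . " ";
-break;
-case 1:
-$sQuery .= "'" . $aValues[count($aTypes) -1] . "' ";
-break;
-case 2:
-$sQuery .= ($aValues[count($aTypes) -1] ? 1 : 0) . " ";
-break;
-case 3:
-$sQuery .= $aValues[count($aTypes) -1] . " ";
-break;
-default:
-break;
-}
-$sQuery .= "WHERE id = $iPrimaryKey";
-// add query to array
-$aQuery[] = $sQuery;
+$res = DBUtil::autoUpdate($sTableName, $aValues, $iPrimaryKey);
 }
 }
 }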
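Review bot: The results of the new DBUtil calls at new lines 104 and 106 are stored in `$id` and `$res` and never examined, so a failed insert or update is silent, while `$aQuery` (still initialised at new line 28) is no longer populated — if the part of constructQuery beyond this hunk returns it, callers now always receive an empty array. Each call should be checked with whatever error convention DBUtil uses and the function should `return false;` on failure, as the column-name check at new line 68 already does. The removed code also normalised checkbox values with `? 1 : 0` before emitting SQL, whereas the new code stores PHP `true`/`false` straight into `$aValues` (new lines 80, 83, 95), so confirm that autoInsert/autoUpdate quote booleans as 0/1 rather than letting `false` collapse to an empty string. Separately, new line 67 still echoes the rejected `$sColumnName` and `var_dump`s the whole column whitelist into the response; logging that server-side and returning false would avoid disclosing the schema to the client. constructQuery's body continues outside the hunk.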