Commit 584d6ea02ebd7695410b2530fcb6ec482fff1b20
1 parent
64ea047d
Use DBUtil's autoInsert or autoUpdate for improved security and
simplified code, as well as correct sequence ids for inserts. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@3091 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
1 changed file
with
19 additions
and
121 deletions
presentation/lookAndFeel/knowledgeTree/store.inc
| @@ -25,8 +25,6 @@ | @@ -25,8 +25,6 @@ | ||
| 25 | */ | 25 | */ |
| 26 | 26 | ||
| 27 | function constructQuery($aKeys, $aSuppliedValues = null) { | 27 | function constructQuery($aKeys, $aSuppliedValues = null) { |
| 28 | - global $default; | ||
| 29 | - | ||
| 30 | $aQuery = array(); | 28 | $aQuery = array(); |
| 31 | for ($i = 0; $i < count($aKeys); $i++) { | 29 | for ($i = 0; $i < count($aKeys); $i++) { |
| 32 | $sRowStart = $aKeys[$i]; | 30 | $sRowStart = $aKeys[$i]; |
| @@ -62,41 +60,39 @@ function constructQuery($aKeys, $aSuppliedValues = null) { | @@ -62,41 +60,39 @@ function constructQuery($aKeys, $aSuppliedValues = null) { | ||
| 62 | 60 | ||
| 63 | //get all the values for the table | 61 | //get all the values for the table |
| 64 | while ((strncasecmp("unique_end", $sRowStart, 10) != 0) && ($i <= count($aKeys))) { | 62 | while ((strncasecmp("unique_end", $sRowStart, 10) != 0) && ($i <= count($aKeys))) { |
| 65 | - $aColumns[$iColumnCount] = $_POST[$aKeys[$i]]; | ||
| 66 | - if (!in_array($aColumns[$iColumnCount], $aColumnNames)) { | ||
| 67 | - print "Hack attempt! $aColumns[$iColumnCount] is not in "; var_dump($aColumnNames); | 63 | + //$aColumns[$iColumnCount] = $_POST[$aKeys[$i]]; |
| 64 | + | ||
| 65 | + $sColumnName = $_POST[$aKeys[$i]]; | ||
| 66 | + if (!in_array($sColumnName, $aColumnNames)) { | ||
| 67 | + print "Hack attempt! $sColumnName is not in "; var_dump($aColumnNames); | ||
| 68 | return false; | 68 | return false; |
| 69 | } | 69 | } |
| 70 | - $aTypes[$iColumnCount]= $_POST[$aKeys[++$i]]; | 70 | + // $aTypes[$iColumnCount]= $_POST[$aKeys[++$i]]; |
| 71 | 71 | ||
| 72 | - switch ($aTypes[$iColumnCount]) { | ||
| 73 | - case 0: | ||
| 74 | - //id's | ||
| 75 | - $aValues[$iColumnCount] = $_POST[$aKeys[++$i]]; | ||
| 76 | - break; | ||
| 77 | - case 1: | ||
| 78 | - //normal text | ||
| 79 | - $aValues[$iColumnCount] = $_POST[$aKeys[++$i]]; | ||
| 80 | - break; | 72 | + $iType = $_POST[$aKeys[++$i]]; |
| 73 | + | ||
| 74 | + switch ($iType) { | ||
| 81 | case 2: | 75 | case 2: |
| 82 | //uncheck checkboxes don't generate any name/value pairs | 76 | //uncheck checkboxes don't generate any name/value pairs |
| 83 | //so if the next key doesn't contain the word "value" and it's type | 77 | //so if the next key doesn't contain the word "value" and it's type |
| 84 | //is checkbox, then we have an unchecked check box | 78 | //is checkbox, then we have an unchecked check box |
| 85 | if (strpos($aKeys[$i + 1], "value") === false) { | 79 | if (strpos($aKeys[$i + 1], "value") === false) { |
| 86 | - $aValues[$iColumnCount] = false; | 80 | + $mValue = false; |
| 87 | } else { | 81 | } else { |
| 88 | $i++; | 82 | $i++; |
| 89 | - $aValues[$iColumnCount] = true; | 83 | + $mValue = true; |
| 90 | } | 84 | } |
| 91 | //check box | 85 | //check box |
| 92 | break; | 86 | break; |
| 93 | - case 3: | ||
| 94 | - //drop down | ||
| 95 | case 4: | 87 | case 4: |
| 96 | - // user supplied values | ||
| 97 | - $aValues[$iColumnCount] = $_POST[$aKeys[++$i]]; | 88 | + $mValue = $aSuppliedValues[$sColumnName]; |
| 89 | + $i++; | ||
| 90 | + break; | ||
| 91 | + default: | ||
| 92 | + $mValue = $_POST[$aKeys[++$i]]; | ||
| 98 | break; | 93 | break; |
| 99 | } | 94 | } |
| 95 | + $aValues[$sColumnName] = $mValue; | ||
| 100 | 96 | ||
| 101 | $sRowStart = $aKeys[++$i]; | 97 | $sRowStart = $aKeys[++$i]; |
| 102 | $iColumnCount++; | 98 | $iColumnCount++; |
| @@ -104,108 +100,10 @@ function constructQuery($aKeys, $aSuppliedValues = null) { | @@ -104,108 +100,10 @@ function constructQuery($aKeys, $aSuppliedValues = null) { | ||
| 104 | 100 | ||
| 105 | if ($iPrimaryKey < 0) { | 101 | if ($iPrimaryKey < 0) { |
| 106 | //perform an insert | 102 | //perform an insert |
| 107 | - $sQuery = "INSERT INTO $sTableName ("; | ||
| 108 | - for ($j = 0; $j < count($aColumns) - 1; $j++) { | ||
| 109 | - $sQuery .= $aColumns[$j] . ", "; | ||
| 110 | - } | ||
| 111 | - $sQuery .= $aColumns[count($aColumns) -1] . ") VALUES ("; | ||
| 112 | - | ||
| 113 | - for ($j = 0; $j < count($aColumns) - 1; $j++) { | ||
| 114 | - switch ($aTypes[$j]) { | ||
| 115 | - case 0 : | ||
| 116 | - $sQuery .= $aValues[$j] . ", "; | ||
| 117 | - break; | ||
| 118 | - case 1: | ||
| 119 | - //text | ||
| 120 | - $sQuery .= "'" . $aValues[$j] . "', "; | ||
| 121 | - break; | ||
| 122 | - case 2: | ||
| 123 | - //boolean | ||
| 124 | - $sQuery .= $aValues[$j] . ", "; | ||
| 125 | - break; | ||
| 126 | - case 3: | ||
| 127 | - //drop down list | ||
| 128 | - $sQuery .= $aValues[$j] . ", "; | ||
| 129 | - break; | ||
| 130 | - case 4: | ||
| 131 | - // user supplied values | ||
| 132 | - $sQuery .= $aSuppliedValues[$aColumns[$j]] . ", "; | ||
| 133 | - break; | ||
| 134 | - default: | ||
| 135 | - break; | ||
| 136 | - } | ||
| 137 | - } | ||
| 138 | - switch ($aTypes[count($aColumns) - 1]) { | ||
| 139 | - case 0: | ||
| 140 | - //id | ||
| 141 | - $sQuery .= $aValues[count($aColumns) - 1] . ") "; | ||
| 142 | - break; | ||
| 143 | - case 1: | ||
| 144 | - //text | ||
| 145 | - $sQuery .= "'" . $aValues[count($aColumns) - 1] . "') "; | ||
| 146 | - break; | ||
| 147 | - case 2: | ||
| 148 | - //boolean | ||
| 149 | - $sQuery .= ($aValues[count($aColumns) - 1] ? 1 : 0) . ") "; | ||
| 150 | - break; | ||
| 151 | - case 3: | ||
| 152 | - //drop down list | ||
| 153 | - $sQuery .= $aValues[count($aColumns) - 1] . ") "; | ||
| 154 | - break; | ||
| 155 | - case 4: | ||
| 156 | - // user supplied values | ||
| 157 | - $sQuery .= $aSuppliedValues[$aColumns[count($aColumns) - 1]] . ", "; | ||
| 158 | - break; | ||
| 159 | - default: | ||
| 160 | - break; | ||
| 161 | - } | ||
| 162 | // add query to array | 103 | // add query to array |
| 163 | - $aQuery[] = $sQuery; | 104 | + $id = DBUtil::autoInsert($sTableName, $aValues); |
| 164 | } else { | 105 | } else { |
| 165 | - //perform an update | ||
| 166 | - $sQuery = "UPDATE $sTableName SET "; | ||
| 167 | - for ($j = 0; $j < count($aColumns) -1; $j++) { | ||
| 168 | - $sQuery .= $aColumns[$j] . " = "; | ||
| 169 | - switch ($aTypes[$j]) { | ||
| 170 | - case 0: | ||
| 171 | - //id | ||
| 172 | - $sQuery .= $aValues[$j] . ", "; | ||
| 173 | - break; | ||
| 174 | - case 1: | ||
| 175 | - $sQuery .= "'" . $aValues[$j] . "', "; | ||
| 176 | - break; | ||
| 177 | - case 2: | ||
| 178 | - $sQuery .= ($aValues[$j] ? 1 : 0) . ", "; | ||
| 179 | - break; | ||
| 180 | - case 3: | ||
| 181 | - $sQuery .= $aValues[$j] . ", "; | ||
| 182 | - break; | ||
| 183 | - default: | ||
| 184 | - break; | ||
| 185 | - } | ||
| 186 | - | ||
| 187 | - } | ||
| 188 | - $sQuery .= $aColumns[count($aTypes) -1] . " = "; | ||
| 189 | - switch ($aTypes[count($aTypes) -1]) { | ||
| 190 | - case 0: | ||
| 191 | - //id | ||
| 192 | - $sQuery .= $aValues[count($aTypes) -1] . " "; | ||
| 193 | - break; | ||
| 194 | - case 1: | ||
| 195 | - $sQuery .= "'" . $aValues[count($aTypes) -1] . "' "; | ||
| 196 | - break; | ||
| 197 | - case 2: | ||
| 198 | - $sQuery .= ($aValues[count($aTypes) -1] ? 1 : 0) . " "; | ||
| 199 | - break; | ||
| 200 | - case 3: | ||
| 201 | - $sQuery .= $aValues[count($aTypes) -1] . " "; | ||
| 202 | - break; | ||
| 203 | - default: | ||
| 204 | - break; | ||
| 205 | - } | ||
| 206 | - $sQuery .= "WHERE id = $iPrimaryKey"; | ||
| 207 | - // add query to array | ||
| 208 | - $aQuery[] = $sQuery; | 106 | + $res = DBUtil::autoUpdate($sTableName, $aValues, $iPrimaryKey); |
| 209 | } | 107 | } |
| 210 | } | 108 | } |
| 211 | } | 109 | } |