Neue Funktionen zum Escapen von Datenbankparametern
+39
-39
@@ -76,7 +76,7 @@ class adresse extends basis_db
|
||||
}
|
||||
|
||||
//Daten aus der Datenbank lesen
|
||||
$qry = "SELECT * FROM public.tbl_adresse WHERE adresse_id='".addslashes($adresse_id)."'";
|
||||
$qry = "SELECT * FROM public.tbl_adresse WHERE adresse_id=".$this->db_add_param($adresse_id, FHC_INTEGER, false);
|
||||
|
||||
if(!$this->db_query($qry))
|
||||
{
|
||||
@@ -87,8 +87,8 @@ class adresse extends basis_db
|
||||
if($row = $this->db_fetch_object())
|
||||
{
|
||||
$this->adresse_id = $row->adresse_id;
|
||||
$this->heimatadresse = ($row->heimatadresse=='t'?true:false);
|
||||
$this->zustelladresse = ($row->zustelladresse=='t'?true:false);
|
||||
$this->heimatadresse = $this->db_parse_bool($row->heimatadresse);
|
||||
$this->zustelladresse = $this->db_parse_bool($row->zustelladresse);
|
||||
$this->gemeinde = $row->gemeinde;
|
||||
$this->name = $row->name;
|
||||
$this->nation = $row->nation;
|
||||
@@ -127,7 +127,7 @@ class adresse extends basis_db
|
||||
}
|
||||
|
||||
//Lesen der Daten aus der Datenbank
|
||||
$qry = "SELECT * FROM public.tbl_adresse WHERE person_id='".addslashes($pers_id)."'";
|
||||
$qry = "SELECT * FROM public.tbl_adresse WHERE person_id=".$this->db_add_param($pers_id, FHC_INTEGER, false);
|
||||
|
||||
if(!$this->db_query($qry))
|
||||
{
|
||||
@@ -140,7 +140,7 @@ class adresse extends basis_db
|
||||
$adr_obj = new adresse();
|
||||
|
||||
$adr_obj->adresse_id = $row->adresse_id;
|
||||
$adr_obj->heimatadresse = ($row->heimatadresse=='t'?true:false);
|
||||
$adr_obj->heimatadresse = $this->db_parse_bool($row->heimatadresse);
|
||||
$adr_obj->gemeinde = $row->gemeinde;
|
||||
$adr_obj->name = $row->name;
|
||||
$adr_obj->nation = $row->nation;
|
||||
@@ -154,7 +154,7 @@ class adresse extends basis_db
|
||||
$adr_obj->updatevon = $row->updatevon;
|
||||
$adr_obj->insertamum = $row->insertamum;
|
||||
$adr_obj->insertvon = $row->insertvon;
|
||||
$adr_obj->zustelladresse = ($row->zustelladresse=='t'?true:false);
|
||||
$adr_obj->zustelladresse = $this->db_parse_bool($row->zustelladresse);
|
||||
|
||||
$this->result[] = $adr_obj;
|
||||
}
|
||||
@@ -181,7 +181,7 @@ class adresse extends basis_db
|
||||
}
|
||||
|
||||
//Lesen der Daten aus der Datenbank
|
||||
$qry = "SELECT * FROM public.tbl_adresse WHERE firma_id='".addslashes($firma_id)."'";
|
||||
$qry = "SELECT * FROM public.tbl_adresse WHERE firma_id=".$this->db_add_param($firma_id, FHC_INTEGER, false);
|
||||
|
||||
if(!$this->db_query($qry))
|
||||
{
|
||||
@@ -194,7 +194,7 @@ class adresse extends basis_db
|
||||
$adr_obj = new adresse();
|
||||
|
||||
$adr_obj->adresse_id = $row->adresse_id;
|
||||
$adr_obj->heimatadresse = ($row->heimatadresse=='t'?true:false);
|
||||
$adr_obj->heimatadresse = $this->db_parse_bool($row->heimatadresse);
|
||||
$adr_obj->gemeinde = $row->gemeinde;
|
||||
$adr_obj->name = $row->name;
|
||||
$adr_obj->nation = $row->nation;
|
||||
@@ -208,7 +208,7 @@ class adresse extends basis_db
|
||||
$adr_obj->updatevon = $row->updatevon;
|
||||
$adr_obj->insertamum = $row->insertamum;
|
||||
$adr_obj->insertvon = $row->insertvon;
|
||||
$adr_obj->zustelladresse = ($row->zustelladresse=='t'?true:false);
|
||||
$adr_obj->zustelladresse = $this->db_parse_bool($row->zustelladresse);
|
||||
|
||||
$this->result[] = $adr_obj;
|
||||
}
|
||||
@@ -280,44 +280,44 @@ class adresse extends basis_db
|
||||
//Neuen Datensatz einfuegen
|
||||
$qry='BEGIN;INSERT INTO public.tbl_adresse (person_id, name, strasse, plz, typ, ort, nation, insertamum, insertvon,
|
||||
gemeinde, heimatadresse, zustelladresse, firma_id, updateamum, updatevon, ext_id) VALUES('.
|
||||
$this->addslashes($this->person_id).', '.
|
||||
$this->addslashes($this->name).', '.
|
||||
$this->addslashes($this->strasse).', '.
|
||||
$this->addslashes($this->plz).', '.
|
||||
$this->addslashes(trim($this->typ)).', '.
|
||||
$this->addslashes($this->ort).', '.
|
||||
$this->addslashes($this->nation).', now(), '.
|
||||
$this->addslashes($this->insertvon).', '.
|
||||
$this->addslashes($this->gemeinde).', '.
|
||||
($this->heimatadresse?'true':'false').', '.
|
||||
($this->zustelladresse?'true':'false').', '.
|
||||
($this->firma_id!=null?$this->addslashes($this->firma_id):'null').', now(), '.
|
||||
$this->addslashes($this->updatevon).', '.
|
||||
$this->addslashes($this->ext_id).');';
|
||||
$this->db_add_param($this->person_id, FHC_INTEGER).', '.
|
||||
$this->db_add_param($this->name).', '.
|
||||
$this->db_add_param($this->strasse).', '.
|
||||
$this->db_add_param($this->plz).', '.
|
||||
$this->db_add_param(trim($this->typ)).', '.
|
||||
$this->db_add_param($this->ort).', '.
|
||||
$this->db_add_param($this->nation).', now(), '.
|
||||
$this->db_add_param($this->insertvon).', '.
|
||||
$this->db_add_param($this->gemeinde).', '.
|
||||
$this->db_add_param($this->heimatadresse,FHC_BOOLEAN, false).', '.
|
||||
$this->db_add_param($this->zustelladresse,FHC_BOOLEAN, false).', '.
|
||||
$this->db_add_param($this->firma_id, FHC_INTEGER).', now(), '.
|
||||
$this->db_add_param($this->updatevon).', '.
|
||||
$this->db_add_param($this->ext_id, FHC_INTEGER).');';
|
||||
}
|
||||
else
|
||||
{
|
||||
//Pruefen ob adresse_id eine gueltige Zahl ist
|
||||
if(!is_numeric($this->adresse_id))
|
||||
{
|
||||
$this->errormsg = 'adresse_id muss eine gültige Zahl sein: '.$this->adresse_id."\n";
|
||||
$this->errormsg = 'adresse_id muss eine gueltige Zahl sein';
|
||||
return false;
|
||||
}
|
||||
$qry='UPDATE public.tbl_adresse SET'.
|
||||
' person_id='.$this->addslashes($this->person_id).', '.
|
||||
' name='.$this->addslashes($this->name).', '.
|
||||
' strasse='.$this->addslashes($this->strasse).', '.
|
||||
' plz='.$this->addslashes($this->plz).', '.
|
||||
' typ='.$this->addslashes(trim($this->typ)).', '.
|
||||
' ort='.$this->addslashes($this->ort).', '.
|
||||
' nation='.$this->addslashes($this->nation).', '.
|
||||
' gemeinde='.$this->addslashes($this->gemeinde).', '.
|
||||
' firma_id='.$this->addslashes($this->firma_id).','.
|
||||
' person_id='.$this->db_add_param($this->person_id, FHC_INTEGER).', '.
|
||||
' name='.$this->db_add_param($this->name).', '.
|
||||
' strasse='.$this->db_add_param($this->strasse).', '.
|
||||
' plz='.$this->db_add_param($this->plz).', '.
|
||||
' typ='.$this->db_add_param(trim($this->typ)).', '.
|
||||
' ort='.$this->db_add_param($this->ort).', '.
|
||||
' nation='.$this->db_add_param($this->nation).', '.
|
||||
' gemeinde='.$this->db_add_param($this->gemeinde).', '.
|
||||
' firma_id='.$this->db_add_param($this->firma_id, FHC_INTEGER).','.
|
||||
' updateamum= now(), '.
|
||||
' updatevon='.$this->addslashes($this->updatevon).', '.
|
||||
' heimatadresse='.($this->heimatadresse?'true':'false').', '.
|
||||
' zustelladresse='.($this->zustelladresse?'true':'false').' '.
|
||||
'WHERE adresse_id='.$this->adresse_id.';';
|
||||
' updatevon='.$this->db_add_param($this->updatevon).', '.
|
||||
' heimatadresse='.$this->db_add_param($this->heimatadresse, FHC_BOOLEAN, false).', '.
|
||||
' zustelladresse='.$this->db_add_param($this->zustelladresse, FHC_BOOLEAN, false).' '.
|
||||
'WHERE adresse_id='.$this->db_add_param($this->adresse_id, FHC_INTEGER, false).';';
|
||||
}
|
||||
|
||||
if($this->db_query($qry))
|
||||
@@ -372,7 +372,7 @@ class adresse extends basis_db
|
||||
}
|
||||
|
||||
//loeschen des Datensatzes
|
||||
$qry="DELETE FROM public.tbl_adresse WHERE adresse_id='".addslashes($adresse_id)."';";
|
||||
$qry="DELETE FROM public.tbl_adresse WHERE adresse_id='".$this->db_add_param($adresse_id, FHC_INTEGER, false)."';";
|
||||
|
||||
if($this->db_query($qry))
|
||||
{
|
||||
@@ -385,4 +385,4 @@ class adresse extends basis_db
|
||||
}
|
||||
}
|
||||
}
|
||||
?>
|
||||
?>
|
||||
|
||||
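Review bot: The FHC_INTEGER parameter in the three rewritten SELECT queries and in the DELETE moves id validation into db_add_param, whose integer branch terminates the script with die() on non-numeric input, so the load methods can no longer report a bad id through $this->errormsg and return false the way the save path does with its is_numeric check before the UPDATE. Guard each id before building the query, e.g. `if(!is_numeric($adresse_id)) { $this->errormsg = 'adresse_id muss eine gueltige Zahl sein'; return false; }`, so callers that test the return value still get a controlled failure. The DELETE also keeps the single quotes around the integer value (`adresse_id='...'`) while the other queries drop them; PostgreSQL accepts it, but it is inconsistent, and with nullable=false an empty id produces `adresse_id=''` there and a bare `adresse_id=` in the SELECTs, both only surfacing as a failed db_query. Whether ext_id is an integer column is not visible here (the old code quoted it as a string), so the FHC_INTEGER type on that INSERT parameter should be confirmed against the table definition.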
@@ -51,6 +51,8 @@ class basis
|
||||
* wenn $var !='' ist werden Datenbankkritische
|
||||
* Zeichen mit Backslash versehen und das Ergbnis
|
||||
* unter Hochkomma gesetzt.
|
||||
*
|
||||
* 12/2011 DEPRECATED use db_add_param
|
||||
*/
|
||||
public function addslashes($var)
|
||||
{
|
||||
@@ -113,4 +115,4 @@ class basis
|
||||
return htmlspecialchars($value);
|
||||
}
|
||||
}
|
||||
?>
|
||||
?>
|
||||
|
||||
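Review bot: The new deprecation note on addslashes() is free text (`* 12/2011 DEPRECATED use db_add_param`) that no tooling recognizes; write it as a PHPDoc tag, `* @deprecated since 12/2011, use db_add_param()`, so static analysers and IDEs flag the remaining callers that still build SQL with addslashes(). The method body continues outside the hunk.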
@@ -1,4 +1,28 @@
|
||||
<?php
|
||||
/* Copyright (C) 2011 FH Technikum-Wien
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as
|
||||
* published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Authors: Christian Paminger <christian.paminger@technikum-wien.at>,
|
||||
* Andreas Oesterreicher <andreas.oesterreicher@technikum-wien.at>
|
||||
*
|
||||
*/
|
||||
/**
|
||||
* Klasse fuer Datenbankabstraktion
|
||||
*/
|
||||
|
||||
require_once(dirname(__FILE__).'/basis.class.php');
|
||||
|
||||
abstract class db extends basis
|
||||
@@ -9,6 +33,12 @@ abstract class db extends basis
|
||||
|
||||
function __construct()
|
||||
{
|
||||
if(!defined('FHC_INTEGER'))
|
||||
{
|
||||
define('FHC_INTEGER',1);
|
||||
define('FHC_STRING',2);
|
||||
define('FHC_BOOLEAN',3);
|
||||
}
|
||||
if (is_null(db::$db_conn))
|
||||
$this->db_connect();
|
||||
}
|
||||
@@ -26,10 +56,15 @@ abstract class db extends basis
|
||||
abstract function db_last_error();
|
||||
abstract function db_free_result($result=null);
|
||||
abstract function db_version();
|
||||
abstract function db_escape($var);
|
||||
abstract function db_null_value($var, $qoute=true);
|
||||
abstract function db_qoute($var);
|
||||
abstract function db_add_param($var, $type=FHC_STRING, $nullable=true);
|
||||
abstract function db_parse_bool($var);
|
||||
|
||||
|
||||
/**
|
||||
* Erzeugt aus den Funktionsparameter eine SLQ Abfrage
|
||||
* Erzeugt aus den Funktionsparameter eine SQL Abfrage
|
||||
* --- Wird in der Art Sonderzeichen gefunden wird dieses als FunktionsParmeter verarbeitet
|
||||
* @param art die SQL Abfrage die erzeugt werden soll Default ist 'select'
|
||||
* @param distinct - nur wenn art ist 'select' ist
|
||||
@@ -125,4 +160,4 @@ abstract class db extends basis
|
||||
}
|
||||
require_once(dirname(__FILE__).'/'.DB_SYSTEM.'.class.php');
|
||||
|
||||
?>
|
||||
?>
|
||||
|
||||
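Review bot: The FHC_INTEGER/FHC_STRING/FHC_BOOLEAN constants are defined inside __construct, so they exist only after a db instance has been constructed, yet `abstract function db_add_param($var, $type=FHC_STRING, $nullable=true);` and every caller reference them as bare constants; any use before the first instantiation, or from a subclass whose constructor does not call parent::__construct(), hits an undefined constant (a notice and the literal string on older PHP, an Error on PHP 8), and in the FHC_STRING case that would silently fall into the default branch of db_add_param. Define them where the class file is loaded instead — `define('FHC_INTEGER',1);` etc. at file level next to the require_once, or as class constants `const FHC_INTEGER = 1;` — and drop the runtime `defined()` guard. The 'SLQ'→'SQL' typo fix in the docblock is fine.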
+153
-14
@@ -1,8 +1,31 @@
|
||||
<?php
|
||||
/* Copyright (C) 2011 FH Technikum-Wien
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as
|
||||
* published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Authors: Christian Paminger <christian.paminger@technikum-wien.at>,
|
||||
* Andreas Oesterreicher <andreas.oesterreicher@technikum-wien.at>
|
||||
*
|
||||
*/
|
||||
/**
|
||||
* Datenbank Abstraktionsklasse fuer Postgresql Datenbank
|
||||
*/
|
||||
|
||||
class basis_db extends db
|
||||
{
|
||||
function db_connect()
|
||||
public function db_connect()
|
||||
{
|
||||
$conn_str='host='.DB_HOST.' port='.DB_PORT.' dbname='.DB_NAME.' user='.DB_USER.' password='.DB_PASSWORD;
|
||||
//Connection Herstellen
|
||||
@@ -18,7 +41,7 @@ class basis_db extends db
|
||||
}
|
||||
}
|
||||
|
||||
function db_query($sql)
|
||||
public function db_query($sql)
|
||||
{
|
||||
if ($this->db_result=pg_query(basis_db::$db_conn,$sql))
|
||||
return $this->db_result;
|
||||
@@ -29,7 +52,7 @@ class basis_db extends db
|
||||
}
|
||||
}
|
||||
|
||||
function db_num_rows($result=null)
|
||||
public function db_num_rows($result=null)
|
||||
{
|
||||
if(is_null($result))
|
||||
return pg_num_rows($this->db_result);
|
||||
@@ -37,7 +60,7 @@ class basis_db extends db
|
||||
return pg_num_rows($result);
|
||||
}
|
||||
|
||||
function db_fetch_object($result = null, $i=null)
|
||||
public function db_fetch_object($result = null, $i=null)
|
||||
{
|
||||
if(is_null($result))
|
||||
{
|
||||
@@ -55,7 +78,7 @@ class basis_db extends db
|
||||
}
|
||||
}
|
||||
|
||||
function db_fetch_row($result = null, $i=null)
|
||||
public function db_fetch_row($result = null, $i=null)
|
||||
{
|
||||
if(is_null($result))
|
||||
{
|
||||
@@ -73,7 +96,7 @@ class basis_db extends db
|
||||
}
|
||||
}
|
||||
|
||||
function db_result($result = null, $i,$item)
|
||||
public function db_result($result = null, $i,$item)
|
||||
{
|
||||
if(is_null($result))
|
||||
{
|
||||
@@ -85,12 +108,12 @@ class basis_db extends db
|
||||
}
|
||||
}
|
||||
|
||||
function db_last_error()
|
||||
public function db_last_error()
|
||||
{
|
||||
return pg_last_error();
|
||||
}
|
||||
|
||||
function db_affected_rows($result=null)
|
||||
public function db_affected_rows($result=null)
|
||||
{
|
||||
if(is_null($result))
|
||||
return pg_affected_rows($this->db_result);
|
||||
@@ -98,7 +121,7 @@ class basis_db extends db
|
||||
return pg_affected_rows($result);
|
||||
}
|
||||
|
||||
function db_fetch_array($result=null)
|
||||
public function db_fetch_array($result=null)
|
||||
{
|
||||
if(is_null($result))
|
||||
return pg_fetch_array($this->db_result);
|
||||
@@ -106,7 +129,7 @@ class basis_db extends db
|
||||
return pg_fetch_array($result);
|
||||
}
|
||||
|
||||
function db_num_fields($result=null)
|
||||
public function db_num_fields($result=null)
|
||||
{
|
||||
if(is_null($result))
|
||||
return pg_num_fields($this->db_result);
|
||||
@@ -114,7 +137,10 @@ class basis_db extends db
|
||||
return pg_num_fields($result);
|
||||
}
|
||||
|
||||
function db_field_name($result=null, $i)
|
||||
/**
|
||||
* Liefert den Feldnamen mit index i
|
||||
*/
|
||||
public function db_field_name($result=null, $i)
|
||||
{
|
||||
if(is_null($result))
|
||||
return pg_field_name($this->db_result, $i);
|
||||
@@ -122,7 +148,11 @@ class basis_db extends db
|
||||
return pg_field_name($result, $i);
|
||||
}
|
||||
|
||||
function db_free_result($result = null)
|
||||
/**
|
||||
* Gibt den Speicher wieder Frei.
|
||||
* (ist das sinnvoll wenn es per Value uebergeben wird??)
|
||||
*/
|
||||
public function db_free_result($result = null)
|
||||
{
|
||||
if(is_null($result))
|
||||
{
|
||||
@@ -134,9 +164,118 @@ class basis_db extends db
|
||||
}
|
||||
}
|
||||
|
||||
function db_version()
|
||||
/**
|
||||
* Liefert die aktuelle Datenbankversion
|
||||
*/
|
||||
public function db_version()
|
||||
{
|
||||
return pg_version(basis_db::$db_conn);
|
||||
}
|
||||
|
||||
/**
|
||||
* Escaped Sonderzeichen in Variablen vor der Verwendung in SQL Statements
|
||||
* um SQL Injections zu verhindern
|
||||
*
|
||||
*/
|
||||
public function db_escape($var)
|
||||
{
|
||||
return pg_escape_string($var);
|
||||
}
|
||||
|
||||
/**
|
||||
* Null Value Handling und Hochkomma für Inserts / Updates
|
||||
* Wenn die Uebergebe Variable leer ist, wird ein String mit null
|
||||
* zurueckgeliefert, wenn nicht dann wird der string unter Hochkomma zurueckgeliefert
|
||||
* es sei denn qoute=false dann wird nur der String zurueckgeliefert
|
||||
*
|
||||
* @param $var String-Value fuer SQL Request
|
||||
* @return string
|
||||
*/
|
||||
public function db_null_value($var, $qoute=true)
|
||||
{
|
||||
if($qoute)
|
||||
return ($var!=''?$this->db_qoute($var):'null');
|
||||
else
|
||||
return ($var!=''?$var:'null');
|
||||
}
|
||||
|
||||
/**
|
||||
* Setzt einen String unter Hochkomma
|
||||
* @param $var Value fuer Insert/Update
|
||||
* @return value unter Hochkomma
|
||||
*/
|
||||
public function db_qoute($var)
|
||||
{
|
||||
return "'".$var."'";
|
||||
}
|
||||
|
||||
/**
|
||||
* Escaped einen Parameter fuer die Verwendung in Insert/Update SQL Befehlen
|
||||
* Es werden abhaengig vom Typ Hochkomma oder Null hinzugefuegt
|
||||
* @param $var Value der gesetzt werden soll
|
||||
* @param $type Typ des Values (FHC_STRING | FHC_BOOLEAN | FHC_INTEGER | ...)
|
||||
* @param $nullable boolean gibt an ob das Feld NULL sein darf. Wenn true wird
|
||||
* NULL statt einem Leerstring zurueckgeliefert
|
||||
* @return Escapter Value inklusive Hochkomma wenn noetig
|
||||
*
|
||||
* Verwendungsbeispiel:
|
||||
* Update tbl_person set nachname=$this->db_add_param($var)
|
||||
* Update tbl_person set aktiv=$this->db_add_param($var, FHC_BOOL, false)
|
||||
* Update tbl_person set anzahlkinder=$this->db_add_param($var, FHC_INT)
|
||||
*/
|
||||
public function db_add_param($var, $type=FHC_STRING, $nullable=true)
|
||||
{
|
||||
if($var=='' && $type!=FHC_BOOLEAN)
|
||||
{
|
||||
if($nullable)
|
||||
return 'null';
|
||||
else
|
||||
return '';
|
||||
}
|
||||
|
||||
switch($type)
|
||||
{
|
||||
case FHC_INTEGER:
|
||||
$var = $this->db_escape($var);
|
||||
if(!is_numeric($var))
|
||||
die('Invalid Integer Parameter detected');
|
||||
$var = $this->db_null_value($var, false);
|
||||
break;
|
||||
|
||||
case FHC_BOOLEAN:
|
||||
if($var===true)
|
||||
$var='true';
|
||||
elseif($var===false)
|
||||
$var='false';
|
||||
elseif($var=='' && $nullable)
|
||||
$var = 'null';
|
||||
else
|
||||
die('Invalid Boolean Parameter detected');
|
||||
break;
|
||||
|
||||
case FHC_STRING:
|
||||
default:
|
||||
$var = $this->db_escape($var);
|
||||
$var = $this->db_null_value($var);
|
||||
break;
|
||||
}
|
||||
return $var;
|
||||
}
|
||||
|
||||
/**
|
||||
* Erzeugt aus einem DB-Result-Boolean einen PHP Boolean
|
||||
*/
|
||||
public function db_parse_bool($var)
|
||||
{
|
||||
if($var=='t')
|
||||
return true;
|
||||
elseif($var=='f')
|
||||
return false;
|
||||
elseif($var=='')
|
||||
return '';
|
||||
else
|
||||
die('Invalid DB Boolean. Wrong DB-Engine?');
|
||||
}
|
||||
|
||||
}
|
||||
?>
|
||||
?>
|
||||
|
||||
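Review bot: In db_add_param the emptiness test `if($var=='' && $type!=FHC_BOOLEAN)` uses loose comparison, so an integer 0 passed with FHC_INTEGER compares equal to '' on PHP 7 and earlier and is turned into 'null' (or '' when not nullable) instead of the literal 0; db_null_value has the same `$var!=''` test. Use strict checks, `if(($var === '' || $var === null) && $type != FHC_BOOLEAN)` and `($var !== '' && $var !== null ? $this->db_qoute($var) : 'null')`, so zero survives. The integer and boolean branches abort the whole request with die() from inside the abstraction layer, which leaves callers such as the adresse queries no way to return false with an errormsg; throwing an exception, or returning false and recording the message, keeps error handling with the caller. db_escape() calls pg_escape_string() without the connection resource although basis_db::$db_conn is available (db_version passes it), so escaping is performed against whatever connection PHP treats as default rather than the active one; pass `pg_escape_string(basis_db::$db_conn, $var)`. The docblock examples use FHC_BOOL and FHC_INT, which do not match the defined FHC_BOOLEAN and FHC_INTEGER.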
+3
-2
@@ -60,7 +60,8 @@ echo '
|
||||
|
||||
if($adresse_id!='')
|
||||
{
|
||||
$adresse->load($adresse_id);
|
||||
if(!$adresse->load($adresse_id))
|
||||
die('Fehler: '.$adresse->errormsg);
|
||||
draw_rdf($adresse);
|
||||
}
|
||||
else
|
||||
@@ -119,4 +120,4 @@ function draw_rdf($row)
|
||||
}
|
||||
?>
|
||||
</RDF:Seq>
|
||||
</RDF:RDF>
|
||||
</RDF:RDF>
|
||||
|
||||
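Review bot: `die('Fehler: '.$adresse->errormsg)` writes the message straight into the response body; output has apparently already started (the hunk's context line is an `echo '` statement), so the client receives a truncated, non-well-formed RDF document with an internal message appended rather than an error status. Emit a proper error (an HTTP error status or an empty RDF document) and log errormsg server-side; whether errormsg can ever carry driver error text is not visible here, but if it can it should not be echoed to clients. Note also that with db_add_param's FHC_INTEGER branch terminating on non-numeric input, a malformed adresse_id never reaches this check — only failures that load() reports by returning false do.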