From 7f44828ca6935d100bc35ab255d48a06d8696bf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20=C3=96sterreicher?= Date: Wed, 22 Feb 2012 16:20:22 +0000 Subject: [PATCH] Neue Funktionen zum Escapen von Datenbankparametern --- include/adresse.class.php | 78 ++++++++--------- include/basis.class.php | 4 +- include/basis_db.class.php | 39 ++++++++- include/pgsql.class.php | 167 +++++++++++++++++++++++++++++++++---- rdf/adresse.rdf.php | 5 +- 5 files changed, 235 insertions(+), 58 deletions(-) diff --git a/include/adresse.class.php b/include/adresse.class.php index fe12e4f88..45c390fde 100644 --- a/include/adresse.class.php +++ b/include/adresse.class.php @@ -76,7 +76,7 @@ class adresse extends basis_db } //Daten aus der Datenbank lesen - $qry = "SELECT * FROM public.tbl_adresse WHERE adresse_id='".addslashes($adresse_id)."'"; + $qry = "SELECT * FROM public.tbl_adresse WHERE adresse_id=".$this->db_add_param($adresse_id, FHC_INTEGER, false); if(!$this->db_query($qry)) { @@ -87,8 +87,8 @@ class adresse extends basis_db if($row = $this->db_fetch_object()) { $this->adresse_id = $row->adresse_id; - $this->heimatadresse = ($row->heimatadresse=='t'?true:false); - $this->zustelladresse = ($row->zustelladresse=='t'?true:false); + $this->heimatadresse = $this->db_parse_bool($row->heimatadresse); + $this->zustelladresse = $this->db_parse_bool($row->zustelladresse); $this->gemeinde = $row->gemeinde; $this->name = $row->name; $this->nation = $row->nation; @@ -127,7 +127,7 @@ class adresse extends basis_db } //Lesen der Daten aus der Datenbank - $qry = "SELECT * FROM public.tbl_adresse WHERE person_id='".addslashes($pers_id)."'"; + $qry = "SELECT * FROM public.tbl_adresse WHERE person_id=".$this->db_add_param($pers_id, FHC_INTEGER, false); if(!$this->db_query($qry)) { 
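Review bot: In the `@@ -76` hunk the new `db_add_param($adresse_id, FHC_INTEGER, false)` call ends the script with `die()` when the id is not numeric, while the rest of the method reports failure through `$this->errormsg` and a false return (`if(!$this->db_query($qry))`), so unless the id is already validated before the hunk (it opens on the closing brace of a preceding block that is not visible) a crafted id aborts the request with a bare message instead of an error result. The same helper returns an empty string for an empty id when `$nullable` is false, which leaves `WHERE adresse_id=` in the statement and only fails at query time. I would keep the contract in the loader itself: `if(!is_numeric($adresse_id)) { $this->errormsg = 'adresse_id muss eine gueltige Zahl sein'; return false; }` before `$qry` is built. The `@@ -127` hunk (`person_id`) has the same shape; the enclosing load methods start outside these hunks.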
@@ -140,7 +140,7 @@ class adresse extends basis_db $adr_obj = new adresse(); $adr_obj->adresse_id = $row->adresse_id; - $adr_obj->heimatadresse = ($row->heimatadresse=='t'?true:false); + $adr_obj->heimatadresse = $this->db_parse_bool($row->heimatadresse); $adr_obj->gemeinde = $row->gemeinde; $adr_obj->name = $row->name; $adr_obj->nation = $row->nation; @@ -154,7 +154,7 @@ class adresse extends basis_db $adr_obj->updatevon = $row->updatevon; $adr_obj->insertamum = $row->insertamum; $adr_obj->insertvon = $row->insertvon; - $adr_obj->zustelladresse = ($row->zustelladresse=='t'?true:false); + $adr_obj->zustelladresse = $this->db_parse_bool($row->zustelladresse); $this->result[] = $adr_obj; } @@ -181,7 +181,7 @@ class adresse extends basis_db } //Lesen der Daten aus der Datenbank - $qry = "SELECT * FROM public.tbl_adresse WHERE firma_id='".addslashes($firma_id)."'"; + $qry = "SELECT * FROM public.tbl_adresse WHERE firma_id=".$this->db_add_param($firma_id, FHC_INTEGER, false); if(!$this->db_query($qry)) { @@ -194,7 +194,7 @@ class adresse extends basis_db $adr_obj = new adresse(); $adr_obj->adresse_id = $row->adresse_id; - $adr_obj->heimatadresse = ($row->heimatadresse=='t'?true:false); + $adr_obj->heimatadresse = $this->db_parse_bool($row->heimatadresse); $adr_obj->gemeinde = $row->gemeinde; $adr_obj->name = $row->name; $adr_obj->nation = $row->nation; @@ -208,7 +208,7 @@ class adresse extends basis_db $adr_obj->updatevon = $row->updatevon; $adr_obj->insertamum = $row->insertamum; $adr_obj->insertvon = $row->insertvon; - $adr_obj->zustelladresse = ($row->zustelladresse=='t'?true:false); + $adr_obj->zustelladresse = $this->db_parse_bool($row->zustelladresse); $this->result[] = $adr_obj; } 
@@ -280,44 +280,44 @@ class adresse extends basis_db //Neuen Datensatz einfuegen $qry='BEGIN;INSERT INTO public.tbl_adresse (person_id, name, strasse, plz, typ, ort, nation, insertamum, insertvon, gemeinde, heimatadresse, zustelladresse, firma_id, updateamum, updatevon, ext_id) VALUES('. - $this->addslashes($this->person_id).', '. - $this->addslashes($this->name).', '. - $this->addslashes($this->strasse).', '. - $this->addslashes($this->plz).', '. - $this->addslashes(trim($this->typ)).', '. - $this->addslashes($this->ort).', '. - $this->addslashes($this->nation).', now(), '. - $this->addslashes($this->insertvon).', '. - $this->addslashes($this->gemeinde).', '. - ($this->heimatadresse?'true':'false').', '. - ($this->zustelladresse?'true':'false').', '. - ($this->firma_id!=null?$this->addslashes($this->firma_id):'null').', now(), '. - $this->addslashes($this->updatevon).', '. - $this->addslashes($this->ext_id).');'; + $this->db_add_param($this->person_id, FHC_INTEGER).', '. + $this->db_add_param($this->name).', '. + $this->db_add_param($this->strasse).', '. + $this->db_add_param($this->plz).', '. + $this->db_add_param(trim($this->typ)).', '. + $this->db_add_param($this->ort).', '. + $this->db_add_param($this->nation).', now(), '. + $this->db_add_param($this->insertvon).', '. + $this->db_add_param($this->gemeinde).', '. + $this->db_add_param($this->heimatadresse,FHC_BOOLEAN, false).', '. + $this->db_add_param($this->zustelladresse,FHC_BOOLEAN, false).', '. + $this->db_add_param($this->firma_id, FHC_INTEGER).', now(), '. + $this->db_add_param($this->updatevon).', '. + $this->db_add_param($this->ext_id, FHC_INTEGER).');'; } else { //Pruefen ob adresse_id eine gueltige Zahl ist if(!is_numeric($this->adresse_id)) { - $this->errormsg = 'adresse_id muss eine gültige Zahl sein: '.$this->adresse_id."\n"; + $this->errormsg = 'adresse_id muss eine gueltige Zahl sein'; return false; } $qry='UPDATE public.tbl_adresse SET'. - ' person_id='.$this->addslashes($this->person_id).', '. 
- ' name='.$this->addslashes($this->name).', '. - ' strasse='.$this->addslashes($this->strasse).', '. - ' plz='.$this->addslashes($this->plz).', '. - ' typ='.$this->addslashes(trim($this->typ)).', '. - ' ort='.$this->addslashes($this->ort).', '. - ' nation='.$this->addslashes($this->nation).', '. - ' gemeinde='.$this->addslashes($this->gemeinde).', '. - ' firma_id='.$this->addslashes($this->firma_id).','. + ' person_id='.$this->db_add_param($this->person_id, FHC_INTEGER).', '. + ' name='.$this->db_add_param($this->name).', '. + ' strasse='.$this->db_add_param($this->strasse).', '. + ' plz='.$this->db_add_param($this->plz).', '. + ' typ='.$this->db_add_param(trim($this->typ)).', '. + ' ort='.$this->db_add_param($this->ort).', '. + ' nation='.$this->db_add_param($this->nation).', '. + ' gemeinde='.$this->db_add_param($this->gemeinde).', '. + ' firma_id='.$this->db_add_param($this->firma_id, FHC_INTEGER).','. ' updateamum= now(), '. - ' updatevon='.$this->addslashes($this->updatevon).', '. - ' heimatadresse='.($this->heimatadresse?'true':'false').', '. - ' zustelladresse='.($this->zustelladresse?'true':'false').' '. - 'WHERE adresse_id='.$this->adresse_id.';'; + ' updatevon='.$this->db_add_param($this->updatevon).', '. + ' heimatadresse='.$this->db_add_param($this->heimatadresse, FHC_BOOLEAN, false).', '. + ' zustelladresse='.$this->db_add_param($this->zustelladresse, FHC_BOOLEAN, false).' '. + 'WHERE adresse_id='.$this->db_add_param($this->adresse_id, FHC_INTEGER, false).';'; } if($this->db_query($qry)) @@ -372,7 +372,7 @@ class adresse extends basis_db } //loeschen des Datensatzes - $qry="DELETE FROM public.tbl_adresse WHERE adresse_id='".addslashes($adresse_id)."';"; + $qry="DELETE FROM public.tbl_adresse WHERE adresse_id='".$this->db_add_param($adresse_id, FHC_INTEGER, false)."';"; if($this->db_query($qry)) { @@ -385,4 +385,4 @@ class adresse extends basis_db } } } -?> \ No newline at end of file +?> 
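Review bot: `heimatadresse` and `zustelladresse` are passed as `FHC_BOOLEAN` with `$nullable=false` in both the INSERT and the UPDATE branch, and the helper introduced in pgsql.class.php accepts only a strict PHP `true`/`false` in that mode and calls `die()` for anything else, where the replaced `($this->heimatadresse?'true':'false')` coerced any value. A record loaded through the new `db_parse_bool` carries `''` for an empty column value, so a load-then-save round trip of a row whose flag is NULL (if those columns are nullable — not visible here) now aborts the request, as does any caller that still assigns `'1'` or `'t'` from a form. I would normalise to a strict bool once before building either statement, e.g. `$heimat = in_array($this->heimatadresse, array(true, 't', '1', 1), true);` and pass `$heimat` to `db_add_param`. The enclosing save() starts before the hunk.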
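Review bot: The DELETE in the `@@ -372` hunk keeps the single quotes around the `FHC_INTEGER` parameter (`adresse_id='".$this->db_add_param(...)."'`) while every other call site in this commit drops them, so an empty `$adresse_id` now yields `adresse_id=''`, which PostgreSQL rejects as invalid integer input, and a non-numeric one reaches `die()` inside the helper. Neither outcome is an injection, but the inconsistency obscures which layer is supposed to validate the id. I would write it like the loaders: `$qry="DELETE FROM public.tbl_adresse WHERE adresse_id=".$this->db_add_param($adresse_id, FHC_INTEGER, false).";";` and keep the numeric check in the delete method, whose start is outside the hunk.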
diff --git a/include/basis.class.php b/include/basis.class.php index 6e8b372f7..e01158770 100644 --- a/include/basis.class.php +++ b/include/basis.class.php @@ -51,6 +51,8 @@ class basis * wenn $var !='' ist werden Datenbankkritische * Zeichen mit Backslash versehen und das Ergbnis * unter Hochkomma gesetzt. + * + * 12/2011 DEPRECATED use db_add_param */ public function addslashes($var) { @@ -113,4 +115,4 @@ class basis return htmlspecialchars($value); } } -?> \ No newline at end of file +?> diff --git a/include/basis_db.class.php b/include/basis_db.class.php index 334fed4c9..a3f3cbb26 100644 --- a/include/basis_db.class.php +++ b/include/basis_db.class.php @@ -1,4 +1,28 @@ , + * Andreas Oesterreicher + * + */ +/** + * Klasse fuer Datenbankabstraktion + */ + require_once(dirname(__FILE__).'/basis.class.php'); abstract class db extends basis @@ -9,6 +33,12 @@ abstract class db extends basis function __construct() { + if(!defined('FHC_INTEGER')) + { + define('FHC_INTEGER',1); + define('FHC_STRING',2); + define('FHC_BOOLEAN',3); + } if (is_null(db::$db_conn)) $this->db_connect(); } @@ -26,10 +56,15 @@ abstract class db extends basis abstract function db_last_error(); abstract function db_free_result($result=null); abstract function db_version(); + abstract function db_escape($var); + abstract function db_null_value($var, $qoute=true); + abstract function db_qoute($var); + abstract function db_add_param($var, $type=FHC_STRING, $nullable=true); + abstract function db_parse_bool($var); /** - * Erzeugt aus den Funktionsparameter eine SLQ Abfrage + * Erzeugt aus den Funktionsparameter eine SQL Abfrage * --- Wird in der Art Sonderzeichen gefunden wird dieses als FunktionsParmeter verarbeitet * @param art die SQL Abfrage die erzeugt werden soll Default ist 'select' * @param distinct - nur wenn art ist 'select' ist @@ -125,4 +160,4 @@ abstract class db extends basis } require_once(dirname(__FILE__).'/'.DB_SYSTEM.'.class.php'); -?> \ No newline at end of file +?> 
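Review bot: The deprecation added in the `@@ -51` hunk is a free-text line inside the docblock; as a PHPDoc tag it lets IDEs and static analysers flag the remaining callers, which matters because the docblock describes this helper as backslash-escaping ("mit Backslash versehen"), and backslash escaping is not a valid quoting scheme for PostgreSQL once `standard_conforming_strings` is on (the backslash is then literal and the following quote terminates the string). I would replace the added line with `@deprecated 12/2011 backslash escaping is unsafe for PostgreSQL with standard_conforming_strings=on; use db_add_param()`. The method body is outside the hunk.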
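Review bot: The `FHC_*` type constants in the `@@ -9` hunk are defined lazily inside `db::__construct()`, yet the same class uses `FHC_STRING` as a default value in its abstract signature and every call site in adresse.class.php passes them as arguments, so a code path that reaches `db_add_param` without this constructor having run (a subclass overriding `__construct` without `parent::__construct()`, or a static helper) hits undefined constants — a notice plus the bare string in PHP 7, a fatal Error in PHP 8. I would move the three `define()` calls to file scope, next to the `require_once` of basis.class.php, or declare them as `const` members of `db` and reference them as `db::FHC_INTEGER`.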
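Review bot: The `@@ -26` hunk freezes the misspelt names `db_qoute()` and `$qoute` into the abstract contract every driver class has to implement; since this is the commit that introduces them, renaming to `db_quote($var)` / `$quote` now is cheap and avoids carrying a compatibility alias later. The abstract declarations also carry no documentation of the null rule that both `db_null_value` and `db_add_param` default to; one line on the latter, `/** SQL literal for $var; an empty value becomes null unless $nullable is false */`, would keep future drivers from diverging from the pgsql implementation.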
diff --git a/include/pgsql.class.php b/include/pgsql.class.php index 245691f7c..1b81ec749 100644 --- a/include/pgsql.class.php +++ b/include/pgsql.class.php @@ -1,8 +1,31 @@ , + * Andreas Oesterreicher + * + */ +/** + * Datenbank Abstraktionsklasse fuer Postgresql Datenbank + */ class basis_db extends db { - function db_connect() + public function db_connect() { $conn_str='host='.DB_HOST.' port='.DB_PORT.' dbname='.DB_NAME.' user='.DB_USER.' password='.DB_PASSWORD; //Connection Herstellen @@ -18,7 +41,7 @@ class basis_db extends db } } - function db_query($sql) + public function db_query($sql) { if ($this->db_result=pg_query(basis_db::$db_conn,$sql)) return $this->db_result; @@ -29,7 +52,7 @@ class basis_db extends db } } - function db_num_rows($result=null) + public function db_num_rows($result=null) { if(is_null($result)) return pg_num_rows($this->db_result); @@ -37,7 +60,7 @@ class basis_db extends db return pg_num_rows($result); } - function db_fetch_object($result = null, $i=null) + public function db_fetch_object($result = null, $i=null) { if(is_null($result)) { @@ -55,7 +78,7 @@ class basis_db extends db } } - function db_fetch_row($result = null, $i=null) + public function db_fetch_row($result = null, $i=null) { if(is_null($result)) { @@ -73,7 +96,7 @@ class basis_db extends db } } - function db_result($result = null, $i,$item) + public function db_result($result = null, $i,$item) { if(is_null($result)) { @@ -85,12 +108,12 @@ class basis_db extends db } } - function db_last_error() + public function db_last_error() { return pg_last_error(); } - function db_affected_rows($result=null) + public function db_affected_rows($result=null) { if(is_null($result)) return pg_affected_rows($this->db_result); @@ -98,7 +121,7 @@ class basis_db extends db return pg_affected_rows($result); } - function db_fetch_array($result=null) + public function db_fetch_array($result=null) { if(is_null($result)) return pg_fetch_array($this->db_result); 
@@ -106,7 +129,7 @@ class basis_db extends db return pg_fetch_array($result); } - function db_num_fields($result=null) + public function db_num_fields($result=null) { if(is_null($result)) return pg_num_fields($this->db_result); @@ -114,7 +137,10 @@ class basis_db extends db return pg_num_fields($result); } - function db_field_name($result=null, $i) + /** + * Liefert den Feldnamen mit index i + */ + public function db_field_name($result=null, $i) { if(is_null($result)) return pg_field_name($this->db_result, $i); @@ -122,7 +148,11 @@ class basis_db extends db return pg_field_name($result, $i); } - function db_free_result($result = null) + /** + * Gibt den Speicher wieder Frei. + * (ist das sinnvoll wenn es per Value uebergeben wird??) + */ + public function db_free_result($result = null) { if(is_null($result)) { 
@@ -134,9 +164,118 @@ class basis_db extends db } } - function db_version() + /** + * Liefert die aktuelle Datenbankversion + */ + public function db_version() { return pg_version(basis_db::$db_conn); } + + /** + * Escaped Sonderzeichen in Variablen vor der Verwendung in SQL Statements + * um SQL Injections zu verhindern + * + */ + public function db_escape($var) + { + return pg_escape_string($var); + } + + /** + * Null Value Handling und Hochkomma für Inserts / Updates + * Wenn die Uebergebe Variable leer ist, wird ein String mit null + * zurueckgeliefert, wenn nicht dann wird der string unter Hochkomma zurueckgeliefert + * es sei denn qoute=false dann wird nur der String zurueckgeliefert + * + * @param $var String-Value fuer SQL Request + * @return string + */ + public function db_null_value($var, $qoute=true) + { + if($qoute) + return ($var!=''?$this->db_qoute($var):'null'); + else + return ($var!=''?$var:'null'); + } + + /** + * Setzt einen String unter Hochkomma + * @param $var Value fuer Insert/Update + * @return value unter Hochkomma + */ + public function db_qoute($var) + { + return "'".$var."'"; + } + + /** + * Escaped einen Parameter fuer die Verwendung in Insert/Update SQL Befehlen + * Es werden abhaengig vom Typ Hochkomma oder Null hinzugefuegt + * @param $var Value der gesetzt werden soll + * @param $type Typ des Values (FHC_STRING | FHC_BOOLEAN | FHC_INTEGER | ...) + * @param $nullable boolean gibt an ob das Feld NULL sein darf. 
Wenn true wird + * NULL statt einem Leerstring zurueckgeliefert + * @return Escapter Value inklusive Hochkomma wenn noetig + * + * Verwendungsbeispiel: + * Update tbl_person set nachname=$this->db_add_param($var) + * Update tbl_person set aktiv=$this->db_add_param($var, FHC_BOOL, false) + * Update tbl_person set anzahlkinder=$this->db_add_param($var, FHC_INT) + */ + public function db_add_param($var, $type=FHC_STRING, $nullable=true) + { + if($var=='' && $type!=FHC_BOOLEAN) + { + if($nullable) + return 'null'; + else + return ''; + } + + switch($type) + { + case FHC_INTEGER: + $var = $this->db_escape($var); + if(!is_numeric($var)) + die('Invalid Integer Parameter detected'); + $var = $this->db_null_value($var, false); + break; + + case FHC_BOOLEAN: + if($var===true) + $var='true'; + elseif($var===false) + $var='false'; + elseif($var=='' && $nullable) + $var = 'null'; + else + die('Invalid Boolean Parameter detected'); + break; + + case FHC_STRING: + default: + $var = $this->db_escape($var); + $var = $this->db_null_value($var); + break; + } + return $var; + } + + /** + * Erzeugt aus einem DB-Result-Boolean einen PHP Boolean + */ + public function db_parse_bool($var) + { + if($var=='t') + return true; + elseif($var=='f') + return false; + elseif($var=='') + return ''; + else + die('Invalid DB Boolean. Wrong DB-Engine?'); + } + } -?> \ No newline at end of file +?> diff --git a/rdf/adresse.rdf.php b/rdf/adresse.rdf.php index 2e3eea90a..7d155b9bd 100644 --- a/rdf/adresse.rdf.php +++ b/rdf/adresse.rdf.php @@ -60,7 +60,8 @@ echo ' if($adresse_id!='') { - $adresse->load($adresse_id); + if(!$adresse->load($adresse_id)) + die('Fehler: '.$adresse->errormsg); draw_rdf($adresse); } else @@ -119,4 +120,4 @@ function draw_rdf($row) } ?> - \ No newline at end of file +
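Review bot: `db_escape()` calls `pg_escape_string($var)` without the connection resource, so the escaping is done against whichever connection libpq opened last (or none) rather than the `basis_db::$db_conn` that `db_query()` uses; client encoding and `standard_conforming_strings` are per-connection, and with a multibyte client encoding a byte-wise escape that ignores them can be broken out of. `db_add_param()` also tests emptiness with loose `$var==''`, which is true for integer `0` in PHP 7, so `db_add_param(0, FHC_INTEGER)` yields `null` and `db_add_param(0, FHC_INTEGER, false)` yields an empty string, and for `FHC_STRING` with `$nullable=false` an empty value comes back as a bare empty string rather than the SQL literal `''`, producing invalid SQL. The `die()` calls bypass the `errormsg` convention every caller relies on; that is a design choice, but the cases below should at least be handled without reaching them. The suggested rewrite covers `db_escape` and the head of `db_add_param`; the rest of the hunk is unchanged.
```php
public function db_escape($var)
{
    // Escape against the live connection so that the session's client
    // encoding and standard_conforming_strings setting are honoured.
    return pg_escape_string(basis_db::$db_conn, $var);
}

// … unchanged: db_null_value, db_qoute …

public function db_add_param($var, $type=FHC_STRING, $nullable=true)
{
    // Strict emptiness test: integer 0 and boolean false are real values.
    if(($var === '' || $var === null) && $type != FHC_BOOLEAN)
    {
        if($nullable)
            return 'null';
        if($type == FHC_STRING)
            return "''";
        die('Empty value for non-nullable parameter');
    }
    // … unchanged: switch($type) …
}
```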
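Review bot: The new failure branch in `adresse.rdf.php` writes `$adresse->errormsg` straight into the response; if that string carries driver text (the abstraction exposes `db_last_error()`, whether load() copies it into `errormsg` is not visible here) it discloses table and query detail to the client, and it is emitted without any escaping for the output format. I would log the detail server-side and return a generic message: `error_log('adresse.rdf.php: '.$adresse->errormsg); die('Fehler beim Laden der Adresse');`. The surrounding if/else begins before the hunk.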