sql.php File Reference

SQL database functions. More...

Go to the source code of this file.

Functions

 sql_quote ($value, $dblink)
 quote a value
 sql_kw_parse ($action, $kw, $dblink)
 parse keywords
 sql_query ($action, $kw, $dblink)
 perform an SQL "action"
 sql_init ()
 initalize a SQL database connection
 sql_exit ($dblink)
 close a SQL database connection

Variables

 $sql_actions
 SQL actions.

Detailed Description

SQL database functions.

Definition in file sql.php.

Function Documentation

sql_exit ( dblink  ) 

close a SQL database connection

Parameters:
$dblink an open database handle

Definition at line 329 of file sql.php.

Referenced by do_action(), do_login(), setpw(), show_collection(), show_index(), and show_users().

00329                            {
00330         global $_SESSION;
00331         mysql_close($dblink);
00332 }

sql_init (  ) 

initalize a SQL database connection

Returns:
an open database handle

Definition at line 311 of file sql.php.

Referenced by do_action(), do_login(), main(), show_collection(), show_index(), and show_users().

00311                     {
00312         global $db_host, $db_user, $db_pass, $db_name, $_SESSION;
00313 
00314         ($dblink = mysql_connect($db_host, $db_user, $db_pass)) or
00315                 user_error( "mysql connection to host $db_host failed\n" .
00316                            mysql_error(), E_USER_ERROR );
00317 
00318         mysql_select_db($db_name, $dblink) or
00319                 user_error( "database $db_name not present\n" . mysql_error(),
00320                             E_USER_ERROR );
00321 
00322         return $dblink;
00323 }

sql_kw_parse ( action,
kw,
dblink 
)

parse keywords

Parameters:
$action -- an SQL action
$kw -- user-supplied arguments
$dblink -- SQL database link
Returns:
an associative array for use in strtr()
This is a helper function for sql_query() and returns an associative array that maps "SQL placeholders" (e.g. '@v:foo@', '@vq:foo@', etc.) to the appropriate substitiutions as determined from $kw (e.g. $kw['foo']). Quoting is performed where necessary.

The resulting array is suitable for use in a strtr() function. It can be used to substitute the placeholders in an SQL statement prototype with their real values, thus turning the SQL statement prototype into a real SQL statement.

Definition at line 121 of file sql.php.

References $sql_actions, and sql_quote().

Referenced by sql_query().

00121                                                 {
00122 
00123         global $sql_actions;
00124 
00125         # check arguments
00126  
00127         if (!isset($sql_actions[$action])) {
00128                 user_error("illegal action: $action", E_USER_ERROR);
00129         }
00130 
00131         if (!is_array ($kw)) {
00132                 user_error("illegal parameter type:" . gettype($kw), 
00133                            E_USER_ERROR);
00134         }
00135 
00136         $kw = array_merge($sql_actions[$action]['kw_default'], $kw);
00137 
00138 
00139         foreach ($sql_actions[$action]['kw_args'] as $k) {
00140                 if (!isset($kw[$k])){ 
00141                         user_error("required keyword missing: $k", 
00142                         E_USER_ERROR);
00143                 }
00144         }
00145                 
00146         $kw_out = array();
00147  
00148         foreach ($kw as $key => $val) {
00149 
00150                 $type = gettype($val);
00151 
00152                 switch($type) {
00153 
00154                 case "array":
00155 
00156                         $keys = $vals = $keys_vals = "";
00157                         $vals_q = $keys_vals_q = "";
00158 
00159                         foreach ($val as $k => $v ) {
00160                                 
00161                                 $keys .= "$k,";
00162 
00163                                 # unquoted 
00164 
00165                                 $vals .= "$v,";
00166                                 $keys_vals .= "$k = $v,";
00167 
00168                                 $kw_out["@v:${key}#${k}@"] = $v;
00169 
00170                                 # quoted 
00171 
00172                                 $v = sql_quote($v, $dblink);
00173 
00174                                 $vals_q .= "$v,";
00175                                 $keys_vals_q .= "$k = $v,";
00176 
00177                                 $kw_out["@vq:${key}#${k}@"] = $v;
00178                         }
00179 
00180                         $kw_out["@k:$key@"] = rtrim($keys, ',');
00181                         $kw_out["@v:$key@"] = rtrim($vals, ',');
00182                         $kw_out["@kv:$key@"] = rtrim($keys_vals, ',');
00183 
00184                         $kw_out["@vq:$key@"] = rtrim($vals_q, ',');
00185                         $kw_out["@kvq:$key@"] = rtrim($keys_vals_q, ',');
00186 
00187                         break;
00188 
00189                 case "string": 
00190 
00191                         $kw_out['@v:' . $key . '@'] = $val;
00192                         $kw_out['@vq:' . $key . '@'] = sql_quote($val, $dblink);
00193                         break;
00194 
00195                 default:
00196                         user_error("illegal type $type for key $key",  
00197                                    E_USER_ERROR);
00198                 }
00199         }
00200  
00201         return $kw_out;
00202 }

Here is the call graph for this function:

sql_query ( action,
kw,
dblink 
)

perform an SQL "action"

This function performs one of several well-defined "actions" on the database. The supported actions are defined in $sql_actions[].

Parameters:
$action -- the action to be performed
$kw -- an associative array containing user-supplied arguments for the action
$dblink -- an open database handle
Returns:
the result of the query
Each action is defined as an SQL statement prototype that may contain placeholders. It is possible for the caller to submit data to an action via the $kw parameter. First, the placeholders in the prototype are replaced by the data from $kw[]. Afterwards, the SQL statement is executed.

Note:
To prevent SQL injection attacks, a mechanism has been devised to ensure proper quotation of all arguments. Where so required, special placeholders can be used to enforce quotation of string-valued arguments (e.g. inside an INSERT statement). (Integer-valued arguments are never quoted, regardless of whether quotation is required.)
Recognized placeholders in SQL statements include:

Some special placeholders are supported if $kw['foo'] is itself an associative array:

Definition at line 252 of file sql.php.

References $sql_actions, and sql_kw_parse().

Referenced by coll_set_state(), do_delete_item(), do_login(), edit_item(), expire(), extend_loan(), get_html_options(), get_item_owner(), main(), may_delete_item(), report(), send_reminder(), set_item_state(), set_random_pw(), setpw(), show_collection(), show_index(), show_users(), view_email(), and view_item().

00252                                              {
00253 
00254         global $sql_actions, $debug_level;
00255 
00256 
00257 
00258         if (!isset($sql_actions[$action])) {
00259                 user_error("illegal action: $action" , E_USER_ERROR);
00260         }
00261 
00262         if ($debug_level > 10) {
00263                 print "action: $action";
00264                 print "<hr><pre>SQL Keywords before parsing:\n";
00265                 print_r($kw);
00266                 print "</pre><hr>";
00267         }       
00268 
00269         $kw = sql_kw_parse($action, $kw, $dblink);
00270 
00271         if ($debug_level > 10) {
00272                 print "<hr><pre>SQL Keywords after parsing:\n";
00273                 print_r($kw);
00274                 print "</pre><hr>";
00275         }       
00276 
00277         $q = $sql_actions[$action]['sql']; 
00278         $q = strtr($q, $kw);
00279 
00280         if ($debug_level > 10) {
00281                 print "<hr><pre>SQL query: $q </pre><hr>\n";
00282         }       
00283 
00284         $result = mysql_query($q, $dblink) or 
00285                 user_error( "mysql query failed: \"$q\"\n" . mysql_error(),
00286                                 E_USER_ERROR );
00287 
00288         $ans = array();
00289 
00290         if ($result) {
00291                 $i = 0;
00292                 while ( $ans[$i++] = mysql_fetch_assoc($result) )
00293                          ;
00294 
00295                 unset($ans[$i-1]);
00296         }
00297 
00298         if ($debug_level > 20) {
00299                 print "<hr><pre>SQL answer: \n";
00300                 print_r($ans);
00301                 print "<hr>\n";
00302         }       
00303 
00304         return $ans;
00305 }

Here is the call graph for this function:

sql_quote ( value,
dblink 
)

quote a value

Parameters:
$value -- unquoted value
$dblink -- open database handle
Returns:
quoted value, suitable for use in an SQL statement

Definition at line 73 of file sql.php.

Referenced by sql_kw_parse().

00073                                      {
00074 
00075    # Strip slashes
00076 
00077    if (get_magic_quotes_gpc()) {
00078        $value = stripslashes($value);
00079    }
00080 
00081    $type = gettype($value);
00082 
00083    switch($type) {
00084         
00085         case "string":
00086              $value = "'" . mysql_real_escape_string($value, $dblink) . "'";
00087              break;
00088 
00089         case "boolean":
00090              $value = ($value) ? 1 : 0; # xxx mysql specific??
00091              break;
00092 
00093         case "integer": 
00094         case "float": 
00095              break;
00096         
00097         default:
00098                 user_error("unsupported type: $type", E_USER_ERROR);
00099     }
00100 
00101     return $value;
00102 }

Variable Documentation

$sql_actions

SQL actions.

This array defines SQL "actions" to be performed by sql_query().

Definition at line 16 of file sql.php.

Referenced by sql_kw_parse(), and sql_query().

Generated on Fri Jul 14 17:38:59 2006 for semapp by  doxygen 1.4.7