
Codingstyle PSR12 + array syntax

Hanno Böck authored on 30/10/2021 21:18:17
Showing 1 changed files
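--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -32,7 +32,7 @@ class DB extends PDO
         }
         $username = config('db_user', true);
         $password = config('db_pass', true);
-        parent::__construct($dsn, $username, $password, array(PDO::ATTR_TIMEOUT => "30"));
+        parent::__construct($dsn, $username, $password, [PDO::ATTR_TIMEOUT => "30"]);
     }
 
 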
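Review bot: `PDO::ATTR_TIMEOUT` is still passed as the string `"30"` on the rewritten line; the attribute is an integer number of seconds, so `[PDO::ATTR_TIMEOUT => 30]` says what is meant without relying on loose coercion. The timeout is also the only connection setting here that is not read via `config()`, which may be intentional but deserves a one-line comment such as `// connection timeout in seconds; fail fast instead of retrying the DB`. The rest of `__construct()` lies outside this hunk.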

PHP 8.0 compatibility

Bernd Wurst authored on 09/12/2020 07:52:39
Showing 1 changed files
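--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -39,7 +39,7 @@ class DB extends PDO
     /*
       Wenn Parameter übergeben werden, werden Queries immer als Prepared statements übertragen
     */
-    public function query($stmt, $params = null, $allowempty = false)
+    public function myquery($stmt, $params = null, $allowempty = false)
     {
         if (is_array($params)) {
             if (config("enable_debug") && !$allowempty) {
@@ -131,7 +131,7 @@ function db_query($stmt, $params = null, $allowempty = false)
         DEBUG($params);
     }
     try {
-        $result = $_db->query($stmt, $params, $allowempty);
+        $result = $_db->myquery($stmt, $params, $allowempty);
         DEBUG('=> '.$result->rowCount().' rows');
     } catch (PDOException $e) {
         global $debugmode;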
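Review bot: The renamed `myquery()` carries no documentation beyond the German block comment, and its contract now differs from the `PDO::query()` it no longer overrides; a short docblock would help, e.g. `/** Runs $stmt as a prepared statement when $params is an array, otherwise via PDO::query(); $allowempty only suppresses the debug-mode empty-parameter warning. */`. Any caller outside this file that still invokes `$_db->query($stmt, $params)` with an array now reaches `PDO::query()` directly, where the second argument is a fetch mode, so such call sites need the same rename — only `db_query()` is updated here, as far as the hunks show. The body of `myquery()` continues past the hunk.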

optional parameter to not warn about empty params to database queries

Hanno authored on 23/07/2018 15:39:24
Showing 1 changed files
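--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -39,10 +39,10 @@ class DB extends PDO
     /*
       Wenn Parameter übergeben werden, werden Queries immer als Prepared statements übertragen
     */
-    public function query($stmt, $params = null)
+    public function query($stmt, $params = null, $allowempty = false)
     {
         if (is_array($params)) {
-            if (config("enable_debug")) {
+            if (config("enable_debug") && !$allowempty) {
                 foreach (array_values($params) as $p) {
                     if ($p === '') {
                         DEBUG("Potential bug, empty string found in database parameters");
@@ -121,7 +121,7 @@ function __ensure_connected()
 }
 
 
-function db_query($stmt, $params = null)
+function db_query($stmt, $params = null, $allowempty = false)
 {
     global $_db;
     __ensure_connected();
@@ -131,7 +131,7 @@ function db_query($stmt, $params = null)
         DEBUG($params);
     }
     try {
-        $result = $_db->query($stmt, $params);
+        $result = $_db->query($stmt, $params, $allowempty);
         DEBUG('=> '.$result->rowCount().' rows');
     } catch (PDOException $e) {
         global $debugmode;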
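Review bot: `$allowempty` is a positional boolean that only disables the debug-mode warning; it does not change how the statement is executed, which its name suggests. A comment at the parameter, `// $allowempty: suppress the "empty string" debug warning for this call; execution is unchanged`, would stop readers from assuming it toggles validation. Call sites will read as `db_query($stmt, $params, true)`, so documenting the third argument on `db_query()` (hunk at @@ -121) matters as much as on `query()`. Both function bodies extend beyond their hunks.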

Fix coding style with php-cs-checker, see https://cs.sensiolabs.org/

Hanno authored on 26/06/2018 13:58:19
Showing 1 changed files
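--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -8,7 +8,7 @@ Written 2008-2018 by schokokeks.org Hosting, namely
 
 To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
 
-You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 
+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see
 http://creativecommons.org/publicdomain/zero/1.0/
 
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
@@ -19,126 +19,127 @@ require_once('inc/error.php');
 require_once('inc/debug.php');
 
 
-class DB extends PDO {
-  function __construct() {
-    $dsn = "mysql:host=".config('db_host', true);
-    if (config('db_port', true)) {
-      $dsn .= ';port='.config('db_port', true);
-    }
-    if (config('db_socket', true)) {
-      $dsn = "mysql:unix_socket=".config('db_socket', true);
-    }
-    $username = config('db_user', true);
-    $password = config('db_pass', true);
-    parent::__construct($dsn, $username, $password, array(PDO::ATTR_TIMEOUT => "30"));
-  }
-
-
-  /*
-    Wenn Parameter übergeben werden, werden Queries immer als Prepared statements übertragen
-  */
-  function query($stmt, $params = NULL) {
-    if (is_array($params)) {
-      if (config("enable_debug")) {
-        foreach (array_values($params) as $p) {
-          if ($p === '') {
-            DEBUG("Potential bug, empty string found in database parameters");
-            warning("Potential bug, empty string found in database parameters");
-          }
+class DB extends PDO
+{
+    public function __construct()
+    {
+        $dsn = "mysql:host=".config('db_host', true);
+        if (config('db_port', true)) {
+            $dsn .= ';port='.config('db_port', true);
         }
-      }
-      $response = parent::prepare($stmt);
-      $response->execute($params);
-      return $response;
-    } else {
-      if (strtoupper(substr($stmt, 0, 6)) == "INSERT" ||
+        if (config('db_socket', true)) {
+            $dsn = "mysql:unix_socket=".config('db_socket', true);
+        }
+        $username = config('db_user', true);
+        $password = config('db_pass', true);
+        parent::__construct($dsn, $username, $password, array(PDO::ATTR_TIMEOUT => "30"));
+    }
+
+
+    /*
+      Wenn Parameter übergeben werden, werden Queries immer als Prepared statements übertragen
+    */
+    public function query($stmt, $params = null)
+    {
+        if (is_array($params)) {
+            if (config("enable_debug")) {
+                foreach (array_values($params) as $p) {
+                    if ($p === '') {
+                        DEBUG("Potential bug, empty string found in database parameters");
+                        warning("Potential bug, empty string found in database parameters");
+                    }
+                }
+            }
+            $response = parent::prepare($stmt);
+            $response->execute($params);
+            return $response;
+        } else {
+            if (strtoupper(substr($stmt, 0, 6)) == "INSERT" ||
           strtoupper(substr($stmt, 0, 7)) == "REPLACE" ||
           strpos(strtoupper($stmt), "WHERE") > 0) { // Das steht nie am Anfang
-        $backtrace = debug_backtrace();
-        $wherepart = substr(strtoupper($stmt), strpos(strtoupper($stmt), "WHERE"));
-        if ((strpos($wherepart, '"') > 0 || strpos($wherepart, "'") > 0) && config("enable_debug")) {
-          warning("Possibly unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}:\n$stmt");
+                $backtrace = debug_backtrace();
+                $wherepart = substr(strtoupper($stmt), strpos(strtoupper($stmt), "WHERE"));
+                if ((strpos($wherepart, '"') > 0 || strpos($wherepart, "'") > 0) && config("enable_debug")) {
+                    warning("Possibly unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}:\n$stmt");
+                }
+            }
+            return parent::query($stmt);
         }
-      }
-      return parent::query($stmt);
     }
-  }
 }
 
 
-/* FIXME 
+/* FIXME
    Das ist etwas unelegant. Soll nur übergangsweise verwendet werden bis alles auf prepared statements umgestellt ist
 */
 function db_escape_string($string)
 {
-  if (config("enable_debug")) {
-    $backtrace = debug_backtrace();
-    warning("call to db_escape_string() in {$backtrace[0]['file']} line {$backtrace[0]['line']}");
-  }
-  global $_db;
-  __ensure_connected();
-  $quoted = $_db->quote($string);
-  // entferne die quotes, damit wird es drop-in-Kompatibel zu db_escape_string()
-  $ret = substr($quoted, 1, -1);
-  return $ret;
+    if (config("enable_debug")) {
+        $backtrace = debug_backtrace();
+        warning("call to db_escape_string() in {$backtrace[0]['file']} line {$backtrace[0]['line']}");
+    }
+    global $_db;
+    __ensure_connected();
+    $quoted = $_db->quote($string);
+    // entferne die quotes, damit wird es drop-in-Kompatibel zu db_escape_string()
+    $ret = substr($quoted, 1, -1);
+    return $ret;
 }
 
 
 function db_insert_id()
 {
-  global $_db;
-  __ensure_connected();
-  return $_db->lastInsertId();
+    global $_db;
+    __ensure_connected();
+    return $_db->lastInsertId();
 }
 
 
 function __ensure_connected()
 {
-  /*
-    Dieses Kontrukt ist vermultich noch schlimmer als ein normales singleton
-    aber es hilft uns in unserem prozeduralen Kontext
-  */
-  global $_db;
-  if (! isset($_db)) {
-    try {
-      DEBUG("Neue Datenbankverbindung!");
-      $_db = new DB();
-      $_db->query("SET NAMES utf8mb4");
-      $_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
-      $_db->setAttribute(PDO::ATTR_AUTOCOMMIT, true);
-    } catch (PDOException $e) {
-      global $debugmode;
-      if ($debugmode) {
-        die("MySQL-Fehler: ".$e->getMessage());
-      } else {
-        die("Fehler bei der Datenbankverbindung!");
-      }
+    /*
+      Dieses Kontrukt ist vermultich noch schlimmer als ein normales singleton
+      aber es hilft uns in unserem prozeduralen Kontext
+    */
+    global $_db;
+    if (! isset($_db)) {
+        try {
+            DEBUG("Neue Datenbankverbindung!");
+            $_db = new DB();
+            $_db->query("SET NAMES utf8mb4");
+            $_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+            $_db->setAttribute(PDO::ATTR_AUTOCOMMIT, true);
+        } catch (PDOException $e) {
+            global $debugmode;
+            if ($debugmode) {
+                die("MySQL-Fehler: ".$e->getMessage());
+            } else {
+                die("Fehler bei der Datenbankverbindung!");
+            }
+        }
     }
-  }
 }
 
 
-function db_query($stmt, $params = NULL)
+function db_query($stmt, $params = null)
 {
-  global $_db;
-  __ensure_connected();
-  $backtrace = debug_backtrace();
-  DEBUG($backtrace[0]['file'].':'.$backtrace[0]['line'].': '.htmlspecialchars($stmt));
-  if ($params) {
-    DEBUG($params);
-  }
-  try {
-    $result = $_db->query($stmt, $params);
-    DEBUG('=> '.$result->rowCount().' rows');
-  } catch (PDOException $e) {
-    global $debugmode;
-    if ($debugmode) {
-      system_failure("MySQL-Fehler: ".$e->getMessage()."\nQuery:\n".$stmt."\nParameters:\n".print_r($params, true));
-    } else {
-      system_failure("Datenbankfehler");
+    global $_db;
+    __ensure_connected();
+    $backtrace = debug_backtrace();
+    DEBUG($backtrace[0]['file'].':'.$backtrace[0]['line'].': '.htmlspecialchars($stmt));
+    if ($params) {
+        DEBUG($params);
+    }
+    try {
+        $result = $_db->query($stmt, $params);
+        DEBUG('=> '.$result->rowCount().' rows');
+    } catch (PDOException $e) {
+        global $debugmode;
+        if ($debugmode) {
+            system_failure("MySQL-Fehler: ".$e->getMessage()."\nQuery:\n".$stmt."\nParameters:\n".print_r($params, true));
+        } else {
+            system_failure("Datenbankfehler");
+        }
     }
-  }
-  return $result;
+    return $result;
 }
-
-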
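Review bot: In the re-indented `db_query()` the final `return $result;` is reached with `$result` never assigned if `system_failure()` returns instead of terminating; the reformat keeps that path, so either `system_failure()` should be documented as non-returning or the function should `return null;` explicitly after the catch. The comparisons `strpos(strtoupper($stmt), "WHERE") > 0` and `strpos($wherepart, '"') > 0` in `query()` only work because a match at offset 0 cannot occur there; `!== false` states the intent. These are pre-existing issues carried over verbatim and can go in a follow-up.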

Verify-Funktion für Kunden-Mailadressen eingebaut. Vorbereitung für Self-service-Änderungen

Bernd Wurst authored on 11/11/2017 11:49:10
Showing 1 changed files
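--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -123,7 +123,7 @@ function db_query($stmt, $params = NULL)
   global $_db;
   __ensure_connected();
   $backtrace = debug_backtrace();
-  DEBUG($backtrace[0]['file'].':'.$backtrace[0]['line'].': '.$stmt);
+  DEBUG($backtrace[0]['file'].':'.$backtrace[0]['line'].': '.htmlspecialchars($stmt));
   if ($params) {
     DEBUG($params);
   }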
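Review bot: `htmlspecialchars($stmt)` is called with the default flags, which on the PHP versions of this era (`ENT_COMPAT`) leave single quotes unescaped; SQL text is full of `'...'` literals, so if `DEBUG()` output lands in an HTML attribute context the escaping is incomplete — `htmlspecialchars($stmt, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` covers that. `DEBUG($params)` on the following context line still receives the raw parameter values, so the same consideration applies there, depending on how `DEBUG()` renders (not visible here).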

Copyright year update

Bernd Wurst authored on 13/01/2018 06:07:05
Showing 1 changed files
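--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,7 +2,7 @@
 /*
 This file belongs to the Webinterface of schokokeks.org Hosting
 
-Written 2008-2014 by schokokeks.org Hosting, namely
+Written 2008-2018 by schokokeks.org Hosting, namely
   Bernd Wurst <bernd@schokokeks.org>
   Hanno Böck <hanno@schokokeks.org>
 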

Ermögliche die Verwendung von erweiterten Zeichen (z.B. im Domainnamen)

Bernd Wurst authored on 22/12/2017 07:39:52
Showing 1 changed files
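--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -103,7 +103,7 @@ function __ensure_connected()
     try {
       DEBUG("Neue Datenbankverbindung!");
       $_db = new DB();
-      $_db->query("SET NAMES utf8");
+      $_db->query("SET NAMES utf8mb4");
       $_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
       $_db->setAttribute(PDO::ATTR_AUTOCOMMIT, true);
     } catch (PDOException $e) {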
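Review bot: `SET NAMES utf8mb4` changes the server-side session charset, but PDO's own client-side quoting (`PDO::quote()` and emulated prepares, which pdo_mysql enables by default) uses the charset given in the DSN; with no `;charset=` in the DSN the two can disagree, which is the classic multibyte escaping mismatch. Prefer `"mysql:host=...;charset=utf8mb4"` in `DB::__construct()` (outside this hunk) and keep or drop the `SET NAMES` accordingly. `db_escape_string()` in this file is built on `$_db->quote()`, so it is the function affected.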

Zeige Warnung für unsichere Datenbank-Abfrage nur, wenn im WHERE-Teil ein Anführungszeichen steht.

Bernd Wurst authored on 06/02/2017 11:35:00
Showing 1 changed files
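--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -55,8 +55,9 @@ class DB extends PDO {
           strtoupper(substr($stmt, 0, 7)) == "REPLACE" ||
           strpos(strtoupper($stmt), "WHERE") > 0) { // Das steht nie am Anfang
         $backtrace = debug_backtrace();
-        if (config("enable_debug")) {
-          warning("Unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
+        $wherepart = substr(strtoupper($stmt), strpos(strtoupper($stmt), "WHERE"));
+        if ((strpos($wherepart, '"') > 0 || strpos($wherepart, "'") > 0) && config("enable_debug")) {
+          warning("Possibly unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}:\n$stmt");
         }
       }
       return parent::query($stmt);
@@ -132,7 +133,7 @@ function db_query($stmt, $params = NULL)
   } catch (PDOException $e) {
     global $debugmode;
     if ($debugmode) {
-      system_failure("MySQL-Fehler: ".$e->getMessage()."\nQuery:\n".$stmt);
+      system_failure("MySQL-Fehler: ".$e->getMessage()."\nQuery:\n".$stmt."\nParameters:\n".print_r($params, true));
     } else {
       system_failure("Datenbankfehler");
     }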
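Review bot: `substr(strtoupper($stmt), strpos(strtoupper($stmt), "WHERE"))` is also evaluated for the `INSERT`/`REPLACE` branches, where `strpos()` can return `false`; the code then relies on `false` coercing to offset 0 so the whole statement gets scanned, which is accidental and would be a `TypeError` under `strict_types`. Computing `$pos = strpos($upper, "WHERE")` once and using `$pos === false ? $upper : substr($upper, $pos)` makes the intent explicit. In the second hunk, `print_r($params, true)` puts every bound value into the failure message; that is gated on `$debugmode`, but bound parameters can include password hashes or customer data, so it is worth confirming that `system_failure()` output never reaches logs or users in that mode.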

Zeige fehlerhaftes SQL-Query an im Debug-modus

Bernd Wurst authored on 18/02/2015 17:05:28
Showing 1 changed files
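--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -132,7 +132,7 @@ function db_query($stmt, $params = NULL)
   } catch (PDOException $e) {
     global $debugmode;
     if ($debugmode) {
-      system_failure("MySQL-Fehler: ".$e->getMessage());
+      system_failure("MySQL-Fehler: ".$e->getMessage()."\nQuery:\n".$stmt);
     } else {
       system_failure("Datenbankfehler");
     }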
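Review bot: `$stmt` is concatenated into the `system_failure()` message without any escaping; whether that is safe depends on how `system_failure()` renders (HTML page or plain log), which is not visible here. Since `db_query()` already hands the statement to `DEBUG()` at the top of the function, consider keeping the failure message to `$e->getMessage()` and relying on that channel, or escape per output context inside `system_failure()`. Exposure is limited to `$debugmode`, as the surrounding `if` shows.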

kürzerer Datenbank-Timeout und direkte, unformatierte Fehlermeldung damit nicht noch mehr Versuche unternommen werden die Datenbank zu erreichen

Bernd Wurst authored on 20/02/2014 17:47:41
Showing 1 changed files
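--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -30,7 +30,7 @@ class DB extends PDO {
     }
     $username = config('db_user', true);
     $password = config('db_pass', true);
-    parent::__construct($dsn, $username, $password);
+    parent::__construct($dsn, $username, $password, array(PDO::ATTR_TIMEOUT => "30"));
   }
 
 
@@ -108,9 +108,9 @@ function __ensure_connected()
     } catch (PDOException $e) {
       global $debugmode;
       if ($debugmode) {
-        system_failure("MySQL-Fehler: ".$e->getMessage());
+        die("MySQL-Fehler: ".$e->getMessage());
       } else {
-        system_failure("Fehler bei der Datenbankverbindung!");
+        die("Fehler bei der Datenbankverbindung!");
       }
     }
   }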
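Review bot: The two `die()` calls in `__ensure_connected()` end the request with the default 200 status and a bare string, so HTTP clients and monitoring see a successful response carrying an error body; `http_response_code(503);` before the `if ($debugmode)` keeps the commit's intent of not retrying through `system_failure()` while giving callers a correct signal. The debug branch also prints `$e->getMessage()`, which for a connection failure can include host and user name — fine only as long as `$debugmode` is never enabled in production.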

Lizenzinfos in eigenes Modul ausgelagert und Copyright auf 2014 angepasst

Bernd Wurst authored on 08/02/2014 05:45:07
Showing 1 changed files
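--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,7 +2,7 @@
 /*
 This file belongs to the Webinterface of schokokeks.org Hosting
 
-Written 2008-2013 by schokokeks.org Hosting, namely
+Written 2008-2014 by schokokeks.org Hosting, namely
   Bernd Wurst <bernd@schokokeks.org>
   Hanno Böck <hanno@schokokeks.org>
 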

String 'NULL' eliminiert

Bernd Wurst authored on 07/02/2014 14:21:11
Showing 1 changed files
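--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -42,6 +42,7 @@ class DB extends PDO {
       if (config("enable_debug")) {
         foreach (array_values($params) as $p) {
           if ($p === '') {
+            DEBUG("Potential bug, empty string found in database parameters");
             warning("Potential bug, empty string found in database parameters");
           }
         }
@@ -71,7 +72,7 @@ function db_escape_string($string)
 {
   if (config("enable_debug")) {
     $backtrace = debug_backtrace();
-    warning("call to db_escape_string() in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
+    warning("call to db_escape_string() in {$backtrace[0]['file']} line {$backtrace[0]['line']}");
   }
   global $_db;
   __ensure_connected();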

Bugfix: E-Mail-User konnte sein Passwort nicht mehr ändern

Bernd Wurst authored on 07/02/2014 05:13:04
Showing 1 changed files
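--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -120,7 +120,8 @@ function db_query($stmt, $params = NULL)
 {
   global $_db;
   __ensure_connected();
-  DEBUG($stmt);
+  $backtrace = debug_backtrace();
+  DEBUG($backtrace[0]['file'].':'.$backtrace[0]['line'].': '.$stmt);
   if ($params) {
     DEBUG($params);
   }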
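Review bot: `debug_backtrace()` now runs on every query, and without the `DEBUG_BACKTRACE_IGNORE_ARGS` option it also captures the arguments of every frame, including the `$params` array that may hold credentials or customer data; only `file` and `line` of frame 0 are used, so `debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)` is cheaper and keeps sensitive values out of the captured trace. If `DEBUG()` is a no-op outside debug mode, the call could also be guarded by `config("enable_debug")` the way `db_escape_string()` guards its trace elsewhere in this file.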

Weitere Umstellungen auf prepared statements

Bernd Wurst authored on 03/02/2014 20:49:24
Showing 1 changed files
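--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -39,6 +39,13 @@ class DB extends PDO {
   */
   function query($stmt, $params = NULL) {
     if (is_array($params)) {
+      if (config("enable_debug")) {
+        foreach (array_values($params) as $p) {
+          if ($p === '') {
+            warning("Potential bug, empty string found in database parameters");
+          }
+        }
+      }
       $response = parent::prepare($stmt);
       $response->execute($params);
       return $response;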
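Review bot: The check emits the same message for every empty string, so a statement with several parameters gives no hint which one is suspicious; iterating `foreach ($params as $key => $p)` and including the key in the message, `warning("Potential bug, empty string found in database parameters (parameter $key)");`, makes the warning actionable, and `array_values()` becomes unnecessary. The check is limited to `''`; if `null` passed where a string is expected is also a mistake the project wants to catch, the same loop is the place for it. `query()` continues past the hunk.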

* Weitere Module auf prepared-statements umgestellt * Warnung beim Aufruf von db_escape_string() und maybe_null() hinzugefügt

Bernd Wurst authored on 03/02/2014 16:57:44
Showing 1 changed files
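--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -62,6 +62,10 @@ class DB extends PDO {
 */
 function db_escape_string($string)
 {
+  if (config("enable_debug")) {
+    $backtrace = debug_backtrace();
+    warning("call to db_escape_string() in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
+  }
   global $_db;
   __ensure_connected();
   $quoted = $_db->quote($string);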
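Review bot: `$backtrace[1]` is the frame of whoever called the function that called `db_escape_string()`, not the `db_escape_string()` call site itself — frame 0 of `debug_backtrace()` inside a function holds that function's own call location — so the warning points one level too far up, and `$backtrace[1]` is undefined when the call comes from top-level script code. `{$backtrace[0]['file']}` / `{$backtrace[0]['line']}` is the intended location. The function body continues past the hunk.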

Einige Statements auf Prepared-statements umgestellt

Bernd Wurst authored on 02/02/2014 16:31:00
Showing 1 changed files
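--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -44,6 +44,7 @@ class DB extends PDO {
       return $response;
     } else {
       if (strtoupper(substr($stmt, 0, 6)) == "INSERT" ||
+          strtoupper(substr($stmt, 0, 7)) == "REPLACE" ||
           strpos(strtoupper($stmt), "WHERE") > 0) { // Das steht nie am Anfang
         $backtrace = debug_backtrace();
         if (config("enable_debug")) {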
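Review bot: The new `REPLACE` test, like the `INSERT` one above it, compares the very first bytes of `$stmt`, so a statement that begins with whitespace or a newline (usual for multi-line queries) is never classified; computing `$upper = strtoupper(ltrim($stmt));` once and testing `substr($upper, 0, 7) === 'REPLACE'` keeps the heuristic consistent and also replaces the loose `==`. The enclosing `query()` method starts before and ends after this hunk.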

Interne variabe anders nenne, da es Kollissionen mit dem MySQL-Modul gibt

Bernd Wurst authored on 02/02/2014 10:48:58
Showing 1 changed files
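--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -61,9 +61,9 @@ class DB extends PDO {
 */
 function db_escape_string($string)
 {
-  global $db;
+  global $_db;
   __ensure_connected();
-  $quoted = $db->quote($string);
+  $quoted = $_db->quote($string);
   // entferne die quotes, damit wird es drop-in-Kompatibel zu db_escape_string()
   $ret = substr($quoted, 1, -1);
   return $ret;
@@ -72,9 +72,9 @@ function db_escape_string($string)
 
 function db_insert_id()
 {
-  global $db;
+  global $_db;
   __ensure_connected();
-  return $db->lastInsertId();
+  return $_db->lastInsertId();
 }
 
 
@@ -84,14 +84,14 @@ function __ensure_connected()
     Dieses Kontrukt ist vermultich noch schlimmer als ein normales singleton
     aber es hilft uns in unserem prozeduralen Kontext
   */
-  global $db;
-  if (! isset($db)) {
+  global $_db;
+  if (! isset($_db)) {
     try {
       DEBUG("Neue Datenbankverbindung!");
-      $db = new DB();
-      $db->query("SET NAMES utf8");
-      $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
-      $db->setAttribute(PDO::ATTR_AUTOCOMMIT, true);
+      $_db = new DB();
+      $_db->query("SET NAMES utf8");
+      $_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+      $_db->setAttribute(PDO::ATTR_AUTOCOMMIT, true);
     } catch (PDOException $e) {
       global $debugmode;
       if ($debugmode) {
@@ -106,14 +106,14 @@ function __ensure_connected()
 
 function db_query($stmt, $params = NULL)
 {
-  global $db;
+  global $_db;
   __ensure_connected();
   DEBUG($stmt);
   if ($params) {
     DEBUG($params);
   }
   try {
-    $result = $db->query($stmt, $params);
+    $result = $_db->query($stmt, $params);
     DEBUG('=> '.$result->rowCount().' rows');
   } catch (PDOException $e) {
     global $debugmode;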

Warnung im dev-branch bzgl. unsicheren SQL-Statements

Bernd Wurst authored on 02/02/2014 10:44:48
Showing 1 changed files
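--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -43,6 +43,13 @@ class DB extends PDO {
       $response->execute($params);
       return $response;
     } else {
+      if (strtoupper(substr($stmt, 0, 6)) == "INSERT" ||
+          strpos(strtoupper($stmt), "WHERE") > 0) { // Das steht nie am Anfang
+        $backtrace = debug_backtrace();
+        if (config("enable_debug")) {
+          warning("Unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
+        }
+      }
       return parent::query($stmt);
     }
   }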
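Review bot: `strpos(strtoupper($stmt), "WHERE") > 0` is written so that a `false` result fails the test, but `!== false` states that directly and does not depend on the position never being 0, which the trailing comment has to explain. The heuristic flags every non-prepared statement containing `WHERE`, including ones that embed no values at all, so expect noise in debug mode; the message could say what is actually detected, e.g. `warning("SQL statement without prepared parameters in ...")`. `$backtrace[1]` is undefined if `query()` is called directly rather than through `db_query()`, in which case the interpolation emits notices.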

Ermögliche Socket-Angabe für Datenbankverbindung

schokokeks.org web services authored on 02/02/2014 05:46:02
Showing 1 changed files
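--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -21,10 +21,13 @@ require_once('inc/debug.php');
 
 class DB extends PDO {
   function __construct() {
-    $dsn = "mysql:host=".config('db_host');
+    $dsn = "mysql:host=".config('db_host', true);
     if (config('db_port', true)) {
       $dsn .= ';port='.config('db_port', true);
     }
+    if (config('db_socket', true)) {
+      $dsn = "mysql:unix_socket=".config('db_socket', true);
+    }
     $username = config('db_user', true);
     $password = config('db_pass', true);
     parent::__construct($dsn, $username, $password);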
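Review bot: When `db_socket` is configured the host-based `$dsn` built on the preceding lines is discarded, so host and port settings are silently ignored rather than rejected; writing the two cases as `if (config('db_socket', true)) { ... } else { ... }` makes the precedence explicit and avoids reading `db_host`/`db_port` at all in the socket case. A one-line comment, `// a socket path takes precedence over host/port`, would document the choice either way. `config()` is defined elsewhere, so the meaning of its second argument is not visible here.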

Umstellung auf PDO-Datenbankverbindung

Bernd Wurst authored on 01/02/2014 18:38:23
Showing 1 changed files
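new file mode 100644
--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,119 @@
+<?php
+/*
+This file belongs to the Webinterface of schokokeks.org Hosting
+
+Written 2008-2013 by schokokeks.org Hosting, namely
+  Bernd Wurst <bernd@schokokeks.org>
+  Hanno Böck <hanno@schokokeks.org>
+
+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
+
+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 
+http://creativecommons.org/publicdomain/zero/1.0/
+
+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
+*/
+
+require_once('inc/base.php');
+require_once('inc/error.php');
+require_once('inc/debug.php');
+
+
+class DB extends PDO {
+  function __construct() {
+    $dsn = "mysql:host=".config('db_host');
+    if (config('db_port', true)) {
+      $dsn .= ';port='.config('db_port', true);
+    }
+    $username = config('db_user', true);
+    $password = config('db_pass', true);
+    parent::__construct($dsn, $username, $password);
+  }
+
+
+  /*
+    Wenn Parameter übergeben werden, werden Queries immer als Prepared statements übertragen
+  */
+  function query($stmt, $params = NULL) {
+    if (is_array($params)) {
+      $response = parent::prepare($stmt);
+      $response->execute($params);
+      return $response;
+    } else {
+      return parent::query($stmt);
+    }
+  }
+}
+
+
+/* FIXME 
+   Das ist etwas unelegant. Soll nur übergangsweise verwendet werden bis alles auf prepared statements umgestellt ist
+*/
+function db_escape_string($string)
+{
+  global $db;
+  __ensure_connected();
+  $quoted = $db->quote($string);
+  // entferne die quotes, damit wird es drop-in-Kompatibel zu db_escape_string()
+  $ret = substr($quoted, 1, -1);
+  return $ret;
+}
+
+
+function db_insert_id()
+{
+  global $db;
+  __ensure_connected();
+  return $db->lastInsertId();
+}
+
+
+function __ensure_connected()
+{
+  /*
+    Dieses Kontrukt ist vermultich noch schlimmer als ein normales singleton
+    aber es hilft uns in unserem prozeduralen Kontext
+  */
+  global $db;
+  if (! isset($db)) {
+    try {
+      DEBUG("Neue Datenbankverbindung!");
+      $db = new DB();
+      $db->query("SET NAMES utf8");
+      $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+      $db->setAttribute(PDO::ATTR_AUTOCOMMIT, true);
+    } catch (PDOException $e) {
+      global $debugmode;
+      if ($debugmode) {
+        system_failure("MySQL-Fehler: ".$e->getMessage());
+      } else {
+        system_failure("Fehler bei der Datenbankverbindung!");
+      }
+    }
+  }
+}
+
+
+function db_query($stmt, $params = NULL)
+{
+  global $db;
+  __ensure_connected();
+  DEBUG($stmt);
+  if ($params) {
+    DEBUG($params);
+  }
+  try {
+    $result = $db->query($stmt, $params);
+    DEBUG('=> '.$result->rowCount().' rows');
+  } catch (PDOException $e) {
+    global $debugmode;
+    if ($debugmode) {
+      system_failure("MySQL-Fehler: ".$e->getMessage());
+    } else {
+      system_failure("Datenbankfehler");
+    }
+  }
+  return $result;
+}
+
+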
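Review bot: In `__ensure_connected()`, `PDO::ATTR_ERRMODE` is switched to `ERRMODE_EXCEPTION` only after `new DB()` and the `SET NAMES utf8` query have run, so a failure of that query comes back as a `false` return and is silently ignored rather than caught by the surrounding `catch (PDOException $e)`; passing `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` in the options array of the `parent::__construct()` call in `DB::__construct()` covers the whole setup. In `db_query()` the final `return $result;` is reached with `$result` unassigned when `system_failure()` returns, so either document that it does not return or `return null;` explicitly after the catch. `db_escape_string()` strips the quotes that `PDO::quote()` added, which loses the quoting context the driver chose — the FIXME already marks this as transitional.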