[geeklog-hg] geeklog: Introduced DB_escapeString (feature request #0001146)

Mon Jan 21 08:50:54 EST 2013


changeset 8924:44b55b16dea8
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/44b55b16dea8
user: Kenji ITO <mystralkk at gmail.com>
date: Mon Jan 21 22:49:35 2013 +0900
description:
Introduced DB_escapeString (feature request #0001146)

diffstat:

 system/databases/mssql.class.php  |  20 +++++++++++++++++++-
 system/databases/mysql.class.php  |  18 ++++++++++++++++++
 system/databases/mysqli.class.php |  32 +++++++++++++++++++++-----------
 system/databases/pgsql.class.php  |  18 ++++++++++++++++++
 system/lib-database.php           |  13 +++++++++++++
 5 files changed, 89 insertions(+), 12 deletions(-)

diffs (164 lines):

diff -r d89701cc9d65 -r 44b55b16dea8 system/databases/mssql.class.php
--- a/system/databases/mssql.class.php	Mon Jan 21 22:23:52 2013 +0900
+++ b/system/databases/mssql.class.php	Mon Jan 21 22:49:35 2013 +0900
@@ -1176,7 +1176,25 @@
         $v = $this->dbFetchArray($q, true);
         return $v[0];
     }
-    
+
+    /**
+    * Escapes a string so that it can be safely used in a query
+    *
+    * @param   string   $str          a string to be escaped
+    * @param   boolean  $isEnclose    whether to enclose the string with "'"
+    * @return  string
+    */
+    function dbEscapeString($str, $isEnclose = TRUE)
+    {
+        $retval = str_replace("'", "''", $str);
+
+        if ($isEnclose) {
+            $retval = "'" . $retval . "'";
+        }
+
+        return $retval;
+    }
+
 }//end class
 
 ?>
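Review bot: Doubling single quotes in `str_replace("'", "''", $str)` is the only transformation in the new `dbEscapeString()`, so a non-string `$str` (an array, for instance) passes straight through `str_replace` and comes back as an array rather than a quoted literal; casting first, `$retval = str_replace("'", "''", (string) $str);`, closes that gap. The doc comment's "safely used in a query" also only holds while the value sits inside a single-quoted literal — with `$isEnclose = FALSE` the caller must add the quotes itself, which the `@param` line should say, e.g. `whether to enclose the string with "'" (when FALSE the caller MUST quote the result itself)`. Whether the mssql extension needs any further escaping for the server's quoting settings is not visible from this hunk.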
diff -r d89701cc9d65 -r 44b55b16dea8 system/databases/mysql.class.php
--- a/system/databases/mysql.class.php	Mon Jan 21 22:23:52 2013 +0900
+++ b/system/databases/mysql.class.php	Mon Jan 21 22:49:35 2013 +0900
@@ -830,6 +830,24 @@
         return @mysql_get_server_info();
     }
 
+    /**
+    * Escapes a string so that it can be safely used in a query
+    *
+    * @param   string   $str          a string to be escaped
+    * @param   boolean  $isEnclose    whether to enclose the string with "'"
+    * @return  string
+    */
+    function dbEscapeString($str, $isEnclose = TRUE)
+    {
+        $retval = mysql_real_escape_string($str, $this->_db);
+
+        if ($isEnclose) {
+            $retval = "'" . $retval . "'";
+        }
+
+        return $retval;
+    }
+
 }
 
 ?>
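Review bot: `mysql_real_escape_string($str, $this->_db)` returns FALSE when `$this->_db` is not a live link, and the enclosing branch then concatenates that FALSE into `''`, so a lost connection silently yields an empty literal instead of an error; check `if ($retval === FALSE)` and surface it through the class's error handling (or `trigger_error`) before building the literal. The escaping is also only correct for the character set the MySQL client library knows about — if the connection sets its charset with a `SET NAMES` query instead of `mysql_set_charset()`, multibyte sequences can carry a quote past this function; the connect code is outside this hunk, so this is worth confirming. Unlike the mysqli counterpart the method carries no visibility keyword; `public function dbEscapeString($str, $isEnclose = TRUE)` would keep the two in step.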
diff -r d89701cc9d65 -r 44b55b16dea8 system/databases/mysqli.class.php
--- a/system/databases/mysqli.class.php	Mon Jan 21 22:23:52 2013 +0900
+++ b/system/databases/mysqli.class.php	Mon Jan 21 22:49:35 2013 +0900
@@ -344,8 +344,8 @@
                 $retval .= ' WHERE ';
 
                 for ($i = 1; $i <= $num_ids; $i ++) {
-                    $retval .= current($id) . " = '"
-                            .  $this->dbEscape(current($value)) . "'";
+                    $retval .= current($id) . " = "
+                            .  $this->dbEscapeString(current($value));
                     if ($i !== $num_ids) {
                         $retval .= " AND ";
                     }
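Review bot: `current($id)` is still concatenated into the WHERE clause as a raw identifier on the changed line, so the clause is only as safe as the names in `$id`; if any caller can feed it user-controlled column names, validate them before use, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', current($id))) { /* reject */ }`, or backtick-quote them. Where `$id` and `$value` come from is not visible here, so this is a point to confirm rather than a known hole. The enclosing function starts and ends outside this hunk.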
@@ -765,15 +765,6 @@
         return $this->_db->server_info;
     }
 
-    public function dbEscape($value, $is_numeric = FALSE)
-    {
-        if (!$is_numeric) {
-            $value = $this->_db->escape_string($value);
-        }
-
-        return $value;
-    }
-
     public function dbStartTransaction()
     {
         return $this->_db->autocommit(FALSE);
@@ -788,6 +779,25 @@
     {
         return $this->_db->rollback();
     }
+
+    /**
+    * Escapes a string so that it can be safely used in a query
+    *
+    * @param   string   $str          a string to be escaped
+    * @param   boolean  $isEnclose    whether to enclose the string with "'"
+    * @return  string
+    */
+    public function dbEscapeString($str, $isEnclose = TRUE)
+    {
+        $retval = $this->_db->real_escape_string($str);
+
+        if ($isEnclose) {
+            $retval = "'" . $retval . "'";
+        }
+
+        return $retval;
+    }
+
 }
 
 ?>
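Review bot: `$this->_db->real_escape_string($str)` escapes according to the connection character set, which mysqli only tracks correctly when it was set with `$this->_db->set_charset()` rather than a `SET NAMES` query — with the latter, multibyte charsets such as GBK can let a crafted byte sequence survive escaping. The connection setup is outside this hunk, so a doc note on the method would help the next maintainer: `Relies on the connection charset having been set via set_charset(); do not switch charsets with SET NAMES.` The `$isEnclose = FALSE` path returns a value that is only safe inside a single-quoted literal, which the `@param` line should state.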
diff -r d89701cc9d65 -r 44b55b16dea8 system/databases/pgsql.class.php
--- a/system/databases/pgsql.class.php	Mon Jan 21 22:23:52 2013 +0900
+++ b/system/databases/pgsql.class.php	Mon Jan 21 22:49:35 2013 +0900
@@ -911,6 +911,24 @@
         return $v['server'];
     }
 
+    /**
+    * Escapes a string so that it can be safely used in a query
+    *
+    * @param   string   $str          a string to be escaped
+    * @param   boolean  $isEnclose    whether to enclose the string with "'"
+    * @return  string
+    */
+    function dbEscapeString($str, $isEnclose = TRUE)
+    {
+        $retval = pg_escape_string($this->_db, $str);
+
+        if ($isEnclose) {
+            $retval = "'" . $retval . "'";
+        }
+
+        return $retval;
+    }
+
 }
 
 ?>
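Review bot: In the `$isEnclose` branch `"'" . pg_escape_string(...) . "'"` hand-rolls what `pg_escape_literal()` does natively, and the native call also picks the `E'...'` form when the connection's `standard_conforming_strings` setting requires it, so the enclosed path is better written as `$retval = pg_escape_literal($this->_db, $str);` with `pg_escape_string()` kept only for the bare case. `pg_escape_literal()` needs PHP 5.4.4 or newer, so whether it can be used depends on the minimum PHP version this tree supports, which is not visible here.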
diff -r d89701cc9d65 -r 44b55b16dea8 system/lib-database.php
--- a/system/lib-database.php	Mon Jan 21 22:23:52 2013 +0900
+++ b/system/lib-database.php	Mon Jan 21 22:49:35 2013 +0900
@@ -662,5 +662,18 @@
     return $_DB->dbGetVersion();
 }
 
+/**
+* Escapes a string so that it can be safely used in a query
+*
+* @param   string   $str          a string to be escaped
+* @param   boolean  $isEnclose    whether to enclose the string with "'"
+* @return  string
+*/
+function DB_escapeString($str, $isEnclose = TRUE)
+{
+    global $_DB;
+
+	return $_DB->dbEscapeString($str, $isEnclose);
+}
 
 ?>
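Review bot: The `return` line in `DB_escapeString()` is indented with a tab while the surrounding file uses four spaces, so it should be re-indented to `    return $_DB->dbEscapeString($str, $isEnclose);` to match. The docblock should also tell callers what they get back, since the wrapper inherits the contract of the driver methods: `Returns a fully quoted literal by default; with $isEnclose = FALSE the caller must supply the surrounding quotes itself.`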


