From a6e3ae8120a09df8694d2bae51045fb4dd2b16fc Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Tue, 14 Apr 2015 13:01:12 -0400
Subject: [PATCH] - fixed some syntax errors from previous commit
---
 interface/lib/classes/db_mysql.inc.php | 66 ++++++++++++++++++++++++++------
 1 files changed, 53 insertions(+), 13 deletions(-)
diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
index d9ec9b8..d3ca383 100644
--- a/interface/lib/classes/db_mysql.inc.php
+++ b/interface/lib/classes/db_mysql.inc.php
@@ -252,7 +252,7 @@
 $sQuery = call_user_func_array(array(&$this, '_build_query_string'), $aArgs);
 $this->securityScan($sQuery);
- $this->_iQueryId = mysqli_query($this->_iConnId, $sQuery);
+ $this->_iQueryId = @mysqli_query($this->_iConnId, $sQuery);
 if (!$this->_iQueryId) {
 $this->_sqlerror('Falsche Anfrage / Wrong Query', false, 'SQL-Query = ' . $sQuery);
 return false;
@@ -425,6 +425,34 @@
 }
+ /**
+ * check if a utf8 string is valid
+ *
+ * @access public
+ * @param string $string the string to check
+ * @return bool true if it is valid utf8, false otherwise
+ */
+ private function check_utf8($str) {
+ $len = strlen($str);
+ for($i = 0; $i < $len; $i++){
+ $c = ord($str[$i]);
+ if ($c > 128) {
+ if (($c > 247)) return false;
+ elseif ($c > 239) $bytes = 4;
+ elseif ($c > 223) $bytes = 3;
+ elseif ($c > 191) $bytes = 2;
+ else return false;
+ if (($i + $bytes) > $len) return false;
+ while ($bytes > 1) {
+ $i++;
+ $b = ord($str[$i]);
+ if ($b < 128 || $b > 191) return false;
+ $bytes--;
+ }
+ }
+ }
+ return true;
+ } // end of check_utf8
 /**
 * Escape a string for usage in a query
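Review bot: In the hunk at `@@ -252,7 +252,7 @@`, the `@` now placed before `mysqli_query` discards the PHP warning, so the only diagnostic left is whatever `_sqlerror` records; its body is not visible here, so confirm it captures `mysqli_error($this->_iConnId)` before the suppression hides the cause of a failed query. A short comment on the call, e.g. `// warning suppressed on purpose; failures are reported through _sqlerror() below`, would document the intent. The same error path hands the complete statement text (`'SQL-Query = ' . $sQuery`) to `_sqlerror`, so it is worth checking that this message only reaches a protected log. The enclosing function starts and ends outside the hunk.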
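Review bot: The new `check_utf8` (hunk `@@ -425,6 +425,34 @@`) accepts input that is not valid UTF-8: `if ($c > 128)` treats a lone byte 0x80 as ASCII, and the lead-byte ranges admit 0xC0/0xC1 and 0xF5–0xF7 without rejecting overlong forms or surrogate code points. Its result decides in the following hunk whether a string is re-encoded before escaping, so a lenient check lets malformed sequences pass through unchanged. Since that hunk already relies on mbstring, the body can be reduced to `return mb_check_encoding($str, 'UTF-8');`. The docblock should also match the code: the method is `private` but documented as `@access public`, and the parameter is `$str`, not `$string`.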
@@ -442,16 +470,16 @@
 $sString = '';
 }
- /*$cur_encoding = mb_detect_encoding($sString);
+ $cur_encoding = mb_detect_encoding($sString);
 if($cur_encoding != "UTF-8") {
 if($cur_encoding != 'ASCII') {
- $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_WARN);
+ $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO);
 if($cur_encoding) $sString = mb_convert_encoding($sString, 'UTF-8', $cur_encoding);
 else $sString = mb_convert_encoding($sString, 'UTF-8');
 }
- } elseif(!PXBase::check_utf8($sString)) {
+ } elseif(!$this->check_utf8($sString)) {
 $sString = utf8_encode($sString);
- }*/
+ }
 if($this->_iConnId) return mysqli_real_escape_string($this->_iConnId, $sString);
 else return addslashes($sString);
@@ -598,20 +626,26 @@
 if(is_array($insert_data)) {
 $key_str = '';
 $val_str = '';
+ $params = array($tablename);
+ $v_params = array();
 foreach($insert_data as $key => $val) {
- $key_str .= "`".$key ."`,";
- $val_str .= "'".$this->escape($val)."',";
+ $key_str .= '??,';
+ $params[] = $key;
+
+ $val_str .= '?,';
+ $v_params[] = $val;
 }
 $key_str = substr($key_str, 0, -1);
 $val_str = substr($val_str, 0, -1);
 $insert_data_str = '('.$key_str.') VALUES ('.$val_str.')';
+ $this->query("INSERT INTO ?? $insert_data_str", true, $params + $v_params);
 } else {
+ /* TODO: deprecate this method! */
 $insert_data_str = $insert_data;
+ $this->query("INSERT INTO ?? $insert_data_str", $tablename);
 }
- /* TODO: reduce risk of insert_data_str! */
-
+
 $old_rec = array();
- $this->query("INSERT INTO ?? $insert_data_str", $tablename);
 $index_value = $this->insertID();
 $new_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ? = ?", $tablename, $index_field, $index_value);
 $this->datalogSave($tablename, 'INSERT', $index_field, $index_value, $old_rec, $new_rec);
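Review bot: The re-enabled `$app->log('String ' . substr($sString, 0, 25) . ...)` in the hunk at `@@ -442,16 +470,16 @@` copies the first 25 bytes of the value being escaped into the log, and an escaping routine presumably sees every kind of value, which can include credentials or personal data. Logging only metadata avoids that, e.g. `$app->log('Non-UTF-8 string (' . $cur_encoding . ', ' . strlen($sString) . ' bytes) converted before escaping', LOGLEVEL_INFO);`. Note also that `mb_detect_encoding($sString)` is called without strict mode, so the detected encoding is a guess, and that `utf8_encode` assumes ISO-8859-1 input. The function starts outside the hunk, so whether `$app` is in scope there cannot be confirmed from these lines.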
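Review bot: `$params + $v_params` in the new INSERT call (hunk `@@ -598,20 +626,26 @@`) is PHP's array union, not concatenation: both arrays are indexed from 0 and `$params` is one element longer, so every key of `$v_params` already exists on the left and all values are dropped. The statement then has `2n+1` placeholders but receives only the table and column names. Use `$this->query("INSERT INTO ?? $insert_data_str", true, array_merge($params, $v_params));` so the values follow the identifiers in placeholder order. The `else` branch here, and the one in the UPDATE hunk that follows, still splices a caller-built string into the statement verbatim; until it is removed, the docblock should state that a string argument must already be escaped by the caller. The enclosing function starts and ends outside the hunk.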
@@ -630,17 +664,23 @@
 $old_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ?? = ?", $tablename, $index_field, $index_value);
 if(is_array($update_data)) {
+ $params = array($tablename);
 $update_data_str = '';
 foreach($update_data as $key => $val) {
- $update_data_str .= "`".$key ."` = '".$this->escape($val)."',";
+ $update_data_str .= '?? = ?,';
+ $params[] = $key;
+ $params[] = $val;
 }
+ $params[] = $index_field;
+ $params[] = $index_value;
 $update_data_str = substr($update_data_str, 0, -1);
+ $this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", true, $params);
 } else {
+ /* TODO: deprecate this method! */
 $update_data_str = $update_data;
+ $this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", $tablename, $index_field, $index_value);
 }
- /* TODO: reduce risk of update_data_str */
- $this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", $tablename, $index_field, $index_value);
 $new_rec = $this->queryOneRecord("SELECT * FROM ?? WHERE ?? = ?", $tablename, $index_field, $index_value);
 $this->datalogSave($tablename, 'UPDATE', $index_field, $index_value, $old_rec, $new_rec, $force_update);
--
Gitblit v1.9.1
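Review bot: An empty `$update_data` array leaves `$update_data_str` empty in the hunk at `@@ -630,17 +664,23 @@`, so the new array branch sends `UPDATE ?? SET  WHERE ?? = ?`, which is not a valid statement. Guarding the call, e.g. `if(count($update_data) > 0) $this->query("UPDATE ?? SET $update_data_str WHERE ?? = ?", true, $params);`, avoids issuing a query that can only fail. Whether the later `datalogSave` should still run in that case depends on code outside the hunk; the enclosing function starts and ends outside it.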