Back to index

awl  0.53
Classes | Namespaces | Functions | Variables
PgQuery.php File Reference

Go to the source code of this file.

Classes

class  PgQuery

Namespaces

namespace  awl
 Authentication handling class.

Functions

 connect_configured_database ()
 Connect to the database defined in the $c->dbconn[] array.

Variables

 if (!function_exists('pg_Connect'))

$dbconn

 $dbconn = null
if(!function_exists('duration')) qpg ($str=null)
 Quote the given string (depending on its type) so that it can be used safely in a PostgreSQL query without fear of SQL injection errors.
 clean_string ($unclean, $type= 'full')
 Clean a string of many suspicious characters.
 awl_replace_sql_args ()
 Replaces PostgreSQL query with escaped parameters in preparation for execution.

Function Documentation

Replaces PostgreSQL query with escaped parameters in preparation for execution.

The function takes a variable number of arguments, the first is the SQL string, with replaceable '?' characters (a la DBI). The subsequent parameters being the values to replace into the SQL string.

The values passed to the routine are analyzed for type, and quoted if they appear to need quoting. This can go wrong for (e.g.) NULL or other special SQL values which are not straightforwardly identifiable as needing quoting (or not). In such cases the parameter can be forced to be inserted unquoted by passing it as "array( 'plain' => $param )".

This function is outside the PgQuery class because it is sometimes desirable to build SQL command strings in circumstances where there is no benefit to using the class.

Parameters:
stringThe query string with replacable '?' characters.
mixedThe values to replace into the SQL string.
Returns:
The built query string

Definition at line 219 of file PgQuery.php.

                                {
  $argc = func_num_args(); //number of arguments passed to the function
  $qry = func_get_arg(0); //first argument
  $args = func_get_args(); //all argument in an array

  if ( is_array($qry) ) {
    $qry = $args[0][0];
    $args = $args[0];
    $argc = count($args);
  }

// building query string by replacing ? with
// escaped parameters
  $parts = explode( '?', $qry );
  $querystring = $parts[0];
  $z = min( count($parts), $argc );

  for( $i = 1; $i < $z; $i++ ) {
    $arg = $args[$i];
    if ( !isset($arg) ) {
      $querystring .= 'NULL';
    }
    elseif ( is_array($arg) && $arg['plain'] != '' ) {
      // We abuse this, but people should access it through the PgQuery::Plain($v) function
      $querystring .= $arg['plain'];
    }
    else {
  $querystring .= qpg($arg);  //parameter
    }
    $querystring .= $parts[$i]; //extras eg. ","
  }
  if ( isset($parts[$z]) ) $querystring .= $parts[$z]; //puts last part on the end

  return $querystring;
}

Here is the call graph for this function:

Here is the caller graph for this function:

clean_string ( unclean,
type = 'full' 
)

Clean a string of many suspicious characters.

While this is a fairly aggressive approach, it applies in many circumstances where various strings should not contain things that might screw up (e.g.) filesystem semantics. Although not strictly a PgQuery function it's here for the time being until I invent a new "generally useful functions" include.

Parameters:
string$uncleanThe dirty filthy string needing washing.
Returns:
string The pristine uncontaminated string we can safely use for Just About Anything(tm).

Definition at line 182 of file PgQuery.php.

                                                  {
  if ( ! isset($unclean) ) return null;
  if ( is_array($unclean) ) {
    $result = array();
    foreach( $unclean AS $k => $v ) {
      $result[$k] = clean_string( $v, $type );
    }
    return $result;
  }
  if ( $type != 'basic' ) $cleaned = strtolower($unclean); else $cleaned = &$unclean;
  $cleaned = preg_replace( "/['\"!\\\\()\[\]|*\/{}&%@~;:?<>]/", '', $cleaned ); //"// Stupid Bluefish Syntax highlighting...
  dbg_error_log( "PgQuery", "clean_string: Cleaned string from <<%s>> to <<%s>>", $unclean, $cleaned );
  return $cleaned;
}

Here is the caller graph for this function:

Connect to the database defined in the $c->dbconn[] array.

Attempt to connect to the configured connect strings

Definition at line 61 of file PgQuery.php.

                                       {
  global $c, $dbconn;

  if ( isset($dbconn) ) return;
  $dbconn = false;
  dbg_error_log('pgquery', 'Attempting to connect to database');
  if ( isset($c->pg_connect) && is_array($c->pg_connect) ) {
    foreach( $c->pg_connect AS $k => $v ) {
      if ( !$dbconn ) {
        if ( $dbconn = ((isset($c->use_persistent) && $c->use_persistent) ? pg_pConnect($v) : pg_Connect($v) ) ) break;
      }
    }
  }
  if ( ! $dbconn ) {
    echo <<<EOERRMSG
  <html><head><title>Database Connection Failure</title></head><body>
  <h1>Database Error</h1>
  <h3>Could not connect to PostgreSQL database</h3>
  </body>
  </html>
EOERRMSG;
    if ( isset($c->pg_connect) && is_array($c->pg_connect) ) {
      dbg_error_log("ERROR", "Failed to connect to database" );
    }
    exit;
  }

  if ( isset($c->db_schema) && $c->db_schema != '' ) {
    $result = pg_exec( $dbconn, "SET Search_path TO ".$c->db_schema.",public;" );
    $row = pg_fetch_array($result, 0);
  }

  $result = pg_exec( $dbconn, "SELECT version()" );
  $row = pg_fetch_array($result, 0);
  $c->found_dbversion = preg_replace( '/^PostgreSQL (\d+\.\d+)\..*$/i', '$1', $row[0]);
}

Here is the caller graph for this function:

if (!function_exists('duration')) qpg ( str = null)

Quote the given string (depending on its type) so that it can be used safely in a PostgreSQL query without fear of SQL injection errors.

Although this function effectively achieves a similar goal to the pg_escape_string() function, it is needed for older versions of PHP (< 4.2.0) and older versions of PostgreSQL (< 7.2.0), however. PgQuery does not attempt to use the newer pg_escape_string() function at this stage.

This function is outside the PgQuery class because it is sometimes desirable to quote values for SQL command strings in circumstances where there is no benefit to using the class.

Parameters:
mixed$strData to be converted to a string suitable for including as a value in SQL.
Returns:
string NULL, TRUE, FALSE, a plain number, or the original string quoted and with ' and \ characters escaped

Definition at line 147 of file PgQuery.php.

                          {
  global $c;

  switch (strtolower(gettype($str))) {
    case 'null':
      $rv = 'NULL';
      break;
    case 'integer':
    case 'double' :
      return $str;
    case 'boolean':
      $rv = $str ? 'TRUE' : 'FALSE';
      break;
    case 'string':
    default:
      $str = str_replace("'", "''", $str);
      //PostgreSQL treats a backslash as an escape character.
      $str = str_replace('\\', '\\\\', $str);
      $rv = "'$str'";
      if ( !isset($c->found_dbversion) || $c->found_dbversion > 8.0 ) $rv = 'E'.$rv;
  }
  return $rv;
}

Here is the caller graph for this function:


Variable Documentation

$dbconn = null

Definition at line 107 of file PgQuery.php.

if(!function_exists('pg_Connect'))

Definition at line 36 of file PgQuery.php.