Fallos de seguridad solucionados

This commit is contained in:
Juan Ferrer Toribio 2015-02-18 17:13:23 +01:00
parent fbeeb0cd33
commit 5706ce20b7
7 changed files with 87 additions and 115 deletions


@ -1,5 +1,5 @@
Package: php-vn-lib Package: php-vn-lib
Version: 1.0-7 Version: 1.0-10
Architecture: all Architecture: all
Maintainer: Juan Ferrer Toribio <juan@verdnatura.es> Maintainer: Juan Ferrer Toribio <juan@verdnatura.es>
Depends: php5-mysql Depends: php5-mysql


@ -2,11 +2,9 @@
namespace Vn\Db; namespace Vn\Db;
require_once ('vn/sql/sql.php'); require_once ('vn/lib/type.php');
require_once ('vn/db/exception.php'); require_once ('vn/db/exception.php');
use Vn\Sql\Render;
class Conn class Conn
{ {
private $conn = NULL; private $conn = NULL;
@ -125,7 +123,7 @@ class Conn
**/ **/
function query ($query, $params = NULL) function query ($query, $params = NULL)
{ {
$result = $this->conn->query (Render::toString ($query, $params)); $result = $this->conn->query ($this->render ($query, $params));
if (!$result) if (!$result)
$this->checkError (); $this->checkError ();
@ -146,7 +144,7 @@ class Conn
**/ **/
function multiQuery ($query, $params = NULL) function multiQuery ($query, $params = NULL)
{ {
$success = $this->conn->multi_query (Render::toString ($query, $params)); $success = $this->conn->multi_query ($this->render ($query, $params));
if (!$success) if (!$success)
$this->checkError (); $this->checkError ();
@ -217,6 +215,85 @@ class Conn
return NULL; return NULL;
} }
/**
* Renders an SQL string using the given parameters.
*
* @param string $query The SQL string
* @param mixed[] $paramsMap The query parameters
*
* @return mixed The rendered SQL string
**/
function render (&$query, &$paramsMap = NULL)
{
if (isset ($paramsMap) && is_array ($paramsMap) && count ($paramsMap) > 0)
{
$i = 0;
$params = [];
foreach ($paramsMap as $key => $value)
$params[$key] = $this->renderValue ($value);
$replaceFunc = function ($matches) use (&$params, &$i)
{
$key = substr ($matches[0], 1);
if (strlen ($key) == 0)
$key = $i++;
if (isset ($params[$key]))
return $params[$key];
return '#'. $key;
};
return preg_replace_callback ('/#\w*/', $replaceFunc, $query);
}
else
return $query;
}
function renderValue ($value)
{
if ($value !== NULL)
switch (get_type ($value))
{
case TYPE_BOOLEAN:
return ($value) ? 'TRUE' : 'FALSE';
case TYPE_STRING:
return '\'' . $this->conn->escape_string ($value) . '\'';
case TYPE_DATE:
return strftime ('\'%Y-%m-%d\'', $value->getTimestamp ());
case TYPE_TIME:
return strftime ('\'%T\'', $value->getTimestamp ());
case TYPE_DATE_TIME:
return strftime ('\'%Y-%m-%d %T\'', $value->getTimestamp ());
default:
return $this->conn->escape_string ($value);
}
else
return 'NULL';
}
/**
* Renders an SQL string using sprintf like style.
* DEPRECATED
*
* @return mixed The rendered SQL string
**/
static function renderf ($arg)
{
$count = count ($arg);
if ($count > 1)
{
for ($i = 1; $i < $count; $i++)
$arg[$i] = $this->renderValue ($arg[$i]);
return call_user_func_array ('sprintf', $arg);
}
else
return $arg[0];
}
} }
?> ?>
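Review bot: `renderf` is declared `static` but its loop calls `$this->renderValue ($arg[$i])`, which fails with "Using $this when not in object context" as soon as it is invoked with more than one element; drop the modifier so it reads `function renderf ($arg)` (it then also needs the connection that `renderValue` escapes through), or mark it with a `@throws`/"do not use" note if it is only kept for signature compatibility. The new `renderValue` replaces `addslashes` with `$this->conn->escape_string`, which is only multibyte-safe once the connection charset has been set with `set_charset`; where this connection is opened is outside the hunk, so a one-line comment above the `TYPE_STRING` case such as `// escape_string is charset-aware only after set_charset() on this connection` would record that assumption for the next maintainer. The `default:` branch also returns `escape_string ($value)` unquoted for any type not listed, which is fine for integers but, if a float reaches it, the string conversion can be locale-dependent on this PHP version; consider handling `TYPE_INTEGER`/`TYPE_DOUBLE` explicitly with a numeric cast.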


@ -1,6 +1,6 @@
<?php <?php
require_once ('vn/sql/sql.php'); require_once ('vn/lib/lib.php');
require_once ('vn/db/conn.php'); require_once ('vn/db/conn.php');
?> ?>


@ -16,14 +16,14 @@ class Date extends DateTime {}
function get_type ($value) function get_type ($value)
{ {
if (is_int ($value)) if (is_bool ($value))
return TYPE_BOOLEAN;
elseif (is_int ($value))
return TYPE_INTEGER; return TYPE_INTEGER;
elseif (is_float ($value)) elseif (is_float ($value))
return TYPE_DOUBLE; return TYPE_DOUBLE;
elseif (is_string ($value)) elseif (is_string ($value))
return TYPE_STRING; return TYPE_STRING;
elseif (is_bool ($value))
return TYPE_BOOLEAN;
elseif (is_object ($value)) elseif (is_object ($value))
{ {
if ($value instanceof Time) if ($value instanceof Time)


@ -1,57 +0,0 @@
<?php
namespace Vn\Sql;
require_once ('vn/lib/lib.php');
require_once ('vn/sql/value.php');
class Render
{
static function toString (&$query, &$paramsMap = NULL)
{
if (isset ($paramsMap) && is_array ($paramsMap) && count ($paramsMap) > 0)
{
$i = 0;
$params = [];
foreach ($paramsMap as $key => $value)
$params[$key] = (new Value ($value))->render ();
$replaceFunc = function ($matches) use (&$params, &$i)
{
$key = substr ($matches[0], 1);
if (strlen ($key) == 0)
$key = $i++;
if (isset ($params[$key]))
return $params[$key];
return '#'. $key;
};
return preg_replace_callback ('/#\w*/', $replaceFunc, $query);
}
else
return $query;
}
static function printf ($arg)
{
$count = count ($arg);
if ($count > 1)
{
for ($n = 1; $n < $count; $n++)
{
$obj = new Value ($arg[$n]);
$arg[$n] = $obj->render ();
}
return call_user_func_array ('sprintf', $arg);
}
else
return $arg[0];
}
}
?>


@ -1,7 +0,0 @@
<?php
require_once ('vn/lib/lib.php');
require_once ('vn/sql/render.php');
require_once ('vn/sql/value.php');
?>


@ -1,41 +0,0 @@
<?php
namespace Vn\Sql;
require_once ('vn/lib/lib.php');
class Value
{
var $value;
function __construct ($value)
{
$this->value = $value;
}
function render ()
{
$value = $this->value;
if ($value === NULL)
return 'NULL';
switch (get_type ($value))
{
case TYPE_STRING:
return '\'' . addslashes ($value) . '\'';
case TYPE_DATE:
return strftime ('\'%Y-%m-%d\'', $value->getTimestamp ());
case TYPE_TIME:
return strftime ('\'%T\'', $value->getTimestamp ());
case TYPE_DATE_TIME:
return strftime ('\'%Y-%m-%d %T\'', $value->getTimestamp ());
case TYPE_BOOLEAN:
return ($value) ? 'TRUE' : 'FALSE';
default:
return $value;
}
}
}
?>