comparison includes/database.inc @ 7:fff6d4c8c043 6.3
Drupal 6.3
| author | Franck Deroche <webmaster@defr.org> |
|---|---|
| date | Tue, 23 Dec 2008 14:30:28 +0100 |
| parents | c1f4ac30525a |
| children | 8b6c45761e01 |
| 6:2cfdc3c92142 | 7:fff6d4c8c043 |
|---|---|
| 1 <?php | 1 <?php |
| 2 // $Id: database.inc,v 1.92.2.1 2008/02/08 22:44:59 goba Exp $ | 2 // $Id: database.inc,v 1.92.2.2 2008/07/09 21:48:28 goba Exp $ |
| 3 | 3 |
| 4 /** | 4 /** |
| 5 * @file | 5 * @file |
| 6 * Wrapper for database interface code. | 6 * Wrapper for database interface code. |
| 7 */ | 7 */ |
| 208 switch ($match[1]) { | 208 switch ($match[1]) { |
| 209 case '%d': // We must use type casting to int to convert FALSE/NULL/(TRUE?) | 209 case '%d': // We must use type casting to int to convert FALSE/NULL/(TRUE?) |
| 210 return (int) array_shift($args); // We don't need db_escape_string as numbers are db-safe | 210 return (int) array_shift($args); // We don't need db_escape_string as numbers are db-safe |
| 211 case '%s': | 211 case '%s': |
| 212 return db_escape_string(array_shift($args)); | 212 return db_escape_string(array_shift($args)); |
| 213 case '%n': | |
| 214 // Numeric values have arbitrary precision, so can't be treated as float. | |
| 215 // is_numeric() allows hex values (0xFF), but they are not valid. | |
| 216 $value = trim(array_shift($args)); | |
| 217 return is_numeric($value) && !preg_match('/x/i', $value) ? $value : '0'; | |
| 213 case '%%': | 218 case '%%': |
| 214 return '%'; | 219 return '%'; |
| 215 case '%f': | 220 case '%f': |
| 216 return (float) array_shift($args); | 221 return (float) array_shift($args); |
| 217 case '%b': // binary data | 222 case '%b': // binary data |
| 236 } | 241 } |
| 237 | 242 |
| 238 /** | 243 /** |
| 239 * Indicates the place holders that should be replaced in _db_query_callback(). | 244 * Indicates the place holders that should be replaced in _db_query_callback(). |
| 240 */ | 245 */ |
| 241 define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b)/'); | 246 define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b|%n)/'); |
| 242 | 247 |
| 243 /** | 248 /** |
| 244 * Helper function for db_rewrite_sql. | 249 * Helper function for db_rewrite_sql. |
| 245 * | 250 * |
| 246 * Collects JOIN and WHERE statements via hook_db_rewrite_sql() | 251 * Collects JOIN and WHERE statements via hook_db_rewrite_sql() |
| 549 switch ($type) { | 554 switch ($type) { |
| 550 case 'varchar': | 555 case 'varchar': |
| 551 case 'char': | 556 case 'char': |
| 552 case 'text': | 557 case 'text': |
| 553 case 'datetime': | 558 case 'datetime': |
| 554 return '\'%s\''; | 559 return "'%s'"; |
| 555 | 560 |
| 556 case 'numeric': | 561 case 'numeric': |
| 557 // For 'numeric' values, we use '%s', not '\'%s\'' as with | 562 // Numeric values are arbitrary precision numbers. Syntacically, numerics |
| 558 // string types, because numeric values should not be enclosed | 563 // should be specified directly in SQL. However, without single quotes |
| 559 // in quotes in queries (though they can be, at least on mysql | 564 // the %s placeholder does not protect against non-numeric characters such |
| 560 // and pgsql). Numerics should only have [0-9.+-] and | 565 // as spaces which would expose us to SQL injection. |
| 561 // presumably no db's "escape string" function will mess with | 566 return '%n'; |
| 562 // those characters. | |
| 563 return '%s'; | |
| 564 | 567 |
| 565 case 'serial': | 568 case 'serial': |
| 566 case 'int': | 569 case 'int': |
| 567 return '%d'; | 570 return '%d'; |
| 568 | 571 |
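Review bot: The new `%n` case (new-side lines 213–217) accepts a value by `is_numeric()` plus a denylist for the letter x, which ties the grammar emitted unquoted into SQL to PHP-version behaviour of `is_numeric()` (hex strings, surrounding whitespace) rather than to an explicit set of permitted characters. An allowlist that names the accepted numeric syntax is easier to audit and does not drift with the runtime, e.g. `return preg_match('/^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$/', $value) ? $value : '0';`. Silently substituting `'0'` for a rejected value also hides caller bugs; a `trigger_error()` or at least a comment such as `// Invalid numerics are replaced by 0 rather than rejected so the query still runs.` would make that choice explicit. The `DB_QUERY_REGEXP` docblock at new line 244 could list the placeholders it recognises now that `%n` is added, since the callback and the regexp must stay in sync. `_db_query_callback()` and the function containing the `switch ($type)` at new line 554 both start outside the shown hunks.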
