Commit df928794 authored by Penny Leach's avatar Penny Leach Committed by Nigel McNie

fixed up some stuff in dml around quoting of identifiers and added prepared...

fixed up some stuff in dml around quoting of identifiers and added prepared statements to execute_sql
parent a9886fee
...@@ -56,6 +56,9 @@ function db_quote_table_placeholders($sql) { ...@@ -56,6 +56,9 @@ function db_quote_table_placeholders($sql) {
function db_quote_identifier($identifier) { function db_quote_identifier($identifier) {
// Currently, postgres and mysql (in postgres compat. mode) both support // Currently, postgres and mysql (in postgres compat. mode) both support
// the sql standard " // the sql standard "
if (strpos($identifier, '"') !== false) {
return $identifier;
}
return '"' . $identifier . '"'; return '"' . $identifier . '"';
} }
...@@ -69,7 +72,7 @@ function db_quote_identifier($identifier) { ...@@ -69,7 +72,7 @@ function db_quote_identifier($identifier) {
* @return string * @return string
* @throws SQLException * @throws SQLException
*/ */
function execute_sql($command) { function execute_sql($command, $values=null) {
global $db; global $db;
if (!is_a($db, 'ADOConnection')) { if (!is_a($db, 'ADOConnection')) {
...@@ -84,7 +87,13 @@ function execute_sql($command) { ...@@ -84,7 +87,13 @@ function execute_sql($command) {
$db->debug = false; $db->debug = false;
try { try {
$result = $db->Execute($command); if (!empty($values) && is_array($values) && count($values) > 0) {
$stmt = $db->Prepare($command);
$result = $db->Execute($stmt, $values);
}
else {
$result = $db->Execute($command);
}
// searching for these rather than just select as subqueries may have select in them. // searching for these rather than just select as subqueries may have select in them.
if (preg_match('/(update|insert|delete|alter|create)/i', $command)) { if (preg_match('/(update|insert|delete|alter|create)/i', $command)) {
increment_perf_db_writes(); increment_perf_db_writes();
...@@ -818,7 +827,7 @@ function set_field_select($table, $newfield, $newvalue, $select, $values) { ...@@ -818,7 +827,7 @@ function set_field_select($table, $newfield, $newvalue, $select, $values) {
$select = db_quote_table_placeholders($select); $select = db_quote_table_placeholders($select);
$values = array_merge(array($newvalue), $values); $values = array_merge(array($newvalue), $values);
$sql = 'UPDATE '. db_table_name($table) .' SET "'. $newfield .'" = ? ' . $select; $sql = 'UPDATE '. db_table_name($table) .' SET '. db_quote_identifier($newfield) .' = ? ' . $select;
try { try {
$stmt = $db->Prepare($sql); $stmt = $db->Prepare($sql);
increment_perf_db_writes(); increment_perf_db_writes();
......
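Review bot: The early return added to db_quote_identifier in the first hunk passes any identifier containing a double quote through unquoted, so an embedded `"` inside a column name now disables quoting entirely instead of being escaped; the intent appears to be to avoid double-wrapping an already-quoted name, but `strpos($identifier, '"') !== false` cannot tell that case apart from a stray quote in the middle of the name. The SQL-standard way is to always wrap and double any embedded quote, `return '"' . str_replace('"', '""', $identifier) . '"';`, and if callers really pass pre-quoted names, detect that only by a leading and trailing quote rather than any quote at all. This matters for the set_field_select hunk, where `$newfield` previously was wrapped inline and now goes through db_quote_identifier, so the new helper is weaker than the code it replaces for that input. In execute_sql, the condition `!empty($values) && is_array($values) && count($values) > 0` is redundant, since a non-empty array always has a count above zero; `is_array($values) && $values !== []` says the same thing. The enclosing functions of the last three hunks continue outside the shown lines.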