
Feature #22338 » 13940_trunk_v4.diff

Administrator Admin, 2010-04-13 22:55


class.tslib_content.php (working copy)
*/
function getQuery($table, $conf, $returnQueryArray=FALSE) {
// Handle PDO-style named parameter markers first
$queryMarkers = $this->getQueryMarkers($table, $conf);
// replace the markers in the non-stdWrap properties
foreach ($queryMarkers as $marker => $markerValue) {
$properties = array('uidInList', 'selectFields', 'where', 'max',
'begin', 'groupBy', 'orderBy', 'join', 'leftjoin', 'rightjoin');
foreach ($properties as $property) {
if ($conf[$property]) {
$conf[$property] = str_replace('###' . $marker . '###',
$markerValue,
$conf[$property]);
}
}
}
// Construct WHERE clause:
$conf['pidInList'] = trim($this->stdWrap($conf['pidInList'],$conf['pidInList.']));
......
// Compile and return query:
$queryParts['FROM'] = trim($table.' '.$joinPart);
// replace the markers in the queryParts to handle stdWrap
// enabled properties
foreach ($queryMarkers as $marker => $markerValue) {
foreach ($queryParts as $queryPartKey => &$queryPartValue) {
$queryPartValue = str_replace('###' . $marker . '###',
$markerValue,
$queryPartValue);
}
}
$query = $GLOBALS['TYPO3_DB']->SELECTquery(
$queryParts['SELECT'],
$queryParts['FROM'],
......
$queryParts['ORDERBY'],
$queryParts['LIMIT']
);
return $returnQueryArray ? $queryParts : $query;
}
}
......
return $this->checkPid_cache[$uid];
}
/**
* Builds list of marker values for handling PDO-like parameter markers in select parts.
* Marker values support stdWrap functionality thus allowing a way to use stdWrap functionality in various properties of 'select' AND prevents SQL-injection problems by quoting and escaping of numeric values, strings, NULL values and comma separated lists.
*
* @param string $table Table to select records from
* @param array $conf Select part of CONTENT definition
* @return array List of values to replace markers with
* @access private
* @see getQuery()
*/
function getQueryMarkers($table, $conf) {
// parse markers and prepare their values
$markerValues = array();
if (is_array($conf['markers.'])) {
foreach($conf['markers.'] as $dottedMarker => $dummy) {
$marker = rtrim($dottedMarker, '.');
if ($dottedMarker == $marker . '.') {
// parse definition
$tempValue = $this->stdWrap(
$conf['markers.'][$dottedMarker]['value'],
$conf['markers.'][$dottedMarker]
);
// quote/escape if needed
if (is_numeric($tempValue)) {
if ((int)$tempValue == $tempValue) {
// handle integer
$markerValues[$marker] = intval($tempValue);
} else {
// handle float
$markerValues[$marker] = floatval($tempValue);
}
} elseif (is_null($tempValue)) {
// it represents NULL
$markerValues[$marker] = 'NULL';
} elseif ($conf['markers.'][$dottedMarker]['commaSeparatedList'] == 1) {
// see if it is really a comma separated list of values
$explodeValues = t3lib_div::trimExplode(',', $tempValue);
if (count($explodeValues) > 1) {
// handle each element of list separately
$tempArray = array();
foreach ($explodeValues as $listValue) {
if (is_numeric($listValue)) {
if ((int)$listValue == $listValue) {
$tempArray[] = intval($listValue);
} else {
$tempArray[] = floatval($listValue);
}
} else {
// if quoted, remove quotes before
// escaping.
if (preg_match('/^\'([^\']*)\'$/',
$listValue,
$matches)) {
$listValue = $matches[1];
} elseif (preg_match('/^\"([^\"]*)\"$/',
$listValue,
$matches)) {
$listValue = $matches[1];
}
$tempArray[] = $GLOBALS['TYPO3_DB']->fullQuoteStr($listValue, $table);
}
}
$markerValues[$marker] = implode(',', $tempArray);
} else {
// handle remaining values as string
$markerValues[$marker] = $GLOBALS['TYPO3_DB']->fullQuoteStr($tempValue, $table);
}
} else {
// handle remaining values as string
$markerValues[$marker] = $GLOBALS['TYPO3_DB']->fullQuoteStr($tempValue, $table);
}
}
}
}
return $markerValues;
}
......
/***********************************************
*
* Frontend editing functions
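Review bot: The float branches in getQueryMarkers (`$markerValues[$marker] = floatval($tempValue);` and the matching `$tempArray[] = floatval($listValue);` in the list case) store a PHP float that getQuery later interpolates into the SQL text with `str_replace`, and that implicit float-to-string conversion follows the process locale on this PHP generation, so under a locale with a comma decimal separator the unquoted marker becomes `1,5` — an extra list element or a syntax error rather than the intended number. Emitting a locale-independent string at the point of quoting closes that, e.g. `$markerValues[$marker] = sprintf('%F', floatval($tempValue));` and `$tempArray[] = sprintf('%F', floatval($listValue));`. In the getQuery hunk, which is shown only in part here, the `foreach ($queryParts as $queryPartKey => &$queryPartValue)` loop leaves `$queryPartValue` bound to the last element of `$queryParts`, an array that can be handed back to the caller via `$returnQueryArray`, so it should be followed by `unset($queryPartValue);`. The docblock's statement that markers prevent SQL injection is accurate for values, but since every non-numeric marker is emitted through fullQuoteStr as a quoted literal while the replacement also runs over selectFields, groupBy and orderBy, it would help to add to it that a marker cannot supply a column or table name in those properties — it will arrive as a string constant, not an identifier.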