buildSQL can have fields designated as safe

author Joe Presbrey <presbrey@mit.edu>

Thu, 2 Nov 2006 17:24:12 +0000 (17:24 +0000)

committer Joe Presbrey <presbrey@mit.edu>

Thu, 2 Nov 2006 17:24:12 +0000 (17:24 +0000)
author Joe Presbrey <presbrey@mit.edu>
Thu, 2 Nov 2006 17:24:12 +0000 (17:24 +0000)
committer Joe Presbrey <presbrey@mit.edu>
Thu, 2 Nov 2006 17:24:12 +0000 (17:24 +0000)
diff --git a/lib/joe/joe.lib.php b/lib/joe/joe.lib.php

index 93bfc219bf5ab8e69f0b5ffefa34c7e721a34289..dd7be0aa74fd709526d41094797ac899f9126cd8 100644 (file)
--- a/lib/joe/joe.lib.php
+++ b/lib/joe/joe.lib.php
@@ -117,21 +117,27 @@ function printList($class,$err) {
      }
  }
  
-function buildSQLSet($fields, $values=null) {
-    $ex = array('NOW()','NULL');
-    $sql = 'SET';
+function buildSQLSet($fields, $values=null, $safeFields=false) {
+    $ex = array('NOW()','NULL','/FROM_UNIXTIME\(\d+\)/');
+    $sql = '';
      $c = 0;
      if (!is_null($values)) {
          foreach($fields as $field) {
              if ($c++) $sql .= ',';
-            $sql .= " `$field`='".mysql_real_escape_string(array_shift($values))."'";
+                       $value = array_shift($values);
+                       if (is_numeric($value))
+                               $sql .= " `$field`=".mysql_real_escape_string($value);
+                       else
+                               $sql .= " `$field`='".mysql_real_escape_string($value)."'";
          }
      } else {
          foreach($fields as $field=>$value) {
              if ($c++) $sql .= ',';
-            if (in_array($value,$ex)) {
-                $sql .= " `$field`= $value";
-            } else {
+            if (in_array($value,$ex) || (is_array($safeFields) && in_array($field,$safeFields))) {
+                $sql .= " `$field`=$value";
+            } elseif (is_numeric($value)) {
+                $sql .= " `$field`=".mysql_real_escape_string($value);
+                       } else {
                  $sql .= " `$field`='".mysql_real_escape_string($value)."'";
              }
          }
@@ -139,8 +145,8 @@ function buildSQLSet($fields, $values=null) {
      return $sql;
  }
  
-function buildSQLInsert($array, $table=null) {
-    $ex = array('NOW()','NULL');
+function buildSQLInsert($array, $table=null, $safeFields=false) {
+    $ex = array('NOW()','NULL','/FROM_UNIXTIME\(\d+\)/');
      $sql = '(';
      $c = 0;
      foreach($array as $field=>$value) {
@@ -150,12 +156,17 @@ function buildSQLInsert($array, $table=null) {
      $sql .= ') VALUES (';
      $c = 0;
         foreach($array as $field=>$value) {
-        $v = mysql_real_escape_string($value);
          if ($c++) $sql .= ',';
-        if (in_array($v, $ex))
-            $sql .= " $v ";
-        else
-            $sql .= " '$v' ";
+        if (in_array($value, $ex) || (is_array($safeFields) && in_array($field,$safeFields))) {
+            $sql .= " $value ";
+               } else {
+               $value = mysql_real_escape_string($value);
+                       if (is_numeric($value)) {
+                               $sql .= " $value ";
+                       } else {
+                               $sql .= " '$value' ";
+                       }
+               }
      }
      $sql .= ')';
      return (is_null($table)?$sql:('INSERT INTO `'.$table.'` '.$sql));
author	Joe Presbrey <presbrey@mit.edu>
	Thu, 2 Nov 2006 17:24:12 +0000 (17:24 +0000)
committer	Joe Presbrey <presbrey@mit.edu>
	Thu, 2 Nov 2006 17:24:12 +0000 (17:24 +0000)