From: Joe Presbrey
Date: Thu, 2 Nov 2006 17:24:12 +0000 (+0000)
Subject: buildSQL can have fields designated as safe
X-Git-Url: http://andersk.mit.edu/gitweb/sql-web.git/commitdiff_plain/ba40a1cad8e1d95c592016654250d23ad2e96c3a

buildSQL can have fields designated as safe

git-svn-id: svn://presbrey.mit.edu/php/lib@114 a142d4bd-2cfb-0310-9673-cb33a7e74f58
---

diff --git a/lib/joe/joe.lib.php b/lib/joe/joe.lib.php
index 93bfc21..dd7be0a 100644
--- a/lib/joe/joe.lib.php
+++ b/lib/joe/joe.lib.php
@@ -117,21 +117,27 @@ function printList($class,$err) {
 }
 }
 
-function buildSQLSet($fields, $values=null) {
-$ex = array('NOW()','NULL');
-$sql = 'SET';
+function buildSQLSet($fields, $values=null, $safeFields=false) {
+$ex = array('NOW()','NULL','/FROM_UNIXTIME\(\d+\)/');
+$sql = '';
 $c = 0;
 if (!is_null($values)) {
 foreach($fields as $field) {
 if ($c++) $sql .= ',';
-$sql .= " `$field`='".mysql_real_escape_string(array_shift($values))."'";
+$value = array_shift($values);
+if (is_numeric($value))
+$sql .= " `$field`=".mysql_real_escape_string($value);
+else
+$sql .= " `$field`='".mysql_real_escape_string($value)."'";
 }
 } else {
 foreach($fields as $field=>$value) {
 if ($c++) $sql .= ',';
-if (in_array($value,$ex)) {
-$sql .= " `$field`= $value";
-} else {
+if (in_array($value,$ex) || (is_array($safeFields) && in_array($field,$safeFields))) {
+$sql .= " `$field`=$value";
+} elseif (is_numeric($value)) {
+$sql .= " `$field`=".mysql_real_escape_string($value);
+} else {
 $sql .= " `$field`='".mysql_real_escape_string($value)."'";
 }
 }
@@ -139,8 +145,8 @@ function buildSQLSet($fields, $values=null) {
 return $sql;
 }
 
-function buildSQLInsert($array, $table=null) {
-$ex = array('NOW()','NULL');
+function buildSQLInsert($array, $table=null, $safeFields=false) {
+$ex = array('NOW()','NULL','/FROM_UNIXTIME\(\d+\)/');
 $sql = '(';
 $c = 0;
 foreach($array as $field=>$value) {
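Review bot: The new `'/FROM_UNIXTIME\(\d+\)/'` entry in `$ex` can never match, because `in_array($value,$ex)` compares by equality rather than by pattern, so a value such as `FROM_UNIXTIME(1162488252)` still falls through to the quoted-and-escaped branch; the same dead entry is added to `buildSQLInsert` in the next hunk. An explicit anchored match does what the entry intends, e.g. `if (in_array($value,$ex,true) || preg_match('/^FROM_UNIXTIME\(\d+\)$/', $value) || (is_array($safeFields) && in_array($field,$safeFields,true))) {`, where the added `true` also stops PHP's loose comparison from treating an integer `0` as equal to `'NOW()'`. Because the `$safeFields` branch concatenates `$value` with no escaping at all, the function header should say so: `// $safeFields: names of fields whose values are emitted verbatim (no quoting or escaping); only pass values built by trusted code, never request data`. Note also that `$sql` now starts as `''` instead of `'SET'`, so any existing caller that relied on the leading keyword must be updated, and that the positional `$values` branch ignores `$safeFields` entirely, which the documentation should state.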
@@ -150,12 +156,17 @@ function buildSQLInsert($array, $table=null) {
 $sql .= ') VALUES (';
 $c = 0;
 foreach($array as $field=>$value) {
-$v = mysql_real_escape_string($value);
 if ($c++) $sql .= ',';
-if (in_array($v, $ex))
-$sql .= " $v ";
-else
-$sql .= " '$v' ";
+if (in_array($value, $ex) || (is_array($safeFields) && in_array($field,$safeFields))) {
+$sql .= " $value ";
+} else {
+$value = mysql_real_escape_string($value);
+if (is_numeric($value)) {
+$sql .= " $value ";
+} else {
+$sql .= " '$value' ";
+}
+}
 }
 $sql .= ')';
 return (is_null($table)?$sql:('INSERT INTO `'.$table.'` '.$sql));
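Review bot: The `is_numeric($value)` branch changes what gets stored, not only how it is quoted: a string like `'0123'` or `'1e3'` that used to be inserted as the quoted literal it is will now be emitted as the bare numeric literal `0123` / `1e3`, which MySQL evaluates to `123` / `1000` before storing it in a string column, so zip codes, phone numbers and similar string-typed values lose their leading zeros silently. The same applies to the two `is_numeric` branches added to `buildSQLSet` in the first hunk. Quoting a numeric value is always accepted by MySQL for numeric columns, so the unquoted path is only needed for PHP numbers; testing the PHP type instead of the string's shape, `if (is_int($value) || is_float($value)) {`, keeps the old behaviour for every string input. The column-name loop at the top of `buildSQLInsert` lies outside this hunk.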