|
|
@@ -53,7 +53,7 @@ include "root.php";
|
|
|
|
|
|
public function connect() {
|
|
|
|
|
|
- if (strlen($this->type) == 0 && strlen($this->db_name) == 0) {
|
|
|
+ if (strlen($this->db_name) == 0) {
|
|
|
//include config.php
|
|
|
include "root.php";
|
|
|
if (file_exists($_SERVER["PROJECT_ROOT"]."/resources/config.php")) {
|
|
|
@@ -63,7 +63,7 @@ include "root.php";
|
|
|
} elseif (file_exists("/etc/fusionpbx/config.php")){
|
|
|
//linux
|
|
|
include "/etc/fusionpbx/config.php";
|
|
|
- } elseif (file_exists("/usr/local/etc/fusionpbx/config.php")){
|
|
|
+ } elseif (file_exists("/usr/local/etc/fusionpbx/config.php")) {
|
|
|
//bsd
|
|
|
include "/usr/local/etc/fusionpbx/config.php";
|
|
|
}
|
|
|
@@ -92,6 +92,9 @@ include "root.php";
|
|
|
$this->driver = $this->type;
|
|
|
}
|
|
|
|
|
|
+ //sanitize the database name
|
|
|
+ $this->db_name = preg_replace('#[^a-zA-Z0-9_\-]#', '', $this->db_name);
|
|
|
+
|
|
|
if ($this->driver == "sqlite") {
|
|
|
if (strlen($this->db_name) == 0) {
|
|
|
$server_name = $_SERVER["SERVER_NAME"];
|
|
|
@@ -233,6 +236,9 @@ include "root.php";
|
|
|
if (!$this->db) {
|
|
|
$this->connect();
|
|
|
}
|
|
|
+ //sanitize the names
|
|
|
+ $this->table = preg_replace('#[^a-zA-Z0-9_\-]#', '', $this->table);
|
|
|
+ $this->db_name = preg_replace('#[^a-zA-Z0-9_\-]#', '', $this->db_name);
|
|
|
//get the table info
|
|
|
if (strlen($this->table) == 0) { return false; }
|
|
|
if ($this->type == "sqlite") {
|
|
|
@@ -322,45 +328,97 @@ include "root.php";
|
|
|
if (!$this->db) {
|
|
|
$this->connect();
|
|
|
}
|
|
|
+ //sanitize the name
|
|
|
+ $this->table = preg_replace('#[^a-zA-Z0-9_\-]#', '', $this->table);
|
|
|
//get data from the database
|
|
|
$sql = "select * from ".$this->table." ";
|
|
|
if ($this->where) {
|
|
|
$i = 0;
|
|
|
if (is_array($this->where)) {
|
|
|
foreach($this->where as $row) {
|
|
|
+ //sanitize the name
|
|
|
+ $array['name'] = preg_replace('#[^a-zA-Z0-9_\-]#', '', $array['name']);
|
|
|
+
|
|
|
+ //validate the operator
|
|
|
+ switch ($row['operator']) {
|
|
|
+ case "<": break;
|
|
|
+ case ">": break;
|
|
|
+ case "<=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "<>": break;
|
|
|
+ case "!=": break;
|
|
|
+ default:
|
|
|
+ //invalid operator
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ //build the sql
|
|
|
if ($i == 0) {
|
|
|
- $sql .= 'where '.$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= 'where '.$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= 'where '.$row['name']." ".$row['operator']." :".$row['name']." ";
|
|
|
}
|
|
|
else {
|
|
|
- $sql .= "and ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= "and ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= "and ".$row['name']." ".$row['operator']." :".$row['name']." ";
|
|
|
}
|
|
|
+
|
|
|
+ //add the name and value to the params array
|
|
|
+ $params[$row['name']] = $row['value'];
|
|
|
+
|
|
|
+ //increment $i
|
|
|
$i++;
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
- if (count($this->order_by) > 0) {
|
|
|
+ if (is_array($this->order_by)) {
|
|
|
$sql .= "order by ";
|
|
|
$i = 1;
|
|
|
if (is_array($this->order_by)) {
|
|
|
foreach($this->order_by as $row) {
|
|
|
+ //sanitize the name
|
|
|
+ $row['name'] = preg_replace('#[^a-zA-Z0-9_\-]#', '', $row['name']);
|
|
|
+
|
|
|
+ //sanitize the order
|
|
|
+ switch ($row['order']) {
|
|
|
+ case "asc":
|
|
|
+ break;
|
|
|
+ case "desc":
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ $row['order'] = '';
|
|
|
+ }
|
|
|
+
|
|
|
+ //build the sql
|
|
|
if (count($this->order_by) == $i) {
|
|
|
$sql .= $row['name']." ".$row['order']." ";
|
|
|
}
|
|
|
else {
|
|
|
$sql .= $row['name']." ".$row['order'].", ";
|
|
|
}
|
|
|
+
|
|
|
+ //increment $i
|
|
|
$i++;
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
- if ($this->limit) {
|
|
|
- $sql .= " limit ".$this->limit." offset ".$this->offset." ";
|
|
|
+
|
|
|
+ //limit
|
|
|
+ if (isset($this->limit) && is_numeric($this->limit)) {
|
|
|
+ $sql .= "limit ".$this->limit." ";
|
|
|
+ }
|
|
|
+ //offset
|
|
|
+ if (isset($this->offset) && is_numeric($this->offset)) {
|
|
|
+ $sql .= "offset ".$this->offset." ";
|
|
|
}
|
|
|
- //echo $sql;
|
|
|
+
|
|
|
$prep_statement = $this->db->prepare($sql);
|
|
|
if ($prep_statement) {
|
|
|
- $prep_statement->execute();
|
|
|
- return $prep_statement->fetchAll(PDO::FETCH_ASSOC);
|
|
|
+ $prep_statement->execute($params);
|
|
|
+ $array = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
|
|
|
+ unset($prep_statement);
|
|
|
+ return $array;
|
|
|
}
|
|
|
else {
|
|
|
return false;
|
|
|
@@ -386,145 +444,60 @@ include "root.php";
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- public function add() {
|
|
|
- //connect to the database if needed
|
|
|
- if (!$this->db) {
|
|
|
- $this->connect();
|
|
|
- }
|
|
|
- //add data to the database
|
|
|
- $sql = "insert into ".$this->table;
|
|
|
- $sql .= " (";
|
|
|
- $i = 1;
|
|
|
- if (is_array($this->fields)) {
|
|
|
- foreach($this->fields as $name => $value) {
|
|
|
- if (count($this->fields) == $i) {
|
|
|
- $sql .= $name." ";
|
|
|
- }
|
|
|
- else {
|
|
|
- $sql .= $name.", ";
|
|
|
- }
|
|
|
- $i++;
|
|
|
- }
|
|
|
- }
|
|
|
- $sql .= ") ";
|
|
|
- $sql .= "values ";
|
|
|
- $sql .= "(";
|
|
|
- $i = 1;
|
|
|
- if (is_array($this->fields)) {
|
|
|
- foreach($this->fields as $name => $value) {
|
|
|
- if (count($this->fields) == $i) {
|
|
|
- if (strlen($value) > 0) {
|
|
|
- $sql .= "'".$value."' ";
|
|
|
- }
|
|
|
- else {
|
|
|
- $sql .= "'".$value."' ";
|
|
|
- }
|
|
|
- }
|
|
|
- else {
|
|
|
- if (strlen($value) > 0) {
|
|
|
- $sql .= "'".$value."', ";
|
|
|
- }
|
|
|
- else {
|
|
|
- $sql .= "null, ";
|
|
|
- }
|
|
|
- }
|
|
|
- $i++;
|
|
|
- }
|
|
|
- }
|
|
|
- $sql .= ")";
|
|
|
- //execute the query, show exceptions
|
|
|
- $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
|
|
|
- try {
|
|
|
- $this->sql = $sql;
|
|
|
- $this->db->exec($sql);
|
|
|
- }
|
|
|
- catch(PDOException $e) {
|
|
|
- echo "<b>Error:</b><br />\n";
|
|
|
- echo "<table>\n";
|
|
|
- echo "<tr>\n";
|
|
|
- echo "<td>\n";
|
|
|
- echo $e->getMessage();
|
|
|
- echo "</td>\n";
|
|
|
- echo "</tr>\n";
|
|
|
- echo "</table>\n";
|
|
|
- }
|
|
|
- unset($this->fields);
|
|
|
- unset($sql);
|
|
|
- }
|
|
|
-
|
|
|
- public function update() {
|
|
|
- //connect to the database if needed
|
|
|
- if (!$this->db) {
|
|
|
- $this->connect();
|
|
|
- }
|
|
|
- //udate the database
|
|
|
- $sql = "update ".$this->table." set ";
|
|
|
- $i = 1;
|
|
|
- if (is_array($this->fields)) {
|
|
|
- foreach($this->fields as $name => $value) {
|
|
|
- if (count($this->fields) == $i) {
|
|
|
- if (strlen($name) > 0 && $value == null) {
|
|
|
- $sql .= $name." = null ";
|
|
|
- }
|
|
|
- else {
|
|
|
- $sql .= $name." = '".$value."' ";
|
|
|
- }
|
|
|
- }
|
|
|
- else {
|
|
|
- if (strlen($name) > 0 && $value == null) {
|
|
|
- $sql .= $name." = null, ";
|
|
|
- }
|
|
|
- else {
|
|
|
- $sql .= $name." = '".$value."', ";
|
|
|
- }
|
|
|
- }
|
|
|
- $i++;
|
|
|
- }
|
|
|
- }
|
|
|
- $i = 0;
|
|
|
- if (is_array($this->where)) {
|
|
|
- foreach($this->where as $row) {
|
|
|
- if ($i == 0) {
|
|
|
- $sql .= 'where '.$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
- }
|
|
|
- else {
|
|
|
- $sql .= "and ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
- }
|
|
|
- $i++;
|
|
|
- }
|
|
|
- }
|
|
|
- $this->db->exec(check_sql($sql));
|
|
|
- unset($this->fields);
|
|
|
- unset($this->where);
|
|
|
- unset($sql);
|
|
|
- }
|
|
|
-
|
|
|
public function delete($array) {
|
|
|
//connect to the database if needed
|
|
|
if (!$this->db) {
|
|
|
$this->connect();
|
|
|
}
|
|
|
|
|
|
+ //sanitize the table name
|
|
|
+ $this->table = preg_replace('#[^a-zA-Z0-9_\-]#', '', $this->table);
|
|
|
+
|
|
|
//delete from the database
|
|
|
if (isset($this->table) && isset($this->where)) {
|
|
|
- $sql = "delete from ".$this->table." ";
|
|
|
$i = 0;
|
|
|
+ $sql = "delete from ".$this->table." ";
|
|
|
if (is_array($this->where)) {
|
|
|
foreach($this->where as $row) {
|
|
|
+ //sanitize the name
|
|
|
+ $row['name'] = preg_replace('#[^a-zA-Z0-9_\-]#', '', $row['name']);
|
|
|
+
|
|
|
+ //validate the operator
|
|
|
+ switch ($row['operator']) {
|
|
|
+ case "<": break;
|
|
|
+ case ">": break;
|
|
|
+ case "<=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "<>": break;
|
|
|
+ case "!=": break;
|
|
|
+ default:
|
|
|
+ //invalid operator
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ //build the sql
|
|
|
if ($i == 0) {
|
|
|
- $sql .= "where ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= $row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= "where ".$row['name']." ".$row['operator']." :".$row['name']." ";
|
|
|
}
|
|
|
else {
|
|
|
- $sql .= "and ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= $row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= "and ".$row['name']." ".$row['operator']." :".$row['name']." ";
|
|
|
}
|
|
|
+
|
|
|
+ //add the name and value to the params array
|
|
|
+ $params[$row['name']] = $row['value'];
|
|
|
+
|
|
|
+ //increment $i
|
|
|
$i++;
|
|
|
}
|
|
|
}
|
|
|
//echo $sql."<br>\n";
|
|
|
$prep_statement = $this->db->prepare($sql);
|
|
|
- $prep_statement->execute();
|
|
|
- unset($sql);
|
|
|
- unset($this->where);
|
|
|
+ $prep_statement->execute($params);
|
|
|
+ unset($sql, $this->where);
|
|
|
return;
|
|
|
}
|
|
|
|
|
|
@@ -923,30 +896,60 @@ include "root.php";
|
|
|
} //delete
|
|
|
|
|
|
public function count() {
|
|
|
+
|
|
|
//connect to the database if needed
|
|
|
if (!$this->db) {
|
|
|
$this->connect();
|
|
|
}
|
|
|
+ //sanitize the table name
|
|
|
+ $this->table = preg_replace('#[^a-zA-Z0-9_\-]#', '', $this->table);
|
|
|
+
|
|
|
//get the number of rows
|
|
|
$sql = "select count(*) as num_rows from ".$this->table." ";
|
|
|
if ($this->where) {
|
|
|
$i = 0;
|
|
|
if (is_array($this->where)) {
|
|
|
foreach($this->where as $row) {
|
|
|
+ //sanitize the name
|
|
|
+ $row['name'] = preg_replace('#[^a-zA-Z0-9_\-]#', '', $row['name']);
|
|
|
+
|
|
|
+ //validate the operator
|
|
|
+ switch ($row['operator']) {
|
|
|
+ case "<": break;
|
|
|
+ case ">": break;
|
|
|
+ case "<=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "<>": break;
|
|
|
+ case "!=": break;
|
|
|
+ default:
|
|
|
+ //invalid operator
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ //build the sql
|
|
|
if ($i == 0) {
|
|
|
- $sql .= "where ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= $row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= "where ".$row['name']." ".$row['operator']." :".$row['name']." ";
|
|
|
}
|
|
|
else {
|
|
|
- $sql .= "and ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= $row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= "and ".$row['name']." ".$row['operator']." :".$row['name']." ";
|
|
|
}
|
|
|
+
|
|
|
+ //add the name and value to the params array
|
|
|
+ $params[$row['name']] = $row['value'];
|
|
|
+
|
|
|
+ //increment $i
|
|
|
$i++;
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
unset($this->where);
|
|
|
- $prep_statement = $this->db->prepare(check_sql($sql));
|
|
|
+ $prep_statement = $this->db->prepare($sql);
|
|
|
if ($prep_statement) {
|
|
|
- $prep_statement->execute();
|
|
|
+ $prep_statement->execute($params);
|
|
|
$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
|
|
|
if ($row['num_rows'] > 0) {
|
|
|
return $row['num_rows'];
|
|
|
@@ -956,6 +959,7 @@ include "root.php";
|
|
|
}
|
|
|
}
|
|
|
unset($prep_statement);
|
|
|
+
|
|
|
} //count
|
|
|
|
|
|
public function select($sql) {
|
|
|
@@ -1008,7 +1012,7 @@ include "root.php";
|
|
|
$this->name = preg_replace('#[^a-zA-Z0-9_\-]#', '', $array['name']);
|
|
|
}
|
|
|
//set the uuid
|
|
|
- if (isset($array['uuid'])) {
|
|
|
+ if (isset($array['uuid']) and $this->is_uuid($array['uuid'])) {
|
|
|
$this->uuid = $array['uuid'];
|
|
|
}
|
|
|
//build the query
|
|
|
@@ -1022,32 +1026,59 @@ include "root.php";
|
|
|
$i = 0;
|
|
|
if (is_array($array)) {
|
|
|
foreach($array['where'] as $row) {
|
|
|
+ //sanitize the name
|
|
|
+ $array['name'] = preg_replace('#[^a-zA-Z0-9_\-]#', '', $array['name']);
|
|
|
+
|
|
|
+ //validate the operator
|
|
|
+ switch ($row['operator']) {
|
|
|
+ case "<": break;
|
|
|
+ case ">": break;
|
|
|
+ case "<=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "=": break;
|
|
|
+ case ">=": break;
|
|
|
+ case "<>": break;
|
|
|
+ case "!=": break;
|
|
|
+ default:
|
|
|
+ //invalid operator
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ //build the sql
|
|
|
if ($i == 0) {
|
|
|
- $sql .= "WHERE ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= "WHERE ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= "WHERE ".$row['name']." ".$row['operator']." :".$row['value']." ";
|
|
|
}
|
|
|
else {
|
|
|
- $sql .= "AND ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ //$sql .= "AND ".$row['name']." ".$row['operator']." '".$row['value']."' ";
|
|
|
+ $sql .= "AND ".$row['name']." ".$row['operator']." :".$row['value']." ";
|
|
|
}
|
|
|
+
|
|
|
+ //add the name and value to the params array
|
|
|
+ $params[$row['name']] = $row['value'];
|
|
|
+
|
|
|
+ //increment $i
|
|
|
$i++;
|
|
|
}
|
|
|
}
|
|
|
//order by
|
|
|
- if (is_array($array['order_by'])) {
|
|
|
+ if (isset($array['order_by'])) {
|
|
|
+ $array['order_by'] = preg_replace('#[^a-zA-Z0-9_\-]#', '', $array['order_by']);
|
|
|
$sql .= "ORDER BY ".$array['order_by']." ";
|
|
|
}
|
|
|
//limit
|
|
|
- if (isset($array['limit'])) {
|
|
|
+ if (isset($array['limit']) && is_numeric($array['limit'])) {
|
|
|
$sql .= "LIMIT ".$array['limit']." ";
|
|
|
}
|
|
|
//offset
|
|
|
- if (isset($array['offset'])) {
|
|
|
+ if (isset($array['offset']) && is_numeric($array['offset'])) {
|
|
|
$sql .= "OFFSET ".$array['offset']." ";
|
|
|
}
|
|
|
}
|
|
|
//execute the query, and return the results
|
|
|
try {
|
|
|
- $prep_statement = $this->db->prepare(check_sql($sql));
|
|
|
- $prep_statement->execute();
|
|
|
+ $prep_statement = $this->db->prepare($sql);
|
|
|
+ $prep_statement->execute($params);
|
|
|
$message["message"] = "OK";
|
|
|
$message["code"] = "200";
|
|
|
$message["details"][$m]["name"] = $this->name;
|
|
|
@@ -1879,12 +1910,9 @@ include "root.php";
|
|
|
require_once "resources/classes/database.php";
|
|
|
$database = new database;
|
|
|
$database->domain_uuid = $_SESSION["domain_uuid"];
|
|
|
- $database->type = $db_type;
|
|
|
$database->table = "v_ivr_menus";
|
|
|
$fields[0]['name'] = 'domain_uuid';
|
|
|
$fields[0]['value'] = $_SESSION["domain_uuid"];
|
|
|
- $database->add();
|
|
|
- print_r($database->result);
|
|
|
-*/
|
|
|
+ echo $database->count();
|
|
|
|
|
|
?>
|
FusionPBX