-rw-r--r--it_db_table.class4
-rw-r--r--it_dbi.class29
2 files changed, 19 insertions, 14 deletions
diff --git a/it_db_table.class b/it_db_table.class
index 5536ccf..455cf2e 100644
--- a/it_db_table.class
+++ b/it_db_table.class
@@ -55,10 +55,12 @@ function safe_sql_select($query, $fields="*")
/**
* Create an SQL query (the stuff after 'WHERE').
* @see it_dbi::_where() for more details.
+ * @param $sql Optional SQL addendum (added after $params), for ORDER BY etc.
+ * @param $omit_where (optional) Do not add 'WHERE ' at beginning of result (default: false)
*/
function construct_sql_clause($params='', $sql='', $omit_where=false)
{
- return it_dbi::_where($params, $sql, $omit_where);
+ return trim(it_dbi::_where($params, null, $omit_where) . " $sql");
}
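Review bot: The new call on the `return` line passes `null` as the link, so every value in `$params` is escaped by `mysql_real_escape_string()` without a connection argument, which falls back to the most recently opened MySQL link and that link's character set rather than the connection this table actually queries; when more than one link is open the escaping can be done against the wrong connection. If `it_db_table` holds its own link it should be forwarded here, otherwise the fallback deserves a line in the docblock, e.g. ` * Note: values are escaped via the default (last opened) MySQL link, since no link is passed to it_dbi::_where().`. The docblock should also say that `$sql` is appended verbatim and must not contain caller-supplied values, since nothing in this function escapes it.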
diff --git a/it_dbi.class b/it_dbi.class
index 7c3c965..de5d13a 100644
--- a/it_dbi.class
+++ b/it_dbi.class
@@ -208,12 +208,12 @@ function _set(&$tags)
* fieldname can contain an operator (separated by space), the
* default operator is '='. The special operator 'NI' specifies
* that the argument must be contained in a comma-separated list.
- * @param $sql Optional SQL addendum (added after $params), for ORDER BY etc.
- * @param $omit_where (optional) Do not add 'WHERE ' at beginning of result (default: false)
+ * @param $link DB link used to escape values
+ * @param $omit_where Do not add 'WHERE ' to result, used in it_db_table
* @return The generated SQL clause
* @see it_db_record::select, it_db_record::fetch_next
*/
-function _where($params='', $sql='', $omit_where=false)
+function _where($params = "", $link = null, $omit_where = false)
{
if (is_array($params) && (count($params) > 0))
{
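Review bot: The new `@param $link` line says only "DB link used to escape values" but the default is `null`, and the docblock should state what happens then, since the behaviour differs from passing a link: `* @param $link DB link used to escape values; if null, mysql_real_escape_string() falls back to the last opened connection (and its charset)`. It is also worth noting in the same docblock that the former second parameter `$sql` is gone, so any caller still passing an SQL addendum in that position now hands a string to the escaping call (see the ternary in the next hunk). The body of `_where()` continues outside this hunk.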
@@ -256,7 +256,7 @@ function _where($params='', $sql='', $omit_where=false)
$qval = $value;
}
else if (!is_array($value))
- $qval = "'".mysql_real_escape_string((string)$value)."'";
+ $qval = "'" . ($link ? mysql_real_escape_string((string)$value, $link) : mysql_real_escape_string((string)$value)) . "'";
}
switch ($op)
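Review bot: The ternary on the added `$qval` line only tests truthiness of `$link`, so a caller still using the old signature `_where($params, $sql)` passes a non-empty string here and `mysql_real_escape_string((string)$value, 'ORDER BY …')` fails, returning `false`, which interpolates as the empty string; every quoted value then silently collapses to `''` and the clause changes meaning instead of erroring. Testing the actual type, `$qval = "'" . (is_resource($link) ? mysql_real_escape_string((string)$value, $link) : mysql_real_escape_string((string)$value)) . "'";`, keeps an accidental string from being treated as a link, and a loud failure (trigger_error) would be better still. The same ternary is duplicated in the array branch of the following hunk (`foreach ($value as $val)`), so a small private helper that takes `$value` and `$link` would keep the escaping policy in one place. `_where()` starts and ends outside this hunk.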
@@ -270,7 +270,14 @@ function _where($params='', $sql='', $omit_where=false)
if (is_array($value))
{
if ($value)
- $query .= "$sep$field $op ('" . join("','", array_map('mysql_real_escape_string', $value)) . "')"; # null is mapped to ''
+ {
+ $qvals = array();
+
+ foreach ($value as $val)
+ $qvals[] = $link ? mysql_real_escape_string($val, $link) : mysql_real_escape_string($val);
+
+ $query .= "$sep$field $op ('" . join("','", $qvals) . "')"; # null is mapped to ''
+ }
else
$query .= $sep . "0";
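Review bot: Inside the new `foreach`, `$val` is passed to `mysql_real_escape_string()` without the `(string)` cast that the scalar branch of the previous hunk applies, so the two code paths treat non-string elements differently; a nested array element produces a warning and `null`, which the `join` then emits as an unquoted gap inside the quoted list. Using `$qvals[] = $link ? mysql_real_escape_string((string)$val, $link) : mysql_real_escape_string((string)$val);` makes the array path match the scalar one and keeps the "null is mapped to ''" comment accurate. Separately, `$field` and `$op` on the `$query .=` line are interpolated unescaped from the `$params` keys; that predates this commit, but since the line is being rewritten it is the place for a comment such as `# $field/$op come from the array keys and are not escaped: keys must never be caller-controlled`.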
@@ -290,12 +297,8 @@ function _where($params='', $sql='', $omit_where=false)
}
if ($needs_where && !$omit_where)
- $query = 'WHERE '.$query;
-
- if ($sql)
- $query .= ' ';
+ $query = "WHERE $query";
}
- $query .= $sql;
return $query;
}
@@ -452,7 +455,7 @@ function select($query = null)
$nofetch = $this->_nofetch = isset($query['NOFETCH']) ? $query['NOFETCH'] : false;
unset($query['NOFETCH']);
- if ($this->_result = $this->query($sql = "SELECT $what FROM $join " . $this->_where($query)))
+ if ($this->_result = $this->query($sql = "SELECT $what FROM $join " . $this->_where($query, $this->_link)))
$result = mysql_num_rows($this->_result);
if ($calc_found_rows)
@@ -560,7 +563,7 @@ function update($tags = array(), $query = null)
$query = array($this->_keyfield => $this->_data[$this->_keyfield]);
if ($set = $this->_set($tags))
- if ($result = $this->query("UPDATE $this->_table $set " . $this->_where($query)))
+ if ($result = $this->query("UPDATE $this->_table $set " . $this->_where($query, $this->_link)))
if (isset($this->_key) && $this->read($this->_key))
$this->_nofetch = false; # So we can do while(iterate()) update();
@@ -585,7 +588,7 @@ function delete($query = null)
if ($query)
{
- if ($this->query(($sql = "DELETE FROM $this->_table " . $this->_where($query))))
+ if ($this->query(($sql = "DELETE FROM $this->_table " . $this->_where($query, $this->_link))))
$result = mysql_affected_rows($this->_link);
}