From 983823c499ab3aea81298a8284dbb8d28b4a1b1b Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Wed, 8 Aug 2007 12:33:16 +0000
Subject: Make _where use proper db link and moved db_table only code to db_table.class

---
 it_dbi.class | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

(limited to 'it_dbi.class')

diff --git a/it_dbi.class b/it_dbi.class
index 7c3c965..de5d13a 100644
--- a/it_dbi.class
+++ b/it_dbi.class
@@ -208,12 +208,12 @@ function _set(&$tags)
  * fieldname can contain an operator (separated by space), the
  * default operator is '='. The special operator 'NI' specifies
  * that the argument must be contained in a comma-separated list.
- * @param $sql Optional SQL addendum (added after $params), for ORDER BY etc.
- * @param $omit_where (optional) Do not add 'WHERE ' at beginning of result (default: false)
+ * @param $link DB link used to escape values
+ * @param $omit_where Do not add 'WHERE ' to result, used in it_db_table
  * @return The generated SQL clause
  * @see it_db_record::select, it_db_record::fetch_next
  */
-function _where($params='', $sql='', $omit_where=false)
+function _where($params = "", $link = null, $omit_where = false)
 {
 	if (is_array($params) && (count($params) > 0))
 	{
@@ -256,7 +256,7 @@ function _where($params='', $sql='', $omit_where=false)
 				$qval = $value;
 			}
 			else if (!is_array($value))
-				$qval = "'".mysql_real_escape_string((string)$value)."'";
+				$qval = "'" . ($link ? mysql_real_escape_string((string)$value, $link) : mysql_real_escape_string((string)$value)) . "'";
 		}
 
 		switch ($op)
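Review bot: Changing the second positional parameter of `_where` from `$sql` (a string) to `$link` (a resource) without a type check means any caller not updated in this commit now hands its ORDER BY addendum to `mysql_real_escape_string()` as the link; that call emits a warning and returns a non-string, so every value is quoted as the empty literal `''` and the addendum is silently dropped instead of failing. A guard at the top of the new function body, `if ($link !== null && !is_resource($link)) trigger_error("_where(): \$link must be a MySQL link resource", E_USER_ERROR);`, turns that into a loud failure. The `@param $link` line should also say the parameter is optional and what happens when it is omitted. The body of `_where` and the callers moved to it_db_table are outside this hunk.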
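Review bot: The fallback on the new `$qval` line, `mysql_real_escape_string((string)$value)` with no link, escapes against whichever MySQL connection was opened last (or a default one), so the escaping may use a different connection character set than the connection this query is sent on, which is the mismatch passing `$link` is meant to prevent. If no connection can be found the call returns false after a warning, and the concatenation yields the literal `''`, making a failed escape indistinguishable from an empty value. At minimum the line deserves a comment such as `# no $link: escapes against the default connection, whose charset may differ from the one this query runs on`, and a `false` return should arguably be treated as an error rather than quoted. The enclosing function continues outside the hunk.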
@@ -270,7 +270,14 @@ function _where($params='', $sql='', $omit_where=false)
 			if (is_array($value))
 			{
 				if ($value)
-					$query .= "$sep$field $op ('" . join("','", array_map('mysql_real_escape_string', $value)) . "')"; # null is mapped to ''
+				{
+					$qvals = array();
+
+					foreach ($value as $val)
+						$qvals[] = $link ? mysql_real_escape_string($val, $link) : mysql_real_escape_string($val);
+
+					$query .= "$sep$field $op ('" . join("','", $qvals) . "')"; # null is mapped to ''
+				}
 				else
 					$query .= $sep . "0";
 
@@ -290,12 +297,8 @@ function _where($params='', $sql='', $omit_where=false)
 		}
 
 		if ($needs_where && !$omit_where)
-			$query = 'WHERE '.$query;
-
-		if ($sql)
-			$query .= ' ';
+			$query = "WHERE $query";
 	}
-	$query .= $sql;
 
 	return $query;
 }
@@ -452,7 +455,7 @@ function select($query = null)
 	$nofetch = $this->_nofetch = isset($query['NOFETCH']) ? $query['NOFETCH'] : false;
 	unset($query['NOFETCH']);
 
-	if ($this->_result = $this->query($sql = "SELECT $what FROM $join " . $this->_where($query)))
+	if ($this->_result = $this->query($sql = "SELECT $what FROM $join " . $this->_where($query, $this->_link)))
 		$result = mysql_num_rows($this->_result);
 
 	if ($calc_found_rows)
@@ -560,7 +563,7 @@ function update($tags = array(), $query = null)
 		$query = array($this->_keyfield => $this->_data[$this->_keyfield]);
 
 	if ($set = $this->_set($tags))
-		if ($result = $this->query("UPDATE $this->_table $set " . $this->_where($query)))
+		if ($result = $this->query("UPDATE $this->_table $set " . $this->_where($query, $this->_link)))
 			if (isset($this->_key) && $this->read($this->_key))
 				$this->_nofetch = false; # So we can do while(iterate()) update();
 
@@ -585,7 +588,7 @@ function delete($query = null)
 
 	if ($query)
 	{
-		if ($this->query(($sql = "DELETE FROM $this->_table " . $this->_where($query))))
+		if ($this->query(($sql = "DELETE FROM $this->_table " . $this->_where($query, $this->_link))))
 			$result = mysql_affected_rows($this->_link);
 	}
 
-- 
cgit v1.2.3
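Review bot: The array branch `$qvals[] = $link ? mysql_real_escape_string($val, $link) : mysql_real_escape_string($val);` does not cast `$val` to string, unlike the scalar branch earlier in this function, so a nested array or object element produces a warning and a non-string result that the join turns into `''`, silently matching rows whose field is empty; `(string)$val` in both calls keeps the branches consistent. Separately, `$field` and `$op` are interpolated unescaped into `"$sep$field $op ('"`, which is only safe if they are taken from code-controlled keys and the `switch ($op)` that precedes this hunk restricts the operator; whether any caller passes request data as array keys cannot be seen here and is worth confirming. The enclosing function starts before this hunk.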