diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2013-03-25 23:59:34 +0100 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2013-03-25 23:59:34 +0100 |
| commit | 1c3f5ba6ef9d2416d1b83d802ea83fa1df027805 (patch) | |
| tree | a38a30139604852abd4f5749696663b92a12d738 /lib/db.php | |
| parent | c2a49b5c1f7c06497da9285b82775914b0445ddb (diff) | |
| download | nextcloud-server-1c3f5ba6ef9d2416d1b83d802ea83fa1df027805.tar.gz nextcloud-server-1c3f5ba6ef9d2416d1b83d802ea83fa1df027805.zip | |
Properly prepare insertIfNotExist queries.
Diffstat (limited to 'lib/db.php')
| -rw-r--r-- | lib/db.php | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/lib/db.php b/lib/db.php index 9699b216f6f..cfa3b6cb979 100644 --- a/lib/db.php +++ b/lib/db.php @@ -633,18 +633,20 @@ class OC_DB { $type = self::$type; $query = ''; + $inserts = array_values($input); // differences in escaping of table names ('`' for mysql) and getting the current timestamp if( $type == 'sqlite' || $type == 'sqlite3' ) { // NOTE: For SQLite we have to use this clumsy approach // otherwise all fieldnames used must have a unique key. $query = 'SELECT * FROM "' . $table . '" WHERE '; foreach($input as $key => $value) { - $query .= $key . " = '" . $value . '\' AND '; + $query .= $key . ' = ? AND '; } $query = substr($query, 0, strlen($query) - 5); try { $stmt = self::prepare($query); - $result = $stmt->execute(); + $result = $stmt->execute($inserts); + } catch(PDOException $e) { $entry = 'DB Error: "'.$e->getMessage() . '"<br />'; $entry .= 'Offending command was: ' . $query . '<br />'; @@ -653,27 +655,28 @@ class OC_DB { OC_Template::printErrorPage( $entry ); } - if($result->numRows() == 0) { + if((int)$result->numRows() === 0) { $query = 'INSERT INTO "' . $table . '" ("' - . implode('","', array_keys($input)) . '") VALUES("' - . implode('","', array_values($input)) . '")'; + . implode('","', array_keys($input)) . '") VALUES(' + . str_repeat('?,', count($input)-1).'? ' . ')'; } else { return true; } } elseif( $type == 'pgsql' || $type == 'oci' || $type == 'mysql' || $type == 'mssql') { - $query = 'INSERT INTO `' .$table . '` (' - . implode(',', array_keys($input)) . ') SELECT \'' - . implode('\',\'', array_values($input)) . '\' FROM ' . $table . ' WHERE '; + $query = 'INSERT INTO `' .$table . '` (`' + . implode('`,`', array_keys($input)) . '`) SELECT ' + . str_repeat('?,', count($input)-1).'? ' // Is there a prettier alternative? + . 'FROM ' . $table . ' WHERE '; foreach($input as $key => $value) { - $query .= $key . " = '" . $value . '\' AND '; + $query .= '`' . $key . '` = ? AND '; } $query = substr($query, 0, strlen($query) - 5); $query .= ' HAVING COUNT(*) = 0'; + $inserts = array_merge($inserts, $inserts); } - // TODO: oci should be use " (quote) instead of ` (backtick). - //OC_Log::write('core', __METHOD__ . ', type: ' . $type . ', query: ' . $query, OC_Log::DEBUG); + // TODO: oci should be use " (quote) instead of ` (backtick)? try { $result = self::prepare($query); @@ -685,7 +688,7 @@ class OC_DB { OC_Template::printErrorPage( $entry ); } - return $result->execute(); + return $result->execute($inserts); } /** |