Merge pull request #2567 from owncloud/fix_insertIfNotExist

Properly prepare insertIfNotExist queries.
Thomas Tanghus 2013-03-26 08:59:10 -07:00
commit 74852243e2
1 changed files with 16 additions and 15 deletions


@ -633,18 +633,20 @@ class OC_DB {
$type = self::$type; $type = self::$type;
$query = ''; $query = '';
$inserts = array_values($input);
// differences in escaping of table names ('`' for mysql) and getting the current timestamp // differences in escaping of table names ('`' for mysql) and getting the current timestamp
if( $type == 'sqlite' || $type == 'sqlite3' ) { if( $type == 'sqlite' || $type == 'sqlite3' ) {
// NOTE: For SQLite we have to use this clumsy approach // NOTE: For SQLite we have to use this clumsy approach
// otherwise all fieldnames used must have a unique key. // otherwise all fieldnames used must have a unique key.
$query = 'SELECT * FROM "' . $table . '" WHERE '; $query = 'SELECT * FROM `' . $table . '` WHERE ';
foreach($input as $key => $value) { foreach($input as $key => $value) {
$query .= $key . " = '" . $value . '\' AND '; $query .= '`' . $key . '` = ? AND ';
} }
$query = substr($query, 0, strlen($query) - 5); $query = substr($query, 0, strlen($query) - 5);
try { try {
$stmt = self::prepare($query); $stmt = self::prepare($query);
$result = $stmt->execute(); $result = $stmt->execute($inserts);
} catch(PDOException $e) { } catch(PDOException $e) {
$entry = 'DB Error: "'.$e->getMessage() . '"<br />'; $entry = 'DB Error: "'.$e->getMessage() . '"<br />';
$entry .= 'Offending command was: ' . $query . '<br />'; $entry .= 'Offending command was: ' . $query . '<br />';
@ -653,28 +655,27 @@ class OC_DB {
OC_Template::printErrorPage( $entry ); OC_Template::printErrorPage( $entry );
} }
if($result->numRows() == 0) { if((int)$result->numRows() === 0) {
$query = 'INSERT INTO "' . $table . '" ("' $query = 'INSERT INTO `' . $table . '` (`'
. implode('","', array_keys($input)) . '") VALUES("' . implode('`,`', array_keys($input)) . '`) VALUES('
. implode('","', array_values($input)) . '")'; . str_repeat('?,', count($input)-1).'? ' . ')';
} else { } else {
return true; return true;
} }
} elseif( $type == 'pgsql' || $type == 'oci' || $type == 'mysql' || $type == 'mssql') { } elseif( $type == 'pgsql' || $type == 'oci' || $type == 'mysql' || $type == 'mssql') {
$query = 'INSERT INTO `' .$table . '` (' $query = 'INSERT INTO `' .$table . '` (`'
. implode(',', array_keys($input)) . ') SELECT \'' . implode('`,`', array_keys($input)) . '`) SELECT '
. implode('\',\'', array_values($input)) . '\' FROM ' . $table . ' WHERE '; . str_repeat('?,', count($input)-1).'? ' // Is there a prettier alternative?
. 'FROM `' . $table . '` WHERE ';
foreach($input as $key => $value) { foreach($input as $key => $value) {
$query .= $key . " = '" . $value . '\' AND '; $query .= '`' . $key . '` = ? AND ';
} }
$query = substr($query, 0, strlen($query) - 5); $query = substr($query, 0, strlen($query) - 5);
$query .= ' HAVING COUNT(*) = 0'; $query .= ' HAVING COUNT(*) = 0';
$inserts = array_merge($inserts, $inserts);
} }
// TODO: oci should be use " (quote) instead of ` (backtick).
//OC_Log::write('core', __METHOD__ . ', type: ' . $type . ', query: ' . $query, OC_Log::DEBUG);
try { try {
$result = self::prepare($query); $result = self::prepare($query);
} catch(PDOException $e) { } catch(PDOException $e) {
@ -685,7 +686,7 @@ class OC_DB {
OC_Template::printErrorPage( $entry ); OC_Template::printErrorPage( $entry );
} }
return $result->execute(); return $result->execute($inserts);
} }
/** /**
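Review bot: Only the values are bound through `execute($inserts)`; `$table` and the keys of `$input` are still concatenated into the statement text, in both `foreach` loops and in the `array_keys($input)` column lists of the SQLite and the pgsql/oci/mysql/mssql branches. Wrapping them in backticks does not neutralise a backtick inside the identifier itself, so the query is safe only while every caller passes fixed table and column names, which this page does not show. I would either state that contract in the docblock, e.g. `@param array $input column => value; keys and $table must be trusted identifiers, never request data`, or reject any key that fails an identifier pattern before the query is built. Separately, an empty `$input` reaches `str_repeat('?,', count($input)-1)` with a negative count and the later `substr()` then cuts into the `WHERE` keyword, so an early guard for that case is worth adding. The function signature and its docblock are outside the visible hunks.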