Completed
Pull Request — master (#2282)
by ྅༻ Ǭɀħ
01:46
created

includes/ezSQL/ez_sql_mysql.php (2 issues)

<?php

	/**********************************************************************
	*  Author: Justin Vincent ([email protected])
	*  Web...: http://twitter.com/justinvincent
	*  Name..: ezSQL_mysql
	*  Desc..: mySQL component (part of ezSQL database abstraction library)
	*
	*/

	/**********************************************************************
	*  ezSQL error strings - mySQL
	*
	*  Numbered messages registered by ezSQL_mysql when connecting to the
	*  server (1, 2) or selecting a database (3, 4, 5) fails.
	*/

	// Declared global so the table is reachable from the class methods even
	// when this file is included from inside a function
	global $ezsql_mysql_str;

	$ezsql_mysql_str = array();

	// connect(): missing credentials / server handle could not be opened
	$ezsql_mysql_str[1] = 'Require $dbuser and $dbpassword to connect to a database server';
	$ezsql_mysql_str[2] = 'Error establishing mySQL database connection. Correct user/password? Correct hostname? Database server running?';

	// select(): missing name / no open handle / fallback when the server
	// supplies no error text of its own
	$ezsql_mysql_str[3] = 'Require $dbname to select a database';
	$ezsql_mysql_str[4] = 'mySQL database connection is not active';
	$ezsql_mysql_str[5] = 'Unexpected error while trying to select database';
	/**********************************************************************
	*  ezSQL Database specific class - mySQL
	*/

	// Load-time guards: stop immediately if a prerequisite is missing.
	// The mysql_* API (ext/mysql) was deprecated in PHP 5.5 and removed in
	// PHP 7.0, so the first guard fails on any runtime that no longer ships it.
	if ( ! function_exists ('mysql_connect') )
	{
		die('<b>Fatal Error:</b> ezSQL_mysql requires mySQL Lib to be compiled and or linked in to the PHP engine');
	}

	// The class below extends ezSQLcore, so it has to be defined first
	if ( ! class_exists ('ezSQLcore') )
	{
		die('<b>Fatal Error:</b> ezSQL_mysql requires ezSQLcore (ez_sql_core.php) to be included/loaded before it can be used');
	}
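	class ezSQL_mysql extends ezSQLcore
	{

		// Connection settings remembered for lazy (re)connects.
		// NOTE(review): $dbpassword stays in clear text on the object for its
		// whole lifetime - keep instances out of dumps, logs and serialised data.
		public $dbuser = false;
		public $dbpassword = false;
		public $dbname = false;
		public $dbhost = false;
		public $encoding = false;

		// Row count reported by the last write statement run through query()
		public $rows_affected = false;

		/**********************************************************************
		*  Constructor - store the connection settings on the object.
		*
		*  No connection is opened here; query() and escape() connect on first
		*  use with these values, or call quick_connect()/connect() explicitly.
		*/

		public function __construct($dbuser='', $dbpassword='', $dbname='', $dbhost='localhost', $encoding='')
		{
			$this->dbuser = $dbuser;
			$this->dbpassword = $dbpassword;
			$this->dbname = $dbname;
			$this->dbhost = $dbhost;
			$this->encoding = $encoding;
		}

		/**********************************************************************
		*  Short hand way to connect to mySQL database server
		*  and select a mySQL database at the same time
		*
		*  Returns true only when both connect() and select() succeed.
		*/

		public function quick_connect($dbuser='', $dbpassword='', $dbname='', $dbhost='localhost', $encoding='')
		{
			// connect() accepts three arguments; the stray fourth one that used
			// to be passed here was silently ignored, so it is dropped.
			// select() is only attempted once the server handle exists.
			return $this->connect($dbuser, $dbpassword, $dbhost)
				&& $this->select($dbname, $encoding);
		}

		/**********************************************************************
		*  Try to connect to mySQL database server
		*
		*  Returns true on success. On failure the error is registered (and
		*  raised as E_USER_WARNING when show_errors is set) and false is
		*  returned. Only $dbuser is required; an empty password is accepted.
		*/

		public function connect($dbuser='', $dbpassword='', $dbhost='localhost')
		{
			global $ezsql_mysql_str;

			// Keep track of how long the DB takes to connect
			$this->timer_start('db_connect_time');

			// Must have a user name (the password is not checked)
			if ( ! $dbuser )
			{
				$this->register_error($ezsql_mysql_str[1].' in '.__FILE__.' on line '.__LINE__);
				if ( $this->show_errors ) trigger_error($ezsql_mysql_str[1],E_USER_WARNING);
				return false;
			}

			// Try to establish the server database handle. The @ keeps PHP's own
			// connection warning out of the output; failure is checked explicitly
			// just below.
			// 131074 = 131072 + 2, which in the MySQL client flag set looks like
			// CLIENT_MULTI_RESULTS | CLIENT_FOUND_ROWS - TODO confirm intent.
			// NOTE(review): no SSL client flag is set, so credentials and queries
			// presumably cross the network unencrypted when $dbhost is remote.
			$this->dbh = @mysql_connect($dbhost,$dbuser,$dbpassword,true,131074);
			if ( ! $this->dbh )
			{
				$this->register_error($ezsql_mysql_str[2].' in '.__FILE__.' on line '.__LINE__);
				if ( $this->show_errors ) trigger_error($ezsql_mysql_str[2],E_USER_WARNING);
				return false;
			}

			// Remember the working settings for later reconnects
			$this->dbuser = $dbuser;
			$this->dbpassword = $dbpassword;
			$this->dbhost = $dbhost;

			return true;
		}

		/**********************************************************************
		*  Try to select a mySQL database
		*
		*  Also applies the connection character set: $encoding, or the
		*  encoding stored on the object when $encoding is empty. Returns true
		*  on success, false (with a registered error) otherwise.
		*/

		public function select($dbname='', $encoding='')
		{
			global $ezsql_mysql_str;

			// Must have a database name
			if ( ! $dbname )
			{
				$this->register_error($ezsql_mysql_str[3].' in '.__FILE__.' on line '.__LINE__);
				if ( $this->show_errors ) trigger_error($ezsql_mysql_str[3],E_USER_WARNING);
				return false;
			}

			// Must have an active database connection
			if ( ! isset($this->dbh) || ! $this->dbh )
			{
				$this->register_error($ezsql_mysql_str[4].' in '.__FILE__.' on line '.__LINE__);
				if ( $this->show_errors ) trigger_error($ezsql_mysql_str[4],E_USER_WARNING);
				return false;
			}

			// Try to select the database
			if ( !@mysql_select_db($dbname,$this->dbh) )
			{
				// Try to get error supplied by mysql if not use our own
				if ( !$str = @mysql_error($this->dbh))
					  $str = $ezsql_mysql_str[5];

				$this->register_error($str.' in '.__FILE__.' on line '.__LINE__);
				if ( $this->show_errors ) trigger_error($str,E_USER_WARNING);
				return false;
			}

			$this->dbname = $dbname;

			// Loose comparisons on purpose: the stored default is false
			if ( $encoding == '' ) $encoding = $this->encoding;
			if ( $encoding != '' )
			{
				$encoding = strtolower(str_replace("-","",$encoding));

				// Ask THIS connection which character sets the server knows.
				// Without the link argument the mysql_* API falls back to the
				// most recently opened link, which may belong to another
				// database object.
				$charsets = array();
				$result = mysql_query("SHOW CHARACTER SET", $this->dbh);
				if ( is_resource($result) )
				{
					while ( $row = mysql_fetch_array($result,MYSQL_ASSOC) )
					{
						$charsets[] = $row["Charset"];
					}
					mysql_free_result($result);
				}

				// Allow-list check: only a name the server itself reported is
				// applied, which is also what keeps the concatenated SET NAMES
				// fallback below free of caller-controlled SQL.
				if ( in_array($encoding,$charsets,true) )
				{
					// mysql_set_charset() also tells the client library about
					// the change, which mysql_real_escape_string() depends on to
					// escape multi-byte input correctly. A plain SET NAMES only
					// changes the server side.
					if ( function_exists('mysql_set_charset') )
					{
						mysql_set_charset($encoding, $this->dbh);
					}
					else
					{
						mysql_query("SET NAMES '".$encoding."'", $this->dbh);
					}
				}
			}

			return true;
		}

		/**********************************************************************
		*  Format a mySQL string correctly for safe mySQL insert
		*  (no matter if magic quotes are on or not)
		*
		*  The result is only safe inside a quoted SQL string literal; it does
		*  not protect unquoted numbers, identifiers or keywords.
		*/

		public function escape($str)
		{
			// If there is no existing database connection then try to connect
			if ( ! isset($this->dbh) || ! $this->dbh )
			{
				$this->connect($this->dbuser, $this->dbpassword, $this->dbhost);
				$this->select($this->dbname, $this->encoding);
			}

			// NOTE(review): stripslashes() runs unconditionally, so a literal
			// backslash in the input is lost when magic quotes are off. Kept
			// because callers may rely on it - confirm before changing.
			$unslashed = stripslashes($str);

			// Escape against this object's own link so that the character set
			// of the connection the value will be sent on is the one used.
			if ( isset($this->dbh) && $this->dbh )
			{
				return mysql_real_escape_string($unslashed, $this->dbh);
			}

			// No usable handle: fall back to the API's default link, as before
			return mysql_real_escape_string($unslashed);
		}

		/**********************************************************************
		*  Return mySQL specific system date syntax
		*  i.e. Oracle: SYSDATE Mysql: NOW()
		*/

		public function sysdate()
		{
			return 'NOW()';
		}

		/**********************************************************************
		*  Perform mySQL query and try to determine result value
		*
		*  $query is sent to the server exactly as given - nothing is escaped
		*  here, so every value taken from outside must already have gone
		*  through escape() and sit inside quotes.
		*
		*  Returns the cached result on a cache hit, false on connection or
		*  query error, the affected-row count for statements matched as
		*  writes, and the number of rows fetched for everything else.
		*/

		public function query($query)
		{

			// This keeps the connection alive for very long running scripts
			if ( $this->num_queries >= 500 )
			{
				$this->num_queries = 0;
				$this->disconnect();
				$this->quick_connect($this->dbuser,$this->dbpassword,$this->dbname,$this->dbhost,$this->encoding);
			}

			// Initialise return
			$return_val = 0;

			// Flush cached values..
			$this->flush();

			// For reg expressions
			$query = trim($query);

			// Log how the function was called and keep the last query for debug.
			// Both hold the raw SQL text, including any literal values in it.
			$this->func_call = "\$db->query(\"$query\")";
			$this->last_query = $query;

			// Count how many queries there have been
			$this->num_queries++;

			// Start timer
			$this->timer_start($this->num_queries);

			// Use core file cache function
			if ( $cache = $this->get_cache($query) )
			{
				// Keep track of how long all queries have taken
				$this->timer_update_global($this->num_queries);

				// Trace all queries
				if ( $this->use_trace_log )
				{
					$this->trace_log[] = $this->debug(false);
				}

				return $cache;
			}

			// If there is no existing database connection then try to connect
			if ( ! isset($this->dbh) || ! $this->dbh )
			{
				$this->connect($this->dbuser, $this->dbpassword, $this->dbhost);
				$this->select($this->dbname,$this->encoding);
				if ( ! isset($this->dbh) || ! $this->dbh )
					return false;
			}

			// Perform the query via std mysql_query function..
			$this->result = @mysql_query($query,$this->dbh);

			// If there is an error then take note of it..
			// The server's message can name tables and columns, so show_errors
			// is best left off wherever PHP warnings reach the end user.
			if ( $str = @mysql_error($this->dbh) )
			{
				$this->register_error($str);
				if ( $this->show_errors ) trigger_error($str,E_USER_WARNING);
				return false;
			}

			// NOTE(review): $is_insert is never set to true on any path that
			// reaches store_cache() (the only such assignment sat in the error
			// branch above, right before its return, and was dead). Write
			// statements are therefore handed to the cache layer flagged as
			// reads - confirm against store_cache() whether that is intended.
			$is_insert = false;

			// Query was an insert, delete, update, replace, ...
			if ( preg_match("/^(insert|delete|update|replace|truncate|drop|create|alter|set)\s+/i",$query) )
			{
				$this->rows_affected = @mysql_affected_rows($this->dbh);

				// Take note of the insert_id
				if ( preg_match("/^(insert|replace)\s+/i",$query) )
				{
					$this->insert_id = @mysql_insert_id($this->dbh);
				}

				// Return number of rows affected
				$return_val = $this->rows_affected;
			}
			// Query was a select
			else
			{
				$num_rows = 0;

				// Only touch the result when it really is a result set. A
				// statement that is not matched above but returns no rows leaves
				// a boolean here; the explicit check replaces the blanket @
				// suppression the fetch/free calls used to rely on.
				if ( is_resource($this->result) )
				{
					// Take note of column info
					$num_fields = mysql_num_fields($this->result);
					for ( $i = 0; $i < $num_fields; $i++ )
					{
						$this->col_info[$i] = mysql_fetch_field($this->result);
					}

					// Store results as objects within main array
					while ( $row = mysql_fetch_object($this->result) )
					{
						$this->last_result[$num_rows] = $row;
						$num_rows++;
					}

					mysql_free_result($this->result);
				}

				// Log number of rows the query returned
				$this->num_rows = $num_rows;

				// Return number of rows selected
				$return_val = $this->num_rows;
			}

			// disk caching of queries
			$this->store_cache($query,$is_insert);

			// If debug ALL queries
			if ( $this->trace || $this->debug_all )
			{
				$this->debug();
			}

			// Keep track of how long all queries have taken
			$this->timer_update_global($this->num_queries);

			// Trace all queries
			if ( $this->use_trace_log )
			{
				$this->trace_log[] = $this->debug(false);
			}

			return $return_val;

		}

		/**********************************************************************
		*  Close the active mySQL connection
		*
		*  Safe to call when nothing is connected. The handle is cleared
		*  afterwards so that query() and escape() reconnect on next use
		*  instead of working against a closed link.
		*/

		public function disconnect()
		{
			// Check the handle instead of hiding the warning behind @
			if ( isset($this->dbh) && is_resource($this->dbh) )
			{
				mysql_close($this->dbh);
			}

			$this->dbh = null;
		}

	}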