<?php
/*
* mm_shared.inc.php
* This file is part of lamos
*
* Copyright 2008 Michel Messerschmidt
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program in the file LICENSE.
* If not, see http://www.gnu.org/licenses/
*/
// Only fatal errors are reported: warnings, notices and deprecations are
// dropped silently, which hides undefined-variable and removed-function
// problems from operators. For production, prefer E_ALL together with
// display_errors=Off and log_errors=On so that such problems reach the
// error log instead of being lost (or shown to visitors).
error_reporting(E_ERROR);
//error_reporting(E_ALL | E_STRICT);
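// escape untrusted input data (from GET, POST, ...) for use in an SQL string
//
// $db: connection handle returned by mm_db_connect()
// $type: 'mysql' or 'pgsql', as for the other mm_db_* helpers
// returns the escaped string, or '' when $type selects no driver
//
// The result is only safe when it is placed inside a quoted SQL string
// literal ('...'); it does nothing for numeric or identifier positions.
// For mysql the escaping is charset-aware, which is why mm_db_connect()
// forces the connection charset. Prepared statements remain the more
// robust option where the driver offers them.
function mm_db_filter_input($db, $data, $type) {
    //TODO: filter unwanted content here (NUL, CTRL-Z, ...)
    // get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0,
    // where calling it is a fatal "undefined function" error. Only ask when
    // it exists; on 7.4 it always reports false, so nothing is stripped.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // revert effect of magic_quotes_gpc because it is not
        // sufficient and depends on server configuration
        $data = stripslashes($data);
    }
    if ($type === 'mysql') {
        return mysqli_real_escape_string($db, $data);
    }
    if ($type === 'pgsql') {
        return pg_escape_string($db, $data);
    }
    return '';
}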
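// connect to a database and return its handle, or false on failure
//
// $server, $user, $password, $db_name: connection parameters
// $type: 'mysql' or 'pgsql'; any other value yields false
//
// The client charset is forced to UTF-8 for both drivers. A connection
// whose charset cannot be set is closed again and false is returned, so
// that the charset-aware escaping in mm_db_filter_input() never runs on
// a connection with an unknown charset.
//
// Note: on PHP >= 8.1 mysqli's default report mode signals a failed
// connect by throwing mysqli_sql_exception instead of returning false,
// so callers that only test the return value should also catch that.
function mm_db_connect($server, $user, $password, $db_name, $type) {
    if ($type === 'mysql') {
        $db = mysqli_connect($server, $user, $password, $db_name);
        if ($db) {
            if (mysqli_set_charset($db, 'utf8')) {
                return $db;
            }
            // charset could not be set: do not hand out a half-configured connection
            mysqli_close($db);
        }
        return false;
    }
    if ($type === 'pgsql') {
        // libpq keyword='value' syntax: a single quote or backslash inside
        // a quoted value must be backslash-escaped, otherwise a password
        // (or host/user/db name) containing one breaks or alters the string
        $host = addcslashes($server, "\\'");
        $usr = addcslashes($user, "\\'");
        $pwd = addcslashes($password, "\\'");
        $name = addcslashes($db_name, "\\'");
        $connect_str = "host='{$host}' user='{$usr}' password='{$pwd}' dbname='{$name}'";
        $db = pg_connect($connect_str);
        if ($db) {
            //FIXME: how to specify UTF-8 on all PostgreSQL versions ?
            // pg_set_client_encoding() returns 0 on success
            if (pg_set_client_encoding($db, 'UNICODE') === 0) {
                return $db;
            }
            // encoding could not be set: release the connection
            pg_close($db);
        }
        return false;
    }
    return false;
}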
// close a database connection
//
// $db_handle: handle returned by mm_db_connect()
// $type: 'mysql' or 'pgsql'
// returns the driver's close result, or false when $type is unknown
function mm_db_close($db_handle, $type) {
    $closed = false;
    if ($type === 'mysql') {
        $closed = mysqli_close($db_handle);
    } elseif ($type === 'pgsql') {
        $closed = pg_close($db_handle);
    }
    return $closed;
}
// execute a database query
//
// $query: SQL text, executed exactly as given; any untrusted values in it
//         must already have been escaped with mm_db_filter_input()
// $db_handle: handle returned by mm_db_connect()
// $type: 'mysql' or 'pgsql'
// returns the driver's result handle (false on driver error), or false
// when $type is unknown
function mm_db_query($query, $db_handle, $type) {
    if ($type === 'mysql') {
        // MYSQLI_STORE_RESULT buffers the complete result set client-side
        return mysqli_query($db_handle, $query, MYSQLI_STORE_RESULT);
    }
    if ($type === 'pgsql') {
        return pg_query($db_handle, $query);
    }
    return false;
}
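// get the description of the last SQL error on a connection
//
// $db_handle: handle returned by mm_db_connect()
// $type: 'mysql' or 'pgsql', as for the other mm_db_* helpers. The
//        original signature lacked this parameter, so $type was always
//        undefined inside the function and it always returned false.
//        It is optional so that existing one-argument calls still work
//        (they keep getting false, since no driver can be selected).
// returns the error string, or false when $type selects no driver
function mm_db_error($db_handle, $type = null) {
    if ($type === 'mysql') {
        return mysqli_error($db_handle);
    }
    if ($type === 'pgsql') {
        return pg_last_error($db_handle);
    }
    return false;
}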
// process db query - get number of rows from result
//
// $result: result handle returned by mm_db_query()
// $type: 'mysql' or 'pgsql'
// returns the row count, or false when $type is unknown
function mm_db_num_rows($result, $type) {
    $count = false;
    if ($type === 'mysql') {
        $count = mysqli_num_rows($result);
    } elseif ($type === 'pgsql') {
        $count = pg_num_rows($result);
    }
    return $count;
}
// process db query - get next row from result as array
//
// $result: result handle returned by mm_db_query()
// $type: 'mysql' or 'pgsql'
// returns the next row with both numeric and column-name keys (the
// driver's own value when no row is left), or false when $type is unknown
function mm_db_fetch_array($result, $type) {
    if ($type === 'mysql') {
        return mysqli_fetch_array($result, MYSQLI_BOTH);
    }
    if ($type === 'pgsql') {
        return pg_fetch_array($result);
    }
    return false;
}
// process db query - get next row from result as associative array
//
// $result: result handle returned by mm_db_query()
// $type: 'mysql' or 'pgsql'
// returns the next row keyed by column name (the driver's own value when
// no row is left), or false when $type is unknown
function mm_db_fetch_assoc($result, $type) {
    $row = false;
    if ($type === 'mysql') {
        $row = mysqli_fetch_assoc($result);
    } elseif ($type === 'pgsql') {
        $row = pg_fetch_assoc($result);
    }
    return $row;
}
// process database query - get next row from result as numerical array
//
// $result: result handle returned by mm_db_query()
// $type: 'mysql' or 'pgsql'
// returns the next row with numeric keys (the driver's own value when no
// row is left), or false when $type is unknown
function mm_db_fetch_row($result, $type) {
    if ($type === 'mysql') {
        return mysqli_fetch_row($result);
    }
    if ($type === 'pgsql') {
        return pg_fetch_row($result);
    }
    return false;
}
// free results of a database query
//
// $res_handle: result handle returned by mm_db_query()
// $type: 'mysql' or 'pgsql'
// returns the driver's free result (mysqli_free_result() returns nothing),
// or false when $type is unknown
function mm_db_free_result($res_handle, $type) {
    $freed = false;
    if ($type === 'mysql') {
        $freed = mysqli_free_result($res_handle);
    } elseif ($type === 'pgsql') {
        $freed = pg_free_result($res_handle);
    }
    return $freed;
}
/*
//prepare a prepared statement
function mm_db_prepare($query, $db_handle, $type) {
//TODO: handle different placeholders transparently
if ($type === "mysql") {
// query must contain a question mark as placeholder for each
// parameter to be bound to a variable
$stmt = mysqli_stmt_init($db_handle);
if (mysqli_stmt_prepare($stmt, $query)) {
return $stmt;
}
}
elseif ($type === "pgsql") {
// query must contain numbered placeholders $1, $2, ... for
// each parameter to be bound to a variable
if (pg_prepare($db_handle, "", $query)) {
return "";
}
}
return FALSE;
}
//execute a prepared statement
function mm_db_execute($db_stmt, $db_handle, $type, \$param) {
if ($type === "mysql") {
return mysqli_stmt_bind_param($db_handle, $stmt);
}
elseif ($type === "pgsql") {
return pg_execute($db_handle, $db_stmt, $param);
}
return FALSE;
}
*/
// escape each quotation mark (") in the input string by prefixing it
// with a backslash, so that the result can be embedded in a
// double-quoted string in output functions
//
// $in: raw string
// returns the string with every " turned into \"
//
// Only the double quote is touched: backslashes already present in $in
// are not doubled, so this is not a general string-literal encoder.
function mm_esc_quot($in) {
    return str_replace('"', '\\"', $in);
}
// escape chars in the input string so that it is safe to be
// inserted into javascript code
//
// $in: raw string
// returns the string with '/' turned into '\/', LF into the two
// characters '\n' and CR into '\r'
//
// Note: only these three characters are handled. Backslashes and quotes
// are not escaped here (quotes are the job of mm_esc_quot()), so the
// result is only safe inside a JS string literal when combined with it.
function mm_esc_js($in) {
    // single-pass replacement: no replacement output is matched again
    $map = [
        '/' => '\\/',
        "\n" => '\\n',
        "\r" => '\\r',
    ];
    return strtr($in, $map);
}
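// escape chars in the input string so that it is safe to be
// inserted into html code
//
// $in: raw text
// returns the text with &, <, >, " and ' replaced by their character
// entities (&amp; &lt; &gt; &quot; &#039;)
//
// The replacement is done in a single pass, so the '&' introduced by
// one entity is never escaped a second time (the original ordered
// replacement chain relied on '&' going first for the same reason).
// This covers HTML text and quoted attribute values only; it does not
// make a string safe as a URL, inside a <script> block, or in an
// unquoted attribute.
function mm_esc_html($in) {
    // strtr() with an array does not rescan replaced text
    return strtr($in, [
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#039;',
    ]);
}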
// remove html tags from a text string
//
// $in: text possibly containing markup
// returns the text with every '<'...'>' run removed
//
// A '<' that is followed by a space or by another '<' is not treated as
// a tag start and stays in the text, and a '>' inside an attribute value
// ends the tag early; this is a cheap strip, not an HTML parser.
function mm_strip_html($in) {
    $tag_pattern = '/<[^ <][^>]*>/';
    return preg_replace($tag_pattern, '', $in);
}
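// normalise a small whitelist of simple HTML tags in a text string
//
// $text: input text
// returns the text with the recognised tags rewritten in canonical form
//
// Recognised tags (br, pre, em, strong, code, samp, kbd, var, cite, dfn,
// abbr, acronym, q, a, img) are rewritten with only the attributes the
// patterns below accept. Everything the patterns do not match is left
// in the text untouched, so this function alone is NOT a sanitiser:
// unknown tags and unmatched markup pass through, and href/src/cite
// values are copied verbatim without any check of their URL scheme.
// Callers must strip or escape the remaining markup separately.
//TODO: decide how unmatched markup should be removed
function mm_allow_only_basic_html($text) {
    // allow line break
    $text = preg_replace('-<br ?/?>-', '<br />', $text);
    // allow simple logical text formatting, without any attributes
    $text = preg_replace('-<(/)?(pre|em|strong|code|samp|kbd|var|cite|dfn|abbr|acronym|q) *>-', '<$1$2>', $text);
    // optional attributes (class, id, style, ...) are deliberately not
    // accepted on these tags (potential security hole)
    // 'q' has the additional attribute 'cite'
    $text = preg_replace('-<q +cite="([^"]*)" *>-', '<q cite="$1">', $text);
    $text = preg_replace("-<q +cite='([^']*)' *>-", "<q cite='$1'>", $text);
    // allow hyperlinks with a few extra attributes. The repeated attribute
    // group is wrapped in one capturing group so that $2 holds ALL extra
    // attributes; with the group repeated directly, $2 only held the last
    // one. In the single-quote variant $2 also belongs outside the href
    // quotes, not inside them.
    $text = preg_replace('-<a +href="([^"]*)"((?: +(?:accesskey|charset|hreflang|name|tabindex|type)="[^"]*")*) *>-', '<a href="$1"$2>', $text);
    $text = preg_replace("-<a +href='([^']*)'((?: +(?:accesskey|charset|hreflang|name|tabindex|type)='[^']*')*) *>-", '<a href=\'$1\'$2>', $text);
    $text = preg_replace('-</a>-', '</a>', $text);
    // allow image references; same capturing-group arrangement so that
    // every attribute survives, not only the last repetition
    $text = preg_replace('-<img((?: +(?:src|alt|height|longdesc|width)="[^"]*")+) */?>-', '<img$1 />', $text);
    //TODO: object tag
    return $text;
}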
// compute next month of given date in format 'YYYYMM'
//
// $in: string whose first four characters are the year and the next two
//      the month; no validation is done (a malformed value is cast to 0)
// returns the following month as a six-character 'YYYYMM' string
function mm_next_month($in) {
    $year = (int) substr($in, 0, 4);
    $month = (int) substr($in, 4, 2) + 1;
    // December rolls over into January of the next year
    if ($month > 12) {
        $month = 1;
        $year++;
    }
    return sprintf('%04u%02u', $year, $month);
}
// compute previous month of given date in format 'YYYYMM'
//
// $in: string whose first four characters are the year and the next two
//      the month; no validation is done (a malformed value is cast to 0)
// returns the preceding month as a six-character 'YYYYMM' string
function mm_prev_month($in) {
    $year = (int) substr($in, 0, 4);
    $month = (int) substr($in, 4, 2) - 1;
    // January rolls back into December of the previous year
    if ($month < 1) {
        $month = 12;
        $year--;
    }
    return sprintf('%04u%02u', $year, $month);
}
// test if 32bit integers are supported by the platform
//
// returns true when the literal 2147483647 (2^31 - 1) is kept as an
// integer and survives an intval() round trip, false otherwise
//
// Note: PHP's own PHP_INT_SIZE / PHP_INT_MAX constants answer the same
// question directly; this probe is kept for the existing callers.
function mm_test_int() {
    $probe = 2147483647;
    return is_int($probe) && $probe == intval($probe);
}
?>