diff --git a/mod/data/field/checkbox/field.class.php b/mod/data/field/checkbox/field.class.php
index a4e88626c12..607ea4171a9 100755
--- a/mod/data/field/checkbox/field.class.php
+++ b/mod/data/field/checkbox/field.class.php
@@ -83,7 +83,10 @@ class data_field_checkbox extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = '$value') ";
+ static $i=0;
+ $i++;
+ $name = "df_checkbox_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = :$name) ", array($name=>$value));
 }
 function update_content($recordid, $value, $name='') {
diff --git a/mod/data/field/date/field.class.php b/mod/data/field/date/field.class.php
index fb32f20d733..80b1efb08a5 100755
--- a/mod/data/field/date/field.class.php
+++ b/mod/data/field/date/field.class.php
@@ -62,7 +62,7 @@ class data_field_date extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return ' 1=1 ';
+ return array(' 1=1 ', array());
 //return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = '$value') ";
 }
diff --git a/mod/data/field/file/field.class.php b/mod/data/field/file/field.class.php
index 702012be610..ca9a68c77e8 100755
--- a/mod/data/field/file/field.class.php
+++ b/mod/data/field/file/field.class.php
@@ -79,7 +79,14 @@ class data_field_file extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content LIKE '%{$value}%') ";
+ global $DB;
+
+ $ILIKE = $DB->sql_ilike();
+
+ static $i=0;
+ $i++;
+ $name = "df_file_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content $ILIKE :$name) ", array($name=>"%$value%"));
 }
 function parse_search_field() {
diff --git a/mod/data/field/latlong/field.class.php b/mod/data/field/latlong/field.class.php
index f12dcc57bb6..61f3fb29949 100755
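Review bot: The checkbox hunk changes generate_sql's return type from a string to a two-element array (SQL fragment, named-parameter values) but documents the new contract nowhere, and the same applies to every other generate_sql override in this commit. The base implementation in data_field_base is not part of this diff; if it still returns a string, the `list()` destructuring added in view.php assigns that string to ->sql and null to ->params for any field type not updated here, and the later array_merge on ->params fails. I would add a docblock on each override, e.g. `/** @return array list($sql, $params): SQL fragment using named placeholders, and the values for those placeholders. */`, and confirm the base class was updated in the same change.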
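Review bot: In the file hunk the bound value `"%$value%"` wraps the raw search string, so a `%` or `_` typed by the user still acts as a LIKE wildcard, whereas the multimenu field escapes `%` before binding; the two are now inconsistent. Picture, text, textarea and url do the same. If literal matching is intended, escape the metacharacters before wrapping, e.g. `$value = str_replace(array('%', '_'), array('\%', '\_'), $value);`, bearing in mind that whether `\` is honoured as the LIKE escape character is backend-dependent.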
--- a/mod/data/field/latlong/field.class.php
+++ b/mod/data/field/latlong/field.class.php
@@ -89,10 +89,16 @@ class data_field_latlong extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
+ static $i=0;
+ $i++;
+ $name1 = "df_latlong1_$i";
+ $name2 = "df_latlong2_$i";
+
 $latlong[0] = '';
 $latlong[1] = '';
 $latlong = explode (',', $value, 2);
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = '$latlong[0]' AND {$tablealias}.content1 = '$latlong[1]') ";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = :$name1 AND {$tablealias}.content1 = :$name2) ",
+ array($name1=>$latlong[0], $name2=>$latlong[1]));
 }
 function display_browse_field($recordid, $template) {
diff --git a/mod/data/field/menu/field.class.php b/mod/data/field/menu/field.class.php
index 8ebe5e60f4b..8ebaf2119a2 100755
--- a/mod/data/field/menu/field.class.php
+++ b/mod/data/field/menu/field.class.php
@@ -96,7 +96,10 @@ class data_field_menu extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = '$value') ";
+ static $i=0;
+ $i++;
+ $name = "df_menu_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = :$name) ", array($name=>$value));
 }
 }
diff --git a/mod/data/field/multimenu/field.class.php b/mod/data/field/multimenu/field.class.php
index e62d28601a4..0101e901dbe 100755
--- a/mod/data/field/multimenu/field.class.php
+++ b/mod/data/field/multimenu/field.class.php
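Review bot: In the latlong hunk the new parameter array reads `$latlong[1]` after `explode(',', $value, 2)` has replaced the pre-initialised array, so a value without a comma leaves index 1 undefined. Previously that interpolated as an empty string (with a notice); as a bound value it is null, so the condition becomes `content1 = NULL`, which matches nothing — a behaviour change, though the root cause predates this commit. Keeping the padding explicit avoids it: `$latlong = array_pad(explode(',', $value, 2), 2, '');` in place of the three existing lines. The whole of generate_sql is inside the hunk.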
@@ -137,26 +137,38 @@ class data_field_multimenu extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
+ static $i=0;
+ $i++;
+ $name = "df_multimenu_{$i}_";
+ $params = array();
+
 $allrequired = $value['allrequired'];
 $selected = $value['selected'];
 if ($selected) {
 $conditions = array();
+ $j=0;
 foreach ($selected as $sel) {
+ $j++;
+ $xname = $name.$j;
 $likesel = str_replace('%', '\%', $sel);
 $likeselsel = str_replace('_', '\_', $likesel);
- $conditions[] = "({$tablealias}.fieldid = {$this->field->id} AND ({$tablealias}.content = '$sel'
- OR {$tablealias}.content LIKE '$likesel##%'
- OR {$tablealias}.content LIKE '%##$likesel'
- OR {$tablealias}.content LIKE '%##$likesel##%'))";
+ $conditions[] = "({$tablealias}.fieldid = {$this->field->id} AND ({$tablealias}.content = :{$xname}a
+ OR {$tablealias}.content LIKE :{$xname}b
+ OR {$tablealias}.content LIKE :{$xname}c
+ OR {$tablealias}.content LIKE :{$xname}d))";
+ $params[$xname.'a'] = $sel;
+ $params[$xname.'b'] = "$likesel##%";
+ $params[$xname.'c'] = "%##$likesel";
+ $params[$xname.'d'] = "%##$likesel##%";
 }
 if ($allrequired) {
- return " (".implode(" AND ", $conditions).") ";
+ return array(" (".implode(" AND ", $conditions).") ", $params);
 } else {
- return " (".implode(" OR ", $conditions).") ";
+ return array(" (".implode(" OR ", $conditions).") ", $params);
 }
 } else {
- return " ";
+ return array(" ", array());
 }
 }
diff --git a/mod/data/field/number/field.class.php b/mod/data/field/number/field.class.php
index 63a2cf387fd..fc6eeaec871 100755
--- a/mod/data/field/number/field.class.php
+++ b/mod/data/field/number/field.class.php
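Review bot: The bound LIKE patterns `$params[$xname.'b']` to `$params[$xname.'d']` are built from `$likesel`, which only has `%` escaped; the `_` escaping on the line above is stored in `$likeselsel` and never read, so that pre-existing typo is now carried into the parameter values. Fix it with `$likesel = str_replace('_', '\_', $likesel);`. Separately, the backslash escape now travels inside a bound value, which only works where the backend treats `\` as the LIKE escape character by default; no ESCAPE clause is emitted, so this should be confirmed against every database the DML layer supports.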
@@ -83,7 +83,10 @@ class data_field_number extends data_field_base {
 // need to cast?
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = '$value') ";
+ static $i=0;
+ $i++;
+ $name = "df_number_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = :$name) ", array($name=>$value));
 }
 function get_sort_sql($fieldname) {
diff --git a/mod/data/field/picture/field.class.php b/mod/data/field/picture/field.class.php
index b10940ce6d0..60872d604a7 100755
--- a/mod/data/field/picture/field.class.php
+++ b/mod/data/field/picture/field.class.php
@@ -76,7 +76,14 @@ class data_field_picture extends data_field_file {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content LIKE '%{$value}%') ";
+ global $DB;
+
+ $ILIKE = $DB->sql_ilike();
+
+ static $i=0;
+ $i++;
+ $name = "df_picture_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content $ILIKE :$name) ", array($name=>"%$value%"));
 }
 function display_browse_field($recordid, $template) {
diff --git a/mod/data/field/radiobutton/field.class.php b/mod/data/field/radiobutton/field.class.php
index 60bc325bcb2..68f7af6a3c4 100755
--- a/mod/data/field/radiobutton/field.class.php
+++ b/mod/data/field/radiobutton/field.class.php
@@ -85,7 +85,10 @@ class data_field_radiobutton extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = '$value') ";
+ static $i=0;
+ $i++;
+ $name = "df_number_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content = :$name) ", array($name=>$value));
 }
 }
diff --git a/mod/data/field/text/field.class.php b/mod/data/field/text/field.class.php
index ba13558a5f5..31df447b375 100755
--- a/mod/data/field/text/field.class.php
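Review bot: In the radiobutton hunk the placeholder prefix is `df_number_`, the same prefix the number hunk uses, and each class keeps its own static `$i`, so an advanced search over one number field and one radiobutton field emits `:df_number_1` twice. view.php merges every field's params with array_merge, where a later string key replaces the earlier one, so both conditions are silently evaluated against the second field's value. The text, textarea and url hunks share the same defect through the copied `df_picture_` prefix. Give each class its own prefix: `$name = "df_radiobutton_$i";`, and likewise `"df_text_$i"`, `"df_textarea_$i"`, `"df_url_$i"`.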
+++ b/mod/data/field/text/field.class.php
@@ -39,7 +39,14 @@ class data_field_text extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content LIKE '%{$value}%') ";
+ global $DB;
+
+ $ILIKE = $DB->sql_ilike();
+
+ static $i=0;
+ $i++;
+ $name = "df_picture_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content $ILIKE :$name) ", array($name=>"%$value%"));
 }
 }
diff --git a/mod/data/field/textarea/field.class.php b/mod/data/field/textarea/field.class.php
index 8a3d0c6782d..4933a08ddda 100755
--- a/mod/data/field/textarea/field.class.php
+++ b/mod/data/field/textarea/field.class.php
@@ -79,7 +79,14 @@ class data_field_textarea extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content LIKE '%{$value}%') ";
+ global $DB;
+
+ $ILIKE = $DB->sql_ilike();
+
+ static $i=0;
+ $i++;
+ $name = "df_picture_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content $ILIKE :$name) ", array($name=>"%$value%"));
 }
 function gen_textarea($usehtmleditor, $text='') {
diff --git a/mod/data/field/url/field.class.php b/mod/data/field/url/field.class.php
index 78ac6877058..e8c3ee54f90 100755
--- a/mod/data/field/url/field.class.php
+++ b/mod/data/field/url/field.class.php
@@ -64,7 +64,14 @@ class data_field_url extends data_field_base {
 }
 function generate_sql($tablealias, $value) {
- return " ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content LIKE '%{$value}%') ";
+ global $DB;
+
+ $ILIKE = $DB->sql_ilike();
+
+ static $i=0;
+ $i++;
+ $name = "df_picture_$i";
+ return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content $ILIKE :$name) ", array($name=>"%$value%"));
 }
 function display_browse_field($recordid, $template) {
diff --git a/mod/data/view.php b/mod/data/view.php
index d5f4b6d336e..6b26e1bae2d 100755
--- a/mod/data/view.php
+++ b/mod/data/view.php
@@ -169,7 +169,7 @@
 }
 if (!empty($val)) {
 $search_array[$field->id] = new object();
- $search_array[$field->id]->sql = $searchfield->generate_sql('c'.$field->id, $val);
+ list($search_array[$field->id]->sql, $search_array[$field->id]->params) = $searchfield->generate_sql('c'.$field->id, $val);
 $search_array[$field->id]->data = $val;
 $vals[] = $val;
 } else {
@@ -189,18 +189,20 @@
 }
 if (!empty($fn)) {
 $search_array[DATA_FIRSTNAME] = new object();
- $search_array[DATA_FIRSTNAME]->sql = '';
- $search_array[DATA_FIRSTNAME]->field = 'u.firstname';
- $search_array[DATA_FIRSTNAME]->data = $fn;
+ $search_array[DATA_FIRSTNAME]->sql = '';
+ $search_array[DATA_FIRSTNAME]->params = array();
+ $search_array[DATA_FIRSTNAME]->field = 'u.firstname';
+ $search_array[DATA_FIRSTNAME]->data = $fn;
 $vals[] = $fn;
 } else {
 unset($search_array[DATA_FIRSTNAME]);
 }
 if (!empty($ln)) {
 $search_array[DATA_LASTNAME] = new object();
- $search_array[DATA_LASTNAME]->sql = '';
- $search_array[DATA_LASTNAME]->field = 'u.lastname';
- $search_array[DATA_LASTNAME]->data = $ln;
+ $search_array[DATA_LASTNAME]->sql = '';
+ $search_array[DATA_FIRSTNAME]->params = array();
+ $search_array[DATA_LASTNAME]->field = 'u.lastname';
+ $search_array[DATA_LASTNAME]->data = $ln;
 $vals[] = $ln;
 } else {
 unset($search_array[DATA_LASTNAME]);
@@ -370,6 +372,7 @@
 } else {
 /// Approve any requested records
+ $params = array(); // named params array
 $approvecap = has_capability('mod/data:approve', $context);
@@ -398,7 +401,8 @@
 /// setup group and approve restrictions
 if (!$approvecap && $data->approval) {
 if (isloggedin()) {
- $approveselect = ' AND (r.approved=1 OR r.userid='.$USER->id.') ';
+ $approveselect = ' AND (r.approved=1 OR r.userid=:myid1) ';
+ $params['myid1'] = $USER->id;
 } else {
 $approveselect = ' AND r.approved=1 ';
 }
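Review bot: In the second hunk (the `$ln` branch) the added line `$search_array[DATA_FIRSTNAME]->params = array();` names the wrong key; it should be `DATA_LASTNAME`. When only a last name is entered, DATA_FIRSTNAME has just been unset by the preceding else branch, so this line auto-vivifies an object holding nothing but ->params at that key, and the later advanced-search loop over $search_array then meets an entry with no ->field and no ->data. Change it to `$search_array[DATA_LASTNAME]->params = array();`.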
@@ -407,7 +411,8 @@
 }
 if ($currentgroup) {
- $groupselect = " AND (r.groupid = '$currentgroup' OR r.groupid = 0)";
+ $groupselect = " AND (r.groupid = :currentgroup OR r.groupid = 0)";
+ $params['currentgroup'] = $currentgroup;
 } else {
 $groupselect = ' ';
 }
@@ -438,31 +443,40 @@
 $what = ' DISTINCT r.id, r.approved, r.timecreated, r.timemodified, r.userid, u.firstname, u.lastname';
 $count = ' COUNT(DISTINCT c.recordid) ';
- $tables = $CFG->prefix.'data_content c,'.$CFG->prefix.'data_records r,'.$CFG->prefix.'data_content cs, '.$CFG->prefix.'user u ';
+ $tables = '{data_content} c,{data_records} r, {data_content} cs, {user} u ';
 $where = 'WHERE c.recordid = r.id
- AND r.dataid = '.$data->id.'
+ AND r.dataid = :dataid
 AND r.userid = u.id
 AND cs.recordid = r.id ';
+ $params['dataid'] = $data->id;
 $sortorder = ' ORDER BY '.$ordering.', r.id ASC ';
 $searchselect = '';
 // If requiredentries is not reached, only show current user's entries
 if (!$requiredentries_allowed) {
- $where .= ' AND u.id = ' . $USER->id;
+ $where .= ' AND u.id = :myid2 ';
+ $params['myid2'] = $USER->id;
 }
 if (!empty($advanced)) { //If advanced box is checked.
+ $i = 0;
 foreach($search_array as $key => $val) { //what does $search_array hold?
 if ($key == DATA_FIRSTNAME or $key == DATA_LASTNAME) {
- $searchselect .= " AND $val->field $ilike '%{$val->data}%'";
+ $i++;
+ $searchselect .= " AND $val->field $ilike :search_flname_$i";
+ $params['search_flname_'.$i] = "%$val->data%";
 continue;
 }
- $tables .= ', '.$CFG->prefix.'data_content c'.$key.' ';
+ $tables .= ', {data_content} c'.$key.' ';
 $where .= ' AND c'.$key.'.recordid = r.id';
 $searchselect .= ' AND ('.$val->sql.') ';
+ $params = array_merge($params, $val->params);
 }
 } else if ($search) {
- $searchselect = " AND (cs.content $ilike '%$search%' OR u.firstname $ilike '%$search%' OR u.lastname $ilike '%$search%' ) ";
+ $searchselect = " AND (cs.content $ilike :search1 OR u.firstname $ilike :search2 OR u.lastname $ilike :search3 ) ";
+ $params['search1'] = "%$search%";
+ $params['search2'] = "%$search%";
+ $params['search3'] = "%$search%";
 } else {
 $searchselect = ' ';
 }
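Review bot: `$params = array_merge($params, $val->params);` inside the foreach lets a later field's values silently replace an earlier field's whenever two generate_sql() implementations emit the same placeholder name, because array_merge overwrites string keys rather than failing; the colliding SQL has already been appended on the line above, so the query runs with the wrong bound value instead of erroring. Guard the merge: `if (array_intersect_key($params, $val->params)) { throw new coding_exception('Duplicate search parameter name'); }`. The same unguarded merge appears in the next hunk.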
@@ -474,32 +488,41 @@
 $what = ' DISTINCT r.id, r.approved, r.timecreated, r.timemodified, r.userid, u.firstname, u.lastname, c.'.$sortcontent.', '.$sortcontentfull.' AS _order ';
 $count = ' COUNT(DISTINCT c.recordid) ';
- $tables = $CFG->prefix.'data_content c,'.$CFG->prefix.'data_records r,'.$CFG->prefix.'data_content cs, '.$CFG->prefix.'user u ';
+ $tables = '{data_content} c, {data_records} r, {data_content} cs, {user} u ';
 $where = 'WHERE c.recordid = r.id
- AND c.fieldid = '.$sort.'
- AND r.dataid = '.$data->id.'
+ AND c.fieldid = :sort
+ AND r.dataid = :dataid
 AND r.userid = u.id
 AND cs.recordid = r.id ';
+ $params['dataid'] = $data->id;
+ $params['sort'] = $sort;
 $sortorder = ' ORDER BY _order '.$order.' , r.id ASC ';
 $searchselect = '';
 // If requiredentries is not reached, only show current user's entries
 if (!$requiredentries_allowed) {
 $where .= ' AND u.id = ' . $USER->id;
+ $params['myid2'] = $USER->id;
 }
 if (!empty($advanced)) { //If advanced box is checked.
 foreach($search_array as $key => $val) { //what does $search_array hold?
 if ($key == DATA_FIRSTNAME or $key == DATA_LASTNAME) {
- $searchselect .= " AND $val->field $ilike '%{$val->data}%'";
+ $i++;
+ $searchselect .= " AND $val->field $ilike :search_flname_$i";
+ $params['search_flname_'.$i] = "%$val->data%";
 continue;
 }
- $tables .= ', '.$CFG->prefix.'data_content c'.$key.' ';
+ $tables .= ', {data_content} c'.$key.' ';
 $where .= ' AND c'.$key.'.recordid = r.id';
 $searchselect .= ' AND ('.$val->sql.') ';
+ $params = array_merge($params, $val->params);
 }
 } else if ($search) {
- $searchselect = " AND (cs.content $ilike '%$search%' OR u.firstname $ilike '%$search%' OR u.lastname $ilike '%$search%' ) ";
+ $searchselect = " AND (cs.content $ilike :search1 OR u.firstname $ilike :search2 OR u.lastname $ilike :search3 ) ";
+ $params['search1'] = "%$search%";
+ $params['search2'] = "%$search%";
+ $params['search3'] = "%$search%";
 } else {
 $searchselect = ' ';
 }
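Review bot: `$where .= ' AND u.id = ' . $USER->id;` is left as string interpolation in this branch while `$params['myid2'] = $USER->id;` is added directly beneath it, so the parameter is never referenced by the SQL and the user id still reaches the query as text; the sibling branch in the previous hunk converts the same line to a placeholder. The advanced-search counter `$i` is also incremented here without the `$i = 0;` the other branch adds before its foreach, so its starting value depends on whatever `$i` last held outside this hunk. Change the line to `$where .= ' AND u.id = :myid2 ';` and add `$i = 0;` before the foreach.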
@@ -515,11 +538,11 @@
 /// Work out the paging numbers and counts
- $totalcount = count_records_sql($sqlcount);
+ $totalcount = $DB->count_records_sql($sqlcount, $params);
 if (empty($searchselect)) {
 $maxcount = $totalcount;
 } else {
- $maxcount = count_records_sql($sqlmax);
+ $maxcount = $DB->count_records_sql($sqlmax, $params);
 }
 if ($record) { // We need to just show one, so where is it in context?
@@ -527,7 +550,7 @@
 $mode = 'single';
 $page = 0;
- if ($allrecordids = get_records_sql($sqlrids)) {
+ if ($allrecordids = $DB->get_records_sql($sqlrids, $params)) {
 $allrecordids = array_keys($allrecordids);
 $page = (int)array_search($record->id, $allrecordids);
 unset($allrecordids);
@@ -542,7 +565,7 @@
 /// Get the actual records
- if (!$records = get_records_sql($sqlselect, $page * $nowperpage, $nowperpage)) {
+ if (!$records = $DB->get_records_sql($sqlselect, $params, $page * $nowperpage, $nowperpage)) {
 // Nothing to show!
 if ($record) { // Something was requested so try to show that at least (bug 5132)
 if (has_capability('mod/data:manageentries', $context) || empty($data->approval) ||
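Review bot: In the first hunk `$sqlmax` is passed the same `$params` array as `$sqlcount`, yet `$maxcount` is only computed when a search is active and is, by its name, the count without the search restriction. Both SQL strings are assembled outside these hunks, so I cannot see them; if `$sqlmax` omits `$searchselect`, it receives the `search*` and `df_*` placeholder values it never references, and whether the DML layer tolerates unused named parameters or raises an error needs confirming. If it does not tolerate them, take a copy such as `$maxparams = $params;` before the search parameters are added and pass that to the `$sqlmax` call.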