From 058b79d2d5cc1a03e894215ca3ba2c432b455c06 Mon Sep 17 00:00:00 2001 From: pdontthink Date: Sat, 29 Oct 2016 09:53:01 +0000 Subject: [PATCH] Use PDO for database access if available (adds PHP 7 compatibility) git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14585 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- functions/abook_database.php | 532 +++++++++++++++++++++++++---------- 1 file changed, 391 insertions(+), 141 deletions(-) diff --git a/functions/abook_database.php b/functions/abook_database.php index f5b094e3..1bc5fa4f 100644 --- a/functions/abook_database.php +++ b/functions/abook_database.php @@ -22,24 +22,34 @@ */ /** - * Needs the DB functions + * Needs either PDO or the DB functions * Don't display errors here. Error will be set in class constructor function. */ -@include_once('DB.php'); +global $use_pdo, $disable_pdo; +if (empty($disable_pdo) && class_exists('PDO')) + $use_pdo = TRUE; +else + $use_pdo = FALSE; + +if (!$use_pdo) + @include_once('DB.php'); /** * Address book in a database backend * * Backend for personal/shared address book stored in a database, - * accessed using the DB-classes in PEAR. + * accessed using the DB-classes in PEAR or PDO, the latter taking + * precedence if available.. * - * IMPORTANT: The PEAR modules must be in the include path - * for this class to work. + * IMPORTANT: If PDO is not available (it should be installed by + * default since PHP 5.1), then the PEAR modules must + * be in the include path for this class to work. * * An array with the following elements must be passed to * the class constructor (elements marked ? are optional): *
- *   dsn       => database DNS (see PEAR for syntax)
+ *   dsn       => database DNS (see PEAR for syntax, but more or
+ *                less it is:  mysql://user:pass@hostname/dbname)
  *   table     => table to store addresses in (must exist)
  *   owner     => current user (owner of address data)
  * ? name      => name of address book
@@ -52,6 +62,32 @@
  *
  *  NOTE. This class should not be used directly. Use the
  *        "AddressBook" class instead.
+ *
+ * Three settings that control PDO behavior can be specified in
+ * config/config_local.php if needed:
+ *    boolean $disable_pdo SquirrelMail uses PDO by default to access the
+ *                         user preferences and address book databases, but
+ *                         setting this to TRUE will cause SquirrelMail to
+ *                         fall back to using Pear DB instead.
+ *    boolean $pdo_show_sql_errors When database errors are encountered,
+ *                                 setting this to TRUE causes the actual
+ *                                 database error to be displayed, otherwise
+ *                                 generic errors are displayed, preventing
+ *                                 internal database information from being
+ *                                 exposed. This should be enabled only for
+ *                                 debugging purposes.
+ *    string $pdo_identifier_quote_char By default, SquirrelMail will quote
+ *                                      table and field names in database
+ *                                      queries with what it thinks is the
+ *                                      appropriate quote character for the
+ *                                      database type being used (backtick
+ *                                      for MySQL (and thus MariaDB), double
+ *                                      quotes for all others), but you can
+ *                                      override the character used by
+ *                                      putting it here, or tell SquirrelMail
+ *                                      NOT to quote identifiers by setting
+ *                                      this to "none"
+ *
  * @package squirrelmail
  * @subpackage addressbook
  */
@@ -72,6 +108,14 @@ class abook_database extends addressbook_backend {
      * @var string
      */
     var $dsn       = '';
+
+    /**
+     * Character used to quote database table
+     * and field names
+     * @var string
+     */
+    var $identifier_quote_char = '';
+
     /**
      * Table that stores addresses
      * @var string
@@ -109,12 +153,12 @@ class abook_database extends addressbook_backend {
     function abook_database($param) {
         $this->sname = _("Personal Address Book");
 
-        /* test if Pear DB class is available and freak out if it is not */
-        if (! class_exists('DB')) {
+        /* test if PDO or Pear DB classes are available and freak out if necessary */
+        global $use_pdo;
+        if (!$use_pdo && !class_exists('DB')) {
             // same error also in db_prefs.php
-            $error  = _("Could not include PEAR database functions required for the database backend.") . "\n";
-            $error .= sprintf(_("Is PEAR installed, and is the include path set correctly to find %s?"),
-                              'DB.php') . "\n";
+            $error  = _("Could not find or include PHP PDO or PEAR database functions required for the database backend.") . "\n";
+            $error .= sprintf(_("PDO should come preinstalled with PHP version 5.1 or higher. Otherwise, is PEAR installed, and is the include path set correctly to find %s?"), 'DB.php') . "\n";
             $error .= _("Please contact your system administrator and report this error.");
             return $this->set_error($error);
         }
@@ -142,6 +186,19 @@ class abook_database extends addressbook_backend {
                $this->listing = $param['listing'];
             }
 
+            // figure out identifier quoting (only used for PDO, though we could change that)
+            global $pdo_identifier_quote_char;
+            if (empty($pdo_identifier_quote_char)) {
+                if (strpos($this->dsn, 'mysql') === 0)
+                    $this->identifier_quote_char = '`';
+                else
+                    $this->identifier_quote_char = '"';
+            } else if ($pdo_identifier_quote_char === 'none')
+                $this->identifier_quote_char = '';
+            else
+                $this->identifier_quote_char = $pdo_identifier_quote_char;
+
+
             $this->open(true);
         }
         else {
@@ -156,6 +213,7 @@ class abook_database extends addressbook_backend {
      * @return bool
      */
     function open($new = false) {
+        global $use_pdo;
         $this->error = '';
 
         /* Return true is file is open and $new is unset */
@@ -168,21 +226,48 @@ class abook_database extends addressbook_backend {
             $this->close();
         }
 
-        $dbh = DB::connect($this->dsn, true);
+        if ($use_pdo) {
+            // parse and convert DSN to PDO style
+            // $matches will contain:
+            // 1: database type
+            // 2: username
+            // 3: password
+            // 4: hostname
+            // 5: database name
+//TODO: add support for unix_socket and charset
+            if (!preg_match('|^(.+)://(.+):(.+)@(.+)/(.+)$|i', $this->dsn, $matches)) {
+                return $this->set_error(_("Could not parse prefs DSN"));
+            }
+            if (preg_match('|^(.+):(\d+)$|', $matches[4], $host_port_matches)) {
+                $matches[4] = $host_port_matches[1];
+                $matches[6] = $host_port_matches[2];
+            } else
+                $matches[6] = NULL;
+            $pdo_prefs_dsn = $matches[1] . ':host=' . $matches[4] . (!empty($matches[6]) ? ';port=' . $matches[6] : '') . ';dbname=' . $matches[5];
+            try {
+                $dbh = new PDO($pdo_prefs_dsn, $matches[2], $matches[3]);
+            } catch (Exception $e) {
+                return $this->set_error(sprintf(_("Database error: %s"), $e->getMessage()));
+            }
 
-        if (DB::isError($dbh)) {
-            return $this->set_error(sprintf(_("Database error: %s"),
-                                            DB::errorMessage($dbh)));
-        }
+            $dbh->setAttribute(PDO::ATTR_CASE, PDO::CASE_LOWER);
 
-        $this->dbh = $dbh;
+        } else {
+            $dbh = DB::connect($this->dsn, true);
+
+            if (DB::isError($dbh)) {
+                return $this->set_error(sprintf(_("Database error: %s"),
+                                                DB::errorMessage($dbh)));
+            }
 
-        /**
-         * field names are lowercased.
-         * We use unquoted identifiers and they use upper case in Oracle
-         */
-        $this->dbh->setOption('portability', DB_PORTABILITY_LOWERCASE);
+            /**
+             * field names are lowercased.
+             * We use unquoted identifiers and they use upper case in Oracle
+             */
+            $dbh->setOption('portability', DB_PORTABILITY_LOWERCASE);
+        }
 
+        $this->dbh = $dbh;
         return true;
     }
 
@@ -190,8 +275,13 @@ class abook_database extends addressbook_backend {
      * Close the file and forget the filehandle
      */
     function close() {
-        $this->dbh->disconnect();
-        $this->dbh = false;
+        global $use_pdo;
+        if ($use_pdo) {
+            $this->dbh = NULL;
+        } else {
+            $this->dbh->disconnect();
+            $this->dbh = false;
+        }
     }
 
     /**
@@ -257,36 +347,65 @@ class abook_database extends addressbook_backend {
         /* Convert wildcards to SQL syntax  */
         $expr = str_replace('?', '_', $expr);
         $expr = str_replace('*', '%', $expr);
-        $expr = $this->dbh->quoteString($expr);
+
         $expr = "%$expr%";
 
-        /* create escape expression */
-        $escape = 'ESCAPE \'' . $this->dbh->quoteString('\\') . '\'';
-    
-        $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND " .
-                         "(LOWER(firstname) LIKE '%s' %s " .
-                         "OR LOWER(lastname) LIKE '%s' %s " .
-                         "OR LOWER(email) LIKE '%s' %s " .
-                         "OR LOWER(nickname) LIKE '%s' %s)",
-                         $this->table, $this->owner, $expr, $escape, $expr, $escape,
-                                                     $expr, $escape, $expr, $escape);
-
-        $res = $this->dbh->query($query);
-
-        if (DB::isError($res)) {
-            return $this->set_error(sprintf(_("Database error: %s"),
-                                            DB::errorMessage($res)));
-        }
+        global $use_pdo, $pdo_show_sql_errors;
+        if ($use_pdo) {
+            if (!($sth = $this->dbh->prepare('SELECT * FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND (LOWER(' . $this->identifier_quote_char . 'firstname' . $this->identifier_quote_char . ') LIKE ? ESCAPE ? OR LOWER(' . $this->identifier_quote_char . 'lastname' . $this->identifier_quote_char . ') LIKE ? ESCAPE ? OR LOWER(' . $this->identifier_quote_char . 'email' . $this->identifier_quote_char . ') LIKE ? ESCAPE ? OR LOWER(' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ') LIKE ? ESCAPE ?)'))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query")));
+            }
+            if (!($res = $sth->execute(array($this->owner, $expr, '\\', $expr, '\\', $expr, '\\', $expr, '\\')))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query")));
+            }
+
+            while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
+                array_push($ret, array('nickname'  => $row['nickname'],
+                                       'name'      => $this->fullname($row['firstname'], $row['lastname']),
+                                       'firstname' => $row['firstname'],
+                                       'lastname'  => $row['lastname'],
+                                       'email'     => $row['email'],
+                                       'label'     => $row['label'],
+                                       'backend'   => $this->bnum,
+                                       'source'    => &$this->sname));
+            }
+
+        } else {
+            $expr = $this->dbh->quoteString($expr);
 
-        while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
-            array_push($ret, array('nickname'  => $row['nickname'],
-                                   'name'      => $this->fullname($row['firstname'], $row['lastname']),
-                                   'firstname' => $row['firstname'],
-                                   'lastname'  => $row['lastname'],
-                                   'email'     => $row['email'],
-                                   'label'     => $row['label'],
-                                   'backend'   => $this->bnum,
-                                   'source'    => &$this->sname));
+            /* create escape expression */
+            $escape = 'ESCAPE \'' . $this->dbh->quoteString('\\') . '\'';
+
+            $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND " .
+                             "(LOWER(firstname) LIKE '%s' %s " .
+                             "OR LOWER(lastname) LIKE '%s' %s " .
+                             "OR LOWER(email) LIKE '%s' %s " .
+                             "OR LOWER(nickname) LIKE '%s' %s)",
+                             $this->table, $this->owner, $expr, $escape, $expr, $escape,
+                                                         $expr, $escape, $expr, $escape);
+            $res = $this->dbh->query($query);
+
+            if (DB::isError($res)) {
+                return $this->set_error(sprintf(_("Database error: %s"),
+                                                DB::errorMessage($res)));
+            }
+
+            while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
+                array_push($ret, array('nickname'  => $row['nickname'],
+                                       'name'      => $this->fullname($row['firstname'], $row['lastname']),
+                                       'firstname' => $row['firstname'],
+                                       'lastname'  => $row['lastname'],
+                                       'email'     => $row['email'],
+                                       'label'     => $row['label'],
+                                       'backend'   => $this->bnum,
+                                       'source'    => &$this->sname));
+            }
         }
         return $ret;
     }
@@ -325,27 +444,56 @@ class abook_database extends addressbook_backend {
             return $this->set_error(sprintf(_("Unknown field name: %s"), $field));
         }
 
-        $query = sprintf("SELECT * FROM %s WHERE owner = '%s' AND LOWER(%s) = '%s'",
-                         $this->table, $this->owner, $db_field, 
-                         $this->dbh->quoteString($value));
+        global $use_pdo, $pdo_show_sql_errors;
+        if ($use_pdo) {
+            if (!($sth = $this->dbh->prepare('SELECT * FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND LOWER(' . $this->identifier_quote_char . $db_field . $this->identifier_quote_char . ') = ?'))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query")));
+            }
+            if (!($res = $sth->execute(array($this->owner, $value)))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query")));
+            }
 
-        $res = $this->dbh->query($query);
+            if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
+                return array('nickname'  => $row['nickname'],
+                             'name'      => $this->fullname($row['firstname'], $row['lastname']),
+                             'firstname' => $row['firstname'],
+                             'lastname'  => $row['lastname'],
+                             'email'     => $row['email'],
+                             'label'     => $row['label'],
+                             'backend'   => $this->bnum,
+                             'source'    => &$this->sname);
+            }
 
-        if (DB::isError($res)) {
-            return $this->set_error(sprintf(_("Database error: %s"),
-                                            DB::errorMessage($res)));
-        }
+        } else {
+            $query = sprintf("SELECT * FROM %s WHERE owner = '%s' AND LOWER(%s) = '%s'",
+                             $this->table, $this->owner, $db_field, 
+                             $this->dbh->quoteString($value));
+
+            $res = $this->dbh->query($query);
 
-        if ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
-            return array('nickname'  => $row['nickname'],
-                         'name'      => $this->fullname($row['firstname'], $row['lastname']),
-                         'firstname' => $row['firstname'],
-                         'lastname'  => $row['lastname'],
-                         'email'     => $row['email'],
-                         'label'     => $row['label'],
-                         'backend'   => $this->bnum,
-                         'source'    => &$this->sname);
+            if (DB::isError($res)) {
+                return $this->set_error(sprintf(_("Database error: %s"),
+                                                DB::errorMessage($res)));
+            }
+
+            if ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
+                return array('nickname'  => $row['nickname'],
+                             'name'      => $this->fullname($row['firstname'], $row['lastname']),
+                             'firstname' => $row['firstname'],
+                             'lastname'  => $row['lastname'],
+                             'email'     => $row['email'],
+                             'label'     => $row['label'],
+                             'backend'   => $this->bnum,
+                             'source'    => &$this->sname);
+            }
         }
+
         return array();
     }
 
@@ -364,26 +512,54 @@ class abook_database extends addressbook_backend {
         }
 
 
-        $query = sprintf("SELECT * FROM %s WHERE owner='%s'",
-                         $this->table, $this->owner);
+        global $use_pdo, $pdo_show_sql_errors;
+        if ($use_pdo) {
+            if (!($sth = $this->dbh->prepare('SELECT * FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ?'))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query")));
+            }
+            if (!($res = $sth->execute(array($this->owner)))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query")));
+            }
 
-        $res = $this->dbh->query($query);
+            while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
+                array_push($ret, array('nickname'  => $row['nickname'],
+                                       'name'      => $this->fullname($row['firstname'], $row['lastname']),
+                                       'firstname' => $row['firstname'],
+                                       'lastname'  => $row['lastname'],
+                                       'email'     => $row['email'],
+                                       'label'     => $row['label'],
+                                       'backend'   => $this->bnum,
+                                       'source'    => &$this->sname));
+            }
+        } else {
+            $query = sprintf("SELECT * FROM %s WHERE owner='%s'",
+                             $this->table, $this->owner);
 
-        if (DB::isError($res)) {
-            return $this->set_error(sprintf(_("Database error: %s"),
-                                            DB::errorMessage($res)));
-        }
+            $res = $this->dbh->query($query);
+
+            if (DB::isError($res)) {
+                return $this->set_error(sprintf(_("Database error: %s"),
+                                                DB::errorMessage($res)));
+            }
 
-        while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
-            array_push($ret, array('nickname'  => $row['nickname'],
-                                   'name'      => $this->fullname($row['firstname'], $row['lastname']),
-                                   'firstname' => $row['firstname'],
-                                   'lastname'  => $row['lastname'],
-                                   'email'     => $row['email'],
-                                   'label'     => $row['label'],
-                                   'backend'   => $this->bnum,
-                                   'source'    => &$this->sname));
+            while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
+                array_push($ret, array('nickname'  => $row['nickname'],
+                                       'name'      => $this->fullname($row['firstname'], $row['lastname']),
+                                       'firstname' => $row['firstname'],
+                                       'lastname'  => $row['lastname'],
+                                       'email'     => $row['email'],
+                                       'label'     => $row['label'],
+                                       'backend'   => $this->bnum,
+                                       'source'    => &$this->sname));
+            }
         }
+
         return $ret;
     }
 
@@ -401,31 +577,55 @@ class abook_database extends addressbook_backend {
             return false;
         }
 
+        // NB: if you want to check for some unwanted characters
+        //     or other problems, do so here like this:
+        // TODO: Should pull all validation code out into a separate function
+        //if (strpos($userdata['nickname'], ' ')) {
+        //    return $this->set_error(_("Nickname contains illegal characters"));
+        //}
+
         /* See if user exist already */
         $ret = $this->lookup($userdata['nickname']);
         if (!empty($ret)) {
-            return $this->set_error(sprintf(_("User \"%s\" already exists"),$ret['nickname']));
+            return $this->set_error(sprintf(_("User \"%s\" already exists"), $ret['nickname']));
+        }
+
+        global $use_pdo, $pdo_show_sql_errors;
+        if ($use_pdo) {
+            if (!($sth = $this->dbh->prepare('INSERT INTO ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' (' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'firstname' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'lastname' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'email' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'label' . $this->identifier_quote_char . ') VALUES (?, ?, ?, ?, ?, ?)'))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query")));
+            }
+            if (!($res = $sth->execute(array($this->owner, $userdata['nickname'], $userdata['firstname'], (!empty($userdata['lastname']) ? $userdata['lastname'] : ''), $userdata['email'], (!empty($userdata['label']) ? $userdata['label'] : ''))))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query")));
+            }
+        } else {
+            /* Create query */
+            $query = sprintf("INSERT INTO %s (owner, nickname, firstname, " .
+                             "lastname, email, label) VALUES('%s','%s','%s'," .
+                             "'%s','%s','%s')",
+                             $this->table, $this->owner,
+                             $this->dbh->quoteString($userdata['nickname']),
+                             $this->dbh->quoteString($userdata['firstname']),
+                             $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')),
+                             $this->dbh->quoteString($userdata['email']),
+                             $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')) );
+
+            /* Do the insert */
+            $r = $this->dbh->simpleQuery($query);
+
+            /* Check for errors */
+            if (DB::isError($r)) {
+                return $this->set_error(sprintf(_("Database error: %s"),
+                                                DB::errorMessage($r)));
+            }
         }
 
-        /* Create query */
-        $query = sprintf("INSERT INTO %s (owner, nickname, firstname, " .
-                         "lastname, email, label) VALUES('%s','%s','%s'," .
-                         "'%s','%s','%s')",
-                         $this->table, $this->owner,
-                         $this->dbh->quoteString($userdata['nickname']),
-                         $this->dbh->quoteString($userdata['firstname']),
-                         $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')),
-                         $this->dbh->quoteString($userdata['email']),
-                         $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')) );
-
-         /* Do the insert */
-         $r = $this->dbh->simpleQuery($query);
- 
-         /* Check for errors */
-         if (DB::isError($r)) {
-             return $this->set_error(sprintf(_("Database error: %s"),
-                                             DB::errorMessage($r)));
-         }
          return true;
     }
 
@@ -444,26 +644,52 @@ class abook_database extends addressbook_backend {
             return false;
         }
 
-        /* Create query */
-        $query = sprintf("DELETE FROM %s WHERE owner='%s' AND (",
-                         $this->table, $this->owner);
-
-        $sepstr = '';
-        while (list($undef, $nickname) = each($alias)) {
-            $query .= sprintf("%s nickname='%s' ", $sepstr,
-                              $this->dbh->quoteString($nickname));
-            $sepstr = 'OR';
-        }
-        $query .= ')';
+        global $use_pdo, $pdo_show_sql_errors;
+        if ($use_pdo) {
+            $sepstr = '';
+            $where_clause = '';
+            $where_clause_args = array();
+            while (list($undef, $nickname) = each($alias)) {
+                $where_clause .= $sepstr . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ' = ?';
+                $where_clause_args[] = $nickname;
+                $sepstr = ' OR ';
+            }
+            if (!($sth = $this->dbh->prepare('DELETE FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND (' . $where_clause . ')'))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query")));
+            }
+            array_unshift($where_clause_args[], $this->owner);
+            if (!($res = $sth->execute(array_array($where_clause_args)))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query")));
+            }
+        } else {
+            /* Create query */
+            $query = sprintf("DELETE FROM %s WHERE owner='%s' AND (",
+                             $this->table, $this->owner);
+
+            $sepstr = '';
+            while (list($undef, $nickname) = each($alias)) {
+                $query .= sprintf("%s nickname='%s' ", $sepstr,
+                                  $this->dbh->quoteString($nickname));
+                $sepstr = 'OR';
+            }
+            $query .= ')';
 
-        /* Delete entry */
-        $r = $this->dbh->simpleQuery($query);
+            /* Delete entry */
+            $r = $this->dbh->simpleQuery($query);
 
-        /* Check for errors */
-        if (DB::isError($r)) {
-            return $this->set_error(sprintf(_("Database error: %s"),
-                                            DB::errorMessage($r)));
+            /* Check for errors */
+            if (DB::isError($r)) {
+                return $this->set_error(sprintf(_("Database error: %s"),
+                                                DB::errorMessage($r)));
+            }
         }
+
         return true;
     }
 
@@ -482,6 +708,13 @@ class abook_database extends addressbook_backend {
             return false;
         }
 
+        // NB: if you want to check for some unwanted characters
+        //     or other problems, do so here like this:
+        // TODO: Should pull all validation code out into a separate function
+        //if (strpos($userdata['nickname'], ' ')) {
+        //    return $this->set_error(_("Nickname contains illegal characters"));
+        //}
+
          /* See if user exist */
         $ret = $this->lookup($alias);
         if (empty($ret)) {
@@ -498,27 +731,44 @@ class abook_database extends addressbook_backend {
             }
         }
 
-        /* Create query */
-        $query = sprintf("UPDATE %s SET nickname='%s', firstname='%s', ".
-                         "lastname='%s', email='%s', label='%s' ".
-                         "WHERE owner='%s' AND nickname='%s'",
-                         $this->table,
-                         $this->dbh->quoteString($userdata['nickname']),
-                         $this->dbh->quoteString($userdata['firstname']),
-                         $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')),
-                         $this->dbh->quoteString($userdata['email']),
-                         $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')),
-                         $this->owner,
-                         $this->dbh->quoteString($alias) );
-
-        /* Do the insert */
-        $r = $this->dbh->simpleQuery($query);
-
-        /* Check for errors */
-        if (DB::isError($r)) {
-            return $this->set_error(sprintf(_("Database error: %s"),
-                                            DB::errorMessage($r)));
+        global $use_pdo, $pdo_show_sql_errors;
+        if ($use_pdo) {
+            if (!($sth = $this->dbh->prepare('UPDATE ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' SET ' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'firstname' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'lastname' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'email' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'label' . $this->identifier_quote_char . ' = ? WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND ' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ' = ?'))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query")));
+            }
+            if (!($res = $sth->execute(array($userdata['nickname'], $userdata['firstname'], (!empty($userdata['lastname']) ? $userdata['lastname'] : ''), $userdata['email'], (!empty($userdata['label']) ? $userdata['label'] : ''), $this->owner, $alias)))) {
+                if ($pdo_show_sql_errors)
+                    return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo())));
+                else
+                    return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query")));
+            }
+        } else {
+            /* Create query */
+            $query = sprintf("UPDATE %s SET nickname='%s', firstname='%s', ".
+                             "lastname='%s', email='%s', label='%s' ".
+                             "WHERE owner='%s' AND nickname='%s'",
+                             $this->table,
+                             $this->dbh->quoteString($userdata['nickname']),
+                             $this->dbh->quoteString($userdata['firstname']),
+                             $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')),
+                             $this->dbh->quoteString($userdata['email']),
+                             $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')),
+                             $this->owner,
+                             $this->dbh->quoteString($alias) );
+
+            /* Do the insert */
+            $r = $this->dbh->simpleQuery($query);
+
+            /* Check for errors */
+            if (DB::isError($r)) {
+                return $this->set_error(sprintf(_("Database error: %s"),
+                                                DB::errorMessage($r)));
+            }
         }
+
         return true;
     }
 } /* End of class abook_database */
-- 
2.25.1