X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fabook_database.php;h=68110ee67a9098939f21f717794d859567eba2b4;hp=c1cc0cd685a57fe6fbb22f7ed32584b834fe0a1c;hb=acb4fcd7e045e250c8028f56ee3d32ef350ed0aa;hpb=ae5dddc065f9501f267c4edaf68a066835da915f diff --git a/functions/abook_database.php b/functions/abook_database.php index c1cc0cd6..68110ee6 100644 --- a/functions/abook_database.php +++ b/functions/abook_database.php @@ -14,7 +14,7 @@ * PRIMARY KEY (owner,nickname) * * - * @copyright 1999-2011 The SquirrelMail Project Team + * @copyright 1999-2016 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -22,24 +22,34 @@ */ /** - * Needs the DB functions + * Needs either PDO or the DB functions * Don't display errors here. Error will be set in class constructor function. */ -@include_once('DB.php'); +global $use_pdo, $disable_pdo; +if (empty($disable_pdo) && class_exists('PDO')) + $use_pdo = TRUE; +else + $use_pdo = FALSE; + +if (!$use_pdo) + @include_once('DB.php'); /** * Address book in a database backend * * Backend for personal/shared address book stored in a database, - * accessed using the DB-classes in PEAR. + * accessed using the DB-classes in PEAR or PDO, the latter taking + * precedence if available.. * - * IMPORTANT: The PEAR modules must be in the include path - * for this class to work. + * IMPORTANT: If PDO is not available (it should be installed by + * default since PHP 5.1), then the PEAR modules must + * be in the include path for this class to work. * * An array with the following elements must be passed to * the class constructor (elements marked ? are optional): *
- * dsn => database DNS (see PEAR for syntax) + * dsn => database DNS (see PEAR for syntax, but more or + * less it is: mysql://user:pass@hostname/dbname) * table => table to store addresses in (must exist) * owner => current user (owner of address data) * ? name => name of address book @@ -52,6 +62,32 @@ * * NOTE. This class should not be used directly. Use the * "AddressBook" class instead. + * + * Three settings that control PDO behavior can be specified in + * config/config_local.php if needed: + * boolean $disable_pdo SquirrelMail uses PDO by default to access the + * user preferences and address book databases, but + * setting this to TRUE will cause SquirrelMail to + * fall back to using Pear DB instead. + * boolean $pdo_show_sql_errors When database errors are encountered, + * setting this to TRUE causes the actual + * database error to be displayed, otherwise + * generic errors are displayed, preventing + * internal database information from being + * exposed. This should be enabled only for + * debugging purposes. + * string $pdo_identifier_quote_char By default, SquirrelMail will quote + * table and field names in database + * queries with what it thinks is the + * appropriate quote character for the + * database type being used (backtick + * for MySQL (and thus MariaDB), double + * quotes for all others), but you can + * override the character used by + * putting it here, or tell SquirrelMail + * NOT to quote identifiers by setting + * this to "none" + * * @package squirrelmail * @subpackage addressbook */ @@ -72,6 +108,14 @@ class abook_database extends addressbook_backend { * @var string */ var $dsn = ''; + + /** + * Character used to quote database table + * and field names + * @var string + */ + var $identifier_quote_char = ''; + /** * Table that stores addresses * @var string @@ -103,18 +147,18 @@ class abook_database extends addressbook_backend { /* ========================== Private ======================= */ /** - * Constructor + * Constructor (PHP5 style, required in some future version of PHP) * @param array $param address book backend options */ - function abook_database($param) { + function __construct($param) { $this->sname = _("Personal Address Book"); - /* test if Pear DB class is available and freak out if it is not */ - if (! class_exists('DB')) { + /* test if PDO or Pear DB classes are available and freak out if necessary */ + global $use_pdo; + if (!$use_pdo && !class_exists('DB')) { // same error also in db_prefs.php - $error = _("Could not include PEAR database functions required for the database backend.") . "\n"; - $error .= sprintf(_("Is PEAR installed, and is the include path set correctly to find %s?"), - 'DB.php') . "\n"; + $error = _("Could not find or include PHP PDO or PEAR database functions required for the database backend.") . "\n"; + $error .= sprintf(_("PDO should come preinstalled with PHP version 5.1 or higher. Otherwise, is PEAR installed, and is the include path set correctly to find %s?"), 'DB.php') . "\n"; $error .= _("Please contact your system administrator and report this error."); return $this->set_error($error); } @@ -142,6 +186,19 @@ class abook_database extends addressbook_backend { $this->listing = $param['listing']; } + // figure out identifier quoting (only used for PDO, though we could change that) + global $pdo_identifier_quote_char; + if (empty($pdo_identifier_quote_char)) { + if (strpos($this->dsn, 'mysql') === 0) + $this->identifier_quote_char = '`'; + else + $this->identifier_quote_char = '"'; + } else if ($pdo_identifier_quote_char === 'none') + $this->identifier_quote_char = ''; + else + $this->identifier_quote_char = $pdo_identifier_quote_char; + + $this->open(true); } else { @@ -149,6 +206,13 @@ class abook_database extends addressbook_backend { } } + /** + * Constructor (PHP4 style, kept for compatibility reasons) + * @param array $param address book backend options + */ + function abook_database($param) { + return self::__construct($param); + } /** * Open the database. @@ -156,6 +220,7 @@ class abook_database extends addressbook_backend { * @return bool */ function open($new = false) { + global $use_pdo; $this->error = ''; /* Return true is file is open and $new is unset */ @@ -168,21 +233,73 @@ class abook_database extends addressbook_backend { $this->close(); } - $dbh = DB::connect($this->dsn, true); + if ($use_pdo) { + // parse and convert DSN to PDO style + // Pear's full DSN syntax is one of the following: + // phptype(dbsyntax)://username:password@protocol+hostspec/database?option=value + // phptype(syntax)://user:pass@protocol(proto_opts)/database + // + // $matches will contain: + // 1: database type + // 2: username + // 3: password + // 4: hostname (and possible port number) OR protocol (and possible protocol options) + // 5: database name (and possible options) + // 6: port number (moved from match number 4) + // 7: options (moved from match number 5) + // 8: protocol (instead of hostname) + // 9: protocol options (moved from match number 4/8) +//TODO: do we care about supporting cases where no password is given? (this is a legal DSN, but causes an error below) + if (!preg_match('|^(.+)://(.+):(.+)@(.+)/(.+)$|i', $this->dsn, $matches)) { + return $this->set_error(_("Could not parse prefs DSN")); + } + $matches[6] = NULL; + $matches[7] = NULL; + $matches[8] = NULL; + $matches[9] = NULL; + if (preg_match('|^(.+):(\d+)$|', $matches[4], $host_port_matches)) { + $matches[4] = $host_port_matches[1]; + $matches[6] = $host_port_matches[2]; + } + if (preg_match('|^(.+?)\((.+)\)$|', $matches[4], $protocol_matches)) { + $matches[8] = $protocol_matches[1]; + $matches[9] = $protocol_matches[2]; + $matches[4] = NULL; + $matches[6] = NULL; + } +//TODO: currently we just ignore options specified on the end of the DSN + if (preg_match('|^(.+?)\?(.+)$|', $matches[5], $database_name_options_matches)) { + $matches[5] = $database_name_options_matches[1]; + $matches[7] = $database_name_options_matches[2]; + } + if ($matches[8] === 'unix' && !empty($matches[9])) + $pdo_prefs_dsn = $matches[1] . ':unix_socket=' . $matches[9] . ';dbname=' . $matches[5]; + else + $pdo_prefs_dsn = $matches[1] . ':host=' . $matches[4] . (!empty($matches[6]) ? ';port=' . $matches[6] : '') . ';dbname=' . $matches[5]; + try { + $dbh = new PDO($pdo_prefs_dsn, $matches[2], $matches[3]); + } catch (Exception $e) { + return $this->set_error(sprintf(_("Database error: %s"), $e->getMessage())); + } - if (DB::isError($dbh)) { - return $this->set_error(sprintf(_("Database error: %s"), - DB::errorMessage($dbh))); - } + $dbh->setAttribute(PDO::ATTR_CASE, PDO::CASE_LOWER); - $this->dbh = $dbh; + } else { + $dbh = DB::connect($this->dsn, true); - /** - * field names are lowercased. - * We use unquoted identifiers and they use upper case in Oracle - */ - $this->dbh->setOption('portability', DB_PORTABILITY_LOWERCASE); + if (DB::isError($dbh)) { + return $this->set_error(sprintf(_("Database error: %s"), + DB::errorMessage($dbh))); + } + /** + * field names are lowercased. + * We use unquoted identifiers and they use upper case in Oracle + */ + $dbh->setOption('portability', DB_PORTABILITY_LOWERCASE); + } + + $this->dbh = $dbh; return true; } @@ -190,8 +307,13 @@ class abook_database extends addressbook_backend { * Close the file and forget the filehandle */ function close() { - $this->dbh->disconnect(); - $this->dbh = false; + global $use_pdo; + if ($use_pdo) { + $this->dbh = NULL; + } else { + $this->dbh->disconnect(); + $this->dbh = false; + } } /** @@ -257,32 +379,65 @@ class abook_database extends addressbook_backend { /* Convert wildcards to SQL syntax */ $expr = str_replace('?', '_', $expr); $expr = str_replace('*', '%', $expr); - $expr = $this->dbh->quoteString($expr); + $expr = "%$expr%"; - /* create escape expression */ - $escape = 'ESCAPE \'' . $this->dbh->quoteString('\\') . '\''; - - $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND " . - "(LOWER(firstname) LIKE '%s' %s OR LOWER(lastname) LIKE '%s' %s)", - $this->table, $this->owner, $expr, $escape, $expr, $escape); + global $use_pdo, $pdo_show_sql_errors; + if ($use_pdo) { + if (!($sth = $this->dbh->prepare('SELECT * FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND (LOWER(' . $this->identifier_quote_char . 'firstname' . $this->identifier_quote_char . ') LIKE ? ESCAPE ? OR LOWER(' . $this->identifier_quote_char . 'lastname' . $this->identifier_quote_char . ') LIKE ? ESCAPE ? OR LOWER(' . $this->identifier_quote_char . 'email' . $this->identifier_quote_char . ') LIKE ? ESCAPE ? OR LOWER(' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ') LIKE ? ESCAPE ?)'))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query"))); + } + if (!($res = $sth->execute(array($this->owner, $expr, '\\', $expr, '\\', $expr, '\\', $expr, '\\')))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query"))); + } - $res = $this->dbh->query($query); + while ($row = $sth->fetch(PDO::FETCH_ASSOC)) { + array_push($ret, array('nickname' => $row['nickname'], + 'name' => $this->fullname($row['firstname'], $row['lastname']), + 'firstname' => $row['firstname'], + 'lastname' => $row['lastname'], + 'email' => $row['email'], + 'label' => $row['label'], + 'backend' => $this->bnum, + 'source' => &$this->sname)); + } - if (DB::isError($res)) { - return $this->set_error(sprintf(_("Database error: %s"), - DB::errorMessage($res))); - } + } else { + $expr = $this->dbh->quoteString($expr); + + /* create escape expression */ + $escape = 'ESCAPE \'' . $this->dbh->quoteString('\\') . '\''; + + $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND " . + "(LOWER(firstname) LIKE '%s' %s " . + "OR LOWER(lastname) LIKE '%s' %s " . + "OR LOWER(email) LIKE '%s' %s " . + "OR LOWER(nickname) LIKE '%s' %s)", + $this->table, $this->owner, $expr, $escape, $expr, $escape, + $expr, $escape, $expr, $escape); + $res = $this->dbh->query($query); + + if (DB::isError($res)) { + return $this->set_error(sprintf(_("Database error: %s"), + DB::errorMessage($res))); + } - while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) { - array_push($ret, array('nickname' => $row['nickname'], - 'name' => $this->fullname($row['firstname'], $row['lastname']), - 'firstname' => $row['firstname'], - 'lastname' => $row['lastname'], - 'email' => $row['email'], - 'label' => $row['label'], - 'backend' => $this->bnum, - 'source' => &$this->sname)); + while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) { + array_push($ret, array('nickname' => $row['nickname'], + 'name' => $this->fullname($row['firstname'], $row['lastname']), + 'firstname' => $row['firstname'], + 'lastname' => $row['lastname'], + 'email' => $row['email'], + 'label' => $row['label'], + 'backend' => $this->bnum, + 'source' => &$this->sname)); + } } return $ret; } @@ -321,27 +476,56 @@ class abook_database extends addressbook_backend { return $this->set_error(sprintf(_("Unknown field name: %s"), $field)); } - $query = sprintf("SELECT * FROM %s WHERE owner = '%s' AND LOWER(%s) = '%s'", - $this->table, $this->owner, $db_field, - $this->dbh->quoteString($value)); + global $use_pdo, $pdo_show_sql_errors; + if ($use_pdo) { + if (!($sth = $this->dbh->prepare('SELECT * FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND LOWER(' . $this->identifier_quote_char . $db_field . $this->identifier_quote_char . ') = ?'))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query"))); + } + if (!($res = $sth->execute(array($this->owner, $value)))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query"))); + } - $res = $this->dbh->query($query); + if ($row = $sth->fetch(PDO::FETCH_ASSOC)) { + return array('nickname' => $row['nickname'], + 'name' => $this->fullname($row['firstname'], $row['lastname']), + 'firstname' => $row['firstname'], + 'lastname' => $row['lastname'], + 'email' => $row['email'], + 'label' => $row['label'], + 'backend' => $this->bnum, + 'source' => &$this->sname); + } - if (DB::isError($res)) { - return $this->set_error(sprintf(_("Database error: %s"), - DB::errorMessage($res))); - } + } else { + $query = sprintf("SELECT * FROM %s WHERE owner = '%s' AND LOWER(%s) = '%s'", + $this->table, $this->owner, $db_field, + $this->dbh->quoteString($value)); - if ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) { - return array('nickname' => $row['nickname'], - 'name' => $this->fullname($row['firstname'], $row['lastname']), - 'firstname' => $row['firstname'], - 'lastname' => $row['lastname'], - 'email' => $row['email'], - 'label' => $row['label'], - 'backend' => $this->bnum, - 'source' => &$this->sname); + $res = $this->dbh->query($query); + + if (DB::isError($res)) { + return $this->set_error(sprintf(_("Database error: %s"), + DB::errorMessage($res))); + } + + if ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) { + return array('nickname' => $row['nickname'], + 'name' => $this->fullname($row['firstname'], $row['lastname']), + 'firstname' => $row['firstname'], + 'lastname' => $row['lastname'], + 'email' => $row['email'], + 'label' => $row['label'], + 'backend' => $this->bnum, + 'source' => &$this->sname); + } } + return array(); } @@ -360,26 +544,54 @@ class abook_database extends addressbook_backend { } - $query = sprintf("SELECT * FROM %s WHERE owner='%s'", - $this->table, $this->owner); + global $use_pdo, $pdo_show_sql_errors; + if ($use_pdo) { + if (!($sth = $this->dbh->prepare('SELECT * FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ?'))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query"))); + } + if (!($res = $sth->execute(array($this->owner)))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query"))); + } - $res = $this->dbh->query($query); + while ($row = $sth->fetch(PDO::FETCH_ASSOC)) { + array_push($ret, array('nickname' => $row['nickname'], + 'name' => $this->fullname($row['firstname'], $row['lastname']), + 'firstname' => $row['firstname'], + 'lastname' => $row['lastname'], + 'email' => $row['email'], + 'label' => $row['label'], + 'backend' => $this->bnum, + 'source' => &$this->sname)); + } + } else { + $query = sprintf("SELECT * FROM %s WHERE owner='%s'", + $this->table, $this->owner); - if (DB::isError($res)) { - return $this->set_error(sprintf(_("Database error: %s"), - DB::errorMessage($res))); - } + $res = $this->dbh->query($query); - while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) { - array_push($ret, array('nickname' => $row['nickname'], - 'name' => $this->fullname($row['firstname'], $row['lastname']), - 'firstname' => $row['firstname'], - 'lastname' => $row['lastname'], - 'email' => $row['email'], - 'label' => $row['label'], - 'backend' => $this->bnum, - 'source' => &$this->sname)); + if (DB::isError($res)) { + return $this->set_error(sprintf(_("Database error: %s"), + DB::errorMessage($res))); + } + + while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) { + array_push($ret, array('nickname' => $row['nickname'], + 'name' => $this->fullname($row['firstname'], $row['lastname']), + 'firstname' => $row['firstname'], + 'lastname' => $row['lastname'], + 'email' => $row['email'], + 'label' => $row['label'], + 'backend' => $this->bnum, + 'source' => &$this->sname)); + } } + return $ret; } @@ -397,31 +609,55 @@ class abook_database extends addressbook_backend { return false; } + // NB: if you want to check for some unwanted characters + // or other problems, do so here like this: + // TODO: Should pull all validation code out into a separate function + //if (strpos($userdata['nickname'], ' ')) { + // return $this->set_error(_("Nickname contains illegal characters")); + //} + /* See if user exist already */ $ret = $this->lookup($userdata['nickname']); if (!empty($ret)) { - return $this->set_error(sprintf(_("User \"%s\" already exists"),$ret['nickname'])); + return $this->set_error(sprintf(_("User \"%s\" already exists"), $ret['nickname'])); + } + + global $use_pdo, $pdo_show_sql_errors; + if ($use_pdo) { + if (!($sth = $this->dbh->prepare('INSERT INTO ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' (' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'firstname' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'lastname' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'email' . $this->identifier_quote_char . ', ' . $this->identifier_quote_char . 'label' . $this->identifier_quote_char . ') VALUES (?, ?, ?, ?, ?, ?)'))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query"))); + } + if (!($res = $sth->execute(array($this->owner, $userdata['nickname'], $userdata['firstname'], (!empty($userdata['lastname']) ? $userdata['lastname'] : ''), $userdata['email'], (!empty($userdata['label']) ? $userdata['label'] : ''))))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query"))); + } + } else { + /* Create query */ + $query = sprintf("INSERT INTO %s (owner, nickname, firstname, " . + "lastname, email, label) VALUES('%s','%s','%s'," . + "'%s','%s','%s')", + $this->table, $this->owner, + $this->dbh->quoteString($userdata['nickname']), + $this->dbh->quoteString($userdata['firstname']), + $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')), + $this->dbh->quoteString($userdata['email']), + $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')) ); + + /* Do the insert */ + $r = $this->dbh->simpleQuery($query); + + /* Check for errors */ + if (DB::isError($r)) { + return $this->set_error(sprintf(_("Database error: %s"), + DB::errorMessage($r))); + } } - /* Create query */ - $query = sprintf("INSERT INTO %s (owner, nickname, firstname, " . - "lastname, email, label) VALUES('%s','%s','%s'," . - "'%s','%s','%s')", - $this->table, $this->owner, - $this->dbh->quoteString($userdata['nickname']), - $this->dbh->quoteString($userdata['firstname']), - $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')), - $this->dbh->quoteString($userdata['email']), - $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')) ); - - /* Do the insert */ - $r = $this->dbh->simpleQuery($query); - - /* Check for errors */ - if (DB::isError($r)) { - return $this->set_error(sprintf(_("Database error: %s"), - DB::errorMessage($r))); - } return true; } @@ -440,26 +676,52 @@ class abook_database extends addressbook_backend { return false; } - /* Create query */ - $query = sprintf("DELETE FROM %s WHERE owner='%s' AND (", - $this->table, $this->owner); - - $sepstr = ''; - while (list($undef, $nickname) = each($alias)) { - $query .= sprintf("%s nickname='%s' ", $sepstr, - $this->dbh->quoteString($nickname)); - $sepstr = 'OR'; - } - $query .= ')'; + global $use_pdo, $pdo_show_sql_errors; + if ($use_pdo) { + $sepstr = ''; + $where_clause = ''; + $where_clause_args = array(); + while (list($undef, $nickname) = each($alias)) { + $where_clause .= $sepstr . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ' = ?'; + $where_clause_args[] = $nickname; + $sepstr = ' OR '; + } + if (!($sth = $this->dbh->prepare('DELETE FROM ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND (' . $where_clause . ')'))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query"))); + } + array_unshift($where_clause_args, $this->owner); + if (!($res = $sth->execute($where_clause_args))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query"))); + } + } else { + /* Create query */ + $query = sprintf("DELETE FROM %s WHERE owner='%s' AND (", + $this->table, $this->owner); + + $sepstr = ''; + while (list($undef, $nickname) = each($alias)) { + $query .= sprintf("%s nickname='%s' ", $sepstr, + $this->dbh->quoteString($nickname)); + $sepstr = 'OR'; + } + $query .= ')'; - /* Delete entry */ - $r = $this->dbh->simpleQuery($query); + /* Delete entry */ + $r = $this->dbh->simpleQuery($query); - /* Check for errors */ - if (DB::isError($r)) { - return $this->set_error(sprintf(_("Database error: %s"), - DB::errorMessage($r))); + /* Check for errors */ + if (DB::isError($r)) { + return $this->set_error(sprintf(_("Database error: %s"), + DB::errorMessage($r))); + } } + return true; } @@ -478,6 +740,13 @@ class abook_database extends addressbook_backend { return false; } + // NB: if you want to check for some unwanted characters + // or other problems, do so here like this: + // TODO: Should pull all validation code out into a separate function + //if (strpos($userdata['nickname'], ' ')) { + // return $this->set_error(_("Nickname contains illegal characters")); + //} + /* See if user exist */ $ret = $this->lookup($alias); if (empty($ret)) { @@ -494,27 +763,44 @@ class abook_database extends addressbook_backend { } } - /* Create query */ - $query = sprintf("UPDATE %s SET nickname='%s', firstname='%s', ". - "lastname='%s', email='%s', label='%s' ". - "WHERE owner='%s' AND nickname='%s'", - $this->table, - $this->dbh->quoteString($userdata['nickname']), - $this->dbh->quoteString($userdata['firstname']), - $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')), - $this->dbh->quoteString($userdata['email']), - $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')), - $this->owner, - $this->dbh->quoteString($alias) ); - - /* Do the insert */ - $r = $this->dbh->simpleQuery($query); - - /* Check for errors */ - if (DB::isError($r)) { - return $this->set_error(sprintf(_("Database error: %s"), - DB::errorMessage($r))); + global $use_pdo, $pdo_show_sql_errors; + if ($use_pdo) { + if (!($sth = $this->dbh->prepare('UPDATE ' . $this->identifier_quote_char . $this->table . $this->identifier_quote_char . ' SET ' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'firstname' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'lastname' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'email' . $this->identifier_quote_char . ' = ?, ' . $this->identifier_quote_char . 'label' . $this->identifier_quote_char . ' = ? WHERE ' . $this->identifier_quote_char . 'owner' . $this->identifier_quote_char . ' = ? AND ' . $this->identifier_quote_char . 'nickname' . $this->identifier_quote_char . ' = ?'))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $this->dbh->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not prepare query"))); + } + if (!($res = $sth->execute(array($userdata['nickname'], $userdata['firstname'], (!empty($userdata['lastname']) ? $userdata['lastname'] : ''), $userdata['email'], (!empty($userdata['label']) ? $userdata['label'] : ''), $this->owner, $alias)))) { + if ($pdo_show_sql_errors) + return $this->set_error(sprintf(_("Database error: %s"), implode(' - ', $sth->errorInfo()))); + else + return $this->set_error(sprintf(_("Database error: %s"), _("Could not execute query"))); + } + } else { + /* Create query */ + $query = sprintf("UPDATE %s SET nickname='%s', firstname='%s', ". + "lastname='%s', email='%s', label='%s' ". + "WHERE owner='%s' AND nickname='%s'", + $this->table, + $this->dbh->quoteString($userdata['nickname']), + $this->dbh->quoteString($userdata['firstname']), + $this->dbh->quoteString((!empty($userdata['lastname'])?$userdata['lastname']:'')), + $this->dbh->quoteString($userdata['email']), + $this->dbh->quoteString((!empty($userdata['label'])?$userdata['label']:'')), + $this->owner, + $this->dbh->quoteString($alias) ); + + /* Do the insert */ + $r = $this->dbh->simpleQuery($query); + + /* Check for errors */ + if (DB::isError($r)) { + return $this->set_error(sprintf(_("Database error: %s"), + DB::errorMessage($r))); + } } + return true; } } /* End of class abook_database */