这里提供的数据库连接类程序,后面还提供了一个sql安全检测函数与sql语句完整性检测函数。*/
class db_mysql {
var $connid;
var $querynum = 0;
var $expires;
var $cursor = 0;
var $cache_id = '';
var $cache_file = '';
var $cache_expires = '';
var $halt = 0;
var $result = array();function connect($dbhost, $dbuser, $dbpw, $dbname, $pconnect = 0) {
global $cfg;
$this->expires = $cfg['db_expires'];
$func = $pconnect == 1 ? 'mysql_pconnect' : 'mysql_connect';
if(!$this->connid = $func($dbhost, $dbuser, $dbpw)) {
$this->halt('can not connect to mysql server');
}
if($this->version() > '4.1' && $cfg['db_charset']) {
mysql_query("set names '".$cfg['db_charset']."'" , $this->connid);
}
if($this->version() > '5.0') {
mysql_query("set sql_mode=''" , $this->connid);
}
if($dbname) {
if(!mysql_select_db($dbname , $this->connid)) {
$this->halt('cannot use database '.$dbname);
}
}
return $this->connid;
}function select_db($dbname) {
return mysql_select_db($dbname , $this->connid);
}function query($sql , $type = '', $expires = 0, $save_id = false) {
$sql=checksql($sql);
if($type == 'cache' && stristr($sql, 'select')) {
$this->cursor = 0;
$this->cache_id = md5($sql);
$this->result = array();
$this->cache_expires = $expires ? $expires + mt_rand(-9, 9) : $this->expires;
return $this->_query($sql);
}
if(!$save_id) $this->cache_id = 0;
$func = $type == 'unbuffered' ? 'mysql_unbuffered_query' : 'mysql_query';
if(!($query = $func($sql , $this->connid)) && $this->halt) {
$this->halt('mysql query error', $sql);
}
$this->querynum++;
return $query;
}function get_one($sql, $type = '', $expires = 0) {
$query = $this->query($sql, $type, $expires);
$r = $this->fetch_array($query);
$this->free_result($query);
return $r ;
}
function counter($table, $condition = '', $type = '', $expires = 0) {
global $cfg;
$table = strpos($table, $cfg['tb_pre']) === false ? $cfg['tb_pre'].$table : $table;
$sql = "select count(*) as num from {$table}";
if($condition) $sql .= " where $condition";
$r = $this->get_one($sql, $type, $expires);
return $r ? $r['num'] : 0;
}function fetch_array($query, $result_type = mysql_assoc) {
return $this->cache_id ? $this->_fetch_array($query) : @mysql_fetch_array($query, $result_type);
}function affected_rows() {
return mysql_affected_rows($this->connid);
}function num_rows($query) {
return mysql_num_rows($query);
}function num_fields($query) {
return mysql_num_fields($query);
}
function escape_string($str){
return mysql_escape_string($str);
}
function result($query, $row) {
return @mysql_result($query, $row);
}function free_result($query) {
return @mysql_free_result($query);
}function insert_id() {
return mysql_insert_id($this->connid);
}function fetch_row($query) {
return mysql_fetch_row($query);
}function version() {
return mysql_get_server_info($this->connid);
}function close() {
return mysql_close($this->connid);
}function error() {
return @mysql_error($this->connid);
}function errno() {
return intval(@mysql_errno($this->connid)) ;
}function halt($message = '', $sql = '') {
global $cfg;
if($message) {
if($cfg['errlog']) {
$log = "query:$sql|errno:".$this->errno()."|error:".$this->error()."|errmsg:$message";
log_write($log, 'sql');
}
}
showmsg("mysqlerror:$message",'-1');
exit();
}function _query($sql) {
global $fr_time;
$this->cache_file = cache_root.'/sql/'.substr($this->cache_id, 0, 2).'/'.$this->cache_id.'.php教程';
if(!is_file($this->cache_file) || ($fr_time - @filemtime($this->cache_file) > $this->cache_expires)) {
$tmp = array();
$result = $this->query($sql, '', '', true);
while($r = mysql_fetch_array($result, mysql_assoc)) {
$tmp[] = $r;
}
$this->result = $tmp;
$this->free_result($result);
file_put($this->cache_file, "cache_expires)."*/ return ".var_export($this->result, true).";n?>");
} else {
$this->result = include $this->cache_file;
}
return $this->result;
}function _fetch_array($query = array()) {
if($query) $this->result = $query;
if(isset($this->result[$this->cursor])) {
return $this->result[$this->cursor++];
} else {
$this->cursor = $this->cache_id = 0;
return array();
}
}
}function checksql($dbstr,$querytype='select'){
$clean = '';
$old_pos = 0;
$pos = -1;
//普通语句,直接过滤特殊语法
if($querytype=='select'){
$nastr = "/[^0-9a-z@._-]{1,}(union|sleep|benchmark|load_file|outfile)[^[email protected]]{1,}/i";
if(preg_match($nastr,$dbstr)){
log_write($dbstr,'sql');
showmsg('safeerror:10001', '网页特效:;');
exit();
}
}
//完整的sql检查
while (true){
$pos = strpos($dbstr, ''', $pos + 1);
if ($pos === false){
break;
}
$clean .= substr($dbstr, $old_pos, $pos - $old_pos);
while (true){
$pos1 = strpos($dbstr, ''', $pos + 1);
$pos2 = strpos($dbstr, '', $pos + 1);
if ($pos1 === false){
break;
}
elseif ($pos2 == false || $pos2 > $pos1){
$pos = $pos1;
break;
}
$pos = $pos2 + 1;
}
$clean .= '$s$';
$old_pos = $pos + 1;
}
$clean .= substr($dbstr, $old_pos);
$clean = trim(strtolower(preg_replace(array('~s+~s' ), array(' '), $clean)));
if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0){
$fail = true;
}
elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, '#') !== false){
$fail = true;
}
elseif (strpos($clean, 'sleep') !== false && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0){
$fail = true;
}
elseif (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0){
$fail = true;
}
elseif (strpos($clean, 'load_file') !== false && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0){
$fail = true;
}
elseif (strpos($clean, 'into outfile') !== false && preg_match('~(^|[^a-z])intos+outfile($|[^[a-z])~s', $clean) != 0){
$fail = true;
}
elseif (preg_match('~([^)]*?select~s', $clean) != 0){
$fail = true;
}
if (!empty($fail)){
log_write($dbstr,'sql');
showmsg('safeerror:10002', 'javascript:;');exit;
}
else
{
return $dbstr;
}
}