OC_DB.php 6.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Andreas Fischer <bantu@owncloud.com>
  6. * @author Bart Visscher <bartv@thisnet.nl>
  7. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  8. * @author Joas Schilling <coding@schilljs.com>
  9. * @author Jörn Friedrich Dreyer <jfd@butonic.de>
  10. * @author Lukas Reschke <lukas@statuscode.ch>
  11. * @author Morris Jobke <hey@morrisjobke.de>
  12. * @author Robin Appelman <robin@icewind.nl>
  13. * @author Thomas Müller <thomas.mueller@tmit.eu>
  14. * @author Vincent Petry <vincent@nextcloud.com>
  15. *
  16. * @license AGPL-3.0
  17. *
  18. * This code is free software: you can redistribute it and/or modify
  19. * it under the terms of the GNU Affero General Public License, version 3,
  20. * as published by the Free Software Foundation.
  21. *
  22. * This program is distributed in the hope that it will be useful,
  23. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  24. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  25. * GNU Affero General Public License for more details.
  26. *
  27. * You should have received a copy of the GNU Affero General Public License, version 3,
  28. * along with this program. If not, see <http://www.gnu.org/licenses/>
  29. *
  30. */
  31. class OC_DB {
  32. /**
  33. * Prepare a SQL query
  34. * @param string $query Query string
  35. * @param int|null $limit
  36. * @param int|null $offset
  37. * @param bool|null $isManipulation
  38. * @throws \OC\DatabaseException
  39. * @return OC_DB_StatementWrapper prepared SQL query
  40. * @deprecated 21.0.0 Please use \OCP\IDBConnection::getQueryBuilder() instead
  41. *
  42. * SQL query via Doctrine prepare(), needs to be execute()'d!
  43. */
  44. public static function prepare($query, $limit = null, $offset = null, $isManipulation = null) {
  45. $connection = \OC::$server->getDatabaseConnection();
  46. if ($isManipulation === null) {
  47. //try to guess, so we return the number of rows on manipulations
  48. $isManipulation = self::isManipulation($query);
  49. }
  50. // return the result
  51. try {
  52. $result = $connection->prepare($query, $limit, $offset);
  53. } catch (\Doctrine\DBAL\Exception $e) {
  54. throw new \OC\DatabaseException($e->getMessage());
  55. }
  56. // differentiate between query and manipulation
  57. return new OC_DB_StatementWrapper($result, $isManipulation);
  58. }
  59. /**
  60. * tries to guess the type of statement based on the first 10 characters
  61. * the current check allows some whitespace but does not work with IF EXISTS or other more complex statements
  62. *
  63. * @param string $sql
  64. * @return bool
  65. */
  66. public static function isManipulation($sql) {
  67. $sql = trim($sql);
  68. $selectOccurrence = stripos($sql, 'SELECT');
  69. if ($selectOccurrence === 0) {
  70. return false;
  71. }
  72. $insertOccurrence = stripos($sql, 'INSERT');
  73. if ($insertOccurrence === 0) {
  74. return true;
  75. }
  76. $updateOccurrence = stripos($sql, 'UPDATE');
  77. if ($updateOccurrence === 0) {
  78. return true;
  79. }
  80. $deleteOccurrence = stripos($sql, 'DELETE');
  81. if ($deleteOccurrence === 0) {
  82. return true;
  83. }
  84. // This is triggered with "SHOW VERSION" and some more, so until we made a list, we keep this out.
  85. // \OC::$server->getLogger()->logException(new \Exception('Can not detect if query is manipulating: ' . $sql));
  86. return false;
  87. }
  88. /**
  89. * execute a prepared statement, on error write log and throw exception
  90. * @param mixed $stmt OC_DB_StatementWrapper,
  91. * an array with 'sql' and optionally 'limit' and 'offset' keys
  92. * .. or a simple sql query string
  93. * @param array $parameters
  94. * @return OC_DB_StatementWrapper
  95. * @throws \OC\DatabaseException
  96. * @deprecated 21.0.0 Please use \OCP\IDBConnection::getQueryBuilder() instead
  97. */
  98. public static function executeAudited($stmt, array $parameters = []) {
  99. if (is_string($stmt)) {
  100. // convert to an array with 'sql'
  101. if (stripos($stmt, 'LIMIT') !== false) { //OFFSET requires LIMIT, so we only need to check for LIMIT
  102. // TODO try to convert LIMIT OFFSET notation to parameters
  103. $message = 'LIMIT and OFFSET are forbidden for portability reasons,'
  104. . ' pass an array with \'limit\' and \'offset\' instead';
  105. throw new \OC\DatabaseException($message);
  106. }
  107. $stmt = ['sql' => $stmt, 'limit' => null, 'offset' => null];
  108. }
  109. if (is_array($stmt)) {
  110. // convert to prepared statement
  111. if (! array_key_exists('sql', $stmt)) {
  112. $message = 'statement array must at least contain key \'sql\'';
  113. throw new \OC\DatabaseException($message);
  114. }
  115. if (! array_key_exists('limit', $stmt)) {
  116. $stmt['limit'] = null;
  117. }
  118. if (! array_key_exists('limit', $stmt)) {
  119. $stmt['offset'] = null;
  120. }
  121. $stmt = self::prepare($stmt['sql'], $stmt['limit'], $stmt['offset']);
  122. }
  123. self::raiseExceptionOnError($stmt, 'Could not prepare statement');
  124. if ($stmt instanceof OC_DB_StatementWrapper) {
  125. $result = $stmt->execute($parameters);
  126. self::raiseExceptionOnError($result, 'Could not execute statement');
  127. } else {
  128. if (is_object($stmt)) {
  129. $message = 'Expected a prepared statement or array got ' . get_class($stmt);
  130. } else {
  131. $message = 'Expected a prepared statement or array got ' . gettype($stmt);
  132. }
  133. throw new \OC\DatabaseException($message);
  134. }
  135. return $result;
  136. }
  137. /**
  138. * check if a result is an error and throws an exception, works with \Doctrine\DBAL\Exception
  139. * @param mixed $result
  140. * @param string $message
  141. * @return void
  142. * @throws \OC\DatabaseException
  143. */
  144. public static function raiseExceptionOnError($result, $message = null) {
  145. if ($result === false) {
  146. if ($message === null) {
  147. $message = self::getErrorMessage();
  148. } else {
  149. $message .= ', Root cause:' . self::getErrorMessage();
  150. }
  151. throw new \OC\DatabaseException($message);
  152. }
  153. }
  154. /**
  155. * returns the error code and message as a string for logging
  156. * works with DoctrineException
  157. * @return string
  158. */
  159. public static function getErrorMessage() {
  160. $connection = \OC::$server->getDatabaseConnection();
  161. return $connection->getError();
  162. }
  163. /**
  164. * Checks if a table exists in the database - the database prefix will be prepended
  165. *
  166. * @param string $table
  167. * @return bool
  168. * @throws \OC\DatabaseException
  169. */
  170. public static function tableExists($table) {
  171. $connection = \OC::$server->getDatabaseConnection();
  172. return $connection->tableExists($table);
  173. }
  174. }