--- includes/database.inc.1 2004-12-23 22:07:52.000000000 +0100 +++ includes/database.inc 2004-12-23 23:44:29.000000000 +0100 
@@ -169,10 +170,61 @@ function db_queryd($query) { } /** + * Runs a select query in the active database. + * + * User-supplied arguments to the query should be passed in as separate parameters + * so that they can be properly escaped to avoid SQL injection attacks. + * + * @param $sql_array + * An array containing an SQL query, and a few optional arguments. + * array keys: SELECT is an array, FROM is a string, JOIN, WHERE, are arrays, GROUP, HAVING, ORDER are strings. These are translated into an SQL statement + * if $sql_array['range'] is 1, a db_query_range is performed + * if $sql_array['pager'] is 1, a pager_query is performed + * otherwise a db_query is performed + * @param $args + * An array of arguments which are substituted into the query using + * printf() syntax. + * @return + * A database query result resource, or FALSE if the query was not executed + * correctly. + */ + + +function db_array_query($sql_array, $args) { + + $query = 'SELECT '. implode(',', $sql_array['SELECT']).' FROM '. $sql_array['FROM']; + + if (!empty($sql_array['JOIN'])) { + $query .= ' LEFT JOIN '. implode(' LEFT JOIN ', $sql_array['JOIN']); + } + + if (!empty($sql_array['WHERE'])) { + $query .= ' WHERE '. implode(' AND ', $sql_array['WHERE']); + } + + $map = array('GROUP' => ' GROUP BY ', 'HAVING' => ' HAVING ', 'ORDER' => ' ORDER BY '); + foreach ($map as $key=>$val) { + if (isset($sql_array[$key])) { + $query .= $val.$sql_array[$key]; + } + } + + if (isset($sql_array['pager']) && $sql_array['pager']) { + return (pager_query($query, $args)); + } + + if (isset($sql_array['range']) && $sql_array['range']) { + return (db_query_range($query, $args)); + } + + return db_query($query, $args); +} + +/** * @} End of "defgroup database". */ // Initialize the default database. db_set_active(); -?> \ No newline at end of file +?> --- modules/node.module.1 2004-12-11 01:31:17.000000000 +0100 +++ modules/node.module 2004-12-17 00:50:37.000000000 +0100 
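Review bot: The `pager` and `range` branches hand `$args` to pager_query() and db_query_range() as one array, whereas the calls this patch removes in node.module pass the limit and the range bounds as separate positional arguments (`pager_query(..., variable_get('default_nodes_main', 10))`, `db_query_range(..., 0, 15)`); unless those helpers unpack an array argument, which is not visible here, the limit arrives as `array(10)` and the range as `array(0, 15)`. Spreading the list restores the old calling convention: `return call_user_func_array('pager_query', array_merge(array($query), $args));` and `return call_user_func_array('db_query_range', array_merge(array($query), $args));`. The docblock should also state that every fragment in $sql_array (SELECT, FROM, JOIN, WHERE, GROUP, HAVING, ORDER) is concatenated verbatim and must never contain user input, since only `$args` goes through escaping, and that `pager` takes precedence when both flags are set. `$sql_array['FROM']` is read without an isset() guard, so a missing key raises a notice and emits `FROM ` with nothing after it; failing explicitly there would be safer than running a malformed query.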
@@ -1019,7 +1019,7 @@ function node_feed($nodes = 0, $channel global $base_url, $locale; if (!$nodes) { - $nodes = db_query_range('SELECT n.nid FROM {node} n '. node_access_join_sql() .' WHERE '. node_access_where_sql() .' AND n.promote = 1 AND n.status = 1 ORDER BY n.created DESC', 0, 15); + $nodes = node_select_nodes(array('WHERE'=>array('n.promote = 1','n.status = 1'),'ORDER'=>'n.created DESC','range'=>1),0,15); } while ($node = db_fetch_object($nodes)) { @@ -1464,7 +1464,7 @@ function node_delete($edit) { * Generate a listing of promoted nodes. */ function node_page_default() { - $result = pager_query('SELECT DISTINCT(n.nid), n.sticky, n.created FROM {node} n '. node_access_join_sql() .' WHERE n.promote = 1 AND n.status = 1 AND '. node_access_where_sql() .' ORDER BY n.sticky DESC, n.created DESC', variable_get('default_nodes_main', 10)); + $result = node_select_nodes(array('SELECT'=>array('n.sticky', 'n.created'), 'WHERE'=>array('n.promote = 1', 'n.status = 1'), 'ORDER'=>'n.sticky DESC, n.created DESC','pager'=>1),variable_get('default_nodes_main', 10)); if (db_num_rows($result)) { drupal_set_html_head(''); 
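Review bot: The replacement query in node_feed() now carries a `DISTINCT(n.nid)` select list, prepended by node_select_nodes() further down in this patch, while ordering by `n.created`, which is not in that list; the removed line had no DISTINCT, so this is a new query shape, and PostgreSQL rejects `SELECT DISTINCT` whose ORDER BY expressions are absent from the select list. Adding the column keeps the query portable: `node_select_nodes(array('SELECT'=>array('n.created'), 'WHERE'=>array('n.promote = 1','n.status = 1'), 'ORDER'=>'n.created DESC', 'range'=>1), 0, 15);`. The node_page_default() call in the next hunk already lists `n.sticky` and `n.created` alongside the same ORDER BY, which is the pattern to follow. node_feed() continues outside the hunk.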
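Review bot: The node_page_default() call no longer shows where `DISTINCT(n.nid)` and the node-access join and WHERE clause come from; the removed line spelled them out, the new one relies on node_select_nodes() and hook_node_sql to add them, so a reader checking that the promoted-node listing stays access-filtered has to follow the helper. A one-line comment at the call site would preserve that: `// node_select_nodes() prepends DISTINCT(n.nid) and applies the node-access join/where via hook_node_sql.`. The seven-key array literal packed onto one line would also be easier to audit split one key per line, with the pager limit on its own line. node_page_default() continues outside the hunk.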
@@ -1779,4 +1779,76 @@ function node_access_grants($op, $uid = * @} End of "defgroup node_access". */ +/** + * Implementation of hook_node_sql + */ + +function node_node_sql(&$sql_array) { + $join = node_access_join_sql(); + if (!empty($join)) { + $sql_array['JOIN'][] = substr(node_access_join_sql(),10); // cut INNER JOIN + } + $where = node_access_where_sql(); + if ($where != "'1'") { + $sql_array['WHERE'][] = node_access_where_sql() ; + } +} + +/** + * Runs a select query in the active database. + * + * User-supplied arguments to the query should be passed in as separate parameters + * so that they can be properly escaped to avoid SQL injection attacks. + * + * @param $sql_array + * An array containing an SQL query, and a few optional arguments. + * array keys: SELECT (or 0), JOIN, WHERE, are arrays, GROUP, HAVING, ORDER are strings. These are translated into an SQL statement + * if $sql_array['suppress'] is set, hook_node_sql is not called. Use only if you have nid(s) which are already processed by hook_node_sql! + * if $sql_array['range'] is 1, a db_query_range is performed + * if $sql_array['pager'] is 1, a pager_query is performed + * otherwise a db_query is performed + * @param $args + * An array of arguments which are substituted into the query using + * printf() syntax. + * @return + * A database query result resource, or FALSE if the query was not executed + * correctly. 
+ */ + +function node_select_nodes() { + + $args=func_get_args(); + + $sql_array=array_shift($args); + if (is_array($args[0])) { + $args=$args[0]; + } + + if (isset($sql_array[0]) && !isset($sql_array['SELECT'])) { + $sql_array['SELECT']=$sql_array[0]; + } + + foreach (array('SELECT','JOIN','WHERE') as $key) { + if (!isset($sql_array[$key])) { + $sql_array[$key]=array(); + } + } + + if (!isset($sql_array['suppress'])) { + array_unshift($sql_array['SELECT'], 'DISTINCT(n.nid)'); + foreach (module_list() as $name) { + $function = $name .'_node_sql'; + if (function_exists($function)) { + $function($sql_array,$args); // call by reference. SELECT, JOIN, WHERE are arrays at this point. + } + } + } + else { + array_unshift($sql_array['SELECT'], 'n.nid'); + } + $sql_array['FROM'] = '{node} n'; + + return db_array_query($sql_array,$args); +} + ?>
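Review bot: node_select_nodes() passes `$args` to each `*_node_sql` hook by value (`$function($sql_array,$args)`), so a hook that appends a WHERE fragment containing a `%d` or `'%s'` placeholder has no way to supply the matching value; implementers are left to inline values into the fragment, which is exactly the string-building the docblock warns against. Declaring the second parameter by reference in the hook signature, `function node_node_sql(&$sql_array, &$args)`, and documenting it as such in the hook_node_sql docblock lets hooks add escaped parameters instead. `is_array($args[0])` is evaluated even when no extra arguments were passed, which raises an undefined-offset notice; `if (!empty($args) && is_array($args[0]))` avoids it. In node_node_sql(), `substr(node_access_join_sql(),10)` strips a fixed-width prefix (presumably `INNER JOIN`, per the inline comment) and db_array_query() then re-emits the fragment as `LEFT JOIN`, changing the join type of the access filter and silently producing broken SQL if that prefix ever changes; reusing the `$join` and `$where` locals already computed (both helpers are currently called twice) and checking the prefix explicitly before cutting it would make this safer. `'suppress'` skips the access hooks entirely, so its docblock line deserves stronger wording, e.g. `Bypasses node access filtering; pass only nids that were already filtered by hook_node_sql.`.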