From: Habu Date: Fri, 23 Mar 2018 22:48:08 +0000 (+0900) Subject: [modify]検索条件を与えるのにプリペアドステートメントを使用 X-Git-Url: http://git.sourceforge.jp/view?p=hengband%2Fweb.git;a=commitdiff_plain;h=e6214beb4984272a07a77b79241a7cdbe0a0c3a0 [modify]検索条件を与えるのにプリペアドステートメントを使用 詳細検索実装の時にSQLインジェクションの可能性を避けるため --- diff --git a/db_common.inc b/db_common.inc index cb19b6f..9a10c79 100644 --- a/db_common.inc +++ b/db_common.inc @@ -49,25 +49,47 @@ class ScoreDB /** * スコア検索の絞り込み用WHERE句を取得する * - * @return string スコア検索絞り込み用のWHERE句 + * @return array スコア検索絞り込み用のWHERE句('where')とプレースホルダに渡すパラメータ配列('params')の連想配列 */ - private function get_where() + private function get_search_condition() { $last_days = filter_input(INPUT_GET, 'last_days', FILTER_VALIDATE_INT); + $params = []; + if ($last_days > 0) { $wheres[] = "date >= datetime('now', 'localtime', '-{$last_days} days')"; } - foreach (['race_id', 'class_id', 'personality_id'] as $id_str) { - $id = filter_input(INPUT_GET, $id_str, FILTER_VALIDATE_INT); - if ($id > 0) { - $wheres[] = "{$id_str} = {$id}"; + foreach (['race_id', 'class_id', 'personality_id'] as $key_column) { + $val = filter_input(INPUT_GET, $key_column, FILTER_VALIDATE_INT); + if ($val > 0) { + $wheres[] = "{$key_column} = :{$key_column}"; + $params[":{$key_column}"] = $val; + } + } + + foreach (['name'] as $key_column) { + $val = filter_input(INPUT_GET, $key_column); + if ($val !== NULL && strlen($val) > 0) { + $wheres[] = "{$key_column} = :{$key_column}"; + $params[":{$key_column}"] = $val; } } - $where = isset($wheres) ? 'WHERE '.implode(' AND ', $wheres) : ''; + foreach (['killer'] as $key_column) { + $val = filter_input(INPUT_GET, $key_column); + if ($val !== NULL && strlen($val) > 0) { + $wheres[] = "({$key_column} LIKE :{$key_column} OR {$key_column} = :{$key_column}1 OR {$key_column} = :{$key_column}2)"; + $params[":{$key_column}"] = "%".$val."%"; + $params[":{$key_column}1"] = "麻痺状態で".$val; + $params[":{$key_column}2"] = "彫像状態で".$val; + } + } - return $where; + $result['where'] = isset($wheres) ? 'WHERE '.implode(' AND ', $wheres) : ''; + $result['params'] = $params; + + return $result; } @@ -143,9 +165,10 @@ EOM; * @param string $where スコア検索に用いるWHERE句 * @return integer スコア総件数 */ - private function get_query_data_count($where) + private function get_query_data_count($where, $params) { - $stmt = $this->dbh->query("SELECT count(*) AS data_count from scores {$where}"); + $stmt = $this->dbh->prepare("SELECT count(*) AS data_count from scores {$where}"); + $stmt->execute($params); $res = $stmt->fetchAll(PDO::FETCH_ASSOC); return intval($res[0]['data_count']); @@ -162,16 +185,17 @@ EOM; */ public function search_score($start_num, $count) { - $where = $this->get_where(); + $cond = $this->get_search_condition(); $order_by = $this->get_order_by(); - $query_sql = $this->get_search_query(intval($start_num / $count) * $count, $count, $where, $order_by); + $query_sql = $this->get_search_query(intval($start_num / $count) * $count, $count, $cond['where'], $order_by); $search_start_time = microtime(true); $this->dbh->beginTransaction(); - $score_stmt = $this->dbh->query($query_sql); + $score_stmt = $this->dbh->prepare($query_sql); + $score_stmt->execute($cond['params']); $result['scores'] = $score_stmt->fetchAll(PDO::FETCH_ASSOC); - $result['total_data_count'] = $this->get_query_data_count($where); + $result['total_data_count'] = $this->get_query_data_count($cond['where'], $cond['params']); $this->dbh->commit(); $result['elapsed_time'] = microtime(true) - $search_start_time;