def _query_callback(match, init = False):
"""
Helper function for db_query().
"""
php.static(_query_callback, 'args')
if (init):
_query_callback.args = list(match);
return;
# We must use type casting to int to convert FALSE/NULL/(TRUE?)
if match[1] == '%d':
# We don't need db_escape_string as numbers are db-safe
return str(int(php.array_shift(_query_callback.args)));
elif match[1] == '%s':
return db.escape_string(php.array_shift(_query_callback.args));
elif match[1] == '%n':
# Numeric values have arbitrary precision, so can't be treated as float.
# is_numeric() allows hex values (0xFF), but they are not valid.
value = php.trim(php.array_shift(args));
return (value if (php.is_numeric(value) and not \
php.stripos(value, 'x')) else '0')
elif match[1] == '%%':
return '%';
elif match[1] == '%f':
return float(php.array_shift(_query_callback.args));
elif match[1] == '%b': # binary data
return db.encode_blob(php.array_shift(_query_callback.args));
def munge_filename(filename, extensions, alerts = True):
"""
Munge the filename as needed for security purposes + For instance the file
name "exploit.php.pps" would become "exploit.php_.pps".
@param filename The name of a file to modify.
@param extensions A space separated list of extensions that should not
be altered.
@param alerts Whether alerts (watchdog, drupal_set_message()) should be
displayed.
@return filename The potentially modified filename.
"""
original = filename
# Allow potentially insecure uploads for very savvy users and admin
if (not variable_get('allow_insecure_uploads', 0)):
whitelist = array_unique(php.explode(' ', php.trim(extensions)))
# Split the filename up by periods + The first part becomes the basename
# the last part the final extension.
filename_parts = php.explode('.', filename)
new_filename = php.array_shift(filename_parts); # Remove file basename.
final_extension = php.array_pop(filename_parts); # Remove final extension.
# Loop through the middle parts of the name and add an underscore to the
# end of each section that could be a file extension but isn't in the list
# of allowed extensions.
for filename_part in filename_parts:
new_filename += '.' + filename_part
if (not php.in_array(filename_part, whitelist) and \
php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)):
new_filename += '_'
filename = new_filename + '.' + final_extension
if (alerts and original != filename):
drupal_set_message(t('For security reasons, your upload has ' + \
'been renamed to %filename.', {'%filename' : filename}))
return filename
def query_temporary(query):
"""
Runs a SELECT query and stores its results in a temporary table.
Use this as a substitute for db_query() when the results need to stored
in a temporary table. Temporary tables exist for the duration of the page
request.
User-supplied arguments to the query should be passed in as
separate parameters
so that they can be properly escaped to avoid SQL injection attacks.
Note that if you need to know how many results were returned, you should do
a SELECT COUNT(*) on the temporary table afterwards. db_affected_rows() does
not give consistent result across different database types in this case.
@param query
A string containing a normal SELECT SQL query.
@param ...
A variable number of arguments which are substituted into the query
using printf() syntax. The query arguments can be enclosed in one
array instead.
Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
in '') and %%.
NOTE: using this syntax will cast None and False values to decimal 0,
and True values to decimal 1.
@param table
The name of the temporary table to select into. This name will not be
prefixed as there is no risk of collision.
@return
A database query result resource, or False if the query was not executed
correctly.
"""
args = func_get_args()
tablename = php.array_pop(args)
php.array_shift(args)
query = php.preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE ' + \
tablename + ' Engine=HEAP SELECT', db_prefix_tables(query))
# 'All arguments in one array' syntax
if (php.isset(args, 0) and php.is_array(args, 0)):
args = args[0]
_db_query_callback(args, True)
query = php.preg_replace_callback(DB_QUERY_REGEXP, \
'_db_query_callback', query)
return _db_query(query)
def query_temporary(query):
"""
Runs a SELECT query and stores its results in a temporary table.
Use this as a substitute for db_query() when the results need to stored
in a temporary table. Temporary tables exist for the duration of the page
request.
User-supplied arguments to the query should be passed in as
separate parameters
so that they can be properly escaped to avoid SQL injection attacks.
Note that if you need to know how many results were returned, you should do
a SELECT COUNT(*) on the temporary table afterwards. db_affected_rows() does
not give consistent result across different database types in this case.
@param query
A string containing a normal SELECT SQL query.
@param ...
A variable number of arguments which are substituted into the query
using printf() syntax. The query arguments can be enclosed in one
array instead.
Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
in '') and %%.
NOTE: using this syntax will cast None and False values to decimal 0,
and True values to decimal 1.
@param table
The name of the temporary table to select into. This name will not be
prefixed as there is no risk of collision.
@return
A database query result resource, or False if the query was not executed
correctly.
"""
args = func_get_args()
tablename = php.array_pop(args)
php.array_shift(args)
query = php.preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE ' + \
tablename + ' Engine=HEAP SELECT', db_prefix_tables(query))
# 'All arguments in one array' syntax
if (php.isset(args, 0) and php.is_array(args, 0)):
args = args[0]
_db_query_callback(args, True)
query = php.preg_replace_callback(DB_QUERY_REGEXP, \
'_db_query_callback', query)
return _db_query(query)
def query_range(query):
"""
Runs a limited-range query in the active database.
Use this as a substitute for db_query() when a subset of the query is to be
returned. User-supplied arguments to the query should be passed in as
separate parameters so that they can be properly escaped to avoid SQL
injection attacks.
@param query
A string containing an SQL query.
@param ...
A variable number of arguments which are substituted into the query
using printf() syntax. The query arguments can be enclosed in one
array instead.
Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
in '') and %%.
NOTE: using this syntax will cast None and False values to decimal 0,
and True values to decimal 1.
@param from
The first result row to return.
@param count
The maximum number of result rows to return.
@return
A database query result resource, or False if the query was not executed
correctly.
"""
args = func_get_args()
count = php.array_pop(args)
from_ = php.array_pop(args)
php.array_shift(args)
query = db_prefix_tables(query)
# 'All arguments in one array' syntax
if (php.isset(args, 0) and php.is_array(args, 0)):
args = args[0]
_db_query_callback(args, True)
query = php.preg_replace_callback(DB_QUERY_REGEXP, \
'_db_query_callback', query)
query += ' LIMIT ' + int(from_) + ', ' . int(count)
return _db_query(query)
def query_range(query):
"""
Runs a limited-range query in the active database.
Use this as a substitute for db_query() when a subset of the query is to be
returned. User-supplied arguments to the query should be passed in as
separate parameters so that they can be properly escaped to avoid SQL
injection attacks.
@param query
A string containing an SQL query.
@param ...
A variable number of arguments which are substituted into the query
using printf() syntax. The query arguments can be enclosed in one
array instead.
Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
in '') and %%.
NOTE: using this syntax will cast None and False values to decimal 0,
and True values to decimal 1.
@param from
The first result row to return.
@param count
The maximum number of result rows to return.
@return
A database query result resource, or False if the query was not executed
correctly.
"""
args = func_get_args()
count = php.array_pop(args)
from_ = php.array_pop(args)
php.array_shift(args)
query = db_prefix_tables(query)
# 'All arguments in one array' syntax
if (php.isset(args, 0) and php.is_array(args, 0)):
args = args[0]
_db_query_callback(args, True)
query = php.preg_replace_callback(DB_QUERY_REGEXP, \
'_db_query_callback', query)
query += ' LIMIT ' + int(from_) + ', '.int(count)
return _db_query(query)
def initialize():
"""
Choose a language for the page, based on language negotiation settings.
"""
# Configured presentation language mode.
mode = variable_get('language_negotiation', \
lib_bootstrap.LANGUAGE_NEGOTIATION_NONE)
# Get a list of enabled languages.
languages = lib_bootstrap.language_list('enabled')
languages = languages[1]
if mode == lib_bootstrap.LANGUAGE_NEGOTIATION_NONE:
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_DOMAIN:
for language in languages:
parts = php.parse_url(language.domain)
if (not php.empty(parts['host']) and \
(php.SERVER['php.SERVER_NAME'] == parts['host'])):
return language
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH_DEFAULT or \
mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH:
# _GET['q'] might not be available at this time, because
# path initialization runs after the language bootstrap phase.
args = (php.explode('/', _GET['q']) if php.isset(_GET, 'q') else [])
prefix = php.array_shift(args)
# Search prefix within enabled languages.
for language in languages:
if (not php.empty(language.prefix) and language.prefix == prefix):
# Rebuild php.GET['q'] with the language removed.
php.GET['q'] = php.implode('/', args)
return language
if (mode == LANGUAGE_NEGOTIATION_PATH_DEFAULT):
# If we did not found the language by prefix, choose the default.
return language_default()
# User language.
if (lib_appglobals.user.uid and \
php.isset(languages[lib_appglobals.user.language])):
return languages[lib_appglobals.user.language]
# Browser accept-language parsing.
language = language_from_browser()
if (language):
return language
# Fall back on the default if everything else fails.
return language_default()
def initialize():
"""
Choose a language for the page, based on language negotiation settings.
"""
# Configured presentation language mode.
mode = variable_get('language_negotiation', \
lib_bootstrap.LANGUAGE_NEGOTIATION_NONE)
# Get a list of enabled languages.
languages = lib_bootstrap.language_list('enabled')
languages = languages[1]
if mode == lib_bootstrap.LANGUAGE_NEGOTIATION_NONE:
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_DOMAIN:
for language in languages:
parts = php.parse_url(language.domain)
if (not php.empty(parts['host']) and \
(php.SERVER['php.SERVER_NAME'] == parts['host'])):
return language
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH_DEFAULT or \
mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH:
# _GET['q'] might not be available at this time, because
# path initialization runs after the language bootstrap phase.
args = (php.explode('/', _GET['q']) if php.isset(_GET, 'q') else [])
prefix = php.array_shift(args)
# Search prefix within enabled languages.
for language in languages:
if (not php.empty(language.prefix) and language.prefix == prefix):
# Rebuild php.GET['q'] with the language removed.
php.GET['q'] = php.implode('/', args)
return language
if (mode == LANGUAGE_NEGOTIATION_PATH_DEFAULT):
# If we did not found the language by prefix, choose the default.
return language_default()
# User language.
if (lib_appglobals.user.uid and \
php.isset(languages[lib_appglobals.user.language])):
return languages[lib_appglobals.user.language]
# Browser accept-language parsing.
language = language_from_browser()
if (language):
return language
# Fall back on the default if everything else fails.
return language_default()
def munge_filename(filename, extensions, alerts=True):
"""
Munge the filename as needed for security purposes + For instance the file
name "exploit.php.pps" would become "exploit.php_.pps".
@param filename The name of a file to modify.
@param extensions A space separated list of extensions that should not
be altered.
@param alerts Whether alerts (watchdog, drupal_set_message()) should be
displayed.
@return filename The potentially modified filename.
"""
original = filename
# Allow potentially insecure uploads for very savvy users and admin
if (not variable_get('allow_insecure_uploads', 0)):
whitelist = array_unique(php.explode(' ', php.trim(extensions)))
# Split the filename up by periods + The first part becomes the basename
# the last part the final extension.
filename_parts = php.explode('.', filename)
new_filename = php.array_shift(filename_parts)
# Remove file basename.
final_extension = php.array_pop(filename_parts)
# Remove final extension.
# Loop through the middle parts of the name and add an underscore to the
# end of each section that could be a file extension but isn't in the list
# of allowed extensions.
for filename_part in filename_parts:
new_filename += '.' + filename_part
if (not php.in_array(filename_part, whitelist) and \
php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)):
new_filename += '_'
filename = new_filename + '.' + final_extension
if (alerts and original != filename):
drupal_set_message(t('For security reasons, your upload has ' + \
'been renamed to %filename.', {'%filename' : filename}))
return filename
