fix: issues related permissions

Author: marcocesarato

.gitignore

@@ -1,4 +1,5 @@
 **.logs
 **.log
 .idea/**
-vendor/**
+vendor
+ghooks.lock

.php_cs .php_cs.php.php_cs renamed to .php_cs.php

@@ -13,8 +13,8 @@
   "scripts": {
     "post-install-cmd": "vendor/bin/cghooks add --ignore-lock",
     "post-update-cmd": "vendor/bin/cghooks update",
-    "fix-cs": "vendor/bin/php-cs-fixer fix --config=.php_cs -v",
-    "check-cs": "vendor/bin/php-cs-fixer fix --dry-run --format=txt --verbose --diff --diff-format=udiff --config=.cs.php"
+    "fix-cs": "vendor/bin/php-cs-fixer fix --config=.php_cs.php -v",
+    "check-cs": "vendor/bin/php-cs-fixer fix --dry-run --format=txt --verbose --diff --diff-format=udiff --config=.php_cs.php"
   },
   "require": {
     "php": ">=5.6",

composer.json

@@ -698,7 +698,6 @@ public function get($query, $db = null)
                     }
                 }
                 $group_columns = $selected_columns;
-                $prefix_columns = $this->auth->addSelectPermissions($prefix_columns, $table, $prefix, $db);
                 $select_columns = implode(', ', $prefix_columns);
             }
 
@@ -842,21 +841,21 @@ public function get($query, $db = null)
             // bind WHERE values
             if (!empty($where_values) && count($where_values) > 0) {
                 foreach ($where_values as $key => $value) {
-                    $value = $this->cleanConditionValue($value, $query['table'], $key, $db);
+                    $value = $this->parseValue($value, $query['table'], $key, $db);
                     $type = self::detectPDOType($value);
                     $key = ':' . $key;
-                    $sql_compiled = self::debugCompileSQL($sql_compiled, $key, $value);
+                    $sql_compiled = self::getPartialCompiledQuery($sql_compiled, $key, $value);
                     $sth->bindValue($key, $value, $type);
                 }
             }
 
             // bind JOIN values
             if (!empty($join_values) && count($join_values) > 0) {
                 foreach ($join_values as $key => $value) {
-                    $value = $this->cleanConditionValue($value, $query['table'], $key, $db);
+                    $value = $this->parseValue($value, $query['table'], $key, $db);
                     $type = self::detectPDOType($value);
                     $key = ':' . $key;
-                    $sql_compiled = self::debugCompileSQL($sql_compiled, $key, $value);
+                    $sql_compiled = self::getPartialCompiledQuery($sql_compiled, $key, $value);
                     $sth->bindValue($key, $value, $type);
                 }
             }
@@ -1133,18 +1132,18 @@ public function patch($query, $db = null, $skipChecks = false)
 
                     // bind PUT values
                     foreach ($column_values as $key => $value) {
-                        $value = $this->cleanConditionValue($value, $table, $key, $db);
+                        $value = $this->parseValue($value, $table, $key, $db);
                         $key = ':' . $key;
-                        $sql_compiled = self::debugCompileSQL($sql_compiled, $key, $value);
+                        $sql_compiled = self::getPartialCompiledQuery($sql_compiled, $key, $value);
                         $sth->bindValue($key, $value);
                     }
 
                     // bind WHERE values
                     if (!empty($where_values) && count($where_values) > 0) {
                         foreach ($where_values as $key => $value) {
-                            $value = $this->cleanConditionValue($value, $table, $key, $db);
+                            $value = $this->parseValue($value, $table, $key, $db);
                             $key = ':' . $key;
-                            $sql_compiled = self::debugCompileSQL($sql_compiled, $key, $value);
+                            $sql_compiled = self::getPartialCompiledQuery($sql_compiled, $key, $value);
                             $sth->bindValue($key, $value);
                         }
                     }
@@ -1211,6 +1210,10 @@ public function delete($query, $db = null)
             $where_additional = $this->hooks->apply_filters('delete_query_additional_where', '', $query['table']);
             $where_additional_table = $this->hooks->apply_filters('delete_query_additional_where_' . strtolower($query['table']), '', $query['table']);
 
+            if (empty(trim($restriction))) {
+                $restriction = "'1' = '1'";
+            }
+
             $sql .= ($where_exists ? ' AND ' : ' WHERE ') . ' (' . $restriction . ') ';
             $sql .= (!empty($where_additional) ? ' AND (' . $where_additional . ') ' : '');
             $sql .= (!empty($where_additional_table) ? ' AND (' . $where_additional_table . ') ' : '');
@@ -1223,10 +1226,10 @@ public function delete($query, $db = null)
             // bind WHERE values
             if (!empty($where_values) && count($where_values) > 0) {
                 foreach ($where_values as $key => $value) {
-                    $value = $this->cleanConditionValue($value, $query['table'], $key, $db);
+                    $value = $this->parseValue($value, $query['table'], $key, $db);
                     $type = self::detectPDOType($value);
                     $key = ':' . $key;
-                    $sql_compiled = self::debugCompileSQL($sql_compiled, $key, $value);
+                    $sql_compiled = self::getPartialCompiledQuery($sql_compiled, $key, $value);
                     $sth->bindValue($key, $value, $type);
                 }
             }
@@ -1288,10 +1291,10 @@ private function executeInsert($table, $columns, $db)
 
             // bind POST values
             foreach ($columns as $column => $value) {
-                $value = $this->cleanConditionValue($value, $table, $column);
+                $value = $this->parseValue($value, $table, $column);
                 $column = ':' . $column;
                 $sth->bindValue($column, $value);
-                $sql_compiled = self::debugCompileSQL($sql_compiled, $column, $value);
+                $sql_compiled = self::getPartialCompiledQuery($sql_compiled, $column, $value);
             }
 
             $this->logger->debug($sql_compiled);
@@ -1334,34 +1337,100 @@ public function render($data)
      * @param $simple_encode
      * @param $query
      */
-    public function renderJson($data, $simple_encode = false)
+    public function renderJson($data, $simple_encode = false, $complex = false)
     {
-        @header('Content-type: application/json');
-
-        if (is_multi_array($data) && !$simple_encode) {
-            $prefix = '';
-            $output = '[';
-            foreach ($data as $key => $row) {
-                $output .= $prefix . json_encode($row);
-                $prefix = ',';
-            }
-            $output .= ']';
+        if ($complex) {
+            $output = $this->jsonStringify($data);
         } else {
-            $output = json_encode($data);
+            // TODO: replace with jsonStringify method, need to do some checks
+            if (is_multi_array($data) && !$simple_encode) {
+                $prefix = '';
+                $output = '[';
+                foreach ($data as $row) {
+                    $output .= $prefix . json_encode($row);
+                    $prefix = ',';
+                }
+                $output .= ']';
+            } else {
+                $output = json_encode($data);
+            }
         }
 
         // Prepare a JSONP callback.
         $callback = jsonp_callback_filter($this->query['callback']);
 
         // Only send back JSONP if that's appropriate for the request.
         if ($callback) {
-            echo "{$callback}($output);";
+            $output = "{$callback}($output);";
+        }
 
-            return;
+        $compressed = gzencode($output);
+
+        ob_clean();
+
+        @header('Content-Type: application/json');
+        @header('Content-Encoding: gzip');
+        @header('Content-Length: ' . strlen($compressed));
+
+        exit($compressed);
+    }
+
+    /**
+     * Encode large amount of data into JSON.
+     *
+     * @param mixed $data
+     *
+     * @return string
+     */
+    public function jsonStringify($data, $path = 'json')
+    {
+        if (is_array($data) || is_object($data)) {
+            if (is_object($data)) {
+                $isNamedKey = true;
+            } else {
+                $isNamedKey = (is_string(key($data)));
+            }
+            if ($isNamedKey) {
+                $output = '{';
+                $prefix = '';
+                foreach ($data as $key => $value) {
+                    $nextPath = $path . ".$key";
+                    if (!is_numeric($key)) {
+                        $key = '"' . $key . '"';
+                    }
+                    $stringify = $this->hooks->apply_filters('render_json_process', true, $nextPath);
+                    if ($stringify) {
+                        $content = $this->jsonStringify($value, $nextPath);
+                        $content = $this->hooks->apply_filters('render_json_content', $content, $nextPath);
+                    } else {
+                        $content = $this->hooks->apply_filters('render_json_result', 'null', $nextPath);
+                    }
+                    $output .= $prefix . $key . ': ' . $content;
+                    $prefix = ',';
+                }
+                $output .= '}';
+            } else {
+                $output = '[';
+                $prefix = '';
+                foreach ($data as $key => $value) {
+                    $nextPath = $path . "[$key]";
+                    $stringify = $this->hooks->apply_filters('render_json_process', true, $nextPath);
+                    if ($stringify) {
+                        $content = $this->jsonStringify($value, $nextPath);
+                        $content = $this->hooks->apply_filters('render_json_content', $content, $nextPath);
+                    } else {
+                        $content = $this->hooks->apply_filters('render_json_result', 'null', $nextPath);
+                    }
+                    $output .= $prefix . $content;
+                    $prefix = ',';
+                }
+                $output .= ']';
+            }
+        } else {
+            $output = json_encode($data);
         }
-        // If not JSONP, send back the data.
-        echo $output;
-        exit();
+
+        return (string)$output;
     }
 
     /**
@@ -1637,10 +1706,11 @@ private function getTableColumnsMeta($table, $db = null)
      * @param $table
      * @param $key
      * @param $db
+     * @param $forceNullable
      *
      * @return mixed
      */
-    private function cleanConditionValue($value, $table, $key, $db = null)
+    public function parseValue($value, $table, $key, $db = null, $forceNullable = false)
     {
         if (is_array($value)) {
             $value = serialize($value);
@@ -1663,6 +1733,8 @@ private function cleanConditionValue($value, $table, $key, $db = null)
                 ];
                 if (in_array($dataType, $numericDataType)) {
                     $value = ($isNullable) ? null : (float)$default;
+                } elseif ($forceNullable) {
+                    $value = null;
                 }
             }
         }
@@ -1896,7 +1968,7 @@ private function parseWhere($main_table, $where, $sql)
                                 $special_value = [$special_value];
                             }
                             foreach ($special_value as $v) {
-                                $clean_value = $this->cleanConditionValue($v, $table, $column);
+                                $clean_value = $this->parseValue($v, $table, $column);
                                 if ($clean_value === null) {
                                     $clean_value = ''; // Don't accept null
                                 }
@@ -1938,7 +2010,7 @@ private function parseWhere($main_table, $where, $sql)
                             if (is_null($value)) {
                                 $index_value = "''";
                             } else {
-                                $clean_value = $this->cleanConditionValue($value, $table, $column);
+                                $clean_value = $this->parseValue($value, $table, $column);
                                 if ($clean_value === null) {
                                     $clean_value = ''; // Don't accept null
                                 }
@@ -1965,7 +2037,7 @@ private function parseWhere($main_table, $where, $sql)
                         if (count($_value_split) > 1 && $this->checkColumn(@$_value_split[1], @$_value_split[0])) {
                             $index_value = $_value_split[0] . '.' . $_value_split[1];
                         } else {
-                            $clean_value = $this->cleanConditionValue($value, $table, $column);
+                            $clean_value = $this->parseValue($value, $table, $column);
                             if ($clean_value === null) {
                                 $clean_value = ''; // Don't accept null
                             }
@@ -2130,19 +2202,85 @@ private static function detectPDOType($value)
     }
 
     /**
-     * Compile PDO prepare.
+     * Returns the partial emulated SQL string.
      *
      * @param $string
      * @param $key
      * @param $value
      *
-     * @return string|string[]|null
+     * @return string
+     */
+    public static function getPartialCompiledQuery($query, $key, $value)
+    {
+        $value = self::getCompiledParamValue($value);
+
+        return preg_replace('/' . $key . "([,]|\s|$|\))/i", $value, $query);
+    }
+
+    /**
+     * Returns the emulated SQL string.
+     *
+     * @param string $query
+     * @param array $parameters
+     *
+     * @return string
+     */
+    public static function getCompiledQuery($query, $parameters = [])
+    {
+        $keys = [];
+        $values = [];
+
+        /**
+         * Get longest keys first, so the regex replacement doesn't cut markers
+         * (ex : replace ":username" with "marco.cesarato" if we have a param name :user ).
+         */
+        $isNamedMarkers = false;
+        if (count($parameters) && is_string(key($parameters))) {
+            uksort($parameters, function ($k1, $k2) {
+                return strlen($k2) - strlen($k1);
+            });
+            $isNamedMarkers = true;
+        }
+        foreach ($parameters as $key => $value) {
+            // Check if named parameters (':param') or anonymous parameters ('?') are used
+            if (is_string($key)) {
+                $keys[] = '/:' . ltrim($key, ':') . '/';
+            } else {
+                $keys[] = '/[?]/';
+            }
+            $values[] = self::getCompiledParamValue($value);
+        }
+        if ($isNamedMarkers) {
+            return preg_replace($keys, $values, $query);
+        }
+
+        return preg_replace($keys, $values, $query, 1, $count);
+    }
+
+    /**
+     * Bring parameter value into human-readable format.
+     *
+     * @param mixed $rawValue
+     *
+     * @return string
      */
-    public static function debugCompileSQL($string, $key, $value)
+    public static function getCompiledParamValue($rawValue)
     {
-        $string = preg_replace('/' . $key . "([,]|\s|$|\))/i", ($value === null ? 'NULL$1' : "'" . $value . "'$1"), $string);
+        if (is_string($rawValue)) {
+            $value = "'" . addslashes($rawValue) . "'";
+        } elseif (is_numeric($rawValue)) {
+            $value = (string)$rawValue;
+        } elseif (is_array($rawValue)) {
+            $value = implode(',', $rawValue);
+        } elseif (is_null($rawValue)) {
+            $value = 'NULL';
+        } elseif (is_bool($rawValue)) {
+            $value = (string)($rawValue);
+        } else {
+            $value = (string)($rawValue);
+        }
 
-        return $string;
+        return $value;
     }
 
     /**

includes/classes/API.php

@@ -2,6 +2,8 @@
 
 namespace marcocesarato\DatabaseAPI;
 
+use DateTime;
+
 /**
  * Logger Class.
  *

includes/classes/Logger.php

@@ -25,7 +25,7 @@
 require_once __API_DIR_INCLUDES__ . '/compatibility.php';
 require_once __API_DIR_INCLUDES__ . '/functions.php';
 
-disable_php_errors();
+enable_php_errors();
 
 // Libs
 require_once __API_DIR_CLASSES__ . '/Hooks.php';