tylerhall / simple-php-framework Goto Github PK

Some of these will come when we merge in the 7.2 branch, but we need to take a quick look to ensure we're supporting all the new ones since PHP 5.x.

So, I rely heavily on generating nids for my objects, so that id'd are not guessable.
I ran into a weird problem that I could not lookup object from my database by their nid.
I have used this in the past too and never had a problem.

But now I found that I was passing the just generated nid to a function, to fetch the object I just saved. It uses the sha1() function which returns 40byte strings. However since the default mysql.sql had the column set as varchar(32) the nids were truncated to 32 bytes. Therefore all my queries returned false.

I'm not sure if this is an oversight and the database columns should be altered, or if something changed that I don't know about.

Hello tylerhall

The file that contains the SPFError class is named class.sferror.php instead of class.spferror.php, which in turn causes the autoloading to fail and throw the following error:

Fatal error: Uncaught Error: Class 'SPFError' not found in /includes/master.inc.php:34

Thought I'd better let you know. Thanks for sharing your work :)

It tries to set empty string instead of NULL and that won't work on numbers or enums.

I found it at class.stats.php
INSERT INTO stats ...

tiagosiebler/Shine@2270acb

for example, this file references a MySQL table that isn't defined anywhere ....

https://github.com/tylerhall/simple-php-framework/blob/master/includes/class.stats.php

Additionally, as it's now 2020, it's probably a good idea to change the MySQL schema to use InnoDB instead of MyISAM table types.

There is possible race condition when multiple simultaneous calls are done on DBSession::write resulting in a duplicate key error (i.e. between line 31 and 32 another simultaneous call to DBSession::write could have just finished executing line 32).

Fix suggestion:

        public static function write($id, $data)
        {
            $db = Database::getDatabase();
            $db->query('INSERT INTO `sessions` (`id`, `data`, `updated_on`) VALUES (:id:, :data:, :updated_on:) ON DUPLICATE KEY UPDATE `data` = :data:, `updated_on` = :updated_on:', array('id' => $id, 'data' => $data, 'updated_on' => time()));
            return ($db->affectedRows() == 1);
        }

Wouldn't it be necessary in login.php, line 4 and line 13 to redirect to WEB_ROOT instead of to '/'? I have my project in webserver subfilder "/in/" and have set that as my web_root in class.config.php

Can you provide examples for the usage of these two?

Please make the file http://groups.google.com/group/simple-php-framework/web/test.site.zip available again from Google group forum (18/10/2007)

As far as I know, array pop remove last element of the array, not first. So you have to use array_shift instead. Here is my version:

    // Returns an array of the first value in each row.
    // You can pass in nothing, a string, or a db result
    public function getValues($arg = null)
    {
        $result = $this->resulter($arg);
        if(!$this->hasRows($result)) return array();

        $values = array();
        mysql_data_seek($result, 0);
        while($row = mysql_fetch_array($result, MYSQL_ASSOC))
            $values[] = array_shift($row);
        return $values;
    }

But normally people didn't usually use the function with a multi-column query anyway.

https://github.com/tylerhall/simple-php-framework/blob/master/.htaccess#L15 references a non-existing file index.php.

PHP 7.2 appears to be unhappy with line 6 of class.dbsession.php:

ini_set('session.save_handler', 'user');

I'm building an application using your framework. Have used it int other projects before. Never had an issue. I think this maybe an issue on php 8.1?

see this code:

function updateCartItemQuantity($cartItemNid, $deltaQuantity) {
    $db = Database::getDatabase();
    $row = $db->getRow("SELECT * FROM shopping_cart_items WHERE nid = " . $db->quote($cartItemNid) . " AND is_deleted = 0");
    if ($row) {
        $cartItem = new ShoppingCartItem();
        $cartItem->load($row);
        $cartItem->quantity += $deltaQuantity;
        if ($cartItem->quantity <= 0) {
            $cartItem->delete();
        } else {
            $cartItem->update();
        }
    }
}

it fails:
with this error: "Fatal error: Uncaught mysqli_sql_exception: Column 'id' cannot be null in".

however printing the sql created in the update() function is this:

UPDATE shopping_cart_items SET `id` = NULL,`nid` = '9e9481863f111fcd71cea4a356f6c3ff22347223',`cart_nid` = '69bdc679e2c3730267ed7c67eb4b96748125b437',`product_nid` = '9c2221a844ab3d3bcd509a73b989bb252c6b2862',`quantity` = 3,`is_deleted` = '0' WHERE `id` = '26'

so somehow in the update() function it can't "decode" the id the first time, but it can the second time.

please advise.

Using arguments on the SQL LIMIT statement and passing that in the class.database.php query function results in a SQL syntax error (at least for mysql).

This happens because it this produces queries such as:

Quotations are not allowed as arguments for the LIMIT statement because only actual int values are expected there.

Now for obvious reasons the quotations are vital in the query function.
For now I fixed this issue by changing the following line (124, in class.database.php):

to this:

This should still prevent any kind of injection, but I am curious if there is a better solution.

Hi there,

I see that this framework uses similar classes to the shine projects, are these fully compatible with the project, or would they need to be carefully worked over the existing classes in shine? Rephrased, do all the class and function names match what shine would expect, if I start replacing classes? I see the table names would need to be updated, which is fine, just trying to scope the effort that would be needed to update each of the classes with this as a basis.

Thanks

There are a few references to the old mysql_ style functions - e.g.

from running psalm on the codebase :

ERROR: UndefinedFunction - includes/class.dbloop.php:43:9 - Function mysql_data_seek does not exist (see https://psalm.dev/021)
        mysql_data_seek($this->result, $this->position);


ERROR: UndefinedFunction - includes/class.dbloop.php:44:16 - Function mysql_fetch_array does not exist (see https://psalm.dev/021)
        $row = mysql_fetch_array($this->result, MYSQL_ASSOC);


ERROR: UndefinedConstant - includes/class.dbloop.php:44:49 - Const MYSQL_ASSOC is not defined (see https://psalm.dev/020)
        $row = mysql_fetch_array($this->result, MYSQL_ASSOC);


ERROR: UndefinedFunction - includes/class.dbloop.php:72:31 - Function mysql_num_rows does not exist (see https://psalm.dev/021)
        if ($this->position < mysql_num_rows($this->result)) {


ERROR: UndefinedFunction - includes/class.dbloop.php:73:20 - Function mysql_data_seek does not exist (see https://psalm.dev/021)
            return mysql_data_seek($this->result, $this->position);


ERROR: UndefinedFunction - includes/class.dbloop.php:81:16 - Function mysql_num_rows does not exist (see https://psalm.dev/021)
        return mysql_num_rows($this->result);


ERROR: UndefinedFunction - includes/class.rss.php:47:23 - Function mysql_fetch_array does not exist (see https://psalm.dev/021)
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {


ERROR: UndefinedConstant - includes/class.rss.php:47:50 - Const MYSQL_ASSOC is not defined (see https://psalm.dev/020)
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {

Calls to empty() or isset() on a DBObject property always returns true, and unset() has no effect as the magic methods __isset and __unset are not defined. The following methods need to be added:

          public function __isset($key) {
              return array_key_exists($key, $this->columns);
          }


          public function __unset($key) {
              unset($this->columns[$key]);
          }

Some function, such as:

    public function getRow($arg = null)
    {
        $result = $this->resulter($arg);
        return $this->hasRows() ? mysql_fetch_array($result, MYSQL_ASSOC) : false;
    }

has a BIG bug. It call $this->hasRow() without the $arg, which may result
incorrectetd when multiple but linked query were made. The correct solution
should be:

    public function getRow($arg = null)
    {
        $result = $this->resulter($arg);
        return $this->hasRows($arg) ? mysql_fetch_array($result, MYSQL_ASSOC) : false;
    }

(I think this is the only function that has this bug. But I may missed some other function, so please recheck)

Is this still maintained?

With all of the new TLDs (.consultant, .ninja, etc.), this validator needs to be relaxed a bit.