<?php
/**
 * Copyright November 20, 2006, Michi Kono.
 *
 * @author	Michi Kono
 * @version	1.1
 *
 * This code is released under the MIT license. For more information, visit michikono.com.
 *
 * This class will copy and escape the common global variables for easy access that ensures
 * all your data is sanitized when going into the database. All developers need to remember
 * is to use this class instead of the global variable names (much easier than relying on
 * them to always use addslashes(). This class will not double-escape something if magic quotes
 * are enabled. This class is compatible with PHP 4 or 5.
 */
class DbSafe {
	
	/**
	 * PHP 4 safe declarations. All escaped values.
	 */
	var $data = array();
	
	
	/**
	 * Initializes all values
	 */
	function DbSafe() {
		$this->data['post'] = $_POST;
		$this->data['get'] = $_GET;
		$this->data['request'] = $_REQUEST;
		$this->data['cookie'] = $_COOKIE;
	}
	
	/**
	 * Returns the sanitized (DB ready) get value for the index provided ($_GET[index])
	 *
	 * @param	string	name of field
	 * @param	boolean	set to TRUE to disable data sanitization for this call. 
	 *					Use this to get the original value. Compensates for magic quotes being on.
	 * @return	mixed	value of field, escaped
	 */
	function get($index, $getOriginal = FALSE) {
		return DbSafe::_returnValue('get', $index, $getOriginal);
	}
	
	/**
	 * Returns the sanitized (DB ready) post value for the index provided ($_POST[index])
	 *
	 * @param	string	name of field
	 * @param	boolean	set to TRUE to disable data sanitization for this call.
	 *					Use this to get the original value. Compensates for magic quotes being on.
	 * @return	mixed	value of field, escaped
	 */
	function post($index, $getOriginal = FALSE) {
		return DbSafe::_returnValue('post', $index, $getOriginal);
	}
	
	/**
	 * Returns the sanitized (DB ready) request value for the index provided ($_REQUEST[index])
	 *
	 * @param	string	name of field
	 * @param	boolean	set to TRUE to disable data sanitization for this call.
	 *					Use this to get the original value. Compensates for magic quotes being on.
	 * @return	mixed	value of field, escaped
	 */
	function request($index, $getOriginal = FALSE) {
		return DbSafe::_returnValue('request', $index, $getOriginal);
	}
	
	/**
	 * Returns the sanitized (DB ready) cookie value for the index provided ($_COOKIE[index])
	 *
	 * @param	string	name of field
	 * @param	boolean	set to TRUE to disable data sanitization for this call.
	 *					Use this to get the original value. Compensates for magic quotes being on.
	 * @return	mixed	value of field, escaped
	 */
	function cookie($index, $getOriginal = FALSE) {
		return DbSafe::_returnValue('cookie', $index, $getOriginal);
	}

	/**
	 * Returns the sanitized (DB ready) value of the internal variable that corresponds to the passed type.
	 *
	 * @param	string	type of field
	 * @param	string	name of field
	 * @param	boolean	set to TRUE to disable data sanitization for this call.
	 *					Use this to get the original value. Compensates for magic quotes being on.
	 * @return	mixed	value of field, escaped
	 */
	function _returnValue($type, $index, $getOriginal) {
		if(isset($this->data[$type][$index])) {
			if($getOriginal) {
				if(get_magic_quotes_gpc()) {
					return DbSafe::_undoMagicQuotes($this->data[$type][$index]);
				}
				else {
					return $this->data[$type][$index];
				}
			}
			else {
				return $this->escape($this->data[$type][$index]);
			}
		}
		else {
			return NULL;
		}
	}
	
	/**
	 * Escape any value.
	 *
	 * @param	mixed	Value to escape
	 * @return	mixed	Escaped value
	 */
	function escape($value) {
		$escapedValue = $value;
		DbSafe::_escape($escapedValue);
		return $escapedValue;
	}
	
	/**
	 * Escape an array of values.
	 *
	 * @param	array	Values to escape
	 * @return	array	Escaped values
	 */
	function escapeArray($values) {
		$escapedValues = $values;
		array_walk($escapedValues, array('DbSafe', '_escapeWalk'));
		return $escapedValues;
	}
	
	/**
	 * Internal method that escapes values in an array. Modifies it by reference. Used for array_walk.
	 *
	 * @param	mixed	Value of the index
	 * @param	mixed	Key name
	 * @return	void
	 */
	function _escapeWalk(&$value, $key) {
		DbSafe::_escape($value);
	}
	
	/**
	 * Internal method that escapes a single value by reference.
	 *
	 * @param	mixed	Value of the index
	 * @return	void
	 */
	function _escape(&$value) {
		if(is_array($value)) {
			$value = $this->escapeArray($value);
			return;
		}
		
		if(get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		
		if (!is_numeric($value) || '' == $value) { 
			/*
			 * This function is used over addslashes to protect against character
			 * encoding related attacks. This is problematic if no database
			 * connection is currently present. Thus we must do an addslashes
			 * if the mysql_real_escape_string fails.
			 */
			$unescapedValue = $value;
			$value = @mysql_real_escape_string($unescapedValue);
			if(FALSE === $value) {
				$value = addslashes($unescapedValue);
			}
		}
	}
	
	/**
	 * Strips out slashes in an array
	 *
	 * @param	array	The value or array to strip
	 * @return	array	The stripped values
	 */
	function _undoMagicQuotes($value) {
		if(is_array($value)) {
			foreach($value as &$components) {
				$components = DbSafe::_undoMagicQuotes($components);
			}
		}
		elseif(get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		
		return $value;
	}
}
?>