Tuskfish API
  • Package
  • Class

Packages

  • content
  • core
  • database
  • installation
  • security
  • user
  • utilities

Classes

  • TfishAncestralObject
  • TfishAngryTree
  • TfishArticle
  • TfishArticleHandler
  • TfishAudio
  • TfishAudioHandler
  • TfishBlock
  • TfishBlockHandler
  • TfishCache
  • TfishCollection
  • TfishCollectionHandler
  • TfishContentHandler
  • TfishContentObject
  • TfishCriteria
  • TfishCriteriaItem
  • TfishDatabase
  • TfishDownload
  • TfishDownloadHandler
  • TfishFileHandler
  • TfishFilter
  • TfishImage
  • TfishImageHandler
  • TfishLogger
  • TfishMetadata
  • TfishPreference
  • TfishPreferenceHandler
  • TfishRss
  • TfishSecurityUtility
  • TfishSession
  • TfishStatic
  • TfishStaticHandler
  • TfishTag
  • TfishTagHandler
  • TfishTaglink
  • TfishTaglinkHandler
  • TfishTemplate
  • TfishUser
  • TfishUtils
  • TfishVideo
  • TfishVideoHandler
  • TfishYubikeyAuthenticator

Functions

  • getUrl
  • tfish_autoload
   1    2    3    4    5    6    7    8    9   10   11   12   13   14   15   16   17   18   19   20   21   22   23   24   25   26   27   28   29   30   31   32   33   34   35   36   37   38   39   40   41   42   43   44   45   46   47   48   49   50   51   52   53   54   55   56   57   58   59   60   61   62   63   64   65   66   67   68   69   70   71   72   73   74   75   76   77   78   79   80   81   82   83   84   85   86   87   88   89   90   91   92   93   94   95   96   97   98   99  100  101  102  103  104  105  106  107  108  109  110  111  112  113  114  115  116  117  118  119  120  121  122  123  124  125  126  127  128  129  130  131  132  133  134  135  136  137  138  139  140  141  142  143  144  145  146  147  148  149  150  151  152  153  154  155  156  157  158  159  160  161  162  163  164  165  166  167  168  169  170  171  172  173  174  175  176  177  178  179  180  181  182  183  184  185  186  187  188  189  190  191  192  193  194  195  196  197  198  199  200  201  202  203  204  205  206  207  208  209  210  211  212  213  214  215  216  217  218  219  220  221  222  223  224  225  226  227  228  229  230  231  232  233  234  235  236  237  238  239  240  241  242  243  244  245  246  247  248  249  250  251  252  253  254  255  256  257  258  259  260  261  262  263  264  265  266  267  268  269  270  271  272  273  274  275  276  277  278  279  280  281  282  283  284  285  286  287  288  289  290  291  292  293  294  295  296  297  298  299  300  301  302  303  304  305  306  307  308  309  310  311  312  313  314  315  316  317  318  319  320  321  322  323  324  325  326  327  328  329  330  331  332  333  334  335  336  337  338  339  340  341  342  343  344  345  346  347  348  349  350  351  352  353  354  355  356  357  358  359  360  361  362  363  364  365  366  367  368  369  370  371  372  373  374  375  376  377  378  379  380  381  382  383  384  385  386  387  388  389  390  391  392  393  394  395  396  397  398  399  400  401  402  403  404  405  406  407  408  409  410  411  412  413  414  415  416  417  418  419  420  421  422  423  424  425  426  427  428  429  430  431  432  433  434  435  436  437  438  439  440  441  442  443  444  445  446  447  448  449  450  451  452  453  454  455  456  457  458  459  460  461  462  463  464  465  466  467  468  469  470  471  472  473  474  475  476  477  478  479  480  481  482  483  484  485  486  487  488  489  490  491  492  493  494  495  496  497  498  499  500  501  502  503  504  505  506  507  508  509  510  511  512  513  514  515  516  517  518  519  520  521  522  523  524  525  526  527  528  529  530  531  532  533  534  535  536  537  538  539  540  541  542  543  544  545  546  547  548  549  550  551  552  553  554  555  556  557  558  559  560  561  562  563  564  565  566  567  568  569  570  571  572  573  574  575  576  577  578  579  580  581  582  583  584  585  586  587  588  589  590  591  592  593  594  595  596  597  598  599  600  601  602  603  604  605  606  607  608  609  610  611  612  613  614  615  616  617  618  619  620  621  622  623  624  625  626  627  628  629  630  631  632  633  634  635  636  637  638  639  640  641  642  643  644  645  646  647  648  649  650  651  652  653  654  655  656  657  658  659  660  661  662  663  664  665  666  667  668  669  670  671  672  673  674  675  676  677  678  679  680  681  682  683  684  685  686  687  688  689  690  691  692  693  694  695  696  697  698  699  700  701  702  703  704  705  706  707  708  709  710  711  712  713  714  715  716  717  718  719  720  721  722  723  724  725  726  727  728  729  730  731  732  733  734  735  736  737  738  739  740  741  742  743  744  745  746  747  748  749  750  751  752  753  754  755  756  757  758  759  760  761  762  763  764  765  766  767  768  769  770  771  772  773  774  775  776  777  778  779  780  781  782  783  784  785  786  787  788  789  790  791  792  793  794  795  796  797  798  799  800  801  802  803  804  805  806  807  808  809  810  811  812  813  814  815  816  817  818  819  820  821  822  823  824  825  826  827  828  829  830  831  832  833  834  835  836  837  838  839  840  841  842  843  844  845  846  847  848  849  850  851  852  853  854  855  856  857  858  859  860  861  862  863  864  865  866  867  868  869  870  871  872  873  874  875  876  877  878  879  880  881  882  883  884  885  886  887  888  889  890  891  892  893  894  895  896  897  898  899  900  901  902  903  904  905  906  907  908  909  910  911  912  913  914  915  916  917  918  919  920  921  922  923  924  925  926  927  928  929  930  931  932  933  934  935  936  937  938  939  940  941  942  943  944  945  946  947  948  949  950  951  952  953  954  955  956  957  958  959  960  961  962  963  964  965  966  967  968  969  970  971  972  973  974  975  976  977  978  979  980  981  982  983  984  985  986  987  988  989  990  991  992  993  994  995  996  997  998  999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 
<?php

/**
 * TfishDatabase class file.
 * 
 * @copyright   Simon Wilkinson 2013-2017 (https://tuskfish.biz)
 * @license     https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html GNU General Public License (GPL) V2
 * @author      Simon Wilkinson <[email protected]>
 * @version     Release: 1.0
 * @since       1.0
 * @package     database
 */

// Enable strict type declaration.
declare(strict_types=1);

if (!defined("TFISH_ROOT_PATH")) die("TFISH_ERROR_ROOT_PATH_NOT_DEFINED");

/**
 * Tuskfish database handler class (singleton).
 * 
 * Implements PDO and makes exclusive use of prepared statements with bound values to mitigate SQL
 * injection attacks. Table and column identifiers are also escaped.
 * 
 * It is expected that by the time data trickles down to this class it will have ALREADY BEEN
 * THOROUGHLY VALIDATED AND RANGE CHECKED by user-facing control scripts and internal object checks.
 * As the validation conducted by this class is the last line of defense any failures will trigger
 * FATAL errors and angry log entries.
 *
 * @copyright   Simon Wilkinson 2013-2017 (https://tuskfish.biz)
 * @license     https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html GNU General Public License (GPL) V2
 * @author      Simon Wilkinson <[email protected]>
 * @version     Release: 1.0
 * @since       1.0
 * @package     database
 */
class TfishDatabase
{

    /** @var object $_db Instance of the PDO base class */
    private static $_db;

    /** Instantiation not permitted. */
    final private function __construct()
    {
    }

    /** No cloning permitted */
    final private function __clone()
    {
    }
    
    /** No serialisation */
    final private function __wakeup()
    {
    }

    /**
     * Enclose table and column identifiers in backticks to escape them.
     * 
     * This method must only be used on TABLE and COLUMN names. Column values must be escaped 
     * through the use of bound parameters.
     * 
     * @param string $identifier Table or column name.
     * @return string Identifier encapsulated in backticks.
     */
    public static function addBackticks(string $identifier)
    {
        return '`' . $identifier . '`';
    }

    /**
     * Close the connection to the database.
     * 
     * @return bool True on success false on failure.
     */
    public static function close()
    {
        return self::_close();
    }

    /** @internal */
    private static function _close()
    {
        self::$_db = null;
        return true;
    }

    /**
     * Establish a connection to the database.
     * 
     * Connection is deliberately non-persistent (persistence can break things if scripts terminate
     * unexpectedly).
     * 
     * @return bool True on success, false on failure.
     */
    public static function connect()
    {
        return self::_connect();
    }

    /** @internal */
    private static function _connect()
    {
        // SQLite just expects a file name, which was defined as a constant during create()
        self::$_db = new PDO('sqlite:' . TFISH_DATABASE);
        
        if (self::$_db) {
            // Set PDO to throw exceptions every time it encounters an error.
            // On production sites it may be best to change the second argument to 
            // PDO::ERRMODE_SILENT OR PDO::ERRMODE_WARNING
            self::$_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            return true;
        } else {
            return false;
        }
    }

    /**
     * Create an SQLite database with random prefix and creates a language constant for it.
     * 
     * Database name must be alphanumeric and underscore characters only. The database will
     * automatically be appended with the suffix .db
     * 
     * @param string $db_name Database name.
     * @return string|bool Path to database file on success, false on failure.
     */
    public static function create(string $db_name)
    {
        // Validate input parameters
        $db_name = TfishFilter::trimString($db_name);
        
        if (TfishFilter::isAlnumUnderscore($db_name)) {
            return self::_create($db_name . '.db');
        } else {
            trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
            exit;
        }
    }

    /** @internal */
    private static function _create(string $db_name)
    {
        // Generate a random prefix for the database filename to make it unpredictable.
        $prefix = mt_rand();

        // Create database file and append a constant with the database path to config.php
        try {
            $db_path = TFISH_DATABASE_PATH . $prefix . '_' . $db_name;
            self::$_db = new PDO('sqlite:' . $db_path);
            $db_constant = PHP_EOL . 'if (!defined("TFISH_DATABASE")) define("TFISH_DATABASE", "'
                    . $db_path . '");';
            $result = TfishFileHandler::appendFile(TFISH_CONFIGURATION_PATH, $db_constant);
            
            if (!$result) {
                trigger_error(TFISH_ERROR_FAILED_TO_APPEND_FILE, E_USER_NOTICE);
                return false;
            }
            
            return $db_path;
        } catch (PDOException $e) {
            TfishLogger::logErrors($e->getCode(), $e->getMessage(), $e->getFile(), $e->getLine());
            return false;
        }
    }

    /**
     * Create a table in the database.
     * 
     * Table names may only be alphanumeric characters. Column names are also alphanumeric but may
     * also contain underscores.
     * 
     * @param string $table Table name (alphanumeric characters only). 
     * @param array $columns Array of column names (keys) and types (values).
     * @param string $primary_key Name of field to be used as primary key.
     * @return bool True on success, false on failure.
     */
    public static function createTable(string $table, array $columns, string $primary_key = null)
    {
        // Initialise
        $clean_primary_key = null;
        $clean_columns = array();

        // Validate input parameters
        $clean_table = self::validateTableName($table);
        
        if (TfishFilter::isArray($columns) && !empty($columns)) {
            $type_whitelist = array("BLOB", "TEXT", "INTEGER", "NULL", "REAL");
            
            foreach ($columns as $key => $value) {
                $key = self::escapeIdentifier($key);
                
                if (!TfishFilter::isAlnumUnderscore($key)) {
                    trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
                    exit;
                }
                
                if (!in_array($value, $type_whitelist)) {
                    trigger_error(TFISH_ERROR_ILLEGAL_VALUE, E_USER_ERROR);
                    exit;
                }
                
                $clean_columns[$key] = $value;
                unset($key, $value);
            }
        } else {
            trigger_error(TFISH_ERROR_NOT_ARRAY_OR_EMPTY, E_USER_ERROR);
            exit;
        }
        
        if (isset($primary_key)) {
            $primary_key = self::escapeIdentifier($primary_key);
            
            if (array_key_exists($primary_key, $clean_columns)) {
                $clean_primary_key = TfishFilter::isAlnumUnderscore($primary_key)
                        ? $primary_key : null;
            }
            
            if (!isset($clean_primary_key)) {
                trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
                exit;
            }
        }

        // Proceed with the query
        if ($clean_primary_key) {
            return self::_createTable($clean_table, $clean_columns, $clean_primary_key);
        } else {
            return self::_createTable($clean_table, $clean_columns);
        }
    }

    /** @internal */
    private static function _createTable(string $table_name, array $columns,
            string $primary_key = null)
    {
        if (mb_strlen($table_name, 'UTF-8') > 0 && is_array($columns)) {
            $sql = "CREATE TABLE IF NOT EXISTS `" . $table_name . "` (";
            
            foreach ($columns as $key => $value) {
                $sql .= "`" . $key . "` " . $value . "";
                if (isset($primary_key) && $primary_key === $key) {
                    $sql .= " PRIMARY KEY";
                }
                $sql .= ", ";
            }
            
            $sql = trim($sql, ', ');
            $sql .= ")";
            $statement = self::preparedStatement($sql);
            $statement->execute();
            
            if ($statement) {
                return true;
            } else {
                trigger_error(TFISH_ERROR_NO_STATEMENT, E_USER_ERROR);
            }
        }
    }

    /**
     * Delete single row from table based on its ID.
     * 
     * @param string $table Name of table.
     * @param int $id ID of row to be deleted.
     * @return bool True on success false on failure.
     */
    public static function delete(string $table, int $id)
    {
        $clean_table = self::validateTableName($table);
        $clean_id = self::validateId($id);
        
        return self::_delete($clean_table, $clean_id);
    }

    /** @internal */
    private static function _delete(string $table, int $id)
    {
        $sql = "DELETE FROM " . self::addBackticks($table) . " WHERE `id` = :id";
        $statement = self::preparedStatement($sql);
        
        if ($statement) {
            $statement->bindValue(':id', $id, PDO::PARAM_INT);
        } else {
            return false;
        }
        
        return self::executeTransaction($statement);
    }

    /**
     * Delete multiple rows from a table according to criteria.
     * 
     * For safety reasons criteria are required; the function will not unconditionally empty table.
     * Note that SQLite does not support DELETE with INNER JOIN or table alias. Therefore, you
     * cannot use tags as a criteria in deleteAll() (they will simply be ignored). It may be
     * possible to get around this restriction with a loop or subquery.
     * 
     * @param string $table Name of table.
     * @param object $criteria TfishCriteria object used to build conditional database query.
     * @return bool True on success, false on failure.
     */
    public static function deleteAll(string $table, TfishCriteria $criteria)
    {
        $clean_table = self::validateTableName($table);
        $clean_criteria = self::validateCriteriaObject($criteria);
        
        return self::_deleteAll($clean_table, $clean_criteria);
    }

    /** @internal */
    private static function _deleteAll(string $table, TfishCriteria $criteria)
    {
        // Set table.
        $sql = "DELETE FROM " . self::addBackticks($table) . " ";

        // Set WHERE criteria.
        if ($criteria) {

            if (!empty($criteria->item)) {
                $sql .= "WHERE ";
            }

            if (TfishFilter::isArray($criteria->item)) {
                $pdo_placeholders = array();
                $sql .= $criteria->renderSQL();
                $pdo_placeholders = $criteria->renderPDO();
            } else {
                trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
            }

            // Set the order (sort) column and order (default is ascending).
            if ($criteria->order) {
                $sql .= "ORDER BY `t1`." 
                        . self::addBackticks(self::escapeIdentifier($criteria->order)) . " ";
                $sql .= $criteria->ordertype === "DESC" ? "DESC" : "ASC";
                if ($criteria->order != 'submission_time') {
                    $sql .= ", `t1`.`submission_time` ";
                    $sql .= $criteria->ordertype === "DESC" ? "DESC" : "ASC";
                }
            }

            // Set the LIMIT and OFFSET.
            if ($criteria->offset && $criteria->limit) {
                $sql .= " LIMIT :limit OFFSET :offset";
            } elseif ($criteria->limit) {
                $sql .= " LIMIT :limit";
            }
        }

        // Prepare the statement and bind the values.
        $statement = self::preparedStatement($sql);
        
        if ($criteria) {
            if (!empty($pdo_placeholders)) {
                
                foreach ($pdo_placeholders as $placeholder => $value) {
                    $statement->bindValue($placeholder, $value, self::setType($value));
                    unset($placeholder);
                }
            }
            
            if ($criteria->limit && $criteria->offset) {
                $statement->bindValue(':limit', $criteria->limit, PDO::PARAM_INT);
                $statement->bindValue(':offset', $criteria->offset, PDO::PARAM_INT);
            } elseif ($criteria->limit) {
                $statement->bindValue(':limit', $criteria->limit, PDO::PARAM_INT);
            }
        }
        
        return self::executeTransaction($statement);
    }

    /**
     * Escape delimiters for identifiers (table and column names).
     * 
     * SQLite supports three styles of identifier delimitation:
     * 
     * 1. Standard SQL double quotes: "
     * 2. MySQL style grave accents: `
     * 3. MS SQL style square brackets: []
     * 
     * Escaping of delimiters where they are used as part of a table or column name is done by
     * doubling them, eg ` becomes ``. In order to safely escape table and column names ALL
     * three delimiter types must be escaped.
     * 
     * Tuskfish policy is that table names can only contain alphanumeric characters (and column
     * names can only contain alphanumeric plus underscore characters) so delimiters should never
     * get into a query as part of an identifier. But just because we are paranoid they are
     * escaped here anyway.
     * 
     * @param string $identifier Name of table or column.
     * @return string Escaped table or column name.
     */
    public static function escapeIdentifier(string $identifier)
    {
        $clean_identifier = '';
        $identifier = TfishFilter::trimString($identifier);
        $identifier = str_replace('"', '""', $identifier);
        $identifier = str_replace('`', '``', $identifier);
        $identifier = str_replace('[', '[[', $identifier);
        $clean_identifier = str_replace(']', ']]', $identifier);
        
        return $clean_identifier;
    }

    /**
     * Execute a prepared statement within a transaction.
     * 
     * The $statement parameter should be a prepared statement obtained via preparedStatement($sql).
     * Note that statement execution is within a transaction and rollback will occur if it fails.
     * This method should be used with database write operations (INSERT, UPDATE, DELETE).
     * 
     * @param object $statement Prepared statement.
     * @return bool True on success, false on failure.
     */
    public static function executeTransaction(PDOStatement $statement)
    {
        try {
            self::$_db->beginTransaction();
            $statement->execute();
            self::$_db->commit();
        } catch (PDOException $e) {
            self::$_db->rollBack();
            TfishLogger::logErrors($e->getCode(), $e->getMessage(), $e->getFile(), $e->getLine());
            return false;
        }
        
        return true;
    }

    /**
     * Insert a single row into the database within a transaction.
     * 
     * @param string $table Name of table.
     * @param array $key_values Column names and values to be inserted.
     * @return bool True on success, false on failure.
     */
    public static function insert(string $table, array $key_values)
    {
        $clean_table = self::validateTableName($table);
        $clean_keys = self::validateKeys($key_values);
        
        return self::_insert($clean_table, $clean_keys);
    }

    /** @internal */
    private static function _insert(string $table, array $key_values)
    {
        $pdo_placeholders = '';
        $sql = "INSERT INTO " . self::addBackticks($table) . " (";

        // Prepare statement
        foreach ($key_values as $key => $value) {
            $pdo_placeholders .= ":" . $key . ", ";
            $sql .= self::addBackticks($key) . ", ";
            unset($key, $value);
        }
        
        $pdo_placeholders = trim($pdo_placeholders, ', ');
        $sql = trim($sql, ', ');
        $sql .= ") VALUES (" . $pdo_placeholders . ")";

        // Prepare the statement and bind the values.
        $statement = self::$_db->prepare($sql);
        
        foreach ($key_values as $key => $value) {
            $statement->bindValue(":" . $key, $value, self::setType($value));
            unset($key, $value);
        }
        
        return self::executeTransaction($statement);
    }

    /**
     * Retrieves the ID of the last row inserted into the database.
     * 
     * Used primarily to grab the ID of newly created content objects so that their accompanying
     * taglinks can be correctly associated to them.
     * 
     * @return int|bool Row ID on success, false on failure.
     */
    public static function lastInsertId()
    {
        if (self::$_db->lastInsertId()) {
            return (int) self::$_db->lastInsertId();
        } else {
            return false;
        }
    }

    /**
     * Return a PDO statement object.
     * 
     * Statement object can be used to bind values or parameters and execute queries, thereby
     * mitigating direct SQL injection attacks.
     * 
     * @param string $sql SQL statement.
     * @return object PDOStatement object on success PDOException object on failure.
     */
    public static function preparedStatement(string $sql)
    {
        return self::_preparedStatement($sql);
    }

    /** @internal */
    private static function _preparedStatement(string $sql)
    {
        return self::$_db->prepare($sql);
    }

    /**
     * Prepare and execute a select query.
     * 
     * Returns a PDO statement object, from which results can be extracted with standard PDO calls.
     * 
     * @param string $table Name of table.
     * @param object $criteria TfishCriteria object used to build conditional database query.
     * @param array $columns Names of database columns to be selected.
     * @return object PDOStatement object on success PDOException on failure.
     */
    public static function select(string $table, TfishCriteria $criteria = null, array $columns = null)
    {
        $clean_table = self::validateTableName($table);
        $clean_criteria = isset($criteria) ? self::validateCriteriaObject($criteria) : null;
        $clean_columns = isset($columns) ? self::validateColumns($columns) : array();
        
        return self::_select($clean_table, $clean_criteria, $clean_columns);
    }

    /** @internal */
    private static function _select(string $table, TfishCriteria $criteria = null, array $columns)
    {
        // Specify operation.
        $sql = "SELECT ";

        // Select columns.
        if ($columns) {
            foreach ($columns as $column) {
                $sql .= '`t1`.' . self::addBackticks($column) . ", ";
            }
            
            $sql = rtrim($sql, ", ") . " ";
        } else {
            $sql .= "`t1`.* ";
        }

        // Set table.
        $sql .= "FROM " . self::addBackticks($table) . " AS `t1` ";

        // Check if a tag filter has been applied (JOIN is required).
        if (isset($criteria) && !empty($criteria->tag)) {
            $sql .= self::_renderTagJoin($table);
        }

        // Set WHERE criteria.
        if (isset($criteria)) {
            if (!empty($criteria->item) || !empty($criteria->tag)) {
                $sql .= "WHERE ";
            }

            if (TfishFilter::isArray($criteria->item)) {
                $pdo_placeholders = array();
                $sql .= $criteria->renderSQL();
                $pdo_placeholders = $criteria->renderPDO();
            } else {
                trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
            }

            if (!empty($criteria->item) && !empty($criteria->tag)) {
                $sql .= "AND ";
            }

            // Set tag(s).
            if (!empty($criteria->tag)) {
                $sql .= $criteria->renderTagSQL();
                $tag_placeholders = $criteria->renderTagPDO();
            }

            // Set GROUP BY.
            if ($criteria->groupby) {
                $sql .= " GROUP BY `t1`."
                        . self::addBackticks(self::escapeIdentifier($criteria->groupby));
            }

            // Set the order (sort) column and order (default is ascending).
            if ($criteria->order) {
                $sql .= " ORDER BY `t1`."
                        . self::addBackticks(self::escapeIdentifier($criteria->order)) . " ";
                $sql .= $criteria->ordertype === "DESC" ? "DESC" : "ASC";
                
                if ($criteria->order != 'submission_time') {
                    $sql .= ", `t1`.`submission_time` ";
                    $sql .= $criteria->ordertype === "DESC" ? "DESC" : "ASC";
                }
            }

            // Set the LIMIT and OFFSET.
            if ($criteria->offset && $criteria->limit) {
                $sql .= " LIMIT :limit OFFSET :offset";
            } elseif ($criteria->limit) {
                $sql .= " LIMIT :limit";
            }
        }

        // Prepare the statement and bind the values.
        $statement = self::preparedStatement($sql);
        
        if (isset($criteria) && $statement) {
            if (!empty($pdo_placeholders)) {
                foreach ($pdo_placeholders as $placeholder => $value) {
                    $statement->bindValue($placeholder, $value, self::setType($value));
                    unset($placeholder);
                }
            }

            if (isset($tag_placeholders) && !empty($tag_placeholders)) {
                foreach ($tag_placeholders as $tag_placeholder => $value) {
                    $statement->bindValue($tag_placeholder, $value, PDO::PARAM_INT);
                    unset($placeholder);
                }
            }

            if ($criteria->limit && $criteria->offset) {
                $statement->bindValue(':limit', $criteria->limit, PDO::PARAM_INT);
                $statement->bindValue(':offset', $criteria->offset, PDO::PARAM_INT);
            } elseif ($criteria->limit) {
                $statement->bindValue(':limit', $criteria->limit, PDO::PARAM_INT);
            }
        }

        // Execute the statement.
        $statement->execute();

        // Return the statement object, results can be extracted as required with standard PDO calls.
        return $statement;
    }

    /**
     * Count the number of rows matching a set of conditions.
     * 
     * @param string $table Name of table.
     * @param object $criteria TfishCriteria object used to build conditional database query.
     * @param string $column Name of column.
     * @return int|object Row count on success, PDOException object on failure.
     */
    public static function selectCount(string $table, TfishCriteria $criteria = null, string $column = '')
    {
        $clean_table = self::validateTableName($table);
        $clean_criteria = isset($criteria) ? self::validateCriteriaObject($criteria) : null;
        
        if ($column) {
            $column = self::escapeIdentifier($column);
            
            if (TfishFilter::isAlnumUnderscore($column)) {
                $clean_column = $column;
            } else {
                trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
                exit;
            }
        } else {
            $clean_column = "*";
        }
        
        return self::_selectCount($clean_table, $clean_criteria, $clean_column);
    }

    /** @internal */
    private static function _selectCount(string $table, TfishCriteria $criteria, string $column)
    {
        // Specify operation and column
        $sql = "SELECT COUNT(";
        $sql .= $column = "*" ? $column : self::addBackticks($column);
        $sql .= ") ";

        // Set table.
        $sql .= "FROM " . self::addBackticks($table) . " AS `t1` ";

        // Check if a tag filter has been applied (JOIN is required).
        if (isset($criteria) && !empty($criteria->tag)) {
            $sql .= self::_renderTagJoin($table);
        }

        // Set WHERE criteria.
        if (isset($criteria)) {

            if (!empty($criteria->item) || !empty($criteria->tag)) {
                $sql .= "WHERE ";
            }

            if (TfishFilter::isArray($criteria->item)) {
                $pdo_placeholders = array();
                $sql .= $criteria->renderSQL();
                $pdo_placeholders = $criteria->renderPDO();
            } else {
                trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
                exit;
            }

            if (!empty($criteria->item) && !empty($criteria->tag)) {
                $sql .= "AND ";
            }

            // Set tag(s).
            if (!empty($criteria->tag)) {
                $sql .= $criteria->renderTagSQL();
                $tag_placeholders = $criteria->renderTagPDO();
            }
        }

        // Prepare the statement and bind the values.
        $statement = self::preparedStatement($sql);
        if (isset($criteria) && $statement) {
            if (!empty($pdo_placeholders)) {
                foreach ($pdo_placeholders as $placeholder => $value) {
                    $statement->bindValue($placeholder, $value, self::setType($value));
                    unset($placeholder);
                }
            }
        }
        
        if (isset($tag_placeholders) && !empty($tag_placeholders)) {
            foreach ($tag_placeholders as $tag_placeholder => $value) {
                $statement->bindValue($tag_placeholder, $value, PDO::PARAM_INT);
                unset($placeholder);
            }
        }

        // Execute the statement.
        $statement->execute();

        // Return the row count (integer) by retrieving the row.
        $count = $statement->fetch(PDO::FETCH_NUM);

        return (int) reset($count);
    }

    /**
     * Select results from the database but remove duplicate rows.
     * 
     * Use the $columns array to specify which fields you want to filter the results by.
     * 
     * @param string $table Name of table.
     * @param object $criteria TfishCriteria object used to build conditional database query.
     * @param array $columns Name of columns to filter results by.
     * @return object PDOStatement on success, PDOException on failure.
     */
    public static function selectDistinct(string $table, TfishCriteria $criteria = null, array $columns)
    {
        // Validate the tablename (alphanumeric characters only).
        $clean_table = self::validateTableName($table);
        $clean_criteria = isset($criteria) ? self::validateCriteriaObject($criteria) : null;
        $clean_columns = !empty($columns) ? self::validateColumns($columns) : array();
        
        return self::_selectDistinct($clean_table, $clean_criteria, $clean_columns);
    }

    /** @internal */
    private static function _selectDistinct(string $table, TfishCriteria $criteria, array $columns)
    {
        // Specify operation
        $sql = "SELECT DISTINCT ";

        // Select columns.
        foreach ($columns as $column) {
            $sql .= '`t1`.' . self::addBackticks($column) . ", ";
        }
        
        $sql = rtrim($sql, ", ") . " ";

        // Set table.
        $sql .= "FROM " . self::addBackticks($table) . " AS `t1` ";

        // Set parameters.
        if (isset($criteria)) {

            if (!empty($criteria->item) || !empty($criteria->tag)) {
                $sql .= "WHERE ";
            }

            if (TfishFilter::isArray($criteria->item)) {
                $pdo_placeholders = array();
                $sql .= $criteria->renderSQL();
                $pdo_placeholders = $criteria->renderPDO();
            } else {
                trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
                exit;
            }

            if (!empty($criteria->item) && !empty($criteria->tag)) {
                $sql .= "AND ";
            }

            // Set tag(s).
            if (!empty($criteria->tag)) {
                $sql .= $criteria->renderTagSQL();
                $tag_placeholders = $criteria->renderTagPDO();
            }

            // Set GROUP BY.
            if ($criteria->groupby) {
                $sql .= " GROUP BY `t1`."
                        . self::addBackticks(self::escapeIdentifier($criteria->groupby));
            }

            // Set the order (sort) column and type (default is ascending)
            if ($criteria->order) {
                $sql .= " ORDER BY `t1`."
                        . self::addBackticks(self::escapeIdentifier($criteria->order)) . " ";
                $sql .= $criteria->ordertype === "DESC" ? "DESC" : "ASC";
                
                if ($criteria->order != 'submission_time') {
                    $sql .= ", `t1`.`submission_time` ";
                    $sql .= $criteria->ordertype === "DESC" ? "DESC" : "ASC";
                }
            }

            // Set the LIMIT and OFFSET.
            if ($criteria->offset && $criteria->limit) {
                $sql .= " LIMIT :limit OFFSET :offset";
            } elseif ($criteria->limit) {
                $sql .= " LIMIT :limit";
            }
        }

        // Prepare the statement and bind the values.
        $statement = self::preparedStatement($sql);
        if (isset($criteria) && $statement) {
            if (!empty($pdo_placeholders)) {
                foreach ($pdo_placeholders as $placeholder => $value) {
                    $statement->bindValue($placeholder, $value, self::setType($value));
                    unset($placeholder);
                }
            }
            
            if ($criteria->limit && $criteria->offset) {
                $statement->bindValue(':limit', $criteria->limit, PDO::PARAM_INT);
                $statement->bindValue(':offset', $criteria->offset, PDO::PARAM_INT);
            } elseif ($criteria->limit) {
                $statement->bindValue(':limit', $criteria->limit, PDO::PARAM_INT);
            }
        }
        
        if (isset($tag_placeholders) && !empty($tag_placeholders)) {
            foreach ($tag_placeholders as $tag_placeholder => $value) {
                $statement->bindValue($tag_placeholder, $value, PDO::PARAM_INT);
                unset($placeholder);
            }
        }
        $statement->execute();

        return $statement;
    }

    /**
     * Toggle the online status of a column between 0 and 1, use for columns representing booleans.
     * 
     * Note that the $id MUST represent a column called ID for whatever table you want to run it on.
     * 
     * @param int $id ID of the row to update.
     * @param string $table Name of table.
     * @param string $column Name of column to update.
     * @return bool True on success, false on failure.
     */
    public static function toggleBoolean(int $id, string $table, string $column)
    {
        $clean_id = self::validateId($id);
        $clean_table = self::validateTableName($table);
        $clean_column = self::validateColumns(array($column));
        $clean_column = reset($clean_column);
        
        return self::_toggleBoolean($clean_id, $clean_table, $clean_column);
    }

    /** @internal */
    private static function _toggleBoolean(int $id, string $table, string $column)
    {
        $sql = "UPDATE " . self::addBackticks($table) . " SET " . self::addBackticks($column)
                . " = CASE WHEN " . self::addBackticks($column)
                . " = 1 THEN 0 ELSE 1 END WHERE `id` = :id";

        // Prepare the statement and bind the ID value.
        $statement = TfishDatabase::preparedStatement($sql);
        
        if ($statement) {
            $statement->bindValue(":id", $id, PDO::PARAM_INT);
        }

        return self::executeTransaction($statement);
    }

    /**
     * Increment a content object counter field by one.
     * 
     * Call this method when the full description of an individual content object is viewed, or
     * when a related media file is downloaded.
     * 
     * @param int $id ID of content object.
     * @param string $table Name of table.
     * @param string $column Name of column.
     * @return bool True on success false on failure.
     */
    public static function updateCounter(int $id, string $table, string $column)
    {
        $clean_id = self::validateId($id);
        $clean_table = self::validateTableName($table);
        $clean_column = self::validateColumns(array($column));
        $clean_column = reset($clean_column);
        
        return self::_updateCounter($clean_id, $clean_table, $clean_column);
    }

    /** @internal */
    private static function _updateCounter(int $id, string $table, string $column)
    {
        $sql = "UPDATE " . self::addBackticks($table) . " SET " . self::addBackticks($column)
                . " = " . self::addBackticks($column) . " + 1 WHERE `id` = :id";

        // Prepare the statement and bind the ID value.
        $statement = TfishDatabase::preparedStatement($sql);
        
        if ($statement) {
            $statement->bindValue(":id", $id, PDO::PARAM_INT);
        }

        return self::executeTransaction($statement);
    }

    /**
     * Update a single row in the database.
     * 
     * @param string $table Name of table.
     * @param int $id ID of row to update.
     * @param array $key_values Array of column names and values to update.
     * @return bool True on success, false on failure.
     */
    public static function update(string $table, int $id, array $key_values)
    {
        $clean_table = self::validateTableName($table);
        $clean_id = self::validateId($id);
        $clean_keys = self::validateKeys($key_values);
        
        return self::_update($clean_table, $clean_id, $clean_keys);
    }

    /** @internal */
    private static function _update(string $table, int $id, array $key_values)
    {
        // Prepare the statement
        $sql = "UPDATE " . self::addBackticks($table) . " SET ";
        
        foreach ($key_values as $key => $value) {
            $sql .= self::addBackticks($key) . " = :" . $key . ", ";
        }
        
        $sql = trim($sql, ", ");
        $sql .= " WHERE `id` = :id";

        // Prepare the statement and bind the values.
        $statement = self::preparedStatement($sql);
        
        if ($statement) {
            $statement->bindValue(":id", $id, PDO::PARAM_INT);
            
            foreach ($key_values as $key => $value) {
                $type = gettype($value);
                $statement->bindValue(":" . $key, $value, self::setType($type));
                unset($type);
            }
        } else {
            return false;
        }
        
        return self::executeTransaction($statement);
    }

    /**
     * Update multiple rows in a table according to criteria.
     * 
     * Note that SQLite does not support INNER JOIN or table aliases in UPDATE; therefore it is
     * not possible to use tags as a criteria in updateAll() at present. It may be possible to get
     * around this limitation with a subquery. But given that the use case would be unusual /
     * marginal it is probably just easier to work around it.
     * 
     * @param string $table Name of table.
     * @param array $key_values Array of column names and values to update.
     * @param object $criteria TfishCriteria object used to build conditional database query.
     */
    public static function updateAll(string $table, array $key_values, TfishCriteria $criteria = null)
    {
        $clean_table = self::validateTableName($table);
        $clean_keys = self::validateKeys($key_values);
        
        if (isset($criteria)) {
            $clean_criteria = self::validateCriteriaObject($criteria);
        } else {
            $clean_criteria = null;
        }
        
        return self::_updateAll($clean_table, $clean_keys, $clean_criteria);
    }

    /** @internal */
    private static function _updateAll(string $table, array $key_values, TfishCriteria $criteria)
    {
        // Set table.
        $sql = "UPDATE " . self::addBackticks($table) . " SET ";

        // Set key values.
        foreach ($key_values as $key => $value) {
            $sql .= self::addBackticks($key) . " = :" . $key . ", ";
        }
        
        $sql = rtrim($sql, ", ") . " ";

        // Set WHERE criteria.
        if (isset($criteria)) {

            if (!empty($criteria->item)) {
                $sql .= "WHERE ";
            }

            if (TfishFilter::isArray($criteria->item)) {
                $pdo_placeholders = array();
                $sql .= $criteria->renderSQL();
                $pdo_placeholders = $criteria->renderPDO();
            } else {
                trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
                exit;
            }
        }

        // Prepare the statement and bind the values.
        $statement = self::preparedStatement($sql);
        
        foreach ($key_values as $key => $value) {
            $statement->bindValue(':' . $key, $value, self::setType($value));
            unset($key, $value);
        }
        
        if (isset($criteria)) {
            if (!empty($pdo_placeholders)) {
                foreach ($pdo_placeholders as $placeholder => $value) {
                    $statement->bindValue($placeholder, $value, self::setType($value));
                    unset($placeholder);
                }
            }
        }

        return self::executeTransaction($statement);
    }

    /**
     * Helper method to set appropriate PDO predefined constants in bindValue() and bindParam().
     * 
     * Do not use this method for arrays, objects or resources. Note that if you pass in an
     * unexpected data type (ie. one that clashes with a column type definition) PDO will throw
     * an error.
     * 
     * @param mixed $data Input data to be type set.
     * @return int PDO data type constant.
     */
    public static function setType($data)
    {
        $type = gettype($data);
        
        switch ($type) {
            case "boolean":
                return PDO::PARAM_BOOL;
                break;

            case "integer":
                return PDO::PARAM_INT;
                break;

            case "NULL":
                return PDO::PARAM_NULL;
                break;

            case "string":
            case "double":
                return PDO::PARAM_STR;
                break;

            default: // array, object, resource, "unknown type"
                trigger_error(TFISH_ERROR_ILLEGAL_TYPE, E_USER_ERROR);
                exit;
        }
    }

    /**
     * Renders a JOIN component of an SQL query for tagged content.
     * 
     * If the $criteria for a query include tag(s), the object table must have a JOIN to the
     * taglinks table in order to sort the content.
     * 
     * @internal
     * @param string $table Name of table.
     * @return string $sql SQL query fragment.
     */
    private static function _renderTagJoin(string $table)
    {
        $sql = "INNER JOIN `taglink` ON `t1`.`id` = `taglink`.`content_id` ";

        return $sql;
    }

    /**
     * Validates the properties of a TfishCriteria object to be used in constructing a query.
     * 
     * @param object $criteria TfishCriteria object.
     * @return object Validated TfishCriteria object.
     */
    public static function validateCriteriaObject(TfishCriteria $criteria)
    {
        
        if ($criteria->item) {
            if (!TfishFilter::isArray($criteria->item)) {
                trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
                exit;
            }
            
            if (empty($criteria->condition)) {
                trigger_error(TFISH_ERROR_REQUIRED_PROPERTY_NOT_SET, E_USER_ERROR);
                exit;
            }
            
            if (!TfishFilter::isArray($criteria->condition)) {
                trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
                exit;
            }
            
            if (count($criteria->item) != count($criteria->condition)) {
                trigger_error(TFISH_ERROR_COUNT_MISMATCH, E_USER_ERROR);
                exit;
            }
            
            foreach ($criteria->item as $item) {
                if (!is_a($item, 'TfishCriteriaItem')) {
                    trigger_error(TFISH_ERROR_NOT_CRITERIA_ITEM_OBJECT, E_USER_ERROR);
                    exit;
                }
                
                if (!TfishFilter::isAlnumUnderscore($item->column)) {
                    trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
                    exit;
                }
                
                if ($item->operator && !in_array($item->operator, $item->permittedOperators())) {
                    trigger_error(TFISH_ERROR_ILLEGAL_VALUE, E_USER_ERROR);
                    exit;
                }
            }
            
            foreach ($criteria->condition as $condition) {
                if ($condition != "AND" && $condition != "OR") {
                    trigger_error(TFISH_ERROR_ILLEGAL_VALUE, E_USER_ERROR);
                    exit;
                }
            }
        }
        
        if ($criteria->groupby && !TfishFilter::isAlnumUnderscore($criteria->groupby)) {
            trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
            exit;
        }
        
        if ($criteria->limit && !TfishFilter::isInt($criteria->limit, 1)) {
            trigger_error(TFISH_ERROR_NOT_INT, E_USER_ERROR);
            exit;
        }
        
        if ($criteria->offset && !TfishFilter::isInt($criteria->offset, 0)) {
            trigger_error(TFISH_ERROR_NOT_INT, E_USER_ERROR);
            exit;
        }
        
        if ($criteria->order && !TfishFilter::isAlnumUnderscore($criteria->order)) {
            trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
            exit;
        }
        
        if ($criteria->ordertype &&
                ($criteria->ordertype != "ASC" && $criteria->ordertype != "DESC")) {
            trigger_error(TFISH_ERROR_ILLEGAL_VALUE, E_USER_ERROR);
            exit;
        }
        
        return $criteria;
    }

    /**
     * Validate and escape column names to be used in constructing a database query.
     * 
     * @param array $columns Array of unescaped column names.
     * @return array Array of valid, escaped column names
     */
    public static function validateColumns(array $columns)
    {
        $clean_columns = array();
        
        if (TfishFilter::isArray($columns) && !empty($columns)) {
            foreach ($columns as $column) {
                $column = self::escapeIdentifier($column);
                
                if (TfishFilter::isAlnumUnderscore($column)) {
                    $clean_columns[] = $column;
                } else {
                    trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
                    exit;
                }
                
                unset($column);
            }
            
            return $clean_columns;
        } else {
            trigger_error(TFISH_ERROR_NOT_ARRAY, E_USER_ERROR);
            exit;
        }
    }

    /**
     * Validates and sanitises an ID to be used in constructing a database query.
     * 
     * @param int $id Input ID to be tested.
     * @return int $id Validated ID.
     */
    public static function validateId(int $id)
    {
        $clean_id = (int) $id;
        if (TfishFilter::isInt($clean_id, 1)) {
            return $clean_id;
        } else {
            trigger_error(TFISH_ERROR_NOT_INT, E_USER_ERROR);
            exit;
        }
    }

    /**
     * Validate and escapes keys to be used in constructing a database query.
     * 
     * Keys may only consist of alphanumeric and underscore characters. SQLite identifier delimiters
     * are escaped.
     * 
     * @param array $key_values Array of unescaped keys.
     * @return array Array of valid and escaped keys.
     */
    public static function validateKeys(array $key_values)
    {
        $clean_keys = array();
        
        if (TfishFilter::isArray($key_values) && !empty($key_values)) {
            foreach ($key_values as $key => $value) {
                $key = self::escapeIdentifier($key);
                
                if (TfishFilter::isAlnumUnderscore($key)) {
                    $clean_keys[$key] = $value;
                } else {
                    trigger_error(TFISH_ERROR_NOT_ALNUMUNDER, E_USER_ERROR);
                    exit;
                }
                
                unset($key, $value);
            }
            
            return $clean_keys;
        } else {
            trigger_error(TFISH_ERROR_NOT_ARRAY_OR_EMPTY, E_USER_ERROR);
            exit;
        }
    }

    /**
     * Validate and escape a table name to be used in constructing a database query.
     * 
     * @param string $table_name Table name to be checked.
     * @return string Valid and escaped table name.
     */
    public static function validateTableName(string $table_name)
    {
        $table_name = self::escapeIdentifier($table_name);
        
        if (TfishFilter::isAlnum($table_name)) {
            return $table_name;
        } else {
            trigger_error(TFISH_ERROR_NOT_ALNUM, E_USER_ERROR);
            exit;
        }
    }

}
Tuskfish API API documentation generated by ApiGen