修复 PUT/DELETE 等方法读取错误，修复 where() 方法拼接时存在的安全隐患，新增 cli 启动方式

zzfly256 · zzfly256 · commit 65ea22be28b5 · 2019-02-01T23:44:50.000+08:00
diff --git a/App/Controller/apiController.php b/App/Controller/apiController.php
@@ -7,12 +7,8 @@
 
 class apiController extends Controller {
 
-    public function testGet(){
-        $demo = new Demo();
-        $demo->abc = 1;
-        $demo->acb = 1;
-
-        return $this->response($demo);
+    public function testDelete(){
+        return $this->response($this->request->get('name'));
     }
 
     // ORM 查询类方法演示
diff --git a/System/Database.php b/System/Database.php
@@ -86,7 +86,8 @@ public function setModel($modelClass) {
 
     /**
      * SQL 语句预处理并执行
-     * @param string $sqlStatement, array $parameters
+     * @param string $sqlStatement
+     * @param array $parameters
      * @return boolean
      * @uses 用于预处理并执行语句，请注意本方法结合了 pdo 中 prepare 和 execute 两个方法
      */
@@ -194,9 +195,9 @@ public function where($sqlConditionArray = []){
                 // 传入条件，进行 SQL 语句拼接
                 foreach ($sqlConditionArray as $key => $value) {
                     if (isset($whereSQL)) {
-                        $whereSQL .= " AND ".$key.'="'.$value.'"';
+                        $whereSQL .= " AND ".$key.'="'.addslashes($value).'"';
                     } else {
-                        $whereSQL = $key.'="'.$value.'"';
+                        $whereSQL = $key.'="'.addslashes($value).'"';
                     }
                 }
                 $this->where = '('.$whereSQL.')';
@@ -212,9 +213,9 @@ public function where($sqlConditionArray = []){
                 // 传入条件，进行 SQL 语句拼接
                 foreach ($sqlConditionArray as $key => $value) {
                     if (isset($whereSQL)) {
-                        $whereSQL .= " AND ".$key.'="'.$value.'"';
+                        $whereSQL .= " AND ".$key.'="'.addslashes($value).'"';
                     } else {
-                        $whereSQL = $key.'="'.$value.'"';
+                        $whereSQL = $key.'="'.addslashes($value).'"';
                     }
                 }
                 $this->where .= ' AND ('.$whereSQL.')';
@@ -274,9 +275,9 @@ public function orWhere($sqlConditionArray = []){
             // 传入条件，进行 SQL 语句拼接
             foreach ($sqlConditionArray as $key => $value) {
                 if (isset($whereSQL)) {
-                    $whereSQL .= " AND ".$key.'="'.$value.'"';
+                    $whereSQL .= " AND ".$key.'="'.addslashes($value).'"';
                 } else {
-                    $whereSQL = $key.'="'.$value.'"';
+                    $whereSQL = $key.'="'.addslashes($value).'"';
                 }
             }
             $this->where .= ' OR ('.$whereSQL.')';
@@ -306,7 +307,8 @@ public function orWhereRaw($sqlConditionStatement = ''){
 
     /**
      * join 语句
-     * @param string $table, string $method = inner
+     * @param string $table, string
+     * @param$method = inner
      * @return Database
      * @uses 用于根据两个或多个表中的列之间的关系查询数据。其中 method 可选 left, right, full, inner
      */
@@ -340,7 +342,8 @@ public function on($sqlConditionStatement){
 
     /**
      * 根据字段排列结果集
-     * @param string|array $field, string $method
+     * @param string|array $field
+     * @param string $method
      * @return Database
      * @uses 根据字段排列结果集, 其中 $field 可为单个字段字符串或关联数组
      */
@@ -422,9 +425,15 @@ public function delete(){
         return $this->prepare($this->SQLStatement);
     }
 
+    public function count(){
+        $countSQL = str_replace($select, 'COUNT('.$select.')', $this->SQLStatement);
+        return $this->PDOConnect->query($countSQL)->fetch()[0];
+    }
+
     /**
      * Database 分页
-     * @param int $pageNum, boolean $furtherPageInfo
+     * @param int $pageNum
+     * @param boolean $furtherPageInfo
      * @return Collection
      * @uses 数据库 LIMIT 语句调用
      */
diff --git a/System/Http/Request.php b/System/Http/Request.php
@@ -10,8 +10,7 @@
     protected $method;
     protected $url;
     protected $path;
-    protected $postArray;
-    protected $getArray;
+    protected $requestArray;
 
 
     /**
@@ -22,8 +21,12 @@ public function __construct(){
         $this->method = strtolower($_SERVER['REQUEST_METHOD']);
         $this->path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
         $this->url = $_SERVER["REQUEST_URI"];
-        $this->postArray = $_POST;
-        $this->getArray = $_GET;
+        $this->requestArray = $_REQUEST;
+        if(!in_array($this->method,['post','get'])){
+            parse_str(file_get_contents('php://input'), $_OTHER);
+            $this->requestArray = array_merge($this->requestArray,$_OTHER);
+        }
+
     }
 
 
@@ -32,7 +35,7 @@ public function __construct(){
      * @return array
      */
     public function all(){
-        return array_merge($this->postArray, $this->getArray);
+        return $this->requestArray;
     }
 
     /**
@@ -49,12 +52,8 @@ public function get($field){
                 $resultArray[] = $this->get($value);
                 return $resultArray;
             }
-        } else if(array_key_exists($field,$this->postArray)) {
-            // POST 取值
-            return $this->postArray[$field];
-        } elseif(array_key_exists($field,$this->getArray)) {
-            // GET 取值
-            return $this->getArray[$field];
+        } else if(array_key_exists($field,$this->requestArray)) {
+            return $this->requestArray[$field];
         } else {
             // 键值不存在
             return null;
diff --git a/System/Model.php b/System/Model.php
@@ -30,7 +30,7 @@ class Model implements Jsonable
      */
 	public static function find($id){
         $db = new Database(static::$table);
-        if($result = $db->where([ 'id' => $id])->fetch()){
+        if($result = $db->where([ 'id' => intval($id)])->fetch()){
             return new static($result);
         } else {
             return null;
diff --git a/System/Utility/Functions.php b/System/Utility/Functions.php
@@ -8,36 +8,29 @@
 // 调试封装
 if(!function_exists('dump')){
     /**
-     * @param $toDo
+     * @param $param
      * @uses 打印变量
      */
-    function dump($toDo){
+    function dump($param){
         echo "<pre>";
-        if (is_array($toDo)) {
-            print_r($toDo);
-        } elseif (is_object($toDo)) {
-            print_r($toDo);
+        if (is_array($param)) {
+            print_r($param);
+        } elseif (is_object($param)) {
+            print_r($param);
         } else {
-            var_dump($toDo);
+            var_dump($param);
         }
     }
 }
 
 if(!function_exists('dd')){
     /**
-     * @param $toDo
+     * @param $param
      * @uses 打印变量并停止运行
      */
-    function dd($toDo){
+    function dd($param){
         echo "<pre>";
-        if (is_array($toDo)) {
-            print_r($toDo);
-        } elseif (is_object($toDo)) {
-
-            print_r($toDo);
-        } else {
-            var_dump($toDo);
-        }
+        dump($param);
         die();
     }
 }
diff --git a/index.php b/index.php
@@ -1,4 +1,11 @@
 <?php
+if (php_sapi_name() == "cli"){
+    echo "Welcome to PHP QuickORM Framework ..\n";
+    echo "Starting development server at Port: 8000\n";
+    exec("php -S 0.0.0.0:8000");
+    die();
+}
+
 require __DIR__.'/vendor/autoload.php';
 use \System\Http\Route;
 use \System\Http\Request;
