Refactored code

.htaccess

@@ -1,5 +1,5 @@
 RewriteEngine On
-RewriteBase /api/
+#RewriteBase /api/
 
 RewriteCond %{REQUEST_METHOD} GET
 RewriteCond %{REQUEST_FILENAME} !-f

index.php

@@ -1,6 +1,191 @@
 <?php
 include "config.php";
 
-$action = preg_replace('/[^a-z]/','',isset($_GET["action"])?$_GET["action"]:'list');
+function connectDatabase($hostname,$username,$password,$database) {
+	global $config;
+	$mysqli = new mysqli($hostname,$username,$password,$database);
+	if ($mysqli->connect_errno) {
+		die('Connect failed: '.$mysqli->connect_error);
+	}
+	return $mysqli;
+}
+
+function parseGetParameter($name,$characters,$default) {
+	$value = isset($_GET[$name])?$_GET[$name]:$default;
+	return $characters?preg_replace("/[^$characters]/",'',$value):$value;
+}
 
-if (in_array($action,array('list','read','create','update','delete'))) include $action.'.php';
+function applyWhitelist($table,$action,$list) {
+	if ($list===false) return $table;
+	$list = array_filter($list, function($actions){
+		return strpos($actions,$action[0])!==false;
+	});
+	return array_intersect($table, array_keys($list));
+	
+}
+
+function applyBlacklist($table,$action,$list) {
+	if ($list===false) return $table;
+	$list = array_filter($list, function($actions) use ($action) { 
+		return strpos($actions,$action[0])!==false; 
+	});
+	return array_diff($table, array_keys($list));
+}
+
+function applyWhitelistAndBlacklist($table, $action, $whitelist, $blacklist) {
+	$table = applyWhitelist($table, $action, $whitelist);
+	$table = applyBlacklist($table, $action, $blacklist);
+	if (empty($table)) exitWith404();
+	return $table;
+}
+
+function processTableParameter($table,$database,$mysqli) {
+	global $config;
+	$tablelist = explode(',',$table);
+	$tables = array();
+	foreach ($tablelist as $table) {
+		$table = str_replace('*','%',$table);
+		if ($result = $mysqli->query("SELECT `TABLE_NAME` FROM `INFORMATION_SCHEMA`.`TABLES` WHERE `TABLE_NAME` LIKE '$table' AND `TABLE_SCHEMA` = '$database'")) {
+			while ($row = $result->fetch_row()) $tables[] = $row[0];
+			$result->close();
+		}
+	}
+	return $tables;
+}
+
+function findPrimaryKey($table,$database,$mysqli) {
+	global $config;
+	$keys = array();
+	if ($result = $mysqli->query("SELECT `COLUMN_NAME` FROM `INFORMATION_SCHEMA`.`COLUMNS` WHERE `COLUMN_KEY` = 'PRI' AND `TABLE_NAME` = '$table[0]' AND `TABLE_SCHEMA` = '$database'")) {
+		while ($row = $result->fetch_row()) $keys[] = $row[0];
+		$result->close();
+	}
+	return count($keys)?$keys[0]:false;
+}
+
+function exitWith404() {
+	die(header("Content-Type:",true,404));
+} 
+
+function startOutput($callback) {
+	if ($callback) {
+		header("Content-Type: application/javascript");
+		echo $callback.'(';
+	} else {
+		header("Content-Type: application/json");
+	}
+}
+
+function endOutput($callback) {
+	if ($callback) {
+	    echo ');';
+	}
+}
+
+function processKeyParameter($key,$table,$database,$mysqli) {
+	if ($key) {
+		$key = array($key,findPrimaryKey($table,$database,$mysqli));
+		if ($key[1]===false) exitWith404();
+	}
+	return $key;
+}
+
+function processFilterParameter($filter) {
+	if ($filter) {
+		$filter = explode(':',$filter,2);
+		if (count($filter)==2) {
+			$filter[0] = preg_replace('/[^a-zA-Z0-9\-_]/','',$filter[0]);
+			$filter[1] = $mysqli->real_escape_string($filter[1]);
+			$filter[2] = 'LIKE';
+			if ($match=='any'||$match=='start') $filter[1] .= '%';
+			if ($match=='any'||$match=='end') $filter[1] = '%'.$filter[1];
+			if ($match=='exact') $filter[2] = '=';
+			if ($match=='lower') $filter[2] = '<';
+			if ($match=='upto') $filter[2] = '<=';
+			if ($match=='from') $filter[2] = '>=';
+			if ($match=='higher') $filter[2] = '>';
+		} else {
+			$filter = false;
+		}
+	}
+	return $filter;
+}
+
+function processPageParameter($page) {
+	if ($page) {
+		$page = explode(':',$page,2);
+		if (count($page)<2) $page[1]=20;
+		$page[0] = ($page[0]-1)*$page[1];
+	}
+	return $page;
+}
+$action   = parseGetParameter('action', 'a-z', 'list');
+$table    = parseGetParameter('table', 'a-zA-Z0-9\-_*,', '*');
+$key      = parseGetParameter('key', 'a-zA-Z0-9\-,', false); // auto-increment or uuid 
+$callback = parseGetParameter('callback', 'a-zA-Z0-9\-_', false);
+$page     = parseGetParameter('page', '0-9', false);
+$filter   = parseGetParameter('filter', false, 'start');
+$match    = parseGetParameter('match', 'a-z', false);
+
+$mysqli = connectDatabase($config["hostname"], $config["username"], $config["password"], $config["database"]);
+
+$table = processTableParameter($table,$config["database"],$mysqli);
+$key = processKeyParameter($key,$table,$config["database"],$mysqli);
+$filter = processFilterParameter($filter);
+$page = processPageParameter($page);
+
+$table = applyWhitelistAndBlacklist($table,$action,$config['whitelist'],$config['blacklist']);
+
+startOutput($callback);
+switch($action){
+	case 'list': 
+		echo '{';
+		$tables = $table;
+		$first_table = true;
+		foreach ($tables as $table) {
+			if ($first_table) $first_table = false;
+			else echo ',';
+			echo '"'.$table.'":{';
+			if (is_array($page)) {
+				$sql = "SELECT COUNT(*) FROM `$table`";
+				if (is_array($filter)) $sql .= " WHERE `$filter[0]` $filter[2] '$filter[1]'";
+				if ($result = $mysqli->query($sql)) {
+					$pages = $result->fetch_row();
+					$pages = floor($pages[0]/$page[1])+1;
+					echo '"pages":"'.$pages.'",';
+				}
+			}
+			echo '"columns":';
+			$sql = "SELECT * FROM `$table`";
+			if (is_array($filter)) $sql .= " WHERE `$filter[0]` $filter[2] '$filter[1]'";
+			if (is_array($page)) $sql .= " LIMIT $page[1] OFFSET $page[0]";
+			if ($result = $mysqli->query($sql)) {
+				$fields = array();
+				foreach ($result->fetch_fields() as $field) $fields[] = $field->name;
+				echo json_encode($fields);
+				echo ',"records":[';
+				$first_row = true;
+				while ($row = $result->fetch_row()) {
+					if ($first_row) $first_row = false;
+					else echo ',';
+					echo json_encode($row);
+				}
+				$result->close();
+			}
+			echo ']}';
+		}
+		echo '}';
+		break;
+	case 'read': 
+		if ($result = $mysqli->query("SELECT * FROM `$table[0]` WHERE `$key[1]` = '$key[0]'")) {
+			$value = $result->fetch_assoc();
+			echo json_encode($value);
+			$result->close();
+		}
+		break;
+	case 'create': break;
+	case 'update': break;
+	case 'delete': break;
+	default: exitWith404();
+}
+endOutput($callback);

list.php

@@ -1,95 +0,0 @@
-<?php
-$table = str_replace('*','%',preg_replace('/[^a-zA-Z0-9\-_*,]/','',isset($_GET["table"])?$_GET["table"]:'*'));
-$callback = preg_replace('/[^a-zA-Z0-9\-_]/','',isset($_GET["callback"])?$_GET["callback"]:false);
-$page = preg_replace('/[^0-9:]/','',isset($_GET["page"])?$_GET["page"]:false);
-$filter = isset($_GET["filter"])?$_GET["filter"]:false;
-$match = isset($_GET["match"])&&in_array($_GET["match"],array('any','start','end','exact','lower','upto','from','higher'))?$_GET["match"]:'start';
-
-$mysqli = new mysqli($config["hostname"], $config["username"], $config["password"], $config["database"]);
-if ($mysqli->connect_errno) die('Connect failed: '.$mysqli->connect_error);
-
-$tablelist = explode(',',$table);
-$tables = array();
-
-foreach ($tablelist as $table) {
-    if ($result = $mysqli->query("SELECT `TABLE_NAME` FROM `INFORMATION_SCHEMA`.`TABLES` WHERE `TABLE_NAME` LIKE '$table' AND `TABLE_SCHEMA` = '$config[database]'")) {
-        while ($row = $result->fetch_row()) $tables[] = $row[0];
-        $result->close();
-    }
-}
-
-if ($config["list_whitelist"]!==false) $tables = array_intersect($tables, $config["list_whitelist"]);
-if ($config["list_blacklist"]!==false) $tables = array_diff($tables, $config["list_blacklist"]);
-
-if (empty($tables)) {
-    die(header("Content-Type:",true,404));
-} if ($callback) {
-    header("Content-Type: application/javascript");
-    echo $callback.'(';
-} else {
-    header("Content-Type: application/json");
-}
-
-if ($filter) {
-    $filter = explode(':',$filter,2);
-    if (count($filter)==2) {
-        $filter[0] = preg_replace('/[^a-zA-Z0-9\-_]/','',$filter[0]);
-        $filter[1] = $mysqli->real_escape_string($filter[1]);
-        $filter[2] = 'LIKE';
-        if ($match=='any'||$match=='start') $filter[1] .= '%';
-        if ($match=='any'||$match=='end') $filter[1] = '%'.$filter[1];
-        if ($match=='exact') $filter[2] = '=';
-        if ($match=='lower') $filter[2] = '<';
-        if ($match=='upto') $filter[2] = '<=';
-        if ($match=='from') $filter[2] = '>=';
-        if ($match=='higher') $filter[2] = '>';
-    } else {
-        $filter = false;
-    }
-}
-
-if ($page) {
-    $page = explode(':',$page,2);
-    if (count($page)<2) $page[1]=20;
-    $page[0] = ($page[0]-1)*$page[1];
-}
-
-echo '{';
-$first_table = true;
-foreach ($tables as $table) {
-    if ($first_table) $first_table = false;
-    else echo ',';
-    echo '"'.$table.'":{';
-    if (is_array($page)) {
-        $sql = "SELECT COUNT(*) FROM `$table`";
-        if (is_array($filter)) $sql .= " WHERE `$filter[0]` $filter[2] '$filter[1]'";
-        if ($result = $mysqli->query($sql)) {
-            $pages = $result->fetch_row();
-            $pages = floor($pages[0]/$page[1])+1;
-            echo '"pages":"'.$pages.'",';
-        }
-    }
-    echo '"columns":';
-    $sql = "SELECT * FROM `$table`";
-    if (is_array($filter)) $sql .= " WHERE `$filter[0]` $filter[2] '$filter[1]'";
-    if (is_array($page)) $sql .= " LIMIT $page[1] OFFSET $page[0]";
-    if ($result = $mysqli->query($sql)) {
-        $fields = array();
-        foreach ($result->fetch_fields() as $field) $fields[] = $field->name;
-        echo json_encode($fields);
-        echo ',"records":[';
-        $first_row = true;
-        while ($row = $result->fetch_row()) {
-            if ($first_row) $first_row = false;
-            else echo ',';
-            echo json_encode($row);
-        }
-        $result->close();
-    }
-    echo ']}';
-}
-echo '}';
-
-if ($callback) {
-    echo ');';
-}

read.php

@@ -1,44 +0,0 @@
-<?php
-$key = preg_replace('/[^a-zA-Z0-9\-_]/','',isset($_GET["key"])?$_GET["key"]:false);
-$table = preg_replace('/[^a-zA-Z0-9\-_]/','',isset($_GET["table"])?$_GET["table"]:false);
-$callback = preg_replace('/[^a-zA-Z0-9\-_]/','',isset($_GET["callback"])?$_GET["callback"]:false);
-
-$mysqli = new mysqli($config["hostname"], $config["username"], $config["password"], $config["database"]);
-if ($mysqli->connect_errno) die('Connect failed: '.$mysqli->connect_error);
-
-$tables = array();
-
-if ($result = $mysqli->query("SELECT `TABLE_NAME` FROM `INFORMATION_SCHEMA`.`TABLES` WHERE `TABLE_NAME` = '$table' AND `TABLE_SCHEMA` = '$config[database]'")) {
-    while ($row = $result->fetch_row()) $tables[] = $row[0];
-    $result->close();
-}
-
-$keys = array();
-
-if ($result = $mysqli->query("SELECT `COLUMN_NAME` FROM `INFORMATION_SCHEMA`.`COLUMNS` WHERE `COLUMN_KEY` = 'PRI' AND `TABLE_NAME` = '$table' AND `TABLE_SCHEMA` = '$config[database]'")) {
-	while ($row = $result->fetch_row()) $keys[] = $row[0];
-	$result->close();
-}
-
-if ($config["read_whitelist"]!==false) $tables = array_intersect($tables, $config["read_whitelist"]);
-if ($config["read_blacklist"]!==false) $tables = array_diff($tables, $config["read_blacklist"]);
-
-if (empty($tables) || empty($keys)) {
-    die(header("Content-Type:",true,404));
-} if ($callback) {
-    header("Content-Type: application/javascript");
-    echo $callback.'(';
-} else {
-    header("Content-Type: application/json");
-}
-
-if ($result = $mysqli->query("SELECT * FROM `$tables[0]` WHERE `$keys[0]` = '$key'")) {
-	$value = $result->fetch_assoc();
-    if ($value) echo json_encode($value);
-    else die(header("Content-Type:",true,404));
-    $result->close();
-}
-
-if ($callback) {
-    echo ');';
-}