Fixed issue #9644: Unable to preview survey when using database sessi…

…ons - link bug 09592 Dev: Overwrite quoteValue in DbConnection Dev: Implement DbHttpSession class: Call toQuoteValue with PDO::PARAM_LOB to get directly a bytea value Dev: Edit config sample and installer Dev: Edit kcfinder to check for application.core.web.DbHttpSession
LimeSurvey · Jan 19, 2016 · 3d05380 · 3d05380
1 parent 0a50260
commit 3d05380
Show file tree

Hide file tree

Showing 9 changed files with 74 additions and 6 deletions.
diff --git a/application/config/config-sample-dblib.php b/application/config/config-sample-dblib.php
@@ -35,7 +35,7 @@
 
         // Uncomment the following line if you need table-based sessions
         // 'session' => array (
-            // 'class' => 'system.web.CDbHttpSession',
+            // 'class' => 'application.core.web.DbHttpSession',
             // 'connectionID' => 'db',
             // 'sessionTableName' => '{{sessions}}',
         // ),

diff --git a/application/config/config-sample-mysql.php b/application/config/config-sample-mysql.php
@@ -36,7 +36,7 @@
 // Make sure MySQL max_allowed_packet setting is large enough, some surveys generate over 2 MB of session data.
 /*
         'session' => array (
-            'class' => 'system.web.CDbHttpSession',
+            'class' => 'application.core.web.DbHttpSession',
             'connectionID' => 'db',
             'sessionTableName' => '{{sessions}}',
         ),

diff --git a/application/config/config-sample-pgsql.php b/application/config/config-sample-pgsql.php
@@ -35,7 +35,7 @@
 
         // Uncomment the following line if you need table-based sessions
         // 'session' => array (
-            // 'class' => 'system.web.CDbHttpSession',
+            // 'class' => 'application.core.web.DbHttpSession',
             // 'connectionID' => 'db',
             // 'sessionTableName' => '{{sessions}}',
         // ),

diff --git a/application/config/config-sample-sqlsrv.php b/application/config/config-sample-sqlsrv.php
@@ -35,7 +35,7 @@
 
         // Uncomment the following line if you need table-based sessions
         // 'session' => array (
-            // 'class' => 'system.web.CDbHttpSession',
+            // 'class' => 'application.core.web.DbHttpSession',
             // 'connectionID' => 'db',
             // 'sessionTableName' => '{{sessions}}',
         // ),

diff --git a/application/controllers/InstallerController.php b/application/controllers/InstallerController.php
@@ -1091,7 +1091,7 @@ function _writeConfigFile()
 
             ."\t\t"   . "// Uncomment the following line if you need table-based sessions". "\n"
             ."\t\t"   . "// 'session' => array ("                      . "\n"
-            ."\t\t\t" . "// 'class' => 'system.web.CDbHttpSession',"   . "\n"
+            ."\t\t\t" . "// 'class' => 'application.core.web.DbHttpSession',"   . "\n"
             ."\t\t\t" . "// 'connectionID' => 'db',"                   . "\n"
             ."\t\t\t" . "// 'sessionTableName' => '{{sessions}}',"     . "\n"
             ."\t\t"   . "// ),"                                        . "\n"

diff --git a/application/core/db/DbConnection.php b/application/core/db/DbConnection.php
@@ -13,5 +13,24 @@ public function __construct($dsn = '', $username = '', $password = '') {
             'pgsql' => 'PgsqlSchema'
         ));
     }
+
+    /**
+     * Quotes a string value for use in a query.
+     * @param string $str string to be quoted
+     * @param integer $quoteParam Parameter for PDO::quote function.
+     * @return string the properly quoted string
+     * @see http://www.php.net/manual/en/function.PDO-quote.php
+     */
+    public function quoteValueExtended($str, $quoteParam)
+    {
+        if(is_int($str) || is_float($str))
+            return $str;
+
+        $this->setActive(true);
+        if(($value=$this->getPdoInstance()->quote($str, $quoteParam))!==false)
+            return $value;
+        else  // the driver doesn't support quote (e.g. oci)
+            return "'" . addcslashes(str_replace("'", "''", $str), "\000\n\r\\\032") . "'";
+    }
 }
 ?>
diff --git a/application/core/web/DbHttpSession.php b/application/core/web/DbHttpSession.php
@@ -0,0 +1,46 @@
+<?php
+
+class DbHttpSession extends \CDbHttpSession
+{
+
+	/**
+	 * Session write handler.
+	 * Do not call this method directly.
+	 * @param string $id session ID
+	 * @param string $data session data
+	 * @return boolean whether session write is successful
+	 */
+	public function writeSession($id,$data)
+	{
+		// exception must be caught in session write handler
+		// http://us.php.net/manual/en/function.session-set-save-handler.php
+		try
+		{
+			$expire=time()+$this->getTimeout();
+			$db=$this->getDbConnection();
+			if($db->getDriverName()=='pgsql' )
+				$data=new CDbExpression($db->quoteValueExtended($data, PDO::PARAM_LOB)."::bytea");
+			if($db->getDriverName()=='sqlsrv' || $db->getDriverName()=='mssql' || $db->getDriverName()=='dblib')
+				$data=new CDbExpression('CONVERT(VARBINARY(MAX), '.$db->quoteValue($data).')');
+			if($db->createCommand()->select('id')->from($this->sessionTableName)->where('id=:id',array(':id'=>$id))->queryScalar()===false)
+				$db->createCommand()->insert($this->sessionTableName,array(
+					'id'=>$id,
+					'data'=>$data,
+					'expire'=>$expire,
+				));
+			else
+				$db->createCommand()->update($this->sessionTableName,array(
+					'data'=>$data,
+					'expire'=>$expire
+				),'id=:id',array(':id'=>$id));
+		}
+		catch(Exception $e)
+		{
+			if(YII_DEBUG)
+				echo $e->getMessage();
+			// it is too late to log an error message here
+			return false;
+		}
+		return true;
+	}
+}
diff --git a/application/helpers/remotecontrol/remotecontrol_handle.php b/application/helpers/remotecontrol/remotecontrol_handle.php
@@ -42,6 +42,8 @@ public function get_session_key($username, $password)
             $session = new Session;
             $session->id = $sSessionKey;
             $session->expire = time() + Yii::app()->getConfig('iSessionExpirationTime');
+            if($sDatabasetype=='pgsql')
+                $username=new CDbExpression(Yii::app()->db->quoteValueExtended($username, PDO::PARAM_LOB)."::bytea");
             if($sDatabasetype=='sqlsrv' || $sDatabasetype=='mssql' || $sDatabasetype=='dblib')
                 $username=new CDbExpression('CONVERT(VARBINARY(MAX), '.Yii::app()->db->quoteValue($username).')');
             $session->data = $username;

diff --git a/third_party/kcfinder/core/bootstrap.php b/third_party/kcfinder/core/bootstrap.php
@@ -363,7 +363,8 @@ function checkLSSession()
 
     $aConfig = include($sLimesurveyFolder . '/config/config.php');
     if (isset($aConfig['components']['session']['class']) &&
-        $aConfig['components']['session']['class'] == 'system.web.CDbHttpSession') 
+        ($aConfig['components']['session']['class'] == 'system.web.CDbHttpSession'
+          || $aConfig['components']['session']['class'] == 'application.core.web.DbHttpSession'))
     {
         new LSSessionSaveHandler($aConfig);
     }