revamp database escaping fixes #5178 #5180

Open
wants to merge 18 commits into
base: release-2.1
from

add quotes

Signed-off-by: albertlast albertlast@hotmail.de
albertlast committed Feb 22, 2019
commit 0c82b2f1aa335fe7340bb8fbd1b375301c6a11b2
@@ -106,7 +106,7 @@ function smf_db_initiate($db_server, $db_name, $db_user, $db_passwd, $db_prefix,
// Disable backlash escape, only '' is than a valid one
$sql_mode .= (empyt($sql_mode) ? '' : ',') . 'NO_BACKSLASH_ESCAPES';
mysqli_query($connection, 'SET SESSION sql_mode = ' . $sql_mode);
mysqli_query($connection, "SET SESSION sql_mode = '" . $sql_mode . "'");
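Review bot: The call empyt($sql_mode) on the line that appends NO_BACKSLASH_ESCAPES is a misspelling of empty() and will raise an undefined-function error when that line is reached, so the connection setup in smf_db_initiate() cannot complete; fix that first. The quoted form of the SET SESSION statement is the correct one, since sql_mode takes a string value, but the return value of mysqli_query() is not checked here. If the statement fails, the session keeps backslash escaping enabled while the surrounding code assumes '' is the only valid escape, so check the result and stop connection setup on failure. The comment above it also has typos ("backlash" for "backslash", "than" for "then").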
This conversation was marked as resolved by albertlast

Sesquipedalian Feb 28, 2019

Member

There are typos in the lines above. Since those need to be fixed anyway, why not just put everything back on a single line?

mysqli_query($connection, "SET SESSION sql_mode = 'ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION,NO_BACKSLASH_ESCAPES'");

albertlast Feb 28, 2019

Author Collaborator

I was guessing
that it would look cleaner
when the different sets of mods are grouped and the comment mentions what they do, and
when you want to disable a specific behavior, you only comment out the right line.

Sesquipedalian Feb 28, 2019

Member

Well, if you want to do that, the cleanest way would be to use an array and then implode it to make the final string. Something like this, perhaps:

$sql_mode = array(
	'ONLY_FULL_GROUP_BY',
	'STRICT_TRANS_TABLES',
	'NO_ZERO_IN_DATE',
	'NO_ZERO_DATE',
	'ERROR_FOR_DIVISION_BY_ZERO',
	'NO_AUTO_CREATE_USER',
	'NO_ENGINE_SUBSTITUTION',
	'NO_BACKSLASH_ESCAPES',
);
mysqli_query($connection, "SET SESSION sql_mode = '" . implode(',', $sql_mode) . "'");

If you want to make it really friendly for mods, you could insert an integration hook between the array and the mysqli_query() call in order to give the mods edit-free access to the $sql_mode array.

albertlast Feb 28, 2019

Author Collaborator

Mods we can't support here,
since the connection to the DB is not up.

if (!empty($db_options['db_mb4']))
$smcFunc['db_mb4'] = (bool) $db_options['db_mb4'];