Fixed bug #15737: quoteStrForLike does not properly escape strings in…

… sql_mode NO_BACKSLASH_ESCAPES git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-4@9778 709f56b5-9817-0410-a4d7-c38de5d9e867
TYPO3 · Dec 16, 2010 · 9eb4be4 · 9eb4be4
1 parent e8e9261
commit 9eb4be4
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,7 @@
 
 	* Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
 	* Fixed bug #16590: t3lib_TSparser::checkIncludeLines() does not check files to be included (thanks to Fabrizio Branca)
+	* Fixed bug #15737: quoteStrForLike does not properly escape strings in sql_mode NO_BACKSLASH_ESCAPES
 
 2010-12-07  Christian Kuhn  <lolli@schwarzbu.ch>
 

diff --git a/t3lib/class.t3lib_db.php b/t3lib/class.t3lib_db.php
@@ -1124,11 +1124,38 @@ function sql_pconnect($TYPO3_db_host, $TYPO3_db_username, $TYPO3_db_password)	{
 					);
 				}
 			}
+			$this->setSqlMode();
 		}
 
 		return $this->link;
 	}
 
+	/**
+	 * Fixes the SQL mode by unsetting NO_BACKSLASH_ESCAPES if found.
+	 *
+	 * @return void
+	 */
+	protected function setSqlMode() {
+		$resource = $this->sql_query('SELECT @@SESSION.sql_mode;');
+		if (is_resource($resource)) {
+			$result = $this->sql_fetch_row($resource);
+			if (isset($result[0]) && $result[0] && strpos($result[0], 'NO_BACKSLASH_ESCAPES') !== FALSE) {
+				$modes = array_diff(
+					t3lib_div::trimExplode(',', $result[0]),
+					array('NO_BACKSLASH_ESCAPES')
+				);
+				$query = 'SET sql_mode=\'' . mysql_real_escape_string(implode(',', $modes)) . '\';';
+				$success = $this->sql_query($query);
+
+				t3lib_div::sysLog(
+					'NO_BACKSLASH_ESCAPES could not be removed from SQL mode: ' . $this->sql_error(),
+					'Core',
+					3
+				);
+			}
+		}
+	}
+
 	/**
 	 * Select a MySQL database
 	 * mysql_select_db() wrapper function