Properly escape strings in MySQL statement values

Use *_real_escape string functions provided by connectors to escape strings while exporting Fix phpmyadmin#12453 Signed-off-by: Deven Bansod <devenbansod.bits@gmail.com>
devenbansod · Sep 18, 2016 · 22eaf18 · 22eaf18
1 parent 9d27af8
commit 22eaf18
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 4 deletions.
diff --git a/libraries/DatabaseInterface.php b/libraries/DatabaseInterface.php
@@ -2648,6 +2648,19 @@ public function fieldFlags($result, $i)
         return $this->_extension->fieldFlags($result, $i);
     }
 
+    /**
+     * returns properly escaped string for use in MySQL queries
+     *
+     * @param resource $link the connection object
+     * @param string   $str  value (as a string)
+     *
+     * @return string escaped string from $str
+     */
+    public function escapeString($link, $str)
+    {
+        return $this->_extension->escapeString($link, $str);
+    }
+
     /**
      * Gets server connection port
      *

diff --git a/libraries/dbi/DBIDummy.php b/libraries/dbi/DBIDummy.php
@@ -1256,4 +1256,17 @@ public function fieldFlags($result, $i)
     {
         return '';
     }
+
+    /**
+     * returns properly escaped string for use in MySQL queries
+     *
+     * @param resource $link the connection object
+     * @param string   $str  value (as a string)
+     *
+     * @return string escaped string from $str
+     */
+    public function escapeString($link, $str)
+    {
+        return '';
+    }
 }
diff --git a/libraries/dbi/DBIExtension.php b/libraries/dbi/DBIExtension.php
@@ -235,4 +235,14 @@ public function fieldName($result, $i);
      * @return string field flags
      */
     public function fieldFlags($result, $i);
+
+    /**
+     * returns properly escaped string for use in MySQL queries
+     *
+     * @param resource $link the connection object
+     * @param string   $str  value (as a string)
+     *
+     * @return string escaped string from $str
+     */
+    public function escapeString($link, $str);
 }
diff --git a/libraries/dbi/DBIMysql.php b/libraries/dbi/DBIMysql.php
@@ -471,4 +471,17 @@ public function storeResult($result)
     {
         return false;
     }
+
+    /**
+     * returns properly escaped string for use in MySQL queries
+     *
+     * @param resource $link the connection object
+     * @param string   $str  value (as a string)
+     *
+     * @return string escaped string from $str
+     */
+    public function escapeString($link, $str)
+    {
+        return mysql_real_escape_string($link, $str);
+    }
 }
diff --git a/libraries/dbi/DBIMysqli.php b/libraries/dbi/DBIMysqli.php
@@ -615,4 +615,17 @@ public function fieldFlags($result, $i)
         }
         return implode(' ', $flags);
     }
+
+    /**
+     * returns properly escaped string for use in MySQL queries
+     *
+     * @param resource $link the connection object
+     * @param string   $str  value (as a string)
+     *
+     * @return string escaped string from $str
+     */
+    public function escapeString($link, $str)
+    {
+        return mysqli_real_escape_string($link, $str);
+    }
 }
diff --git a/libraries/plugins/export/ExportSql.php b/libraries/plugins/export/ExportSql.php
@@ -2411,10 +2411,13 @@ public function exportData(
                 } else {
                     // something else -> treat as a string
                     $values[] = '\''
-                        . str_replace(
-                            $search,
-                            $replace,
-                            Util::sqlAddSlashes($row[$j])
+                        . $GLOBALS['dbi']->escapeString(
+                            $GLOBALS['dbi']->getLink(),
+                            str_replace(
+                                $search,
+                                $replace,
+                                Util::sqlAddSlashes($row[$j])
+                            )
                         )
                         . '\'';
                 } // end if