Merge pull request #27 from willdurand/fix-mysql-driver-sql-injections

Fix mysql driver sql injections

runtime/lib/Propel.php

@@ -31,7 +31,7 @@ class Propel
 	 * The Propel version.
 	 */
 	const VERSION = '1.6.2-dev';
-	
+
 	/**
 	 * A constant for <code>default</code>.
 	 */
@@ -155,8 +155,8 @@ class Propel
 	/**
 	 * @var        string Base directory to use for autoloading. Initialized in self::initBaseDir()
 	 */
-  protected static $baseDir;
-  
+	protected static $baseDir;
+
 	/**
 	 * @var        array A map of class names and their file paths for autoloading
 	 */
@@ -190,15 +190,15 @@ class Propel
 		'DebugPDOStatement'   => 'connection/DebugPDOStatement.php',
 
 		'PropelException'     => 'exception/PropelException.php',
-		
+
 		'ModelWith'           => 'formatter/ModelWith.php',
 		'PropelArrayFormatter' => 'formatter/PropelArrayFormatter.php',
 		'PropelFormatter'     => 'formatter/PropelFormatter.php',
 		'PropelObjectFormatter' => 'formatter/PropelObjectFormatter.php',
 		'PropelOnDemandFormatter' => 'formatter/PropelOnDemandFormatter.php',
 		'PropelStatementFormatter' => 'formatter/PropelStatementFormatter.php',
 		'PropelSimpleArrayFormatter' => 'formatter/PropelSimpleArrayFormatter.php',
-		
+
 		'BasicLogger'         => 'logger/BasicLogger.php',
 		'MojaviLogAdapter'    => 'logger/MojaviLogAdapter.php',
 
@@ -220,7 +220,7 @@ class Propel
 		'PropelParser'        => 'parser/PropelParser.php',
 		'PropelXMLParser'     => 'parser/PropelXMLParser.php',
 		'PropelYAMLParser'    => 'parser/PropelYAMLParser.php',
-		
+
 		'Criteria'            => 'query/Criteria.php',
 		'Criterion'           => 'query/Criterion.php',
 		'CriterionIterator'   => 'query/CriterionIterator.php',
@@ -270,12 +270,12 @@ public static function initialize()
 
 		// reset the connection map (this should enable runtime changes of connection params)
 		self::$connectionMap = array();
-		
+
 		if (isset(self::$configuration['classmap']) && is_array(self::$configuration['classmap'])) {
-		  PropelAutoloader::getInstance()->addClassPaths(self::$configuration['classmap']);
-		  PropelAutoloader::getInstance()->register();
-	  }
-		
+			PropelAutoloader::getInstance()->addClassPaths(self::$configuration['classmap']);
+			PropelAutoloader::getInstance()->register();
+		}
+
 		self::$isInit = true;
 	}
 
@@ -348,8 +348,8 @@ public static function setConfiguration($c)
 	{
 		if (is_array($c)) {
 			if (isset($c['propel']) && is_array($c['propel'])) {
-			  $c = $c['propel'];
-		  }
+				$c = $c['propel'];
+			}
 			$c = new PropelConfiguration($c);
 		}
 		self::$configuration = $c;
@@ -423,22 +423,22 @@ public static function log($message, $level = self::LOG_DEBUG)
 		if (self::hasLogger()) {
 			$logger = self::logger();
 			switch ($level) {
-				case self::LOG_EMERG:
-					return $logger->log($message, $level);
-				case self::LOG_ALERT:
-					return $logger->alert($message);
-				case self::LOG_CRIT:
-					return $logger->crit($message);
-				case self::LOG_ERR:
-					return $logger->err($message);
-				case self::LOG_WARNING:
-					return $logger->warning($message);
-				case self::LOG_NOTICE:
-					return $logger->notice($message);
-				case self::LOG_INFO:
-					return $logger->info($message);
-				default:
-					return $logger->debug($message);
+			case self::LOG_EMERG:
+				return $logger->log($message, $level);
+			case self::LOG_ALERT:
+				return $logger->alert($message);
+			case self::LOG_CRIT:
+				return $logger->crit($message);
+			case self::LOG_ERR:
+				return $logger->err($message);
+			case self::LOG_WARNING:
+				return $logger->warning($message);
+			case self::LOG_NOTICE:
+				return $logger->notice($message);
+			case self::LOG_INFO:
+				return $logger->info($message);
+			default:
+				return $logger->debug($message);
 			}
 		}
 		return true;
@@ -551,12 +551,12 @@ public static function getConnection($name = null, $mode = Propel::CONNECTION_WR
 			return self::getSlaveConnection($name);
 		}
 
-	} 
-	
+	}
+
 	/**
 	 * Gets an already-opened write PDO connection or opens a new one for passed-in db name.
 	 *
-	 * @param      string $name The datasource name that is used to look up the DSN 
+	 * @param      string $name The datasource name that is used to look up the DSN
 	 *                          from the runtime configuation file. Empty name not allowed.
 	 *
 	 * @return     PDO A database connection
@@ -578,11 +578,11 @@ public static function getMasterConnection($name)
 
 		return self::$connectionMap[$name]['master'];
 	}
-	
+
 	/**
 	 * Gets an already-opened read PDO connection or opens a new one for passed-in db name.
 	 *
-	 * @param      string $name The datasource name that is used to look up the DSN 
+	 * @param      string $name The datasource name that is used to look up the DSN
 	 *                          from the runtime configuation file. Empty name not allowed.
 	 *
 	 * @return     PDO A database connection
@@ -623,7 +623,7 @@ public static function getSlaveConnection($name)
 
 		return self::$connectionMap[$name]['slave'];
 	}
-	
+
 	/**
 	 * Opens a new PDO connection for passed-in db name.
 	 *
@@ -638,12 +638,15 @@ public static function getSlaveConnection($name)
 	 */
 	public static function initConnection($conparams, $name, $defaultClass = Propel::CLASS_PROPEL_PDO)
 	{
+		$adapter = self::getDB($name);
 
 		$dsn = $conparams['dsn'];
 		if ($dsn === null) {
 			throw new PropelException('No dsn specified in your connection parameters for datasource ['.$name.']');
 		}
 
+		$conparams = $adapter->prepareParams($conparams);
+
 		if (isset($conparams['classname']) && !empty($conparams['classname'])) {
 			$classname = $conparams['classname'];
 			if (!class_exists($classname)) {
@@ -689,7 +692,6 @@ public static function initConnection($conparams, $name, $defaultClass = Propel:
 		}
 
 		// initialize the connection using the settings provided in the config file. this could be a "SET NAMES <charset>" query for MySQL, for instance
-		$adapter = self::getDB($name);
 		$adapter->initConnection($con, isset($conparams['settings']) && is_array($conparams['settings']) ? $conparams['settings'] : array());
 
 		return $con;
@@ -814,7 +816,7 @@ public static function autoload($className)
 		}
 		return false;
 	}
-	
+
 	/**
 	 * Initialize the base directory for the autoloader.
 	 * Avoids a call to dirname(__FILE__) each time self::autoload() is called.
@@ -878,7 +880,7 @@ public static function setDatabaseMapClass($name)
 
 	/**
 	 * Disable instance pooling.
-	 * 
+	 *
 	 * @return boolean true if the method changed the instance pooling state,
 	 *                 false if it was already disabled
 	 */
@@ -893,7 +895,7 @@ public static function disableInstancePooling()
 
 	/**
 	 * Enable instance pooling (enabled by default).
-	 * 
+	 *
 	 * @return boolean true if the method changed the instance pooling state,
 	 *                 false if it was already enabled
 	 */

runtime/lib/adapter/DBAdapter.php

@@ -72,6 +72,17 @@ public static function factory($driver) {
 		}
 	}
 
+	/**
+	 * Prepare connection parameters.
+	 *
+	 * @param array	$params
+	 * @return array
+	 */
+	public function prepareParams($settings)
+	{
+		return $settings;
+	}
+
 	/**
 	 * This method is called after a connection was created to run necessary
 	 * post-initialization queries or code.
@@ -266,17 +277,17 @@ protected function formatTemporalValue($value, ColumnMap $cMap)
 		/** @var $dt PropelDateTime */
 		if ($dt = PropelDateTime::newInstance($value)) {
 			switch($cMap->getType()) {
-				case PropelColumnTypes::TIMESTAMP:
-				case PropelColumnTypes::BU_TIMESTAMP:
-					$value = $dt->format($this->getTimestampFormatter());
-					break;
-				case PropelColumnTypes::DATE:
-				case PropelColumnTypes::BU_DATE:
-					$value = $dt->format($this->getDateFormatter());
-					break;
-				case PropelColumnTypes::TIME:
-					$value = $dt->format($this->getTimeFormatter());
-					break;
+			case PropelColumnTypes::TIMESTAMP:
+			case PropelColumnTypes::BU_TIMESTAMP:
+				$value = $dt->format($this->getTimestampFormatter());
+				break;
+			case PropelColumnTypes::DATE:
+			case PropelColumnTypes::BU_DATE:
+				$value = $dt->format($this->getDateFormatter());
+				break;
+			case PropelColumnTypes::TIME:
+				$value = $dt->format($this->getTimeFormatter());
+				break;
 			}
 		}
 		return $value;
@@ -450,9 +461,9 @@ public function createSelectSqlPart(Criteria $criteria, &$fromClause, $aliasAll
 
 		// Build the SQL from the arrays we compiled
 		$sql =  "SELECT "
-		. ($queryComment ? '/* ' . $queryComment . ' */ ' : '')
-		. ($selectModifiers ? (implode(' ', $selectModifiers) . ' ') : '')
-		. implode(", ", $selectClause);
+			. ($queryComment ? '/* ' . $queryComment . ' */ ' : '')
+			. ($selectModifiers ? (implode(' ', $selectModifiers) . ' ') : '')
+			. implode(", ", $selectClause);
 
 		return $sql;
 	}

runtime/lib/adapter/DBMySQL.php

@@ -197,4 +197,34 @@ public function bindValue(PDOStatement $stmt, $parameter, $value, ColumnMap $cMa
 
 		return $stmt->bindValue($parameter, $value, $pdoType);
 	}
+
+	/**
+	 * Prepare connection parameters.
+	 * See: http://www.propelorm.org/ticket/1360
+	 *
+	 * @param array	$params
+	 * @return array
+	 */
+	public function prepareParams($params)
+	{
+		$params = parent::prepareParams($params);
+
+		if(isset($params['settings']['charset']['value'])) {
+			if(version_compare(PHP_VERSION, '5.3.6', '<')) {
+				throw new PropelException(<<<EXCEPTION
+Connection option "charset" cannot be used for MySQL connections in PHP versions older than 5.3.6.
+Please refer to http://www.propelorm.org/ticket/1360 for instructions and details about the implications of
+using a SET NAMES statement in the "queries" setting.
+EXCEPTION
+			);
+			} else {
+				if(strpos($params['dsn'], ';charset=') === false) {
+					$params['dsn'] .= ';charset=' . $params['settings']['charset']['value'];
+					unset($params['settings']['charset']);
+				}
+			}
+		}
+
+		return $params;
+	}
 }