Fixed SQL injection.
shannah committed Apr 7, 2019
1 parent e64f855 commit eb4265e
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions lib/SQL/Compiler.php
@@ -84,7 +84,7 @@ function compileFunctionOpts($args){
} else if ( $func_arg['type'] == 'function'){
$out .= $this->compileFunction($func_arg['value'], false).', ';
} else if ( $func_arg['type'] == 'text_val' ){
$out .= "'".$func_arg['value']."', ";
$out .= "'".addslashes($func_arg['value'])."', ";
} else if ( $func_arg['type'] == 'expression' ){

$out .= $this->compileExpression($func_arg['type'], $func_arg['value']).", ";
@@ -138,7 +138,7 @@ function getWhereValue ($arg)
$value = $arg['value'];
break;
case 'text_val':
$value = '\''.$arg['value'].'\'';
$value = '\''.addslashes($arg['value']).'\'';
break;
case 'subclause':
$value = '('.$this->compileSearchClause($arg['value']).')';
@@ -209,7 +209,7 @@ function getParams($arg)
$value[] = $arg['value'][$i];
break;
case 'text_val':
$value[] = '\''.$arg['value'][$i].'\'';
$value[] = '\''.addslashes($arg['value'][$i]).'\'';
break;
case 'function':
$val = $this->compileFunction($arg['value'][$i]);
@@ -415,7 +415,7 @@ function compileSelect()
break;

case 'text_val':
$column = '\''.$this->tree['columns'][$i]['value'].'\'';
$column = '\''.addslashes($this->tree['columns'][$i]['value']).'\'';


if ( $this->tree['columns'][$i]['alias'] ){
@@ -638,7 +638,7 @@ function compileExpression($type, $val){
case 'null':
return $val;
case 'text_val';
return "'".$val."'";
return "'".addslashes($val)."'";
case 'ident':
return $this->compileIdent($val);
case 'function':
@@ -673,7 +673,7 @@ function compileInterval($val){
$out .= $val;
break;
case 'text_val':
$out .= "'".$val."'";
$out .= "'".addslashes($val)."'";
break;
default:
throw new Exception("Failed to compile interval. Wrong expression type ".$val['expression_type']);
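Review bot: `addslashes()` is used as the SQL escaper in all six `text_val` branches (compileFunctionOpts, getWhereValue, getParams, compileSelect, compileExpression, compileInterval), but it is byte-oriented and knows nothing about the connection: with a multibyte connection character set, or a server mode that disables backslash escapes, the quoted literal may still not be safe. Prefer the driver's connection-aware escaping, e.g. `mysqli_real_escape_string($link, $val)` if this compiler targets MySQL, or bound parameters where the caller can supply them. Because the same expression is repeated six times, routing it through one private helper (say `quoteText($val)`) would let the escaping be changed in a single place. The sibling branches that emit `$arg['value']` or `$val` unquoted are only partly visible in these hunks, so it is worth confirming that the parser restricts those types to numeric or identifier tokens.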

1 comment on commit eb4265e


@shannah shannah commented on eb4265e Apr 7, 2019


Thanks @JarLob for discovering this vulnerability
