SECURITY Backporting MySQLDatabase->addslashes() to use mysql_real_escape_string() instead of the non-multibyte-safe addslashes() PHP function, and using it in Convert::raw2sql()
commit ca7878453f7b30305e0c703f9cdebfe7c04de017 1 parent b37836f
Ingo Schommer chillu authored
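--- a/core/Convert.php
+++ b/core/Convert.php
@@ -104,9 +104,8 @@ static function raw2sql($val) {
 if(is_array($val)) {
 foreach($val as $k => $v) $val[$k] = self::raw2sql($v);
 return $val;
-
 } else {
- return addslashes($val);
+ return DB::getConn()->addslashes($val);
 }
 }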
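Review bot: `DB::getConn()->addslashes($val)` on the added line dereferences the connection without a null check, so if `getConn()` can return null before a database connection exists (the replaced `addslashes()` call had no such dependency), `raw2sql()` now fatals where it previously escaped; guard it with `$conn = DB::getConn(); if(!$conn) user_error('Convert::raw2sql() requires an active database connection', E_USER_ERROR);` before the return. The function's signature appears only in the hunk header, so `raw2sql()` starts outside the hunk. The return value is still a bare escaped string that callers must interpolate inside quotes themselves, which is weaker than driver-level quoting or bound parameters; a docblock line such as `Escapes $val for use inside a quoted SQL string literal; does not add quotes and must not be used for identifiers` would make that contract explicit to callers.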
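--- a/core/model/Database.php
+++ b/core/model/Database.php
@@ -112,6 +112,14 @@
 protected abstract function tableList();
 /**
+ * Returns an escaped string.
+ *
+ * @param string
+ * @return string - escaped string
+ */
+ abstract function addslashes($val);
+
+ /**
 * The table list, generated by the tableList() function.
 * Used by the requireTable() function.
 * @var array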
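Review bot: The new docblock's `@param string` has no parameter name, and the contract omits the two properties an implementer and a caller most need: the result is escaped for use inside a quoted SQL string literal (no quotes are added), and the escaping must be performed against the live connection so that it follows the connection's character set rather than a connection-independent function. Suggest `@param string $val Raw, unescaped value` and `@return string Value escaped for interpolation inside a quoted SQL string literal; no quotes are added, and the escaping is connection/charset specific`. The declaration also carries no visibility keyword; `public abstract function addslashes($val);` states the intent, since `Convert::raw2sql()` calls it from outside the class.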
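--- a/core/model/MySQLDatabase.php
+++ b/core/model/MySQLDatabase.php
@@ -400,6 +400,13 @@ function databaseError($msg, $errorLevel = E_USER_ERROR) {
 user_error($msg, $errorLevel);
 }
+
+ /*
+ * This will return text which has been escaped in a database-friendly manner.
+ */
+ function addslashes($value){
+ return mysql_real_escape_string($value, $this->dbConn);
+ }
 }
 /**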
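Review bot: `mysql_real_escape_string()` returns false (with a warning) when `$this->dbConn` is not a valid link, and the new `addslashes()` returns that false unchanged, so a caller interpolating it into SQL gets an empty string instead of a failure; check the result, e.g. `$escaped = mysql_real_escape_string($value, $this->dbConn); if($escaped === false) $this->databaseError('Could not escape value: no valid database connection'); return $escaped;`. The fix is only as strong as the connection's character set: the client library escapes according to the charset it believes the connection uses, so the connection should establish its charset through `mysql_set_charset()` (or the equivalent at connect time) rather than only a `SET NAMES` query, otherwise the multibyte gap this commit closes can remain; that connect code is outside the hunk and worth confirming. The comment opens with `/*` rather than `/**`, so it is not a docblock; `/** Escapes $value for use inside a quoted MySQL string literal using the live connection's charset; does not add quotes. */` would document the contract.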